ZyXEL Communications USG 300 manuale d’uso
- Visualizza on-line o scarica il manuale
- 1121 pagine
- 26.97 mb
Vai alla pagina of
Un buon manuale d’uso
Le regole impongono al rivenditore l'obbligo di fornire all'acquirente, insieme alle merci, il manuale d’uso ZyXEL Communications USG 300. La mancanza del manuale d’uso o le informazioni errate fornite al consumatore sono la base di una denuncia in caso di inosservanza del dispositivo con il contratto. Secondo la legge, l’inclusione del manuale d’uso in una forma diversa da quella cartacea è permessa, che viene spesso utilizzato recentemente, includendo una forma grafica o elettronica ZyXEL Communications USG 300 o video didattici per gli utenti. La condizione è il suo carattere leggibile e comprensibile.
Che cosa è il manuale d’uso?
La parola deriva dal latino "instructio", cioè organizzare. Così, il manuale d’uso ZyXEL Communications USG 300 descrive le fasi del procedimento. Lo scopo del manuale d’uso è istruire, facilitare lo avviamento, l'uso di attrezzature o l’esecuzione di determinate azioni. Il manuale è una raccolta di informazioni sull'oggetto/servizio, un suggerimento.
Purtroppo, pochi utenti prendono il tempo di leggere il manuale d’uso, e un buono manuale non solo permette di conoscere una serie di funzionalità aggiuntive del dispositivo acquistato, ma anche evitare la maggioranza dei guasti.
Quindi cosa dovrebbe contenere il manuale perfetto?
Innanzitutto, il manuale d’uso ZyXEL Communications USG 300 dovrebbe contenere:
- informazioni sui dati tecnici del dispositivo ZyXEL Communications USG 300
- nome del fabbricante e anno di fabbricazione ZyXEL Communications USG 300
- istruzioni per l'uso, la regolazione e la manutenzione delle attrezzature ZyXEL Communications USG 300
- segnaletica di sicurezza e certificati che confermano la conformità con le norme pertinenti
Perché non leggiamo i manuali d’uso?
Generalmente questo è dovuto alla mancanza di tempo e certezza per quanto riguarda la funzionalità specifica delle attrezzature acquistate. Purtroppo, la connessione e l’avvio ZyXEL Communications USG 300 non sono sufficienti. Questo manuale contiene una serie di linee guida per funzionalità specifiche, la sicurezza, metodi di manutenzione (anche i mezzi che dovrebbero essere usati), eventuali difetti ZyXEL Communications USG 300 e modi per risolvere i problemi più comuni durante l'uso. Infine, il manuale contiene le coordinate del servizio ZyXEL Communications in assenza dell'efficacia delle soluzioni proposte. Attualmente, i manuali d’uso sotto forma di animazioni interessanti e video didattici che sono migliori che la brochure suscitano un interesse considerevole. Questo tipo di manuale permette all'utente di visualizzare tutto il video didattico senza saltare le specifiche e complicate descrizioni tecniche ZyXEL Communications USG 300, come nel caso della versione cartacea.
Perché leggere il manuale d’uso?
Prima di tutto, contiene la risposta sulla struttura, le possibilità del dispositivo ZyXEL Communications USG 300, l'uso di vari accessori ed una serie di informazioni per sfruttare totalmente tutte le caratteristiche e servizi.
Dopo l'acquisto di successo di attrezzature/dispositivo, prendere un momento per familiarizzare con tutte le parti del manuale d'uso ZyXEL Communications USG 300. Attualmente, sono preparati con cura e tradotti per essere comprensibili non solo per gli utenti, ma per svolgere la loro funzione di base di informazioni e di aiuto.
Sommario del manuale d’uso
-
Pagina 1
www .zyxel.com www .zyxel.com ZyW ALL USG 300 Unified Security Gateway Copyright © 2010 ZyXEL Communications Corporation V ersion 2.20 Edition 1, 3/2010 Default Login Details LAN P ort P1 IP Address https://192.168.1.1 User Name admin Pa ss wo rd 1234[...]
-
Pagina 2
[...]
-
Pagina 3
About This User's Guide ZyWALL USG 300 User’s Guide 3 About This User's Guide Intended Audience This manual is intended for people who want to want to configure the Z yW AL L using the W eb Configur ator . How T o Use This Guide •R e a d Chapter 1 on page 33 chapter for an overview of features av ailable on the Z yW ALL. •R e a d Ch[...]
-
Pagina 4
About This User's Guide ZyWALL USG 300 User’s Guide 4 • W eb Configurator On line H elp Click the help icon in an y screen for help in configuring that screen and supplementary information. Documentation Feedback Send your comments, questions or su g gestions to: techwriters@zyxel.com.tw Thank you! The T echni cal W riting T eam, Z yXEL Co[...]
-
Pagina 5
About This User's Guide ZyWALL USG 300 User’s Guide 5 See http://www .zyxel.com/web/con tact_us.php for contac t information. Pl ease have the follow in g informat io n re ady when you contact an office. • Product model and serial number . •W a r r a n t y I n f o r m a t i o n . • Date that you received yo ur device. • Brief descrip[...]
-
Pagina 6
Document Conventions ZyWALL USG 300 User’s Guide 6 Document Conventions W arnings and Notes These are how warnings and notes are shown in this User’ s Guide. W arnings tell you about things that could harm you or your device. Note: Notes tell you other import ant informat ion (for example, other things you may need to configure or help ful tips[...]
-
Pagina 7
Document Conventions ZyWALL USG 300 User’s Guide 7 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The Z yW ALL icon is not an exact representation of your device. ZyW A L L Computer N otebook computer Server Firewall Te l e p h o n e Switc h Ro u t er[...]
-
Pagina 8
Safety Warnings ZyWALL USG 300 User’s Guide 8 Safety Warnings • Do NO T use this product near water , for exam ple, in a wet basement or n ear a swimming pool. • Do NO T expose your device to dampness, dust or corrosive liquids. • Do NO T store things on the device. • Do NOT install, use, or service this device during a thunderstorm. Ther[...]
-
Pagina 9
Contents Overview ZyWALL USG 300 User’s Guide 9 Contents Overview User ’ s Guide ................................................... ..................................................... .......... ......... 31 Introducing the ZyWALL . ................. ................ ................ ............. ................ ................ ......... [...]
-
Pagina 10
Contents Overview ZyWALL USG 300 User’s Guide 10 Content Filtering ......... ................ ............. ................ ................. ............ ................. ........ ........ . 643 Content Filter Reports ........ ................ ............. ................ ............. ............. ................ ......... ..... 667 Anti-[...]
-
Pagina 11
Table of Contents ZyWALL USG 300 User’s Guide 11 Table of Contents About This User's Guide ........................................... ..................................................... .......... 3 Document Conventions.................................................................. ......................................... .6 Safety Wa[...]
-
Pagina 12
Table of Contents ZyWALL USG 300 User’s Guide 12 3.3.2 Navigation Panel .... ... ... .... ... ... ... ... .... ... ... ............. ................ ............. ................ .......... 50 3.3.3 Main Window ... .... ... ............. ... ... ... .... ... ............. ... ... .... ... ... ............. ... ... .... ... ... ............ .5 7[...]
-
Pagina 13
Table of Contents ZyWALL USG 300 User’s Guide 13 6.3 T erminology in the ZyWALL .......... ............. ... ... ... .... ... ............. ... ... ... .... ... ............. ... ... ... .... ... 95 6.4 Packet Flow ........... ............. ... .... ... ... ... ... ............. .... ... ... ... .... ............ .... ... ... ... .... ......... .[...]
-
Pagina 14
Table of Contents ZyWALL USG 300 User’s Guide 14 7.1.2 Configure Zones ..... ... ... .... ............ .... ... ... ... .... ... ... ............. ... ... .... ... ... ... .... ............ .... .. 1 16 7.1.3 Configure Port Grouping .............. .......... ... ............. ................ ............. ................ ......1 17 7.2 How to C[...]
-
Pagina 15
Table of Contents ZyWALL USG 300 User’s Guide 15 7.14.1 Create the Public IP Address Range O b ject ..... ............. ................ ............. ........... 1 74 7.14.2 Configure the Policy Route ............... ... ............. ............. ................ ............. ........... 1 75 7.15 How to Use Active-Passive Device H A ........[...]
-
Pagina 16
Table of Contents ZyWALL USG 300 User’s Guide 16 10.4 The T raffic S tatistics Sc reen ....... ................ ............. ................ ............. ................ ........... 243 10.5 The Session Monitor Screen ........... ............. ................ ............. ................ ............. ........ 246 10.6 The DDNS S tatus Scr[...]
-
Pagina 17
Table of Contents ZyWALL USG 300 User’s Guide 17 13.1 Interface Overview ......... ................ ................ ............. ................ ............. ................ .... .... 289 13.1.1 What Y ou Can Do in this Chapter .. ... .......... ................ ............. ................ ............. . 289 13.1.2 What Y o u Need to Kno[...]
-
Pagina 18
Table of Contents ZyWALL USG 300 User’s Guide 18 15.1 Policy and S tatic Routes Overview .......... ............. ................ ............. ................ ............. . 373 15.1.1 What Y ou Can Do in this Chapter .. ... .......... ................ ............. ................ ............. . 373 15.1.2 What Y o u Need to Know ........ [...]
-
Pagina 19
Table of Contents ZyWALL USG 300 User’s Guide 19 19.2.1 The NA T Add/Edit Screen .......... .... ... .......... ................ ............. ................ ............. . 416 19.3 NA T T echnical Reference . ................... ....... .......... ................ ............. ................ ............. . 41 9 Chapter 20 HTTP Redirect ..[...]
-
Pagina 20
Table of Contents ZyWALL USG 300 User’s Guide 20 24.1.3 Firewall Rule Example A pplications ............ ................ ............. ................ .............. 452 24.1.4 Firewall Rule Configur ation Example .......... ................ ................ ............. .............. 455 24.2 The Firewall Screen ....... ... ... .... ... ... [...]
-
Pagina 21
Table of Contents ZyWALL USG 300 User’s Guide 21 27.5 Logging Out of the SSL VP N Us er Screens .. ................ ................ ............. ................ ..... 526 Chapter 28 SSL User Application Screens ........................................................................... ................. 529 28.1 SSL User Application Screens Ov[...]
-
Pagina 22
Table of Contents ZyWALL USG 300 User’s Guide 22 32.3 Application Patrol Applicat ions ................ ............. ................ ............. ................ ............. . 55 8 32.3.1 The Application Patrol Edit Screen ...... ............. ................ ................ ............. ........ 559 32.3.2 The Application Patrol Policy [...]
-
Pagina 23
Table of Contents ZyWALL USG 300 User’s Guide 23 34.8.3 Applying Custom Signatures ............. ................ ............. ................ ............. ........... 6 18 34.8.4 V erifying Custom Signatures ... .......... ...... ............. ................ ............. ................ ..... 619 34.9 IDP T echnical Reference .. ....... .[...]
-
Pagina 24
Table of Contents ZyWALL USG 300 User’s Guide 24 38.1.1 What Y ou Can Do in this Chapter .. ... .......... ................ ............. ................ ............. . 675 38.1.2 What Y o u Need to Know ...... ................ ............. ................ ............. ................ ........ 675 38.2 Before Y o u Begin . .......... ... ..[...]
-
Pagina 25
Table of Contents ZyWALL USG 300 User’s Guide 25 41.1.1 What Y ou Can Do in this Chapter .. ... .......... ................ ............. ................ ............. . 731 41.1.2 What Y o u Need T o Know ..... ............. ................ ............. ................ ............. ........... 731 41.2 Address Summary Screen ............. .[...]
-
Pagina 26
Table of Contents ZyWALL USG 300 User’s Guide 26 45.1.2 Before Y o u Begin ....... ............. ............. ............. ................ ............. ................ ........ 759 45.1.3 Example: Selecting a VPN Authentic ation Method ..... ................ ................ ........... 759 45.2 Authentication Method Ob jects ...............[...]
-
Pagina 27
Table of Contents ZyWALL USG 300 User’s Guide 27 49.3 Endpoint Security Add/Edit ............... ... .... ............. ................ ............. ............. ................ . 8 03 Chapter 50 System ...................................................................... ................................................. .......... 809 50.1 [...]
-
Pagina 28
Table of Contents ZyWALL USG 300 User’s Guide 28 50.10.3 Configuring SNMP ....... ................ ................ ................ ............. ................ ........... 851 50.1 1 Dial-in Management ........ ... .... ... ... ... ............. ... .... ... ... ... .... ... ... ... ... ............. .... ... ... ... ... .... .8 5 3 50.1 1.1 [...]
-
Pagina 29
Table of Contents ZyWALL USG 300 User’s Guide 29 55.1 Overview ........... ................ ............. ................ ................ ............. ................ ............ ......... 893 55.1.1 What Y o u Need T o Know ..... ............. ................ ............. ................ ............. ........... 893 55.2 The Shutdown Sc[...]
-
Pagina 30
Table of Contents ZyWALL USG 300 User’s Guide 30[...]
-
Pagina 31
31 P ART I User ’ s Guide[...]
-
Pagina 32
32[...]
-
Pagina 33
ZyWALL USG 300 User’s Guide 33 C HAPTER 1 Introducing the ZyWALL This chapter gives an overview of t he Z yWALL. It explains the front panel ports, LEDs, introduces the manage ment methods, and lists di fferent w ays to start or stop the Z yWALL. 1.1 Overview and Key Default Settings The Z yWALL is a comprehensive security device. It s flexible c[...]
-
Pagina 34
Chapter 1 Introducing the ZyWALL ZyWALL USG 300 User’s Guide 34 Use a #2 Phillips screwdriv er to install the screws. Note: Failure to use the proper screws may damage the unit. 1.2.1 Rack-Mounted Inst allation Procedure 1 Align one brack et with the holes on one si d e of the Z yWALL and secure it with the included br acket screws (smaller than [...]
-
Pagina 35
Chapter 1 Introducin g the ZyWALL ZyWALL USG 300 User’s Guide 35 1.3 Front Panel This section introduces the Z yWALL’ s front panel. Figure 3 ZyW ALL Front Panel 1.3.1 Front Panel LEDs The following table describes t he LEDs. 1.4 Management Overview Y ou can use the follow ing ways to manage the Z yWALL. T able 1 Front Panel LEDs LED COLOR STAT[...]
-
Pagina 36
Chapter 1 Introducing the ZyWALL ZyWALL USG 300 User’s Guide 36 Web Configurator The W eb Configurator allows easy Z yWALL setup and management usi ng an Internet browser . This User’ s Guid e provides information about the W eb Configurator . Figure 4 Managing the ZyW ALL: Web Configurator Command-Line Interface (CLI) The CLI allows you to use[...]
-
Pagina 37
Chapter 1 Introducin g the ZyWALL ZyWALL USG 300 User’s Guide 37 Always use Maintenance > Shut down > Shut down or the shutdown command before you turn off the Zy W ALL or remove the power . Not doing so can cause the firmwa re to become corr upt. The Z yWALL does not stop or start the system processes when y ou apply configuration fi les o[...]
-
Pagina 38
Chapter 1 Introducing the ZyWALL ZyWALL USG 300 User’s Guide 38[...]
-
Pagina 39
ZyWALL USG 300 User’s Guide 39 C HAPTER 2 Features and Applications This chapter introduces the main features and applications of the Z yWALL. 2.1 Features The Z yWALL ’s security features include VPN, firew all, anti-virus, content filtering, IDP (Intrusion Detection and Prev en tion), ADP (Anomaly Detection and Protection), and certificat es.[...]
-
Pagina 40
Chapter 2 Features and Applications ZyWALL USG 300 User’s Guide 40 Firewall The Z yWALL’ s firew all is a stateful inspection firew all. The Z yWALL rest ricts access by screening data packets against defined access rules. It can also inspect sessions. F or example, tr affic from one zone is not allowed unless it is initiated by a computer in a[...]
-
Pagina 41
Chapter 2 Features an d Applications ZyWALL USG 300 User’s Guide 41 Anti-Virus Scanner With the anti- v irus packet scanner , your Z yWALL scans files transmitt ing through the enabled interfaces into the network. The Z yWALL helps stop threats at the network edge before they reach th e local host computers. Anti-Sp am The anti-spam feature can m[...]
-
Pagina 42
Chapter 2 Features and Applications ZyWALL USG 300 User’s Guide 42 2.2.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, t elecommuters, and business tr a velers to provide secure access t o y our network. Y ou can also set up additional connections to the Inte rnet to provide better service. Figure 5 Applications: VPN C[...]
-
Pagina 43
Chapter 2 Features an d Applications ZyWALL USG 300 User’s Guide 43 Y ou do not have to install additional client software on the remote user computers for access. Figure 6 Network Access Mode: Reverse Proxy 2.2.2.2 Full T unnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subn e[...]
-
Pagina 44
Chapter 2 Features and Applications ZyWALL USG 300 User’s Guide 44 2.2.3 User-A ware Access Control Set up security policies that restrict access to sensitiv e information and shared resources based on the user who is trying to access it. Figure 8 Applications: User-A ware Access Control 2.2.4 Multiple W AN Interfaces Set up multiple connect ions[...]
-
Pagina 45
Chapter 2 Features an d Applications ZyWALL USG 300 User’s Guide 45 2.2.5 Device HA Set up an addit ional Z yWALL as a backup gatew ay to ensure the default gatew ay is always availab le for the network. Figure 10 Applications: Device HA[...]
-
Pagina 46
Chapter 2 Features and Applications ZyWALL USG 300 User’s Guide 46[...]
-
Pagina 47
ZyWALL USG 300 User’s Guide 47 C HAPTER 3 Web Configurator The Z yW ALL W eb Configurator allows easy Z yWALL setup and management using an Internet browser . 3.1 W eb Configurator Requirement s In order to use the W eb Configurat or , you must • Use Internet Explorer 7 or la ter , or Firefox 1.5 or l ater • Allow pop-up wi ndows (block ed by[...]
-
Pagina 48
Chapter 3 Web C onfig ur a t or ZyWALL USG 300 User’s Guide 48 2 Open your web browser , and go to http://192.168.1.1 . By default, the Z yWALL automatically routes this req uest to its HT TPS server , and it is recommended to keep this setting. The Login screen appears. Figure 1 1 Login Screen 3 T ype the user name (default: “adm in”) and pa[...]
-
Pagina 49
Chapter 3 Web Configurator ZyWALL USG 300 User’s Guide 49 5 The screen above appears every time y ou log in using the default user name and default password. If you chang e the passw ord for the default user account, this screen does not appear anymore. Fol low the directions in this screen. If you change the default password, the Login screen ( [...]
-
Pagina 50
Chapter 3 Web C onfig ur a t or ZyWALL USG 300 User’s Guide 50 3.3.1 T itle Bar The title bar prov ides some icons in the upper right corner . Figure 14 Tit l e B a r The icons provide the following functions. 3.3.2 Navigation Panel Use the menu items on the na vigati on panel to open screens to configure Z yW ALL features. Click the arrow in the[...]
-
Pagina 51
Chapter 3 Web Configurator ZyWALL USG 300 User’s Guide 51 hide the navigation panel menus or drag it to resize them. The following sections introduce the Z yWALL ’s navigati on panel menus and their screens. Figure 15 Navigation Pan el 3.3.2.1 Dashboard The dashboard displays gener al device information, system status, system resource usage, li[...]
-
Pagina 52
Chapter 3 Web C onfig ur a t or ZyWALL USG 300 User’s Guide 52 3.3.2.3 Configuration Menu Use the configurat ion menu screens to configure the ZyW ALL’s features. Cellular Status Displays details about the Z yW ALL’ s 3G connection status. AppP atrol Statistics Displays bandwidth and protocol statistics. VPN Monitor IPSec Displays and manages[...]
-
Pagina 53
Chapter 3 Web Configurator ZyWALL USG 300 User’s Guide 53 Interface Por t G ro u p i ng Configure physical port groups. Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces. PPP Create and manage PPPoE and PPTP interfaces. Cellular Configure a cellular Internet connection for an installed 3G card. WLAN Configure settings for an ins[...]
-
Pagina 54
Chapter 3 Web C onfig ur a t or ZyWALL USG 300 User’s Guide 54 SSL VP N Access Privilege Configure SSL VPN access rights for users and groups. Global Setting Configure the Z yWALL’ s SSL VPN settings that apply to all connections. L2TP VPN L2TP VPN Configure L2TP Over IPSec VPN settings. AppPatrol Gener al Enable or disable traffic management b[...]
-
Pagina 55
Chapter 3 Web Configurator ZyWALL USG 300 User’s Guide 55 Device HA General Configure device HA global settings, and see the status of each interface monitored by device HA. Act ive- Pass ive Mode Configure active-passive mode device HA. Legacy Mode Configure legacy mode device H A for use with Z yWALLs that already ha ve device HA setup using a [...]
-
Pagina 56
Chapter 3 Web C onfig ur a t or ZyWALL USG 300 User’s Guide 56 3.3.2.4 Maintenance Menu Use the maintenan ce menu screens to mana ge configuration and firmw are files, run diagnostics, and reb oot or shut down the Z yWALL. Console Speed Set the console speed. DNS Configure the DNS server and address records for the Z yWALL. WWW Service Control Co[...]
-
Pagina 57
Chapter 3 Web Configurator ZyWALL USG 300 User’s Guide 57 3.3.3 Main Window The main window shows the screen you sele ct in the navigation panel. The main window screens are discussed in t he rest of this document. Right after y ou log in, the Dashboard screen is displayed. See Chapter 9 on page 221 for more information about the Da shboard scree[...]
-
Pagina 58
Chapter 3 Web C onfig ur a t or ZyWALL USG 300 User’s Guide 58 settings reference the object. The follo wing example shows which configuration settings reference the ldap-users user obje ct (in this case the first firewall rule). Figure 18 Object Refer ence The fields vary with the t ype of object. The following table describes labels that can ap[...]
-
Pagina 59
Chapter 3 Web Configurator ZyWALL USG 300 User’s Guide 59 3.3.3.4 CLI Messages Click CLI to look at the CLI commands sen t by th e Web Configurator . These commands appear in a popup window , such as the following. Figure 19 CLI Messages Click Clear to remove the currently displa y ed information. See the Command Reference Guide fo r information [...]
-
Pagina 60
Chapter 3 Web C onfig ur a t or ZyWALL USG 300 User’s Guide 60 • Sort in ascending alphabetical order • Sort in descending (reverse) al phabetical order • Select which columns to display • Group entries by field • Show entries in groups • Filter by mathematical oper ators (< , >, or =) or searching for text Figure 21 Common T ab[...]
-
Pagina 61
Chapter 3 Web Configurator ZyWALL USG 300 User’s Guide 61 4 Select a column heading and dr ag and drop it to change the column order . A green check mark displays nex t to the c olumn’s title when you drag the c olumn to a valid new location. Figure 23 Changing the Column Order 5 Use the icons and fields at the bottom of the table to navigate t[...]
-
Pagina 62
Chapter 3 Web C onfig ur a t or ZyWALL USG 300 User’s Guide 62 Here are descriptions for the most common table icons. 3.3.4.3 Wo rking with List s When a list of av ailable entries displays ne xt to a list of sele cted entries , you can often just double-click an entry to move it from one list to the other . In some lists you can also use the [Sh[...]
-
Pagina 63
ZyWALL USG 300 User’s Guide 63 C HAPTER 4 Installation Setup Wizard 4.1 Inst allation Setup Wizard Screens If you lo g into the W eb Configur ator when the Z yWALL is using its default configuration, the firs t Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscript ion servic[...]
-
Pagina 64
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 300 User’s Guide 64 4.1.1 Internet Access Setup - W AN Interface Use this screen to set how many W AN interfaces to configure and the first W AN interface’ s type of encapsulation and method of IP address ass ignment. The screens v ary depending on the encapsulation type. R efer to information [...]
-
Pagina 65
Chapter 4 Installa tion Setup Wizard ZyWALL USG 300 User’s Guide 65 Note: Enter the Internet access in formation exactly as given to you by your ISP . Figure 29 Internet Access: Ethernet Encapsulation • Encapsulation : This displays the type of Internet connection you are configu ring. • First WAN Interface : This is the number of the in terf[...]
-
Pagina 66
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 300 User’s Guide 66 4.1.3 Internet Access: PPPoE Note: Enter the Internet access in formation exactly as given to you by your ISP . Figure 30 Internet Access: PPPoE Encapsulation 4.1.3.1 ISP Parameters • T ype the PPPoE Service Name from your service provider . PPPoE uses a service name to iden[...]
-
Pagina 67
Chapter 4 Installa tion Setup Wizard ZyWALL USG 300 User’s Guide 67 4.1.3.2 W AN IP Address Assignment s • WAN Interface : This is the name of the inte rfac e that will conne ct with your ISP . • Zone: This is the se curity zone to wh ic h this interfac e an d Internet co nnection will belong . • IP Address : Enter your (s tatic) public IP [...]
-
Pagina 68
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 300 User’s Guide 68 • CHAP/PAP - Y our ZyW ALL accepts either CHAP or P AP when requested by the remote no de . • CHAP - Y our ZyW ALL accepts CHAP only . • PAP - Y our ZyW ALL accepts PAP onl y . • MSCHAP - Y our ZyW ALL accepts MSCHAP only . • MSCHAP-V2 - Y our Z yWALL accep ts MSCHAP[...]
-
Pagina 69
Chapter 4 Installa tion Setup Wizard ZyWALL USG 300 User’s Guide 69 4.1.6 Internet Access Se tup - Second W AN Interface If you se lected I have two ISPs , after you configure the First WAN Interface , you can configure the Second WAN Interface . The screens for configuring the second WAN interf ace are simil ar to the first (see Section 4.1.1 on[...]
-
Pagina 70
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 300 User’s Guide 70 Note: If you have not already do ne so, you can register your ZyW ALL with myZyXEL.com and activate trials of services like IDP . Click Next and us e the foll owing screen to perform a basic registrati on (see Section 4.2 on page 70 ). If you w ant to do a more detailed regist[...]
-
Pagina 71
Chapter 4 Installa tion Setup Wizard ZyWALL USG 300 User’s Guide 71 • Select existing myZyXEL.com account if you already have an account at myZ yXEL.com and enter your user name and password in the fields below t o register your Z yWALL. •E n t e r a User Name for your myZ yXEL.com account. Use from six to 20 alphanumeric characters (a nd the[...]
-
Pagina 72
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 300 User’s Guide 72[...]
-
Pagina 73
ZyWALL USG 300 User’s Guide 73 C HAPTER 5 Quick Setup 5.1 Quick Setup Overview The W eb Configur ator's quick setup wizards help you configure Internet and VPN connection settings. This chapt er pro vid es informa t io n on configu ring the qu ic k setup screens in the W eb Configurator . See the feature-specific chapters in this User’s Gu[...]
-
Pagina 74
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 74 5.2 W AN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to co nnect to the internet. Click Next . Figure 37 W AN Interface Quick Setup Wizard 5.2.1 Choose an Ethern[...]
-
Pagina 75
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 75 Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from y our ISP . Figure 39 W AN Interface Setup: S tep 2 The screens v ary depending on what encapsulation type you us e. Re fer to i n f o r m a t i o n p r o v i d e d b y y o u r I S P t o k n o w w h a t t[...]
-
Pagina 76
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 76 • IP Address Assignment : Select Auto If y our ISP did not assign you a fix ed IP address. Select Static If the ISP assigned a fixed IP address. 5.2.4 W AN and ISP Connection Settings Use this screen to configure the ISP an d WAN interface settings. This screen is read-only if you set the IP [...]
-
Pagina 77
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 77 Authentication Ty p e Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Y our Z yWALL accepts eith er CHAP or P AP when requested by this remote node. CHAP - Y our Z yWALL accepts CHAP on ly . PAP - Y our Z y WALL accepts PAP only . MSCH[...]
-
Pagina 78
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 78 5.2.5 Quick Setup Interface Wizard: Summary This screen displa ys the WAN i nterface’ s settings. Figure 42 Interface Wizard: Su mmary W AN (PPTP Shown) The following table describes t he labels in this screen. First DNS Server Second DNS Server These fields only display for an interface with[...]
-
Pagina 79
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 79 5.3 VPN Quick Setup Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and ad dress objects that you can use later in configur ing more VPN con necti ons or other features. Clic[...]
-
Pagina 80
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 80 5.4 VPN Setup Wizard: W izard T ype A VPN (Virtual Private Network) tunnel is a secure connecti on to another computer or network. Use this screen to select wh ich type of VPN connection you wan t to configure. Figure 44 VPN Setup Wizard: Wizard T ype Express : Use this wizard to create a VPN c[...]
-
Pagina 81
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 81 5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 44 on page 80 to display the following screen. Figure 45 VPN Express Wizard: S tep 2 Rule Name : T ype the name used to identify this VPN co nnection (and VPN gateway) . Y ou may use 1-31 alphanum eric char acte[...]
-
Pagina 82
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 82 5.5.1 VPN Express Wizard - Configuration Figure 46 VPN Express Wizard: S tep 3 • Secure Gateway : If Any displa ys in this field, it i s not configurable for the chosen scenario. If this field is conf i gurable, enter the W AN IP address or domain name of the remote IPSec devi ce (secure gate[...]
-
Pagina 83
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 83 5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’ s configuration and also commands that you can copy and paste into another ZLD-based Z yWALL’ s command line interface to configure it. Figure 47 VPN Express Wizard: S tep 4 • Rule Name : Identi[...]
-
Pagina 84
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 84 5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 48 VPN Express Wizard: S tep 6 Note: If you have not already do ne so, use t he myZyXEL.com link and register you r ZyW ALL with myZyXEL.com and activate trials of services like IDP . Click Close to exit the wizard.[...]
-
Pagina 85
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 85 5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 44 on p age 80 to di spla y the following screen. Figure 49 VPN Advanced Wizard: Scenario Rule Name : T ype the name used to identify this VPN co nnection (and VPN gateway) . Y ou may use 1-31 alphanum eric [...]
-
Pagina 86
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 86 • Remote Access (Client R ole ) - Choose this to connect to an IPSec serv er . This Z yWALL is the cli ent (dial-in user) and can initiate the VPN tunnel. 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet K ey Exchange) negotiation – phase 1 (Authentic[...]
-
Pagina 87
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 87 that uses a 168-bit k ey . As a result, 3DES is more secure than DES. It also requires more processing power , result ing in increased latency and decreased throughput. AES128 uses a 128-bit ke y and is faster than 3DES. AES192 uses a 192-bit ke y and AES256 uses a 256- bit key . • Authentica[...]
-
Pagina 88
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 88 5.5.6 VPN Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA t hat was established in phase 1 t o negotiate SAs for IPSec. Figure 51 VPN Advanced Wizard: S tep 4 • Active Protocol : ESP is compatible with NA T , AH is not. • Encapsulation : Tunn el is com p atible with N A T , Transpor[...]
-
Pagina 89
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 89 • Nailed-Up : This displays for the site-to-si te and remote access client role scenarios. Select this to have the Z y WALL automati cally renegotiate the IPSec SA when the SA l ife time expires. 5.5.7 VPN Advanced Wizard - Summary This is a read-only summary of the VPN tunnel settings. Figur[...]
-
Pagina 90
Chapter 5 Quick Setup ZyWALL USG 300 User’s Guide 90 5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 53 VPN Wizard: S tep 6: Advanced Note: If you have not already do ne so, you can register your ZyW ALL with myZyXEL.com and activate trials of services like IDP . Click Close to exit the wizard.[...]
-
Pagina 91
ZyWALL USG 300 User’s Guide 91 C HAPTER 6 Configuration Basics This information is provided to help yo u configure the ZyW ALL effectively . Some of it is helpf u l wh en you are ju st getti ng started . Som e of it is pr ovi d ed fo r your reference when you configure various features in the Z yWALL. • Section 6.1 on page 91 introduces the Z y[...]
-
Pagina 92
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 92 objects whenever the interface’ s IP addres s settin gs change . For example, if you change an Ethernet interf ace’ s IP address, the Z y WALL automatically updates the rules or settings that use the interf ace-based, LAN subnet ad dress object. Y ou can use the Configuration[...]
-
Pagina 93
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 93 6.2.1 Interface T ypes There are man y types of interfaces in th e ZyW ALL. In addition to being used in various features, i nterfaces also describe the network that is direct ly connected to the ZyW AL L. • Ethernet interfaces are the foundation for defi ni ng oth er interfaces [...]
-
Pagina 94
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 94 6.2.2 Default Interface and Zone Configuration This section introduces the Z yWALL’ s default zone member ph ysical interfaces and the default configuration of those interfac es. The following figure uses letters to denote public IP addresses or part of a priv ate IP address. F[...]
-
Pagina 95
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 95 • The W AN zone contai ns the ge2 an d ge3 interfaces (p hysical ports 2 and 3 ). They use public IP ad dresses to connect to the Internet. • The DMZ zone contains the ge4 and ge5 interfaces (physical ports 4 and 5 ). The DMZ zone has servers that are avai la ble to the public.[...]
-
Pagina 96
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 96 6.4 Packet Flow Here is the order in which the Z yWALL applies its features and checks. Figure 56 Packet Flow 6.4.1 ZLD 2.20 Packet Flow Enhancement s ZLD version 2.20 has been enhanced to simplif y configurat ion. The packet flow has been changed as follows: • Automatic SNA T [...]
-
Pagina 97
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 97 • Y ou do not need to set up policy routes for 1:1 NA T entries. • Y ou can create Many 1:1 NA T entries to translate a range of private network addresses to a r ange of public IP addresses • Static an d dynamic routes have their own category . Even wi th these chan ges, you [...]
-
Pagina 98
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 98 2 Policy Routes : These are the user-configured policy routes. Configure policy routes to send packets through the ap propriate interface or VPN tunnel. See Chapter 15 on page 373 for more on policy routes. 3 1 to 1 and Many 1 to 1 NAT : These are the 1 to 1 NA T and many 1 to 1 [...]
-
Pagina 99
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 99 Z yWALL stops checking the packets against the NA T table and moves on to bandwidth management. Figure 58 NA T T able Checking Flow 1 SNA T defined in the policy routes . This w as already in ZLD 2.1x. 2 1 to 1 SNA T (including Many 1 to 1) is also included in the NA T table. 3 NA [...]
-
Pagina 100
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 100 6.5.1 Feature This provides a brief description. See the appropriate chapter(s) in this Us er’s Guide for more information about any feature. Example: This provi des a simple example to show you how to configure this feature. The example is usually ba sed on the network topolo[...]
-
Pagina 101
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 101 subscription to update the anti -virus and IDP/ap plication patrol signatures Y ou must have Internet access to myZ yXEL.com. 6.5.4 Interface See Section 6.2 on page 92 for background information. Note: When you create an interfa ce, there is no security ap plied o n it until you [...]
-
Pagina 102
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 102 and general NA T on the source address. Y ou hav e to set up the criteria, next-hops, and NA T settings first. Example: Y ou h a ve a n F T P s er v e r co n n e c te d t o ge4 (in the DMZ zone). Y ou want to limit the amount of FTP tr affic that goes out from the FTP server thr[...]
-
Pagina 103
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 103 6.5.7 S t atic Routes Use static routes to tell the Z yWALL abou t networks not directly connected to the Zy WA L L . 6.5.8 Zones See Section 6.2 on page 92 for background information. A zone is a group of interfaces and VPN tunnels. T he Zy WALL uses zones, not interfaces, in man[...]
-
Pagina 104
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 104 The Z yWALL only checks regu lar (through-ZyW ALL) firewall rules for packets that are redirected by NA T , it does not check the to-Z yWALL f irewall rules. Example: Suppose you ha ve an FTP server with a private IP address connected t o a DMZ port. Y ou could configure a NA T [...]
-
Pagina 105
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 105 3 Name the entry . 4 Select the interface from which you w a nt to redirect incoming HT TP requests ( ge1 ). 5 Specify the IP address of the HT TP proxy server . 6 Specify the port number to use for the HT TP traff ic that you forward to the proxy server . 6.5.12 ALG The Z yWALL?[...]
-
Pagina 106
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 106 Example: Suppose you hav e a SIP proxy server connected to the DMZ zone for V oIP calls. Y ou could configure a firewall rule to allow V oIP sessions from the SIP proxy server on DMZ to the LAN so V oIP users on the LAN can receiv e calls. 1 Create a V oIP service object for UDP[...]
-
Pagina 107
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 107 Example: See Chapter 7 on page 115 . 6.5.17 L2TP VPN Use L2TP VPN to let remote users use the L2TP and IPSec cli ent softw are includ ed with their computers’ operati ng systems to securely connect to the network behind the Z yWALL. Example: See Chapter 8 on page 183 . 6.5.18 Ap[...]
-
Pagina 108
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 108 Note: With this example, Bob would have to log in using his a ccount. If you do not want him to have to log in, you might create a n exception policy with Bob’ s computer IP address as the so urce. 6.5.19 Anti-V irus Use anti-v irus to detect and tak e action on viruses. Y o u[...]
-
Pagina 109
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 109 1 Create a user account for Bill if you have not done so already ( Configuration > Object > User/Group ). 2 Create a schedule for the work day ( Configuration > Object > Schedule ). 3 Click Configuration > Anti-X > Content Filter > Filter Profile . Click the A[...]
-
Pagina 110
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 11 0 6.6 Object s Objects store information and are ref erenced by other features. If you up date this informat ion in re sponse to change s, th e ZyW ALL automa tically propagates the change through the features that use the o bjec t. Move your cu rso r over a configur ation object[...]
-
Pagina 111
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 111 If you want to force us ers to log in to the ZyW ALL before the Z yWALL routes traffic for them, you might have to configure prerequis ites first. 6.7 System This section introduces some of the management featu res in the Z yWALL. Use Host Name to configure the system and domain n[...]
-
Pagina 112
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 11 2 2 Create an address object for t he administr ator’s computer ( Configuration > Object > Ad dress ). 3 Click Configuration > System > WWW to configure the HT TP management access. Enable HT TPS an d add an administr ator service control entry . • Select the addr[...]
-
Pagina 113
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 300 User’s Guide 11 3 Always use Maintenance > Shut down > Shut down or the shutdown command before you turn off the Zy W ALL or remove the power . Not doing so can cause the firm ware to become corrupt. MENU ITEM(S) Maintenance > Shutdown[...]
-
Pagina 114
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 300 User’s Guide 11 4[...]
-
Pagina 115
ZyWALL USG 300 User’s Guide 11 5 C HAPTER 7 Tutorials Here are examples of using the W eb Conf igurator to set up features in the Zy WA L L . S e e a l s o Chapter 8 on page 183 for an example of configuring L2TP VPN. Note: The tuto rials featu red he re re qu i r e a bas i c u nd e rs t and i ng o f co nn ec ti ng to and using the W eb Configura[...]
-
Pagina 116
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 11 6 • Y ou want to be able to apply security settings spec ifically for all VPN tunnels so you create a new VPN zone. Figure 59 Ethernet In terface, Port Grouping, and Zone Configuration Example 7.1.1 Configure a W AN Ethernet Interface Y ou need to assign the ZyW ALL’s ge2 interface a static I[...]
-
Pagina 117
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 11 7 1 Click Configuration > Network > Zone and then the Add icon. 2 Enter VPN as the name, select Default_L2TP_VPN_Connection a n d m o v e i t t o the Member box and clic k OK . Figure 61 Configura tion > Network > Zone > W AN Edit 7.1.3 Configure Port Grouping Here is how to combin[...]
-
Pagina 118
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 11 8 2 Drag physical port 5 ont o representative interface ge4 and click Apply . Figure 62 Configura tion > Network > Interface > Port Grouping Examp le 3 Click Dashboar d , and look at the Interface Status Summary . Ethernet interface ge4 has a status of Port Group Up if it is connect ed o[...]
-
Pagina 119
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 11 9 3 Click Configuration > Network > Interface > Cellular . Select the 3G device’ s entry and click Edit . Figure 64 Configura tion > Network > Interface > Cellular 4 Enable the interface and add it to a z one. It is highly recommended that you set the Zone to WAN to apply your[...]
-
Pagina 120
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 120 5 Go to the Dashboard . The Interface Status Summary section should contain a “cellular” entry . When its connection status is Connected you can use the 3G connection to acce ss the Internet. Figure 66 S tatus 6 The Z yWALL automatically adds the cellular interface to the system d efault WA [...]
-
Pagina 121
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 121 Y ou do not have to change many of the Z yWALL ’s settings f rom the defaults to set up this trunk. Y ou only hav e to set up the outgoing bandwidth on each of the W AN interfaces and configure the WAN_TRUN K trunk’ s load balancing settings. 7.3.1 Set Up A vailable Bandwid th on Ethernet In[...]
-
Pagina 122
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 122 7.3.2 Configure the W AN T runk 1 Click Configuration > Netw ork > Interface > T r un k . Click the Add icon. 2 Name the tru n k a nd se t the Load Balancing Algorithm field to Weighted Round Robin . Add ge2 and enter 2 in the Weight column. Add ge3 and enter 1 in the Weight column. Cli[...]
-
Pagina 123
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 123 3 Select the trunk as the defaul t trunk and click Apply . Figure 70 Configura tion > Network > Interface > T runk 7.4 How to Set Up a Wireless LAN Y ou can install a wireless LAN card (IEEE 802.11b/g) in the PCIMCIA slot (see T able 264 on page 915 for the supported cards). Y ou can co[...]
-
Pagina 124
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 124 1 Click Configura tion > Object > User /Group > User and the Add icon. 2 Set the User Name to wlan_user . Enter (and re-enter) the user’s password. Click OK . Figure 71 Configura tion > Object > User/Group > User > Add 3 Use the Add icon in the Config uration > Ob ject [...]
-
Pagina 125
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 125 2 Edit this screen as follows. A (internal) name for the WLAN interface displays. Y ou can modify it if you w ant to. The Z yWALL ’s security settings are configured by zones . Select to which security zone you want the WLAN interface to belo ng (the WLAN zone in this example). This determines[...]
-
Pagina 126
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 126 Figure 72 Configura tion > Network > Interface > WLAN > Add[...]
-
Pagina 127
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 127 3 T urn on the wireless LAN and click Apply . Figure 73 Configura tion > Network > Interface > WLAN 7.4.3 Set Up the Wireless Clie nt s to Use the WLAN Interface The following sections show you how to have a wireless client (not included with the Z yWALL) use the wireless network. 7.4.3[...]
-
Pagina 128
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 128 1 Open the wireless client utility and c lick Profile . Figure 74 ZyXEL Wireless Client 2 Add a new profile. This example uses “Z YXEL_WP A ” as the name. It is also the SSID (name) of the w ire le ss netwo rk. Se lect Infrastructure and click Next . Figure 75 ZyXEL Wireless Client > Prof[...]
-
Pagina 129
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 129 3 Select WPA2 as the security t ype and click Next . Figure 76 ZyXEL Wireless Client > Prof ile: Security T ype 4 Set the encryption type to TKIP and the EAP type to TTLS . Configure wlan_user as the Login Name and enter the account’ s password (also wlan_user in this example. In TTLS Proto[...]
-
Pagina 130
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 130 5 Confirm your setti ngs and click Save . Figure 78 ZyXEL Wireless Client > Prof ile: Save 6 Click Activate Now . Figure 79 ZyXEL Wireless Client > Prof ile: Activate[...]
-
Pagina 131
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 131 7 The ZYXEL_WPA profile displays in your list of profiles. Figure 80 ZyXEL Wireless Client > Prof ile: Activate Since the Z yXEL utility does not hav e the wireless client v alidate the Z yW ALL’ s certificate, you can go to Section 7.4.3.4 on page 139 . 7.4.3.2 Configure the Funk Odyssey W[...]
-
Pagina 132
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 132 2 Name the profile (this example uses ZYXEL_WPA ). In th e User Info tab, configure wlan_user as the Login name . In the Password sub-tab, select Prompt for long name and password . Figure 82 Odyssey Access Client Manage r > Profiles > User Info 3 Click the Authentication tab and select Va[...]
-
Pagina 133
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 133 4 Click the TTLS tab and select PAP . Then click OK . Figure 84 Odyssey Access Client Manager > Profiles > Authentication 5 Click Networ ks > Add . Figure 85 Odyssey Access Client Manager > Networks[...]
-
Pagina 134
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 134 6 Enter the name of the wireless network (“ ZYXEL_WP A ” in this example) or click Scan to look for it. Then select Authenticate us ing profile and select the profile you conf igured (“ZYXEL_WP A ” in this example). Cli ck OK . Figure 86 Odyssey Access Client Manager > Networks > A[...]
-
Pagina 135
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 135 1 In Internet Explorer , click Tools > Internet Options > Content and click the Certificates button. Figure 87 Internet Explo rer: T ools > Internet Options > Content 2 Click Import . Figure 88 Internet Explor er: T ools > Internet Options > Content > Certificates[...]
-
Pagina 136
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 136 3 Use the wizard screens to import the ce rtificate. Y ou may need to change the Files of Type setting to All Files in order to see th e certificate file. Figure 89 Internet Explo rer Certificate Import Wizard File Open Screen 4 When you get to the Certificate Store sc reen, select the option to[...]
-
Pagina 137
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 137 5 If you get a sec uri ty warni ng screen, cli ck Yes to proceed. Figure 91 Internet Explo rer Certificate Import Certificate W arning Screen[...]
-
Pagina 138
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 138 6 The Internet Explorer Certificates screen rema ins open after the import is done. Y ou can see th e newly import ed certificate listed in the Trusted Root Certification Authorities tab. The v alues in the Issued To and Issued By fields should match those in the Z yWALL’ s My Certificates scr[...]
-
Pagina 139
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 139 7.4.3.4 Wireless Client s Use the WL AN Interface A login screen dis p lays when the wireles s clie n t at te m p ts to c o nn ec t to th e wireless interface. Enter the us ername and password and c lick OK . Figure 94 Funk Odysse y Access Wireless Client Login Example 7.5 How to Set Up an IPSec[...]
-
Pagina 140
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 140 7.5.1 Set Up the VPN Gateway The VPN gateway manag es the IKE SA. Y ou do not have to set up any other objects before you configure the VPN gatew ay because this VPN tunnel does not use any certificates or extended authentication. 1 Click Configuration > VPN > IPSec VPN > VPN Gateway , [...]
-
Pagina 141
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 141 1 Click Configuration > Object > Address . Click the Add icon. 2 Give the new address ob ject a name (“VPN_REMO TE_SUBNET”), change the Address Type to SUBNET . Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK . Figure 97 Configura tion > Object >[...]
-
Pagina 142
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 142 7.5.3 Configure Security Policies for the VPN T unnel Y ou configure security policies based on zones. Assign the new VPN connection to a zone to be able to apply security polici es (firewall rules, IDP , and so on) to the VPN connection. Make sure all fi rew a lls between the Zy WALL and remote[...]
-
Pagina 143
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 143 • My Address: 10.0.0.2 • Primary R emote Gateway: 10.0.0.1 Network Policy (Phase 2) • Local Network: 192.168.167.0/255. 255.255.0 • Remote Net work: 192.168.168.0~192.168.169.255 Headquarters (ZyW ALL USG): VPN Gateway (VPN T unnel 1): • My Address: 10.0.0.1 • P eer Gatew ay Address:[...]
-
Pagina 144
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 144 7.6.0.1 Hub-and-spoke VPN Re quirement s and Suggestions Consider the following when im plementing a hub-and-s poke VPN. • This example uses a wide r ange for the Z yNOS-based Z yWALL’ s remote network, to use a narrower range, see Section 25.4.1 on page 491 for an example of configuri ng a [...]
-
Pagina 145
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 145 The users are authenticated by an ex ternal RADIUS serv er at 192.168.1.200. First, set up the user accounts and user groups in the Z yWALL. Then, set up user authenticat i on us i ng the RADIU S ser ver . Finall y , se t up the poli c ie s i n th e table above. The Z yWALL has its default setti[...]
-
Pagina 146
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 146 7.7.2 Set Up User Group s Set up the user groups and assign the users to the user groups. 1 Click Configura tion > Object > User/Gro up > Group . Click the Add icon. 2 Enter the n ame of the grou p that is used in T able 20 on page 144 . In this example, it is “Finance” . Then, sele[...]
-
Pagina 147
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 147 1 Click Configuration > Object > AAA Server > RADIUS . Double-click the radius entry . Configure the RADIUS server’ s address authentication port (1812 if you were not told otherwise), key , and click Apply . Figure 102 Configuration > Object > AAA Server > RADIUS > Add 2 [...]
-
Pagina 148
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 148 Note: The users will have to lo g in using the W eb Configurator login screen befo re they can use HTTP or MSN. Figure 104 Configur ation > Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to brow se the web (or use an y HT TP/HT TPS applicati[...]
-
Pagina 149
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 149 1 Click Configuration > AppPatrol . If application patrol and b andwidth management are not enabled, enable them, and click Apply . Figure 105 Configuration > AppPatrol > General 2 Click the Common tab and double-clic k the http entry . Figure 106 Configuration > AppPatrol > Commo[...]
-
Pagina 150
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 150 3 Double-click the Defau lt policy . Figure 107 Configuration > AppPatrol > Common > http 4 Change the access to Dr op because you do n ot want any one except authorized user groups to browse the web. Click OK . Figure 108 Configuration > AppPatrol > Common > http > Edit Def[...]
-
Pagina 151
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 151 5 Click the Add icon in the policy list. In the ne w policy , select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fiel ds. Click OK . R epeat this process to add exceptions for all the other user grou ps that[...]
-
Pagina 152
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 152 2 Give the schedule a descriptive name. Set up the d ays (Monday through Friday) and the times (8:30 - 18:00) when Sal es is allowed to use MSN. Click OK . Figure 1 10 Configuration > Object > Sche dule > Add (Recurring) 3 Fol low the steps in Section 7.7.4 on page 148 to set up the app[...]
-
Pagina 153
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 153 2 Click the Add icon again and create a rule for one of the user groups that is allowed to access the DMZ. Figure 1 12 Configuration > Firewa ll > Add 3 Re peat this proc ess to set up firewall rules for the other user groups that are allowed to access the DMZ. 7.8 How to Use a RADIUS Serv[...]
-
Pagina 154
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 154 1 Click Configuration > Object > AAA Server > RADIUS . Double-click the radius entry . Besides configuring the RADIUS server’ s address, authentication port, and key; set the Group Membership Attribute fiel d to the attri but e that the Z yW ALL is to check t o determine to which grou[...]
-
Pagina 155
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 155 2 Now you add ext -group-user user objects t o identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server . Click Configuration > Object > User/Group > User . Click the Add icon. Enter a user name and set the User T[...]
-
Pagina 156
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 156 • Select Endpoint must have Personal Firewall installed and move the K asper sk y Internet Se c uri ty en tries t o th e allowed list (you can double-click an entry to move it). • Select Endpoint must have Anti-Virus softwa re installed and move the K aspersk y Internet S ec uri ty an d Kasp[...]
-
Pagina 157
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 157 Repeat as needed to create endpoint secu rity objects for other Windows operating system versions. 7.9.2 Configure the Authentication Policy Click Configuration > Auth. Policy > Add to open the En dpoint Security Edit screen. Use this screen to configure an authentication p olicy to use en[...]
-
Pagina 158
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 158 4 T urn on authentication policy and click Apply . Figure 1 17 Configuration > Auth. Policy The following figure shows an error me ssage example when a user’ s computer does not meet an endpoint securi ty object’ s requirements. Click Close to return to the login screen. Figure 1 18 Examp[...]
-
Pagina 159
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 159 user access (logging into SSL VPN for example). See Chapter 50 on page 809 for more on service control. The T o-ZyW ALL firewall rules apply to any ki nd of HTTP or HT TPS connection to the Z yWALL . They do not distinguish between administrator management access and user access. If you conf igu[...]
-
Pagina 160
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 160 4 Select the new rule and click the Add icon. Figure 121 Configur ation > System > WWW (First Example Admin Service Rule Configured) 5 In the Zone field select ALL and set the Action to Deny . Click OK . Figure 122 Configuration > System > WWW > Service Control Rule Edit[...]
-
Pagina 161
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 161 6 Click Apply . Figure 123 Configuration > System > WWW (Sec ond Example Ad min Service Rule Configured) Now administr ator access to the W eb Conf igurat or can only come from the LAN zone. Non-admin users can still use HTTPS to log into the Z yW ALL from any of the Z yWALL’ s zones (to[...]
-
Pagina 162
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 162 for ge2 IP address 10.0.0.8 t o a H.323 de vice located on the LAN and using IP address 192.168.1.56. Figure 124 W AN to LAN H.323 Peer-to-peer Calls Example 7.1 1.1 T urn On the ALG Click Configuration > Network > ALG . Select Enable H.323 ALG and Enable H.323 tran sformations and click A[...]
-
Pagina 163
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 163 1 Use Configuration > Object > Address > Add to create an address object for the public W AN IP address (called WAN_IP-for -H323 here). Then use it again t o create an address object for the H.323 de vice’ s private LAN IP address (called LAN_H323 here). Figure 126 Create Addre ss Obj[...]
-
Pagina 164
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 164 2 Click Configuration > Network > NAT > Add. Configure a name for the rule (W AN-LAN_H323 here). Y ou want the LAN H.323 device to receive peer -to-peer calls from the WAN and also be able to initiate calls to t he WAN so you set the Classification to NAT 1:1 . Set the Incoming Interfac[...]
-
Pagina 165
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 165 1 Click Configuration > Firewall > Add . In the From field select W A N. In the To field select LAN. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device’ s LAN IP address object ( LAN_H323 ). LAN_H323 is the destination because the ZyW ALL applie[...]
-
Pagina 166
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 166 7.12.1 Create the Address Object s Use Configuration > Object > Address > Add to create the addr ess obje cts. 1 Create a host address object named DMZ_HT TP for the HT TP server ’s priv ate IP address of 192.168.3.7. Figure 130 Creating the Address Object for the HTTP Server ’s Pri[...]
-
Pagina 167
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 167 • K eep Enable NAT Loopback selected to allow users connected to other interfaces to ac ce ss the HTTP server (see NA T Loopback on page 419 for details). Figure 132 Creating the NA T Entry 7.12.3 Set Up a Firewall Rule The firewall blocks traffi c from the W AN zone to the DMZ zone by default[...]
-
Pagina 168
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 168 1 Click Configuration > Firewall > Add . Set the From field as WAN and the To field as DMZ . Set the Destination to the HT TP server’s DMZ IP address object ( DMZ_HTTP ). DMZ_HTTP is the destination because the Z yW ALL applies NA T to traffic before applying the firewal l rule. Set the [...]
-
Pagina 169
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 169 address 1.1.1.2 that you wi ll use on the ge3 interface and map to the IPPBX’ s privat e IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 134 IPPBX Example Network T opology[...]
-
Pagina 170
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 170 7.13.1 T urn On the ALG Click Configuration > Network > ALG . Select Enable SIP ALG and Enable SIP Transformations and click Apply . Figure 135 Configuration > Netw o rk > ALG 7.13.2 Create the Address Object s Use Configuration > Object > Address > Add to create the addr es[...]
-
Pagina 171
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 171 2 Create a host address object named IPPB X -Public for the public W AN IP address 1.1.1.2. Figure 137 Creating the Public IP Address Object 7.13.3 Setup a NA T Policy for the IPPBX Click Configuration > Network > NAT > Add. • Configure a name for the rule (WAN-DMZ_IPPBX here). • Y [...]
-
Pagina 172
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 172 •C l i c k OK . Figure 138 Configu ration > Network > NA T > Add 7.13.4 Set Up a W AN to DMZ Firewall Rule for SIP The firewall blocks traffi c from the W AN zone to the DMZ zone by default so you need to create a firew all rule to allow the pu blic to send SIP traffic to the IPPB X. [...]
-
Pagina 173
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 173 1 Click Configuration > Firewall > Add . Set the From field as WAN and the To field as DMZ . Set the Destination to the IPPBX’ s DMZ IP address object ( DMZ_SIP ). IPPBX_DMZ is the desti nation be caus e the Z yW ALL applies NA T to traffic before applying the firewal l rule. Set the Acc[...]
-
Pagina 174
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 174 1 Click Configuration > Firewall > Add . Set the From field as DMZ and the To field as LAN . Set the Destination to the IPPBX’ s DMZ IP address object ( DMZ_SIP ). Set the Source to IPPBX_DMZ . Leave the Access field to allow and click OK . Figure 140 Configuration > Fi rewall > Ad[...]
-
Pagina 175
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 175 7.14.2 Configure the Policy Route Now you need to configure a policy r out e that has the ZyW ALL use the range of public IP addresses as the source address for W AN to LAN traffic. Click Configuration > Netw ork > Routing > Add . Although adding a descri ption is optional, it is recomm[...]
-
Pagina 176
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 176 An Ethernet switch connects both Z yWALLs’ ge1 interfaces to the LAN. Whichever Z yWALL is functioning as the master uses the default gatewa y IP address of the LAN computers (192.168.1.1) for its ge 1 interface and the static public IP address (1.1.1.1) for its ge2 interface. If Z yWA LL A re[...]
-
Pagina 177
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 177 7.15.2 Configure Device HA on the Master ZyW ALL 1 Log into Z yW ALL A (the master) and click Configuration > Device HA > Active - Passive Mode . Double-click ge1 ’s e n t r y . 2 Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Manage IP Subnet Mask . Click OK . Figur[...]
-
Pagina 178
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 178 3 Set the Device Role to Mas ter . This example focuses on the connection from the LAN ( ge1 ) to the Internet through t he ge2 interface, so select the ge1 and ge2 interfaces and click Activate . Enter a Synchronization Password (“mySyncPassword” in this ex a m p le) a nd c li c k Apply . F[...]
-
Pagina 179
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 179 7.15.3 Configure the Backup ZyW ALL 1 Connect a computer to ZyW ALL B ’s ge1 interface and log into its W eb Configurator . Connect Z yWALL B to the Internet and su bscribe it to the same subscription services (lik e content fi ltering and anti -virus) t o which Z yWALL A is subscribed. See Ch[...]
-
Pagina 180
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 180 4 Set the Device Role to Backup . Activ ate monitoring for the ge1 and ge2 interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “m ySyncP assword” . Select Auto Synchronize and set the Interval to 60. Click Apply . Figure 149 Configu ration &[...]
-
Pagina 181
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 181 7.15.4 Deploy th e Backup ZyW ALL Connect Z yWALL B ’s ge1 interface to the LAN ne twork. Connec t Z yWALL B ’s ge2 interface to the same router that Z yWALL A ’s ge2 interface uses for Internet access. Z yWALL B copies A ’ s configuration (and re-synchronizes wit h A every hour). If Z y[...]
-
Pagina 182
Chapter 7 Tutorials ZyWALL USG 300 User’s Guide 182[...]
-
Pagina 183
ZyWALL USG 300 User’s Guide 183 C HAPTER 8 L2TP VPN Example Here is how to crea te a b asi c L2 T P V PN tunnel. 8.1 L2TP VPN Example This example uses the following setti ngs in creating a basic L 2TP VPN tunnel. Figure 151 L2TP VPN Example • The Z yWALL has a static IP address of 172.16.1.2 for the ge2 interface. • The remote user has a dyn[...]
-
Pagina 184
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 184 • Configure the My Address setting. This example uses interface ge2 with static IP address 172.16.1. 2. Note: If it is possible that the remote user’s public IP address could be in the same subnet as the specified My Address , cli ck Configure > Network > Routing > Policy Rou[...]
-
Pagina 185
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 185 8.3 Configuring the Default L2TP VPN Connection Example 1 Click Configuration > VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Double-click the Default_L2TP_VPN_Connection entry . 2 Click the Show Advanced Settings button. Configure and enforce the [...]
-
Pagina 186
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 186 3 Select the Default_L2TP_VPN_Connection entry and click Activate and then Apply to turn on the entry . Figure 155 Configu ration > VPN > IPSec VPN > VPN Connect ion (Enable) 8.4 Configuring the L2TP VPN Settings Example 1 Click Configuration > VPN > L2TP VPN and configure [...]
-
Pagina 187
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 187 • The other fields are l eft to the defaults in this example, click Apply . Figure 156 Configu ration > VPN > L2TP VPN Example 8.5 Configuring L2TP VPN in Windows V ist a, XP , or 2000 The following sections cover how to configure L2TP in remote user computers using Windows Vista[...]
-
Pagina 188
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 188 2 Select Connect to a workplace and click Next . Figure 157 Set up a connection or network: Chose a connection type 3 Select Use my Internet connection (VPN) . Figure 158 Connect to a workpla ce: How do you want to connect?[...]
-
Pagina 189
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 189 4 Enter the domain name or W AN IP address config ured as the My Address in the VPN gateway config uration that the Z yWALL is using for L2TP VPN (172.16.1.2 in this example). For t h e Destination Nam e , enter L2TP to ZyWALL . Select Don’t connect now, just set it up so I can connect[...]
-
Pagina 190
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 190 6 Click Close . Figure 161 Connect to a workpla ce: The connection is ready to use 7 In the Network and Sharing Center screen, click Connect to a network . Right- click the L2TP VPN connec tion and select Properties . Figure 162 Connect L2TP to ZyW ALL[...]
-
Pagina 191
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 191 8 Click Security , select Advanced (custom settings) and click Settings . Figure 163 Connect L2TP to ZyW ALL: Security 9 Set Data encryption to Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PA P ) and clear al[...]
-
Pagina 192
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 192 inside it. The L2TP tunnel i tself does no t need encryption sinc e it is inside th e encrypted IPSec VPN tunnel. Figure 165 Connect ZyW ALL L2TP: Security > Advanced > W arning 11 Click Networ king . Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings . Figure 166 L2TP t[...]
-
Pagina 193
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 193 13 Select the L2TP VPN connection and click Connect . Figure 168 L2TP to ZyW ALL Properties: Networking 14 Enter the us er name and password of your Z yWALL user account. Click Connect . Figure 169 Connect L2TP to ZyW ALL[...]
-
Pagina 194
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 194 15 A window appears while the user name and password are verified and notifies you when the connection is establi shed. Figure 170 Connecting t o L2TP to ZyW ALL 16 If a window appears asking you to select a locat ion for the network, you can select Work if you want your comput er to be d[...]
-
Pagina 195
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 195 17 After the network location has been set, click Close . Figure 172 Set Network L ocation Successful 18 After the connection is up a connecti on icon displays in your system tra y . Click it and then the L2TP connection to ope n a status screen. Figure 173 Connection System T ray Icon[...]
-
Pagina 196
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 196 19 Click the L2TP connection’ s View status link to open a status screen. Figure 174 Network an d Sharing Center 20 Click Detail s to see the address that you received is from the L2TP range you specified on the Z yWALL (192.168.10.10-192.168. 10.20). Figure 175 ZyW ALL-L2TP S tatus: De[...]
-
Pagina 197
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 197 8.5.2 Configuring L2TP in Windows XP In Windows XP do the following to establi sh an L2TP VPN connection. 1 Click Start > Control Panel > Network Conne ctions > New Connection Wizard . 2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace and click [...]
-
Pagina 198
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 198 5 Ty p e L2TP to ZyWALL as the Company Name . Figure 178 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and cl ick Next . Figure 179 New Connection Wizard: Public Network[...]
-
Pagina 199
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 199 7 Enter the domain name or W AN IP address config ured as the My Address in the VPN gateway config uration that the Z yWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 180 New Connection Wizard: VPN Ser ver Selection 8 Click Finish . 9 The Connect L2TP to ZyWALL screen app[...]
-
Pagina 200
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 200 10 Click Security , select Advanced (custom settings) and click Settings . Figure 182 Connect L2TP to ZyW ALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other ch[...]
-
Pagina 201
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 201 12 Click IPSec Settings . Figure 184 L2TP to ZyW ALL Properties > Security 13 Select the Use pr e-shared key f or authentication check bo x and enter the pre- shared key used in the VPN gate way configur ation that the ZyW ALL is using for L2TP VPN. Click OK . Figure 185 L2TP to ZyW A[...]
-
Pagina 202
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 202 14 Click Networ king . Select L2TP IPSec VPN as the Ty pe of VPN . Click OK . Figure 186 L2TP to ZyW ALL Properties: Networking 15 Enter the us er name and password of your Z yWALL acco unt. Click Connect . Figure 187 Connect L2TP to ZyW ALL 16 A window appears while the user name and pas[...]
-
Pagina 203
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 203 18 Click Detail s to see the address that you received is from the L2TP range you specified on the Z yWALL (192.168.10.10-192.168. 10.20). Figure 189 ZyW ALL-L2TP S tatus: Det ails 19 Access a se rver or ot her n etwork reso urc e b ehind the ZyW ALL to ma ke su re you r access works. 8.[...]
-
Pagina 204
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 204 3 Select HKEY_LOCAL_MACHINESys temCurre ntControlSetServicesRasmanP arameters . Figure 191 Regist ry Key 4 Right- click Parameters and select New > DWORD Value . Figure 192 New DWORD V alue 5 Enter ProhibitIpSec as the name. And mak e sure the Data displays as 0’ s. Figure 193 P[...]
-
Pagina 205
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 205 8.5.3.2 Configure the Windows 2000 IPSec Policy After you hav e created the registry entr y and restarted the computer , use these directions to configure an IPSec policy for the computer to use. 1 Click Start > Run . T ype mmc and click OK . Figure 194 Run mm c 2 Click Console > A[...]
-
Pagina 206
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 206 3 Click Add > IP Security Policy Management >Add > Finish . Click Close > OK . Figure 196 Add > IP Security Policy Manageme nt > Finish 4 Right- click IP Security Policies on Local Machine and click Create IP Security Policy . Click Next in the welcome screen. Figure 197[...]
-
Pagina 207
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 207 5 Name the IP security policy L2TP to ZyWALL , and click Next . Figure 198 IP Se curity Policy: Name 6 Clear the Activate the defa ult response rule check box and clic k Next . Figure 199 IP Se curity Policy: Request for Secure Communication[...]
-
Pagina 208
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 208 7 Leave the Edit Properties check b ox selected and cli ck Finish . Figure 200 IP Se curity Policy: Completing the IP Security Policy Wizard 8 In the properties dialog bo x, click Add > Next . Figure 201 IP Se curity Policy Properties > Add[...]
-
Pagina 209
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 209 9 Select This rule does no t specify a tunnel and click Next . Figure 202 IP Se curity Policy Properties: T unnel Endpoint 10 Select All network connections and click Next . Figure 203 IP Se curity Policy Properties: Network T ype[...]
-
Pagina 210
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 210 11 Select Use this string to protect th e key exchange (preshared key) , type password in the text box, and cli ck Next . Figure 204 IP Se curity Policy Properties: Authentication Method 12 Click Add . Figure 205 IP Se curity Policy Properties: IP Filter List[...]
-
Pagina 211
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 21 1 13 Ty p e ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add . Figure 206 IP Se curity Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab. Select My IP Address in the Source address drop-down list box. Select A spec[...]
-
Pagina 212
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 212 15 Configure the following in the Filter Properties window’ s Protoco l tab. S e t the protocol t ype to UDP from port 1701. Select To any port . Click Apply , OK, and then Close . Figure 208 Filter Properties: Pro tocol 16 Select ZyWALL WAN_IP and click Next . Figure 209 IP Se curity P[...]
-
Pagina 213
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 213 17 Select Require Security and click Next . Then click Finish and Close . Figure 210 IP Se curity Policy Properties: IP Filter List 18 In the Console window , right-click L2TP to ZyWALL and select Assign . Figure 21 1 Console: L2TP to ZyW ALL Assign 8.5.3.3 Configure the Wind ows 2000 Ne[...]
-
Pagina 214
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 214 1 Click Start > Settings > Network and Dial-up connections > Make New Connection . In the wizard welcome screen, click Next . Figure 212 S tart New Connection Wizard 2 Select Connect to a private network through the Internet and clic k Next . Figure 213 New Connection Wizard: Net[...]
-
Pagina 215
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 215 4 Select For all users and click Next . Figure 215 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish . Figure 216 New Connection Wizard: Naming the Connection 6 Click Proper ties . Figure 217 Connect L2TP to ZyW ALL[...]
-
Pagina 216
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 216 7 Click Security and select Advanced (custom settings) and click Settings . Figure 218 Connect L2TP to ZyW ALL: Security 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the [...]
-
Pagina 217
Chapter 8 L2TP VPN Exampl e ZyWALL USG 300 User’s Guide 217 9 Click Networ king and select Laye r 2 Tunneling Protocol ( L2TP) from the drop-down list box. Click OK . Figure 220 Connect L2TP to ZyW ALL: Networking 10 Enter your user name and p assword and click Co nnect . It may take up to one minute to establish the connection and register on th[...]
-
Pagina 218
Chapter 8 L2TP VPN Example ZyWALL USG 300 User’s Guide 218 12 Click Detail s and scroll down to see the addre ss that you recei v ed is from the L2TP range you specified on the Z yWALL (192.168.10.10-192.168.10.20) . Figure 223 L2TP to ZyW ALL S tatus: Deta ils 13 Access a se rver or ot her n etwork reso urc e b ehind the ZyW ALL to ma ke su re y[...]
-
Pagina 219
219 P ART II Technical Reference[...]
-
Pagina 220
220[...]
-
Pagina 221
ZyWALL USG 300 User’s Guide 221 C HAPTER 9 Dashboard 9.1 Overview Use the Dashboard screens to check status information about the Z yWALL. 9.1.1 What Y ou Can Do in this Chapter Use the Dashboard screens for the following. •U s e t h e m a i n Dashboard screen (see Section 9.2 on page 221 ) to see the Z yWALL’ s general device information, sy[...]
-
Pagina 222
Chapter 9 Das hb o ar d ZyWALL USG 300 User’s Guide 222 interface status in widgets that you can re-arrange to suit y our needs. Y ou can also collapse, refresh, and close individual widgets. Figure 224 Dashboard The following table describes t he labels in this screen. T able 21 Dashboard LABEL DESCRIPTION Widget Setting (A) Use this link to re-[...]
-
Pagina 223
Chapter 9 D as hb oa rd ZyWALL USG 300 User’s Guide 223 The following front and rear panel labels display when you hover y our cursor over a connected interface or slot. Name This field displays the name of each interface. Slot This field displays the name of each extension slot. Device This field displays the name of the device connected to the [...]
-
Pagina 224
Chapter 9 Das hb o ar d ZyWALL USG 300 User’s Guide 224 Device This identifies a device installed in one of the Z yWALL’ s extension slots or USB por t s. Device Information Syst e m Name This field displays the name used to iden tify the ZyW ALL on any network. Click the icon to open the screen where you can change it. See Section 50.2 on page[...]
-
Pagina 225
Chapter 9 D as hb oa rd ZyWALL USG 300 User’s Guide 225 Status This field displays the current status of each interface. The possible values depend on what type of interface it is. F or Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface is enabled but not connected. Speed / Duplex - The Ethernet inte[...]
-
Pagina 226
Chapter 9 Das hb o ar d ZyWALL USG 300 User’s Guide 226 Action Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server . Click the Connect icon to hav e the ZyW ALL try to connect a PPP oE/PPTP interface or the auxiliary interface. If the interface cannot use one of these ways t[...]
-
Pagina 227
Chapter 9 D as hb oa rd ZyWALL USG 300 User’s Guide 227 Boot Status This field displays details about the Z yWALL’ s startup state. OK - The Z y WALL started up successfully . Firmware update OK - A firmware update was successful. Problematic configuration after firmware update - The application of the configuration failed after a firmware upgr[...]
-
Pagina 228
Chapter 9 Das hb o ar d ZyWALL USG 300 User’s Guide 228 9.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyW ALL’ s recent CPU usage. T o access this screen, click CPU Usage in the dashboard. Figure 225 Dashboard > CPU Usage The following table describes t he labels in this screen. Signature Name The signature name identi[...]
-
Pagina 229
Chapter 9 D as hb oa rd ZyWALL USG 300 User’s Guide 229 9.2.2 The Memory Usage Screen Use this screen to look at a chart of the Z yWALL’ s recent memory (RAM) usage. T o access this screen, click Memory Usage in the dashboard. Figure 226 Dashboard > Memory Usage The following table describes t he labels in this screen. T able 23 Dashboard &g[...]
-
Pagina 230
Chapter 9 Das hb o ar d ZyWALL USG 300 User’s Guide 230 9.2.3 The Session Usage Screen Use this screen to look at a chart of the Z yWALL’ s recent traff ic ses sion usage. T o access this screen, click Session Usage in the dashboard. Figure 227 Dashboard > Sessio n Usage The following table describes t he labels in this screen. T able 24 Das[...]
-
Pagina 231
Chapter 9 D as hb oa rd ZyWALL USG 300 User’s Guide 231 9.2.4 The VPN S t atus Screen Use this screen to look at the VPN tunnels that are currently establi shed. T o access this screen, click VPN Status in the das hboard. Figure 228 Dashboard > VPN S tatus The following table describes t he labels in this screen. 9.2.5 The DHCP T able Screen U[...]
-
Pagina 232
Chapter 9 Das hb o ar d ZyWALL USG 300 User’s Guide 232 The following table describes t he labels in this screen. 9.2.6 The Number of Login Users Screen Use this screen to look at a list of the users current ly logged into the Z yWALL. T o access this screen, click the dashboard’ s Number of Login Users icon. Figure 230 Dashboard > Number of[...]
-
Pagina 233
Chapter 9 D as hb oa rd ZyWALL USG 300 User’s Guide 233 The following table describes t he labels in this screen. T able 27 Dashboard > Number of Login Users LABEL DESCRIPTION # This field is a sequential v alue and is not associated wi th any entry . User ID This field displays the user name of each user who is currently logged in to the ZyW [...]
-
Pagina 234
Chapter 9 Das hb o ar d ZyWALL USG 300 User’s Guide 234[...]
-
Pagina 235
ZyWALL USG 300 User’s Guide 235 C HAPTER 10 Monitor 10.1 Overview Use the Monitor screens to check stat us and st at i sti cs in formation. 10.1.1 What Y ou Can Do in this Chapter Use the Monitor screens for the foll owi ng. •U s e t h e System Status > Port Statistics screen (see Section 10.2 on page 236 ) to look at pack et statistics for [...]
-
Pagina 236
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 236 •U s e t h e VPN Monitor > SSL screen (see S ection 10.13 on page 261 ) to list the users currently logged into the VPN SSL client portal. Y ou can also log out individual users and delete related session information. •U s e t h e VPN Monitor > L2TP over IPSec screen (see Section 10.[...]
-
Pagina 237
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 237 The following table describes t he labels in this screen. T able 28 Monitor > System S tatus > Port S tatistics LABEL DESCRIPTION P oll Interval Enter how often you want this window to be updated automatically , and click Set Interval . Set Interval Click this to set the Poll Interval the s[...]
-
Pagina 238
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 238 10.2.1 The Port S t atistics Graph Screen Use this screen to look at a line gr aph of packet statistics for each ph ysical port. T o access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button . Figure 232 Monitor > System S tatus > Port S ta[...]
-
Pagina 239
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 239 10.3 Interface S t atus Screen This screen lists all of the Z yWALL’ s interfaces and gives packet statistics for them. Click Monitor > System Status > Inter face Status to access this screen. Figure 233 Monitor > System S tatus > Interface S tatus Last Update This field displays th[...]
-
Pagina 240
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 240 Each field is desc ribed in the followi ng table. T able 30 Monitor > System S tatus > Interface S tatus LABEL DESCRIPTION Interface Status If an Ethernet interface does not hav e any physical ports associated with it, its entry is displayed in light gr ay text. Expand/Close Click this b[...]
-
Pagina 241
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 241 Status This field displays the current status of each interface. The possible values depend on what type of interface it is. F or Ethernet interfaces: Inactive - The Ethernet interface is disabled. Down - The Ethernet interface is enabled but not connected. Speed / Duplex - The Ethernet interface[...]
-
Pagina 242
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 242 Z one This field displays the z one to which the interface is assigned. IP Addr/ Netmask This field displays the current IP address and subnet mask assigned to the interface. If the IP address and subnet mask are 0.0.0.0, the interface is disabled or did not rece ive an IP address and subnet m[...]
-
Pagina 243
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 243 10.4 The T raffic S t atistics Screen Click Monitor > System Status > T r aff ic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following for example: • Most- visited W eb sites and the number of times each one w a s visited. This cou[...]
-
Pagina 244
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 244 There is a l imit on th e number of recor ds shown i n the repo rt. Pl ease see T able 32 on page 245 for more information. The foll owing table describes the labels in this screen. T able 31 Monitor > System S tatus > Traffic Statistics LABEL DESCRIPTION Data Collection Collect Statisti[...]
-
Pagina 245
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 245 The following table displays the maximum number of records shown in the report, the byt e count limit, and the hit c ount li mit. These fields are available when the Traffic Type is Service/Por t . # This field is the r ank of each record. The protocols and service ports are sorted by the amount [...]
-
Pagina 246
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 246 10.5 The Session Monitor Screen The Session Mo nitor screen displays information about active ses sions for debugging or statistical analysis. It is not poss ible to manage sessions in this screen. The fo llowing in fo rmation is di s pl ayed. • User who started the session • Protocol or s[...]
-
Pagina 247
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 247 The following table describes t he labels in this screen. T able 33 Monitor > System S tatus > Session Monitor LABEL DESCRIPTION View Select how you want the information to be displa yed. Choices are: sessions by users - display all activ e sessions grouped by user sessions by services - di[...]
-
Pagina 248
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 248 10.6 The DDNS S t atus Screen The DD NS Status screen shows the status of the Z yW ALL’s DDNS domain names. Click Monitor > System Stat us > D DNS Status to open the following scree n. Figure 236 Monitor > System S tatus > DDNS S tatus The following table describes t he labels in[...]
-
Pagina 249
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 249 10.7 IP/MAC Binding Monitor Click Moni tor > System S t atus > IP/MAC Binding to open the IP/MAC Binding Monitor screen. This screen lis ts the devices that hav e received an IP address from Z yW ALL interf aces with IP/MAC binding enabled and hav e ever est ablished a session with the Z yW[...]
-
Pagina 250
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 250 10.8 The Login Users Screen Use this screen to look at a list of the users current ly logged into the Z yWALL. T o access this screen, click Monitor > System S tatus > Login Users . Figure 238 Monitor > System S tatus > Login Users The following table describes t he labels in this [...]
-
Pagina 251
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 251 10.9 WLAN Interface S t ation Monitor Screen The station monitor displays the connection status of the wireless cli ents connected to (or trying to connect to) a IEEE 802.11b/g card installed in the Zy WA L L . T o open the station monitor , click Mo nitor > System Status > WLAN Status . Th[...]
-
Pagina 252
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 252 10.10 Cellular S t atus Screen This screen displays y our 3G connection status. click Monitor > System Status > Cellular Status to display this scre en. Figure 240 Monitor > System S tatus > Cellular S tatus The following table describes t he labels in this screen. T able 38 Monito[...]
-
Pagina 253
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 253 Status No device - no 3G device is connected to the ZyW ALL. Device detected - displays when you connect a 3G device. Device error - a 3G device is connected but there is an error . Probe device fail - the Z yWALL’ s test of the 3G device failed. Probe device ok - the Z yWALL’ s test of the 3[...]
-
Pagina 254
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 254 10.1 1 Application Patrol S t atistics This screen displays a bandwi dth usage graph and stati stics for selected protocols. Click Monitor > AppPatrol Statistics to open the following screen. 10.1 1.1 Application Patrol St atistics: General Setup Use the top of the Monitor > AppPatrol St[...]
-
Pagina 255
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 255 10.1 1.2 Application Patrol St atistics: Bandwid th St atistics The middle of the Monitor > AppPatrol S t atistics screen displays a bandwidth usage line gr aph for th e selected protocols. Figure 242 Monitor > AppPatrol S tatistics: Bandwid th S tatistics • The y -axis represents the amo[...]
-
Pagina 256
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 256 10.1 1.3 Application Patrol St atistics: Protocol St atistics The bottom of the Monitor > AppPatrol Statistics screen displays statistics f or each of the selected protocols. Figure 243 Monitor > AppPatrol S tatistics: Protocol S tatistics The following table describes t he labels in thi[...]
-
Pagina 257
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 257 10.1 1.4 Application Patrol St atistics: Individual Protocol S t atistics by Rule The bottom of the Monitor > AppPatrol Statistics screen displays statistics f or each of the selected protocols. Click a service’ s name to display this screen with statistics for each of the service’ s appli[...]
-
Pagina 258
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 258 The following table describes t he labels in this screen. 10.12 The IPSec Monitor Screen Y ou can use the IPSec Monitor screen to display and to manage activ e IPSec SAs. T o access this screen, click Monitor > VPN Monitor > IPSec . The following T able 41 Monitor > AppPatrol S tatist[...]
-
Pagina 259
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 259 screen appears. Click a column’ s heading cell to sort the t able entries by that column’s criteria. Click t he head ing cell again t o reverse t he sort o rder . Figure 245 Monitor > VPN Monitor > IPSec Each field is desc ribed in the followi ng table. T able 42 Monitor > VPN Monito[...]
-
Pagina 260
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 260 10.12.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single char acte r in the VPN connecti on or policy name vary . For e xample, use “a?c” (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multi ple VPN connection or policy names matc[...]
-
Pagina 261
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 261 10.13 The SSL Connection Monitor Screen The Z yW ALL keeps tr ack of the users who are currentl y logged into the VPN SSL client portal. Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the fol lowing: • View a list of activ e SSL VPN connections. • Log [...]
-
Pagina 262
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 262 10.14 L2TP over IPSec Session Monitor Screen Click Monit or > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to disp lay and mana ge the Z yWALL’ s connected L2TP VPN sessions. Figure 247 Monitor > VPN Monitor > L2TP over IPSec The following table des[...]
-
Pagina 263
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 263 10.15 The Anti-V irus St atistics Screen Click Monitor > Anti-X Statistics > Anti-Virus to displa y the following screen. This screen displays anti- virus statistics. Figure 248 Monitor > Anti-X S tatistics > Anti-Virus: Virus Name The following table describes t he labels in this scr[...]
-
Pagina 264
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 264 The statistics displa y as follows when you display the top entries by source. Figure 249 Monitor > Anti-X S tatistics > Anti-Virus: Source IP The statistics displa y as follows when you display the top entries by destination. Figure 250 Monitor > Anti-X S tatistics > Anti-Virus: D[...]
-
Pagina 265
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 265 10.16 The IDP S t atistics Screen Click Monitor > Anti-X Statistics > IDP to display the followi ng screen. This screen displays IDP (Intrusi on Detect ion and Prevention) statist ics. Figure 251 Monitor > Anti-X S tatistics > IDP: Signature Name The following table describes t he lab[...]
-
Pagina 266
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 266 The statistics displa y as follows when you display the top entries by source. Figure 252 Monitor > Anti-X S tatistics > IDP: Source The statistics displa y as follows when you display the top entries by destination. Figure 253 Monitor > Anti-X S tatis tics > IDP: Destination To p [...]
-
Pagina 267
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 267 10.17 The Content Filter S t atistics Screen Click Monitor > Anti-X Statistics > Content Filter to displa y the foll owing screen. This screen disp lays content filter statisti cs. Figure 254 Monitor > Anti-X S tatistics > Content Filter The following table describes t he labels in th[...]
-
Pagina 268
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 268 10.18 Content Filter Cache Screen Click Monitor > Anti-X Statistics > Content Filter > Cache to display the Content Filter Cache screen. Use this screen to view and configure your Z yWALL ’s URL caching. Y ou can also configure how long a categorized web site address remains in the [...]
-
Pagina 269
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 269 Y ou can remove individual entries from the cache. When you do this, the Z yWALL queries the external content filtering da tabase the next time someone tries to access that web site. This allows you to check whether a web site’ s category has been changed. Click a column’ s heading cell to so[...]
-
Pagina 270
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 270 Category This field shows whether access to the web site’ s URL was blocked or allowed. Click the column heading to sort the entries. P oint the triangle up to display the blocked URLs before the URLs to which access w as allowed. P oint the triangle down to display the URLs to which access [...]
-
Pagina 271
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 271 10.19 The Anti-S p am S t atistics Screen Click Monitor > Anti-X Statistics > Anti-Spam to disp lay the following screen. This screen displays sp am statistics. Figure 256 Monitor > Anti-X S tatistics > Anti-S pam The following table describes t he labels in this screen. T able 49 Mon[...]
-
Pagina 272
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 272 Spam Mails This is the number of e-mails that the Z yWALL has determined to be spam. Spam Mails Detected by Black List This is the number of e-mails that matched an entry in the Z yW ALL’ s anti- spam black list. Spam Mails Detected by DNSBL The Z y WALL can check the sender and relay IP add[...]
-
Pagina 273
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 273 10.20 The Anti-S p am S t atus Screen Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti- Spam Status scre en. Use the Anti-Spam Status screen to see how many e-mail sessions the anti- spam feature is scanning an d statisti cs for the DNSBLs. Figure 257 Monitor &g[...]
-
Pagina 274
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 274 10.21 Log Screen Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regu lar log, you can look at all the log messages by selecting All Logs , or you can select a specific category of log messages (for example, firewall or user). Y[...]
-
Pagina 275
Chapter 10 Monitor ZyWALL USG 300 User’s Guide 275 The following table describes t he labels in this screen. T able 51 Monitor > Log LABEL DESCRIPTION Show Filter / Hide Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display , Email Log Now , Refresh , and Clear Log fie lds are a vaila b l [...]
-
Pagina 276
Chapter 10 M o nito r ZyWALL USG 300 User’s Guide 276 The W eb Configurator sa ves the f ilter settings if you leav e the View Log screen and return to it later . Priority This field displays the priority of the log message. It has the same range of values as the Priority field above. Category This field displays the log that generated the log me[...]
-
Pagina 277
ZyWALL USG 300 User’s Guide 277 C HAPTER 11 Registration 1 1.1 Overview Use the Configura tion > Licensing > Reg i stratio n screens to register y our Z yWALL and manage its service subscript ions. 1 1 .1.1 What Y ou Can Do in this Chapter •U s e t h e Registration screen (see Section 11.2 on page 279 ) t o register your Z yWALL with myZ [...]
-
Pagina 278
Chapter 11 Re g istr at ion ZyWALL USG 300 User’s Guide 278 Subscription Services A vailable on the ZyW ALL Y ou can have the ZyW ALL use anti-virus, IDP/AppP atrol (Intrusion Detection and Prevention and application patrol ), and cont ent filtering subscripti on services. Y ou can also purchase and enter a license key to hav e the Z yWALL use mo[...]
-
Pagina 279
Chapter 11 Registration ZyWALL USG 300 User’s Guide 279 1 1.2 The Registration Screen Use this screen to regi ster your Z y WALL wi th myZ yXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to op en the screen as shown next. Figure 259 Configu ration > Licens[...]
-
Pagina 280
Chapter 11 Re g istr at ion ZyWALL USG 300 User’s Guide 280 Confirm Password Enter the password again for confirmation. E-Mail Address Enter your e-mail address. Y ou can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. Country Select your country from the drop-down box list. T rial Se rvice Activ[...]
-
Pagina 281
Chapter 11 Registration ZyWALL USG 300 User’s Guide 281 Note: If the ZyW ALL is registered already , this screen is read-only and indicates whether trial services are activated (if any). Y ou can still select the unchecked trial service(s) to activate it after registra tion. Use the Service screen to update your service subscription sta tus. Figu[...]
-
Pagina 282
Chapter 11 Re g istr at ion ZyWALL USG 300 User’s Guide 282 The following table describes t he labels in this screen. T able 53 Configuration > Licensing > Registration > Service LABEL DESCRIPTION License Status # This is the entry’s position in the list. Service Thi s lists the services that available on the Z yWALL. Status This field[...]
-
Pagina 283
ZyWALL USG 300 User’s Guide 283 C HAPTER 12 Signature Update 12.1 Overview This chapter shows you how t o update the Z y WALL’ s signature packages. 12.1.1 What Y ou Can Do in this Chapter •U s e t h e Configuration > Licensing > Update > Anti-virus screen ( Section 12.2 on page 284 ) to up date the anti- virus signatures. See Chapte[...]
-
Pagina 284
Chapter 12 Signature Update ZyWALL USG 300 User’s Guide 284 12.2 The Antivirus Up date Screen Click Configuration > Licensing > Update > Anti-Virus to display th e following screen. Figure 262 Configu ration > Licensing > Update >Anti-V irus The following table describes t he labels in this screen. LABEL DESCRIPTION Signature In[...]
-
Pagina 285
Chapter 12 Signature Update ZyWALL USG 300 User’s Guide 285 12.3 The IDP/AppPatrol Up date Screen Click Configuration > Licensing > Update > IDP/AppPatrol to displa y the following screen. The Z yWALL comes with signatures for th e IDP and application patrol features. These signatures are continually upda ted as new attac k types evolve.[...]
-
Pagina 286
Chapter 12 Signature Update ZyWALL USG 300 User’s Guide 286 signatures from my Z yXEL.com (see the Registration screens). Use th e Update IDP /AppPatrol screen to sched ul e or immediat ely download IDP signatures . Figure 263 Configu ration > Licensing > Update > IDP/AppPatrol The following table describes t he fields in this screen. T [...]
-
Pagina 287
Chapter 12 Signature Update ZyWALL USG 300 User’s Guide 287 12.4 The System Protect Up date Screen Click Configuration > Licensing > Update > System Protect to display the following screen. Use this screen to schedule or imme diately download system-protection signatures. The Z yWALL comes wi th si gnatures that it uses to protect itself[...]
-
Pagina 288
Chapter 12 Signature Update ZyWALL USG 300 User’s Guide 288 The following table describes t he fields in this screen. T able 55 Configuration > Licensing > Update > System Protect LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the Z yWALL is using. Current Ve r s i o n T[...]
-
Pagina 289
ZyWALL USG 300 User’s Guide 289 C HAPTER 13 Interfaces 13.1 Interface Overview Use the Interface screens to configure the Z yWALL ’ s interfaces. Y ou can also create interfaces on top of other interfaces. • Ports are the physi cal ports to which you connec t cables. • Interfaces are used within the system operationally . Y ou use them in c[...]
-
Pagina 290
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 290 •U s e t h e Virtual Interface screen ( Section 13.11 on page 356 ) to create virtual interfaces on top of Ethernet i nterfaces to tell the Z yWALL where t o route packets. Y ou can create virtual Ethern et interfaces, virtual VLAN interfaces, and virtual bridge interfaces. •U s e t h [...]
-
Pagina 291
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 291 • Trunks manage load balancing between interfaces. P ort groups, trunks, and the a uxiliary interface have a l o t of characteri stics that are specific to each type of interface. See S ection 13.2 on page 293 , Chapter 14 on page 363 , and Section 13.10 on page 354 for details. The other ty[...]
-
Pagina 292
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 292 * - Y ou cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. Y ou also cannot add an Ethernet inte rface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on to[...]
-
Pagina 293
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 293 13.2 Port Grouping This section introduces port groups and then explai ns the screen for port groups. 13.2.1 Port Grouping Overview Use port grouping to create port group s and to assign physical ports and port groups to Ethernet interfaces . Each physical port is assigned to one Et hernet int[...]
-
Pagina 294
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 294 Each section in this screen is described below . 13.3 Ethernet Summary Screen This screen lists ev ery Ethernet interface and virtual interface created on top of Ethernet interfaces. T o access this screen, click Configuration > Network > Interface . Unlike other types of interfaces,[...]
-
Pagina 295
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 295 Figure 266 Configu ration > Network > Interface > Ethernet Each field is desc ribed in the followi ng table. T able 59 Configuration > Network > Interface > Ethernet LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify[...]
-
Pagina 296
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 296 13.3.1 Ethernet Edit The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP set ti ngs, OSPF settings, DHCP settings, connectivit y check, and MAC address settings. T o access this screen, click an Edit icon in the Ethernet Summary screen. (See Section[...]
-
Pagina 297
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 297 Figure 267 Configuration > Network > Interface > Ethernet > Edit[...]
-
Pagina 298
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 298 This screen’ s fields are described in the table b elow . T able 60 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields. General[...]
-
Pagina 299
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 299 Use Fixed IP Address This option appears when Interface Properties is Ex ternal or General . Select this if you want to specify the IP address, subnet mask, and gatewa y manually . IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot de[...]
-
Pagina 300
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 300 Check P eriod Enter the number of seconds between connection check attempts. Check Timeout Enter the number of second s to wait for a response before the attempt is a failure. Check F ail To l e r a n c e Enter the number of consecutive failures before the Z yWALL stops routing through the[...]
-
Pagina 301
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 301 P ool Size Enter the number of IP addresse s to allocate. This number must be at least one and is limited by the interface’s Subnet Mask . For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Ad dress is 10.10.10.10, the ZyW ALL can allocate 10.1 0.1 0.10 to 10.10.10. 254, or 2[...]
-
Pagina 302
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 302 IP Address Enter the IP address to assign to a device with this entry’ s MAC address. MAC Address Enter the MAC address to which to assign this entry’ s IP address. Description Enter a description to help identify this static DHCP entry . Y ou can use alphanumeric and ()+/:=?!*#@$_%- c[...]
-
Pagina 303
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 303 13.3.2 Object References When a configur ation screen includes an Object References icon, select a configur ation object and click Object Referenc es to open the Object References screen. Th is s cre en displays whic h c o nf ig u ration set t in g s ref ere nce the selected object. The fi eld[...]
-
Pagina 304
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 304 Figure 268 Object References The following table describes l abels that can appear in this screen. 13.4 PPP Interfaces Use PPPoE/PPT P interfaces to connect to your ISP . This way , you do not have to install or manage PPP oE/PPTP software on each computer in the network. T able 61 Object [...]
-
Pagina 305
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 305 Figure 269 Example: PPPoE/PP TP Interfaces PPP oE/PPTP interfaces are similar to other interfaces in som e ways. They hav e an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and pack et size; and they can verify the gatew ay is av ailable. There ar[...]
-
Pagina 306
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 306 Figure 270 Configuration > Network > Interface > PPP Each field is desc ribed in the table belo w . T able 62 Configuration > Network > Interface > PPP LABEL DESCRIPTION User Configuration / System Default The Z yWALL comes with the (non-remov able) System Default PPP int[...]
-
Pagina 307
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 307 13.4.2 PPP Interface Add or Edit Note: Y ou have to set up an ISP account bef ore you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. T o access this screen, click the Add icon or an Edit icon in the PPP Interface screen. Status The activ a te (light bu[...]
-
Pagina 308
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 308 Figure 271 Configuration > Network > Interface > PPP > Add Each field is explained in the following table. T able 63 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate[...]
-
Pagina 309
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 309 Enable Interface Select this to enable this interface. Clear this to disable this interface. Interface Properties Interface Name Specify a name for the interface. It can use alphanumeric char acters, hyphens, and underscores, and it can be up to 11 characters long. Base Interface Select the in[...]
-
Pagina 310
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 310 Interface Pa ra m e t e r s Egress Bandwidth Enter the maximum amount of tr affi c, in kilobits per second, the Z y WALL can send through the inte rface to the network. Allowed values are 0 - 1048576. Ingress Bandwidth This is reserved for future use. Enter the maximum amount of tr affi c,[...]
-
Pagina 311
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 31 1 13.5 Cellular Configuration Screen (3G) 3G (Third Generation) i s a digital, pack et -switched wireless te chnology . Bandwidth usage is optimized as mult iple users sh are the same channel and bandwidth is only allocated to users when they send da ta. It allows fast tr ansfer of voice and no[...]
-
Pagina 312
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 312 If the signal strength of a 3G network is too low , the 3G card may swi tch to an av ailable 2.5G or 2.75G network. See the following tab le for a comparison between 2G, 2.5G, 2.75G and 3G of wireless technologies. T o change your 3G W AN settings, click Configur ation > Network > In[...]
-
Pagina 313
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 313 Figure 272 Configuration > Network > Interface > Cellular The following table describes t he labels in this screen. 13.5.1 Cellular Add/Edit Screen T o change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit ). In the pop-up window that[...]
-
Pagina 314
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 314 Figure 273 Configur ation > Network > Interface > Cellular > Add[...]
-
Pagina 315
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 315 The following table describes t he labels in this screen. T able 66 Configuration > Network > Interface > Cellular > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configur ation fields. General Setting[...]
-
Pagina 316
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 316 Dial String Enter the dial string if your ISP pro vides a string, which would include the APN, to initialize the 3G card. Y ou can enter up to 63 ASCII printable char acters. Spaces are allowed. This field is av ailable only when you insert a GSM 3G card. Authentication Ty p e The ZyW ALL [...]
-
Pagina 317
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 317 Egress Bandwidth Enter the maximum amount of tr affic, in kilobits per second, the Z yWALL can send through the interface to the n etwork. Allowed values are 0 - 1048576. This setting is used in W AN load balancing and bandwidth management. Ingress Bandwidth This is reserved for future use. En[...]
-
Pagina 318
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 318 Get Automatically Select this option If your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option If the ISP assigned a fixed IP address. IP Address Enter the cellular interface’ s WAN IP address in this field if you selected U[...]
-
Pagina 319
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 319 Data Budget Select this and specify how much downstream and/or upstream data (in Mega bytes) can be transmitted via the 3G conn ection within one month. Select Download to set a limit on the downstream traffic (from the ISP to the Z yWALL). Select Upload to set a limit on the upstream traffic [...]
-
Pagina 320
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 320 13.6 WLAN Interface General Screen The following figure provides an exam ple of a wireless network. The wireless network is in the blue ci rcle. Wireless cli e nts (A and B) connect to an access point (AP) to access other devi ces (such as the printer) or the Internet. Y our ZyW ALL works [...]
-
Pagina 321
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 321 Click Configuration > Network > Interface > WLAN to open the following screen. See Appendix E on page 1019 for more details on wi reless LANs. Figure 275 Configu ration > Network > Interface > WLAN The following table describes t he labels in this screen. T able 67 Configurat[...]
-
Pagina 322
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 322 802.11 Band Select whethe r you will let wireless clients connect to the Z yWALL using IEEE 802.11b, IEEE 802.11g, or both. Select b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyW ALL. Select g Only to allow only IEEE 802.11g compliant WLAN devices to asso[...]
-
Pagina 323
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 323 13.6.1 WLAN Add/Edit Screen Use the strongest security that every wi reless client in the wireless network supports. Note: WP A2 or WP A2-PSK security is recommended. • Y ou can use the ZyW ALL’s local user da tabase to use WP A or WP A2 without using an external RADIUS server . With WP A [...]
-
Pagina 324
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 324 Figure 276 Configu ration > Network > Interface > WLAN > Add (No Security)[...]
-
Pagina 325
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 325 The following table describes t he genera l wireless L AN labels in this screen. T able 69 Configuration > Network > Interf ace > WLAN > Add (No Security) LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of conf[...]
-
Pagina 326
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 326 IP Address Enter the IP address for this interface. Subnet Mask Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. Interface Pa ra m e t e r s Egress Bandwidth Enter the maximu[...]
-
Pagina 327
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 327 P ool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by t he interface’ s Subnet Mask . For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyW ALL can allocate 10.10.10.10 to 10.10 .10.254, or 245[...]
-
Pagina 328
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 328 Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir - This interface sends and receives routing information. In-Only - This interface receives routing information. Out-Only - This interface sends routing information. Send V ers[...]
-
Pagina 329
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 329 13.6.2 WLAN Add/Edit: WEP Security WEP provides a mechanism for encrypting data using encryption keys. Both the Z yWALL and the wireless stations must use the same WEP k ey to encrypt and decrypt data. Y our Z yWALL all ows you to configure up to four 64-b it or 128-bit WEP keys, but only one [...]
-
Pagina 330
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 330 The following table describes t he WEP-related wireless LAN security label s. See T able 69 on page 325 for informatio n on the 802.1x fields. 13.6.3 WLAN Add/Edit: WP A-PSK/WP A2-PSK Security WP A-PSK or WP A2-PSK security has all of the WLAN interfac e’s users share the same password ([...]
-
Pagina 331
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 331 The following table describes t he WPA - PSK/WPA2-PSK -related wireless LAN security labels. 13.6.4 WLAN Add/Edit: WP A/WP A2 Security With WP A or WPA2 security , each user can have a separ ate user name and password. The Z yWALL us es an external RA DIUS serv er or the Z yWALL’ s internal [...]
-
Pagina 332
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 332 Figure 279 Configu ration > Network > Interface > WLAN > Add (WP A/WP A2 Security) The following table describes t he WPA/WP A2-related wireless LAN securi ty labels. T able 72 Configuration > Network > Interface > WLAN > Add (WP A/WP A2 Security) LABEL DESCRIPTION [...]
-
Pagina 333
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 333 13.7 WLAN Interface MAC Filter The MAC filter allows you to give specific wireless c lients exclusiv e access to the Z yWALL (allow association) or block speci fic devices from accessing the Z yWALL (deny as sociation) based on the devices’ MAC ad dresses. Every IEEE 802.11b or IEEE 802.11g [...]
-
Pagina 334
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 334 Figure 280 Network > Interface > WLAN > MAC Filter The following table describes t he labels in this screen. T able 73 Configuration > Network > Interface > WLAN > MAC Filte r LABEL DESCRIPTION Enable MAC Filter Select or clear the check box to enable or disable MAC ad[...]
-
Pagina 335
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 335 13.8 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 281 Example: Before VLAN In this examp le, there are two phy s ical networks and three departments A , B , and C . The physical net[...]
-
Pagina 336
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 336 • T raffic in side eac h VLAN is layer-2 co mmunic a t ion (dat a li nk layer , MAC addresses). It is handled by the switches. As a result, the new switch is required to handle tr affic inside VLAN 2. T raf fic is only b roadcast inside each VLAN, not each physical network. • T raffic [...]
-
Pagina 337
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 337 13.8.1 VLAN Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. T o access this screen, click Configuration > Network > Interface > VLAN . Figure 283 Configur ation > Network > Interface > VLAN Each field is explained[...]
-
Pagina 338
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 338 13.8.2 VLAN Add/Edit This screen lets you configure IP ad dress assignment, interface bandwidth parameters, DHCP setti ngs , and connectivit y check for each VLAN interface. T o access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interfa[...]
-
Pagina 339
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 339 Figure 284 Configur ation > Network > Interface > VLAN > Edit[...]
-
Pagina 340
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 340 Each field is explained in the following table. T able 75 Configuration > Network > Interface > VLAN > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields. General Settings Enable[...]
-
Pagina 341
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 341 Metric Enter the priority of the gateway (if any) on this interface. The Z yWALL decides which gatewa y to use based on this priority . The lower the number , the higher the priority . If two or more gateways have the same priority , the ZyW ALL uses the one that was configured first. Interfac[...]
-
Pagina 342
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 342 DHCP Select what type of DHCP service the Z yWALL provides to the network. Choices are: None - the ZyW ALL does not provide any DHCP services. There is already a DHCP serv er on the network. DHCP Relay - the Z yWALL ro utes DHCP requests to one or m ore DHCP servers you specify . The DH CP[...]
-
Pagina 343
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 343 Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire days, hours, and minutes - select this to enter how long IP addresses are valid. Enable[...]
-
Pagina 344
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 344 OSPF Setting See Section 16.3 on page 391 for more information about OSPF . Area Select the area in which this interface belongs. Select None to disable OSPF in this interface. Priority Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Route[...]
-
Pagina 345
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 345 13.9 Bridge Interfaces This section introduces brid ges and bri dge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the follo wing example, bridge X connect[...]
-
Pagina 346
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 346 If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 i n the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the pack et to port 2 accordingly . Bridge Interface Overview A bridge interface creates a software br idge betwee[...]
-
Pagina 347
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 347 13.9.1 Bridge Summary This screen lists every bridge interface and vi rtual interface created on top of bridge interfaces. T o access thi s screen, click Configuration > Network > Interface > Bridge . Figure 285 Configur ation > Network > Interface > Bridge Each field is desc[...]
-
Pagina 348
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 348 13.9.2 Bridge Add/Edit This screen lets you configure IP ad dress assignment, interface bandwidth parameters, DHCP setti ngs , and connectivit y check for each bridge interface. T o access this screen, click the Add icon at the top of the Add column in th e Bridge Summary screen, or click [...]
-
Pagina 349
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 349 Figure 286 Configur ation > Network > Interface > Bridge > Add[...]
-
Pagina 350
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 350 Each field is desc ribed in the table belo w . T able 80 Configuration > Network > Interface > Bridge > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields. General Settings Enabl[...]
-
Pagina 351
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 351 Gateway This field is enabled if you select Use Fixed IP Address . Enter the IP address of the gateway . The ZyW ALL sends packets to the gatewa y when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. Metric Enter the prio[...]
-
Pagina 352
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 352 IP P ool Start Address Enter the IP address from which the ZyW ALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer , click Add Static DHCP . If this field is blank, the Pool Size must also be blank. In this case, the Z yW ALL can assign ever[...]
-
Pagina 353
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 353 Add Click this to create a new entry . Edit Select an entry and click this to be able to modify it. R emo v e Select an entry and click this to delete it. # This field is a sequential value, and it is not associated with a specific entry . IP Address Enter the IP address to assign to a device [...]
-
Pagina 354
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 354 13.10 Auxiliary Interface This section introduces the auxil iary interf ace and then explains the screen for it. 13.10.1 Auxiliary Interface Overview Use the auxiliary interface to dial ou t from the Z yWALL’ s auxiliary port. For example, yo u might use this int e rface as a backup WAN [...]
-
Pagina 355
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 355 Figure 287 Configuration > Network > Interface > Auxiliary Each field is desc ribed in the table belo w . T able 81 Configuration > Network > Interface > Auxiliary LABEL DESCRIPTION General Settings Enable Interface Select this to turn on the auxiliary dial up interface. The [...]
-
Pagina 356
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 356 13.1 1 V irtual Interfaces Use virtual interfaces to tell th e Z yW ALL where to route pack ets. Virtual in terfaces can also be used in VPN gatewa ys (see Chapter 25 on page 467 ) and VRRP groups (see Chapter 39 on page 693 ). Virtual interfaces can be created on top of Ethernet interface[...]
-
Pagina 357
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 357 cannot change the MTU. The vi rtual in terface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not veri fy that the gatew ay is available. 13.1 1.1 V irtual Interfaces Add/Edit This screen lets yo u con[...]
-
Pagina 358
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 358 13.12 Interface T echnical Reference Here is more detailed information about interfaces on the Z yW ALL. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routi ng table. Figure 289 Example: Entry in the Routing T[...]
-
Pagina 359
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 359 For example, if the Z yWALL gets a pa ck et with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the Z yWALL gets a packet with a destination address of 200.200.200.200, it routes the pack et to interface ge2. In most interfaces, you can enter the IP address a[...]
-
Pagina 360
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 360 • Egress bandwidth sets the amount of traffic the Z yWALL s ends out through the interface to the network. • Ingress bandwidth sets the amount of tr affic the Z yWALL allows in through the interface from the network. 1 If you set the bandwidt h restrictions ve ry high, you effectively [...]
-
Pagina 361
Chapter 13 Interfaces ZyWALL USG 300 User’s Guide 361 • IP address - If the DHCP client’s MAC address is in the ZyW ALL’s static DHCP table, the interface assig ns the corresponding IP address. If not, the interface assigns IP addresses from a pool, define d by the starting address of the pool and the pool size. The Z yWALL cannot assign th[...]
-
Pagina 362
Chapter 13 In te r fac es ZyWALL USG 300 User’s Guide 362 PPPoE/PPTP Overview P o int -to-Point Protocol ov er Et hernet (PPPoE, RFC 2516) and P oint-to-P oint T unneling Protocol (PPTP , RFC 2637) are usually used to connect two computers over phone lines or broadband connectio ns. PPP oE is often used with cable modems and DSL connections. It p[...]
-
Pagina 363
ZyWALL USG 300 User’s Guide 363 C HAPTER 14 Trunks 14.1 Overview Use trunks for W AN traffic load balancing to increase o verall network t hroughput and reliability . Load balancing divides tr affic loads between multiple interfaces. This allows y ou to improve quality of service and maximiz e bandwidth utilization for multiple ISP links. Maybe y[...]
-
Pagina 364
Chapter 14 T run k s ZyWALL USG 300 User’s Guide 364 14.1.2 What Y ou Need to Know • Add WAN interfaces to trunks to have multiple connections share the traffi c load. • If one W AN interface’ s connection goes down, the ZyW ALL sends tr affic through another member of the trunk. • For example, you connect one W AN inte rface to one ISP a[...]
-
Pagina 365
Chapter 14 Trunks ZyWALL USG 300 User’s Guide 365 2 The Z yWALL is using activ e/active load balanci ng. So when LAN user A tries to access something on the server , the request goes out through ge3. 3 The server finds that the request comes from ge3’ s IP address instead of ge2’ s IP address and rejects the request. If link sticking had been[...]
-
Pagina 366
Chapter 14 T run k s ZyWALL USG 300 User’s Guide 366 Since W AN 2 has a smaller load balancing index (meani ng that it is less util ized than WAN 1), the Zy WALL will send the subsequent new session tr affic through WAN 2 . Weighted Round Robin The W eighted Round R obin (WRR) algorit hm is best suited for situations when the bandwidths set for t[...]
-
Pagina 367
Chapter 14 Trunks ZyWALL USG 300 User’s Guide 367 interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoi d overloading the interface. In this example figure, the upper threshol d of the first int erface is set to 800K. The Z yWALL sends network tr affic of new sessions that exceed this limit to [...]
-
Pagina 368
Chapter 14 T run k s ZyWALL USG 300 User’s Guide 368 14.2 The T runk Summary Screen Click Configuration > Netw ork > Interface > T r un k to open the Trunk screen. This screen lists th e configured trunks and the load balancing al gorithm that each is configur ed to use. Figure 294 Configu ration > Network > Interface > T runk T[...]
-
Pagina 369
Chapter 14 Trunks ZyWALL USG 300 User’s Guide 369 14.3 Configuring a T runk Click Configuration > Netw ork > Interface > T r un k and then the Add (or Edit ) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry . Figure 295 Configu ration > Network > Interface > T runk > Add (or Edit) Enable[...]
-
Pagina 370
Chapter 14 T run k s ZyWALL USG 300 User’s Guide 370 Each field is desc ribed in the table belo w . T able 88 Configuration > Network > Interface > T runk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editin g an existing trunk. When adding a new trunk, enter a descriptive name for this trunk. Y ou may use 1-31 a[...]
-
Pagina 371
Chapter 14 Trunks ZyWALL USG 300 User’s Guide 371 14.4 T runk T echnical Reference Round Robin Load Balancing Algorithm Ro und R obin scheduli ng services qu eues on a rotating basis and i s activated only when an interface has more traffic than i t can handle. A queue is given an amount of bandwidth irrespec tive of the incoming tr affic on that[...]
-
Pagina 372
Chapter 14 T run k s ZyWALL USG 300 User’s Guide 372[...]
-
Pagina 373
ZyWALL USG 300 User’s Guide 373 C HAPTER 15 Policy and Static Routes 15.1 Policy and S t atic Routes Overview Use policy routes and static rout es to ov erride the Z yWALL’ s default routing behavior in order to send packets throug h the appropriate interface or VPN tunnel. For example, the next figure shows a computer ( A ) c onnected to the Z[...]
-
Pagina 374
Chapter 15 Policy an d Static Routes ZyWALL USG 300 User’s Guide 374 •U s e t h e Static Route screens (see Section 15.3 on page 383 ) to list and configure static routes . 15.1.2 What Y ou Need to Know Policy Routing T raditionally , routing is based on the destination address only and the Z yWALL takes the sho rtest pa th to forward a pack et[...]
-
Pagina 375
Chapter 15 Policy and Sta tic Routes ZyWALL USG 300 User’s Guide 375 Policy Routes V ersus St atic Routes • Policy routes are more flexible tha n static routes. Y ou ca n select m o re c ri ter ia for the tr affic to match and can also use schedules , NA T , and bandwidth management. • Policy routes are only used within the Z yWALL itself . S[...]
-
Pagina 376
Chapter 15 Policy an d Static Routes ZyWALL USG 300 User’s Guide 376 Finding Out More • See Section 6.5.6 on page 101 for related information on the policy route screens. • See Section 7.14 on page 174 for an example of creating a policy route for usi n g multiple static public W AN IP addresses for LAN to W AN traffic. • See Section 15.4 o[...]
-
Pagina 377
Chapter 15 Policy and Sta tic Routes ZyWALL USG 300 User’s Guide 377 The following table describes t he labels in this screen. T able 89 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configur at ion fields. Enable[...]
-
Pagina 378
Chapter 15 Policy an d Static Routes ZyWALL USG 300 User’s Guide 378 DSCP Code This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP v alues or no DSCP marker . default means traffic with a DSCP value of 0. This is usually best effort traffic The “ af ” entries stand for Assured Forw arding. The num[...]
-
Pagina 379
Chapter 15 Policy and Sta tic Routes ZyWALL USG 300 User’s Guide 379 15.2.1 Policy Route Edit Screen Click Configuration > Netw ork > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or e dit a policy route. Figure 298 Configu ration > Network >[...]
-
Pagina 380
Chapter 15 Policy an d Static Routes ZyWALL USG 300 User’s Guide 380 Incoming Select where the pack ets are coming from; any , an interface, a tunnel, an SSL VPN, or the Z yWALL itself . For an interface, a tunnel, or an S SL VPN, you also need to select the indi vidual interface, VPN tunnel, or SSL VPN connection. Source Address Se lect a source[...]
-
Pagina 381
Chapter 15 Policy and Sta tic Routes ZyWALL USG 300 User’s Guide 381 VPN T unnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyW ALL directly . Auto Destination Address This field displays when you select VPN Tunnel in the T[...]
-
Pagina 382
Chapter 15 Policy an d Static Routes ZyWALL USG 300 User’s Guide 382 Source Network Address T ranslation Select none to not use NA T for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that matches this route. If you select outgoin g-interface , you can also configure po[...]
-
Pagina 383
Chapter 15 Policy and Sta tic Routes ZyWALL USG 300 User’s Guide 383 15.3 IP S t atic Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displa ys the configured static routes. Configure static routes to be able to use R IP or OSPF to propagate the rout ing information to othe[...]
-
Pagina 384
Chapter 15 Policy an d Static Routes ZyWALL USG 300 User’s Guide 384 The following table describes t he labels in this screen. 15.3.1 S t atic Route Add/Edit Screen Select a static route index number and click Add or Edit . The screen shown next appears. Use this screen to configure the required info rmation for a static route. Figure 300 Configu[...]
-
Pagina 385
Chapter 15 Policy and Sta tic Routes ZyWALL USG 300 User’s Guide 385 15.4 Policy Routing T echnical Reference Here is more detailed information about some of the features you can configure in policy routing. NA T and SNA T NA T (Network Address T ranslation - NA T , RFC 1631) is the tr anslation of the IP address in a packet in one network to a d[...]
-
Pagina 386
Chapter 15 Policy an d Static Routes ZyWALL USG 300 User’s Guide 386 following twelve DSCP encodi ngs from AF11 through AF43. The decimal equiv alent is listed in br ackets. Port T r iggering Some services use a dedicated r ange of ports on the client side and a dedicated rang e of ports on the server side. With re gular port forwarding, you set [...]
-
Pagina 387
Chapter 15 Policy and Sta tic Routes ZyWALL USG 300 User’s Guide 387 3 Computer A and game server 1 are connected to ea ch ot her until the connection is closed or times out. Any other computers (such as B or C ) cannot connect to remote server 1 using the s ame port triggering rule as computer A unless they are using a different next hop (gatewa[...]
-
Pagina 388
Chapter 15 Policy an d Static Routes ZyWALL USG 300 User’s Guide 388[...]
-
Pagina 389
ZyWALL USG 300 User’s Guide 389 C HAPTER 16 Routing Protocols 16.1 Routing Protocols Overview Routing protocols give the Z yWALL rout ing information about the network from other routers. The Z yWALL stores this rout ing information in the routing table it uses to make rout in g decision s. In turn, the ZyWALL can also use routing protocols to pr[...]
-
Pagina 390
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 390 16.2 The RIP Screen RIP (R outing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other rout ers. RIP is a vector -space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfortunat[...]
-
Pagina 391
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 391 The following table describes t he labels in this screen. 16.3 The OSPF Screen OSPF (Open Shortest P ath First, RFC 2328) is a link -state protocol designed to distribute routing informatio n within a group of networ ks, called an Autonomous T able 95 Configuration > Network > Rou[...]
-
Pagina 392
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 392 System (AS). OSPF offers some adv antag es over v ector-space routing protocols like RIP . • OSPF supports variable-lengt h subnet masks, which can be set up to use av ailable IP addresses more efficiently . • OSPF filters and summarizes routing in formation, which reduces the size [...]
-
Pagina 393
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 393 Each type of area is illust rated in the following figure. Figure 303 OSPF: T ypes of Areas Thi s OS PF AS co nsi sts of fou r a rea s, a rea s 0- 3. Are a 0 i s a lways t he bac kbo ne . In this example, areas 1, 2, and 3 are all conn ected to it. Area 1 is a normal area. It has routin[...]
-
Pagina 394
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 394 • An Autonomous System Bounda ry Router (ASBR) exchanges routing information with routers in network s outside the OSPF AS. This is called redistribut ion in OSPF . • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone rout[...]
-
Pagina 395
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 395 to logically connect the area to t he backbo ne. This is illustr ated in the following example. Figure 305 OSPF: V irtual Link In this example, area 100 does not hav e a direct connection to the backbone. As a result, you should set up a virtual link on both ABR in area 10. The virtual [...]
-
Pagina 396
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 396 Click Configuration > Network > Routing > OSPF to open the following screen. Figure 306 Configuration > Ne twork > Routi ng > OSPF The following table describes the labels in this screen. See Secti on 16.3.2 on page 398 for more information as well. T able 97 Configura[...]
-
Pagina 397
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 397 T ype Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2 . Type 1 - cost = OSPF AS cost + external cost ( Metric ) Type 2 - cost = external cost ( Metric ); th e OSPF A S cost i s ignore d. Metric T yp e the externa[...]
-
Pagina 398
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 398 16.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. T o access this screen, go to the OSPF summary screen (see Section 16.3 on page 391 ), and click either the Add icon or an Edit icon. Figure 307 Configuration > Net[...]
-
Pagina 399
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 399 16.3.3 V irtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OS PF add or edit screen (see Section 16.3.2 on page Te x t Authentication Ke y This field is available if the Authenticati on is Text . T ype [...]
-
Pagina 400
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 400 398 ) has the T ype set to Normal, a Virtual Link t able displays. Click ei ther the Add icon or an entry and the Edit icon to di splay a screen lik e the following. Figure 308 Configuration > Netwo rk > Routing > OSPF > Add > Add The following table describes t he labels[...]
-
Pagina 401
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 401 Authentication T ypes Authentication is used to guar antee the in tegrity , but not the confidentiality , of routing updates. The tr ansmitting router uses its k ey to encrypt the original message into a smaller messag e, and the smaller message is tr ansmitted with the original message[...]
-
Pagina 402
Chapter 16 Routing Protocols ZyWALL USG 300 User’s Guide 402[...]
-
Pagina 403
ZyWALL USG 300 User’s Guide 403 C HAPTER 17 Zones 17.1 Zones Overview Set up zones to configure network securit y and network policies in the Z yWALL. A zone is a group of interfaces and/or VP N tunnels. The Z yW ALL uses zones instead of interfaces in ma ny security and po li c y settings, such as firewall rul es , Anti- X, and remote management[...]
-
Pagina 404
Chapter 17 Z o ne s ZyWALL USG 300 User’s Guide 404 17.1.2 What Y ou Need to Know Effect s of Zones on Different T y pes of T raffic Z ones effectiv ely divide tr affic into three types--intr a-zone tr affic, inter -z one traffic, and extr a-zone tr a ffic--which are affected differen tly by zone-based security and policy settings. Intra-zone T r[...]
-
Pagina 405
Chapter 17 Zones ZyWALL USG 300 User’s Guide 405 17.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to add, ed it, and remo v e zones. T o access this screen, click Configuration > Network > Zone . Figure 310 Configu ration > Network > Zone The following table describes t he label[...]
-
Pagina 406
Chapter 17 Z o ne s ZyWALL USG 300 User’s Guide 406 17.3 Zone Edit The Zone Edit screen allows you to add or edit a z one. T o access this screen, go to the Zone screen (see Section 17.2 on page 405 ), and click the Add icon o r an Edit icon. Figure 31 1 Network > Zone > Add The following table describes t he labels in this screen. T able 1[...]
-
Pagina 407
ZyWALL USG 300 User’s Guide 407 C HAPTER 18 DDNS 18.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 18.1.1 What Y ou Can Do in this Chapter •U s e t h e DDNS screen (see Section 18.2 on page 408 ) to view a list o f the configured DDNS domain names and their details. •U s e t h e DDNS Add/Edit [...]
-
Pagina 408
Chapter 18 DDNS ZyWALL USG 300 User’s Guide 408 Note: Record your DDNS account’s user name, p assword, and domain name to use to configure the ZyW ALL. After , you configur e th e Z yW ALL, it auto matical ly sends updated IP addresses to the DDNS service provider , which help s redirect traffic accordingly . Finding Out More See Section 6.5.9 [...]
-
Pagina 409
Chapter 18 DDNS ZyWALL USG 300 User’s Guide 409 Primary Interface/IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the Z yWALL determines the IP address for the domain name. from interface - The IP address comes from the specified interface. auto detected - The DDNS server checks th[...]
-
Pagina 410
Chapter 18 DDNS ZyWALL USG 300 User’s Guide 410 18.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyW ALL or to edit the configuration of an existing domain name. Click Configuratio n > Network > DDNS and then an Add or Edit icon to open this screen. Figure 313 Configu ration > Network[...]
-
Pagina 411
Chapter 18 DDNS ZyWALL USG 300 User’s Guide 41 1 Username T ype the user name used when you registered your domain name. Y ou can use up to 31 alphanumeric characters and the u nderscore. Spaces are not allowed. For a Dynu DDNS entry , this user name is the one you use for logging into the service, not the name record ed in your personal informat[...]
-
Pagina 412
Chapter 18 DDNS ZyWALL USG 300 User’s Guide 412 IP Address The options av ailable in this field vary by DDNS provider . Interface - The ZyW ALL uses the IP add ress of the spe cified interface. This option appears when y ou sele ct a specific interface in the Backup Binding Address Interface field. Auto - The DDNS server checks the source IP addr[...]
-
Pagina 413
ZyWALL USG 300 User’s Guide 413 C HAPTER 19 NAT 19.1 NA T Overview NA T (Network Address T ranslation - NA T , RFC 1631) is the tr anslation of the IP address of a host in a packet. For exampl e, the source address of an out going packet, used within one network is change d to a different IP address known within another network. Use Network Addre[...]
-
Pagina 414
Chapter 19 NA T ZyWALL USG 300 User’s Guide 414 19.1.2 What Y ou Need to Know NA T is also known as virtual server , port forwarding, or port translation. Finding Out More • See Section 6.5.10 on page 103 for related information on the se screens. • See Section 19.3 on page 419 for technic al background information rel ated to these screens. [...]
-
Pagina 415
Chapter 19 NAT ZyWALL USG 300 User’s Guide 415 Rem o v e T o re move an entry , select it and click Remove . The Z yW ALL conf irms you w ant to remove it before doing so. Activate T o turn on an entry , select it and click Activate . Inactivate T o turn off an entry , select it and click Inactivate . # This field is a sequential v alue, and it i[...]
-
Pagina 416
Chapter 19 NA T ZyWALL USG 300 User’s Guide 416 19.2.1 The NA T Add/Edit Screen The NAT Add/Edit screen lets you create new NA T rules and edit existing ones. T o open this window , open the NAT summary screen. (See Section 19.2 on page 414 .) Then, click on an Add icon or Edit icon to open the following screen. Figure 316 Configu ration > Net[...]
-
Pagina 417
Chapter 19 NAT ZyWALL USG 300 User’s Guide 417 Classification Select what kind of NA T this rule is to perform. Virtual Server - This mak es computer s on a priv ate netw ork behind the Z yWALL a vailable to a public network outside the ZyW ALL (like the Internet). 1:1 NAT - If the priv ate network server will initiate sessions to the outside cli[...]
-
Pagina 418
Chapter 19 NA T ZyWALL USG 300 User’s Guide 418 Mapped IP Subnet/Range This field displays for Many 1:1 NAT . Select to which translated destination IP address subnet or IP address range this NA T rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses. Po r t M a p p i n g Ty p e Use [...]
-
Pagina 419
Chapter 19 NAT ZyWALL USG 300 User’s Guide 419 19.3 NA T T echnical Reference Here is more detailed information about NA T on the Z yWALL. NA T Loopback Suppose a NA T 1:1 rule maps a public IP add ress to the priv ate IP address of a LAN SMTP e-mail server to g ive W AN users access. NA T loopback allows other users to also use the rule’ s ori[...]
-
Pagina 420
Chapter 19 NA T ZyWALL USG 300 User’s Guide 420 For examp le, a LAN user’ s computer at IP address 192.168.1. 89 queries a public DNS server to resolve the SMTP server ’s domain name (xxx.LAN-SMTP .com in this example) and gets the SMTP serv er’s mapped public IP address of 1.1.1.1. Figure 317 LAN Computer Queries a Public DNS Server The LA[...]
-
Pagina 421
Chapter 19 NAT ZyWALL USG 300 User’s Guide 421 SMTP server replied directly to the LAN us er without the tr affic going through NA T , the source would not match the original destination address whi ch would cause the LAN user’s comput er to shut down the session. Figure 319 LAN to LAN Return T raffic 192.168.1.21 LAN 192.168.1.89 Source 1.1.1.[...]
-
Pagina 422
Chapter 19 NA T ZyWALL USG 300 User’s Guide 422[...]
-
Pagina 423
ZyWALL USG 300 User’s Guide 423 C HAPTER 20 HTTP Redirect 20.1 Overview HT TP redirect forwards the client’ s HTTP request (except HT TP traffic destined for the Z yWALL) to a web pro xy server . In the following example, proxy server A is connected to the DMZ interface. When a cl ient connected to the LAN zone wants to open a web page, its HT [...]
-
Pagina 424
Chapter 20 HTT P Red ire ct ZyWALL USG 300 User’s Guide 424 20.1.2 What Y ou Need to Know Web Proxy Server A proxy serv er helps client devices make in direct requests to access the Internet or outside network resources/services. A pr oxy server can act as a firewall or an ALG (applicati on layer gatew ay) between th e priv ate network and the In[...]
-
Pagina 425
Chapter 20 HTTP Redirect ZyWALL USG 300 User’s Guide 425 • a application patrol rule to allow HT TP traf fic between ge4 and ge2 . • a policy route to forw ard HT TP traffi c from proxy serv er A to the Internet. Finding Out More See Section 6.5.11 on page 104 for related information on these scree ns. 20.2 The HTTP Redirect Screen T o config[...]
-
Pagina 426
Chapter 20 HTT P Red ire ct ZyWALL USG 300 User’s Guide 426 20.2.1 The HTTP Redirect Edit Screen Click Networ k > HTTP Redi rect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule. Figure 322 Network > HTTP Redirect > Edit The following table describes [...]
-
Pagina 427
ZyWALL USG 300 User’s Guide 427 C HAPTER 21 ALG 21.1 ALG Overview Application Laye r Gateway (ALG) al lows the following applications to oper ate properly through the Z y WALL’ s NA T . • SIP - Session Initiation Protocol (SIP) - An application-la yer protocol that can be used to create voice and multimedia sessions over Internet. • H.323 -[...]
-
Pagina 428
Chapter 21 ALG ZyWALL USG 300 User’s Guide 428 21.1.2 What Y ou Need to Know Application Layer Gateway (ALG), NA T and Firewall The Z yWALL can function as an Applicat ion Layer Gatew ay (ALG) to all ow certain NA T un-friendly applications (such as SIP) to operate properly through the Z yWALL ’s NA T and firewall. The Z yWALL dynamically creat[...]
-
Pagina 429
Chapter 21 ALG ZyWALL USG 300 User’s Guide 429 • There should be only one SIP serv er (t otal) on the ZyW ALL’s private networks. Any other SIP servers must be on the WAN. So for example y ou could hav e a Back -to-Back User Agent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN bu t no t on both. • Using the SIP AL G all[...]
-
Pagina 430
Chapter 21 ALG ZyWALL USG 300 User’s Guide 430 can receive incoming calls from t he Internet, LAN IP addresses B and C can still make calls out to t he Internet. Figure 325 V oIP Calls from the W AN with Multiple Outgoing Calls V o IP with Multiple W AN IP Addresses With multiple W AN IP addresses on th e Z yWALL, you can configure different fire[...]
-
Pagina 431
Chapter 21 ALG ZyWALL USG 300 User’s Guide 431 • See Section 21.3 on page 433 for ALG background/technical information. 21.1.3 Before Y ou Begin Y ou must also configure the firewall and enable NA T in the Z yWALL to allow sessions initiated from the W AN. 21.2 The ALG Screen Click Configuration > Network > A LG to open the ALG screen. Us[...]
-
Pagina 432
Chapter 21 ALG ZyWALL USG 300 User’s Guide 432 The following table describes t he labels in this screen. T able 109 Configuration > Ne twork > ALG LABEL DESCRIPTION Enable SI P ALG T urn on the SIP ALG to detect SIP traffic and help build SIP sessions through the Z yWALL’ s NA T . Enabling the SIP ALG also allows you to use the applicatio[...]
-
Pagina 433
Chapter 21 ALG ZyWALL USG 300 User’s Guide 433 21.3 ALG T echnical Reference Here is more detailed information about t he Application Layer Gatew ay . ALG Some applications cannot operate through NA T (are NA T un-friendly) becau se they embed IP addres ses and port number s in their packets’ data payload. The Z yWALL examines and uses IP addre[...]
-
Pagina 434
Chapter 21 ALG ZyWALL USG 300 User’s Guide 434 connections to the second (passive) int erf ace when the acti ve interface’ s connection goes down. When the active in terface’ s connection fails, the client needs to re-initialize the co nnection through the second inte rface (that was set to passive) in ord er to have the connection go through[...]
-
Pagina 435
ZyWALL USG 300 User’s Guide 435 C HAPTER 22 IP/MAC Binding 22.1 IP/MAC Binding Overview IP address to MAC address binding helps en sure that only the i ntended devices get to use privileg ed IP addresses. The Z yWALL uses DHCP to assign IP addresses and records to MAC address it assigned each IP address. The Z yWALL then checks incoming connectio[...]
-
Pagina 436
Chapter 22 IP/MAC Binding ZyWALL USG 300 User’s Guide 436 22.1.2 What Y ou Need to Know DHCP IP/MAC address bindings are based on the ZyW ALL’s d ynamic and static DHCP entries. Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by inter face. Y ou can use IP /M AC binding with Ethernet, bridge, VLAN, and WLAN interfaces. Y[...]
-
Pagina 437
Chapter 22 IP/MAC Binding ZyWALL USG 300 User’s Guide 437 22.2.1 IP/MAC Binding Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/ MAC Binding Edit screen. Use this screen to configure an interface’ s IP to MAC address binding settings. Figure 330 Configur ation > Network > IP/MAC Binding > Edit The fol[...]
-
Pagina 438
Chapter 22 IP/MAC Binding ZyWALL USG 300 User’s Guide 438 22.2.2 S t atic DHCP Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/ MAC Binding Edit screen. Click the A dd or Edit icon to open the foll owing screen. Use this screen to configure an interface’ s IP to MAC address binding settings. Figure 331 Configu[...]
-
Pagina 439
Chapter 22 IP/MAC Binding ZyWALL USG 300 User’s Guide 439 The following table describes t he labels in this screen. 22.3 IP/MAC Binding Exempt List Click Configuration > Network > IP /MAC Binding > Exempt List t o o p e n t h e IP/MAC Binding Exempt List screen. Use this scree n to configure ranges of IP addresses to which the Z yWALL do[...]
-
Pagina 440
Chapter 22 IP/MAC Binding ZyWALL USG 300 User’s Guide 440 End IP Enter the last IP address in a range of IP addresses for which the ZyW ALL does not apply IP/MAC binding. Add icon Click the Add icon to add a new entry . Click the Remove icon to delete an entry . A window display s asking you to confirm that you w ant to delete it. Apply Click App[...]
-
Pagina 441
ZyWALL USG 300 User’s Guide 441 C HAPTER 23 Authentication Policy 23.1 Overview Use authentication polic ies to contro l who can access the network. Y ou can authenticate users (require them to lo g in) and even perform Endpoint Security (EPS) checking to make sure users’ computers comply with defined corporate policies before they can access t[...]
-
Pagina 442
Chapter 23 Auth en tic at ion Policy ZyWALL USG 300 User’s Guide 442 23.1.2 What Y ou Need to Know Authentication Policy and VPN Authentication polici es are applied based on a tr affic flow’ s source and destination IP addresses. If VPN tr affic matches an authentication pol icy’ s source and destination IP addresses, the user must pass auth[...]
-
Pagina 443
Chapter 23 Authentication Policy ZyWALL USG 300 User’s Guide 443 Click Configuration > Auth. Policy to display the screen. Figure 334 Configuration > Au th. Policy[...]
-
Pagina 444
Chapter 23 Auth en tic at ion Policy ZyWALL USG 300 User’s Guide 444 The following table giv es an overview of the objects you can configure. T able 1 14 Configuration > Auth. Policy LABEL DESCRIPTION Enable Authentication P olicy Select this to turn on the authentication policy feature. Exceptional Services Use this table to list services tha[...]
-
Pagina 445
Chapter 23 Authentication Policy ZyWALL USG 300 User’s Guide 445 23.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit ) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy . Status This icon is lit when the entry is active and dimmed when[...]
-
Pagina 446
Chapter 23 Auth en tic at ion Policy ZyWALL USG 300 User’s Guide 446 Figure 336 Configuration > Aut h . Policy > Add The following table giv es an overview of the objects you can configure. T able 1 15 Configuration > Auth. Policy > Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use [...]
-
Pagina 447
Chapter 23 Authentication Policy ZyWALL USG 300 User’s Guide 447 Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configur able for the default policy . Authentication Select the authentication requirement for users when their tr affic matches this polic[...]
-
Pagina 448
Chapter 23 Auth en tic at ion Policy ZyWALL USG 300 User’s Guide 448[...]
-
Pagina 449
ZyWALL USG 300 User’s Guide 449 C HAPTER 24 Firewall 24.1 Overview Use the firewall t o block or allow servic es that use static port numbers. Use application patrol (see Chapter 32 on page 547 ) to control services using flexible/ dynamic port numbers. The firewall can al so limit the number of user sessions. This figure shows the Z yWALL’ s d[...]
-
Pagina 450
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 450 24.1.2 What Y ou Need to Know St ateful Inspection The Z yWALL has a stateful inspection fi rewall. The Z yWALL restricts ac cess by screening data pack ets ag ainst defined acce ss rules. It al so i nspec ts sessions. F or example, traffi c from one zone is not allo we d unless it is initiated [...]
-
Pagina 451
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 451 T o-ZyW ALL Ru les Rule s w ith ZyWALL as the To Zone apply to traffic going to the Z yW ALL itself . By default: • The firewall allows only LAN, WLAN, or W AN computers to access or manage the Z yW ALL. • The Z yWALL drops most pac kets from the W AN zone to the Z yWALL itself , except for [...]
-
Pagina 452
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 452 Firewall and Application Patrol T o use a service, make sure both the firewall and application patrol allow the service’ s packets t o go through the Z yW ALL. The Z yW ALL checks the firewall rules before the application patrol rul es for traffi c going through the Z yWALL. Firewall and VPN T[...]
-
Pagina 453
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 453 the firewall rule to alwa ys be in effect. The following figure shows the results of this rule. Figure 338 Blocking All LAN to W AN IRC Traf fic Example Y our fir ewall would have the following rules. • The first row blocks LAN access to the IRC service on the WAN. • The second row is the fi[...]
-
Pagina 454
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 454 Now you configure a LAN to WAN f irewall rule that allows IRC tr affic from the IP address of the CEO’ s computer (192.168.1.7 for example) to go to any destination address. Y ou do not need to specify a sch edule since you want the firewall rule to always be in effect. The following fi gure s[...]
-
Pagina 455
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 455 • The first row allows any LAN computer to access the IRC service on the W AN by logging into the Z yWALL with the CEO’ s user name. • The second row blocks LAN access to the IRC service on the WAN. • The third row is the firew all’ s default policy of allowing all tr affic from the LA[...]
-
Pagina 456
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 456 5 The screen for configuring a se rvice object opens. Configure it as follows and click OK . Figure 342 Firewall Example: Create a Service Obje ct 6 Select From WAN and To LAN1 . 7 Enter the name of the firewall rule. 8 Select Dest_1 is selected for the Destination and Doom is selected as the Se[...]
-
Pagina 457
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 457 9 The firewall rule appears in the firewall rule summary . Figure 344 Firewall Example: Doom Rule in Summary 24.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same subnet as the Z yWALL ’ s LAN IP address, return traffic may not go through[...]
-
Pagina 458
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 458 4 The Z yWALL then sends it to the compu te r on the LAN in Subnet 1 . Figure 345 Using V irtual Interfaces to Avoid Asymmetrical Routes 24.2.1 Configuring the Firewall Screen Click Configuration > Firewall to open the Firewall screen. Use this screen to enable or disable the firewall and asy[...]
-
Pagina 459
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 459 • The ordering of your rules is v ery im portant as rules are applied in sequence. Figure 346 Configuratio n > F irewall The following table describes t he labels in this screen. T able 120 Configuration > Firewall LABEL DESCRIPTION General Settings Enable Firewall Select this check bo x[...]
-
Pagina 460
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 460 From Z one / To Z o n e This is the dire ction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of pack ets to which they apply . For example, from LAN to LAN means packets trav eling from a compu[...]
-
Pagina 461
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 461 24.2.2 The Firewall Add/Edit Screen In the Firewall screen, click the Edit or Add icon to dis p lay the Firewall Rule Edit screen. Figure 347 Configuration > Fi rewall > Add The following table descri bes the labels in this screen. Service This displays the service object to which this fir[...]
-
Pagina 462
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 462 24.3 The Session Limit Screen Click Configuration > Firewall > Session Limit to displa y the Firewall Session Limit screen. Use this screen to limit th e number of concurrent NA T/ firewall sessions a client can use. Y ou can apply a default limit for all users and Description Enter a desc[...]
-
Pagina 463
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 463 individual limi ts for specific users, addres ses, or both. The individual li mit takes priority if you apply both. Figure 348 Configuration > Firewall > Session Limit The following table descri bes the labels in this screen. T able 122 Configuration > Firewall > Session Limit LABEL [...]
-
Pagina 464
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 464 24.3.1 The Session Limit Add/Edit Screen Click Configuration > Firewall > Session Limit and the Add or Edit icon to display t he Firewall Session Limit Edit screen. Use this screen to configure rules that define a session li mit for specific users or addresses. Figure 349 Configuration >[...]
-
Pagina 465
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 465 User Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out. Otherwise, select any and there is no need for user logging. Note: If you specified an IP address (or ad[...]
-
Pagina 466
Chapter 24 Firewall ZyWALL USG 300 User’s Guide 466[...]
-
Pagina 467
ZyWALL USG 300 User’s Guide 467 C HAPTER 25 IPSec VPN 25.1 IPSec VPN Overview A virtual priv ate network (VPN) provides secure communications b etween sites without the expense of leased site-to-site lines. A s ecure VPN is a combination of tunneling, encryption, aut hentication, access control and auditing. It is used to transport tr affic over [...]
-
Pagina 468
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 468 •U s e t h e VPN Gateway screens (see Section 25.2.1 on page 472 ) to manage the ZyW AL L ’s VPN gateways. A VPN gate way specifies the IPSec rout ers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). Y ou can also activat e and deactivate each VPN gateway . •U s e[...]
-
Pagina 469
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 469 Application Scenarios The Z yW ALL’ s application scenarios make it easier to configure your VPN connection settings. Finding Out More • See Section 6.5.15 on page 106 for related information on the se screens. T able 124 IPSec VPN Application Scenarios SITE-TO-SITE SITE-TO-SITE WITH DYNAMI[...]
-
Pagina 470
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 470 • See Section 25.5 on page 495 for IPSec VPN background information. • See Section 5.3 on page 79 for the IPSec VPN quick setup wizard. • See Section 7.5 on page 139 for an exampl e of configuring IPSec VPN. • See Section 7.6 on page 142 for an exampl e of how to configure a hub- and- s[...]
-
Pagina 471
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 471 SA). Click a column’ s heading cell to so rt the table entries by that column’ s criteria. Click the heading cell again to reverse the sort order . Figure 352 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following tabl e. See Secti on 25. 2.2 on p[...]
-
Pagina 472
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 472 25.2.1 The VPN Connection Add/Edit (IKE) Screen The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. T o access this screen, go to the Configuration > VPN Connection screen (see Section 25.2 on page 470 ), and click either the A[...]
-
Pagina 473
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 473 Figure 353 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)[...]
-
Pagina 474
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 474 Each field is desc ribed in the followi ng table. T able 126 Configuration > VPN > I PSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Create new Object Us[...]
-
Pagina 475
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 475 P olicy Local P olicy Select the address corresp onding to the local network. Use Create new Object if you need to configure a new one. Re mote Policy Select the address corresp onding to the remote network. Use Create new Object if you need to configure a new one. P olicy Enforcement Clear thi[...]
-
Pagina 476
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 476 Encryption This field is applicable when the Active Protocol is ESP . Select which key size and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption k ey or algorithm DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algo[...]
-
Pagina 477
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 477 Check Method Select how the Z yWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyW ALL regularly ping the address you specify to make sure traffic can still go through the connection. Y ou may need to configure the p eer to re[...]
-
Pagina 478
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 478 Inbound T raffic Source NA T This translation hides the source address of computers in the remote network. Source Select the address object that re presents the original source address (or select Create Object to configure a new one). This is the address object for the remote network. The size [...]
-
Pagina 479
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 479 25.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one us ing a manual key . This is useful if you have problems wi th IKE key management . T o access this screen, go to the VPN Connect[...]
-
Pagina 480
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 480 Secure Gateway Address T ype the IP add ress of the remote IPSec router in the IPSec SA. SPI T ype a unique SPI (Security P arameter Index) between 256 and 4095. The SPI is used to identify the Z yWALL during authentication. The Z yWALL and remote IPSec router must use the same SP I. Encapsulat[...]
-
Pagina 481
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 481 Encryption K e y This field is applicable when you select an Encr yption Algor ithm . Enter the encryption key , which depends on the encryption algorithm. DES - type a unique key 8-32 char acters long 3DES - type a unique key 24-32 char acters long AES128 - type a unique key 16-32 characters l[...]
-
Pagina 482
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 482 25.3 The VPN Gateway Screen The VPN Gateway sum m ary screen disp l ays the IPSec VPN gateway polici es in the Z yWALL, as wel l as the Z yWALL’ s addr ess, remote IPSec router’s address, and associated VPN connections for each one. In additi on, it also l ets y ou activ at e and deactiv at[...]
-
Pagina 483
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 483 25.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit scre en allo ws you to create a new VPN gateway policy or edit an existing one. T o access this screen, go to the VPN Gateway summary screen (see Section 25.3 on page 482 ), and click either the Add icon or an Edit icon. Apply C li[...]
-
Pagina 484
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 484 Figure 356 Configuration > VPN > IPSec VPN > VPN Gateway > Edit[...]
-
Pagina 485
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 485 Each field is desc ribed in the followi ng table. T able 129 Configuration > VPN > I PSe c VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration field s. General Settings VPN [...]
-
Pagina 486
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 486 Pre-Shared Ke y Select this to have the Z yWALL and remote IPSec router use a pre- shared key (password) to identify each other when they negotiate the IKE SA. T ype the pre-shared key in the field to the right. The pre- shared key can be • 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*([...]
-
Pagina 487
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 487 Content This field is read-only if the Z yWALL and remote IPSec router use certificates to identify each other . T ype the identity of the Z yWALL during authentication. The identity depends on the Local ID Type . IP - type an IP ad dress; if you type 0.0.0.0, the ZyW ALL uses the IP address sp[...]
-
Pagina 488
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 488 Content This field is disabled if the Peer ID Ty pe is Any . T ype the identity of the remote IPSec router during au thentication. The identity depends on the Peer ID Type . If the Z yWALL and remote IPSec router do not use certificates, IP - type an IP address; see the no te at the end of this[...]
-
Pagina 489
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 489 Negotiation Mode Select the negotiation mode to use to nego tiate the IKE S A. Choices are Main - this encrypts the Z yWALL’ s and remote IPSec router ’ s identities but takes more time to establish the IKE S A Aggressive - this is faster but does not encrypt the identities The Z yWALL and [...]
-
Pagina 490
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 490 NA T T raversal Select this if any of these conditions are satisfied. • This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol. • There are one or more NA T routers between the ZyW ALL and remote IPSec router , and these routers do not support IPSec pass-thru o[...]
-
Pagina 491
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 491 25.4 VPN Concentrator A VPN concentr ator combines sever al IPSec VPN connections into one secure network. Figure 357 VPN T opologies (Fully Meshed and Hub and S poke) In a fully -meshed VPN topology ( 1 in the figure), there is a VPN connection between every pair of routers. In a hub-and-spok [...]
-
Pagina 492
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 492 • Branch office A ’ s Z yW ALL uses one VPN rule to access both the headquarters (HQ) network and branch office B’ s network. • Branch office B’ s Z y W ALL uses one VPN rule to access branch office A ’s network only . Branch office B is not permitte d to access the headquarters net[...]
-
Pagina 493
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 493 VPN Connection (VPN T unnel 1): • Local P olicy: 192.168.1.0/255.255.255.0 • Remote P olicy:192.168.11.0/255.255.255.0 • Disable Policy Enforce ment VPN Gateway (VPN T unnel 2): • My Address: 10.0.0.1 • P eer Gatew ay Address: 10.0.0.3 VPN Connection (VPN T unnel 2): • Local P olicy[...]
-
Pagina 494
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 494 • The local IP addresses configured in the VPN rules should not overlap . • The concentrator must have at least on e separate VPN rule for each spoke. In the local policy , specify the IP addresses of the networks with which the spok e is to be able to hav e a VPN tunnel. This may require y[...]
-
Pagina 495
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 495 Concentrator summary screen (see Section 25.4 on page 491 ), and click either the Add icon or an Edit icon. Figure 360 Configu ration > VPN > IPSec VPN > Concentrator > Edit Each field is desc ribed in the followi ng table. 25.5 IPSec VPN Background Information Here is some more det[...]
-
Pagina 496
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 496 IKE SA Overview The IKE SA provides a se cure connec ti on between the ZyW ALL and remote IPSec router . It takes sev eral steps t o establish an IKE SA. The neg otiation mode determines how many . There are two negotiation mo des--main mode and aggressive mode. Main mode provides better securi[...]
-
Pagina 497
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 497 The Z yWALL sends one or more proposals to the remote IPSec router . (In some devices, you can only set up one propos al.) Each proposal consists of an encryption al gorithm, au thentication algorithm, and DH key group that the Z yWALL wants to use in the IKE SA. The remote IPSec rout er select[...]
-
Pagina 498
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 498 the longer it takes to encrypt and decr ypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 b its), but DH2 keys take longer to encrypt and decrypt. Authentication Before the Z yWA LL and remote IPSec router establish an IKE SA, they ha ve to verify each other?[...]
-
Pagina 499
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 499 Router identity cons ists of ID typ e and content. The ID type can be domain name, IP address, or e-mail address, and the content i s a (properly-formatted) domai n name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you enter[...]
-
Pagina 500
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 500 Negotiation Mode There are two negotiati on modes--main mo de and aggressiv e mode. Main mode provides better security , while aggressive mode is faster . Main mode takes six steps to establish an IKE S A. Steps 1 - 2: The Z yWALL sends its proposals to the remot e IPSec router . The remote IPS[...]
-
Pagina 501
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 501 feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP . (Se e Active Protocol on page 502 for more information about active protocols.) If router A does not hav e an IPSec pass-thru or if the activ e protocol is AH, y ou can solve this p roblem by enabl[...]
-
Pagina 502
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 502 • The local and peer ID type and content come from the certifi cates. Note: Y ou must set up the certificates for the ZyW ALL and remote IPSec rou ter first. IPSec SA Overview Once the Z yWALL and remote IPSec router hav e est ablis hed t he IKE S A, th ey can securely negotiate an IPSec SA t[...]
-
Pagina 503
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 503 These modes are illustrated below . In tunnel mode, the Z yWALL uses the activ e protocol to encaps ulate the entire IP packet. As a result, there are two IP headers: • Outside header: The outside IP header co ntains the IP address of the Z yWALL or remote IPSec router , whichever is the dest[...]
-
Pagina 504
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 504 Additional T opics for IPSec SA This section provi des more information about IPSec SA in your Z yWALL. IPSec SA usi ng Manual Keys Y ou might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly , for example, for troubl eshooting. Y ou should only do this as a [...]
-
Pagina 505
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 505 Each kind of tr anslation is explained below . The following example is used to help explain each one. Figure 366 VPN Example: NA T for Inbound and Outbound T raffic Source Address in Outbound Packet s (Outbound T raffic, Source NA T) This tr anslation lets the ZyW ALL route pack ets from compu[...]
-
Pagina 506
Chapter 25 IPSec VPN ZyWALL USG 300 User’s Guide 506 • SNA T - the translated source address; a different IP ad dress (range of addresses) to hide the original source address. Destination Address in Inbound P ackets (Inbound T raffic, Destination NA T) Y ou can set up this translati on if you want the Z yWALL to forward some packets from the re[...]
-
Pagina 507
ZyWALL USG 300 User’s Guide 507 C HAPTER 26 SSL VPN 26.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VP N router or VPN client software. 26.1.1 What Y ou Can Do in this Chapter •U s e t h e VPN > SSL VPN > Access Privilege screens (see Section 26.2 on page 510 ) to [...]
-
Pagina 508
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 508 Y ou do not have to install additional client software on the remote user computers for access. Figure 367 Network Access Mode: Reverse Proxy Full T unnel Mode In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subn et as t he local network[...]
-
Pagina 509
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 509 changes through the SSL poli cies that us e the object(s). When you delete an SSL policy , the objects are not removed. Y ou cannot delete an object that is refe renced by an S SL access policy . T o delete the object, you must first unassociate th e object from the SSL access policy . Finding Ou[...]
-
Pagina 510
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 510 26.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 369 VPN > SSL VPN > Access Privilege The following table describes t he labels in this screen. T able 135 VPN > SSL VPN > Acces[...]
-
Pagina 511
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 51 1 Apply Click Apply to save the settings. R eset Click Reset to discard all changes. T able 135 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION[...]
-
Pagina 512
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 512 26.2.1 The SSL Access Policy Add/Edit Screen T o create a new or edit an existing SSL access policy , click the Add or Edit icon in the Access Privilege screen. Figure 370 VPN > SSL VPN > Access Privilege > Add/Edit[...]
-
Pagina 513
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 513 The following table describes t he labels in this screen. T able 136 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Configuration Enable P olicy Select this option to activ ate[...]
-
Pagina 514
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 514 26.3 The SSL Global Setting Screen Click VPN > SSL V PN and click the Global Setting tab to display the foll owing screen. Use this screen to set the IP a ddress of the Z yW ALL (or a gatewa y device) SSL Application List (Optional) The Selectable Application Objects list displays the name(s) [...]
-
Pagina 515
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 515 on your network f or full tunnel mode ac cess, enter access messages or upl oad a custom logo to be displ ayed on the remote user screen. Figure 371 VPN > SSL VPN > Global Setting The following table describes t he labels in this screen. T able 137 VPN > SSL VPN > Global Setting LABEL[...]
-
Pagina 516
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 516 26.3.1 How to Upload a Custom Logo Fol low the steps below to upload a custom logo to displa y on the remote user SSL VPN screens. 1 Click VPN > SSL VPN and click the Global Setting tab to di splay the configur ati on screen. 2 Click Browse to locate the logo graphic . Make su re the fil e is [...]
-
Pagina 517
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 517 The following shows an example logo on the remote user screen. Figure 372 Example Logo Graphic Display 26.4 Est ablishing an SSL VPN Connection After you hav e configured the S SL VPN settings on the Z yWALL, us e the Z yWA LL login screen’ s SSL VPN button to es tablish an SSL VPN connection. [...]
-
Pagina 518
Chapter 26 SSL VPN ZyWALL USG 300 User’s Guide 518 2 SSL VPN connection starts. This may take sever al minutes depending on yo ur network connection. Once the connection is up , you should see the client portal screen. The following shows an example. Figure 374 SSL VPN Client Portal Screen Example If the user account is not set up for SS L VPN ac[...]
-
Pagina 519
ZyWALL USG 300 User’s Guide 519 C HAPTER 27 SSL User Screens 27.1 Overview This chapter introduces the remote user S SL VPN screens. The following figure shows a network example where a remote user ( A ) logs into the Z yW ALL from the Internet to access the web serv er ( WWW ) on the local network. Figure 375 Network Exam p le 27.1.1 What Y ou N[...]
-
Pagina 520
Chapter 27 SSL User Screen s ZyWALL USG 300 User’s Guide 520 System Requirement s Here are the browser and computer system requirements for remote user access. • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit) • Internet Explorer 7 and above or Firefox 1.5 and abov e • Using RDP requires Internet[...]
-
Pagina 521
Chapter 27 SSL User Screens ZyWALL USG 300 User’s Guide 521 1 Open a web browser and enter the web site address or IP address of the Z yW ALL. For examp le, “http://sslvpn.myc ompany .com” . Figure 376 Enter the Address in a We b Browser 2 Click OK or Yes if a security screen displays. Figure 377 Login Security Screen 3 A login screen display[...]
-
Pagina 522
Chapter 27 SSL User Screen s ZyWALL USG 300 User’s Guide 522 5 Y our computer sta rts establishing a se cure connection to the Z yWALL after a successful login. Thi s may take up to two minutes. If you get a message about needing Jav a, download and install it and restart y our browser and re-login. If a certificate warning screen displays, click[...]
-
Pagina 523
Chapter 27 SSL User Screens ZyWALL USG 300 User’s Guide 523 7 The Z yW ALL tries to install the SecuExtend er client. Y ou may need to c lick a pop- up to get your browser to allow this. In Internet Explorer , click Install . Figure 381 SecuExtender Blocked by Internet Exp lorer 8 The Z yW ALL tries to run the “ss ltun” applic ation. Y ou may[...]
-
Pagina 524
Chapter 27 SSL User Screen s ZyWALL USG 300 User’s Guide 524 10 If a screen like t he following displays, click Continue Anyway to finish installing the SecuExtender client on y our computer . Figure 384 Hardware Inst allation W arning 11 The Application screen displays showing the list of resources av ailable to you. See Figure 385 on page 525 f[...]
-
Pagina 525
Chapter 27 SSL User Screens ZyWALL USG 300 User’s Guide 525 27.3 The SSL VPN User Screens This section describes the main elem ents in the remote us er screens. Figure 385 Remote User Screen The following table describes t he various parts of a remot e user screen. T able 138 Remote User Screen Overview # DESCRIPTION 1 Click on a menu tab to go t[...]
-
Pagina 526
Chapter 27 SSL User Screen s ZyWALL USG 300 User’s Guide 526 27.4 Bookmarking the ZyW ALL Y ou can create a boo kmark of the Z yWALL by clicking the Add to Favorite icon. This allows you to access the Z yW ALL using the bookmark without having to enter the address every time. 1 In any remote user screen, click the Add to Favorite icon. 2 A screen[...]
-
Pagina 527
Chapter 27 SSL User Screens ZyWALL USG 300 User’s Guide 527 3 An information screen displays to indicate that t he SSL VPN connection is about to terminate. Figure 388 Logout: Connection T ermination Progress[...]
-
Pagina 528
Chapter 27 SSL User Screen s ZyWALL USG 300 User’s Guide 528[...]
-
Pagina 529
ZyWALL USG 300 User’s Guide 529 C HAPTER 28 SSL User Application Screens 28.1 SSL User Application Screens Overview Use the Application screen to access web-based applic ations (such as web sites and e-mail) on the network through the SSL VPN conne ct i on. Wh ich app l ic a t ion s you can access depends on the Z yWALL’ s configuration. 28.2 T[...]
-
Pagina 530
Chapter 28 SSL User Application Screens ZyWALL USG 300 User’s Guide 530[...]
-
Pagina 531
ZyWALL USG 300 User’s Guide 531 C HAPTER 29 SSL User File Sharing 29.1 Overview The File Sharing screen lets you access files on a file server through the SSL VPN connection. 29.1.1 What Y ou Need to Know Use the File Sharing screen to display and access shared files/folders on a fil e server . Y ou can also perform the following actions: • Acc[...]
-
Pagina 532
Chapter 29 SSL Use r File Sharing ZyWALL USG 300 User’s Guide 532 29.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) av ailable. The following figure show s an example with one file share. Figure 390 File Sh aring 29.3 Opening a File or Folder Y ou can open a file if the file extension is [...]
-
Pagina 533
Chapter 29 SS L User File Sharing ZyWALL USG 300 User’s Guide 533 3 If an access user name and password ar e requi red, a screen displays as shown in the following figure. Enter the account information and click Login to contin ue. Figure 391 File Sh aring: Enter Access User Name and Password[...]
-
Pagina 534
Chapter 29 SSL Use r File Sharing ZyWALL USG 300 User’s Guide 534 4 A list of files/ fo lders display s. Click on a fi le to open it in a sep a rate brows e r window . Y ou can also click a folder to access it. For t his example, click on a .doc file t o open the W ord document. Figure 392 File Sh aring: Open a W ord File 29.3.1 Downloading a Fil[...]
-
Pagina 535
Chapter 29 SS L User File Sharing ZyWALL USG 300 User’s Guide 535 29.3.2 Saving a File After you ha ve opened a file i n a web browser , you can save a copy of the file by clicking File > Save As and fo ll ow ing the on-s c r een instruct i o ns . Figure 393 File Sh aring: Save a Wor d File 29.4 Creating a New Folder T o create a new folder in[...]
-
Pagina 536
Chapter 29 SSL Use r File Sharing ZyWALL USG 300 User’s Guide 536 29.5 Renaming a File or Folder T o rename a file or folder , click the Rename icon next to the fi le/folder . Figure 395 File Sh aring: Rename A popup window displays. Specify the new na me and/or file exte nsio n in th e field provided. Y ou can enter up to 356 characters. Then cl[...]
-
Pagina 537
Chapter 29 SS L User File Sharing ZyWALL USG 300 User’s Guide 537 29.7 Uploading a File Fol low the steps below to upload a file to the file serv er . 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of th e file you w ant to upload. Or click Brows e to locate it. 3 Click Uploa d to send the fil[...]
-
Pagina 538
Chapter 29 SSL Use r File Sharing ZyWALL USG 300 User’s Guide 538[...]
-
Pagina 539
ZyWALL USG 300 User’s Guide 539 C HAPTER 30 ZyWALL SecuExtender The Z yWALL aut omatically loads the Z yW ALL SecuExtender client program to your computer after a successful logi n. The Z yWALL SecuExtender lets you: • Access servers , remote desktops and mana ge files as if you were on the local network. • Use applications like e-mail, file [...]
-
Pagina 540
Chapter 30 ZyW ALL SecuExtende r ZyWALL USG 300 User’s Guide 540 30.2 S t atistics Right- click the Z yW ALL SecuExtender ic on in the system tr ay and s elect Status to open the Status screen. Use this screen to view the ZyW ALL SecuExtender’s statistics. Figure 399 ZyW ALL SecuExtender S tatus The following table describes t he labels in this[...]
-
Pagina 541
Chapter 30 ZyWALL SecuExtender ZyWALL USG 300 User’s Guide 541 30.3 V iew Log If you h ave pro b lems w i th th e ZyWALL SecuExtender , customer support may request you to pro vide information from the log. Right -click the Zy WALL SecuExtender icon in the sys tem tr a y and select Log to open a notepad file of the Z yWALL SecuExtender’s log. F[...]
-
Pagina 542
Chapter 30 ZyW ALL SecuExtende r ZyWALL USG 300 User’s Guide 542 connected but not send any traffi c throug h it until y ou right-click the icon and resume the connection. 30.5 S top the Connection Right- click the icon and select Stop Connection to disconnect t he SSL VPN tunnel. 30.6 Uninst alling the ZyW ALL SecuExtender Do the following if yo[...]
-
Pagina 543
ZyWALL USG 300 User’s Guide 543 C HAPTER 31 L2TP VPN 31.1 Overview L2TP VPN let s remote users use the L2TP and IPSec client soft ware includ e d with their computers’ operating systems to secu rely connect to the network behind t he Z yWALL . The remote users do not need their own IPSec gatewa ys or VPN client software. Figure 403 L2TP VPN Ove[...]
-
Pagina 544
Chapter 31 L2T P VPN ZyWALL USG 300 User’s Guide 544 • Use transp ort mode. • Not be a manual key VPN connection. •U s e Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2T P VPN c lients to connect from more than one IP address. Using the Default L2 TP VPN Connection Default_[...]
-
Pagina 545
Chapter 31 L2TP VPN ZyWALL USG 300 User’s Guide 545 Finding Out More • See Section 6.5.17 on page 107 for related information on the se screens. • See Chapter 8 on page 183 for an example of how to create a basic L2TP VPN tunnel. 31.2 L2TP VPN Screen Click Configuration > VPN > L2TP VPN to open t he following screen. Use this screen to [...]
-
Pagina 546
Chapter 31 L2T P VPN ZyWALL USG 300 User’s Guide 546 VPN Connection Select the IPSec VPN connection the ZyW A LL uses for L2TP VPN. All of the configured VPN connections displa y here, but the one you use must meet the requirements listed in IPSec Configuration R equired for L2TP VPN on page 543 . Note: Modifying this VPN connection (or the VPN g[...]
-
Pagina 547
ZyWALL USG 300 User’s Guide 547 C HAPTER 32 Application Patrol 32.1 Overview Application patrol provides a convenie nt w ay to manage the use of v arious applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to- peer (P2P), V o ice over IP (V oIP), and streaming (RSTP) appl ications[...]
-
Pagina 548
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 548 32.1.2 What Y ou Need to Know If you w ant to use a service, mak e sure both the firewall and application patrol allow the service’ s packets to go through the ZyW ALL. Note: The ZyW ALL checks firewall rules befor e it checks application pa trol rules for traffic goin g through t[...]
-
Pagina 549
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 549 numbers for SIP tr affic. Likewise, configuring the SIP ALG to use custom port numbers for SIP tr affic also configures applicati on patrol to use the same port numbers for SIP tr affic. DiffServ and DSCP Marking QoS is used to prioritize s o urce-to-destinat i on traffic flows. All pa[...]
-
Pagina 550
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 550 • The outbound tr affic flows from the connection initiator to the connection responder . • The inbound tr affic flows from the connecti on responder to the connection initiator . For example, a LAN to W AN connection is initiated from LA N and goes to t he WAN. • Outbound tra[...]
-
Pagina 551
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 551 Bandwid th Management Priority • The Z yWALL gives bandwidth to higher -priority traffic f irst, until it reaches i ts configured bandwidth r ate. • Then lower-pri o rit y traffic gets bandwid th. • The Z yWALL uses a fairness-based (round-robi n) scheduler to divide b andwidth a[...]
-
Pagina 552
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 552 Configured Rate Effect In the following table the configured r ates total less than the av ailable bandwidth and maximize bandwidth usage is disabled, both servers get t heir configured r ate. Priority Effect Here the configured rates total more than the available bandwidth. Because[...]
-
Pagina 553
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 553 regardless of its priority , server B gets almost no band width with this configu ration. Finding Out More • See Section 6.5.18 on page 107 for related information on the se screens. • See Section 7.7 on page 144 for an exampl e of how to set up web surfing policies with bandwidth [...]
-
Pagina 554
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 554 • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connection s, but it must be the lowest priority and limited so it does not inte rfere with SIP and HT TP traffi c. Figure 409 Application Patrol Bandwid th Management Example 32[...]
-
Pagina 555
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 555 • Enable maximi ze bandwidth usage so the SIP tr affic can borrow unus ed bandwidth. Figure 410 SIP Any to W AN Bandwidth Management Example 32.1.3.3 SIP W AN to Any Ba ndwid th Management Example Y ou also create a policy for calls coming in from the SIP server on the WAN. It is the[...]
-
Pagina 556
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 556 32.1.3.5 FTP W AN to DMZ Ba ndwid t h Management Example • ADSL supports more downstream than upstream so you al low remote users 300 kbps for uploads to the DMZ F TP serv er (outbound) but only 100 kbps for downloads (inbound). • Third highes t priority (3) . • Disable maximi[...]
-
Pagina 557
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 557 32.2 Application Patrol General Screen Use this screen to enable and d isable applicati on patrol. It also lists the registration st atus and details about the sig nature set the Z y WALL is using. Note: Y ou must register for the IDP/AppPatrol signature service (at least the trial) be[...]
-
Pagina 558
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 558 32.3 Application Patrol Applications Use the application patrol Common , Instant Messenger , Peer to Peer , VoIP , or Streaming screen to manage traf fic of individual applications. Use the Common screen (shown here as an exam ple) to manage traffic of the most commonly used web , f[...]
-
Pagina 559
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 559 Click Configuration > App Patro l > Co mmon to open the following screen. Figure 415 Configur ation > App Patrol > Common The following table describes the labels in this screen. See Secti on 32.3.1 on page 559 for more information as well. 32.3.1 The Application Patrol Edi[...]
-
Pagina 560
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 560 Streaming screen and click an application’ s Edit icon. The screen displayed here is for the MSN instant messenger service. Figure 416 Application Edit The following table describes t he labels in this screen. T able 147 Application Edit LABEL DESCRIPTION Service Enable Service Se[...]
-
Pagina 561
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 561 # This field is a sequential value, and it is not associated with a specific entry . Note: The ZyW ALL checks ports in the order they appear in the list. While this sequence does not af fect the functionality , you might improve the performance of the ZyW ALL by putting more commonly u[...]
-
Pagina 562
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 562 Access This field displays what the Zy WALL does with pack ets for this application that match this policy . forward - the Z yWALL routes the pack ets for this application. Drop - the Z yWALL does not route the packets for this application and does not notify the client of its decis[...]
-
Pagina 563
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 563 32.3.2 The Application Patrol Policy Edit Screen The Application Policy Edit screen allows you to edit a group of settings f or an application. T o access this screen, go to the applicatio n patrol Common , Instant Messenger , Peer to Peer , VoIP , or Streaming screen and click an appl[...]
-
Pagina 564
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 564 Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Ch a p t e r 4 3 o n p a g e 7 4 3 for details). Otherwise, select none to mak e the policy always effective. User Select a user name or user group to which to apply t[...]
-
Pagina 565
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 565 Action Block For som e applications, you can select individual uses of the application that the policy will have the Z yWALL block. These fields only apply when Access is set to forwar d . Login - Select this option to block users from logging in to a ser ver for this application. Mess[...]
-
Pagina 566
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 566 32.4 The Other Applications Screen Sometimes, the Z yWALL cannot identify the application. For example, the application might be a new application, or the pack ets might arriv e out of sequence. (The Z yWALL does not re order packets when identifying the application.) The Other (app[...]
-
Pagina 567
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 567 Click AppPatrol > Other to open the Other ( applicatio ns) screen. Figure 418 AppPatrol > Other The following table describes the labels in this screen. See Secti on 32.4.1 on page 569 for more information as well. T able 149 AppPatrol > Other LABEL DESCRIPTION Add Click this [...]
-
Pagina 568
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 568 Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. Protocol This is the protocol of the traffic to which this po licy applies. Access This field displa ys what the Z yWALL does wi[...]
-
Pagina 569
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 569 32.4.1 The Other Applications Add/Edit Screen The Other Configuration Add/Edit screen allows you to create a new condition or edit an existing one. T o access this screen, go to the Other Protocol screen (see Section 32.4 on page 566 ), and click either the Add icon or an Edit icon. Fi[...]
-
Pagina 570
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 570 Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Ch a p t e r 4 3 o n p a g e 7 4 3 for details). Otherwise, select any to make the policy always effective. User Select a user name or user group to which to apply the[...]
-
Pagina 571
Chapter 32 Application Patrol ZyWALL USG 300 User’s Guide 571 Inbound kbps T ype how much inbound bandwidth , in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the Z yWALL sends to a connection’ s initiator . If you enter 0 here, this policy does not apply bandw idth management for the matching traffic[...]
-
Pagina 572
Chapter 32 App licat ion Patr ol ZyWALL USG 300 User’s Guide 572 OK Click OK to save your changes back to the Z yWALL. Cancel Click Cancel to exit this screen without saving your changes. T able 150 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION[...]
-
Pagina 573
ZyWALL USG 300 User’s Guide 573 C HAPTER 33 Anti-Virus 33.1 Overview Use the Z yWALL’ s anti-virus feature to pr otect your connect ed network from virus/ spyware infect ion. The Z yWALL checks tr affic going in the direction(s) you specify for signature matches. In the following fi gure the ZyW ALL is set to check traff ic coming from the W AN[...]
-
Pagina 574
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 574 33.1.2 What Y ou Need to Know Anti-Virus Engines Subscribe to signature files for Z yXEL ’s anti -virus engine or one powered by K aspersky . When using the trial, you can switch from one engine to the other in the Registration screen. After the trial expires, you need to purchase an iCard[...]
-
Pagina 575
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 575 2 If the packets are not session connection setup packets ( such as SYN, ACK and FIN), the Z yWALL records the sequence of the packets. 3 The scanning engine ch ecks the contents of the packets for virus. 4 If a virus pattern is matched, the Z yWALL removes the infect ed portion of the file [...]
-
Pagina 576
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 576 33.1.3 Before Y ou Begin • Before using anti-virus, see Chapter 11 on page 27 7 for how to register for the anti-vir us service. • Y ou may need to customize the zones (in the Network > Zone ) used for the anti-vi rus scanning direction. 33.2 Anti-V irus Summary Screen Click Configura[...]
-
Pagina 577
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 577 The following table describes t he labels in this screen. T able 151 Configuration > Anti-X > Anti-V irus > General LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a grea ter or lesser number of configuration fields. Enable Anti- Virus an[...]
-
Pagina 578
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 578 Protocol These are the protocols of traffic to scan for viruses. FTP applies to traffic using the T CP port number specified for FTP in the ALG screen. HTTP applies to traffic using T CP ports 80, 8080 and 3128. SMTP applies to traffic using T C P port 25 . POP3 applies to traffic using TCP [...]
-
Pagina 579
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 579 33.2.1 Anti-V irus Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus > General screen to displa y the configur ation screen as shown next. Figure 422 Configur ation > Anti-X > Anti-Viru s > General > Add The following table d[...]
-
Pagina 580
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 580 Actions When Matched Destroy infected file When you select this check bo x, if a virus pattern is matched, the Z yW ALL overwrites the infected portion of the file (and the rest of the file) with zeros. The un-infected po rtion of the file before a virus pattern was matched goes through unmo[...]
-
Pagina 581
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 581 33.3 Anti-V irus Black List Click Configuration > Anti-X > Anti-Virus > Black/White List to displa y the screen shown next. Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns. Click a column’ s heading cell to sort the table entries by t[...]
-
Pagina 582
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 582 The following table describes t he labels in this screen. 33.4 Anti-V irus Black List or White List Add/Edit From the Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List ) screen, click the Add icon or an Ed it icon to display the following screen. [...]
-
Pagina 583
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 583 The following table describes t he labels in this screen. 33.5 Anti-V irus White List Click Configuration > Anti-X > Anti-Virus > Black/White List > White List to display the screen shown next. Use the Black/White List screen to set up Anti- Virus black (blocked) and white (allow[...]
-
Pagina 584
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 584 column’ s heading cell to sort t he table en tries by that col umn’s criteria. Click the heading cell again to reverse the sort order . Figure 425 Configuration > Anti-X > Anti-Viru s > Black/White List > White List The following table describes t he labels in this screen. 33[...]
-
Pagina 585
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 585 If Internet Explorer op en s a warning screen ab out a scri pt making Internet Explorer run slowly and the computer ma ybe becoming unresponsiv e, just click No to continue. Cl ick a column’ s heading ce ll to sort the table entries by that column’s criteria. Click t he head ing cell aga[...]
-
Pagina 586
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 586 The following table describes t he labels in this screen. T able 156 Configuration > Anti-X > Anti-V irus > Signature LABEL DESCRIPTION Signatures Search Select the criteria on which to perform the search. Select By Name from the drop down list box and type th e name or part of the [...]
-
Pagina 587
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 587 33.7 Anti-V irus T echnical Reference T ypes of Computer Viruses The following table describes some of the common computer vi ruses. Computer Virus Inf ection and Prevention The following describes a simpl e life cycle of a computer virus. 1 A computer gets a copy of a virus from a source su[...]
-
Pagina 588
Chapter 33 Anti- Viru s ZyWALL USG 300 User’s Guide 588 A host-b ased anti- virus (HAV) scanner is often software installed on computers and/or servers in the network. It i nspects files for virus patterns as they are moved i n and out of the hard driv e. However , host- based anti-virus scanners cannot eliminate all viruses for a number of reaso[...]
-
Pagina 589
ZyWALL USG 300 User’s Guide 589 C HAPTER 34 IDP 34.1 Overview This chapter introduces pack et inspection IDP (Intrusi on, Detection and Prevention), IDP profiles, binding an IDP prof ile to a tr affic flow , custom signatures and updating signatures. An IDP system can detect malicious or suspicious packets and respond i nstantaneously . IDP on th[...]
-
Pagina 590
Chapter 34 ID P ZyWALL USG 300 User’s Guide 590 IDP Profiles An IDP profile is a set of related IDP sign atures that y o u can activ ate as a set and configure common log and action s ettings. Y ou can apply IDP profiles to traff ic flowing from one zone to another . For ex ample, appl y the default LAN_IDP p rofile to any tr affic going to the L[...]
-
Pagina 591
Chapter 34 IDP ZyWALL USG 300 User’s Guide 591 34.2 The IDP General Screen Click Configuration > Anti-X > IDP > Ge neral to open this scree n. Use this screen to turn IDP on or off , bind IDP profiles to t raffic direct ions, and view registra tion and signature information. Note: Y ou must register in order to use p acket inspection sig[...]
-
Pagina 592
Chapter 34 ID P ZyWALL USG 300 User’s Guide 592 Edit Select an entry and click this to be able to modify it. Re move Select an entry and click this to delete it. Activate T o turn on an entry , select it and click Activate . Inactivate T o turn off an entry , select it and click Inac tivate . Move T o change an entry’s position in the numbered [...]
-
Pagina 593
Chapter 34 IDP ZyWALL USG 300 User’s Guide 593 34.3 Introducing IDP Profiles An IDP profile is a set of packet inspection signatures. P acket inspection si gnatures examine packet content for malicious data. Pack et inspection applies t o OSI (Open System Int erconnection) layer -4 to lay er-7 contents. Y ou need to subscribe for IDP se rvice in [...]
-
Pagina 594
Chapter 34 ID P ZyWALL USG 300 User’s Guide 594 34.3.1 Base Profiles The Z yW ALL comes with sever al base profiles. Y ou use base profiles to create new profiles. In the Configuration > Anti-X > IDP > Profile screen, cli c k Add to display the following screen. Figure 428 Base Profiles The following table descri bes this screen. T able [...]
-
Pagina 595
Chapter 34 IDP ZyWALL USG 300 User’s Guide 595 34.4 The Profile Summary Screen Select Anti-X > IDP > Profile . Use this screen to: • Add a new profile • Edit an existing prof ile • Delete an existing profile. Click a column’ s heading cell to sort the table entries by that column’ s criteria. Click the heading cell again to revers[...]
-
Pagina 596
Chapter 34 ID P ZyWALL USG 300 User’s Guide 596 34.5 Creating New Profiles Y ou may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case y ou should disable non-applicable signatures so as t o improve Z yWALL IDP p rocessing efficiency . Y ou may also f ind that certain signatures are t[...]
-
Pagina 597
Chapter 34 IDP ZyWALL USG 300 User’s Guide 597 34.6 Profiles: Packet Inspection Select Configuration > Anti -X > IDP > Pr ofile and then add a new or edit an existing profile select. P acket inspection signatures examine the contents of a packet for mal icious data. It oper ates at lay er-4 to lay er-7. 34.6.1 Profile > Group V iew Sc[...]
-
Pagina 598
Chapter 34 ID P ZyWALL USG 300 User’s Guide 598 The following table describes t he fields in this screen. T able 161 Configuration > Anti-X > IDP > Profile > Group View LABEL DESCRIPTION Name This is the name of the profile. Y ou may use 1-31 alphanumeric characters, underscores( _ ), or dashes (-), bu t the first character cannot be [...]
-
Pagina 599
Chapter 34 IDP ZyWALL USG 300 User’s Guide 599 Action T o edit what action the Z yW ALL takes when a packet matches a signature, select the signature and use the Action icon. none : Select this action on an individual signature or a complete service group to have the Z yWALL tak e no action when a packet matches the signature(s). drop : Select th[...]
-
Pagina 600
Chapter 34 ID P ZyWALL USG 300 User’s Guide 600 34.6.2 Policy T ypes This section describes IDP poli cy types, also known as attack types, as c a tegorized in the ZyW ALL. Y ou may refer to these types when categorizing your own custom rules. Log These are the log options. T o edit this, select an item and use the Log icon. Action This is the act[...]
-
Pagina 601
Chapter 34 IDP ZyWALL USG 300 User’s Guide 601 34.6.3 IDP Service Group s An IDP service group is a set of re lated packet i nspection signatures. Scan A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels. A network scan occur[...]
-
Pagina 602
Chapter 34 ID P ZyWALL USG 300 User’s Guide 602 The following figure shows the WEB_PHP se rvice group that contains signatures related to attacks on web servers us ing PHP exploits . PH P (PHP: Hypertext Preprocessor) is a serv er-side HTML embedd ed scripting language that allows web developers to build dynamic websites. Logs and actions appl ie[...]
-
Pagina 603
Chapter 34 IDP ZyWALL USG 300 User’s Guide 603 signatures by criteria such as name, ID , severity , attack type, vulnerable attack platforms, service category , log options or actions. Figure 432 Configuration > Ant i -X > IDP > Profile: Q uery View The following table describes t he fields specific to this screen’ s query view. T able[...]
-
Pagina 604
Chapter 34 ID P ZyWALL USG 300 User’s Guide 604 Severity Search for signatures by severit y level(s). Hold down the [Ctrl] key if you want to make multiple selections. These ar e the sev erities as defi ned in the Z yWALL. The number in brackets is the number you use if using comman d s . Severe (5): These denote attacks that try to run arbitrary[...]
-
Pagina 605
Chapter 34 IDP ZyWALL USG 300 User’s Guide 605 34.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attac k T ype: DDoS • Platform: Windows 2000 and Wind ows XP computers •S e r v i c e : A n y[...]
-
Pagina 606
Chapter 34 ID P ZyWALL USG 300 User’s Guide 606 •A c t i o n s : A n y Figure 433 Query Example Search Criteria Figure 434 Query Example Search Result s[...]
-
Pagina 607
Chapter 34 IDP ZyWALL USG 300 User’s Guide 607 34.7 Introducing IDP Custom Signatures Create custom signatures for new attack s or attacks peculiar to y our network. Custom signatures c an also be sav ed to/f rom y our computer so as to s hare with others. Y ou nee d some knowledge of packet header s and attack type s to creat e your own custom s[...]
-
Pagina 608
Chapter 34 ID P ZyWALL USG 300 User’s Guide 608 34.8 Configuring Custom Signatures Select Configuration > Anti-X > IDP > Cu stom Signature s. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click t he Add icon to create a new signature or click the Edit icon to edit an existing si[...]
-
Pagina 609
Chapter 34 IDP ZyWALL USG 300 User’s Guide 609 Note: The ZyW A LL checks all signatures and contin ues searching even af ter a match is found. If two or more rules have conflicting actions fo r the sa me p acket, then the ZyW ALL applies the more restrictive action ( reject-both, reject-receiver or reject-sender , drop, none in this order). If a [...]
-
Pagina 610
Chapter 34 ID P ZyWALL USG 300 User’s Guide 610 34.8.1 Creating or Editing a Custom Signature Click the Add icon to c reate a new signature or c lick the Edit icon to edit an existing signature in the screen as shown in Figure 436 on page 609 . A packet must match all items you configur e in this screen before it matches the signature. The more s[...]
-
Pagina 611
Chapter 34 IDP ZyWALL USG 300 User’s Guide 61 1 T ry to write signatures that target a vulner ability , for example a certain type of traffic on certain operating s ystems, instead of a specific exploit. Figure 437 Configur ation > Anti-X > IDP > Custom Signatures > Add/Edit[...]
-
Pagina 612
Chapter 34 ID P ZyWALL USG 300 User’s Guide 612 The following table describes the fields in this screen. T able 167 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit LABEL DESCRIPTION Name T ype the name of your custom signature. Y ou may use 1-31 alphanumeric characters, underscores( _ ), or dashes (-), but the first charac[...]
-
Pagina 613
Chapter 34 IDP ZyWALL USG 300 User’s Guide 613 Fragmentation A fragmentation flag identifies whether the IP datagr am should be fragmented, not fr agmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses. Fragmentation Offset When an IP datagram is fr agme[...]
-
Pagina 614
Chapter 34 ID P ZyWALL USG 300 User’s Guide 614 Flow If selected, the signature only ap plies to certain directions of the traffic flow and only to c lients or servers. Select Flow and then select the identifying options. Established : The signature only checks for es tablished T CP connections Stateless : The signature is triggered regardless of[...]
-
Pagina 615
Chapter 34 IDP ZyWALL USG 300 User’s Guide 615 P ayload Size This field may be used to check for abno rmally sized packets or for detecting buffer overflows . Select the check box, then select Equal , Smalle r or Greater and then type the payload size. Stream rebuilt packets are not checked regardless of the size of the payload. Add Click this to[...]
-
Pagina 616
Chapter 34 ID P ZyWALL USG 300 User’s Guide 616 34.8.2 Custom Signature Example Before creating a custom signature, you must first clearly understand the vulnerabilit y . 34.8.2.1 Underst a nd the V ulnerability Check the ZyW ALL logs when the attack oc curs. Use web sites such as Google or Security F ocus t o get as much i nformatio n ab out the[...]
-
Pagina 617
Chapter 34 IDP ZyWALL USG 300 User’s Guide 617 34.8.2.2 Analyze Packet s Use the packet capture screen (se e Section 53.3 on page 886 ) and a packet analyzer (also known as a network or pr otocol analyzer) such as Wireshark or Ethereal to inv estigate some more. Figure 438 DNS Query Pa cket Details From the details about DNS query you see th at t[...]
-
Pagina 618
Chapter 34 ID P ZyWALL USG 300 User’s Guide 618 The final custom signature should look like as shown in the following figure. Figure 439 Example Custom Signatu re 34.8.3 Applying Custom Signatures After you create your custom signature, i t becomes avai lable in the IDP service group category in the Configuration > Anti-X > IDP > Profile[...]
-
Pagina 619
Chapter 34 IDP ZyWALL USG 300 User’s Guide 619 Y ou can activate the signature, configu r e what action to take when a packet matches it and if it should gener ate a log or alert i n a profil e. Then bind the profil e to a zone. Figure 440 Example: Custom Signat ure in IDP Profile 34.8.4 V erifying Custom Signatures Configure th e sig nature to c[...]
-
Pagina 620
Chapter 34 ID P ZyWALL USG 300 User’s Guide 620 destination port is the service port (53 for DNS in this case) that the attack tries to exploit. Figure 441 Custom Signature Log 34.9 IDP T echnical Reference This section contains some background information on IDP . Host Intrusions The goal of host -based intrusions is to infi ltrate files on a n [...]
-
Pagina 621
Chapter 34 IDP ZyWALL USG 300 User’s Guide 621 Network Intrusions Network -based intrusions have the goal of bringi ng down a ne twork or networks by attacking computer(s), switch(es), rout er(s) or modem(s). If a LAN switch is compromised for example, then the wh ole LA N is com promised. Ho st-based intrusions may be used to cause network - ba [...]
-
Pagina 622
Chapter 34 ID P ZyWALL USG 300 User’s Guide 622 Note: Not all Snort functionality is supported in the ZyW ALL. Same IP sameip T ransport Protocol T ransport Protocol: T CP P ort (In Snort rule header) Flow flow Flags flags Sequen ce Number seq Ack Number ack Window Size window T ransport Protocol: UDP (In Snort rule header) P ort (In Snort rule h[...]
-
Pagina 623
ZyWALL USG 300 User’s Guide 623 C HAPTER 35 ADP 35.1 Overview This chapter introduces ADP (Anomaly De tection and Prev ention), a nomaly profiles and applying an ADP profile to a traffic direction. AD P p rot ec ts ag ain st anomalies based on violations of prot ocol standards (RFCs – Requests for Comments) and abnormal flows such as p ort scan[...]
-
Pagina 624
Chapter 35 AD P ZyWALL USG 300 User’s Guide 624 Protocol Anomalies Protocol anomalies are packets t hat do not comply with the relevant RFC (R equest For Comments). Protocol anomaly detect ion includes HT TP Inspection, TCP Decoder , UDP Decoder and ICMP Decoder . Protocol anomaly rules may be updated when you up load new firmware. ADP Profile An[...]
-
Pagina 625
Chapter 35 ADP ZyWALL USG 300 User’s Guide 625 35.2 The ADP General Screen Click Configuration > Anti-X > ADP > General . Use this screen to turn anomaly detection on or off and apply an omaly profiles to tr affic directions. Figure 442 Configur ation > Anti-X > ADP > General The following table describes t he screens in this sc[...]
-
Pagina 626
Chapter 35 AD P ZyWALL USG 300 User’s Guide 626 35.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing prof ile • Delete an existing profile From, T o This is the direction of travel of packets to which an anomaly profile is bound. T raffic direction is defined by the zon[...]
-
Pagina 627
Chapter 35 ADP ZyWALL USG 300 User’s Guide 627 35.3.1 Base Profiles The Z yWALL comes with base profiles. Y ou use base profiles to crea te new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen. Figure 443 Base Profiles These are the default base profiles at the ti me of writing. 35[...]
-
Pagina 628
Chapter 35 AD P ZyWALL USG 300 User’s Guide 628 The following table describes t he fields in this screen. 35.3.3 Creating New ADP Profiles Y o u may want to create a new profile if not all rules in a base profile are app licable to your networ k. In this case you should disable non-applicable rules so as to improve Z yWALL ADP processing efficien[...]
-
Pagina 629
Chapter 35 ADP ZyWALL USG 300 User’s Guide 629 belonging to this profile, mak e sure you hav e clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 445 Profile s: T raffic Anomaly[...]
-
Pagina 630
Chapter 35 AD P ZyWALL USG 300 User’s Guide 630 The following table describes t he fields in this screen. T able 172 Configuration > ADP > Prof ile > T raffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile. Y ou may use 1-31 alphanumeric characters, underscores( _ ), or dashes (-), but the first character cannot be a [...]
-
Pagina 631
Chapter 35 ADP ZyWALL USG 300 User’s Guide 631 35.3.5 Protocol Anomaly Profiles Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against th e relev ant RFC (Request for Comments). Protocol anomaly detection includes HT TP Inspection, T CP Decoder , UDP Decoder , and ICMP Decoder whe[...]
-
Pagina 632
Chapter 35 AD P ZyWALL USG 300 User’s Guide 632 Figure 446 Profile s: Protocol Anomaly[...]
-
Pagina 633
Chapter 35 ADP ZyWALL USG 300 User’s Guide 633 The following table describes t he fields in this screen. T able 173 Configuration > ADP > Prof ile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profil e. Y ou may use 1-31 alphanumeric characters, underscores( _ ), or dash es (-), but the first character cannot be a num[...]
-
Pagina 634
Chapter 35 AD P ZyWALL USG 300 User’s Guide 634 Action T o edit what action the Z yWALL takes when a pack et matches a signature, select the signature and use the Act ion icon. original se tting : Select this action to return each signature in a service group to its previously saved configuration. none : Select this action on an individual signat[...]
-
Pagina 635
Chapter 35 ADP ZyWALL USG 300 User’s Guide 635 35.4 ADP T echnical Reference This section is divided i nto traff ic anomaly background information and protocol anomaly background information. T raffic Anomaly Background Information The following sections may help you conf igure the traffic anomaly profile screen ( Section 35.3.4 on page 628 ) Por[...]
-
Pagina 636
Chapter 35 AD P ZyWALL USG 300 User’s Guide 636 Decoy Port Scans Decoy port scans are scans where the atta cker has spoofed the source address . These are some decoy scan types: •T C P D e c o y P o r t s c a n • UDP Decoy P ortscan • IP Decoy P ortscan Distributed Port Scans Distributed port scans are many -to-one port scans. Distributed p[...]
-
Pagina 637
Chapter 35 ADP ZyWALL USG 300 User’s Guide 637 Flood Detection Flood attacks satur ate a network with useless data, use up all a vailabl e bandwidth, and therefore mak e communi cati ons in the network impossible. ICMP Flood Att ack An ICMP flood is broadcasting many p ings or UDP pack ets so that so much data is sent to the system, that it sl ow[...]
-
Pagina 638
Chapter 35 AD P ZyWALL USG 300 User’s Guide 638 the initiator responds with an ACK (ack nowledgment). After this handshak e, a connection is established. Figure 448 TCP Three-W ay Handshake A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN- ACK response. The receiv er then wa[...]
-
Pagina 639
Chapter 35 ADP ZyWALL USG 300 User’s Guide 639 UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to tr ansfer d ata. A UDP flood at tack is p ossible when an at tack er s ends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it wil l determine[...]
-
Pagina 640
Chapter 35 AD P ZyWALL USG 300 User’s Guide 640 DOUBLE-ENCODING ATT A C K This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second pass ASCII, bare byte, and %u encodings are done. IIS-BACKSLASH- EVASION A TT [...]
-
Pagina 641
Chapter 35 ADP ZyWALL USG 300 User’s Guide 641 WEBROO T -DIRECTOR Y - TRAV ERSAL A TT ACK This is when a directory traversal tr averses past the web server root directory . This generates much fewer false positives than the directory option, because it doesn’t alert on directory tra versals that stay within the web serv er directory structure. [...]
-
Pagina 642
Chapter 35 AD P ZyWALL USG 300 User’s Guide 642 TRUNCA TED-HEADER ATT A C K This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash. TRUNCA TED- TIMEST AMP-HEADER ATT A C K This is when an ICMP packet is sent which has an ICMP datagram length of less than[...]
-
Pagina 643
ZyWALL USG 300 User’s Guide 643 C HAPTER 36 Content Filtering 36.1 Overview Use the content filtering feature to cont rol access to specific web sites or web content. 36.1.1 What Y ou Can Do in this Chapter •U s e t h e General screens ( Section 36.2 on page 645 ) to configure global content filtering settings, configure co ntent filtering poli[...]
-
Pagina 644
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 644 Content Filtering Profiles A content filtering profile convenient ly stores your custom set tings for the following featur es . • Category -based Bl ocking The Z yWALL can block access to particular categories of web site content, such as p o r n o g ra ph y o r rac i al i n t o le ra[...]
-
Pagina 645
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 645 Since the Z y WALL checks the URL ’ s domain name (or IP addres s) and fil e path separately , it will not find i tems that go across the two. F or example, with the URL www .zyxel.com.tw/news/pressroom.php , the Z yWALL would find “t w” in the domain name ( www .zyxel.com.tw[...]
-
Pagina 646
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 646 your list of content filter policies , create a denial of access message or specify a redirect URL and check your external we b filtering service regis tration status. Figure 450 Configuration > Ant i-X > Content F il ter > Genera l The following table describes t he labels in [...]
-
Pagina 647
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 647 Move T o change an entry’ s position in the numbered list, select it and click Move to display a field to type a number for where y ou want to put that entry and press [ENTER] to move the entry to the number that you typed. # This column lists the index numbers of the content fil[...]
-
Pagina 648
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 648 36.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content License Status This read-only field displays the status of your content-filter[...]
-
Pagina 649
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 649 filter policy . A content filter policy defi nes which content filter profil e should be applied, when it should be app lied, and to whose web access it shoul d be applied. Figure 451 Configu ration > Anti-X > Content Filter > General > Ad d l The following table descri[...]
-
Pagina 650
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 650 36.4 Content Filter Profile Screen Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile de fines to which web se rvices, web sites or web site categories acce ss is to be all owed or denied. Figure 452 Config[...]
-
Pagina 651
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 651 See Chapter 37 on page 667 for how to view content filtering reports. Figure 453 Configur ation > Anti-X > Content Filter > Filter Profile > Add[...]
-
Pagina 652
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 652 The following table describes t he labels in this screen. T able 178 Configuration > Anti-X > Cont ent Filter > Filter Profile > Add LABEL DESCRIPTION License Status This read-only field displays the status of y our content-filtering database service registration. Not Licens[...]
-
Pagina 653
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 653 Action for Unsafe W eb Pa g e s Select Pass to allow users to access web pages that match the unsafe categories that you select below . Select Block to prevent users from accessing web pages that match the unsafe categories that you select below . When external database content fil[...]
-
Pagina 654
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 654 Action When Category Server Is Unav ailable Select Pass to allow users to access any requested web page if the external content filtering database is unav ailable. Select Block to block access to any requested web page if the external content filtering database is unavailable. Select Wa[...]
-
Pagina 655
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 655 Spyware/Malware Sources This category includes pages which distribute spyware and other malware. Spyware and malw are are defined as software which takes control of y our computer , modifies computer settings, collects or reports personal information, or misrepresents itself by tri[...]
-
Pagina 656
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 656 Nudity This category includes pages containing nude or seminude depictions of the human body . These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature. This category also includes nudist or na[...]
-
Pagina 657
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 657 Arts/Entertainment This category incl udes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment. Business/Economy This category includes page[...]
-
Pagina 658
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 658 Government/Legal This category includes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services. It also includes pages that discuss or explain laws of various governmental entities. Military This[...]
-
Pagina 659
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 659 Re ligion This category includes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship. It does not include pages containing alternative religions such as Wicca[...]
-
Pagina 660
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 660 Sports/Recreation/ Hobbies This category includes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting. T ravel This category inc lud es pages that promote or[...]
-
Pagina 661
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 661 Alcohol Sites that promote, offer for sale, glorify , review , or in any wa y advocate the use or creation of alcoholic bever ages, including but not limited to beer , wine , and hard liquors. Pages that sell alcohol as a subset of other products such as restaurants or grocery stor[...]
-
Pagina 662
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 662 36.5.1 Content Filter Blocked and W arning Messages These are the content filtering warnin g messages. The messages f or blocked access are the same but do not include the buttons. Figure 454 Content Filter W arning Messages Placeholders This category includes pages that are under const[...]
-
Pagina 663
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 663 36.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen. Y ou can create a list of good (allowed) web site addresses and a list of bad (blo cked) web site a[...]
-
Pagina 664
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 664 Allow W eb traffic for trusted web sites only When this box is selected, the Z yWALL blocks W eb access to sites that are not on the Trusted Web Sites list. If they are chosen carefully , this is the most effective w ay to block objectionable material. Re stricted W eb F eatures Select [...]
-
Pagina 665
Chapter 36 Co n te nt F ilt ering ZyWALL USG 300 User’s Guide 665 36.7 Content Filter T echnical Reference This section provi des content filtering background informati on. Forbidden W eb Sites This list displays the forbidden web sites already added. Enter host names such as www .bad-site.com into this text field. Do not enter the complete URL o[...]
-
Pagina 666
Chapter 36 Content Filtering ZyWALL USG 300 User’s Guide 666 External Content Filter Server Lookup Procedure The content filter lookup process is described below . Figure 456 Content Filter Lookup Procedure 1 A computer behind the Z yWALL tries to access a web site. 2 The Z yWALL looks up the web site in its cache. If an attempt to access the web[...]
-
Pagina 667
ZyWALL USG 300 User’s Guide 667 C HAPTER 37 Content Filter Reports 37.1 Overview Y ou can view content filtering reports afte r you ha ve activ ated the category-based content filtering sub scription service. See Chapter 11 on page 277 on how t o create a myZ yXEL.com account, register your device and activ ate the subscription services. 37.2 V i[...]
-
Pagina 668
Chapter 37 Content Filter Reports ZyWALL USG 300 User’s Guide 668 2 Fill in your myZ yXEL.com account information and click Login . Figure 457 myZyXEL.com: Lo gin[...]
-
Pagina 669
Chapter 3 7 Content Filt er Reports ZyWALL USG 300 User’s Guide 669 3 A welcome screen displays. Cl ick your Z yWALL’ s model name and/or MAC address under Registered ZyXEL Products (the ZyW ALL 70 is shown as an exa m ple here). Y ou can change the descriptive name for your ZyW ALL using th e Rename button in the Service Management screen (see[...]
-
Pagina 670
Chapter 37 Content Filter Reports ZyWALL USG 300 User’s Guide 670 4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 459 myZyXEL.com: Service Ma nagement 5 In the Web Filter Home screen, click the Reports tab. Figure 460 Content Filter Reports Main Screen[...]
-
Pagina 671
Chapter 3 7 Content Filt er Reports ZyWALL USG 300 User’s Guide 671 6 Select items under Global Reports to view the corresponding reports. Figure 461 Content Filter Reports: Report Home 7 Select a time period in the Da te R ange field, ei ther Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view [...]
-
Pagina 672
Chapter 37 Content Filter Reports ZyWALL USG 300 User’s Guide 672 8 A chart and/or list of requeste d web site categories disp lay in the lower half of the screen. Figure 462 Global Report Scre en Example[...]
-
Pagina 673
Chapter 3 7 Content Filt er Reports ZyWALL USG 300 User’s Guide 673 9 Y ou can click a category in the Categ ories report or click URLs in the Report Home screen to see the URLs that were requ es te d. Figure 463 Requested URLs Example[...]
-
Pagina 674
Chapter 37 Content Filter Reports ZyWALL USG 300 User’s Guide 674[...]
-
Pagina 675
ZyWALL USG 300 User’s Guide 675 C HAPTER 38 Anti-Spam 38.1 Overview The anti-spam feature can mark or disc ard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use t he black list to identify spam e- mail. T he ZyWA LL can also check e-mail aga ins t a DNS black l ist (DNSBL) of IP addresses of serve[...]
-
Pagina 676
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 676 Black List Configure black list entri es to identify spam. The black list entries ha ve the Z yWALL classify an y e-mail that is from or forwarded by a specified IP address or uses a specified header field and header v alue as being spam. If an e-mail does not match any of the white list ent[...]
-
Pagina 677
Chapter 38 Anti-Spa m ZyWALL USG 300 User’s Guide 677 E-mail Header Buffer Size The Z yW ALL has a 5 K buffer for an individu al e-mail header . If an e-mail’ s header is longer than 5 K, the Z yWALL only checks up to the fi rst 5 K. DNSBL A DNS Black List (DNSBL) is a serv er that hosts a list of IP addresses known or suspected of having sent [...]
-
Pagina 678
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 678 spam policies. Y ou can also select t he action the Z yWALL takes when the mail sessions threshold is reached. Figure 464 Configu ration > Anti-X > Anti-S pam > General The following table describes t he labels in this screen. T able 180 Configuration > Anti-X > Anti-S pam >[...]
-
Pagina 679
Chapter 38 Anti-Spa m ZyWALL USG 300 User’s Guide 679 38.3.1 The Anti-S p am Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configuration sc reen as shown next. Use this screen to configure an anti-spam policy that cont rols what traffic direction of e-mail t[...]
-
Pagina 680
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 680 check, which e-mail protocols to scan, the scanning options, and the action to t ake on spam tr affic. Figure 465 Configu ration > Anti-X > Anti-S pam > General > Add The following table describes t he labels in this screen. T able 181 Configuration > Anti-X > Anti-V irus &[...]
-
Pagina 681
Chapter 38 Anti-Spa m ZyWALL USG 300 User’s Guide 681 38.4 The Anti-S p am Black List Screen Click Configuration > Anti-X > Anti-Spam > Black / White L ist to display the Anti-Spam Black List screen. Configure the black li st to identify spam e-mail. Y ou can create black l ist entries based on the sender’s or rela y server’ s IP add[...]
-
Pagina 682
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 682 specific subject t ext. Click a column’ s heading cell to s ort the tabl e entries by that column’s criteria. Click t he head ing cell again t o reverse t he sort o rder . Figure 466 Configuration > Anti -X > Anti-S pam > Black/Wh i te List > Black Li st The following table d[...]
-
Pagina 683
Chapter 38 Anti-Spa m ZyWALL USG 300 User’s Guide 683 38.4.1 The Anti-S p am Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to displa y the following screen. Use this screen to configure an anti-spam bl ack list entry to identify spam e-mail. Y ou can create entries based o[...]
-
Pagina 684
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 684 38.4.2 Regular Expressions in Black or White List Entries The following applies for a black or white li st entry based on an e-mail subj ect, e- mail address, or e-mail header v alue. • Use a question mark (?) to let a single char acter vary . For example, use “a?c” (without the quotat[...]
-
Pagina 685
Chapter 38 Anti-Spa m ZyWALL USG 300 User’s Guide 685 38.5 The Anti-S p am White List Screen Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to displa y the Anti-Spam White List screen. Configure the white list to identify legi timate e-mail. Y ou can create white list entries based on the sender?[...]
-
Pagina 686
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 686 38.6 The DNSBL Screen Click Configuration > Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to co nfigure the Z yWALL to chec k the sender and relay IP addresses in e-mail headers ag ainst DNS (Domain Name Service)-based spam Black Lists (DNSBLs). F[...]
-
Pagina 687
Chapter 38 Anti-Spa m ZyWALL USG 300 User’s Guide 687 The following table describes t he labels in this screen. T able 185 Configuration > Anti-X > Anti-S pam > DNSBL LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields. Enable DNS Black List (DN[...]
-
Pagina 688
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 688 38.7 Anti-S p am T echnical Reference Here is more detailed anti-spam information. DNSBL • Th e Z y W A L L c h e c k s o n l y p u b l i c s e n d e r a n d relay IP addresses, it does not check private IP addresses. • The Z yWALL sends a sep arate query (DNS lookup) for each sender or [...]
-
Pagina 689
Chapter 38 Anti-Spa m ZyWALL USG 300 User’s Guide 689 Here is an example of an e- mail classified as spam based on DNSBL repl ies. Figure 470 DNSBL S pam Detection Example 1 The Z yW ALL receives an e- mail that was se nt from IP address a.a.a.a and relay ed by a n e -ma il ser ver at IP add re ss b. b.b. b. The Zy WALL send s a separ ate query t[...]
-
Pagina 690
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 690 Here is an example of an e-mail classifi ed as legitimate based on DNSBL replies. Figure 471 DNSBL Legitimate E-mail Detection Example 1 The Z yWALL receives an e-mail that was sent f rom IP address c.c.c.c and rela yed by an e-mail server at IP address d.d.d. d. The ZyW ALL sends a separate[...]
-
Pagina 691
Chapter 38 Anti-Spa m ZyWALL USG 300 User’s Guide 691 If the Z yWALL receiv es conf licting DNSBL replies for an e-mail routing IP address, the Z yWALL classifies the e-mail as spam. Here is an example. Figure 472 Conflicting DN SBL Replies Ex ample 1 The Z yW ALL receives an e-mail that was sent from IP addres s a.b.c.d and relayed by an e-mail [...]
-
Pagina 692
Chapter 38 Anti- S pa m ZyWALL USG 300 User’s Guide 692[...]
-
Pagina 693
ZyWALL USG 300 User’s Guide 693 C HAPTER 39 Device HA 39.1 Overview Device HA lets a backup Z yWALL ( B ) automatically take over if the master Zy W A L L ( A ) fails. Figure 473 Device HA Backup T aking Over for the Master 39.1.1 What Y ou Can Do in this Chapter •U s e t h e General screen ( Section 39.2 on page 695 ) t o configure device HA g[...]
-
Pagina 694
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 694 • Legacy mode allows for more complex relationships between the master and backup Z yWALLs, such as activ e-active or using different Z yWALLs as the master Z yWALL for individual interfaces . Legacy mode configurat ion involv es a greater degree of complexity . Active-pa ssi ve mode is recom[...]
-
Pagina 695
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 695 39.2 Device HA General The Configuration > Device HA General screen lets you enable or disable device HA, and displa ys which device HA mode the Z yWALL is set to use al ong with a summary of th e monitored inter faces. Figure 474 Configur ation > Device HA > General The following tab[...]
-
Pagina 696
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 696 39.3 The Active-Passive Mode Screen Virtual Router The master and backup Z yWALL form a single ‘virtual router’ . In the following example, master Z y WALL A and backup Z yWALL B form a virtual router . Figure 475 V irtual Router Cluster ID Y ou can have multiple ZyW A LL virtual routers on[...]
-
Pagina 697
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 697 B form a virtual router that uses cluster ID 1. Z yWALLs C and D form a virtual router that uses cluster ID 2. Figure 476 Cluster IDs for Multiple Virtual Routers Monitored Interfaces in Acti ve-Passive Mode Device HA Y ou can select which interfaces device HA monitors. If a monitored i nterfa[...]
-
Pagina 698
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 698 192.168.1.5 and Z yWALL B has its own LAN management IP address of 192.168.1.6. These do not change when Z yWALL B bec omes the master . Figure 477 Manageme nt IP Addresses 39.3.1 Configuring Active-Passive Mode Device HA The Device HA Active-Passive Mode screen lets you configure general activ[...]
-
Pagina 699
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 699 The following table describes t he labels in this screen. See Section 39.4 on page 701 for more information as well. T able 187 Configuration > De vice HA > Active-Passive Mode LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or less[...]
-
Pagina 700
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 700 Monitored Interface Summary This table shows the status of the device HA settings and stat us of the Zy WA L L ’s i n t e r f a c e s . Edit Select an entry and click this to be able to modify it. Activate T o turn on an entry , select it and click Ac tivate . Inactivate T o turn off an entry[...]
-
Pagina 701
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 701 39.4 Configuring an Active-Passive Mode Monitored Interface The Device HA Active-Passive Mo de Monitored Interface Edit screen lets you enable or disable monitoring of an interface and set the interface’ s management IP address and subnet mask. T o access this screen, click Configuration >[...]
-
Pagina 702
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 702 A bridge interface’ s device HA settings ar e not retained if you delete the bridge interface. Figure 479 Configuration > Dev ice HA > Active-Pas si ve Mode > Edit The following table descri bes the labels in this screen. T able 188 Configuration > De vice HA > Active-Passive M[...]
-
Pagina 703
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 703 39.5 The Legacy Mode Screen Virtual Router Redundancy Protocol (VRRP) Legacy mode device HA uses Virtual R out er R edundancy Protoc ol (VRRP) to create redundant backup gatewa ys to ensure that a default gateway is always available. The Z yW ALL uses a custom VRRP imp lementation and is not c[...]
-
Pagina 704
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 704 39.6 Configuring the Legacy Mode Screen The Device HA Legacy Mode screen lets you configure general legacy mode HA settings including link monitoring, co nfigure the VRRP group and synchronize backup Z yWALLs. T o access thi s screen, click Configuration > Device HA > Legacy Mode . Figure[...]
-
Pagina 705
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 705 R emove Select an entry and click this to delete it. Activate T o turn on an entry , select it and click Acti vate . Activ ating a VRRP group has the Z yW ALL monitor the connection of the group’s interface. Each interface must have a static IP address and be connected to the same subnet as [...]
-
Pagina 706
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 706 Use the VRRP Group Add/Edit screen to add or edit VRRP groups. • Y ou can only use interfaces that hav e static IP addresses. In addition, yo u should set the stat ic IP address t o the IP ad dress of the virtual router . • Y ou can only enable one VRRP gr oup for each interface. • Y ou c[...]
-
Pagina 707
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 707 The following table descri bes the labels in this screen. T able 190 Configuration > De vice HA > Legacy Mode > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser number of configur ation fields. Enable VRRP Group Sele[...]
-
Pagina 708
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 708 39.7 Device HA T echnical Reference Active-Passive Mode Device HA with Bridge Interfaces Here are two wa ys to avoid a broadcast storm when you connect the bridge interfaces on two Z yWALLs. First Option for Connecting the Bridge Interfaces on T wo ZyW ALLs The first way is to activate d evice [...]
-
Pagina 709
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 709 1 Make sure the bridge i nterfaces of the master Z yWALL ( A ) and the backup Zy W A L L ( B ) are not connected. 2 Configure the bridge interface on the mast er ZyW ALL, set the bridge interface as a monitored interface, and act ivate device HA. 3 Configure the bridge interface on the back up[...]
-
Pagina 710
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 710 4 Connect the Z yWALLs. Second Option for Connecting the Bridge Interfaces on T wo ZyW ALLs Another option is to disab le the bridge interfaces, connect the bridge interfaces, activ ate device HA, and finally reacti vate the bridge interfaces as shown in the following example. 1 In this case th[...]
-
Pagina 711
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 71 1 2 Configure a corresponding disabled bridge int erface on the back up Z yW A LL. Then set the bridge interface as a monitored interface, and activat e device HA. 3 Enable the bridge interface on the master Z yWALL and then on the backup Zy WA L L . 4 Connect the Z yWALLs. B A Br0 {ge4, ge5} B[...]
-
Pagina 712
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 712 Legacy Mode ZyW ALL VRRP Application In VRRP , a virtual router represents a nu mber of Zy WALLs associated with one IP address, the IP address of the default gateway . Each virtual router is identified by a unique 8-bit identifi cation number calle d a Virtual R outer ID (VR ID). In the exampl[...]
-
Pagina 713
Chapter 39 Dev ice HA ZyWALL USG 300 User’s Guide 713 If Z yWALL A becomes a vailable again, Z yWALL A preempts Z yWALL B and becomes the master again (the network returns to t he state shown in Figure 482 on page 712 ). Synchronization During synchronizat ion, the master Z yWALL sends the following in formation to the backup Z yWALL. • Startup[...]
-
Pagina 714
Chapter 39 Device HA ZyWALL USG 300 User’s Guide 714[...]
-
Pagina 715
ZyWALL USG 300 User’s Guide 715 C HAPTER 40 User/Group 40.1 Overview This chapter describes how t o set up user accounts, user groups, and user settings for the Z yWAL L. Y ou can also set up rules that c ontrol when users have to log in to the Z yWALL before the Zy WALL routes traffic for them. 40.1.1 What Y ou Can Do in this Chapter •T h e Us[...]
-
Pagina 716
Chapter 40 Us er /G ro up ZyWALL USG 300 User’s Guide 716 Note: The default admin account is alwa ys authenticated locally , regardless of the authentication method setting. (See Chapter 44 on page 749 for more information about authenticat ion methods.) Ext-User Account s Set up an ext-user account if the user is authenti cated by an external se[...]
-
Pagina 717
Chapter 40 User/Group ZyWALL USG 300 User’s Guide 717 See Setting up User Attr ibutes in an External Server on page 7 29 for a lis t of attributes and how to set up the at tributes in an external server . Ext-Group-User Account s Ext-Group-User accounts work are similar to ext -user accounts but allow you to group users by the value of the group [...]
-
Pagina 718
Chapter 40 Us er /G ro up ZyWALL USG 300 User’s Guide 718 40.2 User Summary Screen The User screen provides a summary of all us er accounts. T o access this screen, login to th e W eb Con figurator , an d click Co nfiguration > Object > User/Group . Figure 484 Configu ration > Object > User/Group The following table describes t he lab[...]
-
Pagina 719
Chapter 40 User/Group ZyWALL USG 300 User’s Guide 719 •- [ d a s h e s ] The first character must be alphabetical (A -Z a-z), an underscore (_), or a dash (- ). Other limitations on user names are: • User names are case-sensitiv e. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP , it will us e the a[...]
-
Pagina 720
Chapter 40 Us er /G ro up ZyWALL USG 300 User’s Guide 720 The following table describes t he labels in this screen. T able 193 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name T ype the user name for this user account. Y ou may use 1-3 1 alphanumeric characters, un derscores( _ ), or dashes (-), but the first character[...]
-
Pagina 721
Chapter 40 User/Group ZyWALL USG 300 User’s Guide 721 40.3 User Group Summary Screen User groups consist of access users and other user groups. Y ou cannot put admin users in user groups. The Gr oup screen provides a summar y of all user groups. In addition, this screen allows y o u to add, edi t, and remove user groups. T o access this screen, l[...]
-
Pagina 722
Chapter 40 Us er /G ro up ZyWALL USG 300 User’s Guide 722 40.3.1 Group Add/Edit Screen The Group Add/Edit screen allows you to create a new user group or edit an existing one. T o access this screen, go to the Group screen (see Section 40.3 on page 721 ), and click either the Ad d icon or an Edit icon. Figure 487 Configu ration > User/Group &g[...]
-
Pagina 723
Chapter 40 User/Group ZyWALL USG 300 User’s Guide 723 40.4 Setting Screen The Setting screen controls default settings, login settings, loc kout settings, and other user settings for the Z yWALL. Y ou ca n also use this screen to specify when users must log in to the Z yWALL before it rout es traffic for t hem. Member List The Member list display[...]
-
Pagina 724
Chapter 40 Us er /G ro up ZyWALL USG 300 User’s Guide 724 T o access this screen, login to the W eb Configurator , and click Configuration > Object > User/Group > Setting . Figure 488 Configuration > Obje ct > User/Group > Sett i ng The following table descri bes the labels in this screen. T able 196 Configuration > Object &g[...]
-
Pagina 725
Chapter 40 User/Group ZyWALL USG 300 User’s Guide 725 User T ype These are the kinds of user account the Z yWALL supports. • admin - this user can look at and change the configuration of the Z yWALL • limited-admin - this user can look at the conf iguration of the Z y WALL but not to change it • user - this user has access to the ZyW ALL’[...]
-
Pagina 726
Chapter 40 Us er /G ro up ZyWALL USG 300 User’s Guide 726 40.4.1 Default User Authenti cation T imeout Settings Edit Screens The Default Authentication Timeout Settings Edit screen allows you to set the default au th ent ication tim e out settin g s fo r th e selected typ e of us er account. These default authentication timeout sett ings also con[...]
-
Pagina 727
Chapter 40 User/Group ZyWALL USG 300 User’s Guide 727 T o access this screen, go to t he Configuration > Obje ct > User/Group > Setting screen (see Section 40.4 on page 723 ), and click one of the Default Authentication Timeout Settings section’s Edit icons. Figure 489 Configuration > Object > User/Group > Setting > Edit Th[...]
-
Pagina 728
Chapter 40 Us er /G ro up ZyWALL USG 300 User’s Guide 728 40.4.2 User A ware Login Example Access users cannot use the W eb Configurator to browse the configuration of the Z yWALL . Instead, after access users lo g into the Z yWALL, the following screen appears. Figure 490 W eb Configurator for Non-Admin Users The following table describes t he l[...]
-
Pagina 729
Chapter 40 User/Group ZyWALL USG 300 User’s Guide 729 40.5 User /Group T echnical Reference This section provi des some informat ion on us e rs who use an exte rn al authentication server in order to log in. Setting up User Attributes in an External Server T o set up user attributes, such as reau thentication ti me, in LDA P or RADIU S servers, u[...]
-
Pagina 730
Chapter 40 Us er /G ro up ZyWALL USG 300 User’s Guide 730[...]
-
Pagina 731
ZyWALL USG 300 User’s Guide 731 C HAPTER 41 Addresses 41.1 Overview Address objects can represent a single IP address or a r ange of IP addresses. Address groups are composed of addr ess objects and other address groups. 41.1.1 What Y ou Can Do in this Chapter •T h e Address screen ( Section 41.2 on page 731 ) provides a summary of al l address[...]
-
Pagina 732
Chapter 41 Add re sse s ZyWALL USG 300 User’s Guide 732 • RANGE - a range address is defined by a Starting IP Address and an Ending IP Address . • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the Z yWALL. T o access this screen, click Configura[...]
-
Pagina 733
Chapter 41 Addresses ZyWALL USG 300 User’s Guide 733 41.2.1 Address Add/Edit Screen The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. T o access this screen, go to the Address screen (see Section 41.2 on page 731 ), and click either the Add icon or an Edit icon. Figure 494 Configu ration &g[...]
-
Pagina 734
Chapter 41 Add re sse s ZyWALL USG 300 User’s Guide 734 41.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. T o access this screen, click C onfiguration > Object > Address > Address Group . Click a column’ s heading cell to sort t he table en tries by that col umn’s criteria. Click the[...]
-
Pagina 735
Chapter 41 Addresses ZyWALL USG 300 User’s Guide 735 41.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new addres s group or edit an existing one. T o access this screen, go to the Address Gro up screen (see Section 41.3 on page 734 ), and click either the Add icon or an Edit icon. Figure 496 Configu ra[...]
-
Pagina 736
Chapter 41 Add re sse s ZyWALL USG 300 User’s Guide 736[...]
-
Pagina 737
ZyWALL USG 300 User’s Guide 737 C HAPTER 42 Services 42.1 Overview Use service objects to define T CP applications, UDP applications, and ICMP messages. Y ou can also create service groups to refer to multip le service objects in other features. 42.1.1 What Y ou Can Do in this Chapter •U s e t h e Service screens ( Section 42.2 on page 738 ) to[...]
-
Pagina 738
Chapter 42 Serv ice s ZyWALL USG 300 User’s Guide 738 Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number . Some port numbers hav e b een standardized and are used by low- level system processes; man y othe rs have no particular meaning. Unlike T CP and UDP , Internet Control Message Protocol (ICMP , IP[...]
-
Pagina 739
Chapter 42 Services ZyWALL USG 300 User’s Guide 739 entries by that col umn’s criteria. Click the heading cell again to reverse the sort order . Figure 497 Configu ration > Object > Service > Service The following table describes t he labels in this screen. T able 204 Configuration > Object > Service > Service LABEL DESCRIPTIO[...]
-
Pagina 740
Chapter 42 Serv ice s ZyWALL USG 300 User’s Guide 740 42.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. T o access this screen, go to the Service screen (see Section 42.2 on page 738 ), and click either the Ad d icon or an Edit icon. Figure 498 Configu ration > Object >[...]
-
Pagina 741
Chapter 42 Services ZyWALL USG 300 User’s Guide 741 T o access this screen, log in t o the W eb Configurator , and click Configuration > Object > Service > Service Group . Figure 499 Configu ration > Object > Service > Service Group The following table describes the labels in this screen. See Secti on 42.3.1 on page 742 for more[...]
-
Pagina 742
Chapter 42 Serv ice s ZyWALL USG 300 User’s Guide 742 42.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. T o access this screen, go to the Service Group screen (see Section 42.3 on page 740 ), and click either the Add icon or an Edit icon. Figure 500 Configu[...]
-
Pagina 743
ZyWALL USG 300 User’s Guide 743 C HAPTER 43 Schedules 43.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rul es, application patrol, and co ntent filtering. The Z yWALL supports one- time and recurring schedules. One-time schedules are effective only once, while recurring schedul es us ually repeat.[...]
-
Pagina 744
Chapter 43 Sc he du le s ZyWALL USG 300 User’s Guide 744 Finding Out More • See Section 6.6 on page 110 for rel ated informat ion on these screens. • See Section 50.3 on page 811 for information about the Z yWALL’ s current date and time. 43.2 The Schedule Summary Screen The Schedule summary screen provides a summ ary of all schedules in th[...]
-
Pagina 745
Chapter 43 Sc hedules ZyWALL USG 300 User’s Guide 745 43.2.1 The One-T ime Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-ti me schedule or edit an existing one. T o access this screen, go to the Schedule screen (see Section 43.2 on page 744 ), and click either the Add icon or an Edit icon i n the One Ti[...]
-
Pagina 746
Chapter 43 Sc he du le s ZyWALL USG 300 User’s Guide 746 43.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to defi ne a recurring schedule or edit an existing one. T o access this screen, go to the Schedule screen Date Time StartDate Specify the year , month, and day when the schedule begins. Year - 1[...]
-
Pagina 747
Chapter 43 Sc hedules ZyWALL USG 300 User’s Guide 747 (see Section 43.2 on page 744 ), and click either the Add icon or an Edit icon i n the Recurring se ct ion. Figure 503 Configu ration > Object > Schedule > Edit (Recurring) The Year , Month , and Day columns are not used in recurring sched ules and are disabled in this screen. The fol[...]
-
Pagina 748
Chapter 43 Sc he du le s ZyWALL USG 300 User’s Guide 748[...]
-
Pagina 749
ZyWALL USG 300 User’s Guide 749 C HAPTER 44 AAA Server 44.1 Overview Y ou can use a AAA (Authentication, Authorization, Accounting) server to pro vide access control to your network. The AAA serv er can be a Acti ve Directory , LDAP , or RADIUS server . Use the AAA Server screens to create and manage objects that contain settings for using AAA se[...]
-
Pagina 750
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 750 44.1.2 RADIUS Server RADIUS (Remote Authentication Dial- In User Service) authentication is a popular protocol used to au thenticate users by me ans of an external server instead of (or in addition to) an internal device user database that is l imited to the memory capacity of the d evice. In [...]
-
Pagina 751
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 751 •U s e t h e Configuration > Object > AAA Serv er > RADIUS screen ( Section 44.3 on page 755 ) to configure the default extern al RADIUS server to use for user authentication. 44.1.5 What Y ou Need T o Know AAA Servers Supported by the ZyW ALL The following lists the types of authen[...]
-
Pagina 752
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 752 organizational boundaries. The following figure shows a basic directory structure branchi ng from countries to organizations to organization al units to individuals. Figure 506 Basic Direc tory S tructure Distinguished Name (DN) A DN uniquely identifies an entry in a directory . A DN consists [...]
-
Pagina 753
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 753 • See Section 7.8 on page 153 for an example of how to use a RADIUS server to authenticate user acco unts based on groups. 44.2 Active Directory or LDAP Server Summary Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the Zy W ALL can use in auth enticating use[...]
-
Pagina 754
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 754 following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 508 Configura tion > Object > AAA Server > Active Directory (or LDAP) > Ad d The following table describes t he labels in this screen. T able 212 Configuration > Object > AAA Se[...]
-
Pagina 755
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 755 44.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the Z yWALL can use in authenticating users. Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US . Use SSL S elect Use SSL to establish a secure connection to the A[...]
-
Pagina 756
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 756 Click Configuratio n > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 509 Configuration > Object > AAA Server > RADIUS The following table describes t he labels in this screen. T able 213 Configuration > Object > AAA Server > RADIUS LABEL DESCRIPTI[...]
-
Pagina 757
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 757 44.3.1 Adding a RADIUS Server Click Configuratio n > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to disp lay the followi ng scree n. Use th is screen to create a new AD or LDAP entry or edit an existing one. Figure 510 Configuration &g[...]
-
Pagina 758
Chapter 44 AAA Server ZyWALL USG 300 User’s Guide 758 Timeout S pecify the timeout period (betwee n 1 and 300 seconds) before the Z yWALL disconn ects from the RADIUS server . In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. K ey Enter a passw[...]
-
Pagina 759
ZyWALL USG 300 User’s Guide 759 C HAPTER 45 Authentication Method 45.1 Overview Authentication method objects set how the ZyW ALL authenticates wireless, HTTP/ HT TPS clients, peer IPSec routers (extended authenticati on), and L2TP VPN clients. Configure authentication method objects to have the Z yW ALL use the local user database, and/or the au[...]
-
Pagina 760
Chapter 45 Auth en tic ation Method ZyWALL USG 300 User’s Guide 760 3 Select Server Mode and select an auth entication method object from the drop- down list box. 4 Click OK to sav e the settings. Figure 51 1 Example: Using Authentication Method in VPN 45.2 Authentication Method Object s Click Configuration > Object > Auth. Method to disp l[...]
-
Pagina 761
Chapter 45 Authentication Method ZyWALL USG 300 User’s Guide 761 45.2.1 Creating an Authentication Method Object Follow the steps below to create an au thentica ti on me thod object. 1 Click Configuration > Object > Auth. Method . 2 Click Add . 3 Specify a descriptiv e name for identi fication purpos es in the Name field. Y ou may use 1-31 [...]
-
Pagina 762
Chapter 45 Auth en tic ation Method ZyWALL USG 300 User’s Guide 762 7 Click OK to sav e the settings or click Ca ncel to discard all changes and return to the previous screen. Figure 513 Configuration > O bj e ct > Auth. Meth od > Add The following table describes t he labels in this screen. T able 216 Configuration > Object > Auth[...]
-
Pagina 763
Chapter 45 Authentication Method ZyWALL USG 300 User’s Guide 763 Add icon Click Add to add a new entry . Click Edit to edit the settings of an entry . Click Delete to delete an entry . OK Click OK to sa ve the changes. Cancel Click Cancel to discard the changes. T able 216 Configuration > Object > Auth. Method > Add (continued) LABEL DES[...]
-
Pagina 764
Chapter 45 Auth en tic ation Method ZyWALL USG 300 User’s Guide 764[...]
-
Pagina 765
ZyWALL USG 300 User’s Guide 765 C HAPTER 46 Certificates 46.1 Overview The Z yWALL can use certificates (also call ed digital IDs) to authentic ate users. Certificates are based on public-priv ate key pairs. A certifi cate contains the certificate owner’ s identity and public k e y . Certificates provide a way to exchange public keys fo r u s e[...]
-
Pagina 766
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 766 2 Tim keeps the private key and makes the pu blic key op enly av ailable. This means that anyone who receives a message seeming to come from Tim c an read it and verify whether it is really from him or not. 3 Tim uses his priv ate key to sign the message and s ends it to Jenny . 4 Jenny rece[...]
-
Pagina 767
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 767 Factory Default Certificate The Zy W ALL gener ates its own unique self -s igned certific ate when you first turn it on. This cert if i cat e is referred to in the GUI as the fa ctory defa u lt certific a t e. Certificate File Format s Any certificate that you w a nt to import has to be in o[...]
-
Pagina 768
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 768 2 Make sure that the certificat e has a “. cer” or “.crt” file name extension. Figure 514 Remote Ho st Certi fica tes 3 Double-click the certificate’ s icon to open the Certificate window . Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Fig[...]
-
Pagina 769
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 769 46.2 The My Certificates Screen Click Configuration > Object > Ce rtificate > My Certificates to open the My Certificates screen. This is th e ZyW AL L’s summary l ist of ce rtificat es a nd certification requests. Figure 516 Configu ration > Object > Certificate > My Cer[...]
-
Pagina 770
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 770 46.2.1 The My Certificates Add Screen Click Configuration > Object > Cert ificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the T ype This field displays what kind of certificate this is. REQ represents a certification re[...]
-
Pagina 771
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 771 Z yWALL create a self-si gned certificate, enroll a certificate with a certification authority or gener ate a certification request. Figure 517 Configu ration > Object > Certificate > My Certificates > Add[...]
-
Pagina 772
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 772 The following table describes t he labels in this screen. T able 218 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name T ype a name to identify this certificate. Y ou can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’ ,.=- characters. [...]
-
Pagina 773
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 773 Create a certification request and save it locally for later manual enrollment Select this to have the Z yWALL gener ate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority . Copy th[...]
-
Pagina 774
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 774 If you confi gu red the My Certificate Create screen to hav e the Zy WALL enroll a certificate and the certificate enrol lment is not successful, y ou see a screen with a Return button that take s you back to the My Certificate Create screen. Click Return and check your information in the My[...]
-
Pagina 775
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 775 46.2.2 The My Certificates Edit Screen Click Configuration > Object > Cert ificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. Y ou can use this screen to view in-depth certificate information an d change the certificate’ s name. Figure 518 Con[...]
-
Pagina 776
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 776 The following table describes t he labels in this screen. T able 219 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate. Y ou can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}?[...]
-
Pagina 777
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 777 K ey Algorithm This field displays the type of algorithm that was used to generate the certificate’s k ey pair (the Z yWALL uses RS A encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative Name This field displays the certifica te owner‘s IP addres[...]
-
Pagina 778
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 778 46.2.3 The My Certificates Import Screen Click Configuration > Object > Certific ate > My Certificates > Import to open the My Certificate Import screen. F ollow the instructions in this screen to save an exi sting certificate to t he Z yWALL. Note: Y ou can import a certificate [...]
-
Pagina 779
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 779 46.3 The T rusted Certificates Screen Click C onfiguration > O bject > Cert ificate > Truste d Certificates to open the Trusted Certificates screen. This screen d isplays a summary list of certificates that yo u have set t he ZyWALL to ac cept as trusted. The ZyW A LL also accepts a[...]
-
Pagina 780
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 780 46.3.1 The T r usted Certificates Edit Screen Click Configuration > Object > Cert ificate > Trusted Certificates and then a certificate’ s Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certifica t e, ch an ge the cer[...]
-
Pagina 781
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 781 authority’ s list of revoked certifi cates befo re trusting a certificate issued by the certification authority . Figure 521 Configu ration > Object > Certificate > T rusted Certificates > Edit[...]
-
Pagina 782
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 782 The following table describes t he labels in this screen. T able 222 Configuration > Object > Certificate > T rusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifyin g name of this certificate. Y ou can change the name. Y ou can use up to 31 alphanume[...]
-
Pagina 783
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 783 T ype This field displays general inform ation about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’ s owne r signed the certificate (not a certification authority). X.509 means that this certificate was create[...]
-
Pagina 784
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 784 46.3.2 The T r usted Certificates Import Screen Click Configuration > Object > Certificat e > Trusted Certificates > Import to open the Trusted Certifica tes Import screen. Follow the inst ructions in this screen to save a trusted certificate to the Z yWALL. Note: Y ou must remov[...]
-
Pagina 785
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 785 The following table describes t he labels in this screen. 46.4 Certificates T echnical Reference OCSP OCSP (Online Certificate Stat us Protocol) allows an application or device to check whether a certificate is v alid. With OC SP the Z yWALL checks the status of individual certificates inste[...]
-
Pagina 786
Chapter 46 Certificates ZyWALL USG 300 User’s Guide 786[...]
-
Pagina 787
ZyWALL USG 300 User’s Guide 787 C HAPTER 47 ISP Accounts 47.1 Overview Use ISP accounts to manage Internet Se rvice Prov ider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPP oE or PPTP . Finding Out More • See Section 13.4 on page 304 for information about PPP oE/PPTP in[...]
-
Pagina 788
Chapter 47 IS P Accoun ts ZyWALL USG 300 User’s Guide 788 The following table describes t he labels in this screen. See the ISP Accou nt Ed it section below for more information as well. 47.2.1 ISP Account Edit The ISP Account Edit screen lets you add i nformation about new accounts and edit inform ation about existing accoun ts. T o open this wi[...]
-
Pagina 789
Chapter 47 IS P Accoun ts ZyWALL USG 300 User’s Guide 789 The following table describes t he labels in this screen. T able 225 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you ar e editing an existing account. T ype in the profile name of the ISP account. The profile name is used t[...]
-
Pagina 790
Chapter 47 IS P Accoun ts ZyWALL USG 300 User’s Guide 790 Compression Select On button to turn on stac compression, and select Off to turn off stac compression. Stac compression is a data compression technique capable of compressing data by a factor of about fou r . Idle Timeout This value specifies the number of seconds that must elapse without [...]
-
Pagina 791
ZyWALL USG 300 User’s Guide 791 C HAPTER 48 SSL Application 48.1 Overview Y ou use S S L application objects in S SL VPN. Configure an SSL application object to specify the t ype of application and the address of t he local computer , server , or web site SSL us ers are to be able to access. Y ou can apply one or more SSL application objects in t[...]
-
Pagina 792
Chapter 48 SSL Application ZyWALL USG 300 User’s Guide 792 Remote Desktop Connections Use SSL VPN to allow remote users to ma nage LAN computers. Depending on the functions supported by the remote deskto p softw are, they can install or remove software, run progr ams, change set tings, an d open, copy , create, and delete files. This is useful fo[...]
-
Pagina 793
Chapter 48 SSL Application ZyWALL USG 300 User’s Guide 793 2 Click the Add button and select Web Application in the Ty pe field. In the Server Type field, select Web Server . Enter a descriptive name in t he Display Name field. For example, “CompanyIntranet” . In the Address field, enter “http:// info” . Select Web Page Encryption to prev[...]
-
Pagina 794
Chapter 48 SSL Application ZyWALL USG 300 User’s Guide 794 The following table describes t he labels in this screen. 48.2.1 Creating/Editing a W eb-based SSL Application Object A web-based application all ows remote user s to access an application via standard web browsers. T o configure a web-based application, click the Add or Edit button in th[...]
-
Pagina 795
Chapter 48 SSL Application ZyWALL USG 300 User’s Guide 795 The following table describes t he labels in this screen. T able 227 Configuration > Object > SSL Application > Add/Edit: Web Application LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings This displays for VNC or RDP type web application objects. Click this button t[...]
-
Pagina 796
Chapter 48 SSL Application ZyWALL USG 300 User’s Guide 796 48.2.2 Creating/Editing a File Sharing SSL Application Object Y ou can specify the name of a folder on a file server (Linux or Windows) which remote users can access. R emote users can access files using a standard web browser and files are displa yed as links on the screen. T o configure[...]
-
Pagina 797
Chapter 48 SSL Application ZyWALL USG 300 User’s Guide 797 The following table describes t he labels in this screen. T able 228 Configuration > Object > SSL Application > Add/Edit: File Sharing LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen. Object T ype Select File [...]
-
Pagina 798
Chapter 48 SSL Application ZyWALL USG 300 User’s Guide 798[...]
-
Pagina 799
ZyWALL USG 300 User’s Guide 799 C HAPTER 49 Endpoint Security 49.1 Overview Use Endpoint Security (EPS), also known as endpoi nt control, to make sure users’ computers comply with defined corpor ate policies before they can access the network or an SSL VPN tunnel. After a su ccessful user authenticati on, a user’ s computer must meet the endp[...]
-
Pagina 800
Chapter 49 End po int Secu rity ZyWALL USG 300 User’s Guide 800 49.1.1 What Y ou Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens ( Sect ion 49.2 on page 801 ) to create and manage endpoint securit y objects. 49.1.2 What Y ou Need to Know What End point Security Can Check The settings endpoint securi ty can [...]
-
Pagina 801
Chapter 49 Endpoint Security ZyWALL USG 300 User’s Guide 801 49.2 End point Security Screen The Endpoint Security screen displays the endpoi nt security objects you have configured on the Z y WALL. Click Configuration > Obje ct > E nd point Security to display the screen. Figure 531 Configuration > O bject > Endpoint Security The foll[...]
-
Pagina 802
Chapter 49 End po int Secu rity ZyWALL USG 300 User’s Guide 802 Apply Click this button to save your changes to the Z yWALL. R eset C lick this button to return the screen to its last -saved settings. T able 229 Configuration > Object > Endpoint Se curity (continued) LABEL DESCRIPTION[...]
-
Pagina 803
Chapter 49 Endpoint Security ZyWALL USG 300 User’s Guide 803 49.3 End point Security Add/Edit Click Configuration > Object > Endpo int Security and then the Add (or Edit ) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint secu rity object.[...]
-
Pagina 804
Chapter 49 End po int Secu rity ZyWALL USG 300 User’s Guide 804 Figure 532 Configuration > O bject > Endpoint Sec u rity > Add[...]
-
Pagina 805
Chapter 49 Endpoint Security ZyWALL USG 300 User’s Guide 805 The following table giv es an overview of the objects you can configure. T able 230 Configuration > Object > Endpoint Se curity > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields.[...]
-
Pagina 806
Chapter 49 End po int Secu rity ZyWALL USG 300 User’s Guide 806 Checking Item - Personal Firewall If you selected Windows as the operating system, you can select whether or not the user’s computer is required to have personal firew all softw are installed. Move the permitted personal firewalls from the Available list to the Allowed Personal Fir[...]
-
Pagina 807
Chapter 49 Endpoint Security ZyWALL USG 300 User’s Guide 807 Checking Item - File Information If you selected Windows or Linux as the oper ating system, you can use this table to check details of specific files on the user’s computer . Use the Operation field to set whether the size or version of the file on the user’s computer has to be equa[...]
-
Pagina 808
Chapter 49 End po int Secu rity ZyWALL USG 300 User’s Guide 808[...]
-
Pagina 809
ZyWALL USG 300 User’s Guide 809 C HAPTER 50 System 50.1 Overview Use the system screens to configure general Z yWALL settings. 50.1.1 What Y ou Can Do in this Chapter •U s e t h e System > Host Name screen (see Section 50.2 on page 810 ) to configure a unique name for the ZyW ALL in your network. •U s e t h e System > Date/Tim e screen [...]
-
Pagina 810
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 810 • Connect an external seri al modem to the AUX port to provid e a management connection in case the Z yWALL’ s ot her WAN connections are down. Use the System > Dial-in Mgmt. screen (see Section 50.11 on page 853 ) to configure the external serial modem. • V antage CNM (Centralized Netwo[...]
-
Pagina 811
Chapter 50 System ZyWALL USG 300 User’s Guide 81 1 50.3 Date and T ime For ef fective scheduling and logg ing, the Z yWALL system time must be accur ate. The Z yWALL’ s Real Time Chip (R TC) k eeps track of the time and date. There is also a software mechan is m to set the time m anu ally or get the current time and date from an ex ternal serve[...]
-
Pagina 812
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 812 Manual Select this radio button to en ter the time and date manually . If you configure a new time and date, time zone and daylight sa ving at the same time, the time zone and daylight saving will affect the new time and date you entered. When you enter the time settings manually , the Z yWALL us[...]
-
Pagina 813
Chapter 50 System ZyWALL USG 300 User’s Guide 813 50.3.1 Pre-defined NTP T ime Servers List When you turn on the Z yWALL for the firs t time, the date and time start at 2003- 01-01 00:00:00. The Z yWALL then atte mpts to synchronize with one of the following pre-defined list of Netw ork Time Protocol (NTP) time servers. The Z yWALL continues to u[...]
-
Pagina 814
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 814 50.3.2 T ime Server Synchronization Click the Synchronize Now button to get the time and date from the t ime server you specified in the Time Server Address field. When the Please Wait... screen a ppears, you may have to wait up to one minute. Figure 535 Synchronizatio n in Process The Current Ti[...]
-
Pagina 815
Chapter 50 System ZyWALL USG 300 User’s Guide 815 5 Under Time and Date Setup , enter a Time Server A ddress ( T able 233 on page 813 ). 6 Click Apply . 50.4 Console Port S peed This section shows you how to set the cons ole port speed when you connect to the Z yWALL via the console port using a terminal emulation program. See Ta b l e 2 o n page[...]
-
Pagina 816
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 816 50.5.1 DNS Server Address Assignment The Z yWALL can get the DNS server ad dresses in the following w ays. • The ISP tells you the DNS serv er addresses, usually in the form of an info r mat io n sh e et, wh en yo u sig n u p. If you r ISP g ives yo u DNS s erve r addresses, manually enter them[...]
-
Pagina 817
Chapter 50 System ZyWALL USG 300 User’s Guide 817 The following table describes t he labels in this screen. T able 235 Configuration > Syste m > DNS LABEL DESCRIPTION Address/PTR Rec o r d This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For ex ample, www[...]
-
Pagina 818
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 818 DNS Serv er This is the IP address of a DN S server . This field displays N/A if you have the Z yWALL get a DNS server IP address from the ISP dynamically but the specified interface is not active. Query Via This is the interface through whic h the Z yWALL sends DNS queries to the entry’ s DNS [...]
-
Pagina 819
Chapter 50 System ZyWALL USG 300 User’s Guide 819 50.5.3 Address Record An address record contains the mapping of a Fully-Qua lified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. F or example, www .zyxel.com is a fully qualified domain name, where “www” is the ho st, “zyxel” is the second-level domain, a[...]
-
Pagina 820
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 820 The following table describes t he labels in this screen. 50.5.6 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address. The Z yWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server . A domain z one is a full y qualifi ed[...]
-
Pagina 821
Chapter 50 System ZyWALL USG 300 User’s Guide 821 The following table describes t he labels in this screen. 50.5.8 MX Record A MX (Mail eXchange) record indicat es whic h host is respons ibl e for the mail for a particular domain, that is, c ontrols where mail is sent for that domain. If you do not configure proper MX records for your domain or o[...]
-
Pagina 822
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 822 50.5.9 Adding a MX Record Click the Add icon in the MX Record table to add a MX record. Figure 540 Configuration > Syste m > DNS > MX Record Add The following table describes t he labels in this screen. 50.5.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control t[...]
-
Pagina 823
Chapter 50 System ZyWALL USG 300 User’s Guide 823 The following table describes t he labels in this screen. 50.6 WWW Overview The following figure shows secure and insecure management of the Z yWALL coming in from the W AN. HT TPS and SSH access are secure. HTTP , T elnet, and dial-in management access are not secure. Figure 542 Secure and Insecu[...]
-
Pagina 824
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 824 • See T o-Z yWALL Rules on page 451 for more on T o-ZyW ALL firewall rules. • See Section 7.10 on page 158 for an example of configuring service control to block administr ator HTTPS access from all zones except the LAN. T o stop a service from accessing the Z yWALL, clear Enable in the corre[...]
-
Pagina 825
Chapter 50 System ZyWALL USG 300 User’s Guide 825 It relies upon certificates, p ublic keys, and priv ate keys (see Chapter 46 on page 765 for more information). HT TPS on the ZyW ALL is used so that y ou can securely access the Z yW ALL using the W eb Configurator . The SSL protocol specifies that the HT TPS server (the Z y W ALL) must always au[...]
-
Pagina 826
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 826 Note: Admin Service Contro l deals with management access (to the W eb Configurator). User Service Control deals with user access to the ZyW A LL (logging into SSL VPN for example). Figure 544 Configur ation > System > WWW > Service Control The following table describes t he labels in th[...]
-
Pagina 827
Chapter 50 System ZyWALL USG 300 User’s Guide 827 Server P ort The HTTPS server listens on port 443 by default. If you change the HT TPS server port to a different number on the ZyW ALL, for example 8443, then you must notify people who need to acce ss the ZyW ALL W eb Configurator to use “https://Z yWALL IP Address: 8443 ” as the URL. Authen[...]
-
Pagina 828
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 828 HT TP Enable Select the check box to allow or disallo w the computer with the IP address that matches the IP address(es) in the Serv ice Con trol table to access the Z y WALL W eb Configurator using HT TP connections. Server P ort Y ou may change the server port number for a service if needed, ho[...]
-
Pagina 829
Chapter 50 System ZyWALL USG 300 User’s Guide 829 50.6.5 Service Control Rules Click Add or Edit in the Service Cont rol table in a WWW , SSH , Telnet , FTP or SNMP screen to add a service control rule. Figure 545 Configur ation > System > Service Control Rule > Edit The following table describes t he labels in this screen. 50.6.6 Custom[...]
-
Pagina 830
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 830 also customize the page that di splays after an access user l ogs into the W eb Configurator to access network serv ices like th e Internet. S ee Chapter 40 on page 715 for more on access user accounts. Figure 546 Configu ration > System > WWW > Login Page[...]
-
Pagina 831
Chapter 50 System ZyWALL USG 300 User’s Guide 831 The following figures identify the p arts you can customize in the login and access pages. Figure 547 Login Page Customization Figure 548 Access Page Customization Y ou can specify colors in one of the following w ays: Logo Ti t l e Message Note Message Background (last line of text) (color of all[...]
-
Pagina 832
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 832 •C l i c k Color to displa y a screen of web-safe colors from which to choose. • Enter the name of the desired color . • Enter a pound sig n (#) followed by the six -digit hexadecimal number that represents the desired color . F or example, use “#000000” for black. • Enter “rgb” f[...]
-
Pagina 833
Chapter 50 System ZyWALL USG 300 User’s Guide 833 50.6.7 HTTPS Example If you hav e n’t changed the default HT TP S port on the ZyW A L L, th en in your browser enter “https://Z yWALL IP Address/” as the web site address where “Z yWALL IP Address” is the IP address or domain name of the Z yWALL y ou wish to access. 50.6.7.1 Internet Exp[...]
-
Pagina 834
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 834 50.6.7.2 Net scape Na vigator W arning Messages When you attempt to access the Z yWALL HT TPS server , a Website Certified by an Unknown Authority scre en p op s up a ski ng if yo u trust the server certificate. Click Examine Certificate if you w ant to verif y that the certificate is from the Zy[...]
-
Pagina 835
Chapter 50 System ZyWALL USG 300 User’s Guide 835 • The issuing certificat e authority of the Z yWALL’ s HT TPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authorit y of the Z yWALL 's factory defa ul t certificate is t he Zy WALL itself since the certificate is a self -signed[...]
-
Pagina 836
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 836 Apply for a certificate from a Certificatio n Au thority (CA) that is trusted by the Z yWALL (see the Z yWALL’ s Trusted CA We b C o n f i g u r a t o r s c r e e n ) . Figure 553 ZyW ALL T rusted CA Screen The CA sends you a package containing the CA ’ s trusted certificate(s), your personal[...]
-
Pagina 837
Chapter 50 System ZyWALL USG 300 User’s Guide 837 50.6.7.5.2 Installing Y our Personal Certificate(s) Y ou need a password in advance. The CA may issue the password or you may have to specify it during th e enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to be[...]
-
Pagina 838
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 838 3 Enter the password g iven to yo u by the CA. Figure 557 Persona l Certificate Import Wizard 3 4 Have the wizard determine where the ce rtificate should be sav ed on your computer or se le ct Place all certificates in the following store and choose a different location. Figure 558 Persona l Cert[...]
-
Pagina 839
Chapter 50 System ZyWALL USG 300 User’s Guide 839 5 Click Finish to complet e the wi zard and begin the import process. Figure 559 Persona l Certificate Import Wizard 5 6 Y ou should see the fo llowing screen when the certificate is correctly installed on your com pu ter . Figure 560 Persona l Certificate Import Wizard 6 50.6.7.6 Using a Certific[...]
-
Pagina 840
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 840 2 When Authenticate Client Certificates is selected on the Z yW ALL, the following screen asks you t o select a personal cert ificate to send to th e ZyW ALL. This screen displays ev en if you only have a si ngle certificate as in the example. Figure 562 SSL Client Authentication 3 Y ou ne xt see[...]
-
Pagina 841
Chapter 50 System ZyWALL USG 300 User’s Guide 841 SSH is a secure communication protocol t hat combines authentication and data encryption to provide secure encryp ted communication between two hosts over an unsecured network. In the following figure , computer A on the Internet uses SSH to securely connect to the WAN port of the Z yWALL for a ma[...]
-
Pagina 842
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 842 2 Encryption Method Once the identification is v erified, both the client and server must agree on the type of encryption method t o use. 3 Authentication and Data T ransmi ssion After the identification i s verified and da ta encryp tion activ ated, a sec ure tunnel is established between the cl[...]
-
Pagina 843
Chapter 50 System ZyWALL USG 300 User’s Guide 843 Note: It is recommended that you disable T elnet and FTP when you configure SSH for secure connections. Figure 566 Configuration > Syst em > SSH The following table describes t he labels in this screen. T able 243 Configuration > Syste m > SSH LABEL DESCRIPTION Enable Select the check [...]
-
Pagina 844
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 844 50.7.5 Secure T elnet Using SSH Examples This section shows two examples usin g a command interface and a gr aphical interface SSH client progr am to remotely access the Z yWALL. The configur ation and connection steps are similar for most S SH client prog r ams. R efer to your SSH client progr a[...]
-
Pagina 845
Chapter 50 System ZyWALL USG 300 User’s Guide 845 Enter the password to log in to the Z yWALL. The CLI screen displays next. 50.7.5.2 Example 2: Linux This section describes how to access the Z yWALL using the OpenSSH client program t hat comes with most Linux dis tributions. 1 T est whether the SSH service is av ailable on the Z yWALL. Enter “[...]
-
Pagina 846
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 846 50.8.1 Configuring T elnet Click Configuration > System > TELNET to configure your Z yWALL for remote T elnet access. Use this screen to specify from which zones T elnet can be used to manage the Z yW ALL. Y ou can also specif y from which IP addresses t he access can come. Figure 570 Confi[...]
-
Pagina 847
Chapter 50 System ZyWALL USG 300 User’s Guide 847 50.9 FTP Y ou ca n upload and download the Z yWALL’ s firmware and configur ation files using FTP . T o use this feature, your computer must have an FTP client. Please see Chapter 52 on page 873 for more information about firmw are and configuration files. 50.9.1 Configuring FTP T o change your [...]
-
Pagina 848
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 848 be used to access the Z yWALL. Y ou can also specify from which IP addresses the access can come. Figure 571 Configu ration > System > FTP The following table describes t he labels in this screen. T able 245 Configuration > Syste m > FTP LABEL DESCRIPTION Enable Select the check box t[...]
-
Pagina 849
Chapter 50 System ZyWALL USG 300 User’s Guide 849 50.10 SNMP Simple Network Manageme nt Protocol is a protocol used for ex changing management information between network de vices. Y our Z yWALL supports SNMP agent functionality , which allows a manager station to manage and monitor the Z yW ALL through the network. The Z yWALL supports SNMP v e [...]
-
Pagina 850
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 850 and version two (SNMPv2c). The next fi gure illustrates an SNMP management operation. Figure 572 SNMP Manageme nt Model An SNMP managed network consists of two main types of component: agents and a manager . An agent is a management software module that resides in a ma naged de vice (the Z yWALL [...]
-
Pagina 851
Chapter 50 System ZyWALL USG 300 User’s Guide 851 • GetNext - Allows the manager to retriev e the next object variable from a tabl e or list within an agent. In SNMPv1, when a mana ger wants to retriev e all elements of a table from an agent, it initiates a Get operat ion, followed by a series of GetNext oper ations. • Set - Allows the manage[...]
-
Pagina 852
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 852 settings, including from which z ones SNMP can be used to access the Z y W ALL. Y ou can also specify from whi ch IP addresses the access can come. Figure 573 Configuration > Sy st em > SNMP The following table describes t he labels in this screen. T able 247 Configuration > Syste m >[...]
-
Pagina 853
Chapter 50 System ZyWALL USG 300 User’s Guide 853 50.1 1 Dial-in Management Connect an external serial modem t o the AUX port to provi de a management connection in case the Z yWALL’ s other WA N connections are down. This is like an auxiliary interface, except it is used fo r management connections coming in to the Zy W A L L i n s t e a d o f[...]
-
Pagina 854
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 854 Hang Up check box is selected, the Z yWALL uses this hardw are signal to force the WAN device to hang up, in addition to i ssuing the drop command ATH . Response Strings The response strings tell t he Zy WALL th e tags, or labels, immediately precedi ng the various call parameters sent f rom the [...]
-
Pagina 855
Chapter 50 System ZyWALL USG 300 User’s Guide 855 50.12 V ant age CNM V antage CNM (Centralized Network Management ) is a browser-based global management solution that allows an admi nistr ator from any location to easily configure, manage, monitor and troubleshoot Z yXEL devices located worldwide. See the V antage CNM User's Guide for detai[...]
-
Pagina 856
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 856 50.12.1 Configuring V ant age CNM V antage CNM is disabled on th e devi ce by default. Click Configuration > System > Vantage CNM to configure your device’ s V antage CNM settings. Figure 575 Configu ration > System > V antage CNM The following table describes t he labels in this sc[...]
-
Pagina 857
Chapter 50 System ZyWALL USG 300 User’s Guide 857 Tr a n s f e r Protocol Select whether the V antage CNM sessions should use regular HT TP connections or secure HT TPS connections. Note: HTTPS is recommended. The V antage CNM server must use the same setting. Device Management IP Select Auto to have the Z yWALL allow V antage CNM sessions to con[...]
-
Pagina 858
Chapter 50 Sy stem ZyWALL USG 300 User’s Guide 858 50.13 Language Screen Click Configuration > Sys tem > Language to open the following screen. Use this screen to select a d isplay language for the Z yWALL’ s W eb Configurator screens. Figure 576 Configu ration > System > Language The following table describes t he labels in this sc[...]
-
Pagina 859
ZyWALL USG 300 User’s Guide 859 C HAPTER 51 Log and Report 51.1 Overview Use these screens to configure da ily reportin g an d log sett in gs. 51.1.1 What Y ou Can Do In this Chapter •U s e t h e Email Daily Report screen ( Section 51.2 on page 859 ) to config ure where and how to send daily reports and what reports to s end. •U s e t h e Mai[...]
-
Pagina 860
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 860 Click Configuration > Log & Report > Email Daily Report to displa y the following screen. Configure this screen to have t h e ZyW ALL e-m a il you s yste m statistics ev ery day . Figure 577 Configur ation > Log & Report > Email Daily Report[...]
-
Pagina 861
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 861 The following table describes t he labels in this screen. 51.3 Log Setting Screens The Log Setting screens control log messages and alerts. A log message stores the info rmation fo r viewin g (for exam ple, in the View Log tab) or regular e- mailing later , and an alert is e-mailed immedia[...]
-
Pagina 862
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 862 The Log Setting tab also controls what information is saved in each log. Fo r the system log, you can also specify whic h log messages are e-mailed, where they are e-mailed, and how often they are e-mailed. For alerts, the Log Settings tab controls which ev ents gener ate alerts and where [...]
-
Pagina 863
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 863 51.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes th e e-mail profiles). Go to the Log Settings Summary screen (see Section 51.3.1 on page 862 ), and cl ick the system log Edit icon. # This field is a [...]
-
Pagina 864
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 864 Figure 579 Configu ration > Log & Report > Log Setting > Edit (Syste m Log)[...]
-
Pagina 865
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 865 The following table describes t he labels in this screen. T able 253 Configuration > Log & Repo rt > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Se rv er 1/2 Active Sele ct this to send log messages and alerts according to the information in this section. Y ou spe[...]
-
Pagina 866
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 866 E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings. enable normal logs (green check mark) - e-mail log me[...]
-
Pagina 867
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 867 Active Sele ct this to activate log consolidation. Log consolidation aggregates multiple log messages th at arrive within the specified Log Consolidation Interval . In the View Log tab , the text “[count= x ]” , where x is the number of original log messages, is appended at the end of [...]
-
Pagina 868
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 868 51.3.3 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 51.3.1 on page 862 ), and click a remote serv er Edit icon. Figure 580 Configu ration > Log &[...]
-
Pagina 869
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 869 The following table describes t he labels in this screen. T able 254 Configuration > Log & Repo rt > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for Remote Server Active Select this check box to send log information according to the information in this se[...]
-
Pagina 870
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 870 51.3.4 Active Log Summary Screen The Active Log Summar y screen allows you to view and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time. It does not let y ou change other lo g settings (for exampl e, where and how often log info r[...]
-
Pagina 871
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 871 The following table describes t he fields in this screen. T able 255 Configuration > Log & Repo rt > Log Setting > Active Log Summary LABEL DESCRIPTION System log Use the System Log drop-down list to change the log settings for all of the log categories. disable all logs (red [...]
-
Pagina 872
Chapter 51 Log and Report ZyWALL USG 300 User’s Guide 872 Syst em log Select whi ch events y ou want to log by Log Category . There are three choices: disable all logs (red X) - do not log any information from this category enable normal logs (green checkmark) - create log messages and alerts from this category enable normal logs and debug logs ([...]
-
Pagina 873
ZyWALL USG 300 User’s Guide 873 C HAPTER 52 File Manager 52.1 Overview Configuration files d efine the Z y WALL’ s settings. Shell scripts are files of commands that you can store on the Z y WALL and run when you need them. Y ou can apply a configuration file or run a sh ell script without the Z yWALL restarting. Y ou can store multiple configu[...]
-
Pagina 874
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 874 These files have the same syntax, which is also identical to the way y ou run CLI commands manually . An example is shown below . While configur ation files and shell scri pts have the same syntax, the ZyW ALL applies configur ation files differently than it runs shell scripts. This is expla[...]
-
Pagina 875
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 875 Y our configur ation files or shell scripts can use “exit” or a command line consisting of a single “! ” to have the Z yWALL exit sub c ommand mode. Note: “exit” or “!'” must follow sub commands if it is to make the ZyW ALL exit sub command mode. Line 3 in the following [...]
-
Pagina 876
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 876 52.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configur at ion files. Y ou can also download configuration files from the Z yWALL to y our computer[...]
-
Pagina 877
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 877 The following table describes t he labels in this screen. T able 257 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Ren a m e Use this button to change the label of a configuration file on the Z yWALL. Y ou can only rename manually saved configuration f iles. Y ou ca[...]
-
Pagina 878
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 878 Copy Use this button to sav e a duplicate of a configuration file on the ZyW ALL. Click a configuration file’ s row to select it and click Copy to open the Copy File screen. Figure 585 Maintenan ce > File Manager > Configuration F ile > Copy Specify a name for the duplicate config[...]
-
Pagina 879
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 879 Apply Use this button to have the Z yW ALL use a specific configuration file. Click a configuration file’ s row to select it and click Apply to have the Z yWALL use that configuration file. Th e Z yWALL does not have to restart in order to use a different configurat ion file, although you [...]
-
Pagina 880
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 880 52.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmw are to the ZyW ALL. File Name This column displays the label that identifies[...]
-
Pagina 881
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 881 Note: The Web Configurator is the recommended method for uploading firmware. Y ou only need to use the comma nd line interface if you need to recover the firmware. See the CLI Reference Guide for how to d etermine if you need to recover the firmware and how to recover it. Find the firm ware [...]
-
Pagina 882
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 882 After you see the Firmware Upload in Process screen, wait two minu tes befor e logging in to the ZyW ALL a ga i n. Figure 588 Firmware Upload In Process Note: The ZyW ALL automatically reboots aft er a successful upload. The Z yWALL automatically restarts causi ng a temporary network d iscon[...]
-
Pagina 883
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 883 Note: Y ou should include write commands in your script s. If you do not use the write command, the changes will be lost when the ZyW ALL rest arts. Y ou could use multiple write commands in a long script. Figure 591 Maintenance > F ile Manager > Shell Script Each field is desc ribed i[...]
-
Pagina 884
Chapter 52 File Manager ZyWALL USG 300 User’s Guide 884 Copy Use this button to save a duplicate of a shell script file on the Z yWALL. Click a shell script file’ s row to select it and click Copy to open the Copy File screen. Figure 593 Maintenance > File Ma nager > Shell Script > Copy Specify a name for the duplicate file. Use up to [...]
-
Pagina 885
ZyWALL USG 300 User’s Guide 885 C HAPTER 53 Diagnostics 53.1 Overview Use the diagnostics screen s for troubleshooting. 53.1.1 What Y ou Can Do in this Chapter •U s e t h e Maintenance > Diagnostics screen (see Sect ion 53.2 on page 885 ) to generate a file containing the ZyW ALL’s configur ation and diagnostic information if you need to p[...]
-
Pagina 886
Chapter 53 Diagnostics ZyWALL USG 300 User’s Guide 886 The following table describes t he labels in this screen. 53.3 The Packet Capture Screen Use this screen to capture network traffi c going throu gh th e Z yWALL’ s interf ace s. Studying these packet captures may help you i dentify network problems. Click Maintenance > Diagnostics > P[...]
-
Pagina 887
Chapter 53 Diagnostics ZyWALL USG 300 User’s Guide 887 The following table describes t he labels in this screen. T able 261 Maintenance > Diagnostics > Packet Ca pture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces . Select interfaces for which to capture packets and click t[...]
-
Pagina 888
Chapter 53 Diagnostics ZyWALL USG 300 User’s Guide 888 53.3.1 The Packet Capture Files Screen Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capt ure files screen. This screen lists the files of pack et captures the Z yWALL has performed. Y ou can download the files to your computer where you can study them u[...]
-
Pagina 889
Chapter 53 Diagnostics ZyWALL USG 300 User’s Guide 889 53.3.2 Example of V iewing a Packet Capture File Here is an example of a packet capture file viewed in the Wiresh ark packet analyzer . Notice that the size of fr ame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The Z yWALL t runcated the fr ame because the capture[...]
-
Pagina 890
Chapter 53 Diagnostics ZyWALL USG 300 User’s Guide 890[...]
-
Pagina 891
ZyWALL USG 300 User’s Guide 891 C HAPTER 54 Reboot 54.1 Overview Use this to restart the device (for example, if the device beg ins behaving erratically). See also Secti on 1.5 on page 36 for information on d ifferent ways to start and stop the Z yWALL. 54.1.1 What Y ou Need T o Know If you applied changes in the W eb config ur ator , these were [...]
-
Pagina 892
Chapter 54 Reboot ZyWALL USG 300 User’s Guide 892[...]
-
Pagina 893
ZyWALL USG 300 User’s Guide 893 C HAPTER 55 Shutdown 55.1 Overview Use this to shutdown t he device in preparat ion for disconnecting the power . See also Section 1.5 on page 36 for information on different w ays to start and stop the Zy WA L L . Always use Maintenance > Shut down > Shut down or the shutdown command before you turn off the [...]
-
Pagina 894
Chapter 55 Shu tdo wn ZyWALL USG 300 User’s Guide 894[...]
-
Pagina 895
ZyWALL USG 300 User’s Guide 895 C HAPTER 56 Troubleshooting This chapter offers some suggestions to solv e problems you might encounter . • Y ou can also refer to the logs (see Chapter 10 on page 274 ). F or individual l og descriptions, Append ix A on pa ge 923 . For the ord er in which the Z yW ALL applies its features and chec ks, see Secti [...]
-
Pagina 896
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 896 • If you ’ve fo rgo tten the ZyWALL’s IP addre ss, yo u can u se t h e c omm a nds through the consol e port to check it. C onnect your compu ter to the CONSOLE port using a console cable. Y our computer should hav e a terminal emulation communications program (such as Hype rT [...]
-
Pagina 897
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 897 I downloaded updated anti-virus or IDP/application patrol signatures. Why has the ZyW ALL not re-booted yet? The Zy WALL does not have to reboot when you upload new signatures. The content filter categor y service is not working. • Make sure y our Z yWALL has the cont en t filter categ[...]
-
Pagina 898
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 898 • The format of interface names other than the Eth ernet interface names is ver y strict. Each name consists of 2-4 letters (interface ty pe), followed by a number (x, limited by the maximum number of ea ch type of interface). For exampl e, VLAN interfaces are vlan0, vl an1, vlan2,[...]
-
Pagina 899
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 899 created a cellular interfac e but cannot connect through it. • Make sure y ou have a compatible 3G device inst alled or connected. See Chapter 57 on page 915 for details. • Make sure you ha ve the cellular interface enabled. • Make sure the cellular interface has the corr ect user [...]
-
Pagina 900
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 900 The ZyW ALL is not applying an interface’s configured ingress bandwid th limit. At the time of writing, the Z yWALL does not s upport ingress bandwidth management. The ZyW ALL is not applyi ng my application patrol bandwid th management settings. Bandwidth management in polic y rou[...]
-
Pagina 901
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 901 The ZyW ALL is deleting some zipped files. The anti-vi rus policy may b e set to dele te zipped fi les that the Z yWALL cannot unzip. The Z yWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the Z y[...]
-
Pagina 902
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 902 The ZyW ALL’s performance seems sl ower after configuring ADP . Depending on your network top ology and traff ic load, applying an anomaly profile to each and every p acket direction may aff ect the ZyW ALL’s performance. The ZyW ALL routes and applies SNA T for traffic from some[...]
-
Pagina 903
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 903 I cannot get the application pa trol to manage SIP traf fic. Make su re yo u have t he SI P ALG e nab led. I cannot get the application pa trol to manage H.323 traf fic. Make sure you ha ve the H.323 ALG enabl ed. I cannot get the application pa trol to manage FTP traf fic. Make s u re y[...]
-
Pagina 904
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 904 Here are some general suggest ions. See also Chapter 25 on page 467 . • The system log can often help to identify a configur ation problem. • If you enable NA T trav ersal, the remo te IPSec device must also hav e NA T traversal enabled. • The Z yWALL and remote IPSec router mu[...]
-
Pagina 905
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 905 • If you set up a VPN tunnel ac ross the In ternet, make sure your ISP supports AH or ESP (whichever you are using). • If you ha ve the Z yWALL and remote IPSec rout er use certificates to authenticat e each other , Y ou must set up the certificates for the ZyW ALL and remote IPSec r[...]
-
Pagina 906
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 906 If you h ave the Configuration > VPN > IPSec VPN > VPN Connection screen’ s Use Policy Route to control dynamic IPSec rules option enabled, check the routing policies to see if they are sending traffic elsewhere instead of through the VPN tunnels. I uploaded a logo to show[...]
-
Pagina 907
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 907 option. The Z yWALL classifi es the firmware package as not being able to be decompressed and deletes it. Y ou can upload the firmware package to the ZyW ALL with the option enabled, so you only need to clear the Destroy compressed files that could not be decompressed option while you do[...]
-
Pagina 908
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 908 Device HA is not working. • Y ou may need to disable STP (Spanning T r ee Protocol). • The master and its backups must all use the same device HA mode (either active-passiv e or legacy). • Configure a static IP add re ss for each inte rface that you will have device HA monitor [...]
-
Pagina 909
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 909 user , the authentication attempt will always fail. (This is related to AAA servers and authentication method s, which are discussed in Chapter 44 on page 749 and Chapter 45 on page 759 , respectiv ely .) I cannot add the admin users to a user group with access users. Y ou cann ot put ac[...]
-
Pagina 910
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 910 1 For My Certificates , you can import a certificate that matches a corresponding certification request that w as generated by the Z yWALL. Y ou can also import a certificate in PKCS#12 format, includ ing th e certific ate’ s public and private k eys. 2 Y o u must remove any spaces[...]
-
Pagina 911
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 91 1 I uploaded a logo to display on the upper left corner of the W eb Configurator login screen and access page but it does not display properly . Make sure the logo file is a GIF , JPG, or PNG of 100 kilobytes or less. I uploaded a logo to use as the screen or window background but it does[...]
-
Pagina 912
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 912 I cannot get the firmware up loaded using the commands. The W eb Configurator is the recommended method for uploading firmw are. Y ou only need to use the command line interfac e if you need to recover the firmw are. See the CLI Reference Guide for how to determin e if you need to re[...]
-
Pagina 913
Chapter 56 Trou bleshooting ZyWALL USG 300 User’s Guide 913 If you w ant to reboot the device withou t changing the current configur ation, see Chapter 54 on page 891 . 1 Make sure the SYS LED is on and not blinking. 2 Press the RESET button and hold it until the SYS LED begins to blink. (Thi s usually takes about fiv e seconds.) 3 Release the RE[...]
-
Pagina 914
Chapter 56 Tro u blesh oo tin g ZyWALL USG 300 User’s Guide 914[...]
-
Pagina 915
ZyWALL USG 300 User’s Guide 915 C HAPTER 57 Product Specifications The followin g s pe cificat io ns are sub j ect to change without notice. See Chapter 2 on page 39 for a gener al overview of key f eatures. This table provides b asic device specifications. This table p r ov ides hardware s pe cificat i ons. T able 263 Default Login Information A[...]
-
Pagina 916
Chapter 57 Product Specifications ZyWALL USG 300 User’s Guide 916 This table gives detail s about the Z y WALL’ s features. Storage Environment T emperature: -30 C to 60 C Humidity: 20% to 95% (non-condensing) MTBF Mean Time Between F ailures: 180,382 hours Dimensions 430 (W) x 201. 2 (D) x 42.0 (H) mm We i g h t 2 . 8 k g Rack -mounting Rack -[...]
-
Pagina 917
Chapter 57 Product Specifications ZyWALL USG 300 User’s Guide 917 APPLICATION PATROL Maximum Rules for Other Protocols 32 32 32 Maximum Rules for Each Protocol 32 32 32 Allowed Ports NA NA 8 Default Ports 8 8 8 USER PROFILES Maximum L ocal Users 256 256 256 Maximum Admin Users 10 10 10 Maximum User Groups 128 128 128 Maximum Us ers in One User Gr[...]
-
Pagina 918
Chapter 57 Product Specifications ZyWALL USG 300 User’s Guide 918 Maximum Number of VPN T unnels 200 200 200 Maximum Number of VPN Concentrators 888 CERTIFICATES Certificate Buffer Size 256K 256K 256K BUILT-IN SERVICES A record 128 128 128 NS record 16 16 16 MX record 16 16 16 Maximum Number of Service Control Entries 16 per service 16 per servic[...]
-
Pagina 919
Chapter 57 Product Specifications ZyWALL USG 300 User’s Guide 919 Maximum Number of Concurrent Mail Sessions 200 200 200 Maximum Number of Anti-Spam Rul es 32 32 32 Maximum Number of White List Entries 256 256 256 Maximum Number of Black List Entries 256 256 256 Maximum Number of DNSBLs 5 5 5 Maximum Number of Anti-Spam Statistics 500 500 500 Max[...]
-
Pagina 920
Chapter 57 Product Specifications ZyWALL USG 300 User’s Guide 920 The following table, which is not exhaust ive, lists standards referenced by Z yW ALL features. T able 266 Standards Referenced by Features FEATUR E ST ANDARD S REFERENCED Interface-Bridge A subset of the ANSI/IEEE 802.1d standard Interface RFCs 2131, 2132, 1541 Interface-PPP RFCs [...]
-
Pagina 921
Chapter 57 Product Specifications ZyWALL USG 300 User’s Guide 921 57.1 3G PCMCIA Card Inst allation Only insert a compatible 3G card. Slide th e connector end of the card into the slot. Note: Do not force, bend or twist the card.[...]
-
Pagina 922
Chapter 57 Product Specifications ZyWALL USG 300 User’s Guide 922[...]
-
Pagina 923
ZyWALL USG 300 User’s Guide 923 A PPENDIX A Log Descriptions This appendix provides descript ions of example log message s for the ZLD-based Z yWA LLs. The logs do not all apply to all of the ZLD-based Z yWALLs. Y ou will not necessecarily see al l of th ese logs in your de vice. T able 267 Content Filter Logs LOG MESSAGE DESCRIPTION Content filt[...]
-
Pagina 924
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 924 T able 269 Blocked Web Site Logs LOG MESSAGE DESCRIPTION %s :%s The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile. 1st %s: website host 2nd %s: website category %s: Unrated The r ating server responded [...]
-
Pagina 925
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 925 %s: Proxy mode is detected The system detected a proxy connection an d blocked access according to a profile. %s: website host %s: Forbidden Web si te The web site is in forbidden web site list. %s: website host %s: Keyword blocking The web content matched a user defined keyword. %s: web[...]
-
Pagina 926
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 926 Black List checking has been activated. The anti-spam black list has been turned on. Black List checking has been deactivated. The anti-spam black list has been turned off . Black List rule %d has been added. The anti-spam black list rule with the specified index number (%d) has been a[...]
-
Pagina 927
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 927 T able 271 SSL VPN Logs LOG MESSAGE DESCRIPTION %s %s from %s has logged in SSLVPN A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user’s user name. The third %s is the name of the service the u ser is using (HT TP or HTTPS). %s %s from %s[...]
-
Pagina 928
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 928 The %s address-object is wrong type for 'network' in SSL Policy %s. The listed address object (first %s ) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s). The SSL VPN policy %s has been changed 'ip- pool' value. The IP poo[...]
-
Pagina 929
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 929 %s %s is accessed. sent=<bytes> rcvd=<bytes> The listed SSL VPN access was used to send and receive the listed numbers of bytes. The first %s is the type of SS L VPN access (web application, file sharing, or network extension). The second %s is the name of the application. Th[...]
-
Pagina 930
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 930 T able 272 L2TP Over IPSec Logs LOG MESSAGE DESCRIPTION The configuration of L2TP over IPSec has been changed. The L2TP over IPSec configur ation has been modified. L2TP over IPSec may not work since Crypto Map %s using Manual Key. L2TP over IPSec does not support manual key management[...]
-
Pagina 931
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 931 The Z ySH logs deal with internal system errors. T able 273 ZySH Logs LOG MESSAGE DESCRIPTION Invalid message queue. Maybe someone starts another zysh daemon. ZySH daemon is instructed to reset by %d 1st:pid num System integrity error! Group OPS cannot close property group cannot close g[...]
-
Pagina 932
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 932 Can't remove %s 1st:zysh list name Table OPS %s: cannot retrieve entries from table! 1st:zysh table name %s: index is out of range! 1st:zysh table name %s: cannot set entry #%d 1st:zysh table name,2st: zysh entry num %s: table is full! 1st:zysh table name %s: invalid old/new index[...]
-
Pagina 933
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 933 T able 274 ADP Logs LOG MESSAGE DESCRIPTION from <zone> to <zone> [type=<type>] <message> , Action: <action>, Severity: <severity> The Z y WALL detected an anomaly in tr affic trav eling between the specified zones. The <type> = {scan-detection(&[...]
-
Pagina 934
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 934 T able 275 Anti-Virus Logs LOG MESSAGE DES CRIPTION Initializing Anti-Virus signature reference table has failed. The Z yWALL failed to initialize the anti-virus signatures due to an internal error . Reloading Anti-Virus signature database has failed. The Z yWALL failed to reload the a[...]
-
Pagina 935
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 935 AV signature update has failed. Can not update last update time. The anti-virus signatur es update did not succeed. AV signature update has failed. (Replacement failure) Anti-virus signatures update failed because th e ZyW ALL was not able to replace the old set of anti- virus signatures[...]
-
Pagina 936
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 936 Anti-Virus rule %d has been modified. The anti-virus rule of the specified number has bee n changed. Anti-Virus rule %d has been inserted. An anti-virus rule has been inserted. %d is the number of the new rule. Anti-Virus rule %d has been appended. The anti-virus rule with the listed n[...]
-
Pagina 937
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 937 T able 276 User Logs LOG MESSAGE DES CRIPTION %s %s from %s has logged in ZyWALL A user logged into the ZyW ALL. 1st %s: The type of user account. 2nd %s: The user ’s user name. 3rd %s: The name of the servi ce the user is using (HT TP , HTTPS, F T P , T e l ne t , SSH, or co nsol e). [...]
-
Pagina 938
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 938 Failed login attempt to ZyWALL from %s (login on a lockout address) A login attempt came from an IP address that the Z yWALL has locked out. %u.%u.%u.%u: the source address of the user’ s login attempt Failed login attempt to ZyWALL from %s (reach the max. number of user) The Z yWALL[...]
-
Pagina 939
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 939 Registration has failed. Because of lack must fields. The device received an incomplete response from the myZ yXEL.com server and it caused a parsing error for the device. %s:Trial service activation has failed:%s. T rail service activation failed for the specified service, an error mess[...]
-
Pagina 940
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 940 Do device register. The device started device registration. Do trial service activation. The device started tr ail service activation. Do standard service activation. The device started standard service activ ation. Do expiration check. The device started the service expiration day che[...]
-
Pagina 941
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 941 Device has latest signature file; no need to update The device already has the latest version of the signature file so no update is needed. Connect to update server has failed. The device cannot connect to the update server . Wrong format for packets received. The device cannot parse the[...]
-
Pagina 942
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 942 Get server response has failed. The device sent packets to the server , but did not receive a response. The root cause may be that the connection is abnormal. Expiration daily- check has failed:%s. The daily check for service expiration failed, an error m essage returned by the MyZyXEL[...]
-
Pagina 943
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 943 Self signed certificate. V erification of a server’ s certificate failed because it is self- signed. Self signed certificate in certificate chain. V erification of a server’s certificate failed because there is a self-signed certificate in the server’s certificate chain. Verify pee[...]
-
Pagina 944
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 944 Enable IDP engine succeeded. The device turned on the IDP engine. Disable IDP engine succeeded. The device turned off the IDP engine. IDP service is not registered. IDP will not be activated. The IDP service could has not been turned on and the IDP signatures will not be updated becaus[...]
-
Pagina 945
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 945 Add custom signature error: signature <sid> is over length. An attempt to add a custom IDP signature failed because the signature’s contents were too long. Edit custom signature error: signature <sid> is over length. An attempt to edit a custom IDP signature failed because [...]
-
Pagina 946
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 946 from <zone> to <zone> [type=<type>] <message> , Action: <action>, Severity: <severity> The Z yWALL detected an intrusion in tr affic trav eling between the specified zones. The <type> = {scan-detection(<attack>) | flood- detection(<att[...]
-
Pagina 947
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 947 Duplicate sid <sid> in import file at line <linenum>. The listed signature ID is duplicated at the listed line number in the signature file. IDP rule <num> has been deleted. The listed IDP rule has been removed. IDP rule <num> has been moved to <num>. The ID[...]
-
Pagina 948
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 948 Protocol %s has been enabled. The listed protocol has been turned on in the application patrol. Protocol %s has been disabled. The listed protocol has been turned off in the application patrol. Classification mode of protocol %s has been modified to portless. The device will now use th[...]
-
Pagina 949
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 949 T able 280 IKE Logs LOG MESSAGE DESCRIPTION Peer has not announced DPD capability The remote IPSec router has not announced its dead peer detection (DPD) capability to this device. [COOKIE] Invalid cookie, no sa found Cannot find SA according to the cookie. [DPD] No response from peer. U[...]
-
Pagina 950
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 950 [SA] : Tunnel [%s] Phase 1 invalid protocol %s is the tunnel name. When nego tiating Phase-1, the packet was not a ISKAMP pack et in the protocol field. [SA] : Tunnel [%s] Phase 1 invalid transform %s is the tunnel name. When negotiating Phase-1, the transform ID w as invalid. [SA] : T[...]
-
Pagina 951
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 951 Could not dial manual key tunnel "%s" %s is the tunnel name. The manual k ey tunnel cannot be dialed. DPD response with invalid ID When receiving a DPD response with invalid ID ignored. DPD response with no active request When receiving a DPD re sponse with no active query . IK[...]
-
Pagina 952
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 952 VPN gateway %s was enabled %s is the gatewa y name. An administrator enabled the VPN gateway . XAUTH fail! My name: %s %s is the my xauth name. This indicates that m y name is inv alid. XAUTH fail! Remote user: %s %s is the remote xauth name. This indicates that a remote user’s name [...]
-
Pagina 953
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 953 Get outbound transform fail When outgoing packet need to be transformed, the engine cannot obtain the transform context. Inbound transform operation fail After encryption or hardware accelerated processing, the hardware acceler ator dropped a packet (resource shortage, corrupt packet, in[...]
-
Pagina 954
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 954 Firewall %s %s rule %d was %s. 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule 3rd %s is appended/inserted/modified Firewall %s %s rule %d has been moved to %d. 1st %s is from zone, 2nd %s is to zone, 1st %d is the old index of the rule 2nd %d is the new index of th[...]
-
Pagina 955
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 955 The policy route %d uses empty user group! Use an empty object group. %d: the policy route rule number The policy route %d uses empty source address group! Use an empty object group. %d: the policy route rule number The policy route %d uses empty destination address group! Use an empty o[...]
-
Pagina 956
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 956 HTTPS port has been changed to port %s. An administrator changed the port number for HT TPS. %s is port number HTTPS port has been changed to default port. An administrator chan ged the po rt number for HT TPS back to the default (443). HTTP port has changed to port %s. An administr at[...]
-
Pagina 957
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 957 Console baud has b een reset to %d. An administrator changed the console port baud r ate back to the default (115200). %d is default baud rate DHCP Server on Interface %s will not work due to Device HA status is Stand-By If interface is stand-by mode for de vice HA, DHCP server can'[...]
-
Pagina 958
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 958 DNS access control rule %u has been moved to %d. An administrator mo ved the rule %u to index %d. %u is previous index %d variable is current index The default record of Zone Forwarder have reached the maximum number of 128 DNS servers. The default record DNS servers is more than 128. [...]
-
Pagina 959
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 959 Access control rule %u of %s was modified. An access control rule was modified successfully . %u is the index of the access control rule. %s is HT TP/HTTPS/SSH/SNMP/FTP/TELNET . Access control rule %u of %s was deleted. An access control rule was removed successfully . %u is the index of[...]
-
Pagina 960
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 960 DHCP Server executed with cautious mode disabled DHCP Server ex ecuted with cautious mode disabled. Received packet is not an ARP response pack et A packet was received but it is not an ARP response packet. Receive an ARP response The device received an ARP response. Receive ARP respon[...]
-
Pagina 961
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 961 Device is rebooted by administrator! An administr ator restarted the device. Insufficient memory. Cannot allocate system memory . Connect to dyndns server has failed. Cannot connect to members.dyndns.org to update DDNS. Update the profile %s has failed because of strange server response.[...]
-
Pagina 962
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 962 Update the profile %s has failed because the feature requested is only available to donators. Update profile failed because the feature requested is only av ailable to donators, %s is the profile name. Update the profile %s has failed because of error response. Update profile failed be[...]
-
Pagina 963
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 963 The profile %s has been paused because the HA interface of VRRP status was standby. The profile is paused by Device-HA, because the VRRP status of that HA iface is standby , %s is the profile name . Update the profile %s has failed because HA interface was link- down. DDNS profile cannot[...]
-
Pagina 964
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 964 T able 287 Connectivity Check Logs LOG MESSAGE DESCRIPTION Can't open link_up2 Cannot recover routing status which is link -down. Can not open %s.pid Cannot open connectivity check process ID file. %s: interface name Can not open %s.arg Cannot open configuration file for connectiv[...]
-
Pagina 965
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 965 Can't use MULTICAST IP for destination The connectivity check process can't use multicast address to check link -status. The destination is invalid, because destination IP is broadcast IP The connectivity check process can't use broadcast address to check link -status. Can[...]
-
Pagina 966
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 966 %s file not existed, Skip syncing it fo r %s There is no file to be synchronized from the Master when syncing a object (A V/AS/IDP/Certificate/System Configuration), But in fact, there should be something in the Master for the device to synchronize with, 1st %s: The syncing object, 2ed[...]
-
Pagina 967
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 967 Device HA authentication type for VRRP group %s maybe wrong. A VRRP group’ s Authentication T ype (Md5 or IPSec AH) configuration ma y not match between the Backup and the Master . %s: The name of the VRRP group. Device HA authenticaton string of text for VRRP group %s maybe wrong. A V[...]
-
Pagina 968
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 968 T able 289 Routing Protocol Logs LOG MESSAGE DESCRIPTION RIP on interface %s has been stopped because Device-HA binds this interface. Device-HA is currently running on the interface %s, so all the local service have to be stopped including RIP . %s: Interface Name RIP on all interfaces[...]
-
Pagina 969
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 969 RIP md5 authentication id and key have been deleted. RIP md5 authentication id and key have been deleted. RIP global version has been deleted. RIP global version has been deleted. RIP redistribute OSPF routes has been disabled. RIP redistribute OSPF routes has been disabled. RIP redistri[...]
-
Pagina 970
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 970 Invalid OSPF virtual- link %s authentication of area %s. Virtual-link %s authentication has been set to same- as-area but the area has invalid authen tication co nf iguration. %s: Virtual-Link ID Invalid OSPF md5 authentication on interface %s. Inv alid OSPF md5 authentication is set o[...]
-
Pagina 971
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 971 Register SIP ALG signal port=%d failed. SIP ALG apply signal port failed. %d: Po rt number Register H.323 ALG extra port=%d failed. H323 ALG apply additional signal port failed. %d: Po rt number Register H.323 ALG signal port=%d failed. H323 ALG apply signal port failed. %d: Po rt number[...]
-
Pagina 972
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 972 SCEP enrollment "%s" successfully, CA "%s", URL "%s" The device used SCEP to enroll a certificate. 1st %s is a request name, 2nd %s is the CA name, 3rd %s is the URL . SCEP enrollment "%s" failed, CA "%s", URL "%s" The device [...]
-
Pagina 973
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 973 Export X509 certificate "%s" from "Trusted Certificate" successfully The device exported a x509 format certificate from T rusted Certificates. %s is the certificate request name. Export X509 certificate "%s" from "My Certificate" failed The device [...]
-
Pagina 974
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 974 25 Database method failed due to timeout. 26 Database method failed. 27 P ath was not verified. 28 Maximum path length reached. T able 292 Interface Logs LOG MESSAGE DESCRIPTION Interface %s has b een deleted. An administrator deleted an in terface. %s is the interface name. AUX Interf[...]
-
Pagina 975
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 975 Interface %s is enabled. An administrator enabled an in terface. %s: interface name. Interface %s is disabled. An administrator disabled an interface. %s: interface name. %s MTU > (%s MTU - 8), %s may not work correctly. An administrator configured a PPP interface, PPP interface MTU &[...]
-
Pagina 976
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 976 Interface %s connect failed: MS-CHAP authentication failed. MS-CHAP authentication failed (the server must support MS- CHAP and verify that the authentication failed, this does n ot include cases where the server does not support MS-CHAP). %s: interface name. Interface %s connect faile[...]
-
Pagina 977
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 977 "SIM card has been successfully unlocked by PUK code on interface cellular%d. Y ou entered the correct PUK code and unlocked the SIM card for the cellular device associated with the listed cellular interface (%d). "Incorrect PUK code of interface cellular%d. Please check the PU[...]
-
Pagina 978
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 978 "Cellular device [%s %s] has been removed from %s. The cellular device (identified by its manufacturer and model) has been removed from the specified slot. Interface cellular%d required authentication password.Please set password in cellular%d edit page. Y ou need to manually ente[...]
-
Pagina 979
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 979 Station association has failed. Maximum associations have reached the maximum number. Interface: %s, MAC: %s. A wireless client with the specified MAC address (second %s) failed to connect to the specified WLAN interface (first %s) because the WLAN interface already has its maximum numbe[...]
-
Pagina 980
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 980 T able 295 Port Grouping Logs LOG MESSAGE DESCRIPTION Interface %s links up because of changing Port Group. Enable DHCP client. An administrator used port -grouping to assign a port to a representative Interface and this representative interface is set to DHCP client and only has one m[...]
-
Pagina 981
Appendix A Log Descriptions ZyWALL USG 300 User’s Guide 981 ERROR:#%s, %s R un script failed, this log will be what wrong CLI command is and what error message is. 1st %s is CLI command. 2nd %s is error message when apply CLI command. WARNING:#%s, %s Run script failed, this log will be what wrong CLI command is and what warning message is. 1st %s[...]
-
Pagina 982
Appendix A Log Descrip tio ns ZyWALL USG 300 User’s Guide 982 T able 299 E-mail Daily Report Logs LOG MESSAGE DESC RIPTION Email Daily Report has been activated. The daily e-mail report function has been turned on. The Z yW ALL will e-mai l a daily report about the selected items at the scheduled time if the required settings are configured corre[...]
-
Pagina 983
ZyWALL USG 300 User’s Guide 983 A PPENDIX B Common Services The following table lists some commonl y-used services and their associated protocols and port numbers. F or a comprehe nsiv e list of port numbers, ICMP type/ code numbers and services , visit the IANA (Internet Assigned Number Authority) web site. • Name : This is a short, descrip ti[...]
-
Pagina 984
Appendix B Com mon Servic es ZyWALL USG 300 User’s Guide 984 ESP (IPSEC_TUNNEL) User -Defined 50 The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. FTP TCP TCP 20 21 File T ransfer Program, a progr am [...]
-
Pagina 985
Appendix B Common Services ZyWALL USG 300 User’s Guide 985 PPTP TCP 1723 Point -to-P oint T unneling Protocol enables secure transfer of data ov er public networks. This is the control channel. PPTP_TUNNEL (GRE) User -Defined 47 PPTP (P oint-to-Point T unneling Protocol) enables secure transfer of data over public networks. This is the data chann[...]
-
Pagina 986
Appendix B Com mon Servic es ZyWALL USG 300 User’s Guide 986 TFTP UDP 69 T rivial File T ransfer Protocol is an Internet file transfer protocol similar to FTP , but uses the UDP (User Datagram Protocol) r ather than TCP (T ransmission Control Protocol). VDOLIVE TCP 7000 Another videoconferencing solution. T able 302 Commonly Used Services (contin[...]
-
Pagina 987
ZyWALL USG 300 User’s Guide 987 A PPENDIX C Displaying Anti-V irus Alert Messages in Windows With the anti- v irus packet scan, when a v irus is detected, yo u can hav e the Z yW ALL display an alert message on Miscrosoft Windows-based computers. If the log shows that virus files are b eing dete cted but your Miscrosoft Windows- based computer is[...]
-
Pagina 988
Appendix C Dis playing Anti-Virus Alert Message s in Windows ZyWALL USG 300 User’s Guide 988 2 Select the Messenge r service and click Start . Figure 601 Windows XP: S tarting the Messenger Service 3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services . Figure 602[...]
-
Pagina 989
Appendix C Displaying Anti-Virus Alert Messages in Windows ZyWALL USG 300 User’s Guide 989 2 Select the Messenge r service and click Start Service . Figure 603 Windows 2000 : S tarting the Messenger Service 3 Close the window when you are done. Windows 98 SE/Me For Windows 98 SE/Me, you must open the WinPopup window in order t o view real-time al[...]
-
Pagina 990
Appendix C Dis playing Anti-Virus Alert Message s in Windows ZyWALL USG 300 User’s Guide 990 1 Right- click on the program t ask bar and click Properties . Figure 605 WIndows 98 SE: Program T ask Bar 2 Click the Start Menu Programs tab and click Advanced .. . Figure 606 Windows 98 SE: T ask Bar Properties 3 Double-click Programs and click StartUp[...]
-
Pagina 991
Appendix C Displaying Anti-Virus Alert Messages in Windows ZyWALL USG 300 User’s Guide 991 4 Right- click in the StartUp pane and click New , Sho rtcut . Figure 607 Windows 98 SE: S tartUp 5 A Create Shortcut wi ndow displays. Enter “wi npopup” in the Command line field and click Next . Figure 608 Windows 98 SE: S tartup: Create Shortcut[...]
-
Pagina 992
Appendix C Dis playing Anti-Virus Alert Message s in Windows ZyWALL USG 300 User’s Guide 992 6 Specify a nam e for the shortcu t or accept the de fault and c lic k Finish . Figure 609 Windows 98 SE: S tartup: Select a T itle for the Program 7 A shortcut is created i n the StartUp pane. Restart the computer when prompted. Figure 610 Windows 98 SE:[...]
-
Pagina 993
ZyWALL USG 300 User’s Guide 993 A PPENDIX D Importing Certificates This appendix shows you how to import public k ey certificates into your web browser . Public key certificates are used by web br owsers to ensure that a secure web site is legitimate. When a certificate authorit y such as V eriSign, Comodo, or Network Solutions, to name a few , r[...]
-
Pagina 994
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 994 1 If your device’ s W eb Configurator is set to use S SL certification, then the first time you browse to i t you are presented with a certificati on error . Figure 61 1 Internet Explorer 7: Certification Error 2 Click Continue to this website (not recommended) . Figure 612 Inter[...]
-
Pagina 995
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 995 4 In the Certificate dialog bo x, click Install Certificate . Figure 614 Internet Explorer 7: Cert ificate 5 In the Certificate Import Wizard , click Next . Figure 615 Internet Explorer 7: Cert ificate Import Wizard[...]
-
Pagina 996
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 996 6 If you w ant Internet Explorer to Automatically select certificate store based on the type of certificate , click Next again and then go to step 9. Figure 616 Internet Explorer 7: Cert ificate Import Wizard 7 Otherwise, se lect Place all certificates in the following store and th[...]
-
Pagina 997
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 997 8 In the Select Certificate Store dialog box, choose a location in which to sa ve the certificate and then clic k OK . Figure 618 Internet Explorer 7: Select Certificate S tore 9 In the Completing the Certificate Import Wizard screen, click Finish . Figure 619 Internet Explorer 7:[...]
-
Pagina 998
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 998 10 If you are presented with another Security Warning , c lick Yes . Figure 620 Internet Explorer 7: Security W arning 11 Finally , click OK when presented with the successful certificate install ation message. Figure 621 Internet Explorer 7: Cert ificate Import Wizard 12 The next [...]
-
Pagina 999
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 999 Inst alling a St and-Alone Certific ate File in Internet Explorer Rather t han browsing to a Z yXEL W eb Co nfigurator and installing a public k ey certificate when prompted, y ou can install a stand- alone certific ate file if one has been issued to you. 1 Double-click the public[...]
-
Pagina 1000
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1000 1 Open Internet Explorer and click Tools > Internet Options . Figure 625 Internet Explorer 7: T ools Menu 2 In the Internet Options dialog box, cl ick Conte nt > Certificates . Figure 626 Internet Explorer 7: I nternet Options[...]
-
Pagina 1001
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 1001 3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificat e that yo u w ant to delete, and then click Remove . Figure 627 Internet Explorer 7: Cert ificates 4 In the Certificates confirmation, click Yes . Figure 628 Internet Expl[...]
-
Pagina 1002
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1002 6 The next time you go to the web site that issued the public k ey certificate you just removed, a certification error appears. Firefox The following example uses Mozilla Firefox 2 on Windows XP Professional; however , the screens can also apply to Firefox 2 on all platforms. 1 If[...]
-
Pagina 1003
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 1003 3 The certificate is stored and you ca n now connect securely to the W eb Configurator . A sealed padlock appears in the address bar , which you can click to open the Page Info > Security windo w to view the web page’ s security informat ion. Figure 631 Firefox 2: Page Info [...]
-
Pagina 1004
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1004 1 Open Firefox and click Tools > Options . Figure 632 Firefox 2: T ools Menu 2 In the Options dialog bo x, cli ck Advanced > Encryption > View Certifica t es . Figure 633 Firefox 2: Options[...]
-
Pagina 1005
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 1005 3 In the Certificate Manager dialog box, cl ick Web S ites > Import . Figure 634 Firefox 2: Cert ificate Manager 4 Use the Select File dialog bo x to locate the certificate and then click Op en . Figure 635 Firefox 2: Select File 5 The next time you visit the web site, click t[...]
-
Pagina 1006
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1006 Removing a Certificate in Firefox This section shows y ou how to remove a public key certificate in Fi refox 2. 1 Open Firefox and click Tools > Options . Figure 636 Firefox 2: T ools Menu 2 In the Options dialog bo x, cli ck Advanced > Encryption > View Certifica t es . [...]
-
Pagina 1007
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 1007 3 In the Certificate Manager dialog box, select the Web Sites tab , select the certificate that you w ant to remove, and then click Delete . Figure 638 Firefox 2: Cert ificate Manager 4 In the Delete Web Site Certificates dialog bo x, cli ck OK . Figure 639 Firefox 2: Delete W eb[...]
-
Pagina 1008
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1008 1 If your device’ s W eb Configurator is set to use S SL certification, then the first time you browse to i t you are presented with a certificati on error . 2 Click Install to accept the certi ficate. Figure 640 Opera 9: Certificate signer not found 3 The next time you visit th[...]
-
Pagina 1009
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 1009 Inst alling a St and-Alone Ce rtifica te File in Opera Rather t han browsing to a Z yXEL W eb Co nfigurator and installing a public k ey certificate when prompted, y ou can install a stand- alone certific ate file if one has been issued to you. 1 Open Opera and click Tools > P[...]
-
Pagina 1010
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1010 2 In Preferences , click Advanced > Security > Manage certificates . Figure 643 Opera 9: Prefer ences[...]
-
Pagina 1011
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 101 1 3 In the Certificates Manager , click Authorities > Import . Figure 644 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open. Figure 645 Opera 9: Import certif icate[...]
-
Pagina 1012
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1012 5 In the Install authority certificate dialog box, c lick Ins tall . Figure 646 Opera 9: Inst all authority certificate 6 Next, click OK . Figure 647 Opera 9: Inst all authority certificate 7 The next time you visit the web site, click the padlock in the address bar to open the Se[...]
-
Pagina 1013
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 1013 1 Open Opera and click Tools > Preferences . Figure 648 Opera 9: T ools Menu 2 In Preferences , Advanced > Security > Manage certificates . Figure 649 Opera 9: Prefer ences[...]
-
Pagina 1014
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1014 3 In the Certificates manager , sele ct the Authorities tab, select th e ce rtificat e that you wan t to rem ove , an d the n c lic k Delete . Figure 650 Opera 9: Certificate manager 4 The next time you go to the web site that issued the public k ey certificate you just removed, a[...]
-
Pagina 1015
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 1015 2 Click Continue . Figure 651 Konquero r 3.5: Server Authentication 3 Click Forever when prompted to accept the certificate. Figure 652 Konquero r 3.5: Server Authentication 4 Click the padlock in the addr ess bar to open the KDE SSL Information window and view the web page’ s [...]
-
Pagina 1016
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1016 Inst alling a St and-Alone Ce rtificate File in Konqueror Rather t han browsing to a Z yXEL W eb Co nfigurator and installing a public k ey certificate when prompted, y ou can install a stand- alone certific ate file if one has been issued to you. 1 Double-click the public key cer[...]
-
Pagina 1017
Appendix D Importi ng Certificates ZyWALL USG 300 User’s Guide 1017 3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Inf ormation window to view the web page’ s security details. Removing a Certificate in Konqueror This section shows y ou how to remove a public k e y certificate in K onqueror 3.5.[...]
-
Pagina 1018
Appendix D Importing Certificates ZyWALL USG 300 User’s Guide 1018 4 The next time you go to the web site that issued the public k ey certificate you just removed, a certification error appears. Note: There is no confirmation wh en you remove a certificate authority , so be absolutely certain you want to go through with it before clicking the but[...]
-
Pagina 1019
ZyWALL USG 300 User’s Guide 1019 A PPENDIX E W ireless LANs Wireless LAN T opologies This section discuss es ad-hoc and infr astructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configur ation is an in depend ent (Ad-hoc) WLAN that connect s a set of computers with wireless adapters (A, B, C). An y time two or m[...]
-
Pagina 1020
Appendix E Wirele ss LA Ns ZyWALL USG 300 User’s Guide 1020 with each other . When Intr a-BSS is disabled , wireless client A and B can still access the wired network but cannot communicate with eac h other . Figure 660 Basic Service Set ESS An Extended Service Set (ESS) c onsists of a series of overlapping BS Ss, each containing an access point,[...]
-
Pagina 1021
Appendix E Wir eless LANs ZyWALL USG 300 User’s Guide 1021 An ESSID (ES S IDentification) uniquely id entifies each ESS . All access points and their associated wirel ess clients within the same ESS must have the same ESSID in order to comm u nicate. Figure 661 Infrastructure WLAN Channel A channel is the r adio frequency(ies) used by wirel ess d[...]
-
Pagina 1022
Appendix E Wirele ss LA Ns ZyWALL USG 300 User’s Guide 1022 wireless gatewa y , but out -of-r ange of ea ch other , so they cannot "hear" each other , that is they do not know if the channel is currently being used. Therefore, they are consider ed hi dden from each other . Figure 662 RTS / C T S When station A sends data to the AP , it [...]
-
Pagina 1023
Appendix E Wir eless LANs ZyWALL USG 300 User’s Guide 1023 Note: Enabling the R TS Threshold causes redundant network overhead that could negatively affe ct the throughput performance instead of providin g a remedy . Fragment ation Threshold A Fragmentation Threshold is the maximum data fr agment size (between 256 and 2432 bytes) that can be sent[...]
-
Pagina 1024
Appendix E Wirele ss LA Ns ZyWALL USG 300 User’s Guide 1024 (and vice versa) at 11 Mbps o r lowe r depe nding on range. IEEE 802.11g has sever al intermediate rate steps between the maximum and minimum data r ates. The IEEE 802.11g data rate and modulation are as follows: Wireless Security Overview Wireless security is vital to your ne tw ork to [...]
-
Pagina 1025
Appendix E Wir eless LANs ZyWALL USG 300 User’s Guide 1025 accounting and control features. It is su pported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: • User based identification that allows fo r roaming. • Support for RADIUS (R emote Authentication Dial In User Service, R FC 2138, 2139) for central iz[...]
-
Pagina 1026
Appendix E Wirele ss LA Ns ZyWALL USG 300 User’s Guide 1026 The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: •A c c o u n t i n g - R e q u e s t Sent by the ac cess point requesting accounting. • Accounting-R esponse Sent by the RADIUS server to indicate th at it has sta[...]
-
Pagina 1027
Appendix E Wir eless LANs ZyWALL USG 300 User’s Guide 1027 authentication method does not support data encryption wi th dynamic session key . Y ou must configure WEP encry ption keys for data encrypti on. EAP-TLS (T ransport Layer Security) With EAP- TLS, digital certi fications are n eeded by both the server and the wireless clients for mutu al [...]
-
Pagina 1028
Appendix E Wirele ss LA Ns ZyWALL USG 300 User’s Guide 1028 Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange For ad ded security , certificate-based au thentications (EAP- TLS, EAP- TTLS and PEAP) use dynamic keys for data encryption . They are often deployed in corporate environments, but for pub lic deployment, a simple user name and [...]
-
Pagina 1029
Appendix E Wir eless LANs ZyWALL USG 300 User’s Guide 1029 use Advanc ed Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP . TKIP uses 128-bit k eys that are dynami cal ly generated and d istributed by the authentication server . AES (A dv an[...]
-
Pagina 1030
Appendix E Wirele ss LA Ns ZyWALL USG 300 User’s Guide 1030 authentication. These two features are op tional and ma y not be supported in all wireless dev ices. K ey caching allows a wireless client to store th e PMK it deriv e d through a successful authentication wit h an AP . The wi reless client uses the PMK when it tries to connect to the sa[...]
-
Pagina 1031
Appendix E Wir eless LANs ZyWALL USG 300 User’s Guide 1031 4 The RADIUS server distributes the PMK to the AP . The AP th en sets u p a key hierarchy and management system, usin g the PMK to dynamica lly generate unique data encryption k eys. The k eys are used to encrypt every data packet that is wirelessly communicated bet ween the AP and the wi[...]
-
Pagina 1032
Appendix E Wirele ss LA Ns ZyWALL USG 300 User’s Guide 1032 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create tempor al encryption keys. They use these keys to encrypt data exchanged between them. Figure 664 WP A(2)-PSK Authentication Security Parameters Summary Re fer[...]
-
Pagina 1033
Appendix E Wir eless LANs ZyWALL USG 300 User’s Guide 1033 Antenna Overview An antenna couples RF signals onto air . A transmi tter within a wireless device sends an RF signal to the antenna, whic h propagates the signal through the air . The antenna also operates in reverse by capturing RF signals from the air . P ositioning the antennas properl[...]
-
Pagina 1034
Appendix E Wirele ss LA Ns ZyWALL USG 300 User’s Guide 1034 • Omni-directional antennas send the RF sign al out in all directions on a horizontal plane. The cover age area is torus-sh aped (like a donut) which makes these antennas ideal for a room environment. With a wide cove rage area, it is possible to make circular ov erlapping covera ge ar[...]
-
Pagina 1035
ZyWALL USG 300 User’s Guide 1035 A PPENDIX F Open Sof tware Announcement s End-User License Agreement for “ZyW ALL USG 300” WARNING: Z yXEL Communications Co rp. IS WILLING TO LICENSE THE SOFTWARE T O YOU ONL Y UPON THE CONDITION THA T YOU ACCEPT ALL OF THE TERMS CONT AINED IN THIS LICENSE AG REEMENT . PLEASE READ THE TERMS CAREFULL Y BEFORE [...]
-
Pagina 1036
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1036 Y ou may not remove any p roprietary notice of Z y XEL or any of its licensors from any copy of the Softw are or Documentation. 4.R estrictions Y ou may not publish, display , disclose, sell, rent, lease, modify , store, loan, distribute, or create deriv ative works of the [...]
-
Pagina 1037
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1037 6.No W arrant y THE SOFTWARE IS PROVIDED "AS IS." T O THE MAXIMUM EXTENT PERMITTED BY LAW , Z yXEL DISCLAIMS ALL W ARRANTIES OF ANY KIND , EITHER EXPRES SED OR IMPLIED, INCLUDING, WITHOUT LIMIT A TION, IMPLIED WARRANTIES OF MERCHANT ABILITY AND FITNESS FOR A P A RT[...]
-
Pagina 1038
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1038 9.Audit Rights Z yXEL SHALL HAVE THE RIGHT , A T ITS OWN EXPENSE, UPON REASONABLE PRIOR NOTICE, T O PERIODICALL Y INSPECT AN D AUDIT Y OUR RECORDS T O ENSURE YOUR COMPLIANCE WITH THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT . 10.T ermination This License Agreement is [...]
-
Pagina 1039
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1039 bridge-utils 0.9.5. http://linux-n et.osdl.org/in dex.php/Bridge dhcpcd-1.3.2 2-pl4 1.3.22-pl4 http://www .phystech.com/downl oad/ ppp-2.4.2 2.4.2 http://ppp .samba.org/ppp/in dex.html pptp-1.7.0 1.7.0 http://pptpclient.s ourceforge.net/ rp-pppoe-3.5 3.5 http://www .r oaring[...]
-
Pagina 1040
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1040 Notice Information herein is subject to change without notice. Comp anies, names, and data used in exampl es herein are fictit ious unless otherwise noted. No part may be reproduced or transmi tted in any fo rm or by any means, electronic or mechanical, for an y purpose, ex[...]
-
Pagina 1041
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1041 PPP License Copyright (c) 1993 The Austr alian National Universit y . All rights reserved. Re distribution and use in source and binary forms are permitted provided that the above copyri ght notice and this par agrap h are duplicated in all such forms and that any documentat[...]
-
Pagina 1042
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1042 All rights reserved. Re di stribution and use in source and bina ry forms, with or without modification , are permitted provided that the following conditions are met: 1.R edistributions of source code must retain the abov e copyright notice, this list of conditions and the[...]
-
Pagina 1043
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1043 This Product includes expat-1.95.6 softw are under the Expat License Expat License Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd P ermission is hereby granted, free of ch arge, to an y person obtaining a copy of this software and associ ated documentati[...]
-
Pagina 1044
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1044 •This license is compatible with The GN U General Pu blic License, V ersion 2 This is j ust like a Simpl e Permissive li cense , but it requires that a copyrig ht notic e be main ta ined. ________________________________________ P ermission is hereby granted, free of ch a[...]
-
Pagina 1045
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1045 2. R edistributions in binary form must reproduce the above copyright notice, this list of conditions and the following d isclaimer in the documentation and/or other materials provided with the dis tribution. 3. All adve rtising materials mentioning fe atures or use of t his[...]
-
Pagina 1046
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1046 be it the RC4, RS A, lhash, DES, etc. , code; not just the SSL code. The SSL documentation included with this distribu tion i s covered by the same copyright terms except that the hol der is Tim Huds on (tjh@cryptsoft.com). Copyright remains Eric Y oung's, and as su ch[...]
-
Pagina 1047
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1047 This Product includes libevent - 1.1a and xinetd-2.3.14 software under the a 3- clause BSD License a 3-clause BSD-style license This is a Free Software Li cense •This license is compatible with The GN U General Pu blic License, V ersion 1 •This license is compatible with[...]
-
Pagina 1048
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1048 * Neither the name of [original copyright holder] nor the names of its cont ributors may be used to endors e or promote products deriv ed from this software without specific prior written permission. THIS SOF TWARE IS PROVIDED BY THE COPYRIGH T HOLDERS AND CONTRIBUTORS &quo[...]
-
Pagina 1049
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1049 DIRECT , INDIRECT , OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHA TSOEVER RESUL TING FROM LOSS OF USE, DA T A OR PROFITS, WHETHER IN AN ACTION OF CONTRACT , NEGLIGENCE OR O THER TOR TIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. $Id[...]
-
Pagina 1050
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1050 P ermission to use, copy , modify , and distri bute this software for an y purpose with or without fee is hereby gr anted, provided that th e above copy ri ght notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS " AND ISC DISCLA[...]
-
Pagina 1051
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1051 "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by th e copyrigh t owner that is granting the Licen s[...]
-
Pagina 1052
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1052 "Contributor" shall mean Lice nsor and any individual or Legal Entit y on behalf of whom a Contribution has been receiv ed by Licensor and subsequently incorporated wi thin the W ork. 2. Gr ant of Copyright Li cense. Subject to the terms and condit ions of this Li[...]
-
Pagina 1053
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1053 attribution notices within Deriv ative W orks that Y ou distribute, alongs ide or as an addendum to the NO TICE text from the W ork, provided that such additional attribution notices cannot be construed as modifyin g t he License. Y ou m ay add Y our own copyright statement [...]
-
Pagina 1054
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1054 Contributor harmless for any liabili ty incurred by , or claims asserted against, such Contributor by reason of your accepting an y such warranty or additional li ability . END OF TERMS AND CONDITIONS Ve r s i o n 1 . 1 Copyright (c) 1999-2003 The Apache Softw are Foundat i[...]
-
Pagina 1055
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1055 USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS SIBILITY OF SUCH DAMAGE. This software consis ts of voluntary contrib utions made by many individ uals on behalf of the Apache Softw are Found ati on. F or more inform ation on the Apache Software F oundation, please see <h[...]
-
Pagina 1056
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1056 guarantee y our freedom to share and chan ge free software--to mak e sure the software is free fo r all its use rs . This license, the Lesser Gener al Public License, appl ies to some specially designated softw are packages--typica lly libraries--of the Free Softw are Found[...]
-
Pagina 1057
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1057 Most GNU software, including so me libraries, is cov ered by the ordinary GNU General Publi c License. This lic ense, th e GNU Lesser Gener al Public License, applies to certain des ignated libraries, and is quite different from the ordinary General Public License. W e use t[...]
-
Pagina 1058
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1058 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under t he terms of this Lesser Gener al Public License (also called "this License&q[...]
-
Pagina 1059
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1059 still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a li brary to comp ute square roots has a purpose that is entirely well-defined indepe ndent of the application. Therefore, Subsection 2d requires that any applicat ion-[...]
-
Pagina 1060
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1060 "work that uses the Library". Such a work, in isolation, is not a derivati v e work of the Libr ary , and therefore fall s outside the sco pe of this License . However , linking a "work that uses the Libr ary" with the Library creates an executable that [...]
-
Pagina 1061
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1061 version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer , v a lid for at least three years, to giv e the same user the materials specified in Subs ection 6a, above, for a charge no more than the cost of perform[...]
-
Pagina 1062
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1062 10. Each time you redi stribute the Libr ar y (or any work base d on the Library), the recipient automatically recei ves a license from the original licensor to copy , distribute, li nk with or modify the Li br ary subject to these terms and c onditions. Y ou may not impose[...]
-
Pagina 1063
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1063 Library does not specify a license version number , you may choose any version ever published by the Fr ee Softw are Foundation. 14. If you wish t o incorpor ate parts of th e Libr ary into other free progr ams whose distribution conditions are incomp atible with these, wr i[...]
-
Pagina 1064
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1064 pcmcia-cs-3.2.8, lib eeprog, mgetty -1.1.35, gmp-4.1, msmtp-1. 4.12 and libqsearch 0.8 software under GPL license. GNU GENERAL PUBLIC LICENSE V ersion 2, June 1991 Copyright (C) 1989, 1991 Free Software F oundation, Inc. 59 T emple Place - Suite 330, Boston, MA 02111-1307, [...]
-
Pagina 1065
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1065 the software. Also, for each author's protec tion and ours, we want to make certain that everyone unde rs tan ds that there is no warr anty for this free software. If the software is modified by someone else an d p assed on, we want its recip ients to know that what the[...]
-
Pagina 1066
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1066 b) Y ou must cause any work that you distribute or publ ish, that in whole or in part contains or is deriv e d from the Program or any part thereof , to be licensed as a whole at no charge to all third p art ies under the terms of this License. c) If the modified program no[...]
-
Pagina 1067
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1067 source code means all the source code for all modules it contains, plus any associated interface definition fi les, plus the scripts used to control compil ation and i n s tall at ion of th e ex ecutable. However , as a special exception, the source code distributed need not[...]
-
Pagina 1068
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1068 whole is intended to apply in other circum stances. It is not the purpose of this section to induce you to infringe any pate nts or other property right c l aim s or to contest vali dity of an y such claims; this section has the sole purpose of protecting the integrity of t[...]
-
Pagina 1069
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1069 DEFECTIVE, YOU ASSUME THE COST OF ALL NECESS ARY SERVICING, REP AIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LA W OR AGREED T O IN WRITING WILL ANY COPYRIGHT HOLDER, OR AN Y OT HER P ARTY WHO MA Y MODIFY AND/ OR REDISTRIB UTE THE PROGRAM AS PERMIT TED ABO[...]
-
Pagina 1070
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1070 means a mechanism generally accept ed in the software dev elopment community for the el ectronic tr ansfer of data. 1.5. "Executable" means Covered Code in an y form other than Source Code. 1.6. "Initial Dev eloper" means the individual or entity identif[...]
-
Pagina 1071
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1071 1.11. "Source Code" means the preferred form of the Co vered Code for making modifications to it, includ in g all mod u les it cont a i ns , p lus an y associated interfac e definition files, scripts used to control compilati on and in stallation of an Ex ecutable,[...]
-
Pagina 1072
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1072 Subject to third party intellect ual property claims, each Contributor hereby gr ants Y ou a world-wide, royalty-free, non-exclusiv e license under intellectual propert y rights (other than patent or tradem ark) Licensable by Contributor , to use, reproduce, modify , di spl[...]
-
Pagina 1073
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1073 made av ailable via Electronic Distribution Mechanism, must remain av ailable for at least twelv e (12) months after the date it initially becam e available, or at leas t six (6) months after a subsequent version of that particular Modi fic ation has been made av ailable to [...]
-
Pagina 1074
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1074 Y ou must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particul ar Source Code file due to its stru cture, then Y ou must include such notice in a location (suc h as a relevant directory) where a user would[...]
-
Pagina 1075
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1075 regulation then Y ou must: (a) com ply wit h th e te rms of this Lic en s e to t he maximum extent possible; and (b) descri be the limitations and the code they affect. Such description must be included in the legal file described in Section 3.4 and must be included with all[...]
-
Pagina 1076
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1076 (not the initial developer or any other contributor) assume the cost of any necessary servicing, repair or correction. This disclaimer of warr anty constitutes an essential part of this license. No use of any cov e red code is authoriz ed hereunder except under this di scla[...]
-
Pagina 1077
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1077 granted by Y ou or any distributor hereun der prior to termin a t ion shall surv ive terminatio n. 9. Limitation of liability Under no circumstances and under no legal theory , whether tort (including negligence), contr act, or otherwise, shal l you, the init ial developer ,[...]
-
Pagina 1078
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1078 As between Initial Developer and the Contributors, each party is responsible for claims and damages arisi ng, directly or indirectly , out of its utilization of right s under this License and Y ou agree to work with Init ial Dev e loper and Contributors to distribute such r[...]
-
Pagina 1079
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1079 NOTE : The text of this Exhibit A ma y differ slightly from the t ext of the notices in the Source Code files of the Original Code . Y ou should use the text of this Exhib it A rather t han the text found in the Original Code Source Cod e for Y our Modifications. This Produc[...]
-
Pagina 1080
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1080 USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS SIBILITY OF SUCH DAMAGE. This Product includes libxml2-2. 6.8, Prototype 1.6. 0 and persis t -js-0.1. 0 softw are under the MIT License The MIT License Copyright (c) <year> <copyright holders> P ermission is hereb[...]
-
Pagina 1081
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1081 Re distribution and us e of this software and assoc iated documentation("Softw are"), wi th or wit hout modification, are permitted provid ed that the following conditi ons are met: 1. R edistributions in source form must retain copyright statements and notices, 2.[...]
-
Pagina 1082
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1082 Copyright 1999-2003 The OpenLD AP F oundation, Redwood City , California, USA. All Rights R eserved. P ermission to copy and distribut e verbatim copies of this document is gr anted. This Product includes gd-2.0.36RC1 softw are under the below License P o rt ions copyright [...]
-
Pagina 1083
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1083 use of gd. If you have questions, ask. "D erived works" incl udes all progr a ms that utilize the library . Credit must be giv en in user- accessible documentation. This software is pro vided "AS IS." The copyrig ht holders disclaim all warr anties, eithe[...]
-
Pagina 1084
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1084 Copyright (C) 1999, 2000, 2002 Aladdi n Enterprises. All right s reserved. This software is provided 'as-is', wi thou t an y express or implied warr anty . In no event will the aut hors be held liable for any damages arising from the use of this software. P ermiss[...]
-
Pagina 1085
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1085 3. This notice may not b e removed or altered from an y source distribution. COPYRIGHT NOTICE, DISCLAIMER, and LICENSE: * * If you modify libpng you may insert additional notices immediatel y following * this sentence. * * libpng versions 1. 2.6, August 15, 2004, through 1. [...]
-
Pagina 1086
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1086 * There is no w arranty against interference with y our enjoyment of the * libr ary or aga inst infringeme nt. There is no warranty that our * efforts or the libr ary wi ll fulfill any of your parti cul ar purposes * or needs. This library is provided with all fa ults, and [...]
-
Pagina 1087
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1087 * Greg R oelofs * T om T anner * * libpng versions 0. 5, May 1995, through 0.88, January 1996, are * Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc. * * F or the purposes of this copyri ght and license, "Contributing Authors" * is defined as the followin[...]
-
Pagina 1088
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1088 * to the following restrictions: * * 1. The origin of this source code must not be misrepresented. * * 2. Altered ve rsions must be plainly marked as such and * must not be misrepresented as being the original source. * * 3. This Copy ri gh t n otice may not be removed or a[...]
-
Pagina 1089
Appendix F Open Software Anno uncements ZyWALL USG 300 User’s Guide 1089 2. R edistributions in binary form must reproduce the above copyright notice, this list of conditions and the following d isclaimer in the documentation and/or other materials provided with the dis tribution. 3. Neither the name of the project nor th e names of its cont ri b[...]
-
Pagina 1090
Appendix F Op en Software Announceme nts ZyWALL USG 300 User’s Guide 1090 P AR TICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUT ORS BE LIABLE FOR ANY DIRE CT , INDIRECT , INCIDENT AL, SPECIAL, EXEMPLARY , OR CONSEQUENTIAL DAMAGE S (INCLUDIN G, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, [...]
-
Pagina 1091
ZyWALL USG 300 User’s Guide 1091 A PPENDIX G Legal Information Copyright Copyright © 2010 by Z yXEL Communications Corporation. The contents of this publication ma y not be reproduced in any part or as a whole, transcrib ed, stored in a retriev al syst em, tr anslated into any la nguage, or transmitted in an y form or by any me ans, electronic, [...]
-
Pagina 1092
Appendix G Legal In formation ZyWALL USG 300 User’s Guide 1092 • This device may not cause harmful interference. • This dev ice must acc e pt any interf erence received, including interference that may cause undesired operations. This device has been tested and found to comply with the limits for a Clas s B digital device pursuant to P art 15[...]
-
Pagina 1093
Appendix G Legal Information ZyWALL USG 300 User’s Guide 1093 Notices Changes or modifications not expressly appro ved by the party responsible for compliance could v oid the user's authority to oper ate the equipment. This Class B digital appar atus complies with Canadian ICES-003. Cet appareil numérique de la classe B est conforme à la n[...]
-
Pagina 1094
Appendix G Legal In formation ZyWALL USG 300 User’s Guide 1094 T o obtain the services of this warr anty , conta ct you r ven dor . Y ou may als o re fer to the warrant y policy for the region in wh ich you bought the devic e at http:// www .zyxel.com/ web/support_warr anty_info.php . Registration Re gister your product online t o receive e-mail [...]
-
Pagina 1095
Index ZyWALL USG 300 User’s Guide 1095 Index Symbols Numerics 1 to 1 NA T 98 1 to 1 SNA T 99 3322 Dynamic DNS 407 3DES 497 3G 11 8 3G see also cellular 31 1 A AAA Base DN 752 Bind DN 752 , 755 directory structure 751 Distinguished Name, see DN DN 752 , 753 , 755 , 756 password 755 port 754 , 757 search time limit 755 SSL 755 AAA server 749 AD 751[...]
-
Pagina 1096
Index ZyWALL USG 300 User’s Guide 1096 and SNMP 853 and SSH 844 and T elnet 847 and VPN connections 470 and WWW 829 HOST 731 RANGE 732 SUBNET 732 types of 731 where used 11 0 address record 819 admin user troubleshooting 909 admin users 715 multiple logins 726 see also users 715 ADP 623 base profiles 624 , 62 7 configuration o v erv iew 108 false[...]
-
Pagina 1097
Index ZyWALL USG 300 User’s Guide 1097 packet types 574 polymorphic virus 587 prerequisites 108 priority 577 real-time alert message 989 registration status 578 scanner types 587 signatures 584 statistics 263 trial service activation 280 troubleshooting 897 , 900 troubleshooting signatures update 896 updating signatures 284 virus 574 virus types [...]
-
Pagina 1098
Index ZyWALL USG 300 User’s Guide 1098 severity of 599 spam 600 trapdoor 60 1 trojan 601 truncated-address-header 64 1 truncated-header 641 , 642 truncated-options 641 truncated-timestamp-header 642 TTC P - d e t e c t e d 641 types of 600 u-encoding 640 undersize-len 641 undersize-offset 641 UTF-8-encoding 640 virus 574 , 601 worm 601 Authenex S[...]
-
Pagina 1099
Index ZyWALL USG 300 User’s Guide 1099 brackets 34 bridge interfaces 290 , 346 and virtual interfaces of members 346 basic characteristics 291 effect on routing table 346 member interfaces 346 virtual 356 bridges 345 broadcast storm troubleshooting 908 BSS 1019 buffer overflow 601 buffer overflow attacks 60 1 C CA 1027 and certificates 766 CA (Ce[...]
-
Pagina 1100
Index ZyWALL USG 300 User’s Guide 1 100 Common Even t Format (CE F) 863 , 869 common services 983 compression (stac) 790 computer names 301 , 327 , 342 , 352 , 361 , 546 computer virus 574 infection and prevention 587 see also virus concurrent e-mail sessions 272 , 678 configuration information 885 object-based 91 overview 99 web-based SSL applic[...]
-
Pagina 1101
Index ZyWALL USG 300 User’s Guide 11 0 1 D dashboard 49 , 51 , 221 Data Encryption Standard, see DES Data T erminal Ready , see DTR date 81 1 daylight savings 812 DDNS 407 backup mail exchanger 412 configuration o v erv iew 103 mail exchanger 412 prerequisites 103 service providers 407 status 248 troubleshooting 902 DDoS attacks 600 Dead Peer Det[...]
-
Pagina 1102
Index ZyWALL USG 300 User’s Guide 1 102 file structure 751 directory trav ersal attack 639 directory trav ersals 639 disclaimer 5 , 1091 Distinguished Name (DN) 752 , 753 , 75 5 , 756 Distributed Denial of Service (DDoS) attacks 600 distributed port scans 636 DN 752 , 753 , 755 , 756 DNS 327 , 815 address records 819 domain name forwarders 820 do[...]
-
Pagina 1103
Index ZyWALL USG 300 User’s Guide 11 0 3 and transport mode 503 ESS 1020 ESSID 32 5 Ethernet interfaces 11 5 , 290 and OSPF 296 and RIP 296 and routing protocols 294 basic characteristics 291 virtual 356 Ethernet ports 33 examples (tutorials) 11 5 exceptional services 444 experimental-options attack 641 extended authentication and VPN gateways 47[...]
-
Pagina 1104
Index ZyWALL USG 300 User’s Guide 1 104 flood detection 637 force user authentication policies prerequisites 111 forcing login 442 FQDN 819 fragmentation flag 61 3 fragmentation offset 613 fragmentation thresho ld 1023 fragmenting IPSec packets 471 front panel 35 front panel ports 33 FTP 847 additional signaling port 433 ALG 427 and address group[...]
-
Pagina 1105
Index ZyWALL USG 300 User’s Guide 11 0 5 code 614 datagram length 64 2 decoder 631 , 639 echo 637 flood attack 637 portsweep 636 sequence number 614 Time Stamp header length 642 type 614 unreachables 636 identification (IP) 612 identifying legitimate e-mail 675 spam 676 IDP 589 action 599 , 634 alerts 598 and services 738 applying custom signatur[...]
-
Pagina 1106
Index ZyWALL USG 300 User’s Guide 1 106 inline profile 596 , 628 inspection signatures 593 installation 33 Installation Setup Wizard 63 Instant Messenger (IM) 547 , 600 managing 547 interface bandwidth 554 external 96 , 298 internal 96 , 298 mapping 33 statistics 239 status 224 , 239 troubleshooting 897 type 96 , 298 types 93 interfaces 33 , 92 ,[...]
-
Pagina 1107
Index ZyWALL USG 300 User’s Guide 11 0 7 basic troubleshooting 903 certificates 486 connections 470 connectivity check 476 Default_L2TP_VPN_Conne ction 544 Default_L2TP_VPN_Conne ction example 185 Default_L2TP_VPN_GW 54 4 Default_L2TP_VPN_GW example 18 3 encapsulation 475 encryption 476 ESP 475 established in two phases 468 fragmentation 471 L2TP[...]
-
Pagina 1108
Index ZyWALL USG 300 User’s Guide 1 108 L L2TP VPN 543 configuration o v erv iew 107 configuring in Windows 2000 203 configuring in Windows Vista 187 configuring in Windows XP 197 Default_L2TP_VPN_Conne ction 544 Default_L2TP_VPN_Conne ction example 185 Default_L2TP_VPN_GW 54 4 Default_L2TP_VPN_GW example 18 3 DNS 546 example 183 IPSec configurat[...]
-
Pagina 1109
Index ZyWALL USG 300 User’s Guide 11 0 9 settings 861 syslog servers 861 system 861 types of 861 loose source routing 608 M MAC address and VLAN 335 Ethernet interface 298 filter 333 ran ge 224 macro virus 587 mail sessions threshold 678 main routing table 98 main window 57 maintenance menu 56 malware 655 managed web pages 653 management access t[...]
-
Pagina 1110
Index ZyWALL USG 300 User’s Guide 111 0 port forwarding, see NA T port translation, see NA T port triggering 386 port triggering, see also policy routes prerequisites 104 table 98 tra versal 501 trigger port, see also policy routes tutorial 165 , 168 NA T loopback 99 navigation panel 50 NBNS 301 , 327 , 34 2 , 352 , 36 1 , 514 NetBIOS Broad c ast[...]
-
Pagina 1111
Index ZyWALL USG 300 User’s Guide 1111 backbone (BR) 394 backup designated (BDR) 394 designated (DR) 394 internal (IR) 393 link state adv ertisements priority 394 types of 393 other documentation 3 OT P (One- Time Password) 750 outgoing bandwidth 317 oversize chunk -encoding attack 640 len attack 641 offset attack 641 request-uri-directory attack[...]
-
Pagina 1112
Index ZyWALL USG 300 User’s Guide 111 2 POP2 676 POP3 676 pop-up windows 47 port forwarding, see NA T port groups 11 5 , 290 , 293 and Ethernet interfaces 29 3 and physical ports 293 representative interfaces 293 port mapping 33 port scan, filtered 636 port scanning 635 port speed 855 port sweep 636 port translation, see NA T port triggering 386 [...]
-
Pagina 1113
Index ZyWALL USG 300 User’s Guide 111 3 registration 277 and content filtering 648 , 65 0 , 652 configuration o v erv iew 100 prerequisites 100 product 1094 subscription services, see subscription services registration status anti-virus 578 application patrol 558 IDP 592 regular expressions 260 reject (IDP) both 599 , 634 receiver 599 , 634 sende[...]
-
Pagina 1114
Index ZyWALL USG 300 User’s Guide 111 4 RT S (Request T o Send) 1022 threshold 1021 , 1023 S safety warnings 8 same IP 613 scan attacks 601 scanner types 587 SCEP (Simple Certificate Enrollment Protocol) 773 schedule troubleshooting 909 schedules 743 and content filtering 643 , 64 4 and current date/time 743 and firewall 447 , 462 , 564 , 567 , 5[...]
-
Pagina 1115
Index ZyWALL USG 300 User’s Guide 111 5 anti-virus 584 IDP 589 packet inspection 597 updating 283 SIM card 316 Simple Certificate Enrollment Protocol (SCEP) 773 Simple Mail T ransfer Protocol, see SMTP 676 Simple Network Management Protocol, see SNMP Simple T rav ersal of UDP through NA T , see STUN SIP 428 , 434 ALG 427 and firewall 429 and R TP[...]
-
Pagina 1116
Index ZyWALL USG 300 User’s Guide 111 6 SSL application object 791 file sharing 791 file sharing application 796 remote user screen links 791 summary 793 types 791 web-based 791 , 794 web-based example 792 where used 11 0 SSL policy add 512 edit 512 objects used 508 SSL V PN 507 access policy 508 configuration o v erv iew 106 full tunnel mode 43 [...]
-
Pagina 1117
Index ZyWALL USG 300 User’s Guide 111 7 T T/TCP 641 tables 59 target market 33 task bar properties 990 TCP 737 ACK (acknowledgment) 637 ACK number 614 attack packet 599 , 634 connections 737 decoder 631 , 639 decoy portscan 636 distributed portscan 636 flag bits 614 port numbers 738 portscan 635 portsweep 636 RST 636 SYN (synchronize) 637 SYN flo[...]
-
Pagina 1118
Index ZyWALL USG 300 User’s Guide 111 8 IDP 897 , 901 IDP signatures up date 896 interface 897 Internet access 896 , 907 IPSec VPN 903 L2TP VPN 905 LEDs 895 logo 91 1 logs 91 1 management access 910 packet capture 912 packet flow 96 performance 900 , 901 , 902 policy route 897 , 907 port triggering 902 PPP 898 RADIUS server 908 routing 902 schedu[...]
-
Pagina 1119
Index ZyWALL USG 300 User’s Guide 111 9 user accounts for WLAN 123 user authentication 715 external 716 local user database 751 user awareness 717 User Datagram Protocol, see UDP user group objects 715 user groups 153 , 715 , 71 7 and content filtering 643 and firewall 462 , 465 and policy routes 379 , 380 , 561 , 564 , 567 , 570 configuration o [...]
-
Pagina 1120
Index ZyWALL USG 300 User’s Guide 1 120 macro 587 mutation 587 polymorphic 587 scan 574 VLAN 335 advantages 336 and MAC address 335 ID 335 troubleshooting 899 VLAN interfaces 290 , 336 and Ethernet interfaces 33 6 , 899 basic characteristics 291 virtual 356 V oIP pass through 434 and firewall 430 and NA T 430 and policy routes 429 , 430 see also [...]
-
Pagina 1121
Index ZyWALL USG 300 User’s Guide 11 2 1 weighted round robin (for load balancing) 366 white list (anti-spam) 675 , 68 1 , 683 , 685 Wi-Fi Protected Access 1028 Windows Internet Naming Service, see WINS Windows Internet Naming Service, see WINS. Windows Internet Naming Service. See WINS. Windows Remote Desktop 792 WinPo pup window 989 WINS 301 , [...]