A good user manual
The rules should oblige the seller to give the purchaser operating instructions for the ZyXEL USG 300 along with the item. A missing manual or false information given to the customer constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive a manual in non-paper form; lately graphic and electronic manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the manual be unambiguous and legible.
What is an instruction?
The term originates from the Latin word “instructio”, which means organizing. A manual for the ZyXEL USG 300 therefore describes a process. Its purpose is to teach and to ease the start-up and use of an item or the performance of certain activities. A manual is a compilation of information about an item or a service; it is a guide.
Unfortunately, only a few customers devote their time to reading the manual for the ZyXEL USG 300. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.
What should a perfect user manual contain?
First and foremost, a user manual for the ZyXEL USG 300 should contain:
- information concerning the technical data of the ZyXEL USG 300
- name of the manufacturer and a year of construction of the ZyXEL USG 300 item
- rules of operation, control and maintenance of the ZyXEL USG 300 item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from a lack of time and from certainty about the functionalities of purchased items. Unfortunately, connecting and starting up the ZyXEL USG 300 is not enough on its own. A manual contains a number of hints concerning the respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of the ZyXEL USG 300, and methods of problem resolution. Finally, when one still can't find the answer to his problems, he will be directed to the ZyXEL service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information about the ZyXEL USG 300.
Why should one read the manuals?
It is mostly in the manuals that we will find the details concerning the construction and capabilities of the ZyXEL USG 300, and its use of the respective accessories, as well as information concerning all the functions and facilities.
After a successful purchase of an item one should find a moment to get to know every part of the manual. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
www.zyxel.com ZyWALL USG Series Unified Security Gateway. Copyright © 2011 ZyXEL Communications Corporation. Version 3.00, Edition 1, 12/2011. Default Login Details: LAN IP Address https://192.168.1.1, User Name admin, Password 1234[...]
-
Page 2
Videos ZyWALL USG 20-2000 User’s Guide 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. Related Documentation • Quick Start Guide: The Quick Start Guide shows how to connect the ZyWALL and access the Web Configurator wizards. (See the wizard real time help for information on configuring each screen.[...]
-
Page 3
Contents: Introduction (page 5); 1.1 Overview [...]
-
Page 4
Contents: 5.1 How to Configure Bandwidth Management (page 103); 5.2 How to Configure a Trunk for WAN Load Balancing (page 110); 5.3 How to Use Multiple Sta[...]
-
Page 5
CHAPTER 1 Introduction. 1.1 Overview: This guide covers the ZyWALL USG series and refers to all models as “ZyWALL”. Features and interface names vary by model. Key feature differences between ZyWALL models are as follows. Other features are common to all models although features may vary slightly by mod[...]
-
Page 6
Figure 1 Applications: Security Router. IPv6 Routing: The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The ZyWALL can also route IPv6 packets through IPv4 networks using different tunneling methods. Figure 2 Ap[...]
-
Page 7
SSL VPN Network Access: SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the ZyWALL’s web address and enters his user name and password to securely connect to the ZyWALL’s network. Here full tunnel mode creates a virtual con[...]
-
Page 8
1.2 Default Zones, Interfaces, and Ports: The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use “the WAN interface” rather than “ge2[...]
-
Page 9
1.3 Management Overview: You can manage the ZyWALL in the following ways. Web Configurator: The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. Figure 8 Managing the ZyWALL: W[...]
-
Page 10
Command-Line Interface (CLI): The CLI allows you to use text-based commands to configure the ZyWALL. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settin[...]
-
Page 11
3 Type the user name (default: “admin”) and password (default: “1234”). If you have an OTP (One-Time Password) token, generate a number and enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the nex[...]
-
Page 12
1.4.2 Web Configurator Introduction Video: Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again. 1.4.3 Web Configurator Screens Overview: The Web Configu[...]
-
Page 13
The title bar icons in the upper right corner provide the following functions. 1.4.4 Navigation Panel: Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resi[...]
-
Page 14
Configuration Menu: Use the configuration menu screens to configure the ZyWALL’s features. Traffic Statistics: Collect and display traffic statistics. Session Monitor: Displays the status of all current sessions. DDNS Status: Displays the status of the ZyWALL’s DDNS domain na[...]
-
Page 15
Interface. Port Grouping: Configure physical port groups. Port Role: Use this screen to set the ZyWALL’s flexible ports as LAN1, WLAN, or DMZ. Ethernet: Manage Ethernet interfaces and virtual Ethernet interfaces. PPP: Create and manage PPPoE and PPTP interfaces. Cellular: Configure a ce[...]
-
Page 16
AppPatrol. General: Enable or disable traffic management by application and see registration and signature information. Common: Manage traffic of the most commonly used web, file transfer and e-mail protocols. IM: Manage instant messenger traffic. Peer to Peer: Manage peer-to-peer[...]
-
Page 17
User/Group. User: Create and manage users. Group: Create and manage groups of users. Setting: Manage default settings for all users, general settings for user sessions, and rules to force user authentication. Address. Address: Create and manage host, range, and network (subnet) addresses. Ad[...]
-
Page 18
Maintenance Menu: Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL. 1.4.5 Tables and Lists: Web Configurator tables and lists are flexible with several options for how to display their entries. Click a[...]
-
Page 19
• Group entries by field • Show entries in groups • Filter by mathematical operators (<, >, or =) or searching for text. Figure 12 Common Table Column Options. Select a column heading cell’s right border and drag to re-size the column. Figure 13 Resizing a Table Column. Selec[...]
-
Page 20
Figure 16 Common Table Icons. Here are descriptions for the most common table icons. Working with Lists: When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can [...]
-
Page 21
1.5 Stopping the ZyWALL: Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. 1.6 Rack-mounting: See Table 1 on page 5 for the ZyWALL USG models that can [...]
-
Page 22
1.7 Wall-mounting: See Table 1 on page 5 for the ZyWALL USG models that can be wall-mounted. Do the following to attach your ZyWALL to a wall. 1 Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the wall 150 mm apart (see the figure in step 2). Do not scre[...]
-
Page 23
Figure 18 ZyWALL Front Panel. 1.8.1 Dual Personality Interfaces: A dual personality interface is a 1000Base-T/mini-GBIC combo port. For each interface you can connect either to the 1000Base-T port or the mini-GBIC port. The mini-GBIC port has priority over the 1000Base-T port so the 10[...]
-
Page 24
auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable. The factory default negotiation settings for the Ethernet ports on the ZyWALL are speed: auto, duplex: auto, and flow control: on (you cannot configure the flow control set[...]
-
Page 25
1 Press down on the top of the fiber-optic cable where it connects to the transceiver to release it. Then pull the fiber-optic cable out. 2 Open the transceiver’s latch (latch styles vary). 3 Pull the transceiver out of the slot. 1.8.2 Maximizing Throughput: A ZyWALL USG with dual int[...]
-
Page 26
1.8.3 Front Panel LEDs: The following tables describe the LEDs. Table 8 ZyWALL USG 20 ~ USG 1000 Front Panel LEDs (columns: LED, COLOR, STATUS, DESCRIPTION). PWR. Off: The ZyWALL is turned off. Green On: The ZyWALL is turned on. Red On: There is a hardware component failure. Shut down the device, wait[...]
-
Page 27
SYS. Off: The ZyWALL is turned off. Green On: The ZyWALL is ready and operating normally. Flashing: The ZyWALL is self-testing. Red On: The ZyWALL is malfunctioning. AUX. Off: The AUX port is not connected. Orange On: The AUX port has a dial-in management connection. Flashing: The AUX port[...]
-
Page 28
Chapter 1 Introduction ZyWALL USG 20-2000 User’s Guide 28[...]
-
Page 29
CHAPTER 2 How to Set Up Your Network. Here are examples of using the Web Configurator to set up your network in the ZyWALL. Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator, see Section 1.4 on page 10 for details. For field descriptions of indivi[...]
-
Page 30
• The wan1 interface uses a static IP address of 1.2.3.4. • Add P5 (lan2) to the DMZ interface (Note: In USG 20/20W, use P4 (lan2) instead of P5 in this example). The DMZ interface is used for a protected local network. It uses IP address 192.168.3.1 and serves as a[...]
-
Page 31
2.2.2 Configure Port Roles: Here is how to take the P5 port from the lan2 interface and add it to the dmz interface. 1 Click Configuration > Network > Interface > Port Role. 2 Under P5 select the dmz (DMZ) radio button and click Apply. 2.2.3 Configure Zones: In this[...]
-
Page 32
3 Back to the Configuration > Network > Zone screen and click Add in the User Configuration section. 4 Enter VPN as the new zone’s name. Select WIZ_VPN and move it to the Member box and click OK. Then you can configure firewall rules to apply specific security se[...]
-
Page 33
Note: The Network Selection is set to auto by default. This means that the 3G USB modem may connect to another 3G network when your service provider is not in range or when necessary. Select Home to have the 3G device connect only to your home net[...]
-
Page 34
This way the ZyWALL can automatically balance the traffic load amongst the available WAN connections to enhance overall network throughput. Plus, if a WAN connection goes down, the ZyWALL still sends traffic through the remaining WAN connections. For a simple test, d[...]
-
Page 35
2 Edit this screen as follows. A (internal) name for the WLAN interface displays. You can modify it if you want to. The ZyWALL’s security settings are configured by zones. Select to which security zone you want the WLAN interface to belong (the WLAN zone in this examp[...]
-
Page 36
4 Configure your wireless clients to connect to the wireless network. 2.4.2.1 Wireless Clients Import the ZyWALL’s Certificate: You must import the ZyWALL’s certificate into the wireless clients if they are to validate the ZyWALL’s certificate. Use the Config[...]
-
Page 37
The My Certificates screen indicates what type of information is being displayed, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). Repeat the steps to import the certificate into each wireless client computer that is to validate the ZyWAL[...]
-
Page 38
Table 10 Ethernet, PPP, VLAN, Bridge and Policy Routing Screen Relationships. Since firmware version 3.00, the ZyWALL supports IPv6 configuration in these Ethernet, PPP, VLAN, Bridge and Policy Route screens under Configuration > Network > Interface and Config[...]
-
Page 39
2.6.1 Setting Up the WAN IPv6 Interface: 1 In the CONFIGURATION > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click the wan1. 2 The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Select Enable Auto-Configur[...]
-
Page 40
You have completed the settings on the ZyWALL. But if you want to request a network address prefix from your ISP for your computers on the LAN, you can configure prefix delegation (see Section 2.6.4 on page 41).[...]
-
Page 41
2.6.3 Pure IPv6 Routing Video Example: Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again. 2.6.4 Prefix Delegation and Router Advertisement [...]
-
Page 42
Figure 23 Pure IPv6 Network Example Using Prefix Delegation. 2.6.4.2 Setting Up the WAN IPv6 Interface: 1 In the Configuration > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click the wan1. 2 The Edit Ethernet screen appears. Selec[...]
-
Page 43
2.6.4.3 Setting Up the LAN Interface: 1 In the Configuration > Network > Interface > Ethernet screen, double-click the lan1 in the IPv6 Configuration section. 2 The Edit Ethernet screen appears. Click Show Advanced Settings to display more settings on this screen. Se[...]
-
Page 44
2.6.5 Test: 1 Connect a computer to the ZyWALL’s LAN1.[...]
-
Page 45
2 Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection screen. 3 Y [...]
-
Page 46
2.6.7 What Can Go Wrong? 1 If you forgot to enable Auto-Configuration on the WAN1 IPv6 interface, you will not have any default route to forward the LAN’s IPv6 packets. 2 To use prefix delegation, you must set the WAN interface to a DHCPv6 client, enable router adver[...]
-
Page 47
Figure 25 6to4 Tunnel Configuration Concept. 2.7.2 Setting Up the LAN IPv6 Interface: 1 In the CONFIGURATION > Network > Interface > Ethernet screen’s IPv6 Configuration section, double-click the lan1. 2 The Edit Ethernet screen appears. Select Enable Interface a[...]
-
Page 48
2.7.3 Setting Up the 6to4 Tunnel: 1 Click Add in the CONFIGURATION > Network > Interface > Tunnel screen. 2 The Add Tunnel screen appears. Select Enable. Enter tunnel0 as the Interface Name and select 6to4 as the Tunnel Mode. In the 6to4 Tunnel Parameter section,[...]
-
Page 49
2.7.5 Set Up an IPv6 6to4 Tunnel Video Example: Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again. 2.7.6 What Can Go Wrong? 1 Do not ena[...]
-
Page 50
Note: For 6to4, you do not need to enable IPv6 in the wan1 since the IPv6 packets will be redirected into the 6to4 tunnel. 3 In Windows, some IPv6 related tunnels may be enabled by default such as Teredo and 6to4 tunnels. It may cause your computer to handle IPv6 packet[...]
-
Page 51
2.8.3 Setting Up the LAN IPv6 Interface: 1 Select lan1 in the IPv6 Configuration section in the CONFIGURATION > Network > Interface > Ethernet screen and click Edit. 2 The Edit Ethernet screen appears. Select Enable Interface and Enable IPv6. Type 2003:1111:1111:1[...]
-
Page 52
2.8.4 Setting Up the Policy Route: 1 Go to the CONFIGURATION > Network > Routing screen and click Add in the IPv6 Configuration table. 2 The Add Policy Route screen appears. Click Create New Object to create an IPv6 address object with the address prefix of 2003:1111:1[...]
-
Page 53
2.8.5 Testing the IPv6-in-IPv4 Tunnel: 1 Connect a computer to the ZyWALL’s LAN1. 2 Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in th[...]
-
Page 54
2.8.6 Set Up an IPv6-in-IPv4 Tunnel Video Example: Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again. 2.8.7 What Can Go Wrong? 1 You do[...]
-
Page 55
CHAPTER 3 Protecting Your Network. These sections cover configuring the ZyWALL to protect your network. • Firewall on page 55 • User-aware Access Control on page 56 • Endpoint Security (EPS) on page 57 • Device and Service Registration on page 57 • Anti-Virus Policy Configuration on page 58 • ID[...]
-
Page 56
3.1.1 What Can Go Wrong: • The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic is unexpectedly blocked or allowed, make sure the firewall rule you want to apply to the traffic comes before any other rules th[...]
-
Page 57
3.3 Endpoint Security (EPS): Use endpoint security objects with authentication policies or SSL VPN to make sure users’ computers meet specific security requirements before they are allowed to access the network. 1 Configure endpoint security objects (Configuration > Objec[...]
-
Page 58
3.5 Anti-Virus Policy Configuration: This tutorial shows you how to configure an Anti-Virus policy. Note: You need to first activate your Anti-Virus service license or trial. See Device and Service Registration on page 57. 1 Click Configuration > Anti-X > Anti-Vi[...]
-
Page 59
2 The policy configured in the previous step will display in the Policies section. Select Enable Anti-Virus and Anti-Spyware and click Apply. 3.5.1 What Can Go Wrong: • The ZyWALL does not scan the following file/traffic types: • Simultaneous downloads of a file using mul[...]
-
Page 60
3.6 IDP Profile Configuration: IDP (Intrusion, Detection and Prevention) detects malicious or suspicious packets and protects against network-based intrusions. Note: You need to first activate your IDP service license or trial. See Device and Service Registration on page 57[...]
-
Page 61
3 Edit the default log options and actions. 3.7 ADP Profile Configuration: ADP (Anomaly Detection and Prevention) protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal traffic flows such as port scans. You may want t[...]
-
Page 62
1 Click Configuration > Anti-X > ADP > Profile and in the Profile Management section of this screen, click the Add icon. A pop-up screen will appear allowing you to choose a base profile. Select a base profile to go to the profile details screen. Note: If Internet Exp[...]
-
Page 63
3 Click the Protocol Anomaly tab. Type a new profile Name. Enable or disable individual rules by selecting a row and clicking Activate or Inactivate. Edit the default log options and actions by selecting a row and making a selection in the Log or Action drop-down menus. Cli[...]
-
Page 64
3.8 Content Filter Profile Configuration: Content filter allows you to control access to specific web sites or filter web content by checking against an external database. This tutorial shows you how to configure a Content Filter profile. Note: You need to first activate yo[...]
-
Page 65
2 Click the General tab and in the Policies section click Add. In the Add Policy screen that appears, select the Filter Profile you created in the previous step. Click OK. 3 In the General screen, the configured policy will appear in the Policies section. Select Enable Content[...]
-
Page 66
3.8.1 Content Filtering Video Example: Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again. 3.9 Viewing Content Filter Reports: Content filte[...]
-
Page 67
2 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 20W is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen. 3[...]
-
Page 68
4 In the Web Filter Home screen, click Commtouch Report or BlueCoat Report. 5 Select items under Global Reports to view the corresponding reports. 6 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the [...]
-
Page 69
7 A chart and/or list of requested web site categories display in the lower half of the screen. 8 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.[...]
-
Page 70
3.10 Anti-Spam Policy Configuration: This tutorial shows you how to configure an Anti-Spam policy with Mail Scan functions and DNS Black List (DNSBL). Note: You need to first activate your Anti-Spam service license or trial to use the Mail Scan functions (Sender Reputati[...]
-
Page 71
3 Click the General tab. In the Policy Summary section, click Add to display the Add rule screen. Select from the list of available Scan Options and click OK to return to the General screen. 4 In the General screen, the policy configured in the previous step will display in the [...]
-
Page 72
Chapter 3 Protecting Your Network ZyWALL USG 20-2000 User’s Guide 72[...]
-
Page 73
CHAPTER 4 Create Secure Connections Across the Internet. These sections cover using VPN to create secure connections across the Internet. • IPSec VPN on page 73 • VPN Concentrator Example on page 75 • Hub-and-spoke IPSec VPN Without VPN Concentrator on page 77 • ZyWALL IPSec VPN Client Configuration Pro[...]
-
Page 74
4.1.3 What Can Go Wrong: If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both IPSec routers and check the settings in each field methodically and slowly. Make sure both the Z[...]
-
Page 75
• Multiple SAs connecting through a secure gateway must have the same negotiation mode. If you have the Configuration > VPN > IPSec VPN > VPN Connection screen’s Use Policy Route to control dynamic IPSec rules option enabled and the VPN conn[...]
-
Page 76
• Source: 192.168.11.0 • Destination: 192.168.12.0 • Next Hop: VPN Tunnel 1. Headquarters VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.1 • Peer Gateway Address: 10.0.0.2. VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.1.0/255.25[...]
-
Page 77
• Source: 192.168.12.0 • Destination: 192.168.11.0 • Next Hop: VPN Tunnel 2. 4.2.1 What Can Go Wrong: Consider the following when using the VPN concentrator. • The local IP addresses configured in the VPN rules should not overlap. • The concentr[...]
-
Page 78
• Primary Remote Gateway: 10.0.0.1. Network Policy (Phase 2): Local Network: 192.168.167.0/255.255.255.0; Remote Network: 192.168.168.0~192.168.169.255. Headquarters (ZLD-based ZyWALL): VPN Gateway (VPN Tunnel 1): • My Address: 10.0.0.1 • Peer G[...]
-
Page 79
• The hub router must have at least one separate VPN rule for each spoke. In the local policy, specify the IP addresses of the hub-and-spoke networks with which the spoke is to be able to have a VPN tunnel. This may require you to use more than one VP[...]
-
Page 80
Now user Charlotte can access the network behind the ZyWALL through the VPN tunnel. Figure 32 ZyWALL IPSec VPN Client with VPN Tunnel Connected. 4.4.2 Configuration Steps: 1 In the ZyWALL Quick Setup wizard, use the VPN Settings for Configuration Pro[...]
-
Page 81
6 Click OK. The rule settings are now imported from the ZyWALL into the ZyWALL IPSec VPN Client.[...]
-
Page 82
4.4.3 ZyWALL IPSec VPN Client Configuration Provisioning Video Example: Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play[...]
-
Page 83
• There’s a network connectivity problem between the ZyWALL and the ZyWALL IPSec VPN Client: Check that the correct ZyWALL IP address and HTTPS port (if the default port was changed) was entered. Ping the ZyWALL from the computer on which the [...]
-
Page 84
4.5.1 SSL VPN Video Example: Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again. 4.5.2 What Can Go Wrong: • If you up[...]
-
Page 85
• Using RDP requires Internet Explorer
• Sun’s Runtime Environment (JRE) version 1.6 or later installed and enabled.
• Changing the HTTP/HTTPS configuration disconnects SSL VPN network extension sessions. Users need to re-connect if this happe[...]
-
Page 86
Do the following to configure the L2TP VPN example:
1 Click Configuration > VPN > IPSec VPN > VPN Gateway and double-click the Default_L2TP_VPN_GW entry. Select Enable. Set My Address. This example uses a WAN interface with static IP address [...]
-
Page 87
3 Click Configuration > VPN > L2TP VPN and then Create New Object > Address to create an IP address pool for the L2TP VPN clients. This example uses L2TP_POOL with a range of 192.168.10.10 to 192.168.10.20. Click Create New Object > User/Group[...]
-
Page 88
To manage the ZyWALL through the L2TP VPN tunnel, create a routing policy that sends the ZyWALL’s return traffic back through the L2TP VPN tunnel.
• Set Incoming to ZyWALL.
• Set Destination Address to the L2TP address pool.
• Set the next [...]
-
Page 89
• Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.[...]
-
Page 90
4.6.3 Configuring L2TP VPN on the ZyWALL Video Example
Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again.
4.6.4 Con[...]
-
Page 91
4.6.5 Configuring L2TP VPN in iOS
To configure L2TP VPN in an iOS device, go to Settings > VPN > Add VPN Configuration > L2TP and configure as follows. The example settings here go along with the L2TP VPN configuration example in Section 4.6.1 on [...]
-
Page 92
5 Enter your ZyWALL user name and password and click Create.
6 Click Close.
Configure the Connection Object
1 In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties.
2 In Wind[...]
-
Page 93
3 Select Use preshared key for authentication and enter the pre-shared key of the VPN gateway entry the ZyWALL is using for L2TP VPN (top-secret in this example). Click OK to save your changes and close the Advanced Properties screen. Then cl[...]
-
Page 94
2 A window appears while the user name and password are verified. The Connect to a network screen shows Connected after the L2TP over IPSec VPN tunnel is built.
3 After the connection is up a connection icon displays in your system tray. Click it and t[...]
-
Page 95
6 Access a server or other network resource behind the ZyWALL to make sure your access works.
4.6.6.2 Configuring L2TP VPN in Windows 7 Video Example
Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking pla[...]
-
Page 96
4.6.6.3 Configuring L2TP in Windows XP
In Windows XP, first issue the following command from the Windows command prompt (including the quotes) to make sure the computer is running the Microsoft IPSec service.
net start "ipsec services"
Then [...]
-
Page 97
6 Select Do not dial the initial connection and click Next.
7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example).
8 Click Finish.
9 [...]
-
Page 98
11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK.
12 Click IPSec Settings.
13 Select the Use pre-shared key for[...]
-
Page 99
15 Enter the user name and password of your ZyWALL account. Click Connect.
16 A window appears while the user name and password are verified.
17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen.
18 Click Detail[...]
-
Page 100
19 Access a server or other network resource behind the ZyWALL to make sure your access works.
4.6.7 What Can Go Wrong
The IPSec VPN connection must:
• Be enabled
• Use transport mode
• Not be a manual key VPN connection
• Use Pre-Shared Key [...]
-
Page 101
1 Install the SafeWord 2008 authentication server software on a computer.
2 Create user accounts on the ZyWALL and in the SafeWord 2008 authentication server.
3 Import each ZyWALL OTPv2 token’s database file (located on the included CD) into th[...]
-
Page 102
[...]
-
Page 103
CHAPTER 5 Managing Traffic
These sections cover controlling the traffic going through the ZyWALL.
• How to Configure Bandwidth Management on page 103
• How to Configure a Trunk for WAN Load Balancing
• How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic on page 113
• How to [...]
-
Page 104
Chapter 5 Managing Traffic ZyWALL USG 20-2000 User’s Guide 104
5.1.1 Bandwidth Allocation Example
Say a 10-person office has WAN1 connected to a 50 Mbps downstream and 5 Mbps upstream VDSL line and you want to allocate bandwidth for the following:
• SIP: Up to 10 simultaneous 100 Kbps calls guaranteed
• Video conferencing: Up to 10 simult[...]
-
Page 105
• Inbound and outbound traffic are both guaranteed 1000 kbps and limited to 2000 kbps.
Figure 37 SIP Any-to-WAN Guaranteed / Maximum Bandwidths Example
1 In the Configuration > BWM screen, click Add.
2 In the Add Policy screen, select Enable and type SIP Any-to-WAN as the pol[...]
-
Page 106
Figure 38 HTTP Any-to-WAN Bandwidth Management Example
1 In the Configuration > BWM screen, click Add.
2 In the Add Policy screen, select Enable and type HTTP Any-to-WAN as the policy’s name. Leave the incoming interface to any and select wan1 as the outgoing interface. Sel[...]
-
Page 107
5.1.6 FTP WAN-to-DMZ Bandwidth Management Example
Suppose the office has an FTP server on the DMZ. Here is how to limit WAN1 to DMZ FTP traffic so it does not interfere with SIP and HTTP traffic.
• Allow remote users only 2048 kbps inbound for downloading from the DMZ FTP serv[...]
-
Page 108
5.1.7 FTP LAN-to-DMZ Bandwidth Management Example
FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but give it lower priority and limit it to avoid interference with other traffic.
• Limit both outbound and inbou[...]
-
Page 109
1 In the Configuration > BWM screen, click Add.
2 In the Add Policy screen, select Enable and type FTP LAN-to-DMZ as the policy’s name. Select lan1 as the incoming interface and dmz as the outgoing interface. Select App Patrol Service and ftp as the service type. Type 10240 [...]
-
Page 110
5.1.8 Bandwidth Management Video Example
Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again.
5.1.9 What Can Go Wrong?
• The “outbound” in [...]
-
Page 111
respectively. As these connections have different bandwidth, use the Weighted Round Robin algorithm to send traffic to wan1 and wan2 (or cellular1) in a 2:1 ratio.
Figure 41 Trunk Example For Dual WANs
Figure 42 Trunk Example For WAN and 3G Interface
You do not have to change[...]
-
Page 112
2 Repeat the process to set the egress bandwidth for wan2 to 512 Kbps.
3 For 3G interface settings, go to Configuration > Network > Interface > Cellular. Double-click the cellular1 entry and set the egress bandwidth for cellular1 to 512 Kbps.
5.2.2 Configure the WAN Trun[...]
-
Page 113
3 Select the trunk as the default trunk and click Apply.
5.3 How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic
If your ISP gave you a range of static public IP addresses, this example shows how to configure a policy route to have the ZyWALL use them f[...]
-
Page 114
5.3.2 Configure the Policy Route
Now you need to configure a policy route that has the ZyWALL use the range of public IP addresses as the source address for WAN to LAN traffic. Click Configuration > Network > Routing > Policy Route > Add (in IPv4 Configuration). It[...]
-
Page 115
Management Access IP Addresses
For each interface you can configure an IP address in the same subnet as the interface IP address to use to manage the ZyWALL whether it is the master or the backup.
Synchronization
Synchronize ZyWALLs of the same model and firmware version to copy[...]
-
Page 116
5.4.2 Before You Start
ZyWALL A should already be configured. You will use device HA to copy ZyWALL A’s settings to B later (in Section 5.4.4 on page 117). To avoid an IP address conflict, do not connect ZyWALL B to the LAN subnet until after you configure its devic[...]
-
Page 117
4 Click the General tab, enable device HA, and click Apply.
5.4.4 Configure the Backup ZyWALL
1 Connect a computer to ZyWALL B’s LAN interface and log into its Web Configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like co[...]
-
Page 118
4 Set the Device Role to Backup. Activate monitoring for the LAN and WAN interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “mySyncPassword”. Retype the password, select Auto Synchronize, and set the Interval to 60. Click[...]
-
Page 119
5.4.5 Deploy the Backup ZyWALL
Connect ZyWALL B’s LAN interface to the LAN network. Connect ZyWALL B’s WAN interface to the same router that ZyWALL A’s WAN interface uses for Internet access. ZyWALL B copies A’s configuration (and re-synchronizes with A every[...]
-
Page 120
2 Click Add in the Configuration table. The following screen appears. Select Enable, enter *.example.com as the Query Domain Name. Enter 300 in the Time to Live field to have DNS query senders keep the resolved DNS entries on their computers for 5 minutes. Select any in the IP Addr[...]
-
Page 121
5.6 How to Allow Public Access to a Web Server
This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the WAN interface and map to the HTTP server’s[...]
-
Page 122
5.6.2 Set Up a Firewall Rule
Create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server. Click Conf[...]
-
Page 123
5.6.3 What Can Go Wrong
• The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic matches a rule that comes earlier in the list, it may be unexpectedly blocked.
• The ZyWALL does not apply the firewall rule. The ZyWA[...]
-
Page 124
Figure 47 Configuration > Network > ALG
5.7.1.2 Set Up a NAT Policy For H.323
In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56.
1 Click Configuration > Netwo[...]
-
Page 125
5.7.1.3 Set Up a Firewall Rule For H.323
Configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN IP address 192.168.1.56.
1 Click Configuration > Firewall > Add. In the From field select WAN. In the To field se[...]
-
Page 126
5.7.2 How to Use an IPPBX on the DMZ
This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.2 that you will use on the WAN interface and map to the IPPBX’s private IP addr[...]
-
Page 127
5.7.2.2 Set Up a NAT Policy for the IPPBX
Click Configuration > Network > NAT > Add > Create New Object > Address and create an IPv4 host address object for the IPPBX’s private DMZ IP address of 192.168.3.9. Repeat to create a host address object named IPPBX-Publ[...]
-
Page 128
5.7.2.4 Set Up a DMZ to LAN Firewall Rule for SIP
The firewall blocks traffic from the DMZ zone to the LAN1 zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN.
1 Click Configuration > Firewall > Add.[...]
-
Page 129
5.8 How to Limit Web Surfing and MSN to Specific People
The following is an example of using application patrol (AppPatrol) to enforce web surfing and MSN policies for the sales department of a company.
5.8.1 Set Up Web Surfing Policies
Before you configure any policies, you mu[...]
-
Page 130
5 Click the Add icon in the policy list. In the new policy, select Sales as the user group allowed to browse the web. (The user group should be set in the Configuration > Object > User/Group > Group > Add screen.) Click OK.
5.8.2 Set Up MSN Policies
In this part of the [...]
-
Page 131
4 Now you will need to set up a recurring schedule object first. Click Configuration > Object > Schedule. Click the Add icon for recurring schedules.
5 Give the schedule a descriptive name such as WorkHours. Set up the days (Monday through Friday) and the times (08:00 - 17:3[...]
-
Page 132
Now only the sales group may use MSN during work hours on weekdays.[...]
-
Page 133
5.8.3 AppPatrol Video Example
Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again.
5.8.4 What Can Go Wrong
If you have not already subscribed for the[...]
-
Page 134
[...]
-
Page 135
CHAPTER 6 Maintenance
These sections cover managing and maintaining the ZyWALL.
• How to Allow Management Service from WAN on page 135
• How to Use a RADIUS Server to Authenticate User Accounts based on Groups on page 138
• How to Use SSH for Secure Telnet Access on page 139
• How to Manage ZyWALL[...]
-
Page 136
Chapter 6 Maintenance ZyWALL USG 20-2000 User’s Guide 136
2 Check the Admin Service Control and User Service Control sections:
• accept under Action means that the user is to access the ZyWALL from the specified computers.
• ALL under Zone means that all ZyWALL zones are allowed to use this service.
• ALL under Address means that all[...]
-
Page 137
In the Edit Firewall Rule screen, you can also configure a schedule object, address object, or apply it to a certain user/user group. Refer to 24.1.4 Firewall Rule Configuration Example for details on firewall configuration.[...]
-
Page 138
6.2 How to Use a RADIUS Server to Authenticate User Accounts based on Groups
The previous example showed how to have a RADIUS server authenticate individual user accounts. If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make[...]
-
Page 139
3 Repeat the steps above if you need to add other user groups.
6.3 How to Use SSH for Secure Telnet Access
This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are [...]
-
Page 140
6.3.2 Example 2: Linux
This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions.
1 Test whether the SSH service is available on the ZyWALL. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER].[...]
-
Page 141
The default configuration files are:
• system-default.conf: This file contains all of the ZyWALL settings. If you apply this file, the ZyWALL’s default IP address and password will be restored.
• startup-config.conf: This is the configuration file that the ZyWALL is currently u[...]
-
Page 142
You can find and download the latest firmware package for the ZyWALL at www.zyxel.com in a *.zip file. After you unzip the file, you will find several files contained in the package. The file that you should use for firmware upload is a *.bin file, for example “300BDS0C0.bin” [...]
-
Page 143
6.6.1 What Can Go Wrong
When you run a shell script, the ZyWALL processes the file line-by-line. The ZyWALL checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the ZyWALL finds an error, it stops applying the shell script. If[...]
-
Page 144
5 Use the handle to slide out the power module and remove it.
6 Install the new ZyWALL power module.
7 Tighten the power module’s retaining screw.[...]
-
Page 145
8 Connect the power cord to the new ZyWALL power module.
9 Reconnect the power cord to the power outlet.
10 Push the ZyWALL power module switch to the on position.
6.8 How to Save System Logs to a USB Storage Device
The ZyWALL uses the memory space to store system logs. Once the memo[...]
-
Page 146
2 Go to Configuration > System > USB Storage, select Activate USB storage service and click Apply to allow the ZyWALL to save diagnostic data to the connected USB device.
3 Go to Configuration > Log & Report > Log Setting, select the USB Storage entry and click Edit[...]
-
Page 147
5 In the Configuration > Log & Report > Log Setting screen, select the USB Storage entry again and click Activate. Click Apply to have the ZyWALL start recording system logs to the USB device.
6 In the Maintenance > Diagnostics > System Log screen, you can see a new log[...]
-
Page 148
6.8.1 What Can Go Wrong?
• Before you physically remove a connected USB device, go to Monitor > System Status > USB Storage and click Remove Now.
• If you want to use the USB device and you have not physically removed it, click Use It in the same screen to mount the device. [...]
-
Page 149
2 Go to Configuration > System > USB Storage, select Activate USB storage service and click Apply.
3 In the Maintenance > Diagnostics > Collect screen, select Copy the diagnostic file to USB storage. Click Apply.
6.10 How to Capture Packets on the ZyWALL
This example t[...]
-
Page 150
2 Click the Stop button to end the packet-capture session when you think you have captured enough packets. How long it may take depends on the packet type and network behavior that you want to capture.
3 Click the Files tab, you can see two files (CAP and TXT) generated for each int[...]
-
Page 151
The ZyWALL uses the flash space to store packet capture files. Once the flash is full, the ZyWALL stops generating the file or has new captured packets override old packets depending on your setting. If your ZyWALL’s flash is full or the size of the packet capture files you want to[...]
-
Page 152
Figure 51 Packet Capture File Example
6.11 How to Get the ZyWALL’s Core Dump File
When a process fails in the ZyWALL, it automatically generates a core dump file. You can do the following to download it and provide it to customer support.
1 Go to the Maintenance > Diagnostics[...]
-
Page 153
1 Insert a USB storage device to any USB port on your ZyWALL. In the Monitor > System Status > USB Storage screen, make sure the USB device’s file system doesn’t display “unknown”.
2 Go to Configuration > System > USB Storage, select Activate USB storage service a[...]
-
Page 154
[...]
-
Page 155
APPENDIX A Legal Information
Copyright
Copyright © 2011 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or tr [...]
-
Page 156
Appendix A Legal Information ZyWALL USG 20-2000 User’s Guide 156
This Class B digital apparatus complies with Canadian standard ICES-003 (NMB-003).
Certifications (Class A for ZyWALL USG 300, 1000, and 2000)
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subj[...]
-
Page 157
Regulatory Information
European Union
The following information applies if you use the product within the European Union.
Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive)
Compliance Information for 2.4GHz and 5GHz Wireless Products Releva[...]
-
Page 158
This product may be used in all EU countries (and in all countries that have transposed Directive 1999/5/EC) without any limitation, except for the countries mentioned below:
Questo prodotto è utilizzabile in tutte i paesi EU (ed in tutti gli altri p[...]
-
Page 159
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
• Make sure t[...]
-
Page 160
[...]