Zyxel ATP800, ATP500, ATP200 User Manual

User’s Guide

ZyWALL ATP Series

Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
Version 4.33 Edition 1, 01/2019
Copyright © 2019 Zyxel Communications Corporation
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.
This is a User’s Guide for a series of products. Not all products support all firmware features. Screenshots and graphics in this book may differ slightly from your product due to differences in product features or web configurator brand style. Every effort has been made to ensure that the information in this manual is accurate.
The version number on the cover page refers to the latest firmware version supported by the Zyxel Device.
Related Documentation
• Quick Start Guide: The Quick Start Guide shows how to connect the Zyxel Device and access the Web Configurator wizards. (See the wizard real time help for information on configuring each screen.) It also contains a connection diagram and package contents list.
• CLI Reference Guide: The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the Zyxel Device.
Note: It is recommended you use the Web Configurator to configure the Zyxel Device.
• Web Configurator Online Help: Click the help icon in any screen for help in configuring that screen and supplementary information.
• More Information: Go to support.zyxel.com to find other information on the Zyxel Device.
ZyWALL ATP Series User’s Guide

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this guide.
Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• All models in this series may be referred to as the “Zyxel Device” in this guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Configuration > Network > Interface > Ethernet means you first click Configuration in the navigation panel, then Network, then the Interface sub menu and finally the Ethernet tab to get to that screen.
Icons Used in Figures
Figures in this user guide may use the following generic icons. The Zyxel Device icon is not an exact representation of your device.
Zyxel Device Generic Router Wireless Router / Access Point
Switch Firewall Server
Internet Network Cloud Smartphone
USB Dongle

Contents Overview

Introduction
Initial Setup Wizard
Hardware, Interfaces and Zones
Quick Setup Wizards
Dashboard
Monitor
Licensing
Wireless
Interfaces
Routing
DDNS
NAT
Redirect Service
ALG
UPnP
IP/MAC Binding
Layer 2 Isolation
DNS Inbound LB
IPnP
IPSec VPN
SSL VPN
L2TP VPN
BWM (Bandwidth Management)
Web Authentication
Security Policy
Application Patrol
Content Filter
Anti-Malware
Botnet Filter
IDP
Sandboxing
Email Security
SSL Inspection
Object
Device HA
Cloud CNM
System
Log and Report
File Manager
Diagnostics
Packet Flow Explore
Shutdown
Troubleshooting

Table of Contents

Document Conventions
Contents Overview
Table of Contents
Part I: User’s Guide
Chapter 1: Introduction
1.1 Overview
1.2 Registration at myZyxel
1.2.1 Grace Period
1.2.2 Applications
1.3 Management Overview
1.4 Web Configurator
1.4.1 Web Configurator Access
1.4.2 Web Configurator Screens Overview
1.4.3 Navigation Panel
1.4.4 Tables and Lists
Chapter 2: Initial Setup Wizard
2.1 Initial Setup Wizard Screens
2.1.1 Internet Access Setup - WAN Interface
2.1.2 Internet Access: Ethernet
2.1.3 Internet Access: PPPoE
2.1.4 Internet Access: PPTP
2.1.5 Internet Access: L2TP
2.1.6 Internet Access Setup - Second WAN Interface
2.1.7 Internet Access: Congratulations
2.1.8 Date and Time Settings
2.1.9 Register Device
2.1.10 Activate Service
2.1.11 Service Settings
2.1.12 Wireless Settings: AP Controller
2.1.13 Wireless Settings: SSID & Security
2.1.14 Remote Management
Chapter 3: Hardware, Interfaces and Zones
3.1 Hardware Overview
3.1.1 Front Panels
3.1.2 Rear Panels
3.2 Mounting
3.2.1 Rack-mounting
3.2.2 Wall-mounting
3.3 Default Zones, Interfaces, and Ports
3.4 Stopping the Zyxel Device
Chapter 4: Quick Setup Wizards
4.1 Quick Setup Overview
4.2 WAN Interface Quick Setup
4.2.1 Choose an Ethernet Interface
4.2.2 Select WAN Type
4.2.3 Configure WAN IP Settings
4.2.4 ISP and WAN and ISP Connection Settings
4.2.5 Quick Setup Interface Wizard: Summary
4.3 VPN Setup Wizard
4.3.1 Welcome
4.3.2 VPN Setup Wizard: Wizard Type
4.3.3 VPN Express Wizard - Scenario
4.3.4 VPN Express Wizard - Configuration
4.3.5 VPN Express Wizard - Summary
4.3.6 VPN Express Wizard - Finish
4.3.7 VPN Advanced Wizard - Scenario
4.3.8 VPN Advanced Wizard - Phase 1 Settings
4.3.9 VPN Advanced Wizard - Phase 2
4.3.10 VPN Advanced Wizard - Summary
4.3.11 VPN Advanced Wizard - Finish
4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type
4.4.1 Configuration Provisioning Express Wizard - VPN Settings
4.4.2 Configuration Provisioning VPN Express Wizard - Configuration
4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary
4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish
4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario
4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings
4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2
4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary
4.4.9 VPN Settings for Configuration Provisioning Advanced Wizard - Finish
4.5 VPN Settings for L2TP VPN Settings Wizard
4.5.1 L2TP VPN Settings
4.5.2 L2TP VPN Settings
4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary
4.5.4 VPN Settings for L2TP VPN Setting Wizard Completed
Chapter 5: Dashboard
5.1 Overview
5.1.1 What You Can Do in this Chapter
5.2 The General Screen
5.2.1 Device Information Screen
5.2.2 System Status Screen
5.2.3 Tx/Rx Statistics
5.2.4 The Latest Logs Screen
5.2.5 System Resources Screen
5.2.6 DHCP Table Screen
5.2.7 Number of Login Users Screen
5.2.8 Current Login User
5.2.9 VPN Status
5.2.10 SSL VPN Status
5.3 The Advanced Threat Protection Screen
Part II: Technical Reference
Chapter 6: Monitor
6.1 Overview
6.1.1 What You Can Do in this Chapter
6.2 The Port Statistics Screen
6.2.1 The Port Statistics Graph Screen
6.3 Interface Status Screen
6.4 The Traffic Statistics Screen
6.5 The Session Monitor Screen
6.6 The Login Users Screen
6.7 IGMP Statistics
6.8 The DDNS Status Screen
6.9 IP/MAC Binding
6.10 Cellular Status Screen
6.10.1 More Information
6.11 The UPnP Port Status Screen
6.12 USB Storage Screen
6.13 Ethernet Neighbor Screen
6.14 FQDN Object Screen
6.15 AP Information: AP List
6.15.1 AP List: More Information
6.15.2 AP List: Config AP
6.16 AP Information: Radio List
6.16.1 Radio List: More Information
6.17 AP Information: Top N APs
6.18 AP Information: Single AP
6.19 ZyMesh
6.20 SSID Info
6.21 Station Info: Station List
6.22 Station Info: Top N Stations
6.23 Station Info: Single Station
6.24 Detected Device
6.25 The IPSec Screen
6.26 The SSL Screen
6.27 The L2TP over IPSec Screen
6.28 The Content Filter Screen
6.29 The App Patrol Screen
6.30 The Anti-Malware Screen
6.31 The IDP Screen
6.32 The Email Security Screens
6.32.1 Email Security Summary
6.32.2 The Email Security Status Screen
6.33 The Botnet Filter Screen
6.34 The Sandboxing Screen
6.35 The SSL Inspection Screens
6.35.1 Certificate Cache List
6.36 Log Screens
6.36.1 View Log
6.36.2 View AP Log
Chapter 7: Licensing
7.1 Registration Overview
7.1.1 What you Need to Know
7.1.2 Registration Screen
7.1.3 Service Screen
7.2 Signature Update
7.2.1 What you Need to Know
7.2.2 The Signature Screen
7.2.3 Auto Update
Chapter 8: Wireless
8.1 Overview
8.1.1 What You Can Do in this Chapter
8.2 Controller Screen
8.3 AP Management Screens
8.3.1 Mgnt. AP List
8.3.2 AP Policy
8.3.3 AP Group
8.3.4 Firmware
8.4 MON Mode
8.4.1 Add/Edit Rogue/Friendly List
8.5 Auto Healing
8.6 RTLS Overview
8.6.1 What You Can Do in this Chapter
8.6.2 Before You Begin
8.6.3 Configuring RTLS
8.7 Technical Reference
8.7.1 Dynamic Channel Selection
8.7.2 Load Balancing
Chapter 9: Interfaces
9.1 Interface Overview
9.1.1 What You Can Do in this Chapter
9.1.2 What You Need to Know
9.1.3 What You Need to Do First
9.2 Port Role
9.3 Ethernet Summary Screen
9.3.1 Ethernet Edit
9.3.2 Proxy ARP
9.3.3 Virtual Interfaces
9.3.4 References
9.3.5 Add/Edit DHCPv6 Request/Release Options ................................................................... 232
9.3.6 Add/Edit DHCP Extended Options ................................................................................... 233
9.4 PPP Interfaces ............................................................................................................................... 234
9.4.1 PPP Interface Summary ...................................................................................................... 235
9.4.2 PPP Interface Add or Edit .................................................................................................. 236
9.5 Cellular Configuration Screen ..................................................................................................... 241
9.5.1 Cellular Choose Slot ........................................................................................................... 244
9.5.2 Add / Edit Cellular Configuration ...................................................................................... 244
9.6 Tunnel Interfaces .......................................................................................................................... 250
9.6.1 Configuring a Tunnel .......................................................................................................... 252
9.6.2 Tunnel Add or Edit Screen .................................................................................................. 253
9.7 VLAN Interfaces ........................................................................................................................... 257
9.7.1 VLAN Summary Screen ....................................................................................................... 258
9.7.2 VLAN Add/Edit ................................................................................................................... 259
9.8 Bridge Interfaces .......................................................................................................................... 270
9.8.1 Bridge Summary .................................................................................................................. 272
9.8.2 Bridge Add/Edit .................................................................................................................. 273
9.9 VTI ................................................................................................................................................... 283
9.9.1 Restrictions for IPSec Virtual Tunnel Interface .................................................................. 284
9.9.2 VTI Screen ............................................................................................................................ 284
9.9.3 VTI Add/Edit ......................................................................................................................... 285
9.10 Trunk Overview ........................................................................................................................... 288
9.10.1 What You Need to Know ................................................................................................. 288
9.11 The Trunk Summary Screen ........................................................................................................ 291
9.11.1 Configuring a User-Defined Trunk ................................................................................... 292
9.11.2 Configuring the System Default Trunk ............................................................................ 294
9.12 Interface Technical Reference ................................................................................................. 296
Chapter 10
Routing..............................................................................................................................................300
10.1 Policy and Static Routes Overview ........................................................................................... 300
10.1.1 What You Can Do in this Chapter ................................................................................... 300
10.1.2 What You Need to Know ................................................................................................ 301
10.2 Policy Route Screen ................................................................................................................... 302
10.2.1 Policy Route Edit Screen .................................................................................................. 304
10.3 IP Static Route Screen ................................................................................................................ 309
10.3.1 Static Route Add/Edit Screen .......................................................................................... 309
10.4 Policy Routing Technical Reference ........................................................................................ 311
10.5 Routing Protocols Overview ..................................................................................................... 311
10.5.1 What You Need to Know ................................................................................................. 312
10.6 The RIP Screen ............................................................................................................................. 312
10.7 The OSPF Screen ......................................................................................................................... 314
10.7.1 Configuring the OSPF Screen .......................................................................................... 317
10.7.2 OSPF Area Add/Edit Screen ........................................................................................... 318
10.7.3 Virtual Link Add/Edit Screen ........................................................................................... 320
10.8 BGP (Border Gateway Protocol) .............................................................................................. 321
10.8.1 Allow BGP Packets to Enter the Zyxel Device ................................................................ 322
10.8.2 Configuring the BGP Screen ............................................................................................ 322
10.8.3 The BGP Neighbors Screen .............................................................................................. 324
10.8.4 Example Scenario ............................................................................................................. 325
Chapter 11
DDNS ................................................................................................................................................327
11.1 DDNS Overview ........................................................................................................................... 327
11.1.1 What You Can Do in this Chapter ................................................................................... 327
11.1.2 What You Need to Know ................................................................................................. 327
11.2 The DDNS Screen ........................................................................................................................ 328
11.2.1 The Dynamic DNS Add/Edit Screen ................................................................................ 329
Chapter 12
NAT....................................................................................................................................................333
12.1 NAT Overview ............................................................................................................................. 333
12.1.1 What You Can Do in this Chapter ................................................................................... 333
12.1.2 What You Need to Know ................................................................................................. 333
12.2 The NAT Screen ........................................................................................................................... 334
12.2.1 The NAT Add/Edit Screen ................................................................................................. 336
12.3 NAT Technical Reference .......................................................................................................... 339
Chapter 13
Redirect Service...............................................................................................................................341
13.1 Overview ..................................................................................................................................... 341
13.1.1 HTTP Redirect ..................................................................................................................... 341
13.1.2 SMTP Redirect .................................................................................................................... 341
13.1.3 What You Can Do in this Chapter ................................................................................... 342
13.1.4 What You Need to Know ................................................................................................. 342
13.2 The Redirect Service Screen ..................................................................................................... 344
13.2.1 The Redirect Service Edit Screen ..................................................................................... 345
Chapter 14
ALG....................................................................................................................................................347
14.1 ALG Overview ............................................................................................................................. 347
14.1.1 What You Need to Know ................................................................................................. 347
14.1.2 Before You Begin ............................................................................................................... 350
14.2 The ALG Screen .......................................................................................................................... 350
14.3 ALG Technical Reference ......................................................................................................... 352
Chapter 15
UPnP...................................................................................................................................................354
15.1 UPnP and NAT-PMP Overview ................................................................................................... 354
15.2 What You Need to Know ........................................................................................................... 354
15.2.1 NAT Traversal ..................................................................................................................... 354
15.2.2 Cautions with UPnP and NAT-PMP .................................................................................. 355
15.3 UPnP Screen ................................................................................................................................ 355
15.4 Technical Reference .................................................................................................................. 356
15.4.1 Turning on UPnP in Windows 7 Example ......................................................................... 356
15.4.2 Web Configurator Easy Access ....................................................................................... 360
Chapter 16
IP/MAC Binding................................................................................................................................363
16.1 IP/MAC Binding Overview ......................................................................................................... 363
16.1.1 What You Can Do in this Chapter ................................................................................... 363
16.1.2 What You Need to Know ................................................................................................. 363
16.2 IP/MAC Binding Summary ......................................................................................................... 364
16.2.1 IP/MAC Binding Edit .......................................................................................................... 365
16.2.2 Static DHCP Edit ................................................................................................................ 366
16.3 IP/MAC Binding Exempt List ....................................................................................................... 367
Chapter 17
Layer 2 Isolation...............................................................................................................................368
17.1 Overview ..................................................................................................................................... 368
17.1.1 What You Can Do in this Chapter ................................................................................... 368
17.2 Layer-2 Isolation General Screen ............................................................................................. 368
17.3 White List Screen ......................................................................................................................... 369
17.3.1 Add/Edit White List Rule ................................................................................................... 370
Chapter 18
DNS Inbound LB................................................................................................................................372
18.1 DNS Inbound Load Balancing Overview ................................................................................. 372
18.1.1 What You Can Do in this Chapter ................................................................................... 372
18.2 The DNS Inbound LB Screen ...................................................................................................... 373
18.2.1 The DNS Inbound LB Add/Edit Screen ............................................................................ 374
18.2.2 The DNS Inbound LB Add/Edit Member Screen ............................................................ 376
Chapter 19
IPnP....................................................................................................................................................378
19.1 IPnP Overview ............................................................................................................................ 378
19.1.1 What You Can Do in this Chapter ................................................................................... 378
19.2 IPnP Screen .................................................................................................................................. 379
Chapter 20
IPSec VPN .........................................................................................................................................380
20.1 Virtual Private Networks (VPN) Overview ................................................................................. 380
20.1.1 What You Can Do in this Chapter ................................................................................... 382
20.1.2 What You Need to Know ................................................................................................. 382
20.1.3 Before You Begin ............................................................................................................... 385
20.2 The VPN Connection Screen ..................................................................................................... 385
20.2.1 The VPN Connection Add/Edit Screen .......................................................................... 387
20.3 The VPN Gateway Screen ......................................................................................................... 394
20.3.1 The VPN Gateway Add/Edit Screen ............................................................................... 395
20.4 VPN Concentrator ..................................................................................................................... 402
20.4.1 VPN Concentrator Requirements and Suggestions ...................................................... 402
20.4.2 VPN Concentrator Screen ............................................................................................... 403
20.4.3 The VPN Concentrator Add/Edit Screen ........................................................................ 403
20.5 Zyxel Device IPSec VPN Client Configuration Provisioning .................................................... 404
20.6 IPSec VPN Background Information ......................................................................................... 406
Chapter 21
SSL VPN..............................................................................................................................................416
21.1 Overview ..................................................................................................................................... 416
21.1.1 What You Can Do in this Chapter ................................................................................... 416
21.1.2 What You Need to Know ................................................................................................. 416
21.2 The SSL Access Privilege Screen ................................................................................................ 417
21.2.1 The SSL Access Privilege Policy Add/Edit Screen ......................................................... 418
21.3 The SSL Global Setting Screen ................................................................................................... 420
Chapter 22
L2TP VPN..........................................................................................................................................422
22.1 Overview ..................................................................................................................................... 422
22.1.1 What You Can Do in this Chapter ................................................................................... 422
22.1.2 What You Need to Know ................................................................................................. 422
22.2 L2TP VPN Screen ......................................................................................................................... 423
22.2.1 Example: L2TP and Zyxel Device Behind a NAT Router ................................................ 425
Chapter 23
BWM (Bandwidth Management) .................................................................................................427
23.1 Overview ..................................................................................................................................... 427
23.1.1 What You Can Do in this Chapter ................................................................................... 427
23.1.2 What You Need to Know ................................................................................................ 427
23.2 The Bandwidth Management Configuration .......................................................................... 431
23.2.1 The Bandwidth Management Add/Edit Screen ............................................................ 434
Chapter 24
Web Authentication ........................................................................................................................442
24.1 Web Auth Overview ................................................................................................................... 442
24.1.1 What You Can Do in this Chapter ................................................................................... 442
24.1.2 What You Need to Know ................................................................................................. 443
24.2 Web Authentication General Screen ...................................................................................... 443
24.2.1 User-aware Access Control Example ............................................................................. 448
24.2.2 Authentication Type Screen ............................................................................................ 454
24.2.3 Custom Web Portal / User Agreement File Screen ....................................................... 458
24.3 SSO Overview .............................................................................................................................. 459
24.4 SSO - Zyxel Device Configuration ............................................................................................. 461
24.4.1 Configuration Overview ................................................................................................... 461
24.4.2 Configure the Zyxel Device to Communicate with SSO .............................................. 461
24.4.3 Enable Web Authentication ............................................................................................ 462
24.4.4 Create a Security Policy ................................................................................................... 464
24.4.5 Configure User Information .............................................................................................. 465
24.4.6 Configure an Authentication Method ........................................................................... 466
24.4.7 Configure Active Directory .............................................................................................. 467
24.5 SSO Agent Configuration .......................................................................................................... 468
Chapter 25
Security Policy..................................................................................................................................471
25.1 Overview ..................................................................................................................................... 471
25.2 One Security ................................................................................................................................ 472
25.3 What You Can Do in this Chapter ............................................................................................ 475
25.3.1 What You Need to Know ................................................................................................. 475
25.4 The Security Policy Screen ......................................................................................................... 477
25.4.1 Configuring the Security Policy Control Screen ............................................................ 478
25.4.2 The Security Policy Control Add/Edit Screen ................................................................. 482
25.5 Anomaly Detection and Prevention Overview ...................................................................... 483
25.5.1 The Anomaly Detection and Prevention General Screen ........................................... 484
25.5.2 Creating New ADP Profiles .............................................................................................. 485
25.5.3 Traffic Anomaly Profiles ................................................................................................... 486
25.5.4 Protocol Anomaly Profiles ................................................................................................ 489
25.6 The Session Control Screen ........................................................................................................ 492
25.6.1 The Session Control Add/Edit Screen .............................................................................. 493
25.7 Security Policy Example Applications ...................................................................................... 494
Chapter 26
Application Patrol............................................................................................................................497
26.1 Overview ..................................................................................................................................... 497
26.1.1 What You Can Do in this Chapter ................................................................................... 497
26.1.2 What You Need to Know ................................................................................................ 497
26.2 Application Patrol Profile ........................................................................................................... 498
26.2.1 Apply to a Security Policy ................................................................................................ 499
26.2.2 The Application Patrol Profile Add/Edit Screen - My Application ............................... 502
26.2.3 The Application Patrol Profile Add/Edit Screen - Query Result .................................... 503
Chapter 27
Content Filter ....................................................................................................................................506
27.1 Overview ..................................................................................................................................... 506
27.1.1 What You Can Do in this Chapter ................................................................................... 506
27.1.2 What You Need to Know ................................................................................................. 506
27.1.3 Before You Begin ............................................................................................................... 508
27.2 Content Filter Profile Screen ...................................................................................................... 508
27.2.1 Apply to a Security Policy ................................................................................................ 509
27.2.2 Content Filter Add Profile Category Service .................................................................. 512
27.2.3 Content Filter Add Filter Profile Custom Service ........................................................... 518
27.3 Content Filter Trusted Web Sites Screen ................................................................................. 521
27.4 Content Filter Forbidden Web Sites Screen ............................................................................ 522
27.5 Content Filter Technical Reference ......................................................................................... 523
Chapter 28
Anti-Malware....................................................................................................................................525
28.1 Overview ..................................................................................................................................... 525
28.1.1 What You Can Do in this Chapter ................................................................................... 529
28.2 Anti-Malware Screen ................................................................................................................. 530
28.2.1 Anti-Malware Black List or White List Add/Edit ............................................................... 533
28.3 Anti-Malware Signature Searching ........................................................................................... 534
28.4 Anti-Malware Technical Reference ......................................................................................... 535
Chapter 29
Botnet Filter.......................................................................................................................................537
29.1 Overview ..................................................................................................................................... 537
29.1.1 What You Can Do in this Chapter ................................................................................... 537
29.2 Botnet Filter Screen ..................................................................................................................... 537
Chapter 30
IDP .....................................................................................................................................................541
30.1 Overview ..................................................................................................................................... 541
30.1.1 What You Can Do in this Chapter ................................................................................... 541
30.1.2 What You Need To Know ................................................................................................. 541
30.1.3 Before You Begin ............................................................................................................... 541
30.2 The IDP Screen ............................................................................................................................ 541
30.2.1 Query Example .................................................................................................................. 546
30.3 IDP Custom Signatures .............................................................................................................. 547
30.3.1 Add / Edit Custom Signatures ......................................................................................... 548
30.3.2 Custom Signature Example ............................................................................................. 552
30.3.3 Applying Custom Signatures ............................................................................................ 554
30.3.4 Verifying Custom Signatures ............................................................................................ 555
30.4 IDP Technical Reference ........................................................................................................... 555
Chapter 31
Sandboxing ......................................................................................................................................558
31.1 Overview ..................................................................................................................................... 558
31.1.1 What You Can Do in this Chapter ................................................................................... 558
31.2 Sandboxing Screen .................................................................................................................... 558
Chapter 32
Email Security...................................................................................................................................560
32.1 Overview ..................................................................................................................................... 560
32.1.1 What You Can Do in this Chapter ................................................................................... 560
32.1.2 What You Need to Know ................................................................................................. 560
32.2 Before You Begin ........................................................................................................................ 561
32.3 The Email Security Screen .......................................................................................................... 562
32.4 The Black List / White List Screen ............................................................................................... 565
32.4.1 The Black or White List Add/Edit Screen ......................................................................... 566
32.4.2 Regular Expressions in Black or White List Entries ........................................................... 567
32.5 Email Security Technical Reference ......................................................................................... 567
Chapter 33
SSL Inspection...................................................................................................................................571
33.1 Overview ..................................................................................................................................... 571
33.1.1 What You Can Do in this Chapter ................................................................................... 571
33.1.2 What You Need To Know ................................................................................................. 571
33.1.3 Before You Begin ............................................................................................................... 572
33.2 The SSL Inspection Profile Screen .............................................................................................. 572
33.2.1 Apply to a Security Policy ................................................................................................ 573
33.2.2 Add / Edit SSL Inspection Profiles .................................................................................... 576
33.3 Exclude List Screen .................................................................................................................... 577
33.4 Certificate Update Screen ....................................................................................................... 579
33.5 Install a CA Certificate in a Browser ......................................................................................... 580
Chapter 34
Object...............................................................................................................................................583
34.1 Zones Overview .......................................................................................................................... 583
34.1.1 What You Need to Know ................................................................................................. 583
34.1.2 The Zone Screen ................................................................................................................ 584
34.2 User/Group Overview ................................................................................................................ 586
34.2.1 What You Need To Know ................................................................................................. 586
34.2.2 User/Group User Summary Screen .................................................................................. 588
34.2.3 User/Group Group Summary Screen .............................................................................. 591
34.2.4 User/Group Setting Screen ............................................................................................. 593
34.2.5 User/Group MAC Address Summary Screen ................................................................ 598
34.2.6 User /Group Technical Reference .................................................................................. 600
34.3 AP Profile Overview .................................................................................................................... 600
34.3.1 Radio Screen ..................................................................................................................... 601
34.3.2 SSID Screen ....................................................................................................................... 607
34.4 MON Profile ................................................................................................................................ 616
34.4.1 Overview ............................................................................................................................ 616
34.4.2 Configuring MON Profile ................................................................................................. 617
34.4.3 Add/Edit MON Profile ....................................................................................................... 618
34.4.4 Technical Reference ........................................................................................................ 619
34.5 ZyMesh Overview ....................................................................................................................... 620
34.5.1 ZyMesh Profile .................................................................................................................... 622
34.5.2 Add/Edit ZyMesh Profile ................................................................................................... 623
34.6 Address/Geo IP Overview ......................................................................................................... 623
34.6.1 What You Need To Know ................................................................................................. 624
34.6.2 Address Summary Screen ................................................................................................ 624
34.6.3 Address Group Summary Screen .................................................................................... 628
34.6.4 Geo IP Summary Screen .................................................................................................. 630
34.7 Service Overview ........................................................................................................................ 632
34.7.1 What You Need to Know ................................................................................................. 632
34.7.2 The Service Summary Screen .......................................................................................... 633
34.7.3 The Service Group Summary Screen ............................................................................. 635
34.8 Schedule Overview ................................................................................................................... 636
34.8.1 What You Need to Know ................................................................................................. 637
34.8.2 The Schedule Screen ........................................................................................................ 637
34.8.3 The Schedule Group Screen ............................................................................................ 640
34.9 AAA Server Overview ............................................................................................................... 642
34.9.1 Directory Service (AD/LDAP) ........................................................................................... 642
34.9.2 RADIUS Server .................................................................................................................... 642
34.9.3 ASAS .................................................................................................................................... 643
34.9.4 What You Need To Know ................................................................................................. 643
34.9.5 Active Directory or LDAP Server Summary ..................................................................... 645
34.9.6 RADIUS Server Summary ...................................................................................................648
34.10 Auth. Method Overview ........................................................................................................ 651
34.10.1 Before You Begin ............................................................................................................. 651
34.10.2 Example: Selecting a VPN Authentication Method ................................................... 651
34.10.3 Authentication Method Objects ................................................................................... 652
34.10.4 Two-Factor Authentication ............................................................................................ 654
34.11 Certificate Overview ............................................................................................................... 657
34.11.1 What You Need to Know ............................................................................................... 657
34.11.2 Verifying a Certificate .................................................................................................... 659
34.11.3 The My Certificates Screen ............................................................................................ 660
34.11.4 The Trusted Certificates Screen .................................................................................... 667
34.11.5 Certificates Technical Reference ................................................................................. 672
34.12 ISP Account Overview ............................................................................................................ 672
34.12.1 ISP Account Summary ....................................................................................................672
34.13 DHCPv6 Overview .................................................................................................................... 675
34.13.1 The DHCPv6 Request Screen ......................................................................................... 675
34.13.2 The DHCPv6 Lease Screen ............................................................................................. 677
Chapter 35
Device HA.........................................................................................................................................679
35.1 Device HA Overview .................................................................................................................. 679
35.1.1 What You Can Do in These Screens ................................................................................ 679
35.2 Device HA Status ........................................................................................................................ 679
35.3 Device HA Pro ............................................................................................................................. 681
35.3.1 Deploying Device HA Pro ................................................................................................ 682
35.3.2 Configuring Device HA Pro .............................................................................................. 682
35.4 View Log ...................................................................................................................................... 684
Chapter 36
Cloud CNM......................................................................................................................................686
36.1 Cloud CNM Overview ................................................................................................................ 686
36.1.1 What You Can Do in this Chapter ................................................................................... 686
36.2 Cloud CNM SecuManager ....................................................................................................... 686
36.3 Cloud CNM SecuReporter ......................................................................................................... 689
Chapter 37
System...............................................................................................................................................693
37.1 Overview ..................................................................................................................................... 693
37.1.1 What You Can Do in this Chapter ................................................................................... 693
37.2 Host Name ................................................................................................................................... 694
37.3 USB Storage ................................................................................................................................. 694
37.4 Date and Time ............................................................................................................................ 695
37.4.1 Pre-defined NTP Time Servers List ..................................................................................... 698
37.4.2 Time Server Synchronization ............................................................................................ 698
37.5 Console Port Speed ................................................................................................................... 699
37.6 DNS Overview ............................................................................................................................. 700
37.6.1 DNS Server Address Assignment ...................................................................................... 700
37.6.2 Configuring the DNS Screen ............................................................................................ 700
37.6.3 (IPv6) Address Record ...................................................................................................... 704
37.6.4 PTR Record ......................................................................................................................... 704
37.6.5 Adding an (IPv6) Address/PTR Record .......................................................................... 704
37.6.6 CNAME Record ................................................................................................................. 705
37.6.7 Adding a CNAME Record ................................................................................................ 705
37.6.8 Domain Zone Forwarder ................................................................................................. 706
37.6.9 Adding a Domain Zone Forwarder ................................................................................. 706
37.6.10 MX Record ...................................................................................................................... 707
37.6.11 Adding a MX Record ...................................................................................................... 707
37.6.12 Security Option Control .................................................................................................. 708
37.6.13 Editing a Security Option Control .................................................................................. 708
37.6.14 Adding a DNS Service Control Rule .............................................................................. 709
37.7 WWW Overview .......................................................................................................................... 710
37.7.1 Service Access Limitations ............................................................................................... 710
37.7.2 System Timeout .................................................................................................................. 710
37.7.3 HTTPS ................................................................................................................................... 710
37.7.4 Configuring WWW Service Control ................................................................................. 711
37.7.5 Service Control Rules ........................................................................................................ 714
37.7.6 Customizing the WWW Login Page ................................................................................ 715
37.7.7 HTTPS Example ................................................................................................................... 720
37.8 SSH ............................................................................................................................................. 727
37.8.1 How SSH Works .................................................................................................................. 728
37.8.2 SSH Implementation on the Zyxel Device ...................................................................... 729
37.8.3 Requirements for Using SSH ..............................................................................................729
37.8.4 Configuring SSH ................................................................................................................. 729
37.8.5 Service Control Rules ........................................................................................................ 730
37.8.6 Secure Telnet Using SSH Examples .................................................................................. 731
37.9 Telnet ........................................................................................................................................... 732
37.9.1 Configuring Telnet ............................................................................................................. 732
37.9.2 Service Control Rules ........................................................................................................ 734
37.10 FTP .............................................................................................................................................. 734
37.10.1 Configuring FTP ................................................................................................................ 734
37.10.2 Service Control Rules ...................................................................................................... 736
37.11 SNMP ......................................................................................................................................... 736
37.11.1 SNMPv3 and Security ...................................................................................................... 737
37.11.2 Supported MIBs ............................................................................................................... 738
37.11.3 SNMP Traps ....................................................................................................................... 738
37.11.4 Configuring SNMP ........................................................................................................... 738
37.11.5 Add SNMPv3 User ............................................................................................................ 741
37.11.6 Service Control Rules ...................................................................................................... 741
37.12 Authentication Server .............................................................................................................. 742
37.12.1 Add/Edit Trusted RADIUS Client .................................................................................... 744
37.13 Notification > Mail Server ......................................................................................................... 744
37.14 Notification > SMS ..................................................................................................................... 746
37.15 Language Screen ..................................................................................................................... 747
37.16 IPv6 Screen ................................................................................................................................ 747
37.17 Zyxel One Network (ZON) Utility ............................................................................................. 748
37.17.1 Requirements ................................................................................................................... 748
37.17.2 Run the ZON Utility ........................................................................................................... 749
37.17.3 Zyxel One Network (ZON) System Screen .................................................................... 752
Chapter 38
Log and Report.................................................................................................................................753
38.1 Overview ..................................................................................................................................... 753
38.1.1 What You Can Do In this Chapter .................................................................................. 753
38.2 Email Daily Report ....................................................................................................................... 753
38.3 Log Setting Screens ................................................................................................................... 755
38.3.1 Log Setting Summary ........................................................................................................ 755
38.3.2 Edit System Log Settings .................................................................................................. 756
38.3.3 Edit Log on USB Storage Setting ..................................................................................... 760
38.3.4 Edit Remote Server Log Settings ..................................................................................... 761
38.3.5 Log Category Settings Screen ......................................................................................... 763
Chapter 39
File Manager ....................................................................................................................................766
39.1 Overview ..................................................................................................................................... 766
39.1.1 What You Can Do in this Chapter ................................................................................... 766
39.1.2 What you Need to Know .................................................................................................. 766
39.2 The Configuration File Screen ................................................................................................... 768
39.3 Firmware Management ........................................................................................................... 773
39.3.1 Cloud Helper ..................................................................................................................... 773
39.3.2 The Firmware Management Screen ............................................................................... 775
39.3.3 Firmware Upgrade via USB Stick ...................................................................................... 778
39.4 The Shell Script Screen .............................................................................................................. 778
Chapter 40
Diagnostics ......................................................................................................................................781
40.1 Overview ..................................................................................................................................... 781
40.1.1 What You Can Do in this Chapter ................................................................................... 781
40.2 The Diagnostics Screens ............................................................................................................ 781
40.2.1 The Diagnostics Collect Screen ....................................................................................... 782
40.2.2 The Diagnostics Collect on AP Screen ........................................................................... 783
40.2.3 The Diagnostics Files Screen ............................................................................................784
40.3 The Packet Capture Screen ...................................................................................................... 785
40.3.1 The Packet Capture Files Screen .................................................................................... 787
40.4 The CPU / Memory Status Screen ............................................................................................. 788
40.5 The System Log Screen .............................................................................................................. 790
40.6 The Remote Assistance Screen ................................................................................................. 790
40.7 The Network Tool Screen ........................................................................................................... 792
40.8 The Routing Traces Screen ........................................................................................................ 794
40.9 The Wireless Frame Capture Screen ........................................................................................795
40.9.1 The Wireless Frame Capture Files Screen ...................................................................... 797
Chapter 41
Packet Flow Explore .......................................................................................................................798
41.1 Overview ..................................................................................................................................... 798
41.1.1 What You Can Do in this Chapter ................................................................................... 798
41.2 The Routing Status Screen ......................................................................................................... 798
41.3 The SNAT Status Screen .............................................................................................................. 802
Chapter 42
Shutdown..........................................................................................................................................805
42.1 Overview ..................................................................................................................................... 805
42.1.1 What You Need To Know ................................................................................................. 805
42.2 The Shutdown Screen ................................................................................................................ 805
Chapter 43
Troubleshooting................................................................................................................................806
43.1 Resetting the Zyxel Device ........................................................................................................ 818
43.2 Getting More Troubleshooting Help .........................................................................................819
Appendix A Customer Support ..................................................................................................... 820
Appendix B Product Features........................................................................................................ 826
Appendix C Legal Information ...................................................................................................... 830
Index.................................................................................................................................................838
PART I

User’s Guide

CHAPTER 1

Introduction

1.1 Overview

Zyxel Device refers to these models as outlined below.
• ATP200
• ATP500
• ATP800
Most screen shots in this guide come from the ATP200.
Note the following differences between the device models:
• ATP500 and ATP800 support Device HA Pro.
• Some interface names vary by model - see Table 13 on page 68 and Table 14 on page 68 for default port / interface name mapping. See Table 15 on page 69 for default interface / zone mapping.
See the product’s datasheet for detailed information on a specific model.

1.2 Registration at myZyxel

myZyxel is Zyxel’s online services center where you can register your Zyxel Device and manage subscription services available for your Zyxel Device (see Configuration > Licensing > Registration > Service for services available for your Zyxel Device).
• For Zyxel Devices that already have firmware version 4.25 or later, you have to register your Zyxel Device and activate the corresponding service at myZyxel (through your Zyxel Device).
• For Zyxel Devices upgrading to firmware version 4.25 or later, you may skip registering your Zyxel Device and activating the corresponding service at myZyxel (through your Zyxel Device). However, it is highly recommended to at least register your Zyxel Device. At the time of writing, the Firmware Upgrade license, which provides Cloud Helper new firmware notifications, is free when you register your Zyxel Device.
Note: You need to create a myZyxel account at http://portal.myZyxel.com before you can register your device and activate the services at myZyxel.
You may need your Zyxel Device’s serial number and LAN MAC address to register it at myZyxel. See the label at the back of the Zyxel Device for details.
Figure 1 myZyxel Login
1.2.1 Grace Period
SecuReporter and service licenses have a 15-day grace period after a license expires. Services will continue to work in this period during which you will receive notifications to renew your license(s). New license(s) are valid for 1 year from the date of purchase.
1.2.2 Applications
These are some Zyxel Device application scenarios.
Security Router
Security includes a Stateful Packet Inspection (SPI) firewall.
Figure 2 Applications: Security Router
IPv6 Routing
The Zyxel Device supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The Zyxel Device can also route IPv6 packets through IPv4 networks using different tunneling methods.
Figure 3 Applications: IPv6 Routing
VPN Connectivity
Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. In the figure below, AS is an Authentication Server.
Figure 4 Applications: VPN Connectivity
SSL VPN Network Access
SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the Zyxel Device’s web address and enters his user name and password to securely connect to the Zyxel Device’s network. Here full tunnel mode creates a virtual connection for a remote user and gives him a private IP address in the same subnet as the local network so he can access network resources in the same way as if he were part of the internal network.
Figure 5 SSL VPN With Full Tunnel Mode
User-Aware Access Control
Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it. In the following figure user A can access both the Internet and an internal file server. User B has a lower level of access and can only access the Internet. User C is not even logged in, so cannot access either the Internet or the file server.
Figure 6 Applications: User-Aware Access Control
Load Balancing
Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them.
Figure 7 Applications: Multiple WAN Interfaces

1.3 Management Overview

You can manage the Zyxel Device in the following ways.
Web Configurator
The Web Configurator allows easy Zyxel Device setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.
Figure 8 Managing the Zyxel Device: Web Configurator
Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the Zyxel Device. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are:
Table 1 Console Port Default Settings
SETTING VALUE
Speed 115200 bps
Data Bits 8
Parity None
Stop Bit 1
Flow Control Off
FTP
Use File Transfer Protocol for firmware upgrades and configuration backup/restore.
SNMP
The device can be monitored and/or managed by an SNMP manager. See Section 37.11 on page 736.
CloudCNM
Use the CloudCNM screen (see Section 37.15 on page 747) to enable and configure management of the Zyxel Device by a Central Network Management system.
Management Authentication
Managers must be authenticated with a username and password, using one of:
• Local Zyxel Device authentication
• An external RADIUS server
• An external LDAP server
• Certificates

1.4 Web Configurator

In order to use the Web Configurator, you must:
• Use one of the following web browser versions or later:
• Internet Explorer 10.x, 11.x
• Chrome latest version (45 or above)
• Firefox latest version (45 or above)
• Safari latest version (9.0 or above)
• Allow pop-up windows (blocked by default in some browsers)
• Enable JavaScripts, Java permissions, and cookies
The recommended screen resolution is 1024 x 768 pixels.
Note: Screenshots and graphics in this book may differ slightly from your product due to differences in product features or web configurator brand style. Most screen shots in this guide come from the USG110 and USG60W.
1.4.1 Web Configurator Access
1 Make sure your Zyxel Device hardware is properly connected. See the Quick Start Guide.
2 In your browser go to http://192.168.1.1. By default, the Zyxel Device automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.
3 Type the user name (default: “admin”) and password (default: “1234”).
4 Click Login. After you log in for the first time using the default user name and password, you must change the default admin password in the Update Admin Info screen. Enter a new password of 1 to 64 characters.
In Configuration > Object > User/Group > Setting, you can enable Password Complexity to require a new password to consist of at least 8 characters and at most 64, where at least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+. You can also require periodic changing of the password in that screen by configuring Password must changed every (days).
Make a note of your new password, enter it in the following screen, then click Apply.
5 A Terms of Use screen displays. Read the statement, then click Acknowledge to proceed.
Note: If you are using an Internet Explorer browser, the Terms of Use will be downloaded automatically.
6 The Network Risk Warning screen displays any unregistered or disabled security services. If your Zyxel Device is not registered, you will see a prompt to register it. Select how often to display the screen and click OK.
If you select Never and you later want to bring this screen back, use these commands (note the space before the underscore).
Router> enable
Router#
Router# configure terminal
Router(config)#
Router(config)# service-register _setremind
after-10-days
after-180-days
after-30-days
every-time
never
Router(config)# service-register _setremind every-time
Router(config)#
See the Command Line Interface (CLI) Reference Guide (RG) for details on all supported commands.
7 Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.
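The following Python example is added here and is not part of the Zyxel manual or firmware. It checks candidate admin passwords against the two rule sets from step 4 (1 to 64 characters by default, or the Password Complexity rule when enabled) and shows what the default rule alone lets through. The function names, the sample passwords, and the reading of "special character" as any ASCII punctuation are assumptions of the example.

```python
import string

# Values stated in the manual text above.
DEFAULT_ADMIN_PASSWORD = "1234"
MAX_LEN = 64
MIN_LEN_BASELINE = 1      # Update Admin Info screen: 1 to 64 characters
MIN_LEN_COMPLEXITY = 8    # with Password Complexity enabled

# Assumption: "a special character from the keyboard" is read as any ASCII
# punctuation character; the manual only gives examples such as !@#$%^&*()_+.
CHARACTER_CLASSES = {
    "a number": set(string.digits),
    "a lower case letter": set(string.ascii_lowercase),
    "an upper case letter": set(string.ascii_uppercase),
    "a special character": set(string.punctuation),
}


def check_admin_password(candidate, complexity_enabled=True):
    """Return the list of rules the candidate breaks (empty list = accepted)."""
    problems = []
    # The manual requires changing the default after first login. Whether the
    # firmware itself refuses "1234" as the new value is not stated, so this
    # check is an addition of the example.
    if candidate == DEFAULT_ADMIN_PASSWORD:
        problems.append("is the factory default")
    min_len = MIN_LEN_COMPLEXITY if complexity_enabled else MIN_LEN_BASELINE
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if complexity_enabled:
        for label, charset in CHARACTER_CLASSES.items():
            if not any(ch in charset for ch in candidate):
                problems.append(f"missing {label}")
    return problems


def audit(candidates):
    """Evaluate each candidate under both rule sets for side-by-side comparison."""
    return {
        pw: {
            "baseline": check_admin_password(pw, complexity_enabled=False),
            "complexity": check_admin_password(pw, complexity_enabled=True),
        }
        for pw in candidates
    }


# Constructed sample passwords, for illustration only.
SAMPLES = ["1234", "a", "password", "Winter2019", "Gx7!rTq#92"]

if __name__ == "__main__":
    for pw, result in audit(SAMPLES).items():
        for mode, problems in result.items():
            verdict = "accepted" if not problems else "rejected: " + ", ".join(problems)
            print(f"{pw!r:14} {mode:10} {verdict}")
```

With Password Complexity off, a one-character password such as "a" passes, which is why enabling the option in Configuration > Object > User/Group > Setting matters for the admin account.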
1.4.2 Web Configurator Screens Overview
The Web Configurator screen is divided into these parts (as illustrated on page 32):
A - title bar
B - navigation panel
C - main window
Title Bar
Figure 9 Title Bar
The title bar icons in the upper right corner provide the following functions.
Table 2 Title Bar: Web Configurator Icons
LABEL DESCRIPTION
Logout Click this to log out of the Web Configurator.
Help Click this to open the help page for the current screen.
Forum Click this to go to the forum website for product discussions.
About Click this to display basic information about the Zyxel Device.
Site Map Click this to see an overview of links to the Web Configurator screens.
References Click this to check which configuration items reference an object.
CLI Click this to open a popup window that displays the CLI commands sent by the Web Configurator to the Zyxel Device.
About
Click About to display basic information about the Zyxel Device.
Figure 10 About
Table 3 About
LABEL DESCRIPTION
Current Version This shows the firmware version of the Zyxel Device.
Released Date This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released.
OK Click this to close the screen.
Site Map
Click Site Map to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen.
Figure 11 Site Map
Reference
Click Reference to open the Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.
Figure 12 Reference
The fields vary with the type of object. This table describes labels that can appear in this screen.
Table 4 Reference
LABEL DESCRIPTION
Type Select an object type to see the services.
Name This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
# This field is a sequential value, and it is not associated with any entry.
Service This is the type of setting that references the selected object. Click a service’s name to display the service’s configuration screen in the main window.
Priority If it is applicable, this field lists the referencing configuration item’s position in its list, otherwise N/A displays.
Name This field identifies the configuration item that references the object.
Description If the referencing configuration item has a description configured, it displays here.
Refresh Click this to update the information in this screen.
Cancel Click Cancel to close the screen.
CLI Messages
Click CLI to look at the CLI commands sent by the Web Configurator. Open the pop-up window and then click some menus in the web configurator to display the corresponding commands.
Figure 13 CLI Messages
1.4.3 Navigation Panel
Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the Zyxel Device’s navigation panel menus and their screens.
Figure 14 Navigation Panel
Dashboard
The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See the Web Help for details on the dashboard.
Monitor Menu
The monitor menu screens display status and statistics information.
Table 5 Monitor Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
System Status
Port Statistics | Port Statistics | Displays packet statistics for each physical port.
Interface Status | Interface Summary | Displays general interface information and packet statistics.
Traffic Statistics | Traffic Statistics | Collect and display traffic statistics.
Session Monitor | Session Monitor | Displays the status of all current sessions.
Login Users | Login Users | Lists the users currently logged into the Zyxel Device.
IGMP Statistics | IGMP Statistics | Collect and display IGMP statistics.
DDNS Status | DDNS Status | Displays the status of the Zyxel Device’s DDNS domain names.
IP/MAC Binding | IP/MAC Binding | Lists the devices that have received an IP address from Zyxel Device interfaces using IP/MAC binding.
Cellular Status | Cellular Status | Displays details about the Zyxel Device’s mobile broadband connection status.
UPnP Port Status | Port Statistics | Displays details about UPnP connections going through the Zyxel Device.
USB Storage | Storage Information | Displays details about USB device connected to the Zyxel Device.
Ethernet Neighbor | Ethernet Neighbor | View and manage the Zyxel Device’s neighboring devices via Smart Connect (Layer Link Discovery Protocol (LLDP)). Use the Zyxel One Network (ZON) utility to view and manage the Zyxel Device’s neighboring devices via the Zyxel Discovery Protocol (ZDP).
FQDN Object | FQDN Object | Displays FQDN (Fully Qualified Domain Name) object cache lists used in DNS queries.
Wireless
AP Information | AP List | Lists APs managed by the Zyxel Device.
AP Information | Radio List | Lists wireless details of APs managed by the Zyxel Device.
AP Information | Top N APs | Lists managed APs with the most wireless traffic usage and most associated wireless stations.
AP Information | Single AP | Lists APs wireless traffic usage and associated wireless stations for a managed AP.
ZyMesh | ZyMesh Link Info | Display statistics about ZyMesh wireless connections between managed APs.
SSID Info | SSID Info | Display information about the SSID’s wireless clients.
Station Info | Station List | Lists wireless clients associated with the APs managed by the Zyxel Device.
Station Info | Top N Stations | Lists wireless stations with the most wireless traffic usage.
Station Info | Single Station | Lists wireless traffic usage for an associated wireless station.
Detected Device | Detected Device | Display information about suspected rogue APs.
VPN Monitor
IPSec | IPSec | Displays and manages the active IPSec SAs.
SSL | SSL | Lists users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information.
L2TP over IPSec | L2TP over IPSec | Displays details about current L2TP sessions.
Security Statistics
Content Filter | Summary | Collect and display content filter statistics.
App Patrol | Summary | Displays application patrol statistics.
Anti-Malware | Summary | Collect and display statistics on the malware that the Zyxel Device has detected.
IDP | Summary | Collect and display statistics on the intrusions that the Zyxel Device has detected.
Email Security | Summary | Collect and display spam statistics.
Email Security | Status | Displays how many mail sessions the ZyWALL is currently checking and DNSBL (Domain Name Service-based spam Black List) statistics.
Botnet Filter | Summary | Displays the IP addresses and URLs that are blocked by the Zyxel Device.
Sandboxing | Summary | Displays the sandboxing statistics.
SSL Inspection | Report | Collect and display SSL Inspection statistics.
SSL Inspection | Certificate Cache List | Displays traffic to destination servers using certificates.
Log | View Log | Lists log entries.
Log | View AP Log | Lists AP log entries.
Configuration Menu
Use the configuration menu screens to configure the Zyxel Device’s features.
Table 6 Configuration Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
Quick Setup | | Quickly configure WAN interfaces or VPN connections.
Licensing
Registration | Registration | Register the device and activate trial services.
Registration | Service | View the licensed service status and upgrade licensed services.
Signature Update | Signature | Update signatures immediately or by a schedule.
Wireless
Controller | Configuration | Configure manual or automatic controller registration.
AP Management | Mgnt AP List | Edit or remove entries in the lists of APs managed by the Zyxel Device.
AP Management | AP Policy | Configure the AP controller’s IP address on the managed APs and determine the action the managed APs take if the current AP controller fails.
AP Management | AP Group | Create groups of APs, define their radio, VLAN, port and load balancing settings.
AP Management | Firmware | Update the firmware on APs connected to your Zyxel Device.
MON Profile | Rogue/Friendly AP List | Configure how the Zyxel Device monitors rogue APs.
Auto Healing | Auto Healing | Enable auto healing to extend the wireless service coverage area of the managed APs when one of the APs fails.
RTLS | Real Time Location System | Use the managed APs as part of an Ekahau RTLS to track the location of Ekahau Wi-Fi tags.
Network
Interface | Port Role | Use this screen to set the Zyxel Device’s flexible ports such as LAN, OPT, WLAN, or DMZ.
Interface | Ethernet | Manage Ethernet interfaces and virtual Ethernet interfaces.
Interface | PPP | Create and manage PPPoE and PPTP interfaces.
Interface | Cellular | Configure a cellular Internet connection for an installed mobile broadband card.
Interface | Tunnel | Configure tunneling between IPv4 and IPv6 networks.
Interface | VLAN | Create and manage VLAN interfaces and virtual VLAN interfaces.
Interface | Bridge | Create and manage bridges and virtual bridge interfaces.
Interface | VTI | Configure IP address assignment and interface parameters for VTI (Virtual Tunnel Interface).
Interface | Trunk | Create and manage trunks (groups of interfaces) for load balancing.
Routing | Policy Route | Create and manage routing policies.
Routing | Static Route | Create and manage IP static routing information.
Routing | RIP | Configure device-level RIP settings.
Routing | OSPF | Configure device-level OSPF settings, including areas and virtual links.
Routing | BGP | Configure exchange of Border Gateway Protocol (BGP) information over an IPSec tunnel.
DDNS | DDNS | Define and manage the Zyxel Device’s DDNS domain names.
NAT | NAT | Set up and manage port forwarding rules.
Redirect Service | Redirect Service | Set up and manage HTTP and SMTP redirection rules.
ALG | ALG | Configure SIP, H.323, and FTP pass-through settings.
UPnP | UPnP | Configure interfaces that allow UPnP and NAT-PMP connections.
IP/MAC Binding | Summary | Configure IP to MAC address bindings for devices connected to each supported interface.
IP/MAC Binding | Exempt List | Configure ranges of IP addresses to which the Zyxel Device does not apply IP/MAC binding.
Layer 2 Isolation | General | Enable layer-2 isolation on the Zyxel Device and the internal interface(s).
Layer 2 Isolation | White List | Enable and configure the white list.
DNS Inbound LB | DNS Load Balancing | Configure DNS Load Balancing.
IPnP | IPnP | Enable IPnP on the Zyxel Device and the internal interface(s).
VPN
IPSec VPN | VPN Connection | Configure IPSec tunnels.
IPSec VPN | VPN Gateway | Configure IKE tunnels.
IPSec VPN | Concentrator | Combine IPSec VPN connections into a single secure network
IPSec VPN | Configuration Provisioning | Set who can retrieve VPN rule settings from the Zyxel Device using the Zyxel Device IPSec VPN Client.
SSL VPN | Access Privilege | Configure SSL VPN access rights for users and groups.
SSL VPN | Global Setting | Configure the Zyxel Device’s SSL VPN settings that apply to all connections.
L2TP VPN | L2TP VPN | Configure L2TP over IPSec tunnels.
BWM | BWM | Enable and configure bandwidth management rules.
Web Authentication | Web Authentication General/Authentication Type/Custom Web Portal File/Custom User Agreement File | Define a web portal and exempt services from authentication.
Web Authentication | SSO | Configure the Zyxel Device to work with a Single Sign On agent.
Security Policy
Policy Control | Policy | Create and manage level-3 traffic rules and apply Security Service profiles.
ADP | General | Display and manage ADP bindings.
ADP | Profile | Create and manage ADP profiles.
Session Control | Session Control | Limit the number of concurrent client NAT/security policy sessions.
Security Service
Botnet Filter | Botnet Filter | Enable botnet filtering and specify the actions.
Content Filter | Profile | Create and manage the detailed filtering rules for content filtering profiles and then apply to a traffic flow using a security policy.
Content Filter | Trusted Web Sites | Create a list of allowed web sites that bypass content filtering policies.
Content Filter | Forbidden Web Sites | Create a list of web sites to block regardless of content filtering policies.
AppPatrol | Profile | Manage different types of traffic in this screen. Create App Patrol template(s) of settings to apply to a traffic flow using a security policy.
Email Security | Email Security | Turn email security on or off and manage email security policies. Create email security template(s) of settings to apply to a traffic flow using a security policy.
Email Security | Black/White List | Set up a black list to identify spam and a white list to identify legitimate email.
Anti-Malware | Anti-Malware | Enable, specify actions to take when encountering malware or compressed files, and set up a black list to identify files with malware file patterns and a white list to identify files that should not be checked for malware.
Anti-Malware | Signature | Search for particular signatures to get more information about them.
IDP | IDP | Enable and configure IDP settings. Create, import, or export custom signatures.
Sandboxing | Sandboxing | Enable sandboxing, and specify the actions the Zyxel Device takes when malicious or suspicious files are detected.
SSL Inspection | Profile | Decrypt HTTPS traffic for Security Service inspection. Create SSL Inspection template(s) of settings to apply to a traffic flow using a security policy.
SSL Inspection | Exclude List | Configure services to be excluded from SSL Inspection.
SSL Inspection | Certificate Update | Use this screen to update the latest certificates of servers using SSL connections to the Zyxel Device network.
Object
Zone | Zone | Configure zone template(s) used to define various policies.
User/Group | User | Create and manage users.
User/Group | Group | Create and manage groups of users.
User/Group | Setting | Manage default settings for all users, general settings for user sessions, and rules to force user authentication.
User/Group | MAC Address | Configure the MAC addresses of wireless clients for MAC authentication using the local user database.
AP Profile | Radio | Create template(s) of radio settings to apply to policies as an object.
AP Profile | SSID | Create template(s) of wireless settings to apply to radio profiles or policies as an object.
MON Profile | MON Profile | Create and manage rogue AP monitoring files that can be associated with different APs.
ZyMesh Profile | ZyMesh Profile | Create and manage ZyMesh files that can be associated with different APs.
Address/Geo IP | Address | Create and manage host, range, and network (subnet) addresses.
Address/Geo IP | Address Group | Create and manage groups of addresses to apply to policies as a single object.
Address/Geo IP | Geo IP | Update the database of country-to-IP address mappings and manually configure country-to-IP address mappings for geographic address objects that can be used in security policies.
Service | Service | Create and manage TCP and UDP services.
Service | Service Group | Create and manage groups of services to apply to policies as a single object.
Schedule | Schedule | Create one-time and recurring schedules.
Schedule | Schedule Group | Create and manage groups of schedules to apply to policies as a single object.
AAA Server | Active Directory | Configure the Active Directory settings.
AAA Server | LDAP | Configure the LDAP settings.
AAA Server | RADIUS | Configure the RADIUS settings.
Auth. Method | Authentication Method | Create and manage ways of authenticating users.
Certificate | My Certificates | Create and manage the Zyxel Device’s certificates.
Certificate | Trusted Certificates | Import and manage certificates from trusted sources.
DHCPv6 | Request | Configure IPv6 DHCP request type and interface information.
DHCPv6 | Lease | Configure IPv6 DHCP lease type and interface information.
Cloud CNM | SecuManager | Enable and configure management of the Zyxel Device by a Central Network Management system.
Cloud CNM | SecuReporter | Enable SecuReporter logging and access the SecuReporter security analytics portal that collects and analyzes logs from your Zyxel Device in order to identify anomalies, alert on potential internal / external threats, and report on network usage.
System
Host Name | Host Name | Configure the system and domain name for the Zyxel Device.
USB Storage | Settings | Configure the settings for the connected USB devices.
Date/Time | Date/Time | Configure the current date, time, and time zone in the Zyxel Device.
Console Speed | Console Speed | Set the console speed.
DNS | DNS | Configure the DNS server and address records for the Zyxel Device.
WWW | Service Control | Configure HTTP, HTTPS, and general authentication.
WWW | Login Page | Configure how the login and access user screens look.
SSH | SSH | Configure SSH server and SSH service settings.
TELNET | TELNET | Configure telnet server settings for the Zyxel Device.
FTP | FTP | Configure FTP server settings.
SNMP | SNMP | Configure SNMP communities and services.
Auth. Server | Auth. Server | Configure the Zyxel Device to act as a RADIUS server.
Notification | Mail Server | Configure a mail server with authentication to send reports and password expiration notification emails.
Language | Language | Select the Web Configurator language.
IPv6 | IPv6 | Enable IPv6 globally on the Zyxel Device here.
ZON | ZON | Use the Zyxel One Network (ZON) utility to view and manage the Zyxel Device’s neighboring devices via the Zyxel Discovery Protocol (ZDP).
Log & Report
Email Daily Report | Email Daily Report | Configure where and how to send daily reports and what reports to send.
Log Settings | Log Settings | Configure the system log, email logs, and remote syslog servers.
Maintenance Menu
Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the Zyxel Device.
Table 7 Maintenance Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
File Manager | Configuration File | Manage and upload configuration files for the Zyxel Device.
File Manager | Firmware Management | View the current firmware version and upload firmware. Reboot with your choice of firmware.
File Manager | Shell Script | Manage and run shell script files for the Zyxel Device.
Diagnostics | Diagnostics (Collect, Collect on AP, Files) | Collect diagnostic information.
Diagnostics | Packet Capture | Capture packets for analysis.
Diagnostics | CPU/Memory Status | View CPU and memory usage statistics.
Diagnostics | System Log | Connect a USB device to the Zyxel Device and archive the Zyxel Device system logs to it here.
Diagnostics | Remote Assistance | Configure and schedule external access to the Zyxel Device for troubleshooting.
Diagnostics | Network Tool | Identify problems with the connections. You can use Ping or Traceroute to help you identify problems.
Diagnostics | Routing Traces | Configure traceroute to identify where packets are dropped for troubleshooting.
Diagnostics | Wireless Frame Capture | Capture wireless frames from APs for analysis.
Packet Flow Explore | Routing Status | Check how the Zyxel Device determines where to route a packet.
Packet Flow Explore | SNAT Status | View a clear picture on how the Zyxel Device converts a packet’s source IP address and check the related settings.
Shutdown | Shutdown | Turn off the Zyxel Device.
1.4.4 Tables and Lists
Web Configurator tables and lists are flexible with several options for how to display their entries.
Click a column heading to sort the table’s entries according to that column’s criteria.
Figure 15 Sorting Table Entries by a Column’s Criteria
Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:
• Sort in ascending or descending (reverse) alphabetical order
• Select which columns to display
•Group entries by field
•Show entries in groups
• Filter by mathematical operators (<, >, or =) or searching for text
Figure 16 Common Table Column Options
Select a column heading cell’s right border and drag to re-size the column.
Figure 17 Resizing a Table Column
Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
Figure 18 Moving Columns
Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.
Figure 19 Navigating Pages of Table Entries
The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.
Figure 20 Common Table Icons
Here are descriptions for the most common table icons.
Table 8 Common Table Icons
LABEL DESCRIPTION
Add Click this to create a new entry. For features where the entry’s position in the numbered list is important (features where the Zyxel Device applies the table’s entries in order like the security policy for example), you can select an entry and click Add to create a new entry after the selected entry.
Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. In some tables you can just click a table entry and edit it directly in the table. For those types of tables small red triangles display for table entries with changes that you have not yet applied.
Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate To turn on an entry, select it and click Activate.
Inactivate To turn off an entry, select it and click Inactivate.
Connect To connect an entry, select it and click Connect.
Disconnect To disconnect an entry, select it and click Disconnect.
References Select an entry and click References to check which settings use the entry.
Move To change an entry’s position in a numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.
Working with Lists
When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
Figure 21 Working with Lists

CHAPTER 2

Initial Setup Wizard

2.1 Initial Setup Wizard Screens

When you log into the Web Configurator for the first time or when you reset the Zyxel Device to its default configuration, the Initial Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services.
Note: For Zyxel Devices that already have firmware version 4.25 or later, you have to register your Zyxel Device and activate the corresponding service at myZyxel (through your Zyxel Device).
This chapter provides information on configuring the Web Configurator's Initial Setup Wizard. See the feature-specific chapters in this User’s Guide for background information.
• Click the double arrow in the upper right corner to display or hide the help.
• Click Logout to exit the Initial Setup Wizard or click Next to continue the wizard. Click Finish at the end of the wizard to complete the wizard.
Figure 22 Initial Setup Wizard
2.1.1 Internet Access Setup - WAN Interface
Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment.
The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field.
Note: Enter the Internet access information exactly as your ISP gave it to you. Leave a field blank if you don’t have that information.
I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface.
Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Choose PPPoE, PPTP or L2TP for a dial-up connection according to the information from your ISP.
WAN Interface: This is the interface you are configuring for Internet access.
Zone: This is the security zone to which this interface and Internet connection belong.
IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.
Figure 23 Internet Access
2.1.2 Internet Access: Ethernet
This screen is read-only if you set the previous screen’s IP Address Assignment field to Auto. If you set the previous screen’s IP Address Assignment field to Static, use this screen to configure your IP address settings.
Encapsulation: This displays the type of Internet connection you are configuring.
First WAN Interface: This is the number of the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
The following fields display if you selected static IP address assignment.
IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
2.1.2.1 Possible Errors
• Check that your cable connection is coming from the correct interface you’re using for the WAN connection on the Zyxel Device.
• Check that the interface is connected to the device you’re using for Internet access such as a broadband router and that the router is turned on. The LED of the interface you’re using for the WAN connection on the Zyxel Device should be orange.
• If your Zyxel Device was not able to obtain an IP address, check that your Internet access information uses DHCP as the WAN connection type. If it fails again, check with your Internet service provider or administrator for correct WAN settings.
• If your Zyxel Device was not able to use the IP address entered, check that you were given an IP address, subnet mask and gateway address as part of your Internet access information. Re-enter your IP address, subnet mask and gateway IP address exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
Figure 24 Internet Access: Ethernet Encapsulation
2.1.3 Internet Access: PPPoE
2.1.3.1 ISP Parameters
• Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
Authentication Type - Select an authentication protocol for outgoing connection requests. Options are:
Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node.
Chap - Your Zyxel Device accepts CHAP only.
PAP - Your Zyxel Device accepts PAP only.
MSCHAP - Your Zyxel Device accepts MSCHAP only.
MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
• Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.
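What the Authentication Type choice means on the wire, as an added example (not Zyxel code and not part of the original guide): it builds a PAP Authenticate-Request (RFC 1334) and a CHAP MD5 Response (RFC 1994) for the same credentials and checks where the password appears. The user name, password, challenge and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample credentials (they follow the field rules above, not real values).
USER = b"user@example-isp.test"
PASSWORD = b"Constructed-Passw0rd"


def pap_authenticate_request(identifier: int, user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (code 1): user name and password are sent as-is."""
    data = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(data)) + data


def chap_md5_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: hash over identifier, shared secret and the server's challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(identifier: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response (code 2): carries only the hash value and the peer name."""
    value = chap_md5_value(identifier, secret, challenge)
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(data)) + data


def chap_verify(response: bytes, secret: bytes, challenge: bytes) -> bool:
    """Authenticator side: recompute the hash from its own copy of the secret."""
    if len(response) < 5:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != 2 or length != len(response):
        return False
    value = response[5:5 + response[4]]
    expected = chap_md5_value(identifier, secret, challenge)
    return hmac.compare_digest(value, expected)


def compare_on_the_wire() -> dict:
    """Build both messages for the same credentials and report what each exposes."""
    challenge = os.urandom(16)  # chosen by the remote node for each authentication
    pap = pap_authenticate_request(1, USER, PASSWORD)
    chap = chap_response(1, PASSWORD, challenge, USER)
    return {
        "pap_contains_password": PASSWORD in pap,
        "chap_contains_password": PASSWORD in chap,
        "chap_verifies": chap_verify(chap, PASSWORD, challenge),
        # A captured response is useless against a fresh challenge.
        "chap_replay_accepted": chap_verify(chap, PASSWORD, os.urandom(16)),
    }


if __name__ == "__main__":
    for finding, value in compare_on_the_wire().items():
        print(f"{finding}: {value}")
```

With Chap/PAP selected the device answers whichever of the two the remote node requests, so where the ISP supports CHAP, selecting Chap keeps the device from sending the password in a PAP request.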
2.1.3.2 WAN IP Address Assignments
WAN Interface: This is the name of the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
2.1.3.3 Possible Errors
• Check that you’re using the correct PPPoE Service Name and Authentication Type.
• Make sure that your Internet access information uses PPPoE as the WAN connection type. Re-enter your PPPoE user name and password exactly as given. If it fails again, check with your Internet service provider or administrator for correct WAN settings and user credentials.
• If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
Figure 25 Internet Access: PPPoE Encapsulation
2.1.4 Internet Access: PPTP
2.1.4.1 ISP Parameters
Authentication Type - Select an authentication protocol for outgoing calls. Options are:
Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node.
Chap - Your Zyxel Device accepts CHAP only.
PAP - Your Zyxel Device accepts PAP only.
MSCHAP - Your Zyxel Device accepts MSCHAP only.
MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
• Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password in the next field to confirm it.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.
2.1.4.2 PPTP Configuration
Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
• Type a Base IP Address (static) assigned to you by your ISP.
• Type the IP Subnet Mask assigned to you by your ISP (if given).
Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
Server IP: Type the IP address of the PPTP server.
• Type a Connection ID or connection name. It must follow the “c:id” and “n:name” format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.
2.1.4.3 WAN IP Address Assignments
First WAN Interface: This is the connection type on the interface you are configuring to connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
2.1.4.4 Possible Errors
• Check that you’re using the correct PPTP Server IP, Base IP Address, IP Subnet Mask, Gateway IP Address, Connection ID and Authentication Type.
• Make sure that your Internet access information uses PPTP as the WAN connection type. Re-enter your PPTP user name and password exactly as given. If it fails again, check with your Internet service provider or administrator for correct WAN settings and user credentials.
• If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
Figure 26 Internet Access: PPTP Encapsulation
2.1.5 Internet Access: L2TP
2.1.5.1 ISP Parameters
Authentication Type - Select an authentication protocol for outgoing connection requests. Options are:
Chap/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by the remote node.
Chap - Your Zyxel Device accepts CHAP only.
PAP - Your Zyxel Device accepts PAP only.
MSCHAP - Your Zyxel Device accepts MSCHAP only.
MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
• Type the User Name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.
2.1.5.2 L2TP Configuration
Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
• Type a Base IP Address (static) assigned to you by your ISP.
IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
Server IP: Type the IP address of the L2TP server.
2.1.5.3 WAN IP Address Assignments
WAN Interface: This is the name of the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
2.1.5.4 Possible Errors
• Check that you’re using the correct L2TP Server IP, IP Subnet Mask, Gateway IP Address and Authentication Type.
• Make sure that your Internet access information uses L2TP as the WAN connection type. Re-enter your L2TP user name and password exactly as given. If it fails again, check with your Internet service provider or administrator for correct WAN settings and user credentials.
• If you were given an IP address and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
Figure 27 Internet Access: L2TP Encapsulation
2.1.6 Internet Access Setup - Second WAN Interface
If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 2.1.1 on page 46).
Figure 28 Internet Access: Step 3: Second WAN Interface
2.1.7 Internet Access: Congratulations
You have set up your Zyxel Device to access the Internet. A screen displays with your settings. Click Connection Test to check that you can access the Internet. If you cannot, click Back and confirm that you entered the settings correctly. If you have, check that you got the correct settings from your ISP or network administrator.
Figure 29 Internet Access: Summary
2.1.8 Date and Time Settings
It’s important to have correct date and time values in the logs. The Zyxel Device can automatically update the time and date by detecting your time zone and whether Daylight Savings is in effect in that time zone.
If your Zyxel Device cannot get the correct date and time, it may not be able to connect to a time server. Check that the Zyxel Device has Internet access, then click Sync. Now.
Figure 30 Date and Time Settings
2.1.9 Register Device
Click the Register button in this screen to register your device at portal.myzyxel.com.
Note: The Zyxel Device must be connected to the Internet in order to register.
Figure 31 Register Device
You may need the Zyxel Device’s serial number and LAN MAC address to register it at myZyxel if you have not already done so. Refer to the label at the back of the Zyxel Device for details.
Figure 32 myZyxel Login
Click Refresh or use the Configuration > Licensing > Registration screen to update your Zyxel Device registration status.
Figure 33 Registered Device
2.1.10 Activate Service
After you register your Zyxel Device, you can register for the services supported by your model. Examples of services are:
• Web Security (to access a database that can block websites by category)
• Application Security (to use signature for Application Patrol inspection and signatures to recognize unsolicited commercial or junk email suspected of being sent by spammers.)
• Malware Blocker (to detect malware patterns in files)
• Intrusion Prevention (to use signatures for Intrusion Detection and Prevention attacks)
• Geo Enforcer (to access a database of country-to-IP address mappings)
• Sandboxing (to specify the actions the Zyxel Device takes when malicious or suspicious files are detected)
• Managed AP Service (to manage more APs than the default for your Zyxel Device when the AP controller is enabled)
Click Refresh and wait a few moments for the registration information to update in this screen. If the page does not refresh, make sure the Internet connection is working and click Refresh again. To check your Internet connection, try to access the Internet from a computer connected to a LAN port on the Zyxel Device. If you cannot, then check your Internet access settings on the Zyxel Device.
Figure 34 Activate Service
Figure 35 Activated Service
2.1.11 Service Settings
You can enable or disable the following features in this screen.
Botnet Filter: Use this feature to detect and block connection attempts to or from the C&C server or known botnet IP addresses.
Anti-Malware: Use this feature to protect your connected network from malware infection.
IDP: Use this feature to detect malicious or suspicious packets and respond instantaneously.
Sandboxing: Use this feature to provide a safe environment to separate running programs from your network and host devices.
Content Filter: Use this feature to control access to specific web sites or web content.
App Patrol: Use this feature to manage the use of various applications on the network.
Email Security: Use this feature to mark or discard spam (unsolicited commercial or junk email).
Figure 36 Service Settings
2.1.12 Wireless Settings: AP Controller
The Zyxel Device can act as an AP Controller that can manage APs in the same network as the Zyxel Device. Select Yes if you want your Zyxel Device to manage APs in your network; otherwise select No.
Figure 37 Wireless Settings: AP Controller
2.1.13 Wireless Settings: SSID & Security
Configure SSID and wireless security in this screen.
SSID Setting
SSID - Enter a descriptive name of up to 32 printable characters for the wireless LAN.
Security Mode - Select Pre-Shared Key to add security on this wireless network. Otherwise, select None to allow any wireless client to associate with this network without authentication.
Pre-Shared Key - Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters.
Hidden SSID - Select this option if you want to hide the SSID in the outgoing beacon frame. A wireless client then cannot obtain the SSID through scanning using a site survey tool.
Enable Intra-BSS Traffic Blocking - Select this option if you want to prevent crossover traffic from within the same SSID. Wireless clients can still access the wired network but cannot communicate with each other.
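The two Pre-Shared Key formats above are handled differently, as this added example shows (it is not Zyxel code and not part of the original guide): it classifies a key as a passphrase or a raw 64-digit hexadecimal key and derives the 256-bit key each one yields. It assumes the Pre-Shared Key mode follows the standard WPA/WPA2-Personal derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), which the guide does not state, and that "printable" means printable ASCII; the function names, SSIDs and keys are constructed.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def _printable_ascii(text: str) -> bool:
    """True if every character is printable ASCII (space through tilde)."""
    return all(32 <= ord(ch) <= 126 for ch in text)


def validate_ssid(ssid: str) -> bytes:
    """Apply the SSID rule from the wizard: up to 32 printable characters."""
    if not 1 <= len(ssid) <= 32 or not _printable_ascii(ssid):
        raise ValueError("SSID must be 1-32 printable ASCII characters")
    return ssid.encode("ascii")


def classify_psk(key: str) -> str:
    """Return 'hex' for 64 hexadecimal digits or 'passphrase' for 8-63 ASCII characters."""
    if len(key) == 64:
        # 64 characters is one past the passphrase limit, so it must be all hex.
        if set(key) <= HEX_DIGITS:
            return "hex"
        raise ValueError("a 64-character key must consist of hexadecimal digits only")
    if 8 <= len(key) <= 63 and _printable_ascii(key):
        return "passphrase"
    raise ValueError("key must be 8-63 ASCII characters or 64 hexadecimal digits")


def derive_pmk(ssid: str, key: str) -> bytes:
    """Return the 32-byte key that a client and AP would share for this SSID and key."""
    salt = validate_ssid(ssid)
    if classify_psk(key) == "hex":
        # A hex key is used directly: no stretching, and no dependence on the SSID.
        return bytes.fromhex(key)
    # A passphrase is stretched with the SSID as salt (assumed WPA/WPA2-Personal).
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), salt, 4096, 32)


if __name__ == "__main__":
    passphrase = "constructed sample passphrase"   # constructed value
    for ssid in ("Office-WLAN", "Guest-WLAN"):     # constructed SSIDs
        print(ssid, classify_psk(passphrase), derive_pmk(ssid, passphrase).hex())
    raw_key = "0123456789abcdef" * 4               # constructed 64-digit hex key
    print("Office-WLAN", classify_psk(raw_key), derive_pmk("Office-WLAN", raw_key).hex())
```

Because the SSID is the salt, the same passphrase gives a different key on every SSID, while a 64-digit hexadecimal key is the key itself and so must come from a random source.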
For Built-in Wireless AP Only
Bridged to: Zyxel Devices with W in the model name have a built-in AP. Select an interface to bridge with the built-in AP wireless network. Devices connected to this interface will then be in the same broadcast domain as devices in the AP wireless network.
Figure 38 Wireless Settings: SSID & Security
2.1.14 Remote Management
Select this to allow access to the Zyxel Device using HTTP or HTTPS from the Internet.
Figure 39 Remote Management
HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in Object > Service > Service Group screen when you enable Remote Management.
Figure 40 Object > Service > Service Group - HTTPS
CHAPTER 3 Hardware, Interfaces and Zones

3.1 Hardware Overview

This section describes the front and rear panels for each model.
The following table summarizes the port features of the Zyxel Device by model.
Table 9 ATP Series Comparison Table
| ATP MODELS | ATP200 | ATP500 | ATP800 |
| --- | --- | --- | --- |
| USB 3.0 Ports | 2 | 2 | 2 |
| 1 Gbps SFP interface | 1 | 1 | 2 |
| 10/100/1000 Mbps Ethernet WAN Ports | 2 | - | - |
| 10/100/1000 Mbps Ethernet Ports | 4 | 7 | 12 |
| Console Port | 1 | 1 | 1 |
3.1.1 Front Panels
The LED indicators are located on the front panel.
Figure 41 ATP200 Front Panel
Figure 42 ATP500 Front Panel
Figure 43 ATP800 Front Panel
The following table describes the front panel LEDs.
Table 10 LED Descriptions
| LED | COLOR | STATUS | DESCRIPTION |
| --- | --- | --- | --- |
| PWR | | Off | The Zyxel Device is turned off. |
| PWR | Green | On | The Zyxel Device is turned on. |
| PWR | Red | On | There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device. If the LED turns red again, then please contact your vendor. |
| SYS | Green | Off | The Zyxel Device is not ready or has failed. |
| SYS | Green | On | The Zyxel Device is ready and running. |
| SYS | Green | Blinking | The Zyxel Device is booting. |
| SYS | Red | On | The Zyxel Device has an error or has failed. |
| P1 (SFP) LINK | Yellow | Off | There is no connection on this port. |
| P1 (SFP) LINK | Yellow | On | This port has a successful 1000 Mbps link. |
| P1 (SFP) LINK | Green | Off | There is no connection on this port. |
| P1 (SFP) LINK | Green | On | This port has a successful 100 Mbps link. |
| P1 (SFP) ACT | Green | Off | There is no traffic on this port. |
| P1 (SFP) ACT | Green | Blinking | The Zyxel Device is sending or receiving packets on this port at 100/1000 Mbps. |
| P2, P3... (WAN/LAN/DMZ) | Yellow | Off | There is no connection on this port. |
| P2, P3... (WAN/LAN/DMZ) | Yellow | On | This port has a successful 1000 Mbps link. |
| P2, P3... (WAN/LAN/DMZ) | Yellow | Blinking | The Zyxel Device is sending or receiving packets on this port at 1000 Mbps. |
| P2, P3... (WAN/LAN/DMZ) | Green | Off | There is no connection on this port. |
| P2, P3... (WAN/LAN/DMZ) | Green | On | This port has a successful 10/100 Mbps link. |
| P2, P3... (WAN/LAN/DMZ) | Green | Blinking | The Zyxel Device is sending or receiving packets on this port at 10/100 Mbps. |
The following table describes the ports on the front panel.
Table 11 Front Panel Ports
| LABEL | DESCRIPTION |
| --- | --- |
| RESET | Press the button in for about 5 seconds (or until the SYS LED starts to blink), then release it to return the Zyxel Device to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.) |
| CONSOLE | You can use the console port to manage the Zyxel Device using CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for more information about the CLI. When configuring using the console port, you need a computer equipped with communications software configured to the following parameters: Speed 115200 bps; Data Bits 8; Parity None; Stop Bit 1; Flow Control Off |
| USB | Connect a storage device for system logs (see Maintenance > Diagnostics > System Log) and storage (see Configuration > System > USB Storage). |
| P2-P7 (ATP200), P2-P8 (ATP500), P1-P12 (ATP800) | These are 1G RJ-45 Ethernet ports. |
3.1.2 Rear Panels
The connection ports are located on the rear panel.
Figure 44 ATP200 Rear Panel
Figure 45 ATP500 Rear Panel
Figure 46 ATP800 Rear Panel
The following table describes the items on the rear panel.
Table 12 Rear Panel Items
| LABEL | DESCRIPTION |
| --- | --- |
| Console | You can use the console port to manage the Zyxel Device using CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for more information about the CLI. When configuring using the console port, you need a computer equipped with communications software configured to the following parameters: Speed 115200 bps; Data Bits 8; Parity None; Stop Bit 1; Flow Control Off |
| Power | Use the included power cord to connect the power socket to a power outlet. Turn the power switch on if your Zyxel Device has a power switch. |
| Lock | Attach a lock-and-cable from the Kensington lock (the small, metal-reinforced, oval hole) to a permanent object, such as a pole, to secure the Zyxel Device in place. |
| Fan | The fans are for cooling the Zyxel Device. Make sure they are not obstructed to allow maximum ventilation. |
Note: Use an 8-wire Ethernet cable to run your Gigabit Ethernet connection at 1000 Mbps. Using a 4-wire Ethernet cable limits your connection to 100 Mbps. Note that the connection speed also depends on what the Ethernet device at the other end can support.

3.2 Mounting

The Zyxel Device can be mounted in a rack.
3.2.1 Rack-mounting
Use the following steps to mount the Zyxel Device on an EIA standard size, 19-inch rack or in a wiring closet with other equipment using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit.
Note: Leave 10 cm of clearance at the sides and 20 cm in the rear.
Use a #2 Phillips screwdriver to install the screws.
Note: Failure to use the proper screws may damage the unit.
1 Align one bracket with the holes on one side of the Zyxel Device and secure it with the included bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
3 After attaching both mounting brackets, position the Zyxel Device in the rack and match up the bracket holes with the rack holes. Secure the Zyxel Device to the rack with the rack-mounting screws.
3.2.2 Wall-mounting
Do the following to attach your Zyxel Device to a wall. Only the ATP200 can be wall mounted.
1 Drill two holes 3 mm ~ 4 mm (0.12" ~ 0.16") wide, 20 mm ~ 30 mm (0.79" ~ 1.18") deep and 150 mm (5.90") apart, into a wall. Place two screw anchors in the holes.
2 Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the screw anchors. Do not screw the screws all the way in to the wall; leave a small gap between the head of the screw and the wall.
The gap must be big enough for the screw heads to slide into the screw slots and the connection cables to run down the back of the Zyxel Device.
Note: Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the Zyxel Device with the connection cables.
3 Use the holes on the bottom of the Zyxel Device to hang the Zyxel Device on the screws.
Wall-mount the Zyxel Device horizontally. The Zyxel Device's side panels with ventilation slots should not be facing up or down as this position is less safe.
Figure 47 Wall Mounting
Screw Specifications

3.3 Default Zones, Interfaces, and Ports

The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use “the WAN interface” rather than “wan1” or “wan2”, “ge2” or “ge3”.
An OPT (optional) Ethernet port can be configured as an additional WAN port, LAN, WLAN, or DMZ port.
The following table shows the default physical port and interface mapping for each model at the time of writing.
Table 13 Default Physical Port - Interface Mapping
| PORT / INTERFACE | P1 | P2 | P3 | P4 | P5 | P6 | P7 | P8 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ATP500 | ge1 | ge2 | ge3 | ge4 | ge5 | ge6 | ge7 | ge8 |
| ATP200 | sfp | wan | wan | lan1 | lan1 | lan1 | lan1 | |
Table 14 Default Physical Port - Interface Mapping - ATP800
| PORT / INTERFACE | P1 | P2 | P3 | P4 | P5 | P6 | P7 | P8 | P9 | P10 | P11 | P12 | P13 | P14 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ATP800 | ge1 | ge2 | ge3 | ge4 | ge5 | ge6 | ge7 | ge8 | ge9 | ge10 | ge11 | ge12 | ge13 | ge14 |
The following table shows the default interface and zone mapping for each model at the time of writing.
Table 15 Default Zone - Interface Mapping
| ZONE / INTERFACE | WAN | LAN1 | LAN2 | DMZ | OPT | NO DEFAULT ZONE |
| --- | --- | --- | --- | --- | --- | --- |
| ATP200 | WAN1, WAN1_PPP, WAN2, WAN2_PPP | LAN1 | LAN2 | DMZ | SFP, SFP_PPP | GE7, GE7_PPP, GE8, GE8_PPP |
Table 16 Default Zone - Interface Mapping
| ZONE / INTERFACE | WAN | LAN | DMZ | OPT | NO DEFAULT ZONE |
| --- | --- | --- | --- | --- | --- |
| ATP500 | GE2, GE2_PPP, GE3, GE3_PPP | GE4, GE5 | GE6 | GE1, GE1_PPP | GE7, GE7_PPP, GE8, GE8_PPP |
| ATP800 | GE1, GE1_PPP, GE2, GE2_PPP | GE3, GE4 | GE5 | GE13, GE13_PPP, GE14, GE14_PPP | GE6~GE12, GE6_PPP~GE12_PPP |

3.4 Stopping the Zyxel Device

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the Zyxel Device or remove the power. Not doing so can cause the firmware to become corrupt.

CHAPTER 4 Quick Setup Wizards

4.1 Quick Setup Overview

The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information.
In the Web Configurator, click Quick Setup to open the first Quick Setup screen.
Figure 48 Quick Setup
• WAN Interface
Click this link to open a wizard to set up a WAN (Internet) connection. This wizard creates matching ISP account settings in the Zyxel Device if you use PPPoE or PPTP. See Section 4.2 on page 71.
• VPN Setup
Use VPN Setup to configure a VPN (Virtual Private Network) rule for a secure connection to another computer or network. Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the Zyxel Device IPSec VPN Client. You only need to enter a user name, password and the IP address of the Zyxel Device in the IPSec VPN Client to get all VPN settings automatically from the Zyxel Device. See Section 4.3 on page 77. Use VPN Settings for L2TP VPN Settings to configure the L2TP VPN for clients.
• Wizard Help If the help does not automatically display when you run the wizard, click the arrow to display it.

4.2 WAN Interface Quick Setup

Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next.
Figure 49 WAN Interface Quick Setup Wizard
4.2.1 Choose an Ethernet Interface
Select a WAN interface (names vary by model) that you want to configure for a WAN connection and click Next.
Figure 50 Choose an Ethernet Interface
4.2.2 Select WAN Type
WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet.
Otherwise, choose PPPoE, PPTP or L2TP for a dial-up connection according to the information from your ISP.
Figure 51 WAN Interface Setup: Step 2
The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Note: Enter the Internet access information exactly as your ISP gave it to you.
4.2.3 Configure WAN IP Settings
Use this screen to select whether the interface should use a fixed or dynamic IP address.
Figure 52 WAN Interface Setup: Step 2 Ethernet Dynamic IP
Figure 53 WAN Interface Setup: Step 2 Ethernet Static IP
WAN Interface: This is the interface you are configuring for Internet access.
Zone: This is the security zone to which this interface and Internet connection belong.
IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if you have a fixed IP address and enter the IP address, subnet mask, gateway IP address (optional) and DNS server IP address(es).
4.2.4 ISP and WAN and ISP Connection Settings
Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you select Ethernet and set the IP Address Assignment to Auto. If you set the IP Address Assignment to static and/or select PPTP or PPPoE, enter the Internet access information exactly as your ISP gave it to you.
Note: Enter the Internet access information exactly as your ISP gave it to you.
Figure 54 WAN and ISP Connection Settings: (PPTP)
Figure 55 WAN and ISP Connection Settings: (PPPoE)
Figure 56 WAN and ISP Connection Settings: (L2TP)
ISP Parameter: This section appears if the interface uses a PPPoE or PPTP Internet connection.
Encapsulation: This displays the type of Internet connection you are configuring.
Service Name: Type the PPPoE service name if you were given one by your ISP.
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by this remote node.
CHAP - Your Zyxel Device accepts CHAP only.
PAP - Your Zyxel Device accepts PAP only.
MSCHAP - Your Zyxel Device accepts MSCHAP only.
MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
User Name: Type the user name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
Password: Type the password associated with the user name above. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
Retype to Confirm: Type your password again for confirmation.
Nailed-Up: Select Nailed-Up if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. 0 means no timeout.
PPTP Configuration: This section only appears if the interface uses a PPTP Internet connection.
Base Interface: This displays the identity of the Ethernet interface you configure to connect with a modem or router.
Base IP Address: Type the (static) IP address assigned to you by your ISP.
IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Gateway IP Address: For PPTP or L2TP, type the gateway IP address if you were given one by your ISP.
Server IP: Type the IP address of the PPTP server.
Connection ID: Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.
IP Address Assignment
WAN Interface: This displays the identity of the interface you configure to connect with your ISP.
Zone: This field displays to which security zone this interface and Internet connection will belong.
IP Address: This field is read-only when the WAN interface uses a dynamic IP address. If your WAN interface uses a static IP address, enter it in this field.
IP Subnet Mask: If your WAN interface uses Ethernet encapsulation with a static IP address, enter the subnet mask in this field.
Gateway IP Address: Type the IP address of the Ethernet device connected to this WAN port.
First DNS Server / Second DNS Server: These fields only display for an interface with a static IP address. Enter the DNS server IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
4.2.5 Quick Setup Interface Wizard: Summary
This screen displays an example WAN interface’s settings.
Figure 57 Interface Wizard: Summary WAN
Encapsulation: This displays what encapsulation this interface uses to connect to the Internet.
Service Name: This field only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account.
Server IP: This field only appears for a PPTP interface. It displays the IP address of the PPTP server.
User Name: This is the user name given to you by your ISP.
Nailed-Up: If No displays, the connection will not time out. Yes means the Zyxel Device uses the idle timeout.
Idle Timeout: This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server. 0 means no timeout.
Connection ID: If you specified a connection ID, it displays here.
WAN Interface: This identifies the interface you configure to connect with your ISP.
Zone: This field displays to which security zone this interface and Internet connection will belong.
IP Address Assignment: This field displays whether the WAN IP address is static or dynamic (Auto).
IP Address: This field displays the current IP address of the Zyxel Device WAN interface selected in this wizard.
IP Subnet Mask: This field displays the subnet mask of the Zyxel Device WAN interface selected in this wizard.
Gateway IP Address: This field displays the IP address of the Ethernet device connected to this WAN port.
First DNS Server /Second DNS Server: If the IP Address Assignment is Static, these fields display the DNS server IP address(es).

4.3 VPN Setup Wizard

Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen.
Figure 58 VPN Setup Wizard
4.3.1 Welcome
Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase 1 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Connection screen.
VPN Settings configures a VPN tunnel for a secure connection to another computer or network.
VPN Settings for Configuration Provisioning sets up a VPN rule the Zyxel Device IPSec VPN Client can retrieve. Just enter a user name, password and the IP address of the Zyxel Device in the IPSec VPN Client to get the VPN settings automatically from the Zyxel Device.
VPN Settings for L2TP VPN Settings sets up an L2TP VPN rule that the Zyxel Device IPSec L2TP VPN client can retrieve.
Figure 59 VPN Setup Wizard Welcome
4.3.2 VPN Setup Wizard: Wizard Type
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD-based Zyxel Device using a pre-shared key.
Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device.
Figure 60 VPN Setup Wizard: Wizard Type
4.3.3 VPN Express Wizard - Scenario
Click the Express radio button as shown in Figure 60 on page 78 to display the following screen.
Figure 61 VPN Express Wizard: Scenario
IKE (Internet Key Exchange) Version: IKEv1 and IKEv2
IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
Scenario
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.
Site-to-site - The remote IPSec device has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel.
Site-to-site with Dynamic Peer - The remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
Remote Access (Client Role) - Connect to an IPSec server. This Zyxel Device is the client (dial-in user) and can initiate the VPN tunnel.
4.3.4 VPN Express Wizard - Configuration
Figure 62 VPN Express Wizard: Configuration
My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device.
Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters. Precede a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Local Policy (IP/Mask): Type the IP address of a computer on your network that can use the tunnel. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
Remote Policy (IP/Mask): Any displays in this field if it is not configurable for the chosen scenario. Otherwise, type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
4.3.5 VPN Express Wizard - Summary
This screen provides a read-only summary of the VPN tunnel’s configuration and commands that you can copy and paste into another ZLD-based Zyxel Device’s command line interface to configure it.
Figure 63 VPN Express Wizard: Summary
Rule Name: Identifies the VPN gateway policy.
Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.
Local Policy: IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel.
Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
• Copy and paste the Configuration for Secure Gateway commands into another ZLD-based Zyxel Device’s command line interface to configure it to serve as the other end of this VPN tunnel. You can also use a text editor to save these commands as a shell script file with a “.zysh” filename extension. Use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list.
4.3.6 VPN Express Wizard - Finish
Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
Figure 64 VPN Express Wizard: Finish
Click Close to exit the wizard.
4.3.7 VPN Advanced Wizard - Scenario
Click the Advanced radio button as shown in Figure 60 on page 78 to display the following screen.
Figure 65 VPN Advanced Wizard: Scenario
IKE (Internet Key Exchange) Version: IKEv1 and IKEv2
IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
Scenario
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.
Site-to-site - The remote IPSec device has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel.
Site-to-site with Dynamic Peer - The remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
Remote Access (Server Role) - Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
Remote Access (Client Role) - Connect to an IPSec server. This Zyxel Device is the client (dial-in user) and can initiate the VPN tunnel.
4.3.8 VPN Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
Figure 66 VPN Advanced Wizard: Phase 1 Settings
Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device.
Negotiation Mode: This displays Main or Aggressive:
Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to establish the IKE SA.
Aggressive is faster but does not encrypt the identities.
The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the security (this may affect throughput). Both sender and receiver must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key, and AES256 uses a 256-bit key.
Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The stronger the algorithm the slower it is.
Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number.
SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).
Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens for more information.
Dead Peer Detection (DPD) has the Zyxel Device make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the Zyxel Device sends a message to the remote IPSec device. If it responds, the Zyxel Device transmits the data. If it does not respond, the Zyxel Device shuts down the IKE SA.
Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the Zyxel Device’s certificates.
4.3.9 VPN Advanced Wizard - Phase 2
Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.
Figure 67 VPN Advanced Wizard: Phase 2 Settings
Active Protocol: ESP is compatible with NAT, AH is not.
Encapsulation: Tunnel is compatible with NAT, Transport is not.
Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The stronger the algorithm the slower it is.
SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number (more secure, yet slower).
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
Remote Policy (IP/Mask): Type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the Zyxel Device automatically renegotiate the IPSec SA when the SA life time expires.
4.3.10 VPN Advanced Wizard - Summary
This is a read-only summary of the VPN tunnel settings.
Figure 68 VPN Advanced Wizard: Summary
Rule Name: Identifies the VPN connection (and the VPN gateway).
Secure Gateway: IP address or domain name of the remote IPSec device.
Pre-Shared Key: VPN tunnel password.
Certificate: The certificate the Zyxel Device uses to identify itself when setting up the VPN tunnel.
Local Policy: IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel.
Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.
Phase 1
Negotiation Mode: This displays Main or Aggressive:
Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to establish the IKE SA.
Aggressive is faster but does not encrypt the identities.
The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly).
DES uses a 56-bit key.
3DES uses a 168-bit key.
AES128 uses a 128-bit key
AES192 uses a 192-bit key
AES256 uses a 256-bit key.
Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is.
MD5 gives minimal security.
SHA1 gives higher security
SHA256 gives the highest security.
Key Group: This displays the Diffie-Hellman (DH) key group used. DH5 is more secure than DH1 or DH2 (although it may affect throughput).
DH1 uses a 768 bit random number.
DH2 uses a 1024 bit (1Kb) random number.
DH5 uses a 1536 bit random number.
Phase 2
Active Protocol: This displays ESP (compatible with NAT) or AH.
Encapsulation: This displays Tunnel (compatible with NAT) or Transport.
Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly).
DES uses a 56-bit key.
3DES uses a 168-bit key.
AES128 uses a 128-bit key
AES192 uses a 192-bit key
AES256 uses a 256-bit key.
Null uses no encryption.
Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is.
MD5 gives minimal security.
SHA1 gives higher security
SHA256 gives the highest security.
Copy and paste the Configuration for Remote Gateway commands into another ZLD-based Zyxel Device’s command line interface.
Click Save to save the VPN rule.
4.3.11 VPN Advanced Wizard - Finish
Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
Figure 69 VPN Wizard: Finish
Click Close to exit the wizard.

4.4 VPN Settings for Configuration Provisioning Wizard: Wizard Type

Use VPN Settings for Configuration Provisioning to set up a VPN rule that can be retrieved with the Zyxel Device IPSec VPN Client.
VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions. They must not contain the following settings:
• AH active protocol
• NULL encryption
• SHA512 authentication
• A subnet or range remote policy
Choose Express to create a VPN rule with the default phase 1 and phase 2 settings and to use a pre-shared key.
Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key in the VPN rule.
Figure 70 VPN Settings for Configuration Provisioning Express Wizard: Wizard Type
4.4.1 Configuration Provisioning Express Wizard - VPN Settings
Click the Express radio button as shown in the previous screen to display the following screen.
Figure 71 VPN for Configuration Provisioning Express Wizard: Settings Scenario
IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
4.4.2 Configuration Provisioning VPN Express Wizard - Configuration
Click Next to continue the wizard.
Figure 72 VPN for Configuration Provisioning Express Wizard: Configuration
My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device.
Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters. Precede a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this wizard.
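The Rule Name, Pre-Shared Key and Local/Remote Policy rules given here and in the VPN Express Wizard (sections 4.3.3 and 4.3.4) can be checked before the values are typed into either device. The following Python sketch is an added example, not Zyxel code; the dictionary keys, the sample values, the treatment of any value starting with 0x as a hexadecimal key and the acceptance of lower-case hex digits are assumptions.

```python
import ipaddress
import re
import string

# Rule Name: 1-31 alphanumerics, "_" or "-"; the first character cannot be a number.
RULE_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")
# Hex key: 8 to 31 pairs of hex digits after "0x" (lower case accepted: assumption).
HEX_PAIRS_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){8,31}")
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def rule_name_problems(name):
    """Return a list of problems with a Rule Name value (empty list if valid)."""
    if RULE_NAME_RE.fullmatch(name):
        return []
    if name[:1].isdigit():
        return ["rule name must not start with a number"]
    return ["rule name must be 1-31 characters from A-Z, a-z, 0-9, '_' and '-'"]


def classify_psk(psk):
    """Return (kind, key_material, problems) for a Pre-Shared Key value."""
    if psk.startswith("0x"):  # assumption: a leading 0x always means a hex key
        digits = psk[2:]
        if HEX_PAIRS_RE.fullmatch(digits):
            return "hex", bytes.fromhex(digits), []
        return "hex", None, ["hex key needs 8 to 31 pairs of 0-9/A-F after 0x"]
    problems = []
    if not 8 <= len(psk) <= 31:
        problems.append("ASCII key must be 8 to 31 characters")
    if any(ch not in PRINTABLE_ASCII for ch in psk):
        problems.append("ASCII key has a non-printable or non-ASCII character")
    return "ascii", psk.encode("utf-8"), problems


def parse_policy(value):
    """Parse "IP" or "IP/Mask" (prefix length or dotted mask) into a network."""
    return ipaddress.ip_network(value.strip(), strict=True)


def tunnel_pair_problems(site_a, site_b):
    """Check the fields that must agree between the two ends of one tunnel.

    The messages never include the key itself, so the result is safe to log.
    """
    problems = []
    materials = []
    for label, site in (("A", site_a), ("B", site_b)):
        _, material, psk_problems = classify_psk(site["psk"])
        materials.append(material)
        for text in rule_name_problems(site["rule_name"]) + psk_problems:
            problems.append(f"site {label}: {text}")
    if materials[0] != materials[1]:
        problems.append("pre-shared keys differ between the two ends")
    # Each side's Local Policy must match the other side's Remote Policy.
    for mine, theirs, pair in ((site_a, site_b, "A local vs B remote"),
                               (site_b, site_a, "B local vs A remote")):
        try:
            if parse_policy(mine["local_policy"]) != parse_policy(theirs["remote_policy"]):
                problems.append(f"policy mismatch: {pair}")
        except ValueError as exc:
            problems.append(f"unparsable policy ({pair}): {exc}")
    return problems


# Constructed sample values (not taken from any real deployment).
SITE_A = {"rule_name": "HQ_to_Branch", "psk": "0xA1B2C3D4E5F60718",
          "local_policy": "192.168.1.0/255.255.255.0", "remote_policy": "172.16.1.0/24"}
SITE_B = {"rule_name": "Branch_to_HQ", "psk": "0xa1b2c3d4e5f60718",
          "local_policy": "172.16.1.0/24", "remote_policy": "192.168.1.0/24"}
SITE_B_BAD = {"rule_name": "1branch", "psk": "short",
              "local_policy": "172.16.1.0/24", "remote_policy": "192.168.2.0/24"}

if __name__ == "__main__":
    for other in (SITE_B, SITE_B_BAD):
        print(other["rule_name"], tunnel_pair_problems(SITE_A, other))
```
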
4.4.3 VPN Settings for Configuration Provisioning Express Wizard - Summary
This screen has a read-only summary of the VPN tunnel’s configuration and commands you can copy and paste into another ZLD-based Zyxel Device’s command line interface to configure it.
Figure 73 VPN for Configuration Provisioning Express Wizard: Summary
Rule Name: Identifies the VPN gateway policy.
Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.
Local Policy: (Static) IP address and subnet mask of the computers on the network behind your Zyxel Device that can be accessed using the tunnel.
Remote Policy: Any displays in this field because it is not configurable in this wizard.
• The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device.
• Click Save to save the VPN rule.
4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish
Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Connection screen. Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device.
Figure 74 VPN for Configuration Provisioning Express Wizard: Finish
Click Close to exit the wizard.
4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario
Click the Advanced radio button as shown in Figure 70 on page 89 to display the following screen.
Figure 75 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings
IKE (Internet Key Exchange) is a protocol used in security associations to send data securely. IKE uses certificates or pre-shared keys for authentication and a Diffie–Hellman key exchange to set up a shared session secret from which encryption keys are derived.
IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise authentication systems.
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Application Scenario: Only the Remote Access (Server Role) is allowed in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
Click Next to continue the wizard.
4.4.6 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
Figure 76 VPN for Configuration Provisioning Advanced Wizard: Phase 1 Settings
Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
My Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device.
Negotiation Mode: This displays Main or Aggressive:
Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to establish the IKE SA.
Aggressive is faster but does not encrypt the identities.
The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the security (this may affect throughput). Both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it is.
Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number.
SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the Zyxel Device’s certificates.
4.4.7 VPN Settings for Configuration Provisioning Advanced Wizard - Phase 2
Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.
Figure 77 VPN for Configuration Provisioning Advanced Wizard: Phase 2 Settings
Active Protocol: ESP is compatible with NAT. AH is not available in this wizard.
Encapsulation: Tunnel is compatible with NAT, Transport is not.
Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
Authentication Algorithm: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. MD5 gives minimal security. SHA1 gives higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it is.
SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number (more secure, yet slower).
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
Remote Policy (IP/Mask): Any displays in this field because it is not configurable in this wizard.
Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the Zyxel Device automatically renegotiate the IPSec SA when the SA life time expires.
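The strength rankings and NAT notes in the Phase 1 and Phase 2 field descriptions (sections 4.3.8, 4.3.9, 4.4.6 and 4.4.7), together with the Zyxel Device IPSec VPN Client restrictions in section 4.4, can be applied to a planned rule as a checklist. This Python sketch is an added example, not Zyxel code; the field names, the sample rules and the a-b notation for an address range are assumptions, and every finding only repeats a statement made in this guide.

```python
import ipaddress

# Key and group sizes exactly as listed in the field descriptions.
KEY_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES192": 192, "AES256": 256}
DH_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}


def remote_policy_kind(value):
    """Classify a Remote Policy value as "any", "host", "subnet" or "range"."""
    value = value.strip()
    if value.lower() == "any":
        return "any"
    if "-" in value:  # assumed notation for a range: first-last
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return "host" if first == last else "range"
    net = ipaddress.ip_network(value, strict=False)
    return "host" if net.num_addresses == 1 else "subnet"


def audit_rule(rule, for_provisioning=False):
    """Return (level, field, message) findings for one planned VPN rule.

    "weak": the guide ranks the choice below another option it offers.
    "conflict": the guide says the setting is not compatible with NAT.
    "blocked": not allowed in a rule retrieved by the IPSec VPN Client.
    "unknown": the value is not one of the options the guide lists.
    """
    findings = []
    if rule["negotiation_mode"] == "Aggressive":
        findings.append(("weak", "negotiation_mode", "identities are not encrypted"))

    for field in ("p1_encryption", "p2_encryption"):
        alg = rule[field]
        if alg == "NULL":
            findings.append(("weak", field, "Null uses no encryption"))
            if for_provisioning:
                findings.append(("blocked", field, "NULL encryption"))
        elif alg not in KEY_BITS:
            findings.append(("unknown", field, alg))
        elif KEY_BITS[alg] == min(KEY_BITS.values()):
            findings.append(("weak", field, f"{alg}: shortest key offered ({KEY_BITS[alg]} bits)"))

    for field in ("p1_authentication", "p2_authentication"):
        if rule[field] == "MD5":
            findings.append(("weak", field, "MD5 gives minimal security"))
        if rule[field] == "SHA512" and for_provisioning:
            findings.append(("blocked", field, "SHA512 authentication"))

    if rule["pfs"] is None:
        findings.append(("weak", "pfs", "PFS disabled: faster setup but less secure"))
    for field in ("key_group", "pfs"):
        group = rule[field]
        if group is None:
            continue
        if group not in DH_BITS:
            findings.append(("unknown", field, group))
        elif DH_BITS[group] < max(DH_BITS.values()):
            findings.append(("weak", field, f"{group} is {DH_BITS[group]}-bit; DH5 is 1536-bit"))

    if rule["nat_traversal"]:
        if rule["active_protocol"] == "AH":
            findings.append(("conflict", "active_protocol", "AH is not compatible with NAT"))
        if rule["encapsulation"] == "Transport":
            findings.append(("conflict", "encapsulation", "Transport is not compatible with NAT"))

    if for_provisioning:
        if rule["active_protocol"] == "AH":
            findings.append(("blocked", "active_protocol", "AH active protocol"))
        if remote_policy_kind(rule["remote_policy"]) in ("subnet", "range"):
            findings.append(("blocked", "remote_policy", "subnet or range remote policy"))
    return findings


def count_level(findings, level):
    """Number of findings with the given level."""
    return sum(1 for found in findings if found[0] == level)


# Constructed sample rules (not taken from any real deployment).
LEGACY_RULE = {
    "negotiation_mode": "Aggressive", "p1_encryption": "DES", "p1_authentication": "MD5",
    "key_group": "DH1", "active_protocol": "ESP", "encapsulation": "Tunnel",
    "p2_encryption": "NULL", "p2_authentication": "SHA512", "pfs": None,
    "nat_traversal": True, "remote_policy": "10.8.0.0/24",
}
STRONGEST_OFFERED = {
    "negotiation_mode": "Main", "p1_encryption": "AES256", "p1_authentication": "SHA256",
    "key_group": "DH5", "active_protocol": "ESP", "encapsulation": "Tunnel",
    "p2_encryption": "AES256", "p2_authentication": "SHA256", "pfs": "DH5",
    "nat_traversal": True, "remote_policy": "Any",
}

if __name__ == "__main__":
    for level, field, message in audit_rule(LEGACY_RULE, for_provisioning=True):
        print(f"{level:8} {field:18} {message}")
```
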
4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard - Summary
This is a read-only summary of the VPN tunnel settings.
Figure 78 VPN for Configuration Provisioning Advanced Wizard: Summary
Summary
Rule Name: Identifies the VPN connection (and the VPN gateway).
Secure Gateway: Any displays in this field because it is not configurable in this wizard. It allows incoming connections from the Zyxel Device IPSec VPN Client.
Pre-Shared Key: VPN tunnel password.
Local Policy: IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel.
Remote Policy: Any displays in this field because it is not configurable in this wizard.
Phase 1
Negotiation Mode: This displays Main or Aggressive:
Main encrypts the ZyWALL/USG’s and remote IPSec router’s identities but takes more time to establish the IKE SA.
Aggressive is faster but does not encrypt the identities.
The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly).
DES uses a 56-bit key.
3DES uses a 168-bit key.
AES128 uses a 128-bit key
AES192 uses a 192-bit key
AES256 uses a 256-bit key.
Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is.
MD5 gives minimal security.
SHA1 gives higher security
SHA256 gives the highest security.
Key Group: This displays the Diffie-Hellman (DH) key group used. DH5 is more secure than DH1 or DH2 (although it may affect throughput).
DH1 uses a 768 bit random number.
DH2 uses a 1024 bit (1Kb) random number.
DH5 uses a 1536 bit random number.
Phase 2
Active Protocol: This displays ESP (compatible with NAT) or AH.
Encapsulation: This displays Tunnel (compatible with NAT) or Transport.
Encryption Algorithm: This displays the encryption method used. The longer the key, the higher the security, the lower the throughput (possibly).
DES uses a 56-bit key.
3DES uses a 168-bit key.
AES128 uses a 128-bit key.
AES192 uses a 192-bit key.
AES256 uses a 256-bit key.
Null uses no encryption.
Authentication Algorithm: This displays the authentication algorithm used. The stronger the algorithm, the slower it is.
MD5 gives minimal security.
SHA1 gives higher security.
SHA256 gives the highest security.
The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device.
Click Save to save the VPN rule.
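The Phase 1 and Phase 2 values shown on this Summary screen can be checked against a local policy before the rule is saved. The following is an added example, not part of the original guide or of any Zyxel tool: the key and DH group sizes are the ones listed above, while the policy thresholds, the text layout of the pasted summary and all function names are assumptions.

```python
# Added example, not Zyxel code. Key and DH sizes are the ones this guide lists;
# POLICY is an assumed local policy and SAMPLE_SUMMARY is constructed input.
ENC_BITS = {"DES": 56, "3DES": 168, "AES128": 128, "AES192": 192, "AES256": 256, "Null": 0}
AUTH_RANK = {"MD5": 1, "SHA1": 2, "SHA256": 3}  # minimal / higher / highest
DH_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}
POLICY = {"min_enc_bits": 128, "legacy_enc": {"3DES"},  # 3DES refused as legacy
          "min_auth_rank": 2, "min_dh_bits": 1536}

SAMPLE_SUMMARY = """\
Phase 1
Negotiation Mode: Aggressive
Encryption Algorithm: DES
Authentication Algorithm: MD5
Key Group: DH2
Phase 2
Encryption Algorithm: Null
Authentication Algorithm: SHA256
"""

def parse_summary(text):
    """Group 'Field: value' lines under their 'Phase 1' / 'Phase 2' heading."""
    phases, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line in ("Phase 1", "Phase 2"):
            current = phases.setdefault(line, {})
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)
            current[field.strip()] = value.strip()
    return phases

def audit(phases, policy=POLICY):
    """Return (phase, field, reason) for every setting the policy rejects."""
    findings = []
    for phase, f in phases.items():
        enc, auth = f.get("Encryption Algorithm"), f.get("Authentication Algorithm")
        bits = ENC_BITS.get(enc)
        if bits is None:
            findings.append((phase, "Encryption Algorithm", f"unrecognised value {enc!r}"))
        elif bits < policy["min_enc_bits"] or enc in policy["legacy_enc"]:
            findings.append((phase, "Encryption Algorithm", f"{enc} ({bits}-bit key) rejected"))
        if AUTH_RANK.get(auth, 0) < policy["min_auth_rank"]:
            findings.append((phase, "Authentication Algorithm", f"{auth} below policy minimum"))
        if f.get("Negotiation Mode") == "Aggressive":
            findings.append((phase, "Negotiation Mode", "identities are not encrypted"))
        group = f.get("Key Group")  # only Phase 1 shows a key group on this screen
        if group is not None and DH_BITS.get(group, 0) < policy["min_dh_bits"]:
            findings.append((phase, "Key Group", f"{group} below {policy['min_dh_bits']} bits"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_summary(SAMPLE_SUMMARY)), sep="\n")
```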
4.4.9 VPN Settings for Configuration Provisioning Advanced Wizard - Finish
Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device.
Figure 79 VPN for Configuration Provisioning Advanced Wizard: Finish
Click Close to exit the wizard.

4.5 VPN Settings for L2TP VPN Settings Wizard

Use VPN Settings for L2TP VPN Settings to set up an L2TP VPN rule. Click Configuration > Quick Setup > VPN Setup and select VPN Settings for L2TP VPN Settings to see the following screen.
Figure 80 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings
Click Next to continue the wizard.
4.5.1 L2TP VPN Settings
Figure 81 VPN Settings for L2TP VPN Settings Wizard: L2TP VPN Settings
Rule Name: Type the name used to identify this L2TP VPN connection (and L2TP VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
My Address (interface): Select one of the interfaces from the pull down menu to apply the L2TP VPN rule.