Zyxel USG100-PLUS User Manual [ru]

Name: Zyxel USG100-PLUS
Brand: Zyxel
SKU: 2739507
Rating: 5 (1 reviews)

5 (1)

ZyWALL USG Series

Unified Security Gateway

Version 3.30

Edition 2, 9/2013

Quick Start Guide

User’s Guide

Default Login Details

LAN IP Address	http://192.168.1.1

User Name	admin

Passwordwww.zyxel.com 1234

IMPORTANT!

READ CAREFULLY BEFORE USE.

KEEP THIS GUIDE FOR FUTURE REFERENCE.

Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.

Introduction

1.1 Overview

This guide covers the ZyWALL USG series and refers to all models as “ZyWALL”. Features and interface names vary by model. Key feature differences between ZyWALL models are as follows. Other features are common to all models although features may vary slightly by model. See the specific product’s datasheet for detailed specifications.

Table 1 Model-Specific Features

FEATURE	ZYWALL USG
Application Patrol	50, 100, 100-PLUS, 200, 300,
	1000, 2000

Anti-Virus	50, 100, 100-PLUS, 200, 300,
	1000, 2000

Intrusion, Protection and Detection	50, 100, 100-PLUS, 200, 300,
	1000, 2000

Two Ethernet WAN Ports	50, 100, 100-PLUS

Two Plus Ethernet WAN Ports	200, 300, 1000, 2000

WiFi (embedded or optional card)	20W, 300, 100, 200

Dual Personality Interfaces (1000Base-T/mini-GBIC combo ports)	2000

Dual Internal Buses for Gigabit Interfaces	2000

Rack-mounting	50, 100, 100-PLUS, 200, 300,
	1000, 2000

Wall-mounting	20, 20W

Dual Power Modules	2000

Security Extender Module Slot	2000

Hard Disk SlotA	2000
Device High Availability	100, 200, 300, 1000, 2000

Auxiliary Port	100, 200, 300, 1000, 2000

A.Reserved for future use.

1.1.1Key Applications

Here are some ZyWALL application scenarios. The following chapters have configuration tutorials.

Security Router

Security features include a stateful inspection firewall, intrusion, detection & prevention, anomaly detection & prevention, content filtering, anti-virus, and anti-spam.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Figure 1 Applications: Security Router

IPv6 Routing

The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The ZyWALL can also route IPv6 packets through IPv4 networks using different tunneling methods.

Figure 2 Applications: IPv6 Routing

VPN Connectivity

Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also purchase the ZyWALL OTPv2 One-Time Password System for strong two-factor authentication for Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN client user logins.

Figure 3 Applications: VPN Connectivity

*****

OTP PIN

SafeWord 2008

Authentication Server

File	Email	Web-based
Server	Server	Application

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

SSL VPN Network Access

SSL VPN lets remote users use their web browsers for a very easy-to-use VPN solution. A user just browses to the ZyWALL’s web address and enters his user name and password to securely connect to the ZyWALL’s network. Here full tunnel mode creates a virtual connection for a remote user and gives him a private IP address in the same subnet as the local network so he can access network resources in the same way as if he were part of the internal network.

Figure 4 SSL VPN With Full Tunnel Mode

LAN (192.168.1.X)

Web Mail File Share Non-Web

https://

Web-based Application Application Server

User-Aware Access Control

Set up security policies to restrict access to sensitive information and shared resources based on the user who is trying to access it. In the following figure user A can access both the Internet and an internal file server. User B has a lower level of access and can only access the Internet. User C is not even logged in and cannot access either.

Figure 5 Applications: User-Aware Access Control

Load Balancing

Set up multiple connections to the Internet on the same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them.

Figure 6 Applications: Multiple WAN Interfaces

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

1.2 Default Zones, Interfaces, and Ports

The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use “the WAN interface” rather than “ge2” or” ge3”.

Figure 7 Zones, Interfaces, and Physical Ethernet Ports

Zones	WAN	DMZ
Interfaces			ge7	ge8
USG 2000
USG 2000
Physical Ports
Physical Ports	P1 P2 P3	P4 P5 P6	P7	P8

Zones	LAN	WAN	DMZ
USG 1000 Interfaces
USG 1000 Interfaces
Physical Ports	P1	P2	P3 P4 P5

Zones	LAN	WAN	DMZ	WLAN
Interfaces
USG 300
USG 300
Physical Ports		P3	P4 P5	P6
Physical Ports	P1 P2	P3	P4 P5	P6

Configure the ZyWALL USG 200’s OPT (optional) Gigabit Ethernet port as a third WAN port, an additional LAN1, WLAN, or DMZ port or a separate network.

Zones					WLAN
Interfaces	wan2	opt	lan1	lan2	-wlan
USG 200

Physical Ports	P1 P2	P3	P4	P5	P6 P7

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Zones	WLAN
USG 100 Interfaces	wan2
Physical Ports	P1 P2 P3 P4 P5 P6 P7

	Zones
USG 100	Interfaces	wan2	lan1	lan2	dmz
USG 100
PLUS
PLUS	Physical Ports	P1 P2	P3 P4	P5	P6
	Physical Ports	P1 P2	P3 P4	P5	P6

	Zones	wan2		lan2
USG 50	Interfaces		lan1		dmz

	Physical Ports	P1 P2	P3 P4		P6
				P5

Zones

USG 20/20W Interfaces

Physical Ports

P2 P3 P4 P5

1.3 Management Overview

You can manage the ZyWALL in the following ways.

Web Configurator

The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Figure 8 Managing the ZyWALL: Web Configurator

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the ZyWALL. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are:

Table 2 Console Port Default Settings

SETTING	VALUE
Speed	115200 bps

Data Bits	8

Parity	None

Stop Bit	1

Flow Control	Off

Vantage CNM

The browser-based Vantage CNM (Centralized Network Management) global management tool lets administrators to manage multiple devices. Use the System > Vantage CNM screen to allow your ZyWALL to be managed by the Vantage CNM server. See the Vantage CNM User’s Guide for details.

1.4 Web Configurator

In order to use the Web Configurator, you must:

•Use one of the following web browser versions or later: Internet Explorer 7, Firefox 3.5, Chrome 9.0, Opera 10.0, Safari 4.0

•Allow pop-up windows (blocked by default in Windows XP Service Pack 2)

•Enable JavaScripts, Java permissions, and cookies

The recommended screen resolution is 1024 x 768 pixels.

1.4.1 Web Configurator Access

1 Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

2In your browser go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.

3Type the user name (default: “admin”) and password (default: “1234”).

If you have a OTP (One-Time Password) token generate a number and enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in.

4Click Login. If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears.

5The Network Risk Warning screen displays any unregistered or disabled security services. Select how often to display the screen and click OK.

6Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

1.4.2 Web Configurator Screens Overview

The Web Configurator screen is divided into these parts (as illustrated on page 11):

•A - title bar

•B - navigation panel

•C - main window

Title Bar

Figure 9 Title Bar

The title bar icons in the upper right corner provide the following functions.

Table 3 Title Bar: Web Configurator Icons

LABEL	DESCRIPTION
Logout	Click this to log out of the Web Configurator.

Help	Click this to open the help page for the current screen.

About	Click this to display basic information about the ZyWALL.

Site Map	Click this to see an overview of links to the Web Configurator screens.

Object Reference	Click this to check which configuration items reference an object.

Console	Click this to open a Java-based console window from which you can run command line
	interface (CLI) commands. You will be prompted to enter your user name and password.
	See the Command Reference Guide for information about the commands.

CLI	Click this to open a popup window that displays the CLI commands sent by the Web
	Configurator to the ZyWALL.

1.4.3 Navigation Panel

Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the ZyWALL’s navigation panel menus and their screens.

Figure 10 Navigation Panel

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Dashboard

The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See the Web Help for details on the dashboard.

Monitor Menu

The monitor menu screens display status and statistics information.

Table 4 Monitor Menu Screens Summary

FOLDER OR LINK	TAB	FUNCTION
System Status

Port Statistics		Displays packet statistics for each physical port.

Interface		Displays general interface information and packet statistics.
Status

Traffic		Collect and display traffic statistics.
Statistics

Session		Displays the status of all current sessions.
Monitor

DDNS Status		Displays the status of the ZyWALL’s DDNS domain names.

IP/MAC Binding		Lists the devices that have received an IP address from ZyWALL interfaces using
		IP/MAC binding.

Login Users		Lists the users currently logged into the ZyWALL.

WLAN Status		Displays the connection status of the ZyWALL’s wireless clients.

Cellular Status		Displays details about the ZyWALL’s 3G connection status.

USB Storage		Displays details about USB device connected to the ZyWALL.

AppPatrol		Displays bandwidth and protocol statistics.
Statistics

VPN Monitor

IPSec		Displays and manages the active IPSec SAs.

SSL		Lists users currently logged into the VPN SSL client portal. You can also log out
		individual users and delete related session information.

L2TP over		Displays details about current L2TP sessions.
IPSec

Anti-X Statistics

Anti-Virus		Collect and display statistics on the viruses that the ZyWALL has detected.

IDP		Collect and display statistics on the intrusions that the ZyWALL has detected.

Content Filter	Report	Collect and display content filter statistics

	Cache	Manage the ZyWALL’s URL cache.

Anti-Spam	Report	Collect and display spam statistics.

	Status	Displays how many mail sessions the ZyWALL is currently checking and DNSBL
		(Domain Name Service-based spam Black List) statistics.

Log		Lists log entries.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Configuration Menu

Use the configuration menu screens to configure the ZyWALL’s features.

Table 5 Configuration Menu Screens Summary

FOLDER OR LINK	TAB	FUNCTION
Quick Setup		Quickly configure WAN interfaces or VPN connections.

Licensing

Registration	Registration	Register the device and activate trial services.

	Service	View the licensed service status and upgrade licensed services.

Signature	Anti-Virus	Update anti-virus signatures immediately or by a schedule.
Update
Update	IDP/AppPatrol	Update IDP signatures immediately or by a schedule.
	IDP/AppPatrol	Update IDP signatures immediately or by a schedule.

	System Protect	View system-protect signatures status.

Network

Interface	Port Grouping	Configure physical port groups.

	Port Role	Use this screen to set the ZyWALL’s flexible ports as LAN1, WLAN,
		or DMZ.

	Ethernet	Manage Ethernet interfaces and virtual Ethernet interfaces.

	PPP	Create and manage PPPoE and PPTP interfaces.

	Cellular	Configure a cellular Internet connection for an installed 3G card.

	Tunnel	Configure tunneling between IPv4 and IPv6 networks.

	WLAN	Configure settings for an installed wireless LAN card.

	VLAN	Create and manage VLAN interfaces and virtual VLAN interfaces.

	Bridge	Create and manage bridges and virtual bridge interfaces.

	Auxiliary	Manage the AUX port.

	Trunk	Create and manage trunks (groups of interfaces) for load balancing
		and link High Availability (HA).

Routing	Policy Route	Create and manage routing policies.

	Static Route	Create and manage IP static routing information.

	RIP	Configure device-level RIP settings.

	OSPF	Configure device-level OSPF settings, including areas and virtual
		links.

Zone		Configure zones used to define various policies.

DDNS	Profile	Define and manage the ZyWALL’s DDNS domain names.

NAT		Set up and manage port forwarding rules.

HTTP Redirect		Set up and manage HTTP redirection rules.

ALG		Configure SIP, H.323, and FTP pass-through settings.

IP/MAC	Summary	Configure IP to MAC address bindings for devices connected to
Binding		each supported interface.

	Exempt List	Configure ranges of IP addresses to which the ZyWALL does not
		apply IP/MAC binding.

DNS Inbound	DNS Load	Configure DNS Load Balancing.
LB	Balancing

Auth. Policy		Define rules to force user authentication.

Firewall	Firewall	Create and manage level-3 traffic rules.

	Session Limit	Limit the number of concurrent client NAT/firewall sessions.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Table 5 Configuration Menu Screens Summary (continued)

FOLDER OR LINK	TAB	FUNCTION
VPN

IPSec VPN	VPN Connection	Configure IPSec tunnels.

	VPN Gateway	Configure IKE tunnels.

	Concentrator	Combine IPSec VPN connections into a single secure network

	Configuration	Set who can retrieve VPN rule settings from the ZyWALL using the
	Provisioning	ZyWALL IPSec VPN Client.

SSL VPN	Access Privilege	Configure SSL VPN access rights for users and groups.

	Global Setting	Configure the ZyWALL’s SSL VPN settings that apply to all
		connections.

L2TP VPN	L2TP VPN	Configure L2TP over IPSec tunnels.

AppPatrol	General	Enable or disable traffic management by application and see
		registration and signature information.

	Query	Manage traffic management by application.

	Other	Manage other kinds of traffic.

BWM	BWM	Enable and configure bandwidth management rules.

Anti-X

Anti-Virus	General	Turn anti-virus on or off, set up anti-virus policies and check the
		anti-virus engine type and the anti-virus license and signature
		status.

	Black/White List	Set up anti-virus black (blocked) and white (allowed) lists of virus
		file patterns.

	Signature	Search for signatures by signature name or attributes and
		configure how the ZyWALL uses them.

IDP	General	Display and manage IDP bindings.

	Profile	Create and manage IDP profiles.

	Custom Signatures	Create, import, or export custom signatures.

ADP	General	Display and manage ADP bindings.

	Profile	Create and manage ADP profiles.

Content Filter	General	Create and manage content filter policies.

	Filter Profile	Create and manage the detailed filtering rules for content filtering
		policies.

	Trusted Web Sites	Create a list of allowed web sites that bypass content filtering
		policies.

	Forbidden Web	Create a list of web sites to block regardless of content filtering
	Sites	policies.

Anti-Spam	General	Turn anti-spam on or off and manage anti-spam policies.

	Mail Scan	Configure e-mail scanning details.

	Black/White List	Set up a black list to identify spam and a white list to identify
		legitimate e-mail.

	DNSBL	Have the ZyWALL check e-mail against DNS Black Lists.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Table 5 Configuration Menu Screens Summary (continued)

FOLDER OR LINK	TAB	FUNCTION
Device HA	General	Configure device HA global settings, and see the status of each
		interface monitored by device HA.

	Active-Passive	Configure active-passive mode device HA.
	Mode

	Legacy Mode	Configure legacy mode device HA for use with ZyWALLs that
		already have device HA setup using a firmware version earlier than
		2.10.

Object

User/Group	User	Create and manage users.

	Group	Create and manage groups of users.

	Setting	Manage default settings for all users, general settings for user
		sessions, and rules to force user authentication.

Address	Address	Create and manage host, range, and network (subnet) addresses.

	Address Group	Create and manage groups of addresses.

Service	Service	Create and manage TCP and UDP services.

	Service Group	Create and manage groups of services.

Schedule	Schedule	Create one-time and recurring schedules.

AAA Server	Active Directory	Configure the Active Directory settings.

	LDAP	Configure the LDAP settings.

	RADIUS	Configure the RADIUS settings.

Auth. Method	Authentication	Create and manage ways of authenticating users.
	Method

Certificate	My Certificates	Create and manage the ZyWALL’s certificates.

	Trusted Certificates	Import and manage certificates from trusted sources.

ISP Account	ISP Account	Create and manage ISP account information for PPPoE/PPTP
		interfaces.

SSL Application		Create SSL web application objects.

Endpoint		Create Endpoint Security (EPS) objects.
Security

DHCPv6	Request	Configure IPv6 DHCP request type and interface information.

	Lease	Configure IPv6 DHCP lease type and interface information.

System

Host Name		Configure the system and domain name for the ZyWALL.

USB Storage	Settings	Configure the settings for the connected USB devices.

Date/Time		Configure the current date, time, and time zone in the ZyWALL.

Console Speed		Set the console speed.

DNS		Configure the DNS server and address records for the ZyWALL.

WWW	Service Control	Configure HTTP, HTTPS, and general authentication.

	Login Page	Configure how the login and access user screens look.

SSH		Configure SSH server and SSH service settings.

TELNET		Configure telnet server settings for the ZyWALL.

FTP		Configure FTP server settings.

SNMP		Configure SNMP communities and services.

ZyWALL USG 20-2000 User’s Guide

		Chapter 1 Introduction

Table 5 Configuration Menu Screens Summary (continued)
FOLDER OR LINK	TAB	FUNCTION
Dial-in Mgmt.		Configure settings for an out of band management connection
		through a modem connected to the AUX port.

Vantage CNM		Configure and allow your ZyWALL to be managed by the Vantage
		CNM server.

Language		Select the Web Configurator language.

IPv6		Enable IPv6 globally on the ZyWALL here.

Log & Report

Email Daily		Configure where and how to send daily reports and what reports to
Report		send.

Log Setting		Configure the system log, e-mail logs, and remote syslog servers.

Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL.

Table 6 Maintenance Menu Screens Summary

FOLDER	TAB	FUNCTION
OR LINK	TAB	FUNCTION
OR LINK
File	Configuration File	Manage and upload configuration files for the ZyWALL.
Manager
Manager	Firmware Package	View the current firmware version and to upload firmware.
	Firmware Package	View the current firmware version and to upload firmware.

	Shell Script	Manage and run shell script files for the ZyWALL.

Diagnostics	Diagnostic	Collect diagnostic information.

	Packet Capture	Capture packets for analysis.

	System Log	Connect a USB device to the ZyWALL and archive the ZyWALL system logs
		to it here.

Packet	Routing Status	Check how the ZyWALL determines where to route a packet.
Flow
Flow	SNAT Status	View a clear picture on how the ZyWALL converts a packet’s source IP
Explore	SNAT Status
Explore		address and check the related settings.
		address and check the related settings.

Reboot		Restart the ZyWALL.

Shutdown		Turn off the ZyWALL.

1.4.4 Tables and Lists

Web Configurator tables and lists are flexible with several options for how to display their entries. Click a column heading to sort the table’s entries according to that column’s criteria.

Figure 11 Sorting Table Entries by a Column’s Criteria

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:

•Sort in ascending or descending (reverse) alphabetical order

•Select which columns to display

•Group entries by field

•Show entries in groups

•Filter by mathematical operators (<, >, or =) or searching for text Figure 12 Common Table Column Options

Select a column heading cell’s right border and drag to re-size the column.

Figure 13 Resizing a Table Column

Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.

Figure 14 Moving Columns

Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Figure 15 Navigating Pages of Table Entries

The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.

Figure 16 Common Table Icons

Here are descriptions for the most common table icons.

Table 7 Common Table Icons

LABEL	DESCRIPTION
Add	Click this to create a new entry. For features where the entry’s position in the numbered list is
	important (features where the ZyWALL applies the table’s entries in order like the firewall for
	example), you can select an entry and click Add to create a new entry after the selected entry.

Edit	Double-click an entry or select it and click Edit to open a screen where you can modify the
	entry’s settings. In some tables you can just click a table entry and edit it directly in the table.
	For those types of tables small red triangles display for table entries with changes that you have
	not yet applied.

Remove	To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it
	before doing so.

Activate	To turn on an entry, select it and click Activate.

Inactivate	To turn off an entry, select it and click Inactivate.

Connect	To connect an entry, select it and click Connect.

Disconnect	To disconnect an entry, select it and click Disconnect.

Object	Select an entry and click Object References to check which settings use the entry.
References

Move	To change an entry’s position in a numbered list, select it and click Move to display a field to
	type a number for where you want to put that entry and press [ENTER] to move the entry to the
	number that you typed. For example, if you type 6, the entry you are moving becomes number 6
	and the previous entry 6 (if there is one) gets pushed up (or down) one.

Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just doubleclick an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Figure 17 Working with Lists

1.5 Stopping the ZyWALL

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.

1.6 Rack-mounting

See Table 1 on page 5 for the ZyWALL USG models that can be rack mounted. Use the following steps to mount the ZyWALL on an EIA standard size, 19-inch rack or in a wiring closet with other equipment using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit.

Note: Leave 10 cm of clearance at the sides and 20 cm in the rear.

Use a #2 Phillips screwdriver to install the screws.

Note: Failure to use the proper screws may damage the unit.

1Align one bracket with the holes on one side of the ZyWALL and secure it with the included bracket screws (smaller than the rack-mounting screws).

2Attach the other bracket in a similar fashion.

3After attaching both mounting brackets, position the ZyWALL in the rack and up the bracket holes with the rack holes. Secure the ZyWALL to the rack with the rack-mounting screws.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

1.7 Wall-mounting

See Table 1 on page 5 for the ZyWALL USG models that can be wall-mounted. Do the following to attach your ZyWALL to a wall.

1Screw two screws with 6 mm ~ 8 mm (0.24" ~ 0.31") wide heads into the wall 150 mm apart (see the figure in step 2). Do not screw the screws all the way in to the wall; leave a small gap between the head of the screw and the wall.

The gap must be big enough for the screw heads to slide into the screw slots and the connection cables to run down the back of the ZyWALL.

Note: Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the ZyWALL with the connection cables.

2Use the holes on the bottom of the ZyWALL to hang the ZyWALL on the screws.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

USG 20W

Wall-mount the ZyWALL horizontally. The ZyWALL's side panels with ventilation slots should not be facing up or down as this position is less safe.

1.8 Front Panel

This section introduces the ZyWALL’s front panel.

Figure 18 ZyWALL Front Panel

USG 2000

USG 1000

USG 300

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

USG 200

USG 100

PLUS

USG 100

USG 50

USG 20W

USG 20

1.8.1 Dual Personality Interfaces

A dual personality interface is a 1000Base-T/mini-GBIC combo port. For each interface you can connect either to the 1000Base-T port or the mini-GBIC port. The mini-GBIC port has priority over the 1000Base-T port so the 1000Base-T port is disabled if both are connected at the same time.

1000Base-T Ports

The 1000Base-T auto-negotiating, auto-crossover Ethernet ports support 100/1000 Mbps Gigabit Ethernet so the speed can be 100 Mbps or 1000 Mbps. The duplex mode is full at 1000 Mbps and half or full at 100 Mbps. An auto-negotiating port can detect and adjust to the optimum Ethernet speed (100/1000 Mbps) and duplex mode (full duplex or half duplex) of the connected device. An auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable. The factory default negotiation settings for the Ethernet ports on the ZyWALL are speed: auto, duplex: auto, and flow control: on (you cannot configure the flow control setting, but the ZyWALL can negotiate with the peer and turn it off if needed)

Mini-GBIC Slots

These are slots for Small Form-Factor Pluggable (SFP) transceivers (not included). A transceiver is a single unit that houses a transmitter and a receiver. Use a transceiver to connect a fiber-optic cable to the ZyWALL. Use transceivers that comply with the Small Form-Factor Pluggable (SFP)

Transceiver MultiSource Agreement (MSA). See the SFF committee’s INF-8074i specification Rev

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

1.0 for details. You can change transceivers while the ZyWALL is operating. You can use different transceivers to connect to devices with different types of fiber-optic connectors.

•Type: SFP connection interface

•Connection speed: 1 Gigabit per second (Gbps)

To avoid possible eye injury, do not look into an operating fiber-optic module’s connectors or fiber-optic cable.

Transceiver and Fiber-optic Cable Installation

Use the following steps to install a mini GBIC transceiver (SFP module).

1Insert the transceiver into the slot with the exposed section of PCB board facing down.

2Press the transceiver firmly until it clicks into place.

3Push the end of the fiber-optic cable firmly into the transceiver until it locks into place. When the other end of the fiber-optic cable is connected, check the LEDs to verify the link status.

Fiber-optic Cable and Transceiver Removal

Use the following steps to remove a mini GBIC transceiver (SFP module).

1Press down on the top of the fiber-optic cable where it connects to the transceiver to release it. Then pull the fiberoptic cable out.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

2Open the transceiver’s latch (latch styles vary).

3Pull the transceiver out of the slot.

1.8.2Maximizing Throughput

A ZyWALL USG with dual internal buses (see Table 1 on page 5) for Gigabit interfaces has one internal bus for ports P1-P7 and another for port P8. To maximize the ZyWALL’s throughput, use P8 for your connection with the most traffic.

Figure 19 Gigabit Interfaces and Internal Buses

Some ZyWALLs (see Table 1 on page 5) let you add an optional Security Extension Module (SEM) to enhance the VPN or VPN and Unified Threat Management (UTM) capabilities.

Figure 20 Security Extension Module

•The VPN module (SEM-VPN) increases the maximum VPN throughput from 100 Mbps to 500 Mbps, the maximum number of IPSec VPN tunnels from 1,000 to 2,000 and the maximum number of SSL VPN users from 250 (with a license) to 750 (with a license).

•The SEM-DUAL module provides the VPN performance enhancements and increases the maximum anti-virus and IDP traffic throughput from 100 Mbps to 400 Mbps.

1.8.3Front Panel LEDs

The following tables describe the LEDs.

Table 8 ZyWALL USG 20 ~ USG 1000 Front Panel LEDs

LED	COLOR	STATUS	DESCRIPTION
PWR		Off	The ZyWALL is turned off.

	Green	On	The ZyWALL is turned on.

	Red	On	There is a hardware component failure. Shut down the device, wait for a few
			minutes and then restart the device (see Section 1.5 on page 20). If the LED
			turns red again, then please contact your vendor.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

Table 8 ZyWALL USG 20 ~ USG 1000 Front Panel LEDs (continued)

LED	COLOR	STATUS	DESCRIPTION
SYS	Green	Off	The ZyWALL is not ready or has failed.

		On	The ZyWALL is ready and running.

		Blinking	The ZyWALL is booting.

	Red	On	The ZyWALL had an error or has failed.

AUX	Green	Off	The AUX port is not connected.

		Flashing	The AUX port is sending or receiving packets.

		On	The AUX port is connected.

1, 2 ...	Green	Off	There is no traffic on this port.

		Blinking	The ZyWALL is sending or receiving packets on this port.

	Orange	Off	There is no connection on this port.

		On	This port has a successful link.

USB	Green	Off	No device is connected to the ZyWALL’s USB port or the connected device is
			not supported by the ZyWALL.

		On	A 3G USB card or USB storage device is connected to the USB port.

	Orange	On	Connected to a 3G network through the connected 3G USB card.

WLAN	Green	Off	The wireless function is disabled on the ZyWALL.

		On	The wireless function is enabled on the ZyWALL.

P1~P5	Green	Off	There is no traffic on this port.

		Blinking	The ZyWALL is sending or receiving packets on this port.

	Orange	Off	There is no connection on this port.

		On	This port has a successful link.

Card1,2	Green	Off	There is no card in the slot.

		On	There is a card in the slot.

		Flashing	The card in the slot is sending or receiving traffic.

Table 9 ZyWALL USG 2000 Front Panel LEDs
LED	COLOR	STATUS	DESCRIPTION
PWR1,		Off	Both power modules are turned off, not receiving power, or not functioning.
PWR2
PWR2	Green	On	The power module is operating.
	Green	On	The power module is operating.

	Red	On	The power module has malfunctioned. Turn the power module off, wait a few
			minutes, and turn the power module back on (see Section 1.5 on page 20).
			If the LED shines red again, then please contact your vendor.
SYS		Off	The ZyWALL is turned off.

	Green	On	The ZyWALL is ready and operating normally.

		Flashing	The ZyWALL is self-testing.

	Red	On	The ZyWALL is malfunctioning.

AUX		Off	The AUX port is not connected.

	Orange	On	The AUX port has a dial-in management connection.

		Flashing	The AUX port is sending or receiving packets for the dial-in management
			connection.
	Green	On	The AUX port has a dial backup connection.

		Flashing	The AUX port is sending or receiving packets for the dial backup connection.

ZyWALL USG 20-2000 User’s Guide

			Chapter 1 Introduction

Table 9 ZyWALL USG 2000 Front Panel LEDs (continued)
LED	COLOR	STATUS	DESCRIPTION
CARD	Green	Off	Reserved for future use. There is no card in the CARD SLOT.

		On	There is a card in the CARD SLOT.

HDD			This LED is reserved for future use.

P1~P8	Green	Off	There is no traffic on this port.

		Flashing	The ZyWALL is sending or receiving packets on this port.

	Orange	Off	There is no connection on this port.

		On	This port has a successful link.

LNK	Orange	Off	The Ethernet link is down.

		On	The Ethernet link is up.

ACT	Green	Off	The system is not transmitting/receiving Ethernet traffic.

		Blinking	The system is transmitting/receiving Ethernet traffic.

ZyWALL USG 20-2000 User’s Guide

Chapter 1 Introduction

ZyWALL USG 20-2000 User’s Guide

How to Set Up Your Network

Here are examples of using the Web Configurator to set up your network in the ZyWALL.

Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator, see Section 1.4 on page 10 for details. For field descriptions of individual screens, see the Web Configurator Online Help.

•Wizard Overview on page 29

•How to Configure Interfaces, Port Roles, and Zones on page 29

•How to Configure a Cellular Interface on page 32

•How to Set Up a Wireless LAN on page 34

•How to Configure Ethernet, PPP, VLAN, Bridge and Policy Routing on page 37

•How to Set Up IPv6 Interfaces For Pure IPv6 Routing on page 38

•How to Set Up an IPv6 6to4 Tunnel on page 44

•How to Set Up an IPv6-in-IPv4 Tunnel on page 48

2.1Wizard Overview

Use the wizards to quickly configure Internet connection and VPN settings as well as activate subscription services.

WIZARD	DESCRIPTION
Installation Setup Wizard	Use this wizard the first time log into the Web Configurator to configure WAN
	connections and register your ZyWALL.

Quick Setup	You can find the following wizards in the CONFIGURATION navigation panel.

WAN Interface	Use these wizard screens to quickly configure a WAN interface’s encapsulation
	and IP address settings.

VPN Setup	Use these wizard screens to quickly configure an IPSec VPN or IPSec VPN
	configuration provisioning.

After you complete a wizard, you can go to the CONFIGURATION screens to configure advanced settings.

2.2 How to Configure Interfaces, Port Roles, and Zones

This tutorial shows how to configure Ethernet interfaces, port roles, and zones for the following example configuration.

ZyWALL USG 20-2000 User’s Guide

Chapter 2 How to Set Up Your Network

•The wan1 interface uses a static IP address of 1.2.3.4.

•Add P5 (lan2) to the DMZ interface (Note: In USG 20/20W, use P4 (lan2) instead of P5 in this example). The DMZ interface is used for a protected local network. It uses IP address 192.168.3.1 and serves as a DHCP server by default.

•You want to be able to apply specific security settings for the VPN tunnel created by the Quick Setup - VPN Setup wizard (named WIZ_VPN). So you create a new zone and add WIZ_VPN to it.

Figure 21 Ethernet Interface, Port Roles, and Zone Configuration Example

2.2.1 Configure a WAN Ethernet Interface

You need to assign the ZyWALL’s wan1 interface a static IP address of 1.2.3.4.

Click Configuration > Network > Interface > Ethernet and double-click the wan1 interface’s entry in the Configuration section. Select Use Fixed IP Address and configure the IP address, subnet mask, and default gateway settings and click OK.

ZyWALL USG 20-2000 User’s Guide

+ 120 hidden pages

Introduction...........................................................................................................................................		5
1.1	Overview .............................................................................................................................................	5
1.2	Default Zones, Interfaces, and Ports ...................................................................................................	8
1.3	Management Overview .......................................................................................................................	9
1.4	Web Configurator ..............................................................................................................................	10
1.5	Stopping the ZyWALL .......................................................................................................................	20
1.6	Rack-mounting ..................................................................................................................................	20
1.8	Front Panel ........................................................................................................................................	22
How to Set Up Your Network .............................................................................................................		29
2.1	Wizard Overview ...............................................................................................................................	29
2.2	How to Configure Interfaces, Port Roles, and Zones ........................................................................	29
2.3	How to Configure a Cellular Interface ...............................................................................................	32
2.4	How to Set Up a Wireless LAN .........................................................................................................	34
2.5	How to Configure Ethernet, PPP, VLAN, Bridge and Policy Routing ................................................	37
2.6	How to Set Up IPv6 Interfaces For Pure IPv6 Routing .....................................................................	38
2.7	How to Set Up an IPv6 6to4 Tunnel ..................................................................................................	44
2.8	How to Set Up an IPv6-in-IPv4 Tunnel .............................................................................................	48
Protecting Your Network....................................................................................................................		53
3.1	Firewall ..............................................................................................................................................	53
3.2	User-aware Access Control ..............................................................................................................	54
3.3	Endpoint Security (EPS) ...................................................................................................................	55
3.4	Device and Service Registration .......................................................................................................	55
3.5	Anti-Virus Policy Configuration ..........................................................................................................	56
3.6	IDP Profile Configuration ...................................................................................................................	58
3.7	ADP Profile Configuration .................................................................................................................	59
3.8	Content Filter Profile Configuration ...................................................................................................	61
3.9	Viewing Content Filter Reports .........................................................................................................	63
3.10 Anti-Spam Policy Configuration .......................................................................................................		66
Create Secure Connections Across the Internet .............................................................................		69
4.1	IPSec VPN ........................................................................................................................................	69
4.2	VPN Concentrator Example ..............................................................................................................	71
4.3	Hub-and-spoke IPSec VPN Without VPN Concentrator ...................................................................	73
4.4	ZyWALL IPSec VPN Client Configuration Provisioning ....................................................................	75
4.5 SSL VPN ...........................................................................................................................................		77
4.6	L2TP VPN with Android, iOS, and Windows .....................................................................................	79
4.7	One-Time Password Version 2 (OTPv2) ...........................................................................................	92
Managing Traffic ................................................................................................................................		95

Contents
5.1	How to Configure Bandwidth Management .......................................................................................	95
5.2	How to Configure a Trunk for WAN Load Balancing .......................................................................	102
5.3	How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic ..............................	104
5.4	How to Use Device HA to Backup Your ZyWALL ............................................................................	105
5.5	How to Configure DNS Inbound Load Balancing ............................................................................	110
5.6	How to Allow Public Access to a Web Server .................................................................................	112
5.7	How to Manage Voice Traffic ..........................................................................................................	114
5.8	How to Limit Web Surfing and MSN to Specific People ..................................................................	120
Maintenance ......................................................................................................................................		125
6.1	How to Allow Management Service from WAN ...............................................................................	125
6.2	How to Use a RADIUS Server to Authenticate User Accounts based on Groups ..........................	128
6.3	How to Use SSH for Secure Telnet Access ....................................................................................	129
6.4	How to Manage ZyWALL Configuration Files .................................................................................	130
6.5	How to Manage ZyWALL Firmware ................................................................................................	131
6.6	How to Download and Upload a Shell Script ..................................................................................	132
6.7	How to Change a Power Module ....................................................................................................	133
6.8	How to Save System Logs to a USB Storage Device .....................................................................	135
6.9	How to Get the ZyWALL’s Diagnostic File .......................................................................................	138
6.10 How to Capture Packets on the ZyWALL ......................................................................................		139
6.11 How to Use Packet Flow Explore for Troubleshooting ..................................................................		143
Appendix	A Legal Information..........................................................................................................	145

Zyxel USG100-PLUS User Manual [ru]

Contents

Introduction

1.1 Overview

1.1.1Key Applications

1.2 Default Zones, Interfaces, and Ports

1.3 Management Overview

1.4 Web Configurator

1.4.1 Web Configurator Access

1.4.2 Web Configurator Screens Overview

1.4.3 Navigation Panel

1.4.4 Tables and Lists

1.5 Stopping the ZyWALL

1.6 Rack-mounting

1.7 Wall-mounting

1.8 Front Panel

1.8.1 Dual Personality Interfaces

1.8.2Maximizing Throughput

1.8.3Front Panel LEDs

How to Set Up Your Network

2.1Wizard Overview

2.2 How to Configure Interfaces, Port Roles, and Zones

2.2.1 Configure a WAN Ethernet Interface