How it Works
Zyxel
Loading...
USG1100
User Manual
12 pgs1.7 Mb0
operation manual
782 pgs41.57 Mb0
User Manual
1053 pgs29.78 Mb0
operation manual
1090 pgs36.46 Mb0
Quick guide
2 pgs296.67 Kb0

Zyxel USG1100 operation manual

www.zyxel.com
Default Login Details
LAN Port IP Address
https://192.168.1.1
User Name
admin
Password
1234
ZyWALL/USG/ATP /VPN Series
ATP100/ ATP100W/ ATP200/ ATP500/ ATP700 / ATP800
USG20-VPN / USG20W-VPN / USG40 / USG40W / USG60 / USG60W / USG110 / UGS210 / USG310/ USG1100 /USG1900 / USG2200-VPN USG FLEX 100/ USG FLEX 200/ USG FLEX 500
VPN50 / VPN100 /VPN300 /VPN1000
Security Firewalls
Edition 5, June/2020
Handbook
1/782
www.zyxel.com
copyright © 2020 ZyXEL Communications Corporation
Table of Content
How to Configure Site-to-site IPSec VPN with Amazon VPC .................. 20
Set Up the IPSec VPN Tunnel on the Amazon VPC ............................ 21
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ............................. 25
Test the IPSec VPN Tunnel ..................................................................... 31
What Could Go Wrong? ....................................................................... 32
How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure ..... 33
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ............................. 34
Set Up the IPSec VPN Tunnel on the MS Azure ................................... 39
Test the IPSec VPN Tunnel ..................................................................... 46
What Could Go Wrong? ...................................................................... 49
How to Configure GRE over IPSec VPN Tunnel ........................................ 50
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate
Network (HQ) ......................................................................................... 51
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate
Network (Branch) .................................................................................. 56
Test the GRE over IPSec VPN Tunnel .................................................... 60
What Could Go Wrong? ....................................................................... 61
How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP
Address ....................................................................................................... 63
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch) .................................................................................................. 68
Test the IPSec VPN Tunnel ..................................................................... 72
What Could Go Wrong? ...................................................................... 73
How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic
IP Address ................................................................................................... 75
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(HQ) ........................................................................................................ 75
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch has a Dynamic IP Address) ................................................... 79
Test the IPSec VPN Tunnel ..................................................................... 83
2/782
www.zyxel.com
What Could Go Wrong? ...................................................................... 85
How to Configure IPSec Site to Site VPN while one Site is behind a NAT
router ........................................................................................................... 87
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(HQ) ........................................................................................................ 87
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch) .................................................................................................. 91
Set Up the NAT Router (Using ZyWALL USG device in this example) 95
Test the IPSec VPN Tunnel ..................................................................... 97
What Could Go Wrong? ....................................................................... 98
How to Configure Hub-and-Spoke IPSec VPN ........................................ 99
Set Up the IPSec VPN Tunnel on the ZyWALL/USG by Using VPN
Concentrator Hub_HQ-to-Branch_A ................................................ 100
Hub_HQ-to-Branch_B .......................................................................... 104
Hub_HQ Concentrator ....................................................................... 108
Spoke_Branch_A ................................................................................. 109
Spoke_Branch_B .................................................................................. 114
Test the IPSec VPN Tunnel ................................................................... 119
What Could Go Wrong? .................................................................... 123
Set Up the IPSec VPN Tunnel of ZyWALL/USG without Using VPN
Concentrator Hub_HQ-to-Branch_A ................................................ 125
Hub_HQ-to-Branch_B .......................................................................... 128
Spoke_Branch_A ................................................................................. 131
Spoke_Branch_B .................................................................................. 134
Test the IPSec VPN Tunnel ................................................................... 137
What Could Go Wrong? .................................................................... 140
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN
Concentrator ............................................................................................ 142
Set Up the IPSec VPN Tunnel on the ZyWALL/USG Hub_HQ-to-
Branch_A .............................................................................................. 143
Hub_HQ-to-Branch_B .......................................................................... 146
Hub_HQ Concentrator ....................................................................... 149
Spoke_Branch_A ................................................................................. 150
Spoke_Branch_B .................................................................................. 153
3/782
www.zyxel.com
Test the IPSec VPN Tunnel ................................................................... 157
What Could Go Wrong? .................................................................... 160
How to Configure IPSec VPN with ZyWALL IPSec VPN Client ............... 161
Set Up the ZyWALL/USG IPSec VPN Tunnel ....................................... 162
Set Up the ZyWALL IPSec VPN Client ................................................. 166
Test the IPSec VPN Tunnel ................................................................... 169
What Can Go Wrong? ........................................................................ 171
How to Configure Site-to-site IPSec VPN with FortiGate ....................... 173
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ........................... 174
Set Up the IPSec VPN Tunnel on the FortiGate ................................. 177
Test the IPSec VPN Tunnel ................................................................... 182
What Could Go Wrong? .................................................................... 183
How to Configure Site-to-site IPSec VPN with WatchGuard ................ 185
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ........................... 186
Set Up the IPSec VPN Tunnel on the WatchGuard .......................... 189
Test the IPSec VPN Tunnel ................................................................... 195
What Could Go Wrong? .................................................................... 196
How to Configure Site-to-site IPSec VPN with Cisco ............................. 198
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ........................... 199
Set Up the IPSec VPN Tunnel on the Cisco ....................................... 204
Test the IPSec VPN Tunnel ................................................................... 209
What Could Go Wrong? .................................................................... 211
How to Configure Site-to-site IPSec VPN with a SonicWALL router ..... 212
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ........................... 213
Set Up the IPSec VPN Tunnel on the SonicWALL .............................. 220
Test the IPSec VPN Tunnel ................................................................... 224
What Could Go Wrong? .................................................................... 226
How to Configure IPSec VPN Failover .................................................... 229
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(HQ) ...................................................................................................... 230
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch) ................................................................................................ 233
Set up the WAN Trunk (ZyWALL/USG_HQ) ........................................ 238
4/782
www.zyxel.com
Set up the Failover Command Line (ZyWALL/USG HQ) .................. 239
Test the IPSec VPN Tunnel ................................................................... 240
What Could Go Wrong? .................................................................... 242
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind
a NAT router .............................................................................................. 244
Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ ...................... 245
Set Up the NAT Router (Using ZyWALL USG device in this example)
............................................................................................................... 249
Test the L2TP over IPSec VPN Tunnel .................................................. 252
What Could Go Wrong? ..................................................................... 255
How to Configure L2TP VPN with Android 5.0 Mobile Devices ............ 257
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 258
Set Up the L2TP VPN Tunnel on the Android Device ........................ 262
Test the L2TP over IPSec VPN Tunnel ................................................. 265
What Could Go Wrong? .................................................................... 267
How to Configure L2TP VPN with iOS 8.4 Mobile Devices ..................... 269
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 269
Set Up the L2TP VPN Tunnel on the iOS Device ................................ 275
Test the L2TP over IPSec VPN Tunnel ................................................. 276
What Could Go Wrong? .................................................................... 279
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10
................................................................................................................... 281
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 281
Export a Certificate from ZyWALL/USG and Import it to Windows 10
Operating System ............................................................................... 286
Set Up the L2TP VPN Tunnel on the Windows 10 ............................... 291
Test the L2TP over IPSec VPN Tunnel ................................................. 296
What Could Go Wrong? .................................................................... 298
How to Import ZyWALL/USG Certificate for L2TP over IPsec in IOS mobile
phone ........................................................................................................ 300
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 300
Export a Certificate from ZyWALL/USG and Import it to iOS Mobile
Phone ................................................................................................... 305
5/782
www.zyxel.com
Set Up the L2TP VPN Tunnel on the iOS Mobile Device ................... 305
Test the L2TP over IPSec VPN Tunnel ................................................. 308
What Could Go Wrong? .................................................................... 310
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android
mobile phone ........................................................................................... 311
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 312
Export a Certificate from ZyWALL/USG and Import it to Android
Mobile Phone ...................................................................................... 316
Set Up the L2TP VPN Tunnel on the Android Mobile Device ........... 317
Test the L2TP over IPSec VPN Tunnel ................................................. 320
What Could Go Wrong? .................................................................... 322
How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating
System ....................................................................................................... 324
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 324
Set Up the L2TP VPN Tunnel on the Apple MAC OS X 10.11 El
Capitan Operating System ................................................................ 329
Test the L2TP over IPSec VPN Tunnel ................................................. 332
What Could Go Wrong? .................................................................... 334
How to configure if I want user can only see SSL VPN Login button in
web portal login page ............................................................................. 336
Set Up the DNS Service ........................................................................ 337
Set Up the ZyWALL/USG SSL VPN Setting ............................................ 337
Set Up the ZyWALL/USG System Setting ............................................. 338
Test the SSL VPN ................................................................................... 339
How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System
................................................................................................................... 343
Set Up the SSL VPN Tunnel on the ZyWALL/USG ............................... 344
Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating
System ................................................................................................... 347
Test the SSL VPN Tunnel ....................................................................... 351
What Could Go Wrong? .................................................................... 354
How To Configure SSL VPN for Remote Access Mobile Devices ......... 356
Set Up the SSL VPN Tunnel on the ZyWALL/USG ............................... 357
6/782
www.zyxel.com
Test the SSL VPN Tunnel ....................................................................... 360
What Could Go Wrong? .................................................................... 362
How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1)
on the Windows 10 Operating System ................................................... 363
Set up the SSL VPN Tunnel with Windows 10 .................................... 363
What Can Go Wrong? ....................................................................... 367
How to redirect multiple LAN interface traffic to the VPN tunnel ........ 369
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(HQ) ...................................................................................................... 370
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch) ................................................................................................ 373
Set up the Policy Route (ZyWALL/USG_HQ) ..................................... 377
Set up the Policy Route (ZyWALL/USG_Branch) .............................. 378
Test the IPSec VPN Tunnel ................................................................... 380
What Could Go Wrong? .................................................................... 381
How to Create VTI and Configure VPN Failover with VTI ...................... 383
VTI Deployment Flow .......................................................................... 383
Set Up the ZyWALL/USG VTI of Corporate Network (HQ) ............... 384
Set Up the ZyWALL/USG VTI of Corporate Network (Branch) ........ 389
Test the IPSec VPN Tunnel .................................................................. 395
What Can Go Wrong? ....................................................................... 397
How to configure the USG when using a Cloud Based SIP system ..... 399
Set Up the SIP ALG ............................................................................... 400
Test result .............................................................................................. 400
What could go wrong? ...................................................................... 401
How to block HTTPS websites by Domain Filter without applying SSL
Inspection ................................................................................................. 401
Set Up the Content Filter on the ZyWALL/USG ................................. 402
Set Up the Security Policy on the ZyWALL/USG ............................... 405
Set Up the System Policy on the ZyWALL/USG ................................. 405
Test the Result ...................................................................................... 405
How to Configure Content Filter 2.0 with Geo IP Blocking ................... 408
Set Up the Address Objet with Geo IP on the ZyWALL/USG ........... 409
7/782
www.zyxel.com
Set Up the Security Policy on the ZyWALL/USG ............................... 409
Test the Result ...................................................................................... 410
What Could Go Wrong? .................................................................... 411
How to Configure Content Filter 2.0 with HTTPs Domain Filter .............. 412
Application Scenario .......................................................................... 412
Set Up the Content Filter on the ZyWALL/USG .................................. 413
Set Up the Security Policy on the ZyWALL/USG ............................... 415
Set Up the System Policy on the ZyWALL/USG ................................. 416
Test the Result ...................................................................................... 417
What Could Wrong? ........................................................................... 417
How to block the client accessing to certain country using Geo IP and
Content Filter ............................................................................................ 418
Check Geo IP License Status on the ZyWALL/USG ........................... 419
Set Up the Address Objet with Geo IP on the ZyWALL/USG ........... 420
Set Up the Security Policy on the ZyWALL/USG ............................... 421
Test the Result ...................................................................................... 422
How to Restrict Web Portal access from the Internet ........................... 425
Set Up the ZyWALL/USG System Setting ............................................. 425
Test the Web Access ........................................................................... 426
How to Setup and Configure Daily Report ............................................. 429
Set Up the ZyWALL/USG Email Daily Report Setting ........................... 430
Test the Daily Log Report .................................................................... 431
What Could Go Wrong? .................................................................... 433
How to Setup and Configure Email Logs ............................................... 434
Set Up the ZyWALL/USG Email Logs Setting ........................................ 435
Test the Email Log ................................................................................ 436
What Could Go Wrong? .................................................................... 437
How to Setup and send logs to a Syslog Server .................................... 438
Set Up the Syslog Server (Use Papertrail syslog in this example) ....... 438
Set Up the ZyWALL/USG Remote Server Setting ................................ 441
Test the Remote Server ....................................................................... 442
What Could Go Wrong? .................................................................... 443
How to Setup and send logs to a Vantage Reports Server .................. 444
8/782
www.zyxel.com
Set Up the VRPT Server ........................................................................ 445
Set Up the ZyWALL/USG Remote Server Setting ................................ 448
Test the Remote Server ....................................................................... 449
What Could Go Wrong? .................................................................... 449
How to Setup and send logs to the USB storage ................................... 450
Set Up the USB System Settings ........................................................... 451
Set Up the USB Log Storage ................................................................ 452
Check the USG Log Files .................................................................... 453
How to Setup IPv6 Interfaces for Pure IPv6 Routing .............................. 454
Setting Up the IPv6 Interface ............................................................. 455
Set up the Prefix Delegation and Router Advertisement ............... 457
Test ........................................................................................................ 461
What Can Go Wrong? ....................................................................... 462
Test ........................................................................................................ 464
How to Perform and Use the Packet Capture Feature on the
ZyWALL/USG ............................................................................................. 464
Set Up the Packet Capture Feature ................................................... 465
Check the Capture Files ..................................................................... 468
How to Automatically Reboot the ZyWALL/USG by Schedule ............. 469
Set Up the Shell Script .......................................................................... 470
Set Up the Schedule Run ..................................................................... 471
Check the Reboot Status ................................................................... 473
How To Schedule YouTube Access ........................................................ 475
Set Up the Schedule on the ZyWALL/USG ......................................... 475
Create the Application Objects on the ZyWALL/USG ..................... 476
Set Up SSL Inspection on the ZyWALL/USG ........................................ 476
Set Up the Security Policy on the ZyWALL/USG ................................. 477
Export Certificate from ZyWALL/USG and Import it to Windows 7
Operation System ............................................................................... 478
Test the Result ...................................................................................... 484
What Could Go Wrong? .................................................................... 484
How to continuously run a ZySH script ................................................... 486
Set Up the Shell Script .......................................................................... 486
9/782
www.zyxel.com
Set Up the Schedule Run ..................................................................... 488
Check the Result ................................................................................. 488
How To Register Your Device and Services at myZyXEL.com ............. 489
Account Creation ............................................................................... 490
Device Registration ............................................................................. 492
Service Registration (In the Case of Standard License) ................. 493
Device Management (In the Case of Registering Bundled Licenses)
............................................................................................................... 494
Refresh Service .................................................................................... 495
What Could Go Wrong? .................................................................... 495
How To Exempt Specific Users From Security Control .......................... 497
Set Up the Security Policy on the ZyWALL/USG for Employees ....... 498
Set Up the Security Policy on the ZyWALL/USG for Executives ........ 500
Test the Result ...................................................................................... 502
What Could Go Wrong? .................................................................... 503
How To Detect and Prevent TCP Port Scanning with ADP .................... 504
Set Up the ADP Profile on the ZyWALL/USG ...................................... 505
Test the Result ...................................................................................... 508
What Could Go Wrong? .................................................................... 509
How To Block Facebook ......................................................................... 510
Set Up the Content Filter on the ZyWALL/USG .................................. 511
Set Up the SSL Inspection on the ZyWALL/USG ................................. 511
Set Up the Security Policy on the ZyWALL/USG ................................. 513
Export Certificate from ZyWALL/USG and Import it to Windows 7
Operation System ............................................................................... 514
Test the Result ...................................................................................... 519
What Could Go Wrong? .................................................................... 520
How To Exempt Specific Users From a Blocked Website ..................... 521
Set Up the Security Policy on the ZyWALL/USG for Employees ....... 522
Set Up the Security Policy on the ZyWALL/USG for Executives ........ 524
Test the Result ...................................................................................... 527
What Could Go Wrong? .................................................................... 528
How To Control Access To Google Drive ............................................... 529
10/782
www.zyxel.com
Set Up the SSL Inspection on the ZyWALL/USG ................................. 530
Set Up the Security Policy on the ZyWALL/USG ................................. 531
Export Certificate from ZyWALL/USG and Import it to Windows 7
Operation System ............................................................................... 531
Test the Result ...................................................................................... 537
What Could Go Wrong? .................................................................... 538
How To Block HTTPS Websites Using Content Filtering and SSL Inspection
................................................................................................................... 539
Set Up the Content Filter on the ZyWALL/USG .................................. 540
Set Up SSL Inspection on the ZyWALL/USG ........................................ 541
Set Up the Security Policy on the ZyWALL/USG ................................. 543
Export Certificate from ZyWALL/USG and Import it to Windows 7
Operation System ............................................................................... 544
Test the Result ...................................................................................... 549
What Could Go Wrong? .................................................................... 550
How To Block the Spotify Music Streaming Service .............................. 551
Set Up IDP Profile on the ZyWALL/USG ............................................... 552
Test the Result ...................................................................................... 553
What Could Go Wrong? .................................................................... 554
How does Anti-Malware work ................................................................ 555
Enable Anti-Malware function to protecting your traffic ............... 556
Test the result ....................................................................................... 557
Additional configuration ........................................................................... 557
What can go wrong ........................................................................... 558
How to Configure an Email Security Policy with Mail Scan and DNSBL559
Set Up the Email Security on ATP Series .............................................. 559
Test the result ....................................................................................... 562
What can go wrong ........................................................................... 563
How to Configure Botnet Filter on ATP series? ....................................... 564
Prerequisites before setting up Botnet Filter function ..................... 565
License activation ............................................................................... 565
Update Botnet Filter Signatures ......................................................... 565
Set Up the IP Blocking on the ATP series ........................................... 567
11/782
www.zyxel.com
Test the Result ...................................................................................... 567
Set up the URL Blocking on the ATP series ........................................ 568
Test the Result ...................................................................................... 568
How to Use Sandboxing to Detect Unknown Malware ........................ 570
Set Up Sandboxing on ATP ................................................................. 571
Test the Result ....................................................................................... 573
What Can Go Wrong? ........................................................................ 576
How to Configure Bandwidth Management for FTP and HTTP Traffic .. 577
Set Up the Bandwidth Management for FTP on the ZyWALL/USG 578
Set Up the Bandwidth Management for HTTP on the ZyWALL/USG
............................................................................................................... 579
Set Up the Bandwidth Management Global Setting on the
ZyWALL/USG ......................................................................................... 581
Test the Result ...................................................................................... 582
What Could Go Wrong? .................................................................... 583
How to Limit BitTorrent or Other Peer-to-Peer Traffic ............................. 584
Set Up the Application Patrol Profile on the ZyWALL/USG ............... 585
Set Up the Bandwidth Management for BitTorrent on the
ZyWALL/USG ......................................................................................... 586
Set Up the Bandwidth Management Global Setting on the
ZyWALL/USG ......................................................................................... 588
Test the Result ...................................................................................... 588
What Could Go Wrong? .................................................................... 589
How to Configure a Trunk for WAN Load Balancing with a Static or
Dynamic IP Address ................................................................................. 590
Set Up the Available Bandwidth on WAN1 Interfaces on the
ZyWALL/USG ......................................................................................... 591
Set Up the Available Bandwidth on WAN2 Interfaces on the
ZyWALL/USG ......................................................................................... 592
Set Up the WAN Trunk on the ZyWALL/USG ...................................... 592
Test the Result ...................................................................................... 593
What Could Go Wrong? .................................................................... 594
12/782
www.zyxel.com
How to Configure DNS Inbound Load Balancing to balance DNS Queries
Among Interfaces .................................................................................... 595
Set Up the DNS Inbound Load Balancing on the ZyWALL/USG ..... 596
Set Up the NAT Rule on the ZyWALL/USG ......................................... 597
Test the Result ...................................................................................... 598
What Could Go Wrong? .................................................................... 599
How to Manage Voice Traffic ................................................................. 600
Set Up the SIP ALG on the ZyWALL/USG ........................................... 601
Set Up the Bandwidth Management for SIP on the ZyWALL/USG . 601
Set Up the Bandwidth Management for P2P on the ZyWALL/USG 602
Set Up the Bandwidth Management for FTP on the ZyWALL/USG 603
Test the Result ...................................................................................... 605
What Could Go Wrong? .................................................................... 606
How to Manage ZyWALL/USG Configuration Files ................................ 607
Rename the Configuration Files from the ZyWALL/USG ................. 608
Download the Configuration Files on the ZyWALL/USG ................. 608
Copy the Configuration Files on the ZyWALL/USG .......................... 609
Apply the Configuration Files on the ZyWALL/USG ......................... 610
Upload the Configuration Files from the ZyWALL/USG ................... 611
What Could Go Wrong? .................................................................... 611
How to Manage ZyWALL/USG Firmware ................................................ 612
Download the Current Firmware Version from ZyXEL.com ............ 613
Upload the Firmware on the ZyWALL/USG ....................................... 614
What Could Go Wrong? .................................................................... 617
How to Get Started Using the Wizards .................................................... 618
Set Up the Internet Access (Ethernet) Wizard on the ZyWALL/USG
............................................................................................................... 618
Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG .. 622
Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG ..... 625
Set Up the Wireless Settings Wizard on the ZyWALL/USG ................ 629
Set Up the Device Registration on the ZyWALL/USG ...................... 631
How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN
Backup ...................................................................................................... 633
13/782
www.zyxel.com
Set Up the 3G/LTE Interface on the ZyWALL/USG ........................... 634
Set Up the Trunk on the ZyWALL/USG ............................................... 635
Test the Result ...................................................................................... 636
What Could Go Wrong? .................................................................... 637
How to Configure Two Different WAN Interfaces with Different IP
Addresses in the Same VLAN .................................................................. 638
Set Up the Port Grouping on the ZyWALL/USG ................................ 639
Set Up the VLAN on the ZyWALL/USG ............................................... 639
Set Up the Routing on the ZyWALL/USG ........................................... 641
Test the Result ...................................................................................... 641
What Could Go Wrong? .................................................................... 642
How to Let a Server Use the Same Public IP Address as the WAN
Interface Using the Bridge Interface ...................................................... 642
Set Up the Bridge Interface on the ZyWALL/USG ............................ 643
Test the Result ...................................................................................... 645
What Could Go Wrong? .................................................................... 646
How to Allow Public Access to a Server Behind ZyWALL/USG ............ 646
Set Up the NAT on the ZyWALL/USG ................................................. 647
Set Up the Security Policy on the ZyWALL/USG ............................... 648
Test the Result ...................................................................................... 649
What Could Go Wrong? .................................................................... 649
How to Set Up a WiFi Network with ZyXEL APs ....................................... 651
Set Up the AP Management on the ZyWALL/USG .......................... 652
Test the Result ...................................................................................... 654
What Could Go Wrong? .................................................................... 655
How to Set Up Guest WiFi Network Accounts ........................................ 656
Set Up the WiFi Guest Account, Address Range and Service Rule on
the ZyWALL/USG .................................................................................. 657
Set Up the Web Authentication on the ZyWALL/USG ..................... 659
Set Up the Security Policy on the ZyWALL/USG ............................... 660
Test the Result ...................................................................................... 661
What Could Go Wrong? .................................................................... 664
14/782
www.zyxel.com
How to create a Wi-Fi VLAN interfaces to separate staff network and
Guest network .......................................................................................... 666
Set up Wi-Fi VLAN interfaces .............................................................. 667
Test result .............................................................................................. 677
What could go wrong ........................................................................ 679
How to Set Up WiFi Networks with Microsoft Active Directory
Authentication .......................................................................................... 681
Set Up the Wi-Fi Guest Account and Authentication Method on the
ZyWALL/USG ......................................................................................... 682
Set Up the Active Directory Server Account on the ZyWALL/USG 683
Set Up the Security Policy on the ZyWALL/USG ............................... 684
Test the Result ...................................................................................... 685
What Could Go Wrong? .................................................................... 687
How to Set Up IPv6 Interfaces for Pure IPv6 Routing ............................. 688
Enable the IPv6 on the ZyWALL/USG ................................................ 689
Set Up the WAN IPv6 Interface on the ZyWALL/USG ....................... 690
Set Up the LAN IPv6 Interface on the ZyWALL/USG ........................ 690
Test the Result ...................................................................................... 691
What Could Go Wrong? .................................................................... 693
How to Set Up an IPv6 6to4 Tunnel ......................................................... 693
Set Up the LAN IPv6 Interface on the ZyWALL/USG ........................ 694
Set Up the 6to4 Tunnel on the ZyWALL/USG .................................... 696
Test the Result ...................................................................................... 697
What Could Go Wrong? .................................................................... 698
How to Set Up an IPv6-in-IPv4 Tunnel ..................................................... 698
Set Up the LAN IPv6 Interface on the ZyWALL/USG ........................ 699
Set Up the 6to4 Tunnel on the ZyWALL/USG .................................... 700
Set Up the Policy Route on the ZyWALL/USG ................................... 701
Test the Result ...................................................................................... 702
What Could Go Wrong? .................................................................... 703
How to Update Firmware Automatically from a USB Storage .............. 704
Automatic USB Firmware Upgrade Flow ............................................... 704
Enable the USB Firmware Upgrade Function by CLI Command ... 705
15/782
www.zyxel.com
Save the Firmware on the USB ........................................................... 705
Plug the USB into the Device ............................................................. 706
The Device Checks Running Partition for the Model ID and the
Firmware Version ................................................................................. 706
Check Firmware Status ....................................................................... 707
What Can Go Wrong? ........................................................................ 708
How to Configure DHCP Option 60 – Vendor Class Identifier .............. 710
DHCP Option 60 Deployment Flow ....................................................... 711
Setting Up DHCP Option 60 on the Web GUI ................................... 711
Setting Up DHCP Option 60 on the CLI ............................................. 712
Test DHCP Option 60 ........................................................................... 713
What Can Go Wrong? ....................................................................... 713
How to Configure Device HA Pro ........................................................... 714
Device HA Pro License ....................................................................... 715
Behavior of the Device HA Pro .......................................................... 715
Device-HA Pro Setting Screen ........................................................... 715
Suggestions .......................................................................................... 717
How do I Configure Device HA Pro in My Current Environment? . 718
What can go wrong? ......................................................................... 722
How to Upgrade Firmware on HA Pro Synchronized Devices? ........... 723
Firmware Upgrade Flow ..................................................................... 724
Running Firmware Version .................................................................. 724
Running Firmware Partition ................................................................ 724
Synchronization Status ........................................................................ 725
Upload the Firmware to the Active Device ..................................... 726
Test the Result ....................................................................................... 727
How to Downgrade Firmware on HA Pro Synchronized Devices? ...... 728
Firmware Downgrade Flow ................................................................ 729
Configuration File Backup .................................................................. 729
Switch Passive Device to Active Mode ............................................ 729
Ethernet Cable and Heartbeat Port Disconnection ....................... 730
Firmware Downgrade on Device 1 ................................................... 730
Backup Configuration Apply ............................................................. 731
16/782
www.zyxel.com
Connect All Ethernet Cables Back on Device 1 ............................. 732
Firmware Downgrade on Device 2 ................................................... 732
Enable Device HA Pro on Device 2 .................................................. 733
Test the Result ....................................................................................... 733
Appendix. Edit the Configuration File ......................................................... 734
How to replace one defect device of HA Pro ....................................... 736
Scenario and Topology ...................................................................... 736
Before redeploy the HA-Pro environment ........................................ 737
After received the New device (Device 3) ..................................... 738
Configuration on Device 1 ................................................................. 739
Configuration on Device 3 ................................................................. 739
Verification ........................................................................................... 741
How to reboot the Active device to the standby partition when two
partitions has different firmware version ................................................ 743
Change Partition Flow ........................................................................ 744
Check Firmware Version on Active and Passive devices .............. 744
Reboot passive device(Device 1) by standby partition ................ 745
Reboot active device(Device 1) by standby partition .................. 745
Make sure passive device(Device 1) sync process successfully ... 746
Configuration changed scenario ..................................................... 746
How to restore configuration file in Device HA mode? ........................ 748
Configuration file restore flow ............................................................ 749
Unplug all active device network link (Device 1), let network service
runs on passive device. ...................................................................... 749
Upload configuration file to active device (Device 1). ................. 749
Apply configuration file on active device (Device 1) .................... 750
Connect all network cables on Device 1. ....................................... 751
Reset passive device to system default. .......................................... 751
Deploy Device HA .............................................................................. 751
Make sure that passive device (Device 2) sync process successfully
............................................................................................................... 752
How to Check HA Pro Synchronization Status ......................................... 753
Check the sync status on web GUI ................................................... 753
Check the sync status on console .................................................... 754
17/782
www.zyxel.com
A. Check the synchronization status on Active device ............. 754
B. Check the synchronization status on Passive device ............ 755
C. Fail cases ..................................................................................... 757
D. Exception case .......................................................................... 758
What Can Go Wrong? ........................................................................ 759
How to setup Two-Factor Authentication for admin login ................... 760
Setup SMTP function on your device ................................................ 760
Create admin type user on device .................................................. 761
Setup Two-Factor Authentication for admin on your device ........ 762
Test the Result ....................................................................................... 763
What Can Go Wrong? ........................................................................ 765
How to configure Email Security for Phishing mail? .............................. 767
How it works ......................................................................................... 767
Set up Phishing on ATP ........................................................................ 768
Test the Result ....................................................................................... 769
What Can Go Wrong? ........................................................................ 769
How to setup Email to SMS ...................................................................... 771
Setup SMTP function on your device ................................................ 771
Setup Email to SMS Provider configuration ...................................... 772
Create admin type user on device .................................................. 773
Setup Two-Factor Authentication for admin on your device ........ 773
Test the Result ....................................................................................... 774
What Can Go Wrong? ........................................................................ 776
How to Use IP Reputation to Detect Threats .......................................... 777
Activating Reputation Filter Service .................................................. 778
Enabling IP Blocking on ATP ............................................................... 778
Selecting specific type of IP addresses to block ............................. 779
Adding IP addresses to white list and black list ............................... 779
Monitoring statistics for IP detection ................................................. 780
Test the Result ....................................................................................... 780
What Can Go Wrong? ........................................................................ 782
18/782
www.zyxel.com
19/782
www.zyxel.com
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks.
This example was tested using USG110 (Firmware Version: ZLD 4.25) and Amazon
VPC (June, 2016).
How to Configure Site-to-site IPSec VPN with Amazon VPC
This example shows how to use the VPN Setup Wizard to create a site-to-site
VPN between a ZyWALL/USG and an Amazon VPC platform. The example
instructs how to configure the VPN tunnel between each site. When the VPN
tunnel is configured, each site can be accessed securely.
ZyWALL/USG Site-to-site IPSec VPN with Amazon VPC
20/782
www.zyxel.com
Set Up the IPSec VPN Tunnel on the Amazon VPC
1 Sign into the Amazon AWS Management Console. Go to Networking > VPC.
Amazon AWS Management Console > Networking > VPC
2 In the upper left-hand of the screen, click Start VPC Wizard.
Amazon VPC Management Console > Networking > VPC > Start VPC Wizard
3 Select a VPC Configuration, select VPC with a Private Subnet Only and Hardware
VPN Access, and then click Select.
21/782
www.zyxel.com
Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN
Access
4 VPC with a Private Subnet Only and Hardware VPN, add your IP CIDR block and
Private subnet. Click Next.
VPC with a Private Subnet Only and Hardware VPN
22/782
www.zyxel.com
5 Configure your VPN, add your ZyWALL/USG public IP address into Customer
Gateway IP. Name your Customer Gateway name and VPN Connection name.
Click Create VPC at the bottom of the blade.
Configure your VPN
6 In the VPC Dashboard, go to VPN Connections. Select Download Configuration
from the upper bar. Select Vendor and Platform to be Generic. Click Yes,
Download.
23/782
www.zyxel.com
VPC Dashboard > VPN Connections
7 Open the downloaded configuration txt. file, it displays IKE SA, IPSec SA and
Gateway IP address. Please make sure all the settings match your ZyWALL/USG’s
setting.
Configuration txt. File
24/782
www.zyxel.com
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard, use the VPN Settings
wizard to create a VPN rule that can be used with the Amazon VPC. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
25/782
www.zyxel.com
Choose Advanced to create a VPN rule with the customize phase 1, phase 2
settings and authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Select
the rule to be Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
26/782
www.zyxel.com
Then, configure the Secure Gateway IP as the peer Amazon VPC’s Gateway IP
address (in the example, 52.39.135.203); select My Address to be the interface
connected to the Internet.
Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time
which Amazon VPC supports. Type a secure Pre-Shared Key.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1
Setting)
27/782
www.zyxel.com
Continue to Phase 2 Settings to select the Encapsulation, Encryption,
Authentication, and SA Life Time settings which Amazon VPC supports.
Set Local Policy to be the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to be the IP address range of the network
connected to the Amazon VPC. Click OK.
28/782
www.zyxel.com
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Phase 2 Setting)
29/782
www.zyxel.com
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
30/782
Loading...
+ 752 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use