ZyWALL/USG/ATP Series
ATP200 / ATP500 / ATP800
USG20-VPN / USG20W-VPN / USG40 / USG40W /
USG60 / USG60W / USG110 / USG210 / USG310 /
USG1100 / USG1900 / USG2200-VPN
Security Firewalls
Firmware Version 4.35
Edition 3, 10/2019
Handbook
1/774
copyright © 2018 ZyXEL Communications Corporation
Table of Contents
How to Configure Site-to-site IPSec VPN with Amazon VPC .................. 18
Set Up the IPSec VPN Tunnel on the Amazon VPC ............................ 19
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ............................. 23
Test the IPSec VPN Tunnel ..................................................................... 29
What Could Go Wrong? ....................................................................... 30
How to Configure Site-to-site IPSec VPN with Microsoft (MS) Azure ..... 31
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ............................. 32
Set Up the IPSec VPN Tunnel on the MS Azure ................................... 37
Test the IPSec VPN Tunnel ..................................................................... 44
What Could Go Wrong? ...................................................................... 47
How to Configure GRE over IPSec VPN Tunnel ........................................ 48
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate
Network (HQ) ......................................................................................... 49
Set Up the ZyWALL/USG GRE over IPSec VPN Tunnel of Corporate
Network (Branch) .................................................................................. 54
Test the GRE over IPSec VPN Tunnel .................................................... 58
What Could Go Wrong? ....................................................................... 59
How to Configure Site-to-site IPSec VPN Where the Peer has a Static IP
Address ....................................................................................................... 61
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch) .................................................................................................. 66
Test the IPSec VPN Tunnel ..................................................................... 70
What Could Go Wrong? ...................................................................... 71
How to Configure Site-to-site IPSec VPN Where the Peer has a Dynamic
IP Address ................................................................................................... 73
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(HQ) ........................................................................................................ 73
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch has a Dynamic IP Address) ................................................... 77
Test the IPSec VPN Tunnel ..................................................................... 81
What Could Go Wrong? ...................................................................... 83
How to Configure IPSec Site to Site VPN while one Site is behind a NAT
router ........................................................................................................... 85
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(HQ) ........................................................................................................ 85
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch) .................................................................................................. 89
Set Up the NAT Router (Using ZyWALL USG device in this example) ... 93
Test the IPSec VPN Tunnel ..................................................................... 95
What Could Go Wrong? ....................................................................... 96
How to Configure Hub-and-Spoke IPSec VPN ........................................ 97
Set Up the IPSec VPN Tunnel on the ZyWALL/USG by Using VPN
Concentrator Hub_HQ-to-Branch_A .................................................. 98
Hub_HQ-to-Branch_B .......................................................................... 102
Hub_HQ Concentrator ....................................................................... 106
Spoke_Branch_A ................................................................................. 107
Spoke_Branch_B .................................................................................. 112
Test the IPSec VPN Tunnel ................................................................... 117
What Could Go Wrong? .................................................................... 121
Set Up the IPSec VPN Tunnel of ZyWALL/USG without Using VPN
Concentrator Hub_HQ-to-Branch_A ................................................ 123
Hub_HQ-to-Branch_B .......................................................................... 126
Spoke_Branch_A ................................................................................. 129
Spoke_Branch_B .................................................................................. 132
Test the IPSec VPN Tunnel ................................................................... 135
What Could Go Wrong? .................................................................... 138
How to Use Dual-WAN to Perform Fail-Over on VPN Using the VPN
Concentrator ............................................................................................ 140
Set Up the IPSec VPN Tunnel on the ZyWALL/USG Hub_HQ-to-
Branch_A .............................................................................................. 141
Hub_HQ-to-Branch_B .......................................................................... 144
Hub_HQ Concentrator ....................................................................... 147
Spoke_Branch_A ................................................................................. 148
Spoke_Branch_B .................................................................................. 151
Test the IPSec VPN Tunnel ................................................................... 155
What Could Go Wrong? .................................................................... 158
How to Configure IPSec VPN with ZyWALL IPSec VPN Client ............... 159
Set Up the ZyWALL/USG IPSec VPN Tunnel ....................................... 160
Set Up the ZyWALL IPSec VPN Client ................................................. 164
Test the IPSec VPN Tunnel ................................................................... 167
What Can Go Wrong? ........................................................................ 169
How to Configure Site-to-site IPSec VPN with FortiGate ....................... 171
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ........................... 172
Set Up the IPSec VPN Tunnel on the FortiGate ................................. 175
Test the IPSec VPN Tunnel ................................................................... 180
What Could Go Wrong? .................................................................... 181
How to Configure Site-to-site IPSec VPN with WatchGuard ................ 183
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ........................... 184
Set Up the IPSec VPN Tunnel on the WatchGuard .......................... 187
Test the IPSec VPN Tunnel ................................................................... 193
What Could Go Wrong? .................................................................... 194
How to Configure Site-to-site IPSec VPN with Cisco ............................. 196
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ........................... 197
Set Up the IPSec VPN Tunnel on the Cisco ....................................... 202
Test the IPSec VPN Tunnel ................................................................... 207
What Could Go Wrong? .................................................................... 209
How to Configure Site-to-site IPSec VPN with a SonicWALL router ..... 210
Set Up the IPSec VPN Tunnel on the ZyWALL/USG ........................... 211
Set Up the IPSec VPN Tunnel on the SonicWALL .............................. 218
Test the IPSec VPN Tunnel ................................................................... 222
What Could Go Wrong? .................................................................... 224
How to Configure IPSec VPN Failover .................................................... 227
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(HQ) ...................................................................................................... 228
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch) ................................................................................................ 231
Set up the WAN Trunk (ZyWALL/USG_HQ) ........................................ 236
Set up the Failover Command Line (ZyWALL/USG HQ) .................. 237
Test the IPSec VPN Tunnel ................................................................... 238
What Could Go Wrong? .................................................................... 240
How to Configure L2TP over IPSec VPN while the ZyWALL/USG is behind
a NAT router .............................................................................................. 242
Set Up the L2TP VPN Tunnel on the ZyWALL/USG_HQ ...................... 243
Set Up the NAT Router (Using ZyWALL USG device in this example)
............................................................................................................... 247
Test the L2TP over IPSec VPN Tunnel .................................................. 250
What Could Go Wrong? ..................................................................... 253
How to Configure L2TP VPN with Android 5.0 Mobile Devices ............ 255
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 256
Set Up the L2TP VPN Tunnel on the Android Device ........................ 260
Test the L2TP over IPSec VPN Tunnel ................................................. 263
What Could Go Wrong? .................................................................... 265
How to Configure L2TP VPN with iOS 8.4 Mobile Devices ..................... 267
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 267
Set Up the L2TP VPN Tunnel on the iOS Device ................................ 273
Test the L2TP over IPSec VPN Tunnel ................................................. 274
What Could Go Wrong? .................................................................... 277
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Windows 10
................................................................................................................... 279
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 279
Export a Certificate from ZyWALL/USG and Import it to Windows 10
Operating System ............................................................................... 284
Set Up the L2TP VPN Tunnel on the Windows 10 ............................... 290
Test the L2TP over IPSec VPN Tunnel ................................................. 294
What Could Go Wrong? .................................................................... 296
How to Import ZyWALL/USG Certificate for L2TP over IPsec in IOS mobile
phone ........................................................................................................ 298
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 298
Export a Certificate from ZyWALL/USG and Import it to iOS Mobile
Phone ................................................................................................... 303
Set Up the L2TP VPN Tunnel on the iOS Mobile Device ................... 303
Test the L2TP over IPSec VPN Tunnel ................................................. 306
What Could Go Wrong? .................................................................... 308
How to Configure 2 factor for VPN connection? ................................... 309
Set up the ZyWALL/USG IPSec VPN Tunnel ....................................... 310
Set up the ZyWALL IPSec VPN Client ................................................. 315
Set up notification for 2 factor authentication ................................ 319
Set up authentication for 2 factor VPN connection ....................... 320
Test the Result ...................................................................................... 321
What could go wrong .................................................................... 324
How to Import ZyWALL/USG Certificate for L2TP over IPsec in Android
mobile phone ........................................................................................... 324
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 325
Export a Certificate from ZyWALL/USG and Import it to Android
Mobile Phone ...................................................................................... 329
Set Up the L2TP VPN Tunnel on the Android Mobile Device ........... 330
Test the L2TP over IPSec VPN Tunnel ................................................. 334
What Could Go Wrong? .................................................................... 336
How to Configure the L2TP VPN with Apple MAC OS X 10.11 Operating
System ....................................................................................................... 338
Set Up the L2TP VPN Tunnel on the ZyWALL/USG ............................. 338
Set Up the L2TP VPN Tunnel on the Apple MAC OS X 10.11 El
Capitan Operating System ................................................................ 343
Test the L2TP over IPSec VPN Tunnel ................................................. 346
What Could Go Wrong? .................................................................... 348
How to configure the web portal login page so that users see only the
SSL VPN Login button ............................................................................. 350
Set Up the DNS Service ........................................................................ 351
Set Up the ZyWALL/USG SSL VPN Setting ............................................ 351
Set Up the ZyWALL/USG System Setting ............................................. 352
Test the SSL VPN ................................................................................... 353
How to Deploy SSL VPN with Apple Mac OS X 10.10 Operating System
................................................................................................................... 357
Set Up the SSL VPN Tunnel on the ZyWALL/USG ............................... 358
Set Up the SSL VPN Tunnel on the Apple MAC OS X 10.10 Operating
System ................................................................................................... 361
Test the SSL VPN Tunnel ....................................................................... 365
What Could Go Wrong? .................................................................... 368
How To Configure SSL VPN for Remote Access Mobile Devices ......... 370
Set Up the SSL VPN Tunnel on the ZyWALL/USG ............................... 371
Test the SSL VPN Tunnel ....................................................................... 374
What Could Go Wrong? .................................................................... 376
How to Configure an SSL VPN Tunnel (with SecuExtender version 4.0.0.1)
on the Windows 10 Operating System ................................................... 377
Set up the SSL VPN Tunnel with Windows 10 .................................... 377
What Can Go Wrong? ....................................................................... 381
How to redirect multiple LAN interface traffic to the VPN tunnel ........ 383
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(HQ) ...................................................................................................... 384
Set Up the ZyWALL/USG IPSec VPN Tunnel of Corporate Network
(Branch) ................................................................................................ 387
Set up the Policy Route (ZyWALL/USG_HQ) ..................................... 391
Set up the Policy Route (ZyWALL/USG_Branch) .............................. 392
Test the IPSec VPN Tunnel ................................................................... 394
What Could Go Wrong? .................................................................... 395
How to Create VTI and Configure VPN Failover with VTI ...................... 397
VTI Deployment Flow .......................................................................... 397
Set Up the ZyWALL/USG VTI of Corporate Network (HQ) ............... 398
Set Up the ZyWALL/USG VTI of Corporate Network (Branch) ........ 403
Test the IPSec VPN Tunnel .................................................................. 409
What Can Go Wrong? ....................................................................... 411
How to configure the USG when using a Cloud Based SIP system ..... 413
Set Up the SIP ALG ............................................................................... 414
Test result .............................................................................................. 414
What could go wrong? ...................................................................... 415
How to block HTTPS websites by Domain Filter without applying SSL
Inspection ................................................................................................. 415
Set Up the Content Filter on the ZyWALL/USG ................................. 416
Set Up the Security Policy on the ZyWALL/USG ............................... 419
Set Up the System Policy on the ZyWALL/USG ................................. 419
Test the Result ...................................................................................... 419
How to Configure Content Filter 2.0 with Geo IP Blocking ................... 422
Set Up the Address Object with Geo IP on the ZyWALL/USG ........... 423
Set Up the Security Policy on the ZyWALL/USG ............................... 423
Test the Result ...................................................................................... 424
What Could Go Wrong? .................................................................... 425
How to Configure Content Filter 2.0 with HTTPs Domain Filter .............. 426
Application Scenario .......................................................................... 426
Set Up the Content Filter on the ZyWALL/USG .................................. 427
Set Up the Security Policy on the ZyWALL/USG ............................... 429
Set Up the System Policy on the ZyWALL/USG ................................. 430
Test the Result ...................................................................................... 431
What Could Go Wrong? ........................................................................... 431
How to block clients from accessing a certain country using Geo IP and
Content Filter ............................................................................................ 432
Check Geo IP License Status on the ZyWALL/USG ........................... 433
Set Up the Address Object with Geo IP on the ZyWALL/USG ........... 434
Set Up the Security Policy on the ZyWALL/USG ............................... 435
Test the Result ...................................................................................... 436
How to Restrict Web Portal access from the Internet ........................... 439
Set Up the ZyWALL/USG System Setting ............................................. 439
Test the Web Access ........................................................................... 440
How to Setup and Configure Daily Report ............................................. 443
Set Up the ZyWALL/USG Email Daily Report Setting ........................... 444
Test the Daily Log Report .................................................................... 445
What Could Go Wrong? .................................................................... 447
How to Setup and Configure Email Logs ............................................... 448
Set Up the ZyWALL/USG Email Logs Setting ........................................ 449
Test the Email Log ................................................................................ 450
What Could Go Wrong? .................................................................... 451
How to Setup and send logs to a Syslog Server .................................... 452
Set Up the Syslog Server (Use Papertrail syslog in this example) ....... 452
Set Up the ZyWALL/USG Remote Server Setting ................................ 455
Test the Remote Server ....................................................................... 456
What Could Go Wrong? .................................................................... 457
How to Setup and send logs to a Vantage Reports Server .................. 458
Set Up the VRPT Server ........................................................................ 459
Set Up the ZyWALL/USG Remote Server Setting ................................ 462
Test the Remote Server ....................................................................... 463
What Could Go Wrong? .................................................................... 463
How to Setup and send logs to the USB storage ................................... 464
Set Up the USB System Settings ........................................................... 465
Set Up the USB Log Storage ................................................................ 466
Check the USG Log Files .................................................................... 467
How to Activate a Free Access Hotspot ................................................ 467
Set up the Free Access Hotspot ........................................................ 469
Test the User Agreement and Advertisement Webpage .............. 470
What could Go Wrong? ..................................................................... 472
Set up Enable the Free Time Feature ................................................ 472
Test Free Time Feature ........................................................................ 478
What Can Go Wrong? ....................................................................... 481
How to Setup IPv6 Interfaces for Pure IPv6 Routing .............................. 483
Setting Up the IPv6 Interface ............................................................. 484
Set up the Prefix Delegation and Router Advertisement ............... 486
Test ........................................................................................................ 490
What Can Go Wrong? ....................................................................... 491
Test ........................................................................................................ 493
How to Perform and Use the Packet Capture Feature on the
ZyWALL/USG ............................................................................................. 493
Set Up the Packet Capture Feature ................................................... 494
Check the Capture Files ..................................................................... 497
How to Automatically Reboot the ZyWALL/USG by Schedule ............. 498
Set Up the Shell Script .......................................................................... 499
Set Up the Schedule Run ..................................................................... 500
Check the Reboot Status ................................................................... 502
How To Schedule YouTube Access ........................................................ 504
Set Up the Schedule on the ZyWALL/USG ......................................... 504
Create the Application Objects on the ZyWALL/USG ..................... 505
Set Up SSL Inspection on the ZyWALL/USG ........................................ 505
Set Up the Security Policy on the ZyWALL/USG ................................. 506
Export Certificate from ZyWALL/USG and Import it to Windows 7
Operating System ............................................................................... 507
Test the Result ...................................................................................... 513
What Could Go Wrong? .................................................................... 513
How to continuously run a ZySH script ................................................... 515
Set Up the Shell Script .......................................................................... 515
Set Up the Schedule Run ..................................................................... 517
Check the Result ................................................................................. 517
How To Register Your Device and Services at myZyXEL.com ............. 518
Account Creation ............................................................................... 519
Device Registration ............................................................................. 521
Service Registration (In the Case of Standard License) ................. 522
Device Management (In the Case of Registering Bundled Licenses)
............................................................................................................... 523
Refresh Service .................................................................................... 524
What Could Go Wrong? .................................................................... 524
How To Exempt Specific Users From Security Control .......................... 526
Set Up the Security Policy on the ZyWALL/USG for Employees ....... 527
Set Up the Security Policy on the ZyWALL/USG for Executives ........ 529
Test the Result ...................................................................................... 531
What Could Go Wrong? .................................................................... 532
How To Detect and Prevent TCP Port Scanning with ADP .................... 533
Set Up the ADP Profile on the ZyWALL/USG ...................................... 534
Test the Result ...................................................................................... 537
What Could Go Wrong? .................................................................... 538
How To Block Facebook ......................................................................... 539
Set Up the Content Filter on the ZyWALL/USG .................................. 540
Set Up the SSL Inspection on the ZyWALL/USG ................................. 540
Set Up the Security Policy on the ZyWALL/USG ................................. 542
Export Certificate from ZyWALL/USG and Import it to Windows 7
Operating System ............................................................................... 543
Test the Result ...................................................................................... 548
What Could Go Wrong? .................................................................... 549
How To Exempt Specific Users From a Blocked Website ..................... 550
Set Up the Security Policy on the ZyWALL/USG for Employees ....... 551
Set Up the Security Policy on the ZyWALL/USG for Executives ........ 553
Test the Result ...................................................................................... 556
What Could Go Wrong? .................................................................... 557
How To Control Access To Google Drive ............................................... 558
Set Up the SSL Inspection on the ZyWALL/USG ................................. 559
Set Up the Security Policy on the ZyWALL/USG ................................. 560
Export Certificate from ZyWALL/USG and Import it to Windows 7
Operating System ............................................................................... 560
Test the Result ...................................................................................... 566
What Could Go Wrong? .................................................................... 567
How To Block HTTPS Websites Using Content Filtering and SSL Inspection
................................................................................................................... 568
Set Up the Content Filter on the ZyWALL/USG .................................. 569
Set Up SSL Inspection on the ZyWALL/USG ........................................ 570
Set Up the Security Policy on the ZyWALL/USG ................................. 572
Export Certificate from ZyWALL/USG and Import it to Windows 7
Operating System ............................................................................... 573
Test the Result ...................................................................................... 578
What Could Go Wrong? .................................................................... 579
How To Block the Spotify Music Streaming Service .............................. 580
Set Up IDP Profile on the ZyWALL/USG ............................................... 581
Test the Result ...................................................................................... 582
What Could Go Wrong? .................................................................... 583
How does Anti-Malware work ................................................................ 584
Enable the Anti-Malware function to protect your traffic ............... 585
Test the result ....................................................................................... 586
Additional configuration ........................................................................... 586
What can go wrong ........................................................................... 587
How to Configure an Email Security Policy with Mail Scan and DNSBL ... 588
Set Up the Email Security on ATP Series .............................................. 588
Test the result ....................................................................................... 591
What can go wrong ........................................................................... 592
How to Configure Botnet Filter on ATP series? ....................................... 593
Prerequisites before setting up Botnet Filter function ..................... 594
License activation ............................................................................... 594
Update Botnet Filter Signatures ......................................................... 594
Set Up the IP Blocking on the ATP series ........................................... 596
Test the Result ...................................................................................... 596
Set up the URL Blocking on the ATP series ........................................ 597
Test the Result ...................................................................................... 597
How to Use Sandboxing to Detect Unknown Malware ........................ 599
Set Up Sandboxing on ATP ................................................................. 600
Test the Result ....................................................................................... 602
What Can Go Wrong? ........................................................................ 605
How to Configure Bandwidth Management for FTP and HTTP Traffic .. 606
Set Up the Bandwidth Management for FTP on the ZyWALL/USG ... 607
Set Up the Bandwidth Management for HTTP on the ZyWALL/USG
............................................................................................................... 608
Set Up the Bandwidth Management Global Setting on the
ZyWALL/USG ......................................................................................... 610
Test the Result ...................................................................................... 611
What Could Go Wrong? .................................................................... 612
How to Limit BitTorrent or Other Peer-to-Peer Traffic ............................. 613
Set Up the Application Patrol Profile on the ZyWALL/USG ............... 614
Set Up the Bandwidth Management for BitTorrent on the
ZyWALL/USG ......................................................................................... 615
Set Up the Bandwidth Management Global Setting on the
ZyWALL/USG ......................................................................................... 617
Test the Result ...................................................................................... 617
What Could Go Wrong? .................................................................... 618
How to Configure a Trunk for WAN Load Balancing with a Static or
Dynamic IP Address ................................................................................. 619
Set Up the Available Bandwidth on WAN1 Interfaces on the
ZyWALL/USG ......................................................................................... 620
Set Up the Available Bandwidth on WAN2 Interfaces on the
ZyWALL/USG ......................................................................................... 621
Set Up the WAN Trunk on the ZyWALL/USG ...................................... 621
Test the Result ...................................................................................... 622
What Could Go Wrong? .................................................................... 623
How to Configure DNS Inbound Load Balancing to balance DNS Queries
Among Interfaces .................................................................................... 624
Set Up the DNS Inbound Load Balancing on the ZyWALL/USG ..... 625
Set Up the NAT Rule on the ZyWALL/USG ......................................... 626
Test the Result ...................................................................................... 627
What Could Go Wrong? .................................................................... 628
How to Manage Voice Traffic ................................................................. 629
Set Up the SIP ALG on the ZyWALL/USG ........................................... 630
Set Up the Bandwidth Management for SIP on the ZyWALL/USG . 630
Set Up the Bandwidth Management for P2P on the ZyWALL/USG 631
Set Up the Bandwidth Management for FTP on the ZyWALL/USG 632
Test the Result ...................................................................................... 634
What Could Go Wrong? .................................................................... 635
How to Manage ZyWALL/USG Configuration Files ................................ 636
Rename the Configuration Files from the ZyWALL/USG ................. 637
Download the Configuration Files on the ZyWALL/USG ................. 637
Copy the Configuration Files on the ZyWALL/USG .......................... 638
Apply the Configuration Files on the ZyWALL/USG ......................... 639
Upload the Configuration Files from the ZyWALL/USG ................... 640
What Could Go Wrong? .................................................................... 640
How to Manage ZyWALL/USG Firmware ................................................ 641
Download the Current Firmware Version from ZyXEL.com ............ 642
Upload the Firmware on the ZyWALL/USG ....................................... 643
What Could Go Wrong? .................................................................... 646
How to Get Started Using the Wizards .................................................... 647
Set Up the Internet Access (Ethernet) Wizard on the ZyWALL/USG
............................................................................................................... 647
Set Up the Internet Access (PPPoE) Wizard on the ZyWALL/USG .. 651
Set Up the Internet Access (PPTP) Wizard on the ZyWALL/USG ..... 654
Set Up the Wireless Settings Wizard on the ZyWALL/USG ................ 658
Set Up the Device Registration on the ZyWALL/USG ...................... 660
How to Configure the 3G/LTE Interface on the ZyWALL/USG as a WAN
Backup ...................................................................................................... 662
Set Up the 3G/LTE Interface on the ZyWALL/USG ........................... 663
Set Up the Trunk on the ZyWALL/USG ............................................... 664
Test the Result ...................................................................................... 665
What Could Go Wrong? .................................................................... 666
How to Configure Two Different WAN Interfaces with Different IP
Addresses in the Same VLAN .................................................................. 667
Set Up the Port Grouping on the ZyWALL/USG ................................ 668
Set Up the VLAN on the ZyWALL/USG ............................................... 668
Set Up the Routing on the ZyWALL/USG ........................................... 670
Test the Result ...................................................................................... 670
What Could Go Wrong? .................................................................... 671
How to Let a Server Use the Same Public IP Address as the WAN
Interface Using the Bridge Interface ...................................................... 671
Set Up the Bridge Interface on the ZyWALL/USG ............................ 672
Test the Result ...................................................................................... 674
What Could Go Wrong? .................................................................... 675
How to Allow Public Access to a Server Behind ZyWALL/USG ............ 675
Set Up the NAT on the ZyWALL/USG ................................................. 676
Set Up the Security Policy on the ZyWALL/USG ............................... 677
Test the Result ...................................................................................... 678
What Could Go Wrong? .................................................................... 678
How to Set Up a WiFi Network with ZyXEL APs ....................................... 680
Set Up the AP Management on the ZyWALL/USG .......................... 681
Test the Result ...................................................................................... 683
What Could Go Wrong? .................................................................... 684
How to Set Up Guest WiFi Network Accounts ........................................ 685
Set Up the WiFi Guest Account, Address Range and Service Rule on
the ZyWALL/USG .................................................................................. 686
Set Up the Web Authentication on the ZyWALL/USG ..................... 688
Set Up the Security Policy on the ZyWALL/USG ............................... 689
Test the Result ...................................................................................... 690
What Could Go Wrong? .................................................................... 693
How to create a Wi-Fi VLAN interfaces to separate staff network and
Guest network .......................................................................................... 695
Set up Wi-Fi VLAN interfaces .............................................................. 696
Test result .............................................................................................. 706
What could go wrong ........................................................................ 708
How to Set Up WiFi Networks with Microsoft Active Directory
Authentication .......................................................................................... 710
Set Up the Wi-Fi Guest Account and Authentication Method on the
ZyWALL/USG ......................................................................................... 711
Set Up the Active Directory Server Account on the ZyWALL/USG 712
Set Up the Security Policy on the ZyWALL/USG ............................... 713
Test the Result ...................................................................................... 714
What Could Go Wrong? .................................................................... 716
How to Set Up IPv6 Interfaces for Pure IPv6 Routing ............................. 717
Enable the IPv6 on the ZyWALL/USG ................................................ 718
Set Up the WAN IPv6 Interface on the ZyWALL/USG ....................... 719
Set Up the LAN IPv6 Interface on the ZyWALL/USG ........................ 719
Test the Result ...................................................................................... 720
What Could Go Wrong? .................................................................... 722
How to Set Up an IPv6 6to4 Tunnel ......................................................... 722
Set Up the LAN IPv6 Interface on the ZyWALL/USG ........................ 723
Set Up the 6to4 Tunnel on the ZyWALL/USG .................................... 725
Test the Result ...................................................................................... 726
What Could Go Wrong? .................................................................... 727
How to Set Up an IPv6-in-IPv4 Tunnel ..................................................... 727
Set Up the LAN IPv6 Interface on the ZyWALL/USG ........................ 728
Set Up the 6to4 Tunnel on the ZyWALL/USG .................................... 729
Set Up the Policy Route on the ZyWALL/USG ................................... 730
Test the Result ...................................................................................... 731
What Could Go Wrong? .................................................................... 732
How to Update Firmware Automatically from a USB Storage .............. 733
Automatic USB Firmware Upgrade Flow ............................................... 733
Enable the USB Firmware Upgrade Function by CLI Command ... 734
Save the Firmware on the USB ........................................................... 734
Plug the USB into the Device ............................................................. 735
The Device Checks Running Partition for the Model ID and the
Firmware Version ................................................................................. 735
Check Firmware Status ....................................................................... 736
What Can Go Wrong? ........................................................................ 737
How to Configure DHCP Option 60 – Vendor Class Identifier .............. 739
DHCP Option 60 Deployment Flow ....................................................... 740
Setting Up DHCP Option 60 on the Web GUI ................................... 740
Setting Up DHCP Option 60 on the CLI ............................................. 741
Test DHCP Option 60 ........................................................................... 742
What Can Go Wrong? ....................................................................... 742
How to Configure Device HA Pro ........................................................... 743
Device HA Pro License ....................................................................... 744
Behavior of the Device HA Pro .......................................................... 744
Device-HA Pro Setting Screen ........................................................... 744
Suggestions .......................................................................................... 746
How do I Configure Device HA Pro in My Current Environment? . 747
What can go wrong? ......................................................................... 751
How to setup Two-Factor Authentication for admin login ................... 752
Setup SMTP function on your device ................................................ 752
Create admin type user on device .................................................. 753
Setup Two-Factor Authentication for admin on your device ........ 754
Test the Result ....................................................................................... 755
What Can Go Wrong? ........................................................................ 757
How to configure Email Security for Phishing mail? .............................. 759
How it works ......................................................................................... 759
Set up Phishing on ATP ........................................................................ 760
Test the Result ....................................................................................... 761
What Can Go Wrong? ........................................................................ 761
How to setup Email to SMS ...................................................................... 763
Setup SMTP function on your device ................................................ 763
Setup Email to SMS Provider configuration ...................................... 764
Create admin type user on device .................................................. 765
Setup Two-Factor Authentication for admin on your device ........ 765
Test the Result ....................................................................................... 766
What Can Go Wrong? ........................................................................ 768
How to Use IP Reputation to Detect Threats .......................................... 769
Activating Reputation Filter Service .................................................. 770
Enabling IP Blocking on ATP ............................................................... 770
Selecting specific type of IP addresses to block ............................. 771
Adding IP addresses to white list and black list ............................... 771
Monitoring statistics for IP detection ................................................. 772
Test the Result ....................................................................................... 772
What Can Go Wrong? ........................................................................ 774
Note:
All network IP addresses and subnet masks are used as examples in this article.
Please replace them with your actual network IP addresses and subnet masks.
This example was tested using USG110 (Firmware Version: ZLD 4.25) and Amazon
VPC (June, 2016).
How to Configure Site-to-site IPSec VPN with Amazon VPC
This example shows how to use the VPN Setup Wizard to create a site-to-site
VPN between a ZyWALL/USG and an Amazon VPC platform. It covers the
configuration required at each site. Once the VPN tunnel is configured, each
site can be accessed securely.
ZyWALL/USG Site-to-site IPSec VPN with Amazon VPC
Set Up the IPSec VPN Tunnel on the Amazon VPC
1 Sign in to the Amazon AWS Management Console. Go to Networking > VPC.
Amazon AWS Management Console > Networking > VPC
2 In the upper left-hand corner of the screen, click Start VPC Wizard.
Amazon VPC Management Console > Networking > VPC > Start VPC Wizard
3 On the Select a VPC Configuration page, select VPC with a Private Subnet Only and
Hardware VPN Access, and then click Select.
Select a VPC Configuration > VPC with a Private Subnet Only and Hardware VPN
Access
4 On the VPC with a Private Subnet Only and Hardware VPN page, enter your IP CIDR
block and private subnet. Click Next.
VPC with a Private Subnet Only and Hardware VPN
5 On the Configure your VPN page, enter your ZyWALL/USG public IP address in Customer
Gateway IP. Enter a Customer Gateway name and a VPN Connection name.
Click Create VPC at the bottom of the blade.
Configure your VPN
6 In the VPC Dashboard, go to VPN Connections. Select Download Configuration
from the upper bar. Select Vendor and Platform to be Generic. Click Yes,
Download.
VPC Dashboard > VPN Connections
7 Open the downloaded configuration .txt file. It displays the IKE SA, IPSec SA and
Gateway IP address. Make sure all the settings match your ZyWALL/USG’s
settings.
Configuration .txt File
Set Up the IPSec VPN Tunnel on the ZyWALL/USG
In the ZyWALL/USG, go to Quick Setup > VPN Setup Wizard and use the VPN Settings
wizard to create a VPN rule that can be used with the Amazon VPC. Click Next.
Quick Setup > VPN Setup Wizard > Welcome
Choose Advanced to create a VPN rule with customized phase 1 and phase 2
settings and authentication method. Click Next.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type
Type the Rule Name used to identify this VPN connection (and VPN gateway).
You may use 1-31 alphanumeric characters. This value is case-sensitive. Set
the rule to Site-to-site. Click Next.
Quick Setup > VPN Setup Wizard > Wizard Type > VPN Settings (Scenario)
Then, configure the Secure Gateway IP as the peer Amazon VPC’s Gateway IP
address (in the example, 52.39.135.203) and set My Address to the interface
connected to the Internet.
Set the Negotiation, Encryption, Authentication, Key Group and SA Life Time
to values that Amazon VPC supports. Type a secure Pre-Shared Key.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings (Phase 1
Setting)
Continue to Phase 2 Settings and select Encapsulation, Encryption,
Authentication, and SA Life Time settings that Amazon VPC supports.
Set Local Policy to the IP address range of the network connected to the
ZyWALL/USG and Remote Policy to the IP address range of the network
connected to the Amazon VPC. Click OK.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Phase 2 Setting)
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings
(Summary)
Now the rule is configured on the ZyWALL/USG. The Phase 1 rule settings appear
in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings
appear in the VPN > IPSec VPN > VPN Connection screen. Click Close to exit the
wizard.
Quick Setup > VPN Setup Wizard > Welcome > Wizard Type > VPN Settings >
Wizard Completed
Test the IPSec VPN Tunnel
On the ZyWALL/USG, go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and
click Connect on the upper bar. The Status connect icon is lit when the interface is
connected.
CONFIGURATION > VPN > IPSec VPN > VPN Connection
Go to ZyWALL/USG MONITOR > VPN Monitor > IPSec and verify the tunnel Up
Time and the Inbound(Bytes)/Outbound(Bytes) traffic.
MONITOR > VPN Monitor > IPSec
To test whether the tunnel is working, ping from a computer on the local LAN to a
computer in the AWS VPC private subnet. Ensure that both computers have Internet access.
Ping from Local LAN to AWS VPC private Subnet for verification:
What Could Go Wrong?
If you see the [info] or [error] log message below, check the ZyWALL/USG Phase
1 Settings. Make sure your ZyWALL/USG Phase 1 Settings are supported in the
Amazon VPC IKE Phase 1 setup list.
MONITOR > Log
If you see that the Phase 1 IKE SA process is done but you still get the [info] log
message below, check the ZyWALL/USG Phase 2 Settings. Make sure your
ZyWALL/USG Phase 2 Settings are supported in the Amazon VPC IKE Phase 2
setup list.
MONITOR > Log
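The comparison asked for in step 7 and in What Could Go Wrong?, as an added example that is not part of the handbook: Python that parses a Generic-style configuration text and lists every Phase 1 or Phase 2 wizard field whose value differs from the peer's. The file layout, its key names, the sample values and the `WIZARD` dictionary are assumptions constructed for illustration.

```python
import re

# Constructed sample styled like a "Generic" download; layout and values are assumptions.
SAMPLE_CONFIG = """\
#1: Internet Key Exchange Configuration
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2
#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
"""
# Wizard field (as named in the steps above) -> key in the text file (assumed).
COMMON = {"Encryption": "Encryption Algorithm",
          "Authentication": "Authentication Algorithm", "SA Life Time": "Lifetime"}
FIELD_MAP = {
    1: {"Negotiation": "Phase 1 Negotiation Mode", "Key Group": "Diffie-Hellman", **COMMON},
    2: {"Encapsulation": "Mode", **COMMON},
}
WIZARD = {  # constructed wizard values; Phase 2 encryption deliberately differs
    1: {"Negotiation": "Main", "Encryption": "AES128", "Authentication": "SHA1",
        "Key Group": "DH2", "SA Life Time": 28800},
    2: {"Encapsulation": "Tunnel", "Encryption": "AES256", "Authentication": "SHA1",
        "SA Life Time": 3600},
}
# Different spellings of the same proposal, e.g. 'aes-128-cbc' and 'AES128'.
RULES = [
    (r"^(?:hmac)?(sha256|sha512|sha1|md5)\d*$", r"\1"),
    (r"^(aes\d+|3des|des)(?:cbc)?$", r"\1"),
    (r"^(?:diffiehellman)?(?:group|dh)(\d+)$", r"dh\1"),
    (r"^(\d+)(?:seconds)?$", r"\1"),
]

def canon(value):
    """Reduce a setting to a comparable token: 'hmac-sha1-96' -> 'sha1'."""
    v = re.sub(r"[^a-z0-9]", "", str(value).lower())
    for pattern, repl in RULES:
        v = re.sub(pattern, repl, v)
    return v

def parse_config(text):
    """Return {phase: {key: value}} from '#N:' headers and '- key : value' lines."""
    phases, current = {}, {}
    for line in text.splitlines():
        head = re.match(r"\s*#(\d+):", line)
        item = re.match(r"\s*-\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if head:
            current = phases.setdefault(int(head.group(1)), {})
        elif item:
            current[item.group(1)] = item.group(2)
    return phases

def find_mismatches(config_text, wizard):
    """Return (phase, field, local, peer) for each setting that differs or is absent."""
    peer, problems = parse_config(config_text), []
    for phase, fields in FIELD_MAP.items():
        for field, key in fields.items():
            theirs, ours = peer.get(phase, {}).get(key), wizard.get(phase, {}).get(field)
            if theirs is None or ours is None or canon(theirs) != canon(ours):
                problems.append((phase, field, ours, theirs))
    return problems
```

Calling `find_mismatches(SAMPLE_CONFIG, WIZARD)` reports the Phase 2 Encryption field, the kind of difference that lets Phase 1 complete while Phase 2 negotiation still fails.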