Zyxel ZYWALL 200, ZYWALL USG 100 user manual

ZyWALL USG 100/200 Series

Unified Security Gateway

LAN1 Port: P4
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com
Firmware Version 2.20 Edition 2, 9/2010
Copyright © 2010 ZyXEL Communications Corporation


About This User's Guide

Intended Audience
This manual is intended for people who want to configure the ZyWALL using the Web Configurator.
How To Use This Guide
• Read Chapter 1 on page 33 for an overview of features available on the ZyWALL.
• Read Chapter 3 on page 47 for web browser requirements and an introduction to the main components, icons and menus in the ZyWALL Web Configurator.
• Read Chapter 4 on page 65 if you’re using the installation wizard for first time setup and you want more detailed information than what the real time online help provides.
• Read Chapter 5 on page 75 if you’re using the quick setup wizards and you want more detailed information than what the real time online help provides.
• It is highly recommended you read Chapter 6 on page 93 for detailed information on essential terms used in the ZyWALL, what prerequisites are needed to configure a feature and how to use that feature.
• It is highly recommended you read Chapter 7 on page 117 for ZyWALL application examples.
• Subsequent chapters are arranged by menu item as defined in the Web Configurator. Read each chapter carefully for detailed information on that menu item.
• To find specific information in this guide, use the Contents Overview, the Table of Contents, the Index, or search the PDF file. E-mail techwriters@zyxel.com.tw if you cannot find the information you require.
Related Documentation
• Quick Start Guide The Quick Start Guide is designed to show you how to make the ZyWALL hardware connections and access the Web Configurator wizards. (See the wizard real time help for information on configuring each screen.) It also contains a connection diagram and package contents list.
• CLI Reference Guide The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the ZyWALL.
Note: It is recommended you use the Web Configurator to configure the ZyWALL.
ZyWALL USG 100/200 Series User’s Guide
3
• Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information.
Documentation Feedback
Send your comments, questions or suggestions to: techwriters@zyxel.com.tw
Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 30099, Taiwan.
Need More Help?
More help is available at www.zyxel.com.
• Download Library Search for the latest product updates and documentation from this link. Read the Tech Doc Overview to find out how to efficiently use the User Guide, Quick Start Guide and Command Line Interface Reference Guide in order to better understand how to use your product.
• Knowledge Base If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products.
• Forum This contains discussions on ZyXEL products. Learn from others who use ZyXEL products and share your experiences as well.
Customer Support
Should problems arise that cannot be solved by the methods listed above, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device.
See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Disclaimer
Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate.

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
• The ZyWALL may be referred to as the “ZyWALL”, the “device”, the “system” or the “product” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “enter” or “return” key on your keyboard.
• “Enter” means for you to type one or more characters and then press the [ENTER] key. “Select” or “choose” means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
Icons shown: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router.

Safety Warnings

• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
• Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the device and the power source.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose of them at the applicable collection point for the recycling of electrical and electronic equipment. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.

Contents Overview

User’s Guide ..... 31
Introducing the ZyWALL ..... 33
Features and Applications ..... 39
Web Configurator ..... 47
Installation Setup Wizard ..... 65
Quick Setup ..... 75
Configuration Basics ..... 93
Tutorials ..... 117
L2TP VPN Example ..... 187
Technical Reference ..... 225
Dashboard ..... 227
Monitor ..... 241
Registration ..... 285
Signature Update ..... 291
Interfaces ..... 297
Trunks ..... 373
Policy and Static Routes ..... 383
Routing Protocols ..... 399
Zones ..... 413
DDNS ..... 417
NAT ..... 423
HTTP Redirect ..... 433
ALG ..... 439
IP/MAC Binding ..... 447
Authentication Policy ..... 453
Firewall ..... 461
IPSec VPN ..... 479
SSL VPN ..... 521
SSL User Screens ..... 535
SSL User Application Screens ..... 545
SSL User File Sharing ..... 547
ZyWALL SecuExtender ..... 555
L2TP VPN ..... 559
Application Patrol ..... 563
Anti-Virus ..... 589
IDP ..... 605
ADP ..... 641
Content Filtering ..... 663
Content Filter Reports ..... 687
Anti-Spam ..... 695
Device HA ..... 713
User/Group ..... 735
Addresses ..... 751
Services ..... 757
Schedules ..... 763
AAA Server ..... 769
Authentication Method ..... 779
Certificates ..... 785
ISP Accounts ..... 807
SSL Application ..... 811
Endpoint Security ..... 819
System ..... 829
Log and Report ..... 881
File Manager ..... 897
Diagnostics ..... 909
Reboot ..... 919
Shutdown ..... 921
Troubleshooting ..... 923
Product Specifications ..... 943

Table of Contents

About This User's Guide ..... 3
Document Conventions ..... 6
Safety Warnings ..... 8
Contents Overview ..... 9
Table of Contents ..... 11
Part I: User’s Guide ..... 31
Chapter 1
Introducing the ZyWALL ..... 33
1.1 Overview and Key Default Settings ..... 33
1.2 Rack-mounted Installation ..... 34
1.2.1 Rack-Mounted Installation Procedure ..... 34
1.3 Front Panel ..... 35
1.3.1 Front Panel LEDs ..... 36
1.4 Management Overview ..... 36
1.5 Starting and Stopping the ZyWALL ..... 38
Chapter 2
Features and Applications ..... 39
2.1 Features ..... 39
2.2 Applications ..... 41
2.2.1 VPN Connectivity ..... 42
2.2.2 SSL VPN Network Access ..... 42
2.2.3 User-Aware Access Control ..... 44
2.2.4 Multiple WAN Interfaces ..... 44
2.2.5 Device HA ..... 45
Chapter 3
Web Configurator ..... 47
3.1 Web Configurator Requirements ..... 47
3.2 Web Configurator Access ..... 47
3.3 Web Configurator Screens Overview ..... 49
3.3.1 Title Bar ..... 50
3.3.2 Navigation Panel ..... 51
3.3.3 Main Window ..... 57
3.3.4 Tables and Lists ..... 59
Chapter 4
Installation Setup Wizard ..... 65
4.1 Installation Setup Wizard Screens ..... 65
4.1.1 Internet Access Setup - WAN Interface ..... 66
4.1.2 Internet Access: Ethernet ..... 66
4.1.3 Internet Access: PPPoE ..... 68
4.1.4 Internet Access: PPTP ..... 69
4.1.5 ISP Parameters ..... 70
4.1.6 Internet Access Setup - Second WAN Interface ..... 71
4.1.7 Internet Access - Finish ..... 72
4.2 Device Registration ..... 72
Chapter 5
Quick Setup ..... 75
5.1 Quick Setup Overview ..... 75
5.2 WAN Interface Quick Setup ..... 76
5.2.1 Choose an Ethernet Interface ..... 76
5.2.2 Select WAN Type ..... 76
5.2.3 Configure WAN Settings ..... 77
5.2.4 WAN and ISP Connection Settings ..... 78
5.2.5 Quick Setup Interface Wizard: Summary ..... 80
5.3 VPN Quick Setup ..... 81
5.4 VPN Setup Wizard: Wizard Type ..... 82
5.5 VPN Express Wizard - Scenario ..... 83
5.5.1 VPN Express Wizard - Configuration ..... 84
5.5.2 VPN Express Wizard - Summary ..... 85
5.5.3 VPN Express Wizard - Finish ..... 86
5.5.4 VPN Advanced Wizard - Scenario ..... 87
5.5.5 VPN Advanced Wizard - Phase 1 Settings ..... 88
5.5.6 VPN Advanced Wizard - Phase 2 ..... 90
5.5.7 VPN Advanced Wizard - Summary ..... 91
5.5.8 VPN Advanced Wizard - Finish ..... 92
Chapter 6
Configuration Basics ..... 93
6.1 Object-based Configuration ..... 93
6.2 Zones, Interfaces, and Physical Ports ..... 94
6.2.1 Interface Types ..... 95
6.2.2 Default Interface and Zone Configuration ..... 96
6.3 Terminology in the ZyWALL ..... 97
6.4 Packet Flow ..... 99
6.4.1 ZLD 2.20 Packet Flow Enhancements ..... 99
6.4.2 Routing Table Checking Flow Enhancements ..... 100
6.4.3 NAT Table Checking Flow ..... 101
6.5 Feature Configuration Overview ..... 102
6.5.1 Feature ..... 103
6.5.2 Licensing Registration ..... 103
6.5.3 Licensing Update ..... 103
6.5.4 Interface ..... 104
6.5.5 Trunks ..... 104
6.5.6 Policy Routes ..... 104
6.5.7 Static Routes ..... 106
6.5.8 Zones ..... 106
6.5.9 DDNS ..... 106
6.5.10 NAT ..... 106
6.5.11 HTTP Redirect ..... 107
6.5.12 ALG ..... 108
6.5.13 Auth. Policy ..... 108
6.5.14 Firewall ..... 108
6.5.15 IPSec VPN ..... 109
6.5.16 SSL VPN ..... 109
6.5.17 L2TP VPN ..... 110
6.5.18 Application Patrol ..... 110
6.5.19 Anti-Virus ..... 111
6.5.20 IDP ..... 111
6.5.21 ADP ..... 111
6.5.22 Content Filter ..... 111
6.5.23 Anti-Spam ..... 112
6.5.24 Device HA ..... 112
6.6 Objects ..... 113
6.6.1 User/Group ..... 113
6.7 System ..... 114
6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM ..... 114
6.7.2 Logs and Reports ..... 115
6.7.3 File Manager ..... 115
6.7.4 Diagnostics ..... 115
6.7.5 Shutdown ..... 115
Chapter 7
Tutorials ..... 117
7.1 How to Configure Interfaces, Port Roles, and Zones ..... 117
7.1.1 Configure a WAN Ethernet Interface ..... 118
7.1.2 Configure the OPT Interface for a Local Network .....................................................119
7.1.3 Configure Zones ........................... .... ... ... ... .... ... ... ... ................................................. . 120
7.1.4 Configure Port Roles ................................................................................................ 121
7.2 How to Configure a Cellular Interface . ... .... ... ... ... .... ... ... ... .... .............................................. 122
7.3 How to Configure Load Balancing ..................................................................................... 124
7.3.1 Set Up Available Bandwidth on Ethernet Interfaces ................................................ 124
7.3.2 Configure the WAN Trunk ........................................................................................ 125
7.4 How to Set Up a Wireless LAN .......................................................................................... 127
7.4.1 Set Up User Accounts .............................................................................................. 127
7.4.2 Create the WLAN Interface ........................................................................................ 128
7.4.3 Set Up the Wireless Clients to Use the WLAN Interface .......................................... 131
7.5 How to Set Up an IPSec VPN Tunnel ................................................................................ 143
7.5.1 Set Up the VPN Gateway ......................................................................................... 144
7.5.2 Set Up the VPN Connection ..................................................................................... 144
7.5.3 Configure Security Policies for the VPN Tunnel ....................................................... 146
7.6 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator ................. 146
7.7 How to Configure User-aware Access Control .................................................................. 148
7.7.1 Set Up User Accounts .............................................................................................. 149
7.7.2 Set Up User Groups ................................................................................................. 150
7.7.3 Set Up User Authentication Using the RADIUS Server ............................................ 150
7.7.4 Web Surfing Policies With Bandwidth Restrictions .................................................. 152
7.7.5 Set Up MSN Policies ................................................................................................ 155
7.7.6 Set Up Firewall Rules ............................................................................................... 156
7.8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups ............. 157
7.9 How to Use Endpoint Security and Authentication Policies ............................................... 159
7.9.1 Configure the Endpoint Security Objects .................................................................159
7.9.2 Configure the Authentication Policy ......................................................................... 161
7.10 How to Configure Service Control ................................................................................... 162
7.10.1 Allow HTTPS Administrator Access Only From the LAN ....................................... 163
7.11 How to Allow Incoming H.323 Peer-to-peer Calls ............................................................ 165
7.11.1 Turn On the ALG .................................................................................................... 166
7.11.2 Set Up a NAT Policy For H.323 .............................................................................. 166
7.11.3 Set Up a Firewall Rule For H.323 ........................................................................... 168
7.12 How to Allow Public Access to a Web Server ............................................................ 169
7.12.1 Create the Address Objects ...................................................................................170
7.12.2 Configure NAT ........................................................................................................ 170
7.12.3 Set Up a Firewall Rule ........................................................................................... 171
7.13 How to Use an IPPBX on the DMZ .............................................................................. 172
7.13.1 Turn On the ALG .................................................................................................... 174
7.13.2 Create the Address Objects ...................................................................................174
7.13.3 Set Up a NAT Policy for the IPPBX .......................................................................... 175
7.13.4 Set Up a WAN to DMZ Firewall Rule for SIP .........................................................176
7.13.5 Set Up a DMZ to LAN Firewall Rule for SIP ........................................................... 177
7.14 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ............... 178
7.14.1 Create the Public IP Address Range Object ............................................................ 178
7.14.2 Configure the Policy Route .................................................................................... 179
7.15 How to Use Active-Passive Device HA ........................................................................... 179
7.15.1 Before You Start ..................................................................................................... 180
7.15.2 Configure Device HA on the Master ZyWALL ........................................................181
7.15.3 Configure the Backup ZyWALL .............................................................................. 183
7.15.4 Deploy the Backup ZyWALL .................................................................................. 185
7.15.5 Check Your Device HA Setup ................................................................................ 185
Chapter 8
L2TP VPN Example...............................................................................................................187
8.1 L2TP VPN Example ...........................................................................................................187
8.2 Configuring the Default L2TP VPN Gateway Example ...................................................... 187
8.3 Configuring the Default L2TP VPN Connection Example .................................................. 189
8.4 Configuring the L2TP VPN Settings Example ...................................................................190
8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000 ..................................................... 191
8.5.1 Configuring L2TP in Windows Vista ......................................................................... 191
8.5.2 Configuring L2TP in Windows XP ............................................................................201
8.5.3 Configuring L2TP in Windows 2000 ......................................................................... 207
Part II: Technical Reference................................................................ 225
Chapter 9
Dashboard............................................................................................................................227
9.1 Overview ....................................................................................................................... 227
9.1.1 What You Can Do in this Chapter .............................................................................. 227
9.2 The Dashboard Screen ................................................................................................. 227
9.2.1 The CPU Usage Screen ............................................................................................. 234
9.2.2 The Memory Usage Screen ....................................................................................... 235
9.2.3 The Session Usage Screen ....................................................................................... 236
9.2.4 The VPN Status Screen ............................................................................................. 237
9.2.5 The DHCP Table Screen ............................................................................................ 237
9.2.6 The Number of Login Users Screen .......................................................................... 238
Chapter 10
Monitor..................................................................................................................................241
10.1 Overview .......................................................................................................................... 241
10.1.1 What You Can Do in this Chapter .......................................................................... 241
10.2 The Port Statistics Screen .............................................................................................. 242
10.2.1 The Port Statistics Graph Screen .......................................................................... 244
10.3 Interface Status Screen ...................................................................................................245
10.4 The Traffic Statistics Screen ............................................................................................ 248
10.5 The Session Monitor Screen .......................................................................................... 251
10.6 The DDNS Status Screen ................................................................................................254
10.7 IP/MAC Binding Monitor .................................................................................................. 254
10.8 The Login Users Screen .............................................................................................. 256
10.9 WLAN Interface Station Monitor Screen .......................................................................... 256
10.10 Cellular Status Screen ...................................................................................................258
10.11 USB Storage Screen ..................................................................................................... 260
10.12 Application Patrol Statistics ........................................................................................... 261
10.12.1 Application Patrol Statistics: General Setup ......................................................... 261
10.12.2 Application Patrol Statistics: Bandwidth Statistics ................................................ 262
10.12.3 Application Patrol Statistics: Protocol Statistics ................................................... 263
10.12.4 Application Patrol Statistics: Individual Protocol Statistics by Rule .....................264
10.13 The IPSec Monitor Screen ........................................................................................... 265
10.13.1 Regular Expressions in Searching IPSec SAs ..................................................... 267
10.14 The SSL Connection Monitor Screen ............................................................................ 268
10.15 L2TP over IPSec Session Monitor Screen .................................................................... 269
10.16 The Anti-Virus Statistics Screen .................................................................................... 270
10.17 The IDP Statistics Screen .............................................................................................. 272
10.18 The Content Filter Statistics Screen ..............................................................................274
10.19 Content Filter Cache Screen ......................................................................................... 275
10.20 The Anti-Spam Statistics Screen ................................................................................... 278
10.21 The Anti-Spam Status Screen ....................................................................................... 280
10.22 Log Screen ....................................................................................................................281
Chapter 11
Registration...........................................................................................................................285
11.1 Overview .......................................................................................................................... 285
11.1.1 What You Can Do in this Chapter ............................................................................ 285
11.1.2 What You Need to Know .......................................................................................... 285
11.2 The Registration Screen .................................................................................................. 287
11.3 The Service Screen ......................................................................................................... 289
Chapter 12
Signature Update..................................................................................................................291
12.1 Overview .......................................................................................................................... 291
12.1.1 What You Can Do in this Chapter .......................................................................... 291
12.1.2 What You Need to Know .......................................................................................... 291
12.2 The Antivirus Update Screen ........................................................................................... 292
12.3 The IDP/AppPatrol Update Screen .................................................................................. 293
12.4 The System Protect Update Screen ............................................................................... 295
Chapter 13
Interfaces...............................................................................................................................297
13.1 Interface Overview ........................................................................................................... 297
13.1.1 What You Can Do in this Chapter .......................................................................... 297
13.1.2 What You Need to Know ........................................................................................ 298
13.2 Port Role ......................................................................................................................... 301
13.3 Ethernet Summary Screen .............................................................................................. 302
13.3.1 Ethernet Edit .........................................................................................................304
13.3.2 Object References ................................................................................................. 312
13.4 PPP Interfaces ................................................................................................................ 313
13.4.1 PPP Interface Summary ......................................................................................... 314
13.4.2 PPP Interface Add or Edit ..................................................................................... 316
13.5 Cellular Configuration Screen (3G) ................................................................................. 320
13.5.1 Cellular Add/Edit Screen ......................................................................................... 322
13.6 WLAN Interface General Screen ..................................................................................... 329
13.6.1 WLAN Add/Edit Screen ............................................................................................ 332
13.6.2 WLAN Add/Edit: WEP Security ................................................................................ 338
13.6.3 WLAN Add/Edit: WPA-PSK/WPA2-PSK Security ...................................................339
13.6.4 WLAN Add/Edit: WPA/WPA2 Security ...................................................................340
13.7 WLAN Interface MAC Filter ............................................................................................ 342
13.8 VLAN Interfaces ............................................................................................................. 344
13.8.1 VLAN Summary Screen ........................................................................................... 346
13.8.2 VLAN Add/Edit ...................................................................................................... 347
13.9 Bridge Interfaces ............................................................................................................ 354
13.9.1 Bridge Summary ....................................................................................................356
13.9.2 Bridge Add/Edit ..................................................................................................... 357
13.10 Auxiliary Interface ......................................................................................................... 363
13.10.1 Auxiliary Interface Overview ................................................................................. 363
13.10.2 Auxiliary ................................................................................................................ 363
13.11 Virtual Interfaces ....................................................................................................... 365
13.11.1 Virtual Interfaces Add/Edit ..................................................................................... 366
13.12 Interface Technical Reference ....................................................................................... 367
Chapter 14
Trunks...................................................................................................................................373
14.1 Overview .......................................................................................................................... 373
14.1.1 What You Can Do in this Chapter .......................................................................... 373
14.1.2 What You Need to Know ........................................................................................ 374
14.2 The Trunk Summary Screen ........................................................................................ 378
14.3 Configuring a Trunk ........................................................................................................ 379
14.4 Trunk Technical Reference .............................................................................................. 381
Chapter 15
Policy and Static Routes......................................................................................................383
15.1 Policy and Static Routes Overview .................................................................................. 383
15.1.1 What You Can Do in this Chapter .......................................................................... 383
15.1.2 What You Need to Know ....................................................................................... 384
15.2 Policy Route Screen ........................................................................................................ 386
15.2.1 Policy Route Edit Screen ....................................................................................... 389
15.3 IP Static Route Screen ....................................................................................................393
15.3.1 Static Route Add/Edit Screen ................................................................................. 394
15.4 Policy Routing Technical Reference ................................................................................ 395
Chapter 16
Routing Protocols .................................................................................................................399
16.1 Routing Protocols Overview ............................................................................................ 399
16.1.1 What You Can Do in this Chapter .......................................................................... 399
16.1.2 What You Need to Know ........................................................................................ 399
16.2 The RIP Screen ............................................................................................................ 400
16.3 The OSPF Screen ........................................................................................................ 401
16.3.1 Configuring the OSPF Screen ................................................................................. 405
16.3.2 OSPF Area Add/Edit Screen .................................................................................408
16.3.3 Virtual Link Add/Edit Screen ................................................................................. 409
16.4 Routing Protocol Technical Reference ............................................................................ 410
Chapter 17
Zones .....................................................................................................................................413
17.1 Zones Overview ...............................................................................................................413
17.1.1 What You Can Do in this Chapter .......................................................................... 413
17.1.2 What You Need to Know ........................................................................................ 414
17.2 The Zone Screen ......................................................................................................... 415
17.3 Zone Edit ........................................................................................................................ 416
Chapter 18
DDNS......................................................................................................................................417
18.1 DDNS Overview .............................................................................................................. 417
18.1.1 What You Can Do in this Chapter .......................................................................... 417
18.1.2 What You Need to Know ........................................................................................ 417
18.2 The DDNS Screen ...........................................................................................................418
18.2.1 The Dynamic DNS Add/Edit Screen ...................................................................... 420
Chapter 19
NAT.........................................................................................................................................423
19.1 NAT Overview .................................................................................................................. 423
19.1.1 What You Can Do in this Chapter .......................................................................... 423
19.1.2 What You Need to Know ........................................................................................ 424
19.2 The NAT Screen ........................................................................................................... 424
19.2.1 The NAT Add/Edit Screen ........................................................................................ 426
19.3 NAT Technical Reference ................................................................................................429
Chapter 20
HTTP Redirect......................................................................................................................433
20.1 Overview .......................................................................................................................... 433
20.1.1 What You Can Do in this Chapter .......................................................................... 433
20.1.2 What You Need to Know ........................................................................................ 434
20.2 The HTTP Redirect Screen ............................................................................................. 435
20.2.1 The HTTP Redirect Edit Screen ............................................................................. 436
Chapter 21
ALG ........................................................................................................................................439
21.1 ALG Overview ................................................................................................................. 439
21.1.1 What You Can Do in this Chapter .......................................................................... 439
21.1.2 What You Need to Know ........................................................................................ 440
21.1.3 Before You Begin ...................................................................................................443
21.2 The ALG Screen .............................................................................................................. 443
21.3 ALG Technical Reference ................................................................................................ 445
Chapter 22
IP/MAC Binding....................................................................................................................447
22.1 IP/MAC Binding Overview ............................................................................................... 447
22.1.1 What You Can Do in this Chapter .......................................................................... 447
22.1.2 What You Need to Know ........................................................................................ 448
22.2 IP/MAC Binding Summary ............................................................................................... 448
22.2.1 IP/MAC Binding Edit ............................................................................................... 449
22.2.2 Static DHCP Edit .................................................................................................... 450
22.3 IP/MAC Binding Exempt List ........................................................................................... 451
Chapter 23
Authentication Policy...........................................................................................................453
23.1 Overview .......................................................................................................................... 453
23.1.1 What You Can Do in this Chapter .......................................................................... 453
23.1.2 What You Need to Know ........................................................................................ 454
23.2 Authentication Policy Screen ........................................................................................... 454
23.2.1 Adding Exceptional Services .................................................................................. 456
23.2.2 Creating/Editing an Authentication Policy .............................................................. 457
Chapter 24
Firewall...................................................................................................................................461
24.1 Overview .......................................................................................................................... 461
24.1.1 What You Can Do in this Chapter .......................................................................... 461
24.1.2 What You Need to Know ........................................................................................ 462
24.1.3 Firewall Rule Example Applications ....................................................................... 464
24.1.4 Firewall Rule Configuration Example ..................................................................... 467
24.2 The Firewall Screen ..................................................................................................... 469
24.2.1 Configuring the Firewall Screen .............................................................................. 470
24.2.2 The Firewall Add/Edit Screen ................................................................................. 473
24.3 The Session Limit Screen ................................................................................................474
24.3.1 The Session Limit Add/Edit Screen ........................................................................ 476
Chapter 25
IPSec VPN..............................................................................................................................479
25.1 IPSec VPN Overview .......................................................................................................479
25.1.1 What You Can Do in this Chapter .......................................................................... 479
25.1.2 What You Need to Know ........................................................................................ 480
25.1.3 Before You Begin ...................................................................................................482
25.2 The VPN Connection Screen .......................................................................................... 482
25.2.1 The VPN Connection Add/Edit (IKE) Screen ......................................................... 484
25.2.2 The VPN Connection Add/Edit Manual Key Screen .............................................. 491
25.3 The VPN Gateway Screen .............................................................................................. 494
25.3.1 The VPN Gateway Add/Edit Screen ...................................................................... 495
25.4 VPN Concentrator ..........................................................................................................503
25.4.1 IPSec VPN Concentrator Example ........................................................................ 503
25.4.2 VPN Concentrator Screen ...................................................................................... 506
25.4.3 The VPN Concentrator Add/Edit Screen .................................................................. 506
25.5 IPSec VPN Background Information ............................................................................... 507
Chapter 26
SSL VPN.................................................................................................................................521
26.1 Overview .......................................................................................................................... 521
26.1.1 What You Can Do in this Chapter .......................................................................... 521
26.1.2 What You Need to Know ........................................................................................ 521
26.2 The SSL Access Privilege Screen ................................................................................... 524
26.2.1 The SSL Access Policy Add/Edit Screen .............................................................. 526
26.3 The SSL Global Setting Screen ................................................................................... 529
26.3.1 How to Upload a Custom Logo .............................................................................. 531
26.4 Establishing an SSL VPN Connection ............................................................................. 532
Chapter 27
SSL User Screens.................................................................................................................535
27.1 Overview .......................................................................................................................... 535
27.1.1 What You Need to Know ........................................................................................ 535
20
ZyWALL USG 100/200 Series User’s Guide
Page 21
Table of Contents
27.2 Remote User Login ..........................................................................................................536
27.3 The SSL VPN User Screens ........................................................................................... 541
27.4 Bookmarking the ZyWALL ............................................................................................... 542
27.5 Logging Out of the SSL VPN User Screens ....................................................................542
Chapter 28
SSL User Application Screens ............................................................................................545
28.1 SSL User Application Screens Overview ........................................................................ 545
28.2 The Application Screen ...................................................................................................545
Chapter 29
SSL User File Sharing ..........................................................................................................547
29.1 Overview .......................................................................................................................... 547
29.1.1 What You Need to Know ........................................................................................ 547
29.2 The Main File Sharing Screen ......................................................................................... 548
29.3 Opening a File or Folder ................................................................................................. 548
29.3.1 Downloading a File ................................................................................................. 550
29.3.2 Saving a File ..........................................................................................................551
29.4 Creating a New Folder .................................................................................................... 551
29.5 Renaming a File or Folder ............................................................................................... 552
29.6 Deleting a File or Folder ..................................................................................................552
29.7 Uploading a File ............................................................................................................. 553
Chapter 30
ZyWALL SecuExtender.........................................................................................................555
30.1 The ZyWALL SecuExtender Icon .................................................................................... 555
30.2 Statistics .......................................................................................................................... 556
30.3 View Log ..........................................................................................................................557
30.4 Suspend and Resume the Connection ........................................................................... 557
30.5 Stop the Connection ........................................................................................................ 558
30.6 Uninstalling the ZyWALL SecuExtender .......................................................................... 558
Chapter 31
L2TP VPN...............................................................................................................................559
31.1 Overview .......................................................................................................................... 559
31.1.1 What You Can Do in this Chapter .......................................................................... 559
31.1.2 What You Need to Know ........................................................................................ 559
31.2 L2TP VPN Screen ........................................................................................................... 561
Chapter 32
Application Patrol.................................................................................................................563
32.1 Overview .......................................................................................................................... 563
32.1.1 What You Can Do in this Chapter .......................................................................... 563
32.1.2 What You Need to Know ....................................................................................... 564
32.1.3 Application Patrol Bandwidth Management Examples ........................................... 569
32.2 Application Patrol General Screen ..................................................................................573
32.3 Application Patrol Applications ........................................................................................ 574
32.3.1 The Application Patrol Edit Screen ........................................................................ 575
32.3.2 The Application Patrol Policy Edit Screen ............................................................. 579
32.4 The Other Applications Screen ........................................................................................ 582
32.4.1 The Other Applications Add/Edit Screen ................................................................ 585
Chapter 33
Anti-Virus...............................................................................................................................589
33.1 Overview .......................................................................................................................... 589
33.1.1 What You Can Do in this Chapter .......................................................................... 589
33.1.2 What You Need to Know ........................................................................................ 590
33.1.3 Before You Begin ...................................................................................................592
33.2 Anti-Virus Summary Screen ........................................................................................... 592
33.2.1 Anti-Virus Policy Add or Edit Screen ......................................................................595
33.3 Anti-Virus Black List .........................................................................................................597
33.4 Anti-Virus Black List or White List Add/Edit ..................................................................... 598
33.5 Anti-Virus White List ....................................................................................................... 599
33.6 Signature Searching ........................................................................................................ 600
33.7 Anti-Virus Technical Reference ........................................................................................ 603
Chapter 34
IDP.........................................................................................................................................605
34.1 Overview .......................................................................................................................... 605
34.1.1 What You Can Do in this Chapter .......................................................................... 605
34.1.2 What You Need To Know ....................................................................................... 605
34.1.3 Before You Begin ...................................................................................................606
34.2 The IDP General Screen ................................................................................................. 607
34.3 Introducing IDP Profiles ................................................................................................. 609
34.3.1 Base Profiles ..........................................................................................................610
34.4 The Profile Summary Screen ...........................................................................................611
34.5 Creating New Profiles ...................................................................................................... 612
34.5.1 Procedure To Create a New Profile ........................................................................ 612
34.6 Profiles: Packet Inspection ............................................................................................. 613
34.6.1 Profile > Group View Screen .................................................................................. 613
34.6.2 Policy Types ........................................................................................................... 616
34.6.3 IDP Service Groups ...............................................................................................617
34.6.4 Profile > Query View Screen .................................................................................. 618
34.6.5 Query Example ...................................................................................................... 621
34.7 Introducing IDP Custom Signatures ............................................................................... 623
34.7.1 IP Packet Header ...................................................................................................623
34.8 Configuring Custom Signatures ...................................................................................... 624
34.8.1 Creating or Editing a Custom Signature ................................................................ 626
34.8.2 Custom Signature Example ................................................................................... 632
34.8.3 Applying Custom Signatures ..................................................................................634
34.8.4 Verifying Custom Signatures .................................................................................. 635
34.9 IDP Technical Reference ................................................................................................. 636
Chapter 35
ADP .......................................................................................................................................641
35.1 Overview .......................................................................................................................... 641
35.1.1 ADP and IDP Comparison ..................................................................................... 641
35.1.2 What You Can Do in this Chapter ......................................................................... 641
35.1.3 What You Need To Know ....................................................................................... 641
35.1.4 Before You Begin ...................................................................................................642
35.2 The ADP General Screen ............................................................................................... 643
35.3 The Profile Summary Screen .......................................................................................... 644
35.3.1 Base Profiles ..........................................................................................................645
35.3.2 Configuring The ADP Profile Summary Screen .....................................................645
35.3.3 Creating New ADP Profiles ................................................................................... 646
35.3.4 Traffic Anomaly Profiles ........................................................................................ 646
35.3.5 Protocol Anomaly Profiles ..................................................................................... 649
35.3.6 Protocol Anomaly Configuration ............................................................................. 649
35.4 ADP Technical Reference ................................................................................................ 653
Chapter 36
Content Filtering..................................................................................................................663
36.1 Overview .......................................................................................................................... 663
36.1.1 What You Can Do in this Chapter .......................................................................... 663
36.1.2 What You Need to Know ........................................................................................ 663
36.1.3 Before You Begin ...................................................................................................665
36.2 Content Filter General Screen ....................................................................................... 665
36.3 Content Filter Policy Add or Edit Screen ......................................................................... 668
36.4 Content Filter Profile Screen ..........................................................................................670
36.5 Content Filter Categories Screen ................................................................................... 670
36.5.1 Content Filter Blocked and Warning Messages ..................................................... 682
36.6 Content Filter Customization Screen .............................................................................. 683
36.7 Content Filter Technical Reference ................................................................................. 685
Chapter 37
Content Filter Reports..........................................................................................................687
37.1 Overview .......................................................................................................................... 687
37.2 Viewing Content Filter Reports ...................................................................................... 687
Chapter 38
Anti-Spam..............................................................................................................................695
38.1 Overview .......................................................................................................................... 695
38.1.1 What You Can Do in this Chapter .......................................................................... 695
38.1.2 What You Need to Know ........................................................................................ 695
38.2 Before You Begin ............................................................................................................. 697
38.3 The Anti-Spam General Screen ....................................................................................... 697
38.3.1 The Anti-Spam Policy Add or Edit Screen ............................................................. 699
38.4 The Anti-Spam Black List Screen .................................................................................... 701
38.4.1 The Anti-Spam Black or White List Add/Edit Screen ............................................. 703
38.4.2 Regular Expressions in Black or White List Entries ............................................... 704
38.5 The Anti-Spam White List Screen ....................................................................................705
38.6 The DNSBL Screen ......................................................................................................... 706
38.7 Anti-Spam Technical Reference ...................................................................................... 708
Chapter 39
Device HA..............................................................................................................................713
39.1 Overview .......................................................................................................................... 713
39.1.1 What You Can Do in this Chapter .......................................................................... 713
39.1.2 What You Need to Know ........................................................................................ 713
39.1.3 Before You Begin ...................................................................................................714
39.2 Device HA General ..........................................................................................................715
39.3 The Active-Passive Mode Screen ................................................................................... 716
39.3.1 Configuring Active-Passive Mode Device HA ........................................................718
39.4 Configuring an Active-Passive Mode Monitored Interface ............................................... 721
39.5 The Legacy Mode Screen ............................................................................................... 723
39.6 Configuring the Legacy Mode Screen ............................................................................ 724
39.7 Device HA Technical Reference ...................................................................................... 728
Chapter 40
User/Group............................................................................................................................735
40.1 Overview .......................................................................................................................... 735
40.1.1 What You Can Do in this Chapter .......................................................................... 735
40.1.2 What You Need To Know ....................................................................................... 735
40.2 User Summary Screen .................................................................................................... 738
40.2.1 User Add/Edit Screen ............................................................................................ 738
40.3 User Group Summary Screen ......................................................................................... 741
40.3.1 Group Add/Edit Screen .......................................................................................... 742
40.4 Setting Screen ................................................................................................................ 743
40.4.1 Default User Authentication Timeout Settings Edit Screens ..................................746
40.4.2 User Aware Login Example ................................................................................... 748
40.5 User/Group Technical Reference ................................................................................... 749
Chapter 41
Addresses.............................................................................................................................751
41.1 Overview .......................................................................................................................... 751
41.1.1 What You Can Do in this Chapter .......................................................................... 751
41.1.2 What You Need To Know ....................................................................................... 751
41.2 Address Summary Screen .............................................................................................. 751
41.2.1 Address Add/Edit Screen ....................................................................................... 753
41.3 Address Group Summary Screen ................................................................................... 754
41.3.1 Address Group Add/Edit Screen ............................................................................ 755
Chapter 42
Services.................................................................................................................................757
42.1 Overview .......................................................................................................................... 757
42.1.1 What You Can Do in this Chapter .......................................................................... 757
42.1.2 What You Need to Know ........................................................................................ 757
42.2 The Service Summary Screen ........................................................................................ 758
42.2.1 The Service Add/Edit Screen ................................................................................ 760
42.3 The Service Group Summary Screen ............................................................................. 760
42.3.1 The Service Group Add/Edit Screen ...................................................................... 762
Chapter 43
Schedules..............................................................................................................................763
43.1 Overview .......................................................................................................................... 763
43.1.1 What You Can Do in this Chapter .......................................................................... 763
43.1.2 What You Need to Know ........................................................................................ 763
43.2 The Schedule Summary Screen ...................................................................................... 764
43.2.1 The One-Time Schedule Add/Edit Screen ............................................................. 765
43.2.2 The Recurring Schedule Add/Edit Screen ............................................................. 766
Chapter 44
AAA Server...........................................................................................................................769
44.1 Overview .......................................................................................................................... 769
44.1.1 Directory Service (AD/LDAP) ................................................................................. 769
44.1.2 RADIUS Server ...................................................................................................... 770
44.1.3 ASAS ...................................................................................................................... 770
44.1.4 What You Can Do in this Chapter .......................................................................... 770
44.1.5 What You Need To Know ....................................................................................... 771
44.2 Active Directory or LDAP Server Summary ..................................................................... 773
44.2.1 Adding an Active Directory or LDAP Server .......................................................... 773
44.3 RADIUS Server Summary ............................................................................................... 775
44.3.1 Adding a RADIUS Server ...................................................................................... 777
Chapter 45
Authentication Method.........................................................................................................779
45.1 Overview .......................................................................................................................... 779
45.1.1 What You Can Do in this Chapter .......................................................................... 779
45.1.2 Before You Begin ...................................................................................................779
45.1.3 Example: Selecting a VPN Authentication Method ................................................ 779
45.2 Authentication Method Objects ...................................................................................... 780
45.2.1 Creating an Authentication Method Object ............................................................ 781
Chapter 46
Certificates ............................................................................................................................785
46.1 Overview .......................................................................................................................... 785
46.1.1 What You Can Do in this Chapter .......................................................................... 785
46.1.2 What You Need to Know ........................................................................................ 785
46.1.3 Verifying a Certificate .............................................................................................787
46.2 The My Certificates Screen ............................................................................................. 789
46.2.1 The My Certificates Add Screen ............................................................................ 790
46.2.2 The My Certificates Edit Screen ............................................................................ 795
46.2.3 The My Certificates Import Screen ........................................................................ 798
46.3 The Trusted Certificates Screen ..................................................................................... 799
46.3.1 The Trusted Certificates Edit Screen .................................................................... 800
46.3.2 The Trusted Certificates Import Screen ................................................................804
46.4 Certificates Technical Reference ..................................................................................... 805
Chapter 47
ISP Accounts.........................................................................................................................807
47.1 Overview .......................................................................................................................... 807
47.1.1 What You Can Do in this Chapter .......................................................................... 807
47.2 ISP Account Summary .................................................................................................... 807
47.2.1 ISP Account Edit ................................................................................................... 808
Chapter 48
SSL Application ....................................................................................................................811
48.1 Overview ...........................................................................................................................811
48.1.1 What You Can Do in this Chapter ...........................................................................811
48.1.2 What You Need to Know .........................................................................................811
48.1.3 Example: Specifying a Web Site for Access .......................................................... 812
48.2 The SSL Application Screen .......................................................................................... 813
48.2.1 Creating/Editing a Web-based SSL Application Object ......................................... 814
48.2.2 Creating/Editing a File Sharing SSL Application Object ........................................ 816
Chapter 49
Endpoint Security.................................................................................................................819
49.1 Overview .......................................................................................................................... 819
49.1.1 What You Can Do in this Chapter .......................................................................... 820
49.1.2 What You Need to Know ........................................................................................ 820
49.2 Endpoint Security Screen .............................................................................................. 821
49.3 Endpoint Security Add/Edit .............................................................................................. 823
Chapter 50
System.................................................................................................................................829
50.1 Overview .......................................................................................................................... 829
50.1.1 What You Can Do in this Chapter .......................................................................... 829
50.2 Host Name ....................................................................................................................... 830
50.3 USB Storage .................................................................................................................... 831
50.4 Date and Time ................................................................................................................ 832
50.4.1 Pre-defined NTP Time Servers List ....................................................................... 834
50.4.2 Time Server Synchronization ................................................................................. 835
50.5 Console Port Speed ......................................................................................................... 836
50.6 DNS Overview ................................................................................................................. 836
50.6.1 DNS Server Address Assignment .......................................................................... 837
50.6.2 Configuring the DNS Screen ................................................................................. 837
50.6.3 Address Record .................................................................................................... 840
50.6.4 PTR Record ........................................................................................................... 840
50.6.5 Adding an Address/PTR Record ............................................................................ 840
50.6.6 Domain Zone Forwarder ....................................................................................... 841
50.6.7 Adding a Domain Zone Forwarder ........................................................................ 841
50.6.8 MX Record ............................................................................................................ 842
50.6.9 Adding an MX Record ........................................................................................... 843
50.6.10 Adding a DNS Service Control Rule .................................................................... 843
50.7 WWW Overview ..............................................................................................................844
50.7.1 Service Access Limitations .................................................................................... 845
50.7.2 System Timeout ..................................................................................................... 845
50.7.3 HTTPS ...................................................................................................................845
50.7.4 Configuring WWW Service Control ........................................................................ 846
50.7.5 Service Control Rules ............................................................................................ 850
50.7.6 Customizing the WWW Login Page ....................................................................... 850
50.7.7 HTTPS Example ....................................................................................................854
50.8 SSH .............................................................................................................................. 861
50.8.1 How SSH Works ......................................................... ... ... ... .... ... ... ........................ 862
50.8.2 SSH Implementation on the ZyWALL ..................................................................... 863
50.8.3 Requirements for Using SSH ................................................................................. 863
50.8.4 Configuring SSH ....................................................................................................863
50.8.5 Secure Telnet Using SSH Examples ...................................................................... 865
50.9 Telnet .............................................................................................................................. 866
50.9.1 Configuring Telnet .................................................................................................. 867
ZyWALL USG 100/200 Series User’s Guide
Page 28
Table of Contents
50.10 FTP ........ 868
50.10.1 Configuring FTP ........ 868
50.11 SNMP ........ 870
50.11.1 Supported MIBs ........ 872
50.11.2 SNMP Traps ........ 872
50.11.3 Configuring SNMP ........ 872
50.12 Dial-in Management ........ 874
50.12.1 Configuring Dial-in Mgmt ........ 875
50.13 Vantage CNM ........ 876
50.13.1 Configuring Vantage CNM ........ 877
50.14 Language Screen ........ 879
Chapter 51
Log and Report ........ 881
51.1 Overview ........ 881
51.1.1 What You Can Do In this Chapter ........ 881
51.2 Email Daily Report ........ 881
51.3 Log Setting Screens ........ 883
51.3.1 Log Setting Summary ........ 884
51.3.2 Edit System Log Settings ........ 885
51.3.3 Edit Log on USB Storage Setting ........ 890
51.3.4 Edit Remote Server Log Settings ........ 892
51.3.5 Active Log Summary Screen ........ 894
Chapter 52
File Manager ........ 897
52.1 Overview ........ 897
52.1.1 What You Can Do in this Chapter ........ 897
52.1.2 What you Need to Know ........ 897
52.2 The Configuration File Screen ........ 900
52.3 The Firmware Package Screen ........ 904
52.4 The Shell Script Screen ........ 906
Chapter 53
Diagnostics ........ 909
53.1 Overview ........ 909
53.1.1 What You Can Do in this Chapter ........ 909
53.2 The Diagnostic Screen ........ 909
53.2.1 The Diagnostics Files Screen ........ 910
53.3 The Packet Capture Screen ........ 911
53.3.1 The Packet Capture Files Screen ........ 914
53.3.2 Example of Viewing a Packet Capture File ........ 915
53.4 Core Dump Screen ........ 916
Page 29
53.4.1 Core Dump Files Screen ........ 916
53.5 The System Log Screen ........ 917
Chapter 54
Reboot....................................................................................................................................919
54.1 Overview .......................................................................................................................... 919
54.1.1 What You Need To Know ....................................................................................... 919
54.2 The Reboot Screen .........................................................................................................919
Chapter 55
Shutdown...............................................................................................................................921
55.1 Overview .......................................................................................................................... 921
55.1.1 What You Need To Know ....................................................................................... 921
55.2 The Shutdown Screen ..................................................................................................... 921
Chapter 56
Troubleshooting....................................................................................................................923
56.1 Resetting the ZyWALL .....................................................................................................940
56.2 Getting More Troubleshooting Help ................................................................................. 941
Chapter 57
Product Specifications.........................................................................................................943
57.1 3G or WLAN PCMCIA Card Installation .......................................................................... 952
57.2 Power Adaptor Specifications ..........................................................................................952
Appendix A Log Descriptions...............................................................................................955
Appendix B Common Services...........................................................................................1017
Appendix C Displaying Anti-Virus Alert Messages in Windows..........................................1021
Appendix D Importing Certificates......................................................................................1027
Appendix E Wireless LANs ................................................................................................1053
Appendix F Open Software Announcements.....................................................................1069
Appendix G Legal Information............................................................................................1127
Index.....................................................................................................................................1131
Page 31
PART I

User’s Guide

Page 33
CHAPTER 1

Introducing the ZyWALL

This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL.

1.1 Overview and Key Default Settings

The ZyWALL is a comprehensive security device. Its flexible configuration helps network administrators set up the network and enforce security policies efficiently. In addition, the ZyWALL provides excellent throughput, making it an ideal solution for reliable, secure service.
The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, Instant Messaging (IM) and Peer to Peer (P2P) control, NAT, port forwarding, policy routing, DHCP server and many other powerful features. Flexible configuration helps you set up the network and enforce security policies efficiently. See Chapter 2 on page 39 for a more detailed overview of the ZyWALL’s features.
The ZyWALL provides excellent throughput with the reliability of dual WAN Gigabit Ethernet ports and load balancing. You can also use a 3G cellular card (not included) for a third WAN connection.
The ZyWALL lets you set up multiple networks for your company. The De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers. The ZyWALL also provides two separate LAN networks. You can set ports to be part of the LAN1, WLAN, or DMZ. Alternatively, you can deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.
You can insert a wireless LAN card into the PCMCIA/CardBus slot to add an IEEE 802.11b/g-compliant wireless LAN.
Configure the ZyWALL USG 200’s OPT Gigabit Ethernet port as a third WAN port, an additional LAN1, WLAN, or DMZ port or a separate network.
Page 34
Chapter 1 Introducing the ZyWALL

1.2 Rack-mounted Installation

The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follow the steps below to mount your ZyWALL on a standard EIA rack using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit.
Note: Leave 10 cm of clearance at the sides and 20 cm in the rear.
Use a #2 Phillips screwdriver to install the screws.
Note: Failure to use the proper screws may damage the unit.
1.2.1 Rack-Mounted Installation Procedure
1 Align one bracket with the holes on one side of the ZyWALL and secure it with the included bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
Figure 1 Attaching Mounting Brackets and Screws
Page 35
3 After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws.
Figure 2 Rack Mounting

1.3 Front Panel

This section introduces the ZyWALL’s front panel.
Figure 3 ZyWALL Front Panel
Page 36
1.3.1 Front Panel LEDs
The following table describes the LEDs.
Table 1 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
PWR | | Off | The ZyWALL is turned off.
PWR | Green | On | The ZyWALL is turned on.
PWR | Red | On | There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 1.5 on page 38). If the LED turns red again, then please contact your vendor.
SYS | Green | Off | The ZyWALL is not ready or has failed.
SYS | Green | On | The ZyWALL is ready and running.
SYS | Green | Flashing | The ZyWALL is restarting.
AUX | Green | Off | The AUX port is not connected.
AUX | Green | Flashing | The AUX port is sending or receiving packets.
AUX | Green | On | The AUX port is connected.
P1, P2, ... | Green | Off | There is no traffic on this port.
P1, P2, ... | Green | Flashing | The ZyWALL is sending or receiving packets on this port.
P1, P2, ... | Orange | Off | There is no connection on this port.
P1, P2, ... | Orange | On | This port has a successful link.
Card | Green | Off | There is no card in the slot.
Card | Green | On | There is a card in the slot.
Card | Green | Flashing | The card in the slot is sending or receiving traffic.

1.4 Management Overview

You can use the following ways to manage the ZyWALL.
Page 37
Web Configurator
The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.
Figure 4 Managing the ZyWALL: Web Configurator
Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI.
Console Port
You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI.
The default settings for the console port are as follows.
Table 2 Console Port Default Settings
SETTING | VALUE
Speed | 115200 bps
Data Bits | 8
Parity | None
Stop Bit | 1
Flow Control | Off
Page 38

1.5 Starting and Stopping the ZyWALL

Here are some of the ways to start and stop the ZyWALL.
Always use Maintenance > Shutdown > Shut down or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.
Table 3 Starting and Stopping the ZyWALL
METHOD | DESCRIPTION
Turning on the power | A cold start occurs when you turn on the power to the ZyWALL. The ZyWALL powers up, checks the hardware, and starts the system processes.
Rebooting the ZyWALL | A warm start (without powering down and powering up again) occurs when you use the Reboot button in the Reboot screen or when you use the reboot command. The ZyWALL writes all cached data to the local storage, stops the system processes, and then does a warm start.
Using the RESET button | If you press the RESET button, the ZyWALL sets the configuration to its default values and then reboots.
Clicking Maintenance > Shutdown > Shutdown or using the shutdown command | Clicking Maintenance > Shutdown > Shutdown or using the shutdown command writes all cached data to the local storage and stops the system processes. Wait for the device to shut down and then manually turn off or remove the power. It does not turn off the power.
Disconnecting the power | Power off occurs when you turn off the power to the ZyWALL. The ZyWALL simply turns off. It does not stop the system processes or write cached data to local storage.
The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.
Page 39
CHAPTER 2

Features and Applications

This chapter introduces the main features and applications of the ZyWALL.

2.1 Features

The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.
The rest of this section provides more information about the features of the ZyWALL.
High Availability
To ensure the ZyWALL provides reliable, secure Internet access, set up one or more of the following:
• Multiple WAN ports and configure load balancing between these ports.
• One or more 3G (cellular) connections.
• An auxiliary (backup) Internet connection.
• A backup ZyWALL in the event the master ZyWALL fails (device HA).
Virtual Private Networks (VPN)
Use IPSec, SSL, or L2TP VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke IPSec VPN.
Flexible Security Zones
Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ZyWALL. You can create your own custom zones. You can add interfaces and VPN tunnels to zones.
Page 40
Firewall
The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Intrusion Detection and Prevention (IDP)
IDP (Intrusion Detection and Protection) can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. See Section 34.6.2 on page 616 for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.
Anomaly Detection and Prevention (ADP)
ADP (Anomaly Detection and Prevention) can detect malicious or suspicious packets and respond instantaneously. It can detect:
• Anomalies based on violations of protocol standards (RFCs – Requests for Comments)
• Abnormal flows such as port scans.
The ZyWALL’s ADP protects against network-based intrusions. See Section 35.3.4 on page 646 and Section 35.3.5 on page 649 for more on the kinds of attacks that the ZyWALL can protect against. You can also create your own custom ADP rules.
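As an added illustration of the flow anomaly that ADP is described as detecting (this is example code, not ZyWALL code, and it does not reproduce the device’s own algorithm), the following Python script applies a simple sliding-window rule to constructed flow records: a source that contacts at least 15 distinct destination ports within 10 seconds is flagged as a port scan. The window length, the threshold and the sample addresses are assumed values chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records for illustration (not ZyWALL log output).
# Each tuple: (timestamp, source IP, destination IP, destination port)
BASE = datetime(2010, 9, 1, 12, 0, 0)
SAMPLE_FLOWS = (
    # a scanner walking ports 1..20 on one host within four seconds
    [(BASE + timedelta(milliseconds=200 * i), "10.0.0.5", "192.168.1.10", i + 1)
     for i in range(20)]
    # a normal client: a few connections to common ports over a minute
    + [(BASE + timedelta(seconds=s), "10.0.0.7", "192.168.1.10", p)
       for s, p in ((1, 80), (5, 443), (30, 80), (55, 443))]
    # a slow probe: 20 ports spread over 190 seconds, below the 10-second window threshold
    + [(BASE + timedelta(seconds=10 * i), "10.0.0.9", "192.168.1.20", 1000 + i)
       for i in range(20)]
)


def detect_port_scans(flows, window_seconds=10, port_threshold=15):
    """Return {source_ip: peak_distinct_targets} for every source that contacts
    at least `port_threshold` distinct (destination IP, port) pairs inside any
    sliding window of `window_seconds`. Sources below the threshold are omitted.
    Assumed parameters: 10-second window, 15 distinct ports."""
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(list)
    for ts, src, dst, port in flows:
        per_source[src].append((ts, (dst, port)))

    alerts = {}
    for src, events in per_source.items():
        events.sort()                # order by timestamp
        recent = deque()             # events currently inside the window
        counts = defaultdict(int)    # occurrences of each target inside the window
        peak = 0
        for ts, target in events:
            recent.append((ts, target))
            counts[target] += 1
            # drop events that fell out of the window ending at `ts`
            while recent and ts - recent[0][0] > window:
                _, old_target = recent.popleft()
                counts[old_target] -= 1
                if counts[old_target] == 0:
                    del counts[old_target]
            peak = max(peak, len(counts))
        if peak >= port_threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, distinct in detect_port_scans(SAMPLE_FLOWS).items():
        print(f"possible port scan from {src}: {distinct} distinct targets in window")
```

The slow probe shows the trade-off any threshold rule faces: widening the window to 300 seconds flags it too, at the cost of more false positives from busy legitimate clients, which is why the manual points to tunable rules rather than one fixed setting.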
Bandwidth Management
Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle applications such as Internet access, e-mail, Voice-over-IP (VoIP), video conferencing and other business-critical applications.
Content Filter
Content filtering allows schools and businesses to create and enforce Internet access policies tailored to the needs of the organization.
You can also subscribe to category-based content filtering that allows your ZyWALL to check web sites against an external database of dynamically-updated ratings of millions of web sites. You then simply select categories to block or monitor, such as pornography or racial intolerance, from a pre-defined list.
Page 41
Anti-Virus Scanner
With the anti-virus packet scanner, your ZyWALL scans files transmitting through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers.
Anti-Spam
The anti-spam feature can mark or discard spam. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
Application Patrol
Application patrol (App. Patrol) manages instant messenger (IM), peer-to-peer (P2P) applications like MSN and BitTorrent. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers). Application patrol has powerful bandwidth management including traffic prioritization to enhance the performance of delay-sensitive applications like voice and video. You can also use an option that gives SIP priority over all other traffic. This maximizes SIP traffic throughput for improved VoIP call sound quality.

2.2 Applications

These are some example applications for your ZyWALL. See also Chapter 7 on page 117 for configuration tutorial examples.
Page 42
2.2.1 VPN Connectivity
Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.
Figure 5 Applications: VPN Connectivity
2.2.2 SSL VPN Network Access
You can configure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel.
2.2.2.1 Reverse Proxy Mode
In reverse proxy mode, the ZyWALL is a proxy that acts on behalf of the local network servers (such as your web and mail servers). As the final destination, the ZyWALL appears to be the server to remote users. This provides an added layer of protection for your internal servers.
With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access.
Page 43
Figure 6 Network Access Mode: Reverse Proxy
2.2.2.2 Full Tunnel Mode
In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network.
Figure 7 Network Access Mode: Full Tunnel Mode (diagram labels: 192.168.1.100, LAN (192.168.1.X), Web Mail File Share, Web-based Application, Non-Web Application Server)
Page 44
2.2.3 User-Aware Access Control
Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.
Figure 8 Applications: User-Aware Access Control
2.2.4 Multiple WAN Interfaces
Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them.
Figure 9 Applications: Multiple WAN Interfaces
Page 45
2.2.5 Device HA
Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network.
Figure 10 Applications: Device HA
Page 47
CHAPTER 3

Web Configurator

The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser. Unless otherwise specified, the ZyWALL USG 200 screens are shown.

3.1 Web Configurator Requirements

In order to use the Web Configurator, you must
• Use Internet Explorer 7 or later, or Firefox 1.5 or later
• Allow pop-up windows (blocked by default in Windows XP Service Pack 2)
• Enable JavaScript (enabled by default)
• Enable Java permissions (enabled by default)
• Enable cookies
The recommended screen resolution is 1024 x 768 pixels.

3.2 Web Configurator Access

1 Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide.
Page 48
2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.
Figure 11 Login Screen
3 Type the user name (default: “admin”) and password (default: “1234”).
If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in.
4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 12 on page 48) appears. Otherwise, the dashboard (Figure 13 on page 49) appears.
Figure 12 Update Admin Info Screen
Page 49
5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore.
Follow the directions in this screen. If you change the default password, the Login screen (Figure 11 on page 48) appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration (see Chapter 4 on page 65); otherwise the dashboard appears as shown next.
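Step 2 above relies on the gateway redirecting a plain-HTTP management request to its HTTPS server. The following Python script is an added example (not ZyWALL code) of how an administrator can verify that this recommended default is still in effect after configuration changes: it classifies the response to an unencrypted GET for / and accepts only a redirect to an https:// URL on the same host. The management address 192.168.1.1 is the manual’s default; the labelled sample responses are constructed for the offline check, and `probe` is a helper that only runs when pointed at a real device.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_https_redirect(status, location, host):
    """True when a plain-HTTP request was answered with a redirect whose
    Location is an https:// URL on the same host, which is the behaviour the
    manual describes as the recommended default."""
    if status not in REDIRECT_CODES or not location:
        return False
    target = urlsplit(location)
    # A Location without a host part is a relative redirect and cannot change
    # the scheme; a different host means the login page would leave the device.
    return target.scheme == "https" and target.hostname == host


# Constructed responses for the offline check (not captured from a device).
SAMPLE_RESPONSES = {
    "redirect to https": (302, "https://192.168.1.1/"),
    "served over plain http": (200, None),
    "redirect stays on http": (302, "http://192.168.1.1/"),
    "redirect leaves the device": (302, "https://other.example/"),
}


def audit(responses, host="192.168.1.1"):
    """Map each labelled (status, Location) pair to True when the HTTPS
    redirect is in place and False otherwise."""
    return {label: is_https_redirect(status, location, host)
            for label, (status, location) in responses.items()}


def probe(host, timeout=5):
    """Issue one plain-HTTP GET for / against the gateway and return
    (status, Location). Needs network access to the device; the constructed
    samples above stand in for it offline."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    for label, ok in audit(SAMPLE_RESPONSES).items():
        print(f"{label:30s} {'OK' if ok else 'CHECK'}")
```

To run the check against a live gateway, replace the sample with `{"live": probe("192.168.1.1")}`; a result of False for the live entry means management traffic would travel unencrypted and the WWW service settings should be reviewed.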
Figure 13 Dashboard (callouts A, B, C)

3.3 Web Configurator Screens Overview

The Web Configurator screen is divided into these parts (as illustrated in Figure 13 on page 49):
A - title bar
B - navigation panel
C - main window
Page 50
3.3.1 Title Bar
The title bar provides some icons in the upper right corner.
Figure 14 Title Bar
The icons provide the following functions.
Table 4 Title Bar: Web Configurator Icons
LABEL | DESCRIPTION
Logout | Click this to log out of the Web Configurator.
Help | Click this to open the help page for the current screen.
About | Click this to display basic information about the ZyWALL.
Site Map | Click this to see an overview of links to the Web Configurator screens.
Object Reference | Click this to open a screen where you can check which configuration items reference an object.
Console | Click this to open the console in which you can use the command line interface (CLI). See the CLI Reference Guide for details on the commands.
CLI | Click this to open a popup window that displays the CLI commands sent by the Web Configurator.
3.3.1.1 About
Click this to display basic information about the ZyWALL.
Figure 15 About
Page 51
The following table describes labels that can appear in this screen.
Table 5 About
LABEL | DESCRIPTION
Boot Module | This shows the version number of the software that handles the booting process of the ZyWALL.
Current Version | This shows the firmware version of the ZyWALL.
Released Date | This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware is released.
OK | Click this to close the screen.
3.3.2 Navigation Panel
Use the menu items on the navigation panel to open screens to configure ZyWALL features. Click the arrow in the middle of the right edge of the navigation panel to hide the navigation panel menus or drag it to resize them. The following sections introduce the ZyWALL’s navigation panel menus and their screens.
Figure 16 Navigation Panel
3.3.2.1 Dashboard
The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 9 on page 227 for details on the dashboard.
Page 52
3.3.2.2 Monitor Menu
The monitor menu screens display status and statistics information.
Table 6 Monitor Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
System Status | Port Statistics | Displays packet statistics for each physical port.
System Status | Interface Status | Displays general interface information and packet statistics.
System Status | Traffic Statistics | Collect and display traffic statistics.
System Status | Session Monitor | Displays the status of all current sessions.
System Status | DDNS Status | Displays the status of the ZyWALL’s DDNS domain names.
System Status | IP/MAC Binding | Lists the devices that have received an IP address from ZyWALL interfaces using IP/MAC binding.
System Status | Login Users | Lists the users currently logged into the ZyWALL. You can also log out individual users and delete related session information.
System Status | WLAN Status | Displays the connection status of the ZyWALL’s wireless clients.
System Status | Cellular Status | Displays details about the ZyWALL’s 3G connection status.
System Status | USB Storage | Displays information about a connected USB storage device.
System Status | AppPatrol Statistics | Displays bandwidth and protocol statistics.
VPN Monitor | IPSec | Displays and manages the active IPSec SAs.
VPN Monitor | SSL | Lists users currently logged into the VPN SSL client portal.
VPN Monitor | L2TP over IPSec | Displays and manages the ZyWALL’s connected L2TP VPN sessions.
Anti-X Statistics | Anti-Virus | Collect and display statistics on the viruses that the ZyWALL has detected.
Anti-X Statistics | IDP | Collect and display statistics on the intrusions that the ZyWALL has detected.
Anti-X Statistics | Content Filter: Report | Collect and display content filter statistics.
Anti-X Statistics | Content Filter: Cache | Manage the ZyWALL’s URL cache.
Anti-X Statistics | Anti-Spam: Report | Collect and display spam statistics.
Anti-X Statistics | Anti-Spam: Status | Displays how many mail sessions the ZyWALL is currently checking and DNSBL (Domain Name Service-based spam Black List) statistics.
Log | | Lists log entries.
Page 53
3.3.2.3 Configuration Menu
Use the configuration menu screens to configure the ZyWALL’s features.
Table 7 Configuration Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
Quick Setup | | Quickly configure WAN interfaces or VPN connections.
Licensing | |
Registration | Registration | Register the device and activate trial services.
Registration | Service | View the licensed service status and upgrade licensed services.
Signature Update | Anti-Virus | Update anti-virus signatures immediately or by a schedule.
Signature Update | IDP/AppPatrol | Update IDP signatures immediately or by a schedule.
Signature Update | System Protect | Update system-protect signatures immediately or by a schedule.
Network | |
Interface | Port Role | Use this screen to set the ZyWALL’s flexible ports as LAN1, WLAN, or DMZ.
Interface | Ethernet | Manage Ethernet interfaces and virtual Ethernet interfaces.
Interface | PPP | Create and manage PPPoE and PPTP interfaces.
Interface | Cellular | Configure a cellular Internet connection for an installed 3G card.
Interface | WLAN | Configure settings for an installed wireless LAN card.
Interface | VLAN | Create and manage VLAN interfaces and virtual VLAN interfaces.
Interface | Bridge | Create and manage bridges and virtual bridge interfaces.
Interface | Auxiliary | Manage the AUX port.
Interface | Trunk | Create and manage trunks (groups of interfaces) for load balancing and link High Availability (HA).
Routing | Policy Route | Create and manage routing policies.
Routing | Static Route | Create and manage IP static routing information.
Routing | RIP | Configure device-level RIP settings.
Routing | OSPF | Configure device-level OSPF settings, including areas and virtual links.
Zone | | Configure zones used to define various policies.
DDNS | Profile | Define and manage the ZyWALL’s DDNS domain names.
NAT | | Set up and manage port forwarding rules.
HTTP Redirect | | Set up and manage HTTP redirection rules.
Page 54
Table 7 Configuration Menu Screens Summary (continued)
FOLDER OR LINK
ALG Configure SIP, H.323, and FTP pass-through
IP/MAC Binding
Auth. Policy Define rules to force user authentication. Firewall Firewall Create and manage level-3 traffic rules.
VPN
IPSec VPN VPN Connection Configure IPSec tunnels.
SSL VPN Access Privilege Configure SSL VPN access rights for users and
L2TP VPN L2TP VPN Configure L2TP Over IPSec VPN settings.
AppPatrol General Enable or disable traffic management by
Anti-X
Anti-Virus General Turn anti-virus on or off, set up anti-virus policies
IDP General Display and manage IDP bindings.
TAB FUNCTION
settings.
Summary Configure IP to MAC address bindings for devices
connected to each supported interface.
Exempt List Configure ranges of IP addresses to which the
ZyWALL does not apply IP/MAC binding.
Session Limit Limit the number of concurrent client NAT/firewall
sessions.
VPN Gateway Configure IKE tunnels. Concentrator Configure VPN concentrators (hub-and-spoke
VPN).
groups.
Global Setting Configure the ZyWALL’s SSL VPN settings that
apply to all connections.
application and see registration and signature information.
Common Manage traffic of the most commonly used web,
file transfer and e-mail protocols. IM Manage instant messenger traffic. Peer to Peer Manage peer-to-peer traffic. VoIP Manage VoIP traffic. Streaming Manage streaming traffic. Other Manage other kinds of traffic.
and check the anti-virus engine type and the anti-
virus license and signature status. Black/White List Set up anti-virus black (blocked) and white
(allowed) lists of virus file patterns. Signature Search for signatures by signature name or
attributes and configure how the ZyWALL uses
them.
Profile Create and manage IDP profiles. Custom
Signatures
Create, import, or export custom signatures.
54
ZyWALL USG 100/200 Series User’s Guide
Page 55
Chapter 3 Web Configurator
Table 7 Configuration Menu Screens Summary (continued)
FOLDER OR LINK
ADP General Display and manage ADP bindings.
Content Filter General Create and manage content filter policies.
Anti-Spam General Turn anti-spam on or off and manage anti-spam
Device HA General Configure device HA global settings, and see the
Object
User/Group User Create and manage users.
Address Address Create and manage host, range, and network
Service Service Create and manage TCP and UDP services.
Schedule Create one-time and recurring schedules. AAA Server Active Directory-
Auth. Method Create and manage ways of authenticating users. Certificate My Certificates Create and manage the ZyWALL’s certificates.
TAB FUNCTION
Profile Create and manage ADP profiles.
Filter Profile Create and manage the detailed filtering rules for
content filtering policies.
policies. Black/White List Set up a black list to identify spam and a white list
to identify legitimate e-mail. DNSBL Have the ZyWALL check e-mail against DNS Black
Lists.
status of each interface monitored by device HA. Active-Passive
Mode Legacy Mode Configure legacy mode device HA for use with
Group Create and manage groups of users. Setting Manage default settings for all users, general
Address Group Create and manage groups of addresses.
Service Group Create and manage groups of services.
Default Active Directory-
Group LDAP-Default Configure the default LDAP settings. LDAP-Group Create and manage groups of LDAP servers. RADIUS-Default Configure the default RADIUS settings. RADIUS-Group Create and manage groups of RADIUS servers.
Trusted Certificates
Configure active-passive mode device HA.
ZyWALLs that already have device HA setup using
a firmware version earlier than 2.10.
settings for user sessions, and rules to force user
authentication.
(subnet) addresses.
Configure the default Active Directory settings.
Create and manage groups of Active Directory
servers.
Import and manage certificates from trusted
sources.
ZyWALL USG 100/200 Series User’s Guide
55
Page 56
Chapter 3 Web Configurator
Table 7 Configuration Menu Screens Summary (continued)
FOLDER OR LINK
ISP Account Create and manage ISP account information for
SSL Application
Endpoint Security
System
Host Name Configure the system and domain name for the
USB Storage Enable or disable the ZyW ALL’ s use of a connected
Date/Time Configure the current date, time, and time zone in
Console Speed
DNS Configure the DNS server and address records for
WWW Service Control Configure HTTP, HTTPS, and general
SSH Configure SSH server and SSH service settings. TELNET Configure telnet server settings for the ZyWALL. FTP Configure FTP server settings. SNMP Configure SNMP communities and services. Dial-in Mgmt. Conf igure settings for an out of band management
Vantage CNM Configure and allow your ZyWALL to be managed
Language Select the Web Configurator language.
Log & Report
Email Daily Report
Log Setting Configure settings for recording log messages, e-
TAB FUNCTION
PPPoE/PPTP interfaces.
Create SSL web application or file sharing objects.
Create Endpoint Security (EPS) objects.
ZyWALL.
USB storage device.
the ZyWALL.
Set the console speed.
the ZyWALL.
authentication. Login Page Configure how the login and access user screens
look.
connection through a modem connected to the
port.
by the Vantage CNM server.
Configure where and how to send daily reports and
what reports to send.
mailing them, and sending them to a remote
server.
56
ZyWALL USG 100/200 Series User’s Guide
Page 57
3.3.2.4 Maintenance Menu
Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL.
Table 8 Maintenance Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
File Manager | Configuration File | Manage and upload configuration files for the ZyWALL.
File Manager | Firmware Package | View the current firmware version and upload firmware.
File Manager | Shell Script | Manage and run shell script files for the ZyWALL.
Diagnostics | Diagnostic | Collect diagnostic information.
Diagnostics | Packet Capture | Capture packets for analysis.
Diagnostics | Core Dump | Save a process’s core dump to a USB storage device connected to the ZyWALL if the process terminates abnormally (crashes).
Diagnostics | System Log | Download files of system logs to your computer.
Reboot | Reboot | Restart the ZyWALL.
Shutdown | Shutdown | Turn off the ZyWALL.
3.3.3 Main Window
The main window shows the screen you select in the navigation panel. The main window screens are discussed in the rest of this document.
Right after you log in, the Dashboard screen is displayed. See Chapter 9 on page 227 for more information about the Dashboard screen.
3.3.3.1 Warning Messages
Warning messages, such as those resulting from misconfiguration, display in a popup window.
Figure 17 Warning Message
3.3.3.2 Site Map
Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen.
Figure 18 Site Map
3.3.3.3 Object Reference
Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule).
Figure 19 Object Reference
The fields vary with the type of object. The following table describes labels that can appear in this screen.
Table 9 Object References
LABEL | DESCRIPTION
Object Name | This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
# | This field is a sequential value, and it is not associated with any entry.
Service | This is the type of setting that references the selected object. Click a service’s name to display the service’s configuration screen in the main window.
Priority | If it is applicable, this field lists the referencing configuration item’s position in its list; otherwise N/A displays.
Name | This field identifies the configuration item that references the object.
Description | If the referencing configuration item has a description configured, it displays here.
Refresh | Click this to update the information in this screen.
Cancel | Click Cancel to close the screen.
3.3.3.4 CLI Messages
Click CLI to look at the CLI commands sent by the Web Configurator. These commands appear in a popup window, such as the following.
Figure 20 CLI Messages
Click Clear to remove the currently displayed information.
See the Command Reference Guide for information about the commands.
3.3.4 Tables and Lists
The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.
3.3.4.1 Manipulating Table Display
Here are some of the ways you can manipulate the Web Configurator tables.
1 Click a column heading to sort the table’s entries according to that column’s criteria.
Figure 21 Sorting Table Entries by a Column’s Criteria
2 Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:
• Sort in ascending alphabetical order
• Sort in descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
• Show entries in groups
• Filter by mathematical operators (<, >, or =) or searching for text
Figure 22 Common Table Column Options
3 Select a column heading cell’s right border and drag to re-size the column.
Figure 23 Resizing a Table Column
4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.
Figure 24 Changing the Column Order
5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.
Figure 25 Navigating Pages of Table Entries
3.3.4.2 Working with Table Entries
The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.
Figure 26 Common Table Icons
Here are descriptions for the most common table icons.
Table 10 Common Table Icons
LABEL | DESCRIPTION
Add | Click this to create a new entry. For features where the entry’s position in the numbered list is important (features where the ZyWALL applies the table’s entries in order, like the firewall, for example), you can select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. In some tables you can just click a table entry and edit it directly in the table. For those types of tables, small red triangles display for table entries with changes that you have not yet applied.
Remove | To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Activate | To turn on an entry, select it and click Activate.
Inactivate | To turn off an entry, select it and click Inactivate.
Connect | To connect an entry, select it and click Connect.
Disconnect | To disconnect an entry, select it and click Disconnect.
Object References | Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 312 for an example.
Move | To change an entry’s position in a numbered list, select it and click Move to display a field to type a number for where you want to put that entry, and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.
3.3.4.3 Working with Lists
When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
Figure 27 Working with Lists
CHAPTER 4

Installation Setup Wizard

4.1 Installation Setup Wizard Screens

If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator's installation setup wizard. See the feature-specific chapters in this User’s Guide for background information.
Figure 28 Installation Setup Wizard
• Click the double arrow in the upper right corner to display or hide the help.
•Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access.
Chapter 4 Installation Setup Wizard
4.1.1 Internet Access Setup - WAN Interface
Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment.
The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Note: Enter the Internet access information exactly as your ISP gave it to you.
Figure 29 Internet Access: Step 1
I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface.
Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
WAN Interface: This is the interface you are configuring for Internet access.
Zone: This is the security zone to which this interface and Internet connection belong.
IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.
4.1.2 Internet Access: Ethernet
This screen is read-only if you set the previous screen’s IP Address Assignment field to Auto. Use this screen to configure your IP address settings.
Note: Enter the Internet access information exactly as given to you by your ISP.
Figure 30 Internet Access: Ethernet Encapsulation
Encapsulation: This displays the type of Internet connection you are configuring.
First WAN Interface: This is the number of the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
The following fields display if you selected static IP address assignment.
IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
4.1.3 Internet Access: PPPoE
Note: Enter the Internet access information exactly as given to you by your ISP.
Figure 31 Internet Access: PPPoE Encapsulation
4.1.3.1 ISP Parameters
• Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
Authentication Type - Select an authentication protocol for outgoing connection requests. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
MSCHAP - Your ZyWALL accepts MSCHAP only.
MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
• Type the User Name given to you by your ISP. You can use alphanumeric and ­_@$./ characters, and it can be up to 31 characters long.
• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.
4.1.3.2 WAN IP Address Assignments
WAN Interface: This is the name of the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
4.1.4 Internet Access: PPTP
Note: Enter the Internet access information exactly as given to you by your ISP.
Figure 32 Internet Access: PPTP Encapsulation
4.1.5 ISP Parameters
Authentication Type - Select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
MSCHAP - Your ZyWALL accepts MSCHAP only.
MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
• Type the User Name given to you by your ISP. You can use alphanumeric and ­_@$./ characters, and it can be up to 31 characters long.
• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password in the next field to confirm it.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.
4.1.5.1 PPTP Configuration
Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
•Type a Base IP Address (static) assigned to you by your ISP.
• Type the IP Subnet Mask assigned to you by your ISP (if given).
Server IP: Type the IP address of the PPTP server.
•Type a Connection ID or connection name. It must follow the “c:id” and “n:name” format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.
4.1.5.2 WAN IP Address Assignments
First WAN Interface: This is the number of the interface that will connect with your ISP.
Zone: This is the security zone to which this interface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
4.1.6 Internet Access Setup - Second WAN Interface
If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 66).
Figure 33 Internet Access: Step 3: Second WAN Interface
4.1.7 Internet Access - Finish
You have set up your ZyWALL to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back.
Figure 34 Internet Access: Ethernet Encapsulation
Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
Click Next and use the following screen to perform a basic registration (see Section 4.2 on page 72). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.
Alternatively, close the window to exit the wizard.

4.2 Device Registration

Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not already done so. If the ZyWALL is already registered, this screen displays your user name and which trial services are activated (if any). You can still activate any un-activated trial services.
Note: You must be connected to the Internet to register.
Use the Registration > Service screen to update your service subscription status.
Figure 35 Registration
• Select new myZyXEL.com account if you have not yet created an account at myZyXEL.com, then configure the following fields to create an account and register your ZyWALL.
• Select existing myZyXEL.com account if you already have an account at myZyXEL.com and enter your user name and password in the fields below to register your ZyWALL.
•Enter a User Name for your myZyXEL.com account. Use from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed. Click Check to verify that it is available.
Password: Use six to 20 alphanumeric characters (and the underscore). Spaces are not allowed. Type it again in the Confirm Password field.
E-Mail Address: Enter your e-mail address. Use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country Code: Select your country from the drop-down box list.
Trial Service Activation: You can try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service.
Figure 36 Registration: Registered Device
CHAPTER 5

Quick Setup

5.1 Quick Setup Overview

The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information.
In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen.
Figure 37 Quick Setup
• WAN Interface
Click this link to open a wizard to set up a WAN (Internet) connection. This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 5.2 on page 76.
•VPN SETUP
Use VPN SETUP to configure a VPN (Virtual Private Network) tunnel for a secure connection to another computer or network. See Section 5.4 on page 82.
Chapter 5 Quick Setup

5.2 WAN Interface Quick Setup

Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next.
Figure 38 WAN Interface Quick Setup Wizard
5.2.1 Choose an Ethernet Interface
Select the Ethernet interface that you want to configure for a WAN connection and click Next.
Figure 39 Choose an Ethernet Interface
5.2.2 Select WAN Type
WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
Figure 40 WAN Interface Setup: Step 2
The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Note: Enter the Internet access information exactly as your ISP gave it to you.
5.2.3 Configure WAN Settings
Use this screen to select whether the interface should use a fixed or dynamic IP address.
Figure 41 WAN Interface Setup: Step 2
WAN Interface: This is the interface you are configuring for Internet access.
Zone: This is the security zone to which this interface and Internet connection belong.
IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.
5.2.4 WAN and ISP Connection Settings
Use this screen to configure the ISP and WAN interface settings. The IP address fields in this screen are read-only if you set the IP Address Assignment to Auto.
Note: Enter the Internet access information exactly as your ISP gave it to you.
Figure 42 WAN and ISP Connection Settings: (PPTP Shown)
The following table describes the labels in this screen.
Table 11 WAN and ISP Connection Settings
LABEL | DESCRIPTION
ISP Parameter | This section appears if the interface uses a PPPoE or PPTP Internet connection.
Encapsulation | This displays the type of Internet connection you are configuring.
Authentication Type | Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
  CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
  CHAP - Your ZyWALL accepts CHAP only.
  PAP - Your ZyWALL accepts PAP only.
  MSCHAP - Your ZyWALL accepts MSCHAP only.
  MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
User Name | Type the user name given to you by your ISP. You can use alphanumeric and -_@$./ characters, and it can be up to 31 characters long.
Password | Type the password associated with the user name above. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
Retype to Confirm | Type your password again for confirmation.
Nailed-Up | Select Nailed-Up if you do not want the connection to time out.
Idle Timeout | Type the time in seconds that elapses before the router automatically disconnects from the PPPoE or PPTP server. 0 means no timeout.
PPTP Configuration | This section only appears if the interface uses a PPTP Internet connection.
Base Interface | This displays the identity of the Ethernet interface you configure to connect with a modem or router.
Base IP Address | Type the (static) IP address assigned to you by your ISP.
IP Subnet Mask | Type the subnet mask assigned to you by your ISP (if given).
Server IP | Type the IP address of the PPTP server.
Connection ID | Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.
WAN Interface Setup | This section configures the interface itself.
WAN Interface | This displays the identity of the interface you configure to connect with your ISP.
Zone | This field displays to which security zone this interface and Internet connection will belong.
IP Address | This field is read-only when the WAN interface uses a dynamic IP address. If your WAN interface uses a static IP address, enter it in this field.
First DNS Server / Second DNS Server | These fields only display for an interface with a static IP address. Enter the DNS server IP address(es) in the field(s) to the right. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Back | Click Back to return to the previous screen.
Next | Click Next to continue.
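The Authentication Type options above (the same list appears in Section 4.1.3.1 for PPPoE and Section 4.1.5 for PPTP) name the PPP authentication protocols the remote node may request. The Python example below is added here and is not part of this guide or of ZyXEL's firmware; it models what the two PPP peers exchange for CHAP (RFC 1994) and for PAP (RFC 1334). It shows why the choice matters: CHAP puts only an MD5 digest of a fresh challenge on the wire and a captured response is useless against the next challenge, whereas a PAP Authenticate-Request carries the password in cleartext, so selecting CHAP/PAP lets the remote node decide whether your credential is ever sent in the clear. The secret, identifiers and challenge bytes are constructed sample values, and MSCHAP and MSCHAP-V2 are not modelled.

```python
"""CHAP (RFC 1994) challenge/response next to PAP (RFC 1334) cleartext.
Added example, not ZyXEL code. All credentials and challenges below are
constructed sample values; only the Python standard library is used."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PPP protocol numbers for the two authentication protocols (RFC 1334, RFC 1994).
PAP_PROTOCOL = 0xC023
CHAP_PROTOCOL = 0xC223

# CHAP packet codes (RFC 1994 section 4).
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || Secret || Challenge).
    The shared secret itself never leaves the peer; only this 16-byte digest does."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response_value: bytes) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response_value)


def chap_round_trip(peer_secret: bytes, authenticator_secret: bytes,
                    identifier: int = 1, challenge: Optional[bytes] = None) -> int:
    """One Challenge -> Response -> Success/Failure exchange. Returns the CHAP
    code the authenticator sends back (3 = Success, 4 = Failure)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response_value = chap_response(identifier, peer_secret, challenge)
    ok = chap_verify(identifier, authenticator_secret, challenge, response_value)
    return CHAP_SUCCESS if ok else CHAP_FAILURE


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 section 2.2.1 Authenticate-Request: Code(1) Identifier(1)
    Length(2) Peer-ID-Length(1) Peer-ID Passwd-Length(1) Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return bytes([1, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def pap_credentials_from_frame(frame: bytes) -> Tuple[bytes, bytes]:
    """What anyone who captures the PAP frame recovers: the peer id and the
    password, both in cleartext. Length fields are checked before slicing."""
    length = int.from_bytes(frame[2:4], "big")
    if frame[0] != 1 or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    peer_len = frame[4]
    peer_id = frame[5:5 + peer_len]
    pw_len = frame[5 + peer_len]
    start = 6 + peer_len
    if start + pw_len != length:
        raise ValueError("length fields do not match frame size")
    return peer_id, frame[start:start + pw_len]


if __name__ == "__main__":
    secret = b"isp-example-secret"          # constructed sample credential
    chal_a = b"\x01" * 16                    # constructed sample challenges
    chal_b = b"\x02" * 16
    print("CHAP, right secret :", chap_round_trip(secret, secret, 7, chal_a))
    print("CHAP, wrong secret :", chap_round_trip(b"guess", secret, 7, chal_a))
    # A response captured for chal_a does not verify against a fresh challenge.
    replayed = chap_response(7, secret, chal_a)
    print("CHAP replay on new challenge:", chap_verify(7, secret, chal_b, replayed))
    frame = pap_authenticate_request(7, b"user@isp.example", secret)
    print("PAP sniffed credentials:", pap_credentials_from_frame(frame))
```

Run it as a script to see the Success/Failure codes and the cleartext credentials recovered from the PAP frame. The practical reading for the wizard: choose CHAP (or MSCHAP-V2 where the ISP supports it) rather than CHAP/PAP whenever the ISP does not insist on PAP, because with CHAP/PAP the remote node, not you, picks the protocol.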
5.2.5 Quick Setup Interface Wizard: Summary
This screen displays the WAN interface’s settings.
Figure 43 Interface Wizard: Summary WAN (PPTP Shown)
The following table describes the labels in this screen.
Table 12 Interface Wizard: Summary WAN
LABEL | DESCRIPTION
Encapsulation | This displays what encapsulation this interface uses to connect to the Internet.
Service Name | This field only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account.
Server IP | This field only appears for a PPTP interface. It displays the IP address of the PPTP server.
User Name | This is the user name given to you by your ISP.
Nailed-Up | If Yes displays, the connection will not time out. No means the ZyWALL uses the idle timeout.
Idle Timeout | This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE or PPTP server. 0 means no timeout.
Connection ID | If you specified a connection ID, it displays here.
WAN Interface | This identifies the interface you configure to connect with your ISP.
Zone | This field displays to which security zone this interface and Internet connection will belong.
IP Address Assignment | This field displays whether the WAN IP address is static or dynamic (Auto).
First DNS Server / Second DNS Server | If the IP Address Assignment is Static, these fields display the DNS server IP address(es).
Close | Click Close to exit the wizard.

5.3 VPN Quick Setup

Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection
and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click Next.
Figure 44 VPN Quick Setup Wizard

5.4 VPN Setup Wizard: Wizard Type

A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure.
Figure 45 VPN Setup Wizard: Wizard Type
Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings.
Advanced: Use this wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device.

5.5 VPN Express Wizard - Scenario

Click the Express radio button as shown in Figure 45 on page 82 to display the following screen.
Figure 46 VPN Express Wizard: Step 2
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.
• Site-to-site - Choose this if the remote IPSec device has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
• Site-to-site with Dynamic Peer - Choose this if the remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
• Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
5.5.1 VPN Express Wizard - Configuration
Figure 47 VPN Express Wizard: Step 3
Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters. Precede a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
Remote Policy (IP/Mask): If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
5.5.2 VPN Express Wizard - Summary
This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it.
Figure 48 VPN Express Wizard: Step 4
Rule Name: Identifies the VPN gateway policy.
Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.
Local Policy: (Static) IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.
Remote Policy: (Static) IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
• Copy and paste the Configuration for Secure Gateway commands into another ZLD-based ZyWALL’s command line interface to configure it to serve as the other end of this VPN tunnel. You can also use a text editor to save these commands as a shell script file with a “.zysh” filename extension. Then you can use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list.
5.5.3 VPN Express Wizard - Finish
Now you can use the VPN tunnel.
Figure 49 VPN Express Wizard: Step 6
Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
Click Close to exit the wizard.
5.5.4 VPN Advanced Wizard - Scenario
Click the Advanced radio button as shown in Figure 45 on page 82 to display the following screen.
Figure 50 VPN Advanced Wizard: Scenario
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.
• Site-to-site - Choose this if the remote IPSec device has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
• Site-to-site with Dynamic Peer - Choose this if the remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
• Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
5.5.5 VPN Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
Figure 51 VPN Advanced Wizard: Phase 1 Settings
Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
My Address (interface): Select an interface from the drop-down list box to use on your ZyWALL.
Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.
Note: Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the security (this may affect throughput). Both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number.
SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).
Note: The remote IPSec device must also have NAT traversal enabled. See VPN, NAT, and NAT Traversal on page 512 for more information.
Dead Peer Detection (DPD) has the ZyWALL make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec device. If it responds, the ZyWALL transmits the data. If it does not respond, the ZyWALL shuts down the IKE SA.
Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the ZyWALL’s certificates.
5.5.6 VPN Advanced Wizard - Phase 2
Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.
Figure 52 VPN Advanced Wizard: Step 4
Active Protocol: ESP is compatible with NAT, AH is not.
Encapsulation: Tunnel is compatible with NAT, Transport is not.
Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
• Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number (more secure, yet slower).
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
Remote Policy (IP/Mask): Type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.
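As an added example (not from this manual or from ZyXEL), the following Python script applies the rules the Express configuration screen (Section 5.5.1) and the Phase 1 and Phase 2 screens state to a pair of wizard configurations before they are entered on two ZyWALLs: Rule Name and Pre-Shared Key formats, Local and Remote Policies mirrored between the two ends, NAT traversal enabled on both ends, and ESP with Tunnel encapsulation when the tunnel crosses NAT. The dictionary keys and the two sample sites are this script's own assumptions.

```python
"""Sanity checker for ZyWALL VPN wizard settings, written from the rules the
wizard screens state: Rule Name and Pre-Shared Key formats, mirrored Local/
Remote Policies, NAT traversal on both ends, and ESP plus Tunnel when the
tunnel crosses NAT. Added example, not ZyXEL code; the dictionary keys and
the two sample sites are this script's own."""
import re
from ipaddress import ip_network

# Rule Name: 1-31 alphanumerics, underscores or dashes; first character not a digit.
RULE_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")
# Pre-Shared Key in hexadecimal form: "0x" followed by 8 to 31 hex pairs.
HEX_PSK_RE = re.compile(r"0x(?:[0-9A-Fa-f]{2}){8,31}")


def valid_rule_name(name):
    return RULE_NAME_RE.fullmatch(name) is not None


def valid_psk(psk):
    """8-31 printable ASCII characters, or 0x plus 8-31 hex pairs.
    A key that begins with 0x is treated as hexadecimal (assumption)."""
    if psk.startswith("0x"):
        return HEX_PSK_RE.fullmatch(psk) is not None
    return 8 <= len(psk) <= 31 and all(32 <= ord(c) <= 126 for c in psk)


def check_end(cfg):
    """Findings for one ZyWALL's settings; an empty list means nothing to report."""
    out = []
    if not valid_rule_name(cfg["rule_name"]):
        out.append("rule name: 1-31 of [A-Za-z0-9_-], first character not a digit")
    if cfg.get("auth_method", "Pre-Shared Key") == "Pre-Shared Key":
        if not valid_psk(cfg["psk"]):
            out.append("pre-shared key: 8-31 ASCII characters or 0x plus 8-31 hex pairs")
    if cfg.get("nat_traversal"):
        # Phase 2: ESP and Tunnel are NAT compatible, AH and Transport are not.
        if cfg.get("active_protocol", "ESP") != "ESP":
            out.append("NAT traversal requires ESP; AH is not compatible with NAT")
        if cfg.get("encapsulation", "Tunnel") != "Tunnel":
            out.append("NAT traversal requires Tunnel; Transport is not compatible with NAT")
    if cfg.get("p2_encryption") == "Null":
        out.append("phase 2 Null encryption: tunnel traffic is not encrypted")
    for phase in ("p1", "p2"):
        if cfg.get(f"{phase}_auth") == "MD5":
            out.append(f"{phase} MD5 gives minimal security; SHA-1 is stronger")
    if not cfg.get("pfs"):
        out.append("PFS disabled: faster IPSec setup but less secure")
    return out


def check_pair(a, b):
    """Findings for the two ends (a and b) of one tunnel."""
    out = [f"{tag}: {msg}" for tag, cfg in (("a", a), ("b", b)) for msg in check_end(cfg)]
    if a.get("psk") != b.get("psk"):
        out.append("pre-shared keys differ: the peer answers with PYLD_MALFORMED")
    # Each end's Local Policy must be the other end's Remote Policy.
    if ip_network(a["local_policy"]) != ip_network(b["remote_policy"]):
        out.append("a local policy does not match b remote policy")
    if ip_network(a["remote_policy"]) != ip_network(b["local_policy"]):
        out.append("a remote policy does not match b local policy")
    if bool(a.get("nat_traversal")) != bool(b.get("nat_traversal")):
        out.append("NAT traversal must be enabled on both ends")
    return out


# Constructed sample: two sites, with deliberate mistakes on the second one.
SITE_A = {"rule_name": "HQ-to-Branch", "psk": "0x00112233445566778899aabbccddeeff",
          "local_policy": "192.168.1.0/24", "remote_policy": "192.168.2.0/24",
          "nat_traversal": True, "active_protocol": "ESP", "encapsulation": "Tunnel",
          "p1_auth": "SHA1", "p2_auth": "SHA1", "pfs": "DH2"}
SITE_B = {"rule_name": "1Branch", "psk": "0x00112233445566778899aabbccddeeff",
          "local_policy": "192.168.2.0/24", "remote_policy": "192.168.1.0/24",
          "nat_traversal": True, "active_protocol": "AH", "encapsulation": "Tunnel",
          "p1_auth": "MD5", "p2_auth": "SHA1", "pfs": "DH2"}

if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B):
        print(finding)
```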
5.5.7 VPN Advanced Wizard - Summary
This is a read-only summary of the VPN tunnel settings.
Figure 53 VPN Advanced Wizard: Step 5
Rule Name: Identifies the VPN connection (and the VPN gateway).
Secure Gateway: IP address or domain name of the remote IPSec device.
Pre-Shared Key: VPN tunnel password.
Certificate: The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel.
Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.
Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.
• Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL’s command line interface.
• Click Save to save the VPN rule.
5.5.8 VPN Advanced Wizard - Finish
Now you can use the VPN tunnel.
Figure 54 VPN Wizard: Step 6: Advanced
Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
Click Close to exit the wizard.
CHAPTER 6

Configuration Basics

This information is provided to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL.
Section 6.1 on page 93 introduces the ZyWALL’s object-based configuration.
Section 6.2 on page 94 introduces zones, interfaces, and port groups.
Section 6.3 on page 97 introduces some differences in terminology and organization between the ZyWALL and other routers, particularly ZyNOS routers.
Section 6.4 on page 99 covers the ZyWALL’s packet flow.
Section 6.5 on page 102 identifies the features you should configure before and after you configure the main screens for each feature. For example, if you want to configure a trunk for load-balancing, you should configure the member interfaces before you configure the trunk. After you configure the trunk, you should configure a policy route for it as well. (You might also have to configure criteria for the policy route.)
Section 6.6 on page 113 identifies the objects that store information used by other features.
Section 6.7 on page 114 introduces some of the tools available for system management.

6.1 Object-based Configuration

The ZyWALL stores information or settings as objects. You use these objects to configure many of the ZyWALL’s features and settings. Once you configure an object, you can reuse it in configuring other features.
When you change an object’s settings, the ZyWALL automatically updates all the settings or rules that use the object. For example, if you create a schedule object, you can have firewall, application patrol, content filter, and other settings use it. If you modify the schedule, all the firewall, application patrol, content filter, and other settings that use the schedule automatically apply the updated schedule.
You can create address objects based on an interface’s IP address, subnet, or gateway. The ZyWALL automatically updates every rule or setting that uses these objects whenever the interface’s IP address settings change. For example, if you change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based, LAN subnet address object.
You can use the Configuration > Objects screens to create objects before you configure features that use them. If you are in a screen that uses objects, you can also usually select Create new Object to be able to configure a new object. For a list of common objects, see Section 6.6 on page 113.
Use the Object Reference screen (Section 3.3.3.3 on page 58) to see what objects are configured and which configuration settings reference specific objects.

6.2 Zones, Interfaces, and Physical Ports

Zones (groups of interfaces and VPN tunnels) simplify security settings. Here is an overview of zones, interfaces, and physical ports in the ZyWALL.
Figure 55 USG 100: Zones, Interfaces, and Physical Ethernet Ports
[Figure: zones WAN, LAN1, LAN2, WLAN and DMZ; interfaces wan1, wan2, lan1, lan2, ext-wlan and dmz; physical ports P1 to P7]
Figure 56 USG 200: Zones, Interfaces, and Physical Ethernet Ports
[Figure: zones WAN, OPT, LAN1, LAN2, WLAN and DMZ; interfaces wan1, wan2, opt, lan1, lan2, ext-wlan and dmz; physical ports P1 to P7]
Table 13 Zones, Interfaces, and Physical Ethernet Ports
Zones (WAN, OPT, LAN, DMZ): A zone is a group of interfaces and VPN tunnels. Use zones to apply security settings such as firewall, IDP, remote management, anti-virus, and application patrol. You can change the opt interface to be part of a different zone.
Interfaces (Ethernet, VLAN, ...): Interfaces are logical entities that (layer-3) packets pass through. Use interfaces in configuring VPN, zones, trunks, device HA, DDNS, policy routes, static routes, HTTP redirect, and NAT.
Physical Ethernet Ports (P1, P2, ...): Port roles combine physical ports into interfaces. The physical port is where you connect a cable. In configuration, you use physical ports when configuring port groups. You use interfaces and zones in configuring other features.
6.2.1 Interface Types
There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL.
• Ethernet interfaces are the foundation for defining other interfaces and network policies. You also configure RIP and OSPF in these interfaces.
• Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level. Port groups are created when you use the Interface > Port Roles screen to set multiple physical ports to be part of the same (lan1, ext-wlan or dmz) interface.
• PPP interfaces support Point-to-Point Protocols (PPPoE or PPTP). ISP accounts are required for PPPoE/PPTP interfaces.
• VLAN interfaces recognize tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
• Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge.
• Virtual interfaces increase the amount of routing information in the ZyWALL. There are three types: virtual Ethernet interfaces (also known as IP alias), virtual VLAN interfaces, and virtual bridge interfaces.
• The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port.
6.2.2 Default Interface and Zone Configuration
This section introduces the ZyWALL’s default zone member physical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address.
Figure 57 Default Network Topology
Table 14 ZyWALL USG 200 Default Port, Interface, and Zone Configuration
PORT | INTERFACE | ZONE | IP ADDRESS AND DHCP SETTINGS | SUGGESTED USE WITH DEFAULT SETTINGS
P1, P2 | wan1, wan2 | WAN | DHCP clients | Connections to the Internet
P3 | opt | OPT | None, DHCP server disabled | Third WAN, additional LAN, WLAN, or DMZ port or a separate network.
P4 | lan1 | LAN1 | 192.168.1.1, DHCP server enabled | Protected LAN
P5 | lan2 | LAN2 | 192.168.2.1, DHCP server enabled | Protected LAN
P6 | ext-wlan | WLAN | 10.59.0.1, DHCP server enabled | Wireless access points
P7 | dmz | DMZ | 192.168.3.1, DHCP server disabled | Public servers (such as web, e-mail and FTP)
AUX | aux | None | None | Auxiliary modem
CONSOLE | n/a | None | None | Local management
Table 15 ZyWALL USG 100 Default Port, Interface, and Zone Configuration
PORT | INTERFACE | ZONE | IP ADDRESS AND DHCP SETTINGS | SUGGESTED USE WITH DEFAULT SETTINGS
P1, P2 | wan1, wan2 | WAN | DHCP clients | Connections to the Internet
P3, P4 | lan1 | LAN1 | 192.168.1.1, DHCP server enabled | Protected LAN
P5 | lan2 | LAN2 | 192.168.2.1, DHCP server enabled | Protected LAN
P6 | ext-wlan | WLAN | 10.59.0.1, DHCP server enabled | Wireless access points
P7 | dmz | DMZ | 192.168.3.1, DHCP server enabled | Public servers (such as web, e-mail and FTP)
AUX | aux | None | None | Auxiliary modem
CONSOLE | n/a | None | None | Local management
• The WAN zone contains the wan1 and wan2 interfaces (physical ports P1 and P2). They use public IP addresses to connect to the Internet.
• OPT is specific to the ZyWALL USG 200. The OPT zone contains the opt interface (physical port P3). The opt interface is the only default interface that you can change to be part of a different zone. The opt interface belongs to the OPT zone by default. The OPT zone is a separate zone and you can configure a different set of security policies for it.
• The LAN1 zone contains the lan1 interface (a port group made up of physical ports P4 and P5 on the ZyWALL USG 200 or P3, P4, and P5 on the ZyWALL USG 100). The LAN1 zone is a protected zone. The lan1 interface uses 192.168.1.1 and the connected devices use IP addresses in the 192.168.1.2 to 192.168.1.254 range.
• The WLAN zone contains the ext-wlan interface (physical port P6). This is a second protected zone for connecting wireless access points. The ext-wlan interface uses private IP address 10.59.0.1 and the connected devices use IP addresses in the 10.59.0.2 to 10.59.0.254 range.
• The DMZ zone contains the dmz interface (physical port P7). The DMZ zone has servers that are available to the public. The dmz interface uses private IP address 192.168.3.1 and the connected devices use private IP addresses in the 192.168.3.2 to 192.168.3.254 range.

6.3 Terminology in the ZyWALL

This section highlights some differences in terminology or organization between the ZLD-based ZyWALL and other routers, particularly ZyNOS routers.
Table 16 ZLD ZyWALL Terminology That is Different Than ZyNOS
ZYNOS FEATURE / TERM | ZLD ZYWALL FEATURE / TERM
IP alias | Virtual interface
Gateway policy | VPN gateway
Network policy (IPSec SA) | VPN connection
Hub-and-spoke VPN | (VPN) concentrator

Table 17 ZLD ZyWALL Terminology That Might Be Different Than Other Products
FEATURE / TERM | ZLD ZYWALL FEATURE / TERM
Source NAT (SNAT) | Policy route

Table 18 NAT: Differences Between ZLD ZyWALL and ZyNOS
ZYNOS FEATURE / SCREEN | ZLD ZYWALL FEATURE / SCREEN
Trigger port, port triggering | Policy route
Address mapping | Policy route
Address mapping (VPN) | IPSec VPN

Table 19 Bandwidth Management: Differences Between the ZLD ZyWALL and ZyNOS
ZYNOS FEATURE / SCREEN | ZLD ZYWALL FEATURE / SCREEN
Interface bandwidth management (outbound) | Interface
OSI level-7 bandwidth management | Application patrol
General bandwidth management | Policy route

6.4 Packet Flow

Here is the order in which the ZyWALL applies its features and checks.
Figure 58 Packet Flow
6.4.1 ZLD 2.20 Packet Flow Enhancements
ZLD version 2.20 has been enhanced to simplify configuration. The packet flow has been changed as follows:
• Automatic SNAT and WAN trunk routing for traffic going from internal to external interfaces (you don’t need to configure anything to allow LAN to WAN or WLAN to WAN traffic).
The ZyWALL automatically adds all of the external interfaces to the default WAN trunk. External interfaces include ppp, cellular, and AUX interfaces as well as any Ethernet interfaces that are set as external interfaces.
Examples of internal interfaces are WLAN interfaces and any Ethernet interfaces that you configure as internal interfaces.
• A policy route can be automatically disabled if the next-hop is dead.
• You do not need to set up policy routes for IPSec traffic.
• Policy routes can override direct routes.
• You do not need to set up policy routes for 1:1 NAT entries.
• You can create Many 1:1 NAT entries to translate a range of private network addresses to a range of public IP addresses.
• Static and dynamic routes have their own category.
Even with these changes, you can still use an existing configuration file from the previous version.
6.4.2 Routing Table Checking Flow Enhancements
When the ZyWALL receives packets it defragments them and applies destination NAT. Then it examines the packets and determines how to route them. The following figure shows how the ZLD 2.20 firmware’s routing table compares with the earlier 2.1x firmware’s routing table. The checking flow is from top to bottom. As soon as the packets match an entry in one of the sections, the ZyWALL stops checking the packets against the routing table and moves on to the other checks, for example the firewall check.
Figure 59 Routing Table Checking Flow Enhancements
1 Direct-connected Subnets: The ZyWALL first checks to see if the packets are destined for an address in the same subnet as one of the ZyWALL’s interfaces. You can override this and have the ZyWALL check the policy routes first by enabling the policy route feature’s Use Policy Route to Override Direct Route option (see Section 15.1 on page 383).