F05. How to limit some application (for example, FTP) bandwidth usage? ............. 204
F06. What’s the routing order of policy route, dynamic route, and static route and
direct connect subnet table? ....................................................................................... 204
F07. Why ZyWALL USG 2000 cannot ping the Internet host, but PC from LAN side
can browse internet WWW? ...................................................................................... 205
F08. Why can’t I ping the Internet after I shut down the primary WAN interface? ......... 205
F09. Why the virtual server or port trigger does not work? ....................................... 205
F10. Why port trigger does not work? ....................................................................... 205
F11. How do I use the traffic redirect feature in ZyWALL USG 2000? .................... 206
F12. Why can’t ZyWALL learn the route from RIP and/or OSPF? ........................... 206
G. VPN and Certificate ...................................................................................................... 207
G01. Why can't the VPN connections dial to a remote gateway? .............................. 207
G02. VPN connections are dialed successfully, but the traffic still cannot go through
the IPsec tunnel. ......................................................................................................... 207
G03. Why ZyWALL USG 2000 VPN tunnel had been configured correctly and the
VPN connection status is connected but the traffic still can not reach the remote
I05. What is the difference between BWM (bandwidth management) in Policy Route and App. Patrol? ................................................................................ 213
All contents copyright (c) 2008 ZyXEL Communications Corporation.
ZyWALL USG 2000 Support Notes
I06. Do I have to purchase iCards specifically for using AppPatrol feature? ............ 214
I07. Can I configure different access level based on application for different users? 214
I08. Can I migrate AppPatrol policy and bandwidth management control from
ZLD1.0x to ZLD2.0x? ............................................................................................... 214
J. IDP FAQ ......................................................................................................................... 215
J01. Why doesn’t the IDP work? Why has the signature updating failed? ................ 215
J02. When I use a web browser to configure the IDP, sometimes it will popup
"wait data timeout". .................................................................................................... 215
J03. When I want to configure the packet inspection (signatures), the GUI becomes
very slow. ................................................................................................................... 215
J04. After I select "Auto Update" for IDP, when will it update the signatures? ........ 215
J05. If I want to use the IDP service, is it enough to just complete the registration and turn on IDP? ........................................................................................ 215
J06. What are the major design differences in IDP in ZLD1.0x and latest IDP/ADP
in ZLD2.0x? ............................................................................................................... 215
J07. Does IDP subscription have anything to do with AppPatrol? ............................ 216
J08. How to get a detailed description of an IDP signature? ..................................... 217
J09. After an IDP signature updated, does it require ZyWALL to reboot to make new
signatures take effect? ................................................................................................ 217
K. Content Filtering FAQ ................................................................................................... 218
K01. Why can’t I enable external web filtering service? Why does the external web
filtering service seem not to be working? .................................................................. 218
K02. Why can’t I use MSN after I enabled content filter and allowed trusted
P04. How many types of viruses can be recognized by the ZyWALL USG 2000? .... 226
P05. How frequently are the AV signatures updated? ................................................ 226
P06. How to retrieve the virus information in detail? ................................................ 226
P07. I cannot download a file from Internet through ZyWALL USG 2000 because
the Anti-Virus engine considers this file has been infected by the virus; however, I
am very sure this file is not infected because the file is nothing but a plain text file.
How do I resolve this problem? ................................................................................. 226
P08. Does ZyWALL USG 2000 Anti-Virus engine support Passive FTP? ................ 227
P09. What kinds of protocol are currently supported on ZyWALL USG 2000
The comparison of ZyNOS and ZLD
The ZyWALL USG 2000 runs ZLD 2.10 as its network operating system. ZLD 2.10 adds many new features and a redesigned GUI, so the menu layout is not the same as in ZyNOS. The table below maps ZyNOS menu paths to their ZLD equivalents for reference.

Feature/Term | ZyNOS (platform) | ZLD (platform) | Chapter in this document
NAT | Advanced > NAT > Address Mapping | Policy Route |
NAT | Advanced > NAT > Port Forwarding | |
NAT | Advanced > NAT > Port Trigger | |
VPN | | |
IP alias | Network > LAN/DMZ/WLAN > IP Alias | Network > Interface > LAN/DMZ/VLAN/Bridge > Virtual Interface |
WLAN | Wireless > Wi-Fi | Network > Interface > WLAN |
Cellular | Wireless > 3G | Network > Interface > Cellular | 2.4 Mobility
AAA | Security > Auth Server | Object > AAA Server |
(row not recoverable) | | | Internet Access
1. Deploying VPN
A VPN (Virtual Private Network) lets you establish a virtual direct connection to remote locations, or lets telecommuters reach the internal office network. A VPN replaces traditional site-to-site leased lines such as T1 or ISDN. It reduces setup cost, works over many kinds of Internet access device (ISDN modem, ADSL modem, FTTX and so on) and is easy to troubleshoot.
A VPN gives you site-to-site connection flexibility. However, multiple VPN connections between sites become harder to maintain: an administrator typically has to configure many site-to-site VPN connections to build a truly global VPN network.
The VPN concentrator makes VPN connection management easy. It routes VPN traffic across multiple remote sites without complex settings, which reduces the configuration overhead and the chance of misconfiguration. The VPN concentrator is also a centralized management point for administrators, because all traffic between remote sites passes through the central office first, where administrators can set up access control rules based on source address, remote address, user and schedule to enhance VPN security. To help reduce network intrusion attacks, administrators can configure the built-in IDP engine to inspect VPN traffic. For easy
The ZyXEL VPN solutions are primarily used to extend the intranet and deliver increased connectivity between operating sites. The branch office subnet is treated as part of the main office intranet, so a user behind the branch office can use the internal network resources as if they were in the main office. Because of the VPN connection, the user feels like they are on the local LAN even though they reach the resources over the Internet. Using a VPN for smaller branch offices, franchise sites and remote workers provides nearly the same level of connectivity and reliability as a private network, and the remote connection cost drops because Internet connections replace expensive leased lines.
1.1.2 Site to Site VPN solutions (ZyWALL 1050 to ZyWALL USG 2000):
Site-to-site VPN is the basic VPN solution between a local and a remote gateway. This type of VPN connection extends and joins the local networks of both sites into a single intranet. There are two kinds of connection interface: static IP and dynamic DNS.
Configure ZyWALL 1050 with a static IP address:
The ZyWALL 1050 uses a static IP address for the VPN connection. The topology is shown in the following figure.
The user needs to configure the static IP address and then apply it in the VPN Gateway configuration page. The configuration steps are:
1) Log in to the ZyWALL 1050 GUI, set up the ge2 interface for the Internet connection and manually assign a static IP. The configuration path on the ZyWALL 1050 is Network > Interface > Ethernet > Edit > ge2.
2) Switch to VPN > IPSec VPN > VPN Gateway, select interface ge2 as My Address and, in the Security Gateway Address field, set the remote gateway IP to 167.35.4.3. Local ID Type and content are IP and 210.110.7.1; Peer ID Type and content are IP and 167.35.4.3.
3) Refer to the user guide to complete the rest of the VPN tunnel settings.
4) The ZyWALL 1050 and ZyWALL USG 2000 VPNs are route-based: the VPN tunnel is an interface that traffic can be routed into. So after configuring the VPN gateway and VPN connection (phase 1 and phase 2), you still need a policy route for the traffic from the local subnet to the remote subnet. The policy route tells the ZyWALL 1050 to send traffic into the VPN tunnel when it flows from the local subnet to a destination in the remote subnet. Without this route, packets for the remote subnet simply follow the default route out of the WAN interface and never enter the tunnel, even though the tunnel itself is up. Switch to ZyWALL 1050 > Network > Routing > Policy Route and add a new policy route: the source and destination addresses are the local and remote subnets, the Next-Hop type is VPN Tunnel, and the VPN tunnel drop-down selects the corresponding VPN connection rule. Now the VPN tunnel and routing are configured and you can start testing.
5) Log in to the ZyWALL USG 2000 GUI, set up the ge2 interface for the Internet connection and manually assign a static IP. The configuration path in the ZyWALL USG 2000 menu is ZyWALL > VPN > IPSec VPN > VPN Gateway > Add. Select "Static site to site VPN" and create an object if you have not yet created any WAN interface.
6) Switch to VPN > IPSec VPN > VPN Gateway > Edit, select interface ge2 as My Address and, in the Security Gateway Address field, set the remote gateway IP to 210.110.7.1. Local ID Type and content are IP and 167.35.4.3; Peer ID Type and content are IP and 210.110.7.1.
7) Create the VPN connection under ZyWALL > VPN > IPSec VPN > VPN Connection > Edit. For more detail, refer to the user guide to complete the rest of the VPN tunnel settings.
8) The ZyWALL USG 2000 VPN is route-based as well, so a policy route is needed on this side too. After configuring the VPN gateway and VPN connection (phase 1 and phase 2), switch to ZyWALL USG 2000 > Network > Routing > Policy Route and add a new policy route: the source and destination addresses are this site's local subnet and the remote subnet (the mirror image of the policy route on the ZyWALL 1050), the Next-Hop type is VPN Tunnel, and the VPN tunnel drop-down selects the corresponding VPN connection rule. Now the VPN tunnel and routing are configured on both ends and you can start testing.
Tips for application:
1. Make sure the pre-shared key is the same on both the local and the remote gateway.
2. Make sure the IKE and IPSec proposals are the same on both the local and the remote gateway.
3. Select the correct interface for the VPN connection.
4. The Local ID and Peer ID must be mirrored: one gateway's Local ID type and content must equal the other gateway's Peer ID type and content, and vice versa.
5. Make sure the VPN policy route has been configured on both the ZyWALL 1050 and the ZyWALL USG 2000.
1.2 Extranet Deployment
A VPN also provides access to extranets, giving a secure path over the Internet that improves customer service, vendor support and company communication. Various flexible business models have been built on a global VPN extranet architecture: for example, customers can order equipment over the VPN and suppliers can check the orders electronically. Another application is that employees across different branches can collaborate on project documents and share each site's internal resources to complete the project.
Figure: ZyWALL USG 2000 at the central site connected to a Partner Site.
The ZyWALL USG 2000 can be placed as the VPN gateway at the central site. It can communicate with other ZyXEL VPN-capable products as well as with VPN products from other major network device vendors, e.g. Cisco PIX/IOS VPN products, Check Point VPN Pro, Juniper NetScreen 100/200 and others.
1.2.1 Site to site VPN solutions (ZyWALL USG 2000 to ZyWALL70)
The existing ZyWALL 35 or 70 at the central office gateway can be replaced by a ZyWALL USG 2000, and the ZyWALL 35 or 70 moved to a remote office. The ZyWALL USG 2000 provides higher VPN throughput and handles multiple VPN tunnels at the same time. To show how to build a tunnel between a ZyWALL 5/35/70 and the ZyWALL USG 2000, we use a ZyWALL 70 as the example.
Figure: Center Office Gateway (ZyWALL USG 2000, static IP address 210.110.7.1, LAN 192.168.1.X) <-> Internet <-> Branch Gateway (ZyWALL 70, static IP address 167.35.4.3, LAN 192.168.2.X)
1) Log in to the ZyWALL USG 2000 GUI, set up the ge2 interface for the Internet connection and manually assign a static IP. The configuration path is ZyWALL USG 2000 > Network > Interface > Edit > ge2.
2) Switch to VPN > IPSec VPN > VPN Gateway, select interface ge2 as My Address and, in the Security Gateway Address field, set the remote gateway IP to 167.35.4.3. Local ID Type and content are IP and 210.110.7.1; Peer ID Type and content are IP and 167.35.4.3.
3) Log in to the ZyWALL 70 and go to Security > VPN > Gateway Policy. Add a new gateway policy to connect to the central office's ZyWALL USG 2000. My Address and Remote Gateway Address are the ZyWALL 70 and ZyWALL USG 2000 WAN IP addresses respectively. The Pre-Shared Key configured on both sides must be exactly the same, and the Local ID Type & content and Peer ID Type & content are the reverse of those on the ZyWALL USG 2000.
4) The IKE proposal is a very important setting when configuring the VPN tunnel. The proposal includes the Negotiation Mode, the Encryption and Authentication algorithms and so on. Make sure the IKE proposal parameters are the same on both ends.
5) Switch to Network > IPSec VPN > VPN Connection and add a new VPN connection (IPSec phase 2). Set up the phase 2 proposal and the local and remote policies. The phase 2 proposal chosen must be the same as on the remote site's ZyWALL 70.
6) On the ZyWALL 70 the VPN is rule-based: whether traffic enters the tunnel depends on the local and remote policies. In this example the ZyWALL 70 local and remote policies are 192.168.2.0 and 192.168.1.0, so traffic from the 192.168.2.X subnet to the 192.168.1.X subnet goes through the VPN tunnel to the remote site as predefined. The ZyWALL USG 2000 local and remote policies must be the reverse of the ZyWALL 70 settings, otherwise the tunnel will not be built.
7) Check that the IPSec proposal on both sites is the same and that the configuration is complete on both sites.
8) The ZyWALL USG 2000 VPN is route-based: the VPN tunnel is an interface that traffic can be routed into. So after configuring the VPN gateway and the VPN connection (phase 1 and phase 2), a policy route is needed for the traffic from the local subnet to the remote subnet. The purpose of this policy route is to tell the ZyWALL USG 2000 to send traffic into the VPN tunnel when it goes from the local subnet to a destination in the remote subnet. Switch to Network > Routing > Policy > Policy Route and add a new policy route: the source and destination addresses are the local and remote subnets, the Next-Hop type is VPN Tunnel, and the VPN tunnel drop-down selects the corresponding VPN connection rule. Now the VPN tunnel and routing are built and you can start testing.
9) After configuring both sides of the VPN, click the "Dial up" icon to test the VPN tunnel.
Tips for application:
1. Make sure the pre-shared key is the same on both the local and the remote gateway.
2. Make sure the IKE and IPSec proposals are the same on both the local and the remote gateway.
3. Select the correct interface for the VPN connection.
4. The Local ID and Peer ID must be mirrored: one gateway's Local ID type and content must equal the other gateway's Peer ID type and content, and vice versa; setting the same Local ID on both ends does not work.
5. Make sure the VPN policy route has been set up on the ZyWALL USG 2000.
1.2.2 Interoperability – VPN with other vendors
1.2.2.1 ZyWALL with FortiGate VPN Tunneling
This section explains how to set up a VPN connection between the ZyWALL USG 2000 and a FortiGate 200A.
As shown in the figure below, the tunnel between the central and remote offices keeps the packet flow between them secure, because packets going through the IPSec tunnel are encrypted. The required settings for the ZyWALL and the FortiGate are explained in the following sections.
Figure: Central Office Gateway (ZyWALL, static IP address 210.110.7.1, LAN 192.168.1.X) <-> Internet <-> Branch Gateway (FortiGate 200A, static IP address 167.35.4.3, LAN 192.168.2.X)
The central office gateway ZyWALL USG 2000's interface and VPN settings are the same as in the previous example. If you jumped to this section first, please refer to section 1.2.1, 'ZyWALL USG 2000 to ZyWALL70 VPN tunnel setting'.
The list below briefly shows the VPN phase 1 and phase 2 configuration parameters, which are identical on both ends:

ZyWALL: WAN 210.110.7.1, LAN 192.168.1.0/24
FortiGate: WAN 167.35.4.3, LAN 192.168.2.0/24
Phase 1 (both sides)
Negotiation Mode: Main
Pre-shared key: 123456789
Encryption: DES
Authentication: MD5
Key Group: DH1
Phase 2 (both sides)
Encapsulation: Tunnel
Active Protocol: ESP
Encryption: DES
Authentication: SHA1
Perfect Forward Secrecy (PFS): None

These are demonstration values for an interoperability test. DES, MD5 and DH group 1 are weak by current standards, PFS is disabled, and the pre-shared key is a trivial placeholder; for a production tunnel use AES, SHA-2, a larger DH group, PFS and a long random pre-shared key on both ends.
1) Configure the ZyWALL USG 2000's VPN gateway and VPN connection as in the list. Also remember to configure the policy route for the VPN traffic. Refer to the previous scenario or the user guide for help setting up the ZyWALL USG 2000 VPN.
2) Log in to the FortiGate GUI, switch to System > Network > Interface and set the wan1 interface to 167.35.4.3 and the internal interface to 192.168.2.1/255.255.255.0.
Note: For detailed interface settings, refer to the FortiGate user guide.
3) Switch to System > VPN > IPSEC, select the Auto Key (IKE) tab and click the Create Phase 1 button. This opens a new page for the VPN phase 1 setup.
4) Fill in the VPN phase 1 settings according to the table. The ID type and content do not have to be set up because the FortiGate accepts any peer ID. Make sure both the pre-shared key and the proposal are the same as on the ZyWALL USG 2000.
5) Go back to the VPN configuration page and click the Create Phase 2 button to add a new phase 2 policy.
6) Select the "ZyWALL" policy (configured in step 4) from the Phase 1 drop-down menu and click the Advanced... button to edit the phase 2 proposal and the source and destination addresses. Make sure the phase 2 proposal is the same as the ZyWALL USG 2000 phase 2.
7) The VPN tunnel configuration is finished and the VPN IPSec page shows the phase 1 and phase 2 rules in the Auto Key (IKE) tab.
8) We need to set up firewall rules for the IPSec VPN traffic from the ZyWALL to the FortiGate and from the FortiGate to the ZyWALL. Switch to the Firewall > VPN > Address menu and add two new address objects that stand for the ZyWALL LAN subnet and the FortiGate LAN subnet, using the "Create New" button.
9) Switch to Firewall > Policy and click the "Insert Policy Before" icon to add a new policy for the VPN traffic from the FortiGate to the ZyWALL.
10) Set up the FortiGate-to-ZyWALL policy in the new page. The source interface is internal and the Address Name is Fortinet (the 192.168.2.0/255.255.255.0 address object). The destination interface is wan1 and the Address Name is Zynet (the 192.168.1.0/255.255.255.0 address object). Schedule and Service are "always" and "ANY" so that all kinds of traffic can pass through the VPN tunnel at any time. Three kinds of "Action" are available; because this traffic is sent from "internal" to the WAN and is to be encrypted by the IPSec VPN tunnel, select "IPSEC" as the Action, choose the ZyWALL tunnel, and allow both inbound and outbound traffic.
11) Switch to Firewall > Policy and click the "Create New" button to add a new policy for the VPN traffic from the ZyWALL to the FortiGate.
12) Set up the ZyWALL-to-FortiGate policy in the new page. The source interface is wan1 and the Address Name is Zynet (the 192.168.1.0/255.255.255.0 address object). The destination interface is internal and the Address Name is Fortinet (the 192.168.2.0/255.255.255.0 address object). Schedule and Service are again "always" and "ANY" so that all kinds of traffic can pass through the VPN tunnel at any time. Select "ACCEPT" as the Action this time, because traffic arriving from the WAN must be decrypted first and only then forwarded to internal. Do not select IPSEC as the Action for this direction of the VPN traffic. Note that this ACCEPT rule is matched on interface and address only, so it would also admit a cleartext packet arriving on wan1 with a forged 192.168.1.x source; keep it no broader than the tunnel needs.
13) The overall firewall policy is shown in the following figure. The VPN tunnel between the ZyWALL and the FortiGate is now set up.
Tips for application:
1. Make sure the Pre-Shared Key is the same on both the local and the remote gateway.
2. Make sure both the IKE and the IPSec proposal are the same on both the local and the remote gateway.
3. Make sure the VPN policy route has been configured on the ZyWALL USG 2000.
4. Make sure the firewall rules have been configured on the FortiGate.
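The tip lists of sections 1.1.2, 1.2.1 and this section all come down to the same pre-flight checks: same pre-shared key, same phase 1 and phase 2 proposals, mirrored (not identical) local/peer IDs and phase 2 policies, and a policy route into the tunnel on every route-based ZLD gateway. The following Python script is an added example, not part of the Support Notes and not ZyXEL code: it models each end of a tunnel as a small record and applies those checks mechanically, including the route-based caveat that a missing policy route leaves the traffic on the default route. The Gateway record, the "IP:<address>" notation for IDs, the "tunnel:" prefix for a VPN-tunnel next-hop and the list of algorithms flagged as weak are this example's own assumptions; the addresses are those of section 1.2.1 and the proposal values those of the FortiGate table above. The FortiGate firewall rules (tip 4 above) are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field, replace

# Editor's assumption: these algorithms count as weak by today's standards.
# The Support Notes example uses DES/MD5/DH1; the checker only warns on them.
WEAK = {"DES", "3DES", "MD5", "DH1", "DH2"}


@dataclass
class Gateway:
    """One end of a site-to-site IPsec tunnel as the Support Notes describe it."""
    name: str
    wan_ip: str
    local_net: str        # phase 2 local policy
    remote_net: str       # phase 2 remote policy
    local_id: str         # "IP:<address>", must equal the peer's peer_id
    peer_id: str
    psk: str
    phase1: dict
    phase2: dict
    route_based: bool     # ZLD (USG 2000, ZyWALL 1050) = True, ZyNOS (ZyWALL 70) = False
    policy_routes: list = field(default_factory=list)   # (src, dst, next_hop)


def check_policy_route(gw: Gateway) -> list:
    """Tip 5: a route-based gateway needs a policy route whose source covers the
    local subnet, whose destination covers the remote subnet and whose next-hop
    is the VPN tunnel. Without it the traffic follows the default route out of
    the WAN interface and never enters the tunnel."""
    local = ipaddress.ip_network(gw.local_net)
    remote = ipaddress.ip_network(gw.remote_net)
    for src, dst, next_hop in gw.policy_routes:
        if (local.subnet_of(ipaddress.ip_network(src))
                and remote.subnet_of(ipaddress.ip_network(dst))
                and next_hop.startswith("tunnel:")):
            return []
    return [("ERROR", f"{gw.name}: no policy route {gw.local_net} -> {gw.remote_net} "
             "with a VPN-tunnel next-hop; traffic would take the default route")]


def check_pair(a: Gateway, b: Gateway) -> list:
    """Apply the 'Tips for application' to both ends. Returns (severity, message)
    findings; an empty list means every tip is satisfied and nothing is weak."""
    findings = []
    if a.psk != b.psk:                                          # tip 1
        findings.append(("ERROR", "pre-shared keys differ"))
    for phase in ("phase1", "phase2"):                          # tip 2
        pa, pb = getattr(a, phase), getattr(b, phase)
        for key in sorted(set(pa) | set(pb)):
            va, vb = pa.get(key), pb.get(key)
            if va != vb:
                findings.append(("ERROR", f"{phase} {key}: {a.name}={va}, {b.name}={vb}"))
            elif str(va).upper() in WEAK:
                findings.append(("WARN", f"{phase} {key}={va} is a weak algorithm"))
            elif key == "pfs" and str(va).upper() == "NONE":
                findings.append(("WARN", "phase2 has no Perfect Forward Secrecy"))
    if a.local_id != b.peer_id or b.local_id != a.peer_id:      # tip 4
        findings.append(("ERROR", "local/peer IDs are not mirrored between the two sides"))
    if a.local_net != b.remote_net or b.local_net != a.remote_net:
        findings.append(("ERROR", "phase 2 local/remote policies are not mirrored"))
    for gw in (a, b):
        if gw.local_id.startswith("IP:") and gw.local_id[3:] != gw.wan_ip:   # tip 3
            findings.append(("WARN", f"{gw.name}: local ID {gw.local_id} is not its WAN address {gw.wan_ip}"))
        if gw.route_based:                                       # tip 5
            findings.extend(check_policy_route(gw))
    return findings


# Constructed sample: the addresses of section 1.2.1 with the proposal values of
# the FortiGate table (the Support Notes list no algorithms for the ZyWALL 70 case).
PHASE1 = {"mode": "Main", "encryption": "DES", "authentication": "MD5", "dh_group": "DH1"}
PHASE2 = {"encapsulation": "Tunnel", "protocol": "ESP", "encryption": "DES",
          "authentication": "SHA1", "pfs": "None"}


def example_pair():
    """Correctly mirrored USG 2000 (route-based) and ZyWALL 70 (rule-based)."""
    usg = Gateway("USG2000", "210.110.7.1", "192.168.1.0/24", "192.168.2.0/24",
                  "IP:210.110.7.1", "IP:167.35.4.3", "123456789", PHASE1, PHASE2, True,
                  [("192.168.1.0/24", "192.168.2.0/24", "tunnel:to-branch")])
    zw70 = Gateway("ZyWALL70", "167.35.4.3", "192.168.2.0/24", "192.168.1.0/24",
                   "IP:167.35.4.3", "IP:210.110.7.1", "123456789", PHASE1, PHASE2, False)
    return usg, zw70


def broken_pair():
    """The two mistakes the tips warn about: identical (not mirrored) IDs on the
    USG and no policy route into the tunnel."""
    usg, zw70 = example_pair()
    return replace(usg, local_id="IP:167.35.4.3", policy_routes=[]), zw70


if __name__ == "__main__":
    for label, pair in (("good", example_pair()), ("broken", broken_pair())):
        print(f"== {label} ==")
        for severity, message in check_pair(*pair):
            print(f"{severity:5} {message}")
```

Run it directly to print the findings for the correctly mirrored pair and for the pair with the two classic mistakes. Even the correct pair produces warnings, because DES, MD5, DH group 1 and PFS=None are weak by current standards; the broken pair adds the mirrored-ID error, a warning that the USG's local ID no longer matches its WAN address, and the missing-policy-route error that corresponds to FAQ G02 (tunnel up, traffic not passing).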
1.2.2.2 ZyWALL with NetScreen VPN Tunneling
This section explains how to set up a VPN connection between the ZyWALL USG 2000 and a NetScreen 5GT.
As shown in the figure below, the tunnel between the central and remote offices keeps the packet flows between them secure, because packets flowing through the IPSec tunnel are encrypted. The required settings to set up this VPN tunnel on the ZyWALL and the NetScreen are stated in the following section.
Figure: Central Office Gateway (ZyWALL, static IP address 210.110.7.1, LAN 192.168.1.X) <-> Internet <-> Branch Gateway (NetScreen 5GT, static IP address 167.35.4.3, LAN 192.168.2.X)
The central office gateway ZyWALL USG 2000's interface and VPN settings are the same as in the previous example. If you jumped to this section first, please refer to section 1.2.1, 'ZyWALL USG 2000 to ZyWALL70 VPN tunnel setting'.
The list below briefly shows the VPN phase 1 and phase 2 configuration parameters, which are identical on both ends:

ZyWALL: WAN 210.110.7.1, LAN 192.168.1.0/24
NetScreen: WAN 167.35.4.3, LAN 192.168.2.0/24
Phase 1 (both sides)
Negotiation Mode: Main
Pre-shared key: 123456789
Encryption: DES
Authentication: MD5
Key Group: DH1