ZyXEL Communications USG 300 User Manual

ZyWALL USG 300

Unified Security Gateway
LAN Port P1 IP Address https://192.168.1.1 User Name admin Password 1234
www.zyxel.com
Version 2.20 Edition 1, 3/2010
www.zyxel.com
Copyright © 2010 ZyXEL Communications Corporation

About This User's Guide

About This User's Guide
Intended Audience
This manual is intended for people who want to want to configure the ZyWALL using the Web Configurator.
How To Use This Guide
•Read Chapter 1 on page 33 chapter for an overview of features available on the ZyWALL.
•Read Chapter 3 on page 47 for web browser requirements and an introduction to the main components, icons and menus in the ZyWALL Web Configurator.
•Read Chapter 4 on page 63 if you’re using the installation wizard for first time setup and you want more detailed information than what the real time online help provides.
•Read Chapter 5 on page 73 if you’re using the quick setup wizards and y ou want more detailed information than what the real time online help provides.
• It is highly recommended you read Chapter 6 on page 91 for detailed information on essential terms us ed in the ZyWALL, what prerequisites are needed to configure a feature and how to use that feature.
• It is highly recommended you read Chapter 7 on page 115 for ZyWALL application examples.
• Subsequent chapters are arranged by menu item as defined in the Web Configurator. Read each chapter carefully for detailed information on that menu item.
• To find specific information in this guide, use the Contents Overview, the Table of Contents, the Index, or search the PDF file. E-mail techwriters@zyxel.com.tw if you cannot find the information you require.
Related Documentation
•Quick Start Guide The Quick Start Guide is designed to show you how to make the ZyWALL
hardware connections and access the Web Configurator wizards. (See the wizard real time help for information on configuring each screen.) It also contains a connection diagram and package contents list.
•CLI Reference Guide The CLI Reference Guide explains how to use the Command-Line Interface (CLI)
to configure the ZyWALL.
Note: It is recommended you use the Web Configurator to configure the ZyWALL.
ZyWALL USG 300 User’s Guide
3
About This User's Guide
• Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and
supplementary information.
Documentation Feedback
Send your comments, questions or suggestions to: techwriters@zyxel.com.tw
Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 30099, Taiwan.
Need More Help?
More help is available at www.zyx el.com.
• Download Library Search for the latest product updates and documentation from this link. Read
the Tech Doc Overview to find out how to efficiently use the User Guide, Quick Start Guide and Command Line Interface Reference Guide in order to better understand how to use your product.
• Knowledge Base If you have a specific question about your product, the answer may be here.
This is a collection of answers to previously asked questions about ZyXEL products.
•Forum This contains discussions on ZyXEL prod ucts. Learn from others who use ZyXEL
products and share your experiences as well.
Customer Support
Should problems arise that cannot be solved by the methods listed above, you should conta ct your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device.
4
ZyWALL USG 300 User’s Guide
About This User's Guide
See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following informatio n ready when you contact an office.
• Product model and serial number.
•Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Disclaimer
Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software fo r y our dev ice. Ev ery effort has been made to ensur e that the information in this manual is accurate.
ZyWALL USG 300 User’s Guide
5

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User’s Guide.
Warnings tell you about things that could harm you or your device.
Note: Notes tell you other important information (for example, other things you may
need to configure or helpful tips) or recommendations.
Syntax Conventions
• The ZyWALL may be referred to as the “ZyWALL”, the “device”, the “system” or the “product” in this User’s Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
Document Conventions
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “enter” or “ret urn” key on your keyboard.
• “Enter” means for you to type one or more characters and then press the [ENTER] key. “Select” or “choose” means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click
Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
6
ZyWALL USG 300 User’s Guide
Document Conventions
Icons Used in Figures
Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
ZyWALL Computer Notebook computer
Server Firewall Telephone
Switch Router
ZyWALL USG 300 User’s Guide
7

Safety Warnings

• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
• Always disconnect all cables from this device before servicing or disassembling.
• Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the device and the power source.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose them at the applicable collection point for the recycling of electrical and electronic equipment. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
Safety Warnings
8
Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.
ZyWALL USG 300 User’s Guide

Contents Overview

Contents Overview
User’s Guide ........................................................................................................ ...................31
Introducing the ZyWALL ............................................................................................................ 33
Features and Applications ......................................................................................................... 39
Web Configurator ............................................. ... ... ... .... ............................................. ... ... .......... 47
Installation Setup Wizard .................................... ............................................................. ..........63
Quick Setup ............................................................................................................................... 73
Configuration Basics .............. ... ... .............................................................................................. 91
Tutorials ...................................................................................................................................115
L2TP VPN Example .................................................................................................................183
Technical Reference ............................................................................................................219
Dashboard .............................................................................................................................. 221
Monitor .................................................................................................................................... 235
Registration ............................................................................................................................. 277
Signature Update .....................................................................................................................283
Interfaces ..................................... ....................................................... ..................................... 289
Trunks ..................................................................................................................................... 363
Policy and Static Routes ..........................................................................................................373
Routing Protocols ....................................................................................................................389
Zones .................................. ................... ................... .................... ................... ........................ 403
DDNS ...................................................................................................................................... 407
NAT ................................. ............................. .............................. ............................. ................. 413
HTTP Redirect ........................................................................................................................ 423
ALG ......................................................................................................................................... 427
IP/MAC Binding ...................................................................................................................... 435
Authentication Policy .......... ... ................................................ .... ... ........................................... 441
Firewall .................................................................................................................................... 449
IPSec VPN ................... ... .............................................. ... ... ... .... ... ... ........................................ 467
SSL VPN ................................................................................................................................. 507
SSL User Screens ................................................................................................................... 519
SSL User Application Screens ................................................................................................ 529
SSL User File Sharing ............................................................................................................. 531
ZyWALL SecuExtender .. .... ... ... ...............................................................................................539
L2TP VPN ................................................................................................................................ 543
Application Patrol .....................................................................................................................547
Anti-Virus ................................................................................................................................. 573
IDP .......................................................................................................................................... 589
ADP ........................................................................................................................................ 623
ZyWALL USG 300 User’s Guide
9
Contents Overview
Content Filtering ..................................................................................................................... 643
Content Filter Reports ............................................................................................................. 667
Anti-Spam ................................................................................................................................ 675
Device HA ................................................................................................................................ 693
User/Group .............................................................................................................................. 715
Addresses ............................................................................................................................... 731
Services ................................. ....................................................... ........................................... 737
Schedules ................................. ................................................. .............................................. 743
AAA Server ............................................................................................................................. 749
Authentication Method ................................. ................................................. ... ... .... ................. 759
Certificates ................................... ....................... ....................... ...................... ........................ 765
ISP Accounts ......................................... ... ... .... ... ... ..................................................................787
SSL Application ....................................................................................................................... 791
Endpoint Security .................................................................................................................... 799
System ................................................................................................................................... 809
Log and Report ......................................................................................................................859
File Manager ........................................................................................................................... 873
Diagnostics ............................................................................................................................. 885
Reboot ..................................................................................................................................... 891
Shutdown ......................................... ............................. ............................. .............................. 893
Troubleshooting ..................................................... .................................................................. 895
Product Specifications ............................................................................................................. 915
10
ZyWALL USG 300 User’s Guide

Table of Contents

Table of Contents
About This User's Guide..........................................................................................................3
Document Conventions............................................................................................................6
Safety Warnings ........................................................................................................................8
Contents Overview ...................................................................................................................9
Table of Contents....................................................................................................................11
Part I: User’s Guide................................................................................ 31
Chapter 1
Introducing the ZyWALL ........................................................................................................33
1.1 Overview and Key Default Settings .....................................................................................33
1.2 Rack-mounted Installation ................................................................................................... 33
1.2.1 Rack-Mounted Installation Procedure ........................................................................ 34
1.3 Front Panel ......................................... ... .... ............................................. ... ... .... ... ... .............35
1.3.1 Front Panel LEDs .......................................... ............................................................. 35
1.4 Management Overview .......... .... ... ... ................................................ .... ... .............................35
1.5 Starting and Stopping the ZyWALL ............................ ... ... .... ................................................ 36
Chapter 2
Features and Applications.....................................................................................................39
2.1 Features ............................................. ... .... ... ............................................. ... .... ... ... .............39
2.2 Applications .................................................. ... ... .... ... ... ... .... ................................................ 41
2.2.1 VPN Connectivity ............. ............................................. ... ... ... .... ... ... .......................... 42
2.2.2 SSL VPN Network Access ........ ... .... ... ... ... .... ... ... ............................................. ... .... ... 42
2.2.3 User-Aware Access Control ....................................................................................... 44
2.2.4 Multiple WAN Interfaces ................... ... ... ... .... ... ... ....................................................... 44
2.2.5 Device HA .................... .... ............................................. ... ... ... .... ... ... ... ....................... 45
Chapter 3
Web Configurator....................................................................................................................47
3.1 Web Configurator Requirements ......................................................................................... 47
3.2 Web Configurator Access ....................................................................................................47
3.3 Web Configurator Screens Overview .................................................................................. 49
3.3.1 Title Bar .................................. ... ............................................. .... ... ... .......................... 50
ZyWALL USG 300 User’s Guide
11
Table of Contents
3.3.2 Navigation Panel .......... .... ... ... ... ................................................................................. 50
3.3.3 Main Window .......................... ... ............................................. .... ... ... ... .... ... ... .............57
3.3.4 Tables and Lists .. ... ... ... .... ... ... ............................................. ... .... ... ... ... .... ...................59
Chapter 4
Installation Setup Wizard.......................................................................................................63
4.1 Installation Setup Wizard Screens ...................................................................................... 63
4.1.1 Internet Access Setup - WAN Interface ..................................................................... 64
4.1.2 Internet Access: Ethernet .......................................................................................... 64
4.1.3 Internet Access: PPPoE ............................................................................................. 66
4.1.4 Internet Access: PPTP .............................................................................................. 67
4.1.5 ISP Parameters ................................... ... ... .... ... ... ............................................. ... .... ... 67
4.1.6 Internet Access Setup - Second WAN Interface ........................................................ 69
4.1.7 Internet Access - Finish .............................................................................................69
4.2 Device Registration ........................................................................................................... 70
Chapter 5
Quick Setup.............................................................................................................................73
5.1 Quick Setup Overview ............................... ... ... ... .... ... ... ... .... ... ... .......................................... 73
5.2 WAN Interface Quick Setup .................................................................................................74
5.2.1 Choose an Ethernet Interface .................................................................... ... ... ... .... ... 74
5.2.2 Select WAN Type ............................. ... ... ... .... ............................................. ... ... ... .......74
5.2.3 Configure WAN Settings ............................................................................................ 75
5.2.4 WAN and ISP Connection Settings ............................................................................ 76
5.2.5 Quick Setup Interface Wizard: Summary ................................................................... 78
5.3 VPN Quick Setup .......... ... ... ... .... ............................................. ... ... ... .... ... ............................. 79
5.4 VPN Setup Wizard: Wizard Type ......................................................................................... 80
5.5 VPN Express Wizard - Scenario ......................................................................................... 81
5.5.1 VPN Express Wizard - Configuration ........................... ... ... ... .... ... ... ... ....................... 82
5.5.2 VPN Express Wizard - Summary ....................................................................... .... ... 83
5.5.3 VPN Express Wizard - Finish .................................................................................... 84
5.5.4 VPN Advanced Wizard - Scenario ............................................................................ 85
5.5.5 VPN Advanced Wizard - Phase 1 Settings ............................................................... 86
5.5.6 VPN Advanced Wizard - Phase 2 ............................................................................. 88
5.5.7 VPN Advanced Wizard - Summary ........................................................................... 89
5.5.8 VPN Advanced Wizard - Finish ................................................................................. 90
Chapter 6
Configuration Basics..............................................................................................................91
12
6.1 Object-based Configuration .......................................................................... .... ... ... .............91
6.2 Zones, Interfaces, and Physical Ports ................................................................................. 92
6.2.1 Interface Types .................................................... ... .... ... ... ... ... .... ... ... .......................... 93
6.2.2 Default Interface and Zone Configuration .................................................................. 94
ZyWALL USG 300 User’s Guide
Table of Contents
6.3 Terminology in the ZyWALL ................... .... ... ... ... .... ... ... ............................................. ... .... ... 95
6.4 Packet Flow ........................................ ............................................. .... ... ... ... .... ... ... .............96
6.4.1 ZLD 2.20 Packet Flow Enhancements ....................................................................... 96
6.4.2 Routing Table Checking Flow Enhancements ............................................................ 97
6.4.3 NAT Table Checking Flow ............................. ... ... ... .... ... ... ... ....................................... 98
6.5 Feature Configuration Overview ......................................................................................... 99
6.5.1 Feature ...................................... ... .... ... ... ... .... ... ............................................. ... ... ..... 100
6.5.2 Licensing Registration ............................ ... .... ... ... ... .... ... ... ........................................ 100
6.5.3 Licensing Update ................................................... .... ... ... ... ... .... ... ... ... ..................... 100
6.5.4 Interface .................... ... .............................................. ... ... ... ... .... ... ... ........................ 101
6.5.5 Trunks ............. .... ... ............................................. ... .... ... ... ........................................ 101
6.5.6 Policy Routes ................... ............................................. ... ... ... .... ... ... ... ..................... 101
6.5.7 Static Routes .................................... ... ... ... .............................................. ... ... ... ... .....103
6.5.8 Zones ............................................................ ... ... ... ............................................. ..... 103
6.5.9 DDNS ..... ............................................. ... ... .... ... ............................................. ... ... ..... 103
6.5.10 NAT ........................................................................................................................ 103
6.5.11 HTTP Redirect ........................................................................................................ 104
6.5.12 ALG ........................................................................................................................ 105
6.5.13 Auth. Policy ............................................................................................................105
6.5.14 Firewall ................................................................................................................... 105
6.5.15 IPSec VPN ............................................................................................................. 106
6.5.16 SSL VPN ................................................................................................................ 106
6.5.17 L2TP VPN .............................................................................................................. 107
6.5.18 Application Patrol ...................................................................................................107
6.5.19 Anti-Virus ................................................................................................................ 108
6.5.20 IDP ......................................................................................................................... 108
6.5.21 ADP ........................................................................................................................ 108
6.5.22 Content Filter ..........................................................................................................108
6.5.23 Anti-Spam ...............................................................................................................109
6.5.24 Device HA .............................................................................................................. 109
6.6 Objects ............................................ ... ... .... ............................................. ... ... .... ... ...............110
6.6.1 User/Group ....................... ... ... ............................................. ... .... ... ... ... .... ..................110
6.7 System ............. ............................................. ... ... .... ... .........................................................111
6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM ............. .... ..111
6.7.2 Logs and Reports ......................................................................................................112
6.7.3 File Manager ....................... ... ... ... .............................................................................112
6.7.4 Diagnostics ................ ... .... ... ... ... ... .............................................. ... ... ... .... ..................112
6.7.5 Shutdown .................. ... .............................................. ... ... ... ... .... ... ... .........................112
Chapter 7
Tutorials................................................................................................................................115
7.1 How to Configure Interfaces, Port Grouping, and Zones . .... ... ............................................ 115
7.1.1 Configure a WAN Ethernet Interface ............................. ... ... ... .... ... ... ... .... ... ... ... ... .... ..116
ZyWALL USG 300 User’s Guide
13
Table of Contents
7.1.2 Configure Zones ........................... .... ... ... ... ................................................................116
7.1.3 Configure Port Grouping ...........................................................................................117
7.2 How to Configure a Cellular Interface . ... ................................................. ... ... ......................118
7.3 How to Configure Load Balancing ..................................................................................... 120
7.3.1 Set Up Available Bandwidth on Ethernet Interfaces ................................................ 121
7.3.2 Configure the WAN Trunk ........................................................................................ 122
7.4 How to Set Up a Wireless LAN .......................................................................................... 123
7.4.1 Set Up User Accounts .............................................................................................. 123
7.4.2 Create the WLAN Interface ....... ... .... ... ... ................................................. ... ... ... ........124
7.4.3 Set Up the Wireless Clients to Use the WLAN Interface .......................................... 127
7.5 How to Set Up an IPSec VPN Tunnel ................................................................................ 139
7.5.1 Set Up the VPN Gateway ......................................................................................... 140
7.5.2 Set Up the VPN Connection ..................................................................................... 140
7.5.3 Configure Security Policies for the VPN Tunnel ...................................... ................. 142
7.6 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator ................. 142
7.7 How to Configure User-aware Access Control .................................................................. 144
7.7.1 Set Up User Accounts .............................................................................................. 145
7.7.2 Set Up User Groups ................................................................................................. 146
7.7.3 Set Up User Authentication Using the RADIUS Server ............................. ... ... ... .....146
7.7.4 Web Surfing Policies With Bandwidth Restrictions .................................................. 148
7.7.5 Set Up MSN Policies ................................................................................................ 151
7.7.6 Set Up Firewall Rules ............................................................................................... 152
7.8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups ............. 153
7.9 How to Use Endpoint Security and Authentication Policies ............................................... 155
7.9.1 Configure the Endpoint Security Objects .................................................................155
7.9.2 Configure the Authentication Policy ......................................................................... 157
7.10 How to Configure Service Control ................................................................................... 158
7.10.1 Allow HTTPS Administrator Access Only From the LAN ....................................... 159
7.11 How to Allow Incoming H.323 Peer-to-peer Calls ............................................................ 161
7.11.1 Turn On the ALG .................................................................................................... 162
7.11.2 Set Up a NAT Policy For H.323 .............................................................................. 162
7.11.3 Set Up a Firewall Rule For H.323 ........................................................................... 164
7.12 How to Allow Public Access to a Web Server ............................. ... ....... ...... ....... ...... ....... . 165
7.12.1 Create the Address Objects ...................................................................................166
7.12.2 Configure NAT ........................................................................................................ 166
7.12.3 Set Up a Firewall Rule ........................................................................................... 167
7.13 How to Use an IPPBX on the DMZ ............................................................................. .... . 168
7.13.1 Turn On the ALG .................................................................................................... 170
7.13.2 Create the Address Objects ...................................................................................170
7.13.3 Setup a NAT Policy for the IPPBX ......................................................................... 171
7.13.4 Set Up a WAN to DMZ Firewall Rule for SIP .........................................................172
7.13.5 Set Up a DMZ to LAN Firewall Rule for SIP ........................................................... 173
7.14 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ............... 174
14
ZyWALL USG 300 User’s Guide
Table of Contents
7.14.1 Create the Public IP Address Range Object ............ .............................................. 174
7.14.2 Configure the Policy Route .................................................................................... 175
7.15 How to Use Active-Passive Device HA ........................................................................... 175
7.15.1 Before You Start ..................................................................................................... 176
7.15.2 Configure Device HA on the Master ZyWALL ........................................................177
7.15.3 Configure the Backup ZyWALL .............................................................................. 179
7.15.4 Deploy the Backup ZyWALL .................................................................................. 181
7.15.5 Check Your Device HA Setup ................................................................................ 181
Chapter 8
L2TP VPN Example...............................................................................................................183
8.1 L2TP VPN Example ...........................................................................................................183
8.2 Configuring the Default L2TP VPN Gateway Example ...................................................... 183
8.3 Configuring the Default L2TP VPN Connection Example .................................................. 185
8.4 Configuring the L2TP VPN Settings Example ...................................................................186
8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000 ..................................................... 187
8.5.1 Configuring L2TP in Windows Vista ......................................................................... 187
8.5.2 Configuring L2TP in Windows XP ............................................................................197
8.5.3 Configuring L2TP in Windows 2000 ......................................................................... 203
Part II: Technical Reference................................................................ 219
Chapter 9
Dashboard............................................................................................................................221
9.1 Overview ............. ............................................. ... .... ... ... ... .... .............................................. 221
9.1.1 What Yo u Can Do in this Chapter ............................................................................ 221
9.2 The Dashboard Screen ..................................................................................................... 221
9.2.1 The CPU Usage Screen ........................................................................................... 228
9.2.2 The Memory Usage Screen ................... ... .... ... ... ... .... .............................................. 229
9.2.3 The Session Usage Screen .......................................................... ........................... 230
9.2.4 The VPN Status Screen ...... ... ... ............................................................................... 231
9.2.5 The DHCP Table Screen ..........................................................................................231
9.2.6 The Number of Login Users Screen .............................. ... ... ..................................... 232
Chapter 10
Monitor..................................................................................................................................235
10.1 Overview .......................................................................................................................... 235
10.1.1 What You Can Do in this Chapter .......................................................................... 235
10.2 The Port Statistics Screen .............................................................................................. 236
10.2.1 The Port Statistics Graph Screen .......................................................................... 238
10.3 Interface Status Screen ...................................................................................................239
ZyWALL USG 300 User’s Guide
15
Table of Contents
10.4 The Traffic Statistics Screen ............................................................................................ 243
10.5 The Session Monitor Screen .......................................................................................... 246
10.6 The DDNS Status Screen ................................................................................................248
10.7 IP/MAC Binding Monitor .................................................................................................. 249
10.8 The Login Users Screen ...................................... ... ................................................ ... .... . 250
10.9 WLAN Interface Station Monitor Screen .......................................................................... 251
10.10 Cellular Status Screen ...................................................................................................252
10.11 Application Patrol Statistics .......................... ... .... ... ... ... .... ... ... ... .....................................254
10.11.1 Application Patrol Statistics: General Setup .................... ... .... ... ... ... .... ... ... ... ... .... . 254
10.11.2 Application Patrol Statistics: Bandwidth Statistics ..... ... ........................................ 255
10.11.3 Application Patrol Statistics: Protocol Statistics ...................................................256
10.11.4 Application Patrol Statistics: Individual Protocol Statistics by Rule ...................... 257
10.12 The IPSec Monitor Screen ........................................................................................... 258
10.12.1 Regular Expressions in Searching IPSec SAs ..................................................... 260
10.13 The SSL Connection Monitor Screen ............................................................................ 261
10.14 L2TP over IPSec Session Monitor Screen .................................................................... 262
10.15 The Anti-Virus Statistics Screen .................................................................................... 263
10.16 The IDP Statistics Screen .............................................................................................. 265
10.17 The Content Filter Statistics Screen ..............................................................................267
10.18 Content Filter Cache Screen ......................................................................................... 268
10.19 The Anti-Spam Statistics Screen ................................................................................... 271
10.20 The Anti-Spam Status Screen ....................................................................................... 273
10.21 Log Screen ....................................................................................................................274
Chapter 11
Registration...........................................................................................................................277
11.1 Overview .......................................................................................................................... 277
11.1.1 What You Can Do in this Chapter ......................... .... ... ... ... ... .... ... ... ........................ 277
11.1.2 What you Need to Know ......................................................................................... 277
11.2 The Registration Screen .................................................................................................. 279
11.3 The Service Screen ......................................................................................................... 281
Chapter 12
Signature Update..................................................................................................................283
12.1 Overview .......................................................................................................................... 283
12.1.1 What You Can Do in this Chapter .......................................................................... 283
12.1.2 What you Need to Know ........................................................................................ 283
12.2 The Antivirus Update Screen ........................................................................................... 284
12.3 The IDP/AppPatrol Update Screen .................................................................................. 285
12.4 The System Protect Update Screen ............................................................................... 287
Chapter 13
Interfaces...............................................................................................................................289
16
ZyWALL USG 300 User’s Guide
Table of Contents
13.1 Interface Overview ........................................................................................................... 289
13.1.1 What You Can Do in this Chapter .......................................................................... 289
13.1.2 What You Need to Know ........................................................................................ 290
13.2 Port Grouping ................................................................................................................. 293
13.2.1 Port Grouping Overview .................... .......................................... ........................... 293
13.2.2 Port Grouping Screen ............................................................................................ 293
13.3 Ethernet Summary Screen .............................................................................................. 294
13.3.1 Ethernet Edit .........................................................................................................296
13.3.2 Object References ................................................................................................. 303
13.4 PPP Interfaces ................................................................................................................ 304
13.4.1 PPP Interface Summary ......................................................................................... 305
13.4.2 PPP Interface Add or Edit ..................................................................................... 307
13.5 Cellular Configuration Screen (3G) ..................................................................................311
13.5.1 Cellular Add/Edit Screen ......................... ............................................................... 313
13.6 WLAN Interface General Screen ..................................................................................... 320
13.6.1 WLAN Add/Edit Screen .. ... ... ... ... .... ... ... .................................................................. 323
13.6.2 WLAN Add/Edit: WEP Security ...................... ........................................................ 329
13.6.3 WLAN Add/Edit: WPA-PSK/WPA2-PSK Security ...................................................330
13.6.4 WLAN Add/Edit: WPA/WPA2 Security ...................................................................331
13.7 WLAN Interface MAC Filter ............................................................................................ 333
13.8 VLAN Interfaces ............................................................................................................. 335
13.8.1 VLAN Summary Screen ............. .... ... ..................................................................... 337
13.8.2 VLAN Add/Edit ...................................................................................................... 338
13.9 Bridge Interfaces ............................................................................................................ 345
13.9.1 Bridge Summary ....................................................................................................347
13.9.2 Bridge Add/Edit ..................................................................................................... 348
13.10 Auxiliary Interface ......................................................................................................... 354
13.10.1 Auxiliary Interface Overview ................................................................................. 354
13.10.2 Auxiliary ................................................................................................................ 354
13.11 Virtual Interfaces ............ ... .... ............................................. ... ... ... .... ... ... ........................ 356
13.11.1 Virtual Interfaces Add/Edit ..................... .... ... ... ... .... ... ... ... ... .... ... ........................... 357
13.12 Interface Technical Reference ....................................................................................... 358
Chapter 14
Trunks...................................................................................................................................363
14.1 Overview .......................................................................................................................... 363
14.1.1 What You Can Do in this Chapter .......................................................................... 363
14.1.2 What You Need to Know ........................................................................................ 364
14.2 The Trunk Summary Screen ................................................. ... ... ... .... ... ... ... .... ... ... ... ... .....368
14.3 Configuring a Trunk ........................................................................................................ 369
14.4 Trunk Technical Reference .............................................................................................. 371
Chapter 15
Policy and Static Routes......................................................................................................373
ZyWALL USG 300 User’s Guide
17
Table of Contents
15.1 Policy and Static Routes Overview .................................................................................. 373
15.1.1 What You Can Do in this Chapter .......................................................................... 373
15.1.2 What You Need to Know ....................................................................................... 374
15.2 Policy Route Screen ........................................................................................................ 376
15.2.1 Policy Route Edit Screen ....................................................................................... 379
15.3 IP Static Route Screen ....................................................................................................383
15.3.1 Static Route Add/Edit Screen ................................................................................. 384
15.4 Policy Routing Technical Reference ................................................................................ 385
Chapter 16
Routing Protocols .................................................................................................................389
16.1 Routing Protocols Overview ............................................................................................ 389
16.1.1 What You Can Do in this Chapter .......................................................................... 389
16.1.2 What You Need to Know ........................................................................................ 389
16.2 The RIP Screen ... ... .... ... ... ... .... ... ................................................ ... .... ... ........................... 390
16.3 The OSPF Screen ............... .... ... ... ................................................ .... ... ... ........................391
16.3.1 Configuring the OSPF Screen .................................. ......... .......... .......... ......... ........ 395
16.3.2 OSPF Area Add/Edit Screen .................................................................................398
16.3.3 Virtual Link Add/Edit Screen ................................................................................. 399
16.4 Routing Protocol Technical Reference ............................................................................ 400
Chapter 17
Zones .....................................................................................................................................403
17.1 Zones Overview ...............................................................................................................403
17.1.1 What You Can Do in this Chapter .......................................................................... 403
17.1.2 What You Need to Know ........................................................................................ 404
17.2 The Zone Screen ..................................... ... ................................................ .... ... ..............405
17.3 Zone Edit ........................................................................................................................ 406
Chapter 18
DDNS......................................................................................................................................407
18.1 DDNS Overview .............................................................................................................. 407
18.1.1 What You Can Do in this Chapter .......................................................................... 407
18.1.2 What You Need to Know ........................................................................................ 407
18.2 The DDNS Screen ...........................................................................................................408
18.2.1 The Dynamic DNS Add/Edit Screen ...................................................................... 410
Chapter 19
NAT.........................................................................................................................................413
19.1 NAT Overview .................................................................................................................. 413
19.1.1 What You Can Do in this Chapter .......................................................................... 413
19.1.2 What You Need to Know ........................................................................................ 414
19.2 The NAT Screen .................................. .... ... ... ... .... ................................................ ... ... ..... 414
18
ZyWALL USG 300 User’s Guide
Table of Contents
19.2.1 The NAT Add/Edit Screen . ... ... ... .... ........................................................................ 416
19.3 NAT Technical Reference ................................................................................................419
Chapter 20
HTTP Redirect......................................................................................................................423
20.1 Overview .......................................................................................................................... 423
20.1.1 What You Can Do in this Chapter .......................................................................... 423
20.1.2 What You Need to Know ........................................................................................ 424
20.2 The HTTP Redirect Screen ............................................................................................. 425
20.2.1 The HTTP Redirect Edit Screen ............................................................................. 426
Chapter 21
ALG ........................................................................................................................................427
21.1 ALG Overview ................................................................................................................. 427
21.1.1 What You Can Do in this Chapter .......................................................................... 427
21.1.2 What You Need to Know ........................................................................................ 428
21.1.3 Before You Begin ...................................................................................................431
21.2 The ALG Screen .............................................................................................................. 431
21.3 ALG Technical Reference ................................................................................................ 433
Chapter 22
IP/MAC Binding....................................................................................................................435
22.1 IP/MAC Binding Overview ............................................................................................... 435
22.1.1 What You Can Do in this Chapter .......................................................................... 435
22.1.2 What You Need to Know ........................................................................................ 436
22.2 IP/MAC Binding Summary ............................................................................................... 436
22.2.1 IP/MAC Binding Edit ............................................................................................... 437
22.2.2 Static DHCP Edit .................................................................................................... 438
22.3 IP/MAC Binding Exempt List ........................................................................................... 439
Chapter 23
Authentication Policy...........................................................................................................441
23.1 Overview .......................................................................................................................... 441
23.1.1 What You Can Do in this Chapter .......................................................................... 441
23.1.2 What You Need to Know ........................................................................................ 442
23.2 Authentication Policy Screen ........................................................................................... 442
23.2.1 Creating/Editing an Authentication Policy .............................................................. 445
Chapter 24
Firewall...................................................................................................................................449
24.1 Overview .......................................................................................................................... 449
24.1.1 What You Can Do in this Chapter .......................................................................... 449
24.1.2 What You Need to Know ........................................................................................ 450
ZyWALL USG 300 User’s Guide
19
Table of Contents
24.1.3 Firewall Rule Example Applications ....................................................................... 452
24.1.4 Firewall Rule Configuration Example ..................................................................... 455
24.2 The Firewall Screen ................. ... ... ... ... ................................................. ... ... .... ................. 457
24.2.1 Configuring the Firewall Screen ............................... .............................................. 458
24.2.2 The Firewall Add/Edit Screen ................................................................................. 461
24.3 The Session Limit Screen ................................................................................................462
24.3.1 The Session Limit Add/Edit Screen ........................................................................ 464
Chapter 25
IPSec VPN..............................................................................................................................467
25.1 IPSec VPN Overview .......................................................................................................467
25.1.1 What You Can Do in this Chapter .......................................................................... 467
25.1.2 What You Need to Know ........................................................................................ 468
25.1.3 Before You Begin ...................................................................................................470
25.2 The VPN Connection Screen .......................................................................................... 470
25.2.1 The VPN Connection Add/Edit (IKE) Screen ......................................................... 472
25.2.2 The VPN Connection Add/Edit Manual Key Screen .............................................. 479
25.3 The VPN Gateway Screen .............................................................................................. 482
25.3.1 The VPN Gateway Add/Edit Screen ...................................................................... 483
25.4 VPN Concentrator ..........................................................................................................491
25.4.1 IPSec VPN Concentrator Example ........................................................................ 491
25.4.2 VPN Concentrator Screen ...................................................................................... 494
25.4.3 The VPN Concentrator Add/Edit Screen .............................. .... ... ... ... .... ... ... ... ........494
25.5 IPSec VPN Background Information ............................................................................... 495
Chapter 26
SSL VPN.................................................................................................................................507
26.1 Overview .......................................................................................................................... 507
26.1.1 What You Can Do in this Chapter .......................................................................... 507
26.1.2 What You Need to Know ........................................................................................ 507
26.2 The SSL Access Privilege Screen ................................................................................... 510
26.2.1 The SSL Access Policy Add/Edit Screen .............................................................. 512
26.3 The SSL Global Setting Screen .................. ... ... .... ................................................ ... ... .... . 514
26.3.1 How to Upload a Custom Logo .............................................................................. 516
26.4 Establishing an SSL VPN Connection ............................................................................. 517
Chapter 27
SSL User Screens.................................................................................................................519
27.1 Overview .......................................................................................................................... 519
27.1.1 What You Need to Know ........................................................................................ 519
27.2 Remote User Login ..........................................................................................................520
27.3 The SSL VPN User Screens ................................................ ... ... ... .... ... ... ... .... ... ... ... ........525
27.4 Bookmarking the ZyWALL ............................................................................................... 526
20
ZyWALL USG 300 User’s Guide
Table of Contents
27.5 Logging Out of the SSL VPN User Screens ....................................................................526
Chapter 28
SSL User Application Screens ............................................................................................529
28.1 SSL User Application Screens Overview ........................................................................ 529
28.2 The Application Screen ...................................................................................................529
Chapter 29
SSL User File Sharing ..........................................................................................................531
29.1 Overview .......................................................................................................................... 531
29.1.1 What You Need to Know ........................................................................................ 531
29.2 The Main File Sharing Screen ......................................................................................... 532
29.3 Opening a File or Folder ................................... ....................................................... ........532
29.3.1 Downloading a File ...................................... ......... ....... ......... .......... .......... ......... ..... 534
29.3.2 Saving a File ..........................................................................................................535
29.4 Creating a New Folder ......................... ....................... ....................... ...................... ........535
29.5 Renaming a File or Folder ............................................................................................... 536
29.6 Deleting a File or Folder ..................................................................................................536
29.7 Uploading a File ............................. ....................... ...................... ....................... .............. 537
Chapter 30
ZyWALL SecuExtender.........................................................................................................539
30.1 The ZyWALL SecuExtender Icon .................................................................................... 539
30.2 Statistics .......................................................................................................................... 540
30.3 View Log ..........................................................................................................................541
30.4 Suspend and Resume the Connection ....................... ..................................................... 541
30.5 Stop the Connection ........................................................................................................ 542
30.6 Uninstalling the ZyWALL SecuExtender .......................................................................... 542
Chapter 31
L2TP VPN...............................................................................................................................543
31.1 Overview .......................................................................................................................... 543
31.1.1 What You Can Do in this Chapter .......................................................................... 543
31.1.2 What You Need to Know ........................................................................................ 543
31.2 L2TP VPN Screen ............... .... ... ... ................................................ .... ... ... ........................545
Chapter 32
Application Patrol.................................................................................................................547
32.1 Overview .......................................................................................................................... 547
32.1.1 What You Can Do in this Chapter .......................................................................... 547
32.1.2 What You Need to Know ....................................................................................... 548
32.1.3 Application Patrol Bandwidth Management Examples ........................................... 553
32.2 Application Patrol General Screen ..................................................................................557
ZyWALL USG 300 User’s Guide
21
Table of Contents
32.3 Application Patrol Applications ........................................................................................ 558
32.3.1 The Application Patrol Edit Screen ........................................................................ 559
32.3.2 The Application Patrol Policy Edit Screen ............................................................. 563
32.4 The Other Applications Screen ........................................................................................ 566
32.4.1 The Other Applications Add/Edit Screen ................................................................ 569
Chapter 33
Anti-Virus...............................................................................................................................573
33.1 Overview .......................................................................................................................... 573
33.1.1 What You Can Do in this Chapter .......................................................................... 573
33.1.2 What You Need to Know ........................................................................................ 574
33.1.3 Before You Begin ...................................................................................................576
33.2 Anti-Virus Summary Screen ............. ................................................. ... ... ... .... ... ... ... ... .... . 576
33.2.1 Anti-Virus Policy Add or Edit Screen ......................................................................579
33.3 Anti-Virus Black List .........................................................................................................581
33.4 Anti-Virus Black List or White List Add/Edit ..................................................................... 582
33.5 Anti-Virus White List ...... ... ... .... ... ... ... ... .... ... ... ... ................................................. ... ... ... ..... 583
33.6 Signature Searching ........................................................................................................ 584
33.7 Anti-Virus Technical Reference ........................................................................................ 587
Chapter 34
IDP.........................................................................................................................................589
34.1 Overview .......................................................................................................................... 589
34.1.1 What You Can Do in this Chapter .......................................................................... 589
34.1.2 What You Need To Know ....................................................................................... 589
34.1.3 Before You Begin ...................................................................................................590
34.2 The IDP General Screen ................................................................................................. 591
34.3 Introducing IDP Profiles ................................................................................................. 593
34.3.1 Base Profiles ..........................................................................................................594
34.4 The Profile Summary Screen .......................................................................................... 595
34.5 Creating New Profiles ...................................................................................................... 596
34.5.1 Procedure To Create a New Profile ........................................................................ 596
34.6 Profiles: Packet Inspection ............................................................................................. 597
34.6.1 Profile > Group View Screen .................................................................................. 597
34.6.2 Policy Types ........................................................................................................... 600
34.6.3 IDP Service Groups ...............................................................................................601
34.6.4 Profile > Query View Screen .................................................................................. 602
34.6.5 Query Example ...................................................................................................... 605
34.7 Introducing IDP Custom Signatures ............................................................................... 607
34.7.1 IP Packet Header ...................................................................................................607
34.8 Configuring Custom Signatures ..................... ....................... ...................... ..................... 608
34.8.1 Creating or Editing a Custom Signature ................................................................ 610
34.8.2 Custom Signature Example ........................................... ... ..................................... 616
22
ZyWALL USG 300 User’s Guide
Table of Contents
34.8.3 Applying Custom Signatures ..................................................................................618
34.8.4 Verifying Custom Signatures .................................................................................. 619
34.9 IDP Technical Reference .................................................................................................620
Chapter 35
ADP .......................................................................................................................................623
35.1 Overview .......................................................................................................................... 623
35.1.1 ADP and IDP Comparison ..................................................................................... 623
35.1.2 What You Can Do in this Chapter ......................................................................... 623
35.1.3 What You Need To Know ....................................................................................... 623
35.1.4 Before You Begin ...................................................................................................624
35.2 The ADP General Screen ........................ ................................................... ..................... 6 25
35.3 The Profile Summary Screen .......................................................................................... 626
35.3.1 Base Profiles ..........................................................................................................627
35.3.2 Configuring The ADP Profile Summary Screen .....................................................627
35.3.3 Creating New ADP Profiles ............................ ........................................................ 628
35.3.4 Traffic Anomaly Profiles ........................................................................................ 628
35.3.5 Protocol Anomaly Profiles ................................... .... ... ... ... ..................................... 631
35.3.6 Protocol Anomaly Configuration ............................................................................. 631
35.4 ADP Technical Reference ................................................................................................ 635
Chapter 36
Content Filtering..................................................................................................................643
36.1 Overview .......................................................................................................................... 643
36.1.1 What You Can Do in this Chapter .......................................................................... 643
36.1.2 What You Need to Know ........................................................................................ 643
36.1.3 Before You Begin ...................................................................................................645
36.2 Content Filter General Screen .................... ....................................................... ..............645
36.3 Content Filter Policy Add or Edit Screen ......................................................................... 648
36.4 Content Filter Profile Screen ..........................................................................................650
36.5 Content Filter Categories Screen ................................................................................... 650
36.5.1 Content Filter Blocked and Warning Messages ..................................................... 662
36.6 Content Filter Customization Screen .............................................................................. 663
36.7 Content Filter Technical Reference ................................................................................. 665
Chapter 37
Content Filter Reports..........................................................................................................667
37.1 Overview .......................................................................................................................... 667
37.2 Viewing Content Filter Reports ............................................. ........................................... 667
Chapter 38
Anti-Spam..............................................................................................................................675
38.1 Overview .......................................................................................................................... 675
ZyWALL USG 300 User’s Guide
23
Table of Contents
38.1.1 What You Can Do in this Chapter .......................................................................... 675
38.1.2 What You Need to Know ........................................................................................ 675
38.2 Before You Begin ............................................................................................................. 677
38.3 The Anti-Spam General Screen ....................................................................................... 677
38.3.1 The Anti-Spam Policy Add or Edit Screen ................................................ .............. 679
38.4 The Anti-Spam Black List Screen .................................................................................... 681
38.4.1 The Anti-Spam Black or White List Add/Edit Screen ...................................... ... .... . 683
38.4.2 Regular Expressions in Black or White List Entries ............................................... 684
38.5 The Anti-Spam White List Screen ....................................................................................685
38.6 The DNSBL Screen ......................................................................................................... 686
38.7 Anti-Spam Technical Reference ...................................................................................... 688
Chapter 39
Device HA..............................................................................................................................693
39.1 Overview .......................................................................................................................... 693
39.1.1 What You Can Do in this Chapter .......................................................................... 693
39.1.2 What You Need to Know ........................................................................................ 693
39.1.3 Before You Begin ...................................................................................................694
39.2 Device HA General ..........................................................................................................695
39.3 The Active-Passive Mode Screen ................................................................................... 696
39.3.1 Configuring Active-Passive Mode Device HA ........................................................698
39.4 Configuring an Active-Passive Mode Monitored Interface ............................................... 701
39.5 The Legacy Mode Screen ............................................................................................... 703
39.6 Configuring the Legacy Mode Screen ........ ... ... .... ... ............................................. ... ... .... . 704
39.7 Device HA Technical Reference ...................................................................................... 708
Chapter 40
User/Group............................................................................................................................715
40.1 Overview .......................................................................................................................... 715
40.1.1 What You Can Do in this Chapter .......................................................................... 715
40.1.2 What You Need To Know ....................................................................................... 715
40.2 User Summary Screen .................................................................................................... 718
40.2.1 User Add/Edit Screen ........................... .......... .......... ......... .......... .......... ......... ........ 718
40.3 User Group Summary Screen ......................................................................................... 721
40.3.1 Group Add/Edit Screen .......................................................................................... 722
40.4 Setting Screen ................................................................................................................ 723
40.4.1 Default User Authentication Timeout Settings Edit Screens ..................................726
40.4.2 User Aware Login Example ............... ... ... .... ... ........................................................ 728
40.5 User /Group Technical Reference ................................................................................... 729
Chapter 41
Addresses.............................................................................................................................731
41.1 Overview .......................................................................................................................... 731
24
ZyWALL USG 300 User’s Guide
Table of Contents
41.1.1 What You Can Do in this Chapter .......................................................................... 731
41.1.2 What You Need To Know ....................................................................................... 731
41.2 Address Summary Screen ....................... ........................................................................ 731
41.2.1 Address Add/Edit Screen ....................................................................................... 733
41.3 Address Group Summary Screen ............................... ....................... ......................... ..... 734
41.3.1 Address Group Add/Edit Screen ............................................................................ 735
Chapter 42
Services.................................................................................................................................737
42.1 Overview .......................................................................................................................... 737
42.1.1 What You Can Do in this Chapter .......................................................................... 737
42.1.2 What You Need to Know ........................................................................................ 737
42.2 The Service Summary Screen ....................... .......................... .......................... .............. 738
42.2.1 The Service Add/Edit Screen ............................ ..................................................... 740
42.3 The Service Group Summary Screen ........................ ... .... ... ... ... ... .... ... ... ... .... ................. 7 40
42.3.1 The Service Group Add/Edit Screen ...................................................................... 742
Chapter 43
Schedules..............................................................................................................................743
43.1 Overview .......................................................................................................................... 743
43.1.1 What You Can Do in this Chapter .......................................................................... 743
43.1.2 What You Need to Know ........................................................................................ 743
43.2 The Schedule Summary Screen ...................................................................................... 744
43.2.1 The One-Time Schedule Add/Edit Screen ............................................................. 745
43.2.2 The Recurring Schedule Add/Edit Screen ............................................... ... ... ... .... . 746
Chapter 44
AAA Server...........................................................................................................................749
44.1 Overview .......................................................................................................................... 749
44.1.1 Directory Service (AD/LDAP) ................................................................ ................. 749
44.1.2 RADIUS Server ...................................................................................................... 750
44.1.3 ASAS ...................................................................................................................... 750
44.1.4 What You Can Do in this Chapter .......................................................................... 750
44.1.5 What You Need To Know ....................................................................................... 751
44.2 Active Directory or LDAP Server Summary ..................................................................... 753
44.2.1 Adding an Active Directory or LDAP Server ............. ............ ............. ............. ........ 753
44.3 RADIUS Server Summary ............................................................................................... 755
44.3.1 Adding a RADIUS Server ...................................................................................... 757
Chapter 45
Authentication Method.........................................................................................................759
45.1 Overview .......................................................................................................................... 759
45.1.1 What You Can Do in this Chapter .......................................................................... 759
ZyWALL USG 300 User’s Guide
25
Table of Contents
45.1.2 Before You Begin ...................................................................................................759
45.1.3 Example: Selecting a VPN Authentication Method ................................................ 759
45.2 Authentication Method Objects ...................................... .................................... .............. 760
45.2.1 Creating an Authentication Method Object ........................................... ... ... ... ... .... . 761
Chapter 46
Certificates ............................................................................................................................765
46.1 Overview .......................................................................................................................... 765
46.1.1 What You Can Do in this Chapter .......................................................................... 765
46.1.2 What You Need to Know ........................................................................................ 765
46.1.3 Verifying a Certificate .............................................................................................767
46.2 The My Certificates Screen ............................................................................................. 769
46.2.1 The My Certificates Add Screen ............................................................................ 770
46.2.2 The My Certificates Edit Screen ........... ............................................. .... ... ... ... ... .... . 775
46.2.3 The My Certificates Import Screen ........................................................................ 778
46.3 The Trusted Certificates Screen ..................................................................................... 779
46.3.1 The Trusted Certificates Edit Screen .................................................................... 780
46.3.2 The Trusted Certificates Import Screen ................................................................784
46.4 Certificates Technical Reference ..................................................................................... 785
Chapter 47
ISP Accounts.........................................................................................................................787
47.1 Overview .......................................................................................................................... 787
47.1.1 What You Can Do in this Chapter .......................................................................... 787
47.2 ISP Account Summary .................................................................................................... 787
47.2.1 ISP Account Edit ................................................................................................... 788
Chapter 48
SSL Application ....................................................................................................................791
48.1 Overview .......................................................................................................................... 791
48.1.1 What You Can Do in this Chapter .......................................................................... 791
48.1.2 What You Need to Know ........................................................................................ 791
48.1.3 Example: Specifying a Web Site for Access .......................................................... 792
48.2 The SSL Application Screen .......................... ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... . 793
48.2.1 Creating/Editing a Web-based SSL Application Object ......................................... 794
48.2.2 Creating/Editing a File Sharing SSL Application Object ........................... ............. . 796
Chapter 49
Endpoint Security.................................................................................................................799
26
49.1 Overview .......................................................................................................................... 799
49.1.1 What You Can Do in this Chapter .......................................................................... 800
49.1.2 What You Need to Know ........................................................................................ 800
49.2 Endpoint Security Screen ........ ................................................ ... ... .... ... ... ... .... ... ... ... ... .... . 801
ZyWALL USG 300 User’s Guide
Table of Contents
49.3 Endpoint Security Add/Edit .............................................................................................. 803
Chapter 50
System.................................................................................................................................809
50.1 Overview .......................................................................................................................... 809
50.1.1 What You Can Do in this Chapter .......................................................................... 809
50.2 Host Name ....................................................................................................................... 810
50.3 Date and Time .................................................................................................................811
50.3.1 Pre-defined NTP Time Servers List ............................................. ... ... .... ... ... ... ... .... . 813
50.3.2 Time Server Synchronization ................................................................................. 814
50.4 Console Port Speed ......................................................................................................... 815
50.5 DNS Overview ................................................................................................................. 815
50.5.1 DNS Server Address Assignment .......................................................................... 816
50.5.2 Configuring the DNS Screen ................................ .......................................... ........ 816
50.5.3 Address Record .................................................................................................... 819
50.5.4 PTR Record ........................................................................................................... 819
50.5.5 Adding an Address/PTR Record ............................................................................ 819
50.5.6 Domain Zone Forwarder ............... ............................................. ... ... .... ................. 820
50.5.7 Adding a Domain Zone Forwarder ................................. ........................................ 8 20
50.5.8 MX Record ............................................................................................................821
50.5.9 Adding a MX Record ..............................................................................................822
50.5.10 Adding a DNS Service Control Rule ................................................................... . 822
50.6 WWW Overview ..............................................................................................................823
50.6.1 Service Access Limitations .................................................................................... 824
50.6.2 System Timeout ..................................................................................................... 824
50.6.3 HTTPS ...................................................................................................................824
50.6.4 Configuring WWW Service Control ........................................................................ 825
50.6.5 Service Control Rules ............................................................................................ 829
50.6.6 Customizing the WWW Login Page ....................................................................... 829
50.6.7 HTTPS Example ....................................................................................................833
50.7 SSH .............................................................................................................................. 840
50.7.1 How SSH Works ......................................................... ... ... ... .... ... ... ........................ 841
50.7.2 SSH Implementation on the ZyWALL ..................................................................... 842
50.7.3 Requirements for Using SSH ................................................................................. 842
50.7.4 Configuring SSH ....................................................................................................842
50.7.5 Secure Telnet Using SSH Examples ...................................................................... 844
50.8 Telnet .............................................................................................................................. 845
50.8.1 Configuring Telnet .................................................................................................. 846
50.9 FTP ................................................................................................................................. 847
50.9.1 Configuring FTP .....................................................................................................847
50.10 SNMP ........................................................................................................................... 849
50.10.1 Supported MIBs ................................................................................................... 851
50.10.2 SNMP Traps ......................................................................................................... 851
ZyWALL USG 300 User’s Guide
27
Table of Contents
50.10.3 Configuring SNMP ............................................................................................... 851
50.11 Dial-in Management ..... ... ... .... ... ... ... ... ................................................. ... ... .....................853
50.11.1 Configuring Dial-in Mgmt ........................... ... ... ... .... ... ........................................... 854
50.12 Vantage CNM ...............................................................................................................855
50.12.1 Configuring Vantage CNM ................................................................................... 856
50.13 Language Screen .........................................................................................................858
Chapter 51
Log and Report ...................................................................................................................859
51.1 Overview .......................................................................................................................... 859
51.1.1 What You Can Do In this Chapter .......................................................................... 859
51.2 Email Daily Report ..........................................................................................................859
51.3 Log Setting Screens ....................................................................................................... 861
51.3.1 Log Setting Summary ............................................................................................. 862
51.3.2 Edit System Log Settings ......................................................................................863
51.3.3 Edit Remote Server Log Settings .......................................................................... 868
51.3.4 Active Log Summary Screen ................................ ............. .......... ............. ............. . 870
Chapter 52
File Manager.........................................................................................................................873
52.1 Overview .......................................................................................................................... 873
52.1.1 What You Can Do in this Chapter .......................................................................... 873
52.1.2 What you Need to Know ........................................................................................ 873
52.2 The Configuration File Screen .............................. ...................................................... .....876
52.3 The Firmware Package Screen ...................................................................................... 880
52.4 The Shell Script Screen .......................... ....................................................... .................882
Chapter 53
Diagnostics...........................................................................................................................885
53.1 Overview .......................................................................................................................... 885
53.1.1 What You Can Do in this Chapter .......................................................................... 885
53.2 The Diagnostic Screen ....................................................................................................885
53.3 The Packet Capture Screen ............................................................................................886
53.3.1 The Packet Capture Files Screen .......................................................................... 888
53.3.2 Example of Viewing a Packet Capture File .............................. ... ... ... .... ... ... ... ... .....889
Chapter 54
Reboot....................................................................................................................................891
54.1 Overview .......................................................................................................................... 891
54.1.1 What You Need To Know ....................................................................................... 891
54.2 The Reboot Screen .........................................................................................................891
Chapter 55
Shutdown...............................................................................................................................893
28
ZyWALL USG 300 User’s Guide
Table of Contents
55.1 Overview .......................................................................................................................... 893
55.1.1 What You Need To Know ....................................................................................... 893
55.2 The Shutdown Screen ..................................................................................................... 893
Chapter 56
Troubleshooting....................................................................................................................895
56.1 Resetting the ZyWALL .....................................................................................................912
56.2 Getting More Troubleshooting Help ................................................................................. 913
Chapter 57
Product Specifications.........................................................................................................915
57.1 3G PCMCIA Card Installation .................................. ........................................................ 921
Appendix A Log Descriptions...............................................................................................923
Appendix B Common Services.............................................................................................983
Appendix C Displaying Anti-Virus Alert Messages in Windows............................................987
Appendix D Importing Certificates........................................................................................993
Appendix E Wireless LANs ................................................................................................1019
Appendix F Open Software Announcements.....................................................................1035
Appendix G Legal Information............................................................................................1091
Index.....................................................................................................................................1095
ZyWALL USG 300 User’s Guide
29
Table of Contents
30
ZyWALL USG 300 User’s Guide
PART I

User’s Guide

31
32
CHAPTER 1

Introducing the ZyWALL

This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL.

1.1 Overview and Key Default Settings

The ZyWALL is a comprehensive security device. Its flexible configuration helps network administrators set up the network and enforce security policies efficiently. In addition, the ZyWALL provides excellent throughput, making it an ideal solution for reliable, secure service.
The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, Instant Messaging (IM) and Peer to Peer (P2P) control, NAT, port forwarding, policy routing, DHCP server and many other powerful features. Flexible configuration helps you set up the network and enforce security policies efficiently. See Chapter
2 on page 39 for a more detailed overview of the ZyWALL’s features.
The front panel physical Gigabit Ethernet ports (labeled 1, 2, 3, and so on) are mapped to Gigabit Ethernet (ge) interfaces. By default 1 is mapped to ge1, 2 is mapped to ge2 and so on.

1.2 Rack-mounted Installation

The ZyWALL can be mounted on an EIA standard size, 19-inch rack or in a wiring closet with other equipment. Follow the steps below to mount your ZyWALL on a standard EIA rack using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit.
Note: Leave 10 cm of clearance at the sides and 20 cm in the rear.
ZyWALL USG 300 User’s Guide
33
Chapter 1 Introducing the ZyWALL
Use a #2 Phillips screwdriver to install the screws.
Note: Failure to use the proper screws may damage the unit.
1.2.1 Rack-Mounted Installation Procedure
1 Align one bracket with the holes on one side of the Z yW ALL and secure it with the
included bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
Figure 1 Attaching Mounting Brackets and Screws
3 After attaching both mounting brackets, position the ZyWALL in the rack by lining
up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws.
Figure 2 Rack Mounting
34
ZyWALL USG 300 User’s Guide

1.3 Front Panel

This section introduces the ZyWALL’s front panel.
Figure 3 ZyWALL Front Panel
1.3.1 Front Panel LEDs
The following table describes the LEDs.
Table 1 Front Panel LEDs
LED COLOR STATUS DESCRIPTION
PWR Off The ZyWALL is turned off.
Green On The ZyWALL is turned on. Red On There is a hardware component failure. Shut down
SYS Green Off The ZyWALL is not ready or has failed.
AUX Green Off The AUX port is not connected.
P1, P2 ... Green Off There is no traffic on this port.
Orange Off There is no connection on this port.
Card1,2 Green Off There is no card in the slot.
Chapter 1 Introducing the ZyWALL
the device, wait for a few minutes and then restart the device (see Section 1.5 on page 36). If the LED turns red again, then please contact your vendor.
On The ZyWALL is ready and running. Flashing The ZyWALL is restarting.
Flashing The AUX port is sending or receiving packets. On The AUX port is connected.
Flashing The ZyWALL is sending or receiving packets on this
port.
On This port has a successful link.
On There is a card in the slot. Flashing The card in the slot is sending or receiving traffic.

1.4 Management Overview

You can use the following ways to manage the ZyWALL.
ZyWALL USG 300 User’s Guide
35
Chapter 1 Introducing the ZyWALL
Web Configurator
The Web Configurator allows easy ZyWALL setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.
Figure 4 Managing the ZyWALL: Web Configurator
Command-Line Interface (CLI)
The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI.
Console Port
You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI.
The default settings for the console port are as follows.
Table 2 Console Port Default Settings
SETTING VALUE
Speed 115200 bps Data Bits 8 Parity None Stop Bit 1 Flow Control Off

1.5 Starting and Stopping the ZyWALL

Here are some of the ways to start and stop the ZyWAL L.
36
ZyWALL USG 300 User’s Guide
Always use Maintenance > Shutdown > Shut down or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt.
Table 3 Starting and Stopping the ZyWALL
METHOD DESCRIPTION
Turning on the power
Rebooting the ZyWALL
Using the RESET button
Clicking
Maintenance > Shutdown > Shutdown or
using the shutdown command
Disconnecting the power
A cold start occurs when you turn on the power to the ZyWA LL. The ZyWALL powers up, checks the hardware, and starts the system processes.
A warm start (without powering down and powering up again) occurs when you use the Reboot button in the Reboot screen or when you use the reboot command. The ZyWALL writes all cached data to the local storage, stops the system processes, and then does a warm start.
If you press the RESET button, the ZyWALL sets the configuration to its default values and then reboots.
Clicking Maintenance > Shutdown > Shutdown or using the shutdown command writes all cached data to the local storage and stops the system processes. Wait for the device to shut down and then manually turn off or remove the power. It does not turn off the power.
Power off occurs when you turn off the power to the ZyWALL. The ZyWALL simply turns off. It does not stop the system processes or write cached data to local storage.
Chapter 1 Introducing the ZyWALL
The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.
ZyWALL USG 300 User’s Guide
37
Chapter 1 Introducing the ZyWALL
38
ZyWALL USG 300 User’s Guide
CHAPTER 2

Features and Applications

This chapter introduces the main features and applications of the ZyWALL.

2.1 Features

The ZyWALL’s security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.
The rest of this section provides more information about the features of the ZyWALL.
High Availability
To ensure the ZyWALL provides reliable, secure Internet access, set up one or more of the following:
• Multiple WAN ports and configure load balancing between these ports.
• One or more 3G (cellular) connections.
• An auxiliary (backup) Internet connection.
• A backup ZyWALL in the event the master ZyWALL fails (device HA).
Virtual Private Networks (VPN)
Use IPSec, SSL, or L2TP VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke IPSec VPN.
Flexible Security Zones
Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ZyWALL. You can create y our own custom zones. You can add interfaces and VPN tunnels to zones.
ZyWALL USG 300 User’s Guide
39
Chapter 2 Features and Applications
Firewall
The ZyWALL’ s firew all is a stateful inspection firew all. The Z yWALL rest ricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is ini tiated by a computer in another zone first.
Intrusion Detection and Prevention (IDP)
IDP (Intrusion Detection and Protection) can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. See Section 34.6.2 on page 600 for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.
Anomaly Detection and Prevention (ADP)
ADP (Anomaly Detection and Prevention) can detect malicious or suspicious packets and respond instantaneously. It can detect:
• Anomalies based on violations of protocol standards (RFCs – Requests for Comments)
• Abnormal flows such as port scans.
The ZyWALL’s ADP protects against network-based intrusions. See Section 35.3.4
on page 628 and Section 35.3.5 on page 631 for more on the kinds of attacks that
the ZyWALL can protect against. You can also create your own custom ADP rules.
Bandwidth Management
Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle applications such as Internet access, e-mail, Voice-over-IP (VoIP), video conferencing and other business-critical applications.
Content Filter
Content filtering allows schools and businesses to create and enforce Internet access policies tailored to the needs of the organization.
You can also subscribe to category-based content filtering that allows your ZyWALL to check web sites against an external database of dynamically-updated ratings of millions of web sites. You then simply select categories to block or monitor, such as pornography or racial intolerance, from a pre-defined list.
40
ZyWALL USG 300 User’s Guide
Chapter 2 Features and Applications
Anti-Virus Scanner
With the anti-virus packet scanner, your ZyWALL scans files transmitting through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers.
Anti-Spam
The anti-spam feature can mark or discard spam. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
Application Patrol
Application patrol (App. Patrol) manages instant messenger (IM), peer-to-peer (P2P) applications like MSN and BitTorrent. You can even control the use of a particular application’s individual features (like text messaging, voice, video conferencing, and file transfers). Application patrol has powerful bandwidth management including traffic prioritization to enhance the performance of delay­sensitive applications like voice and video. You can also use an option that gives SIP priority over all other traffic. This maximizes SIP traffic throughput for improved VoIP call sound quality.

2.2 Applications

These are some example applications for your ZyWALL. See also Chapter 7 on
page 115 for configuration tutorial examples.
ZyWALL USG 300 User’s Guide
41
Chapter 2 Features and Applications
2.2.1 VPN Connectivity
Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.
Figure 5 Applications: VPN Connectivity
2.2.2 SSL VPN Network Access
You can configure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel.
2.2.2.1 Reverse Proxy Mode
In reverse proxy mode, the ZyWALL is a proxy that acts on behalf of the local network servers (such as your web and mail servers). As the final destination, the ZyWALL appears to be the serv er to remote users. This provides an added layer of protection for your internal servers.
With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL.
42
ZyWALL USG 300 User’s Guide
Chapter 2 Features and Applications
You do not have to install additional client software on the remote user computers for access.
Figure 6 Network Access Mode: Reverse Proxy
https;//
2.2.2.2 Full Tunnel Mode
In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network.
Figure 7 Network Access Mode: Full Tunnel Mode
192.168.1.100
https;//
LAN (192.168.1.X)
Web Mail File Share
Web-based Application
LAN (192.168.1.X)
ZyWALL USG 300 User’s Guide
Web Mail File Share
Web-based Application
Non-Web
Application Server
43
Chapter 2 Features and Applications
2.2.3 User-Aware Access Control
Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.
Figure 8 Applications: User-Aware Access Control
2.2.4 Multiple WAN Interfaces
Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them.
Figure 9 Applications: Multiple WAN Interfaces
44
ZyWALL USG 300 User’s Guide
2.2.5 Device HA
Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network.
Figure 10 Applications: Device HA
Chapter 2 Features and Applications
ZyWALL USG 300 User’s Guide
45
Chapter 2 Features and Applications
46
ZyWALL USG 300 User’s Guide
CHAPTER 3

Web Configurator

The ZyWALL Web Configurator allows easy ZyWALL setup and management using an Internet browser.

3.1 Web Configurator Requirements

In order to use the Web Configurator, you must
• Use Internet Explorer 7 or later, or Firefox 1.5 or later
• Allow pop-up windows (blocked by default in Windows XP Service Pack 2)
• Enable JavaScript (enabled by default)
• Enable Java permissions (enabled by default)
• Enable cookies
The recommended screen resolution is 1024 x 768 pixels.

3.2 Web Configurator Access

1 Make sure your ZyWALL hardware is properly connected. See the Quick Start
Guide.
ZyWALL USG 300 User’s Guide
47
Chapter 3 Web Configurator
2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL
automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.
Figure 11 Login Screen
3 Type the user name (default: “admin”) and password (default: “1234”).
If your account is configured to use an ASAS auth entication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in.
4 Click Login. If you logged in using the default user name and password, the
Update Admin Info screen (Figure 12 on page 48) appears. Otherwise, the
dashboard (Figure 13 on page 49) appears.
Figure 12 Update Admin Info Screen
48
ZyWALL USG 300 User’s Guide
Chapter 3 Web Configurator
5 The screen above appears every time you log in using the default user name and
default password. If you change the password for the default user account, this screen does not appear anymore.
Follow the directions in this screen. If you change the default password, the Login screen (Figure 11 on page 48) appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration (see Chapter 4 on page 63); otherwise the dashboard appears as shown next.
Figure 13 Dashboard
A
B
C

3.3 Web Configurator Screens Overview

The Web Configurator screen is di vided into these parts (as illustr ated in Figure 13
on page 49):
A - title bar
B - navigation panel
C - main window
ZyWALL USG 300 User’s Guide
49
Chapter 3 Web Configurator
3.3.1 Title Bar
The title bar provides some icons in the upper right corner.
Figure 14 Title Bar
The icons provide the following functions.
Table 4 Title Bar: Web Configurator Icons
LABEL DESCRIPTION
Logout Click this to log out of the Web Configurator. Help Click this to open the help page for the current screen. About Click this to display basic information about the ZyWALL. Site Map Click this to see an overview of links to the Web Configurator screens. Object
Reference Console Click this to open the console in which you can use the command line
CLI Click this to open a popup window that displays the CLI commands sent
Click this to open a screen where you can check which configuration items reference an object.
interface (CLI). See the CLI Reference Guide for details on the commands.
by the Web Configurator.
3.3.2 Navigation Panel
Use the menu items on the navigation panel to open screens to configure Z yW ALL features. Click the arrow in the middle of the right edge of the navigation panel to
50
ZyWALL USG 300 User’s Guide
Chapter 3 Web Configurator
hide the navigation panel menus or drag it to resize them. The following sections introduce the ZyWALL’s navigation panel menus and their screens.
Figure 15 Navigation Panel
3.3.2.1 Dashboard
The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 9 on page 221 for details on the dashboard.
3.3.2.2 Monitor Menu
The monitor menu screens display status and statistics information.
Table 5 Monitor Menu Screens Summary
FOLDER OR LINK TAB FUNCTION
System Status
Port Statistics Displays packet statistics for each physical port. Interface Status Displays general interface information and packet
Traffic Statistics Collect and display traffic statistics. Session Monitor Displays the status of all current sessions. DDNS Status Displays the status of the ZyWALL’s DDNS domain names. IP/MAC Binding Lists the devices that have received an IP address from
Login Users Lists the users currently logged into the ZyWALL. WLAN Status Displays the connection status of the ZyWALL’s wireless
statistics.
ZyWALL interfaces using IP/MAC binding.
clients.
ZyWALL USG 300 User’s Guide
51
Chapter 3 Web Configurator
Table 5 Monitor Menu Screens Summary (continued)
FOLDER OR LINK TAB FUNCTION
Cellular Status Displays details about the ZyW ALL’ s 3G connection status. AppPatrol Statistics Displays bandwidth and protocol statistics. VPN Monitor
IPSec Displays and manages the active IPSec SAs.
SSL Lists users currently logged into the VPN SSL client portal.
L2TP over IPSec Displays and manages the ZyWALL’s connected L2TP VPN
Anti-X Statistics
Anti-Virus Collect and display statistics on the viruses that the
IDP Collect and display statistics on the intrusions that the
Content Filter Report Collect and display content filter statistics
Anti-Spam Report Collect and display spam statistics.
Log Lists log entries.
You can also log out individual users and delete related session information.
sessions.
ZyWALL has detected.
ZyWALL has detected.
Cache Manage the ZyWALL’s URL cache.
Status Displays how many mail sessions the ZyWALL is currently
checking and DNSBL (Domain Name Service-based spam Black List) statistics.
3.3.2.3 Configuration Menu
Use the configuration menu screens to configure the ZyWALL’s features.
Table 6 Configuration Menu Screens Summary
FOLDER OR LINK
Quick Setup Quickly configure WAN interfaces or VPN
Licensing
Registration Registration Register the device and activate trial services.
Signature
Update
Network
TAB FUNCTION
Service View the licensed service status and upgrade
Anti-Virus Update anti-virus signatures immediately or by a
IDP/AppPatrol Update IDP signatures immediately or by a
System Protect Update system-protect signatures immediately or
connections.
licensed services.
schedule.
schedule.
by a schedule.
52
ZyWALL USG 300 User’s Guide
Chapter 3 Web Configurator
Table 6 Configuration Menu Screens Summary (continued)
FOLDER OR LINK
Interface Port Grouping Configure physical port groups.
Routing Policy Route Create and manage routing policies.
Zone Configure zones used to define various policies.
DDNS Profile Define and manage the ZyWALL’s DDNS domain
NAT Set up and manage port forwarding rules.
HTTP Redirect Set up and manage HTTP redirection rules.
ALG Configure SIP, H.323, and FTP pass-through
IP/MAC
Binding
Auth. Policy Define rules to force user authentication. Firewall Firewall Create and manage level-3 traffic rules.
VPN
IPSec VPN VPN Connection Configure IPSec tunnels.
TAB FUNCTION
Ethernet Manage Ethernet interfaces and virtual Ethernet
interfaces. PPP Create and manage PPPoE and PPTP interfaces. Cellular Configure a cellular Internet connection for an
installed 3G card. WLAN Configure settings for an installed wireless LAN
card. VLAN Create and manage VLAN interfaces and virtual
VLAN interfaces. Bridge Create and manage bridges and virtual bridge
interfaces. Auxiliary Manage the AUX port. Trunk Create and manage trunks (groups of interfaces)
for load balancing and link High Availability (HA).
Static Route Create and manage IP static routing information. RIP Configure device-level RIP settings. OSPF Configure device-level OSPF settings, including
areas and virtual links.
names.
settings. Summary Configure IP to MAC address bindings for devices
connected to each supported interface. Exempt List Configure ranges of IP addresses to which the
ZyWALL does not apply IP/MAC binding.
Session Limit Limit the number of concurrent client NAT/firewall
sessions.
VPN Gateway Configure IKE tunnels. Concentrator Configure VPN concentrators (hub-and-spoke
VPN).
ZyWALL USG 300 User’s Guide
53
Chapter 3 Web Configurator
Table 6 Configuration Menu Screens Summary (continued)
FOLDER OR LINK
SSL VPN Access Privilege Configure SSL VPN access rights for users and
L2TP VPN L2TP VPN Configure L2TP Over IPSec VPN settings.
AppPatrol General Enable or disable traffic management by
Anti-X
Anti-Virus General Turn anti-virus on or off, set up anti-virus policies
IDP General Display and manage IDP bindings.
ADP General Display and manage ADP bindings.
Content Filter General Create and manage content filter policies.
Anti-Spam General Turn anti-spam on or off and manage anti-spam
TAB FUNCTION
groups. Global Setting Configure the ZyWALL’s SSL VPN settings that
apply to all connections.
application and see registration and signature
information. Common Manage traffic of the most commonly used web,
file transfer and e-mail protocols. IM Manage instant messenger traffic. Peer to Peer Manage peer-to-peer traffic. VoIP Manage VoIP traffic. Streaming Manage streaming traffic. Other Manage other kinds of traffic.
and check the anti-virus engine type and the anti-
virus license and signature status. Black/White List Set up anti-virus black (blocked) and white
(allowed) lists of virus file patterns. Signature Search for signatures by signature name or
attributes and configure how the ZyWALL uses
them.
Profile Create and manage IDP profiles. Custom
Signatures
Profile Create and manage ADP profiles.
Filter Profile Create and manage the detailed filtering rules for
Black/White List Set up a black list to identify spam and a white list
DNSBL Have the ZyWALL check e-mail against DNS Black
Create, import, or export custom signatures.
content filtering policies.
policies.
to identify legitimate e-mail.
Lists.
54
ZyWALL USG 300 User’s Guide
Chapter 3 Web Configurator
Table 6 Configuration Menu Screens Summary (continued)
FOLDER OR LINK
Device HA General Configure device HA global settings, and see the
Object
User/Group User Create and manage users.
Address Address Create and manage host, range, and network
Service Service Create and manage TCP and UDP services.
Schedule Create one-time and recurring schedules. AAA Server Active Directory-
Auth. Method Create and manage ways of authenticating users. Certificate My Certificates Create and manage the ZyWALL’s certificates.
ISP Account Create and manage ISP account information for
SSL Application
Endpoint Security
System
Host Name Configure the system and domain name for the
Date/Time Configure the current date, time, and time zone in
TAB FUNCTION
status of each interface monitored by device HA. Active-Passive
Mode Legacy Mode Configure legacy mode device HA for use with
Group Create and manage groups of users. Setting Manage default settings for all users, general
Address Group Create and manage groups of addresses.
Service Group Create and manage groups of services.
Default Active Directory-
Group LDAP-Default Configure the default LDAP settings. LDAP-Group Create and manage groups of LDAP servers. RADIUS-Default Configure the default RADIUS settings. RADIUS-Group Create and manage groups of RADIUS servers.
Trusted Certificates
Configure active-passive mode device HA.
ZyWALLs that already have device HA setup using
a firmware version earlier than 2.10.
settings for user sessions, and rules to force user
authentication.
(subnet) addresses.
Configure the default Active Directory settings.
Create and manage groups of Active Directory
servers.
Import and manage certificates from trusted
sources.
PPPoE/PPTP interfaces.
Create SSL web application or file sharing objects.
Create Endpoint Security (EPS) objects.
ZyWALL.
the ZyWALL.
ZyWALL USG 300 User’s Guide
55
Chapter 3 Web Configurator
Table 6 Configuration Menu Screens Summary (continued)
FOLDER OR LINK
Console Speed
DNS Configure the DNS server and address records for
WWW Service Control Configure HTTP, HTTPS, and general
SSH Configure SSH server and SSH service settings. TELNET Configure telnet server settings for the ZyWALL. FTP Configure FTP server settings. SNMP Configure SNMP communities and services. Dial-in Mgmt. Conf igure settings for an out of band management
Vantage CNM Configure and allow your ZyWALL to be managed
Language Select the Web Configurator language.
Log & Report
Email Daily Report
Log Setting Configure the system log, e-mail logs, and remote
TAB FUNCTION
Set the console speed.
the ZyWALL.
authentication. Login Page Configure how the login and access user screens
look.
connection through a modem connected to the
AUX port.
by the Vantage CNM server.
Configure where and how to send daily reports and
what reports to send.
syslog servers.
3.3.2.4 Maintenance Menu
Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL.
Table 7 Maintenance Menu Screens Summary
FOLDER OR LINK
File Manager Configuration
Diagnostics Diagnostic Collect diagnostic information.
Reboot Restart the ZyWALL. Shutdown Turn off the ZyWALL.
TAB FUNCTION
File Firmware
Package Shell Script Manage and run shell script files for the ZyWALL.
Packet Capture Capture packets for analysis.
Manage and upload configuration files for the
ZyWALL.
View the current firmware version and to upload
firmware.
56
ZyWALL USG 300 User’s Guide
3.3.3 Main Window
The main window shows the screen you select in the navigation panel. The main window screens are discussed in the rest of this document.
Right after you log in, the Dashboard screen is display ed. See Chapter 9 on page
221 for more information about the Dashboard screen.
3.3.3.1 Warning Messages
Warning messages, such as those resulting from misconfiguration, display in a popup window.
Figure 16 Warning Message
Chapter 3 Web Configurator
3.3.3.2 Site Map
Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen.
Figure 17 Site Map
3.3.3.3 Object Reference
Click Object Ref erence to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration
ZyWALL USG 300 User’s Guide
57
Chapter 3 Web Configurator
settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule).
Figure 18 Object Reference
The fields vary with the type of object. The following table describes labels that can appear in this screen.
Table 8 Object References
LABEL DESCRIPTION
Object Name This identifies the object for which the configuration settings that use it
are displayed. Click the object’s name to display the object’s
configuration screen in the main window. # This field is a sequential value, and it is not associated with any entry. Service This is the type of setting that references the selected object. Click a
service’s name to display the service’s configuration screen in the main
window. Priority If it is applicable, this field lists the referencing configuration item’s
position in its list, otherwise N/A displays. Name This field identifies the configuration item that references the object. Description If the referencing configuration item has a description configured, it
displays here. Refresh Click this to update the information in this screen. Cancel Click Cancel to close the screen.
58
ZyWALL USG 300 User’s Guide
3.3.3.4 CLI Messages
Click CLI to look at the CLI commands sent by the Web Configurator. The se commands appear in a popup window, such as the following.
Figure 19 CLI Messages
Click Clear to remove the currently displayed information.
Chapter 3 Web Configurator
See the Command Reference Guide for information about the commands.
3.3.4 Tables and Lists
The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.
3.3.4.1 Manipulating Table Display
Here are some of the ways you can manipulate the We b Configurator tables.
1 Click a column heading to sort the table’s entries according to that column’s
criteria.
Figure 20 Sorting Table Entries by a Column’s Criteria
2 Click the down arrow next to a column heading for more options about how to
display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:
ZyWALL USG 300 User’s Guide
59
Chapter 3 Web Configurator
• Sort in ascending alphabetical order
• Sort in descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
• Show entries in groups
• Filter by mathematical operators (<, >, or =) or searching for text
Figure 21 Common Table Column Options
3 Select a column heading cell’s right border and drag to re-size the column.
Figure 22 Resizing a Table Column
60
ZyWALL USG 300 User’s Guide
Chapter 3 Web Configurator
4 Select a column heading and drag and drop it to change the column order. A green
check mark displays next to the column’s title when you drag the column to a valid new location.
Figure 23 Changing the Column Order
5 Use the icons and fields at the bottom of the table to navigate to different pages of
entries and control how many entries display at a time.
Figure 24 Navigating Pages of Table Entries
3.3.4.2 Working with Table Entries
The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] ke y t o sel e c t multiple entries to remove, activate, or deactivate.
Figure 25 Common Table Icons
ZyWALL USG 300 User’s Guide
61
Chapter 3 Web Configurator
Here are descriptions for the most common table icons.
Table 9 Common Table Icons
LABEL DESCRIPTION
Add Click this to create a new entry. For features where the entry’s
Edit Double-click an entry or select it and click Edit to open a screen
Remove To remove an entry, select it and click Remove. The ZyWALL
Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Connect To connect an entry, select it and click Connect. Disconnect To disconnect an entry, select it and click Disconnect. Object References Select an entry and click Object References to open a screen that
Move To change an entry’s position in a numbered list, select it and click
position in the numbered list is important (features where the ZyWALL applies the table’s entries in order like the firewall for example), you can select an entry and click Add to create a new entry after the selected entry.
where you can modify the entry’s settings. In some tables you can just click a table entry and edit it directly in the table. For those types of tables small red triangles display for table entries with changes that you have not yet applied.
confirms you want to remove it before doing so.
shows which settings use the entry. See Section 13.3.2 on page 303 for an example.
Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.
3.3.4.3 Working with Lists
When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
Figure 26 Working with Lists
62
ZyWALL USG 300 User’s Guide
CHAPTER 4

Installation Setup Wizard

4.1 Installation Setup Wizard Screens

If you log into the Web Configurator when the ZyWALL is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator's installation setup wizard. See the feature-specific chapters in this User’ s Guide for background information.
Figure 27 Installation Setup Wizard
• Click the double arrow in the upper right corner to display or hide the help.
•Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access.
ZyWALL USG 300 User’s Guide
63
Chapter 4 Installation Setup Wizard
4.1.1 Internet Access Setup - WAN Interface
Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment.
The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Note: Enter the Internet access information exactly as your ISP gave it to you. Figure 28 Internet Access: Step 1
I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface.
Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
WAN Interface: This is the interface you are configuring for Internet access.
Zone: Select the security zone to which you want this interface and Internet connection to belong.
IP Address Assignment: Select Auto if your ISP did not assign you a fix ed IP address. Select Static if the ISP assigned a fixed IP address.
4.1.2 Internet Access: Ethernet
This screen is read-only if you set the previous screen’ s IP Address Assignment field to Auto. Use this screen to configure your IP address settings.
64
ZyWALL USG 300 User’s Guide
Chapter 4 Installation Setup Wizard
Note: Enter the Internet access information exactly as given to you by your ISP. Figure 29 Internet Access: Ethernet Encapsulation
Encapsulation: This displays the type of Internet connection you are configuring.
First WAN Interface: This is the number of the interface that will connect with your ISP.
Zone: This is the security zone to which thi s int erface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto d isplays if y ou selected Auto as the IP Address Assignment in the previous screen.
The following fields display if you selected static IP address assignment.
IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
ZyWALL USG 300 User’s Guide
65
Chapter 4 Installation Setup Wizard
4.1.3 Internet Access: PPPoE
Note: Enter the Internet access information exactly as given to you by your ISP.
Figure 30 Internet Access: PPPoE Encapsulation
4.1.3.1 ISP Parameters
• T ype the PPP oE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and ­_@$./ characters, and it can be up to 64 characters long.
Authentication Type - Select an authentication protocol for outgoing connection requests. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
MSCHAP - Your ZyWALL accepts MSCHAP only.
MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
• Type the User Name given to you by your ISP. You can use alphanumeric and ­_@$./ characters, and it can be up to 31 characters long.
• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.
66
ZyWALL USG 300 User’s Guide
4.1.3.2 WAN IP Address Assignments
WAN Interface: This is the name of the interface that wi ll co n nect with your ISP.
Zone: This is the security zone to which thi s int erface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto d isplays if y ou selected Auto as the IP Address Assignment in the previous screen.
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not w ant to configure DNS servers. If y ou do not configure a DNS server, you must know the IP address of a machine in order to access it.
4.1.4 Internet Access: PPTP
Chapter 4 Installation Setup Wizard
Note: Enter the Internet access information exactly as given to you by your ISP.
Figure 31 Internet Access: PPTP Encapsulation
4.1.5 ISP Parameters
Authentication Type - Select an authentication protocol for outgoing calls. Options are:
ZyWALL USG 300 User’s Guide
67
Chapter 4 Installation Setup Wizard
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by the remote node.
CHAP - Your ZyWALL accepts CHAP only.
PAP - Your ZyWALL accepts PAP only.
MSCHAP - Your ZyWALL accepts MSCHAP only.
MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
• Type the User Name given to you by your ISP. You can use alphanumeric and ­_@$./ characters, and it can be up to 31 characters long.
• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type y our password in the next field to confirm it.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.
4.1.5.1 PPTP Configuration
Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
•Type a Base IP Address (static) assigned to you by your ISP.
• Type the IP Subnet Mask assigned to you by your ISP (if given).
Server IP: Type the IP address of the PPTP server.
•Type a Connection ID or connection name. It must follow the “c:id” and “n:name” format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.
4.1.5.2 WAN IP Address Assignments
First WAN Interface: This is the connection type on the interface you are configuring to connect with your ISP.
Zone This is the security zone to whic h thi s in terface and Internet connection will belong.
IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
68
ZyWALL USG 300 User’s Guide
Chapter 4 Installation Setup Wizard
4.1.6 Internet Access Setup - Second WAN Interface
If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 64).
Figure 32 Internet Access: Step 3: Second WAN Interface
4.1.7 Internet Access - Finish
You have set up your ZyWALL to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back.
Figure 33 Internet Access: Ethernet Encapsulation
ZyWALL USG 300 User’s Guide
69
Chapter 4 Installation Setup Wizard
Note: If you have not already done so, you can register your ZyWALL with
myZyXEL.com and activate trials of services like IDP.
Click Next and use the following screen to perform a basic registration (see
Section 4.2 on page 70). If you want to do a more detailed registration or manage
your account details, click myZyXEL.com.
Alternatively, close the window to exit the wizard.

4.2 Device Registration

Use this screen to register your ZyWALL with myZXEL.com and activate trial periods of subscription security features if you have not already done so. If the ZyWALL is already registered this screen displays your user name and which trial services are activated (if any). You can still activate any un-activated trial services.
Note: You must be connected to the Internet to register.
Use the Registration > Service screen to update your service subscription status.
Figure 34 Registration
70
• Select new myZyXEL.com account if you haven’t created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL.
ZyWALL USG 300 User’s Guide
Chapter 4 Installation Setup Wizard
• Select existing myZyXEL.com account if you already have an account at myZyXEL.com and enter your user name and password in the fields below to register your ZyWALL.
•Enter a User Name for your myZyXEL.com account. Use from six to 20 alphanumeric characters (and the underscore). Spaces are not allowed. Click Check to verify that it is available.
Password: Use six to 20 alphanumeric characters (and the underscore). Spaces are not allowed. Type it again in the Confirm Password field.
E-Mail Address: Enter your e-mail address. Use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country Code: Select your country from the drop-down box list.
Trial Service Activation: You can try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service.
Figure 35 Registration: Registered Device
ZyWALL USG 300 User’s Guide
71
Chapter 4 Installation Setup Wizard
72
ZyWALL USG 300 User’s Guide
CHAPTER 5

Quick Setup

5.1 Quick Setup Overview

The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information.
In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen.
Figure 36 Quick Setup
• WAN Interface
Click this link to open a wizard to set up a WAN (Internet) connection. This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 5.2 on page 74.
•VPN SETUP
Use VPN SETUP to configure a VPN (Virtual Private Network) tunnel for a secure connection to another computer or network. See Section 5.4 on page 80.
ZyWALL USG 300 User’s Guide
73
Chapter 5 Quick Setup

5.2 WAN Interface Quick Setup

Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the internet. Click Next.
Figure 37 WAN Interface Quick Setup Wizard
5.2.1 Choose an Ethernet Interface
Select the Ethernet interface that you want to configure for a WAN connection and click Next.
Figure 38 Choose an Ethernet Interface
5.2.2 Select WAN Type
74
WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet.
ZyWALL USG 300 User’s Guide
Chapter 5 Quick Setup
Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
Figure 39 WAN Interface Setup: Step 2
The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information.
Note: Enter the Internet access information exactly as your ISP gave it to you.
5.2.3 Configure WAN Settings
Use this screen to select to which zone the interface belongs and whether the interface should use a fixed or dynamic IP address.
Figure 40 WAN Interface Setup: Step 2
WAN Interface: This is the interface you are configuring for Internet access.
Zone:
ZyWALL USG 300 User’s Guide
75
Chapter 5 Quick Setup
IP Address Assignment: Select Auto If your ISP did not assign you a fixed IP address. Select Static If the ISP assigned a fixed IP address.
5.2.4 WAN and ISP Connection Settings
Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you set the IP Address Assignment to Static.
Note: Enter the Internet access information exactly as your ISP gave it to you.
Figure 41 WAN and ISP Connection Settings: (PPTP Shown)
76
The following table describes the labels in this screen.
Table 10 WAN and ISP Connection Settings
LABEL DESCRIPTION
ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet
connection.
Encapsulation This displays the type of Internet connection you are configuring.
ZyWALL USG 300 User’s Guide
Chapter 5 Quick Setup
Table 10 WAN and ISP Connection Settings (continued)
LABEL DESCRIPTION
Authentication Type
User Name Type the user name given to you by your ISP. You can use
Password T ype the password associated with the user name above. Use up to 64
Retype to Confirm
Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout Type the time in seconds that elapses before the router automatically
PPTP Configuration
Base Interface This displays the identity of the Ethernet interface you configure to
Base IP Address
IP Subnet Mask
Server IP Type the IP address of the PPTP server. Connection ID Enter the connection ID or connection name in this field. It must
Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
CHAP - Your ZyWALL accepts CHAP only. PAP - Your ZyWALL accepts PAP only. MSCHAP - Your ZyWALL accepts MSCHAP only. MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only.
alphanumeric and -_ characters long.
ASCII characters except the [] and ?. This field can be blank. Type your password again for confirmation.
disconnects from the PPPoE server. 0 means no timeout. This section only appears if the interface uses a PPPoE or PPTP
Internet connection.
connect with a modem or router. Type the (static) IP address assigned to you by your ISP.
Type the subnet mask assigned to you by your ISP (if given).
follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem.
@$./ characters, and it can be up to 31
WAN Interface Setup
WAN Interface This displays the identity of the interface you configure to connect
Zone This field displays to which security zone this interface and Internet
IP Address This field is read-only when the WAN interface uses a dynamic IP
ZyWALL USG 300 User’s Guide
You can use alphanumeric and -_ characters long.
with your ISP.
connection will belong.
address. If your WAN interface uses a static IP address, enter it in this field.
: characters, and it can be up to 31
77
Chapter 5 Quick Setup
Table 10 WAN and ISP Connection Settings (continued)
LABEL DESCRIPTION
First DNS Server
Second DNS Server
Back Click Back to return to the previous screen. Next Click Next to continue.
These fields only display for an interface with a static IP address. Enter the DNS server IP address(es) in the field(s) to the right.
Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is ex tremely important because without it, you must know the IP address of a computer before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
5.2.5 Quick Setup Interface Wizard: Summary
This screen displays the WAN interface’s settings.
Figure 42 Interface Wizard: Summary WAN (PPTP Shown)
The following table describes the labels in this screen.
Table 11 Interface Wizard: Summary WAN
LABEL DESCRIPTION
Encapsulation This displays what encapsulation this interface uses to connect to the
Internet.
Service Name This field only appears for a PPPoE interface. It displays the PPPoE
service name specified in the ISP account.
78
ZyWALL USG 300 User’s Guide
Chapter 5 Quick Setup
Table 11 Interface Wizard: Summary WAN
LABEL DESCRIPTION
Server IP This field only appears for a PPTP interface. It displays the IP address of
the PPTP server. User Name This is the user name given to you by your ISP. Nailed-Up If No displays the connection will not time out. Yes means the ZyWALL
uses the idle timeout. Idle Timeout This is how many seconds the connection can be idle before the router
automatically disconnects from the PPPoE server. 0 means no timeout. Connection ID If you specified a connection ID, it displays here. WAN Interface This identifies the interface you configure to connect with your ISP. Zone This field displays to which security zone this interface and Internet
connection will belong. IP Address
Assignment First DNS
Server Second DNS
Server Close Click Close to exit the wizard.
This field displays whether the WAN IP address is static or dynamic
(Auto).
If the IP Address Assignment is Static, these fields display the DNS
server IP address(es).

5.3 VPN Quick Setup

Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection
and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click Next.
Figure 43 VPN Quick Setup Wizard
ZyWALL USG 300 User’s Guide
79
Chapter 5 Quick Setup

5.4 VPN Setup Wizard: Wizard Type

A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. Use this screen to select which type of VPN connection you want to configure.
Figure 44 VPN Setup Wizard: Wizard Type
Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings.
Advanced: Use this wizard to configure det a i led V PN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device.
80
ZyWALL USG 300 User’s Guide

5.5 VPN Express Wizard - Scenario

Click the Express radio button as shown in Figure 44 on page 80 to display the following screen.
Figure 45 VPN Express Wizard: Step 2
Chapter 5 Quick Setup
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). Y ou may use 1-31 alphanumeric char acters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.
• Site-to-site - Choose this if the remote IPSec device has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
• Site-to-site with Dynamic Peer - Choose this if the remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
• Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
ZyWALL USG 300 User’s Guide
81
Chapter 5 Quick Setup
5.5.1 VPN Express Wizard - Configuration
Figure 46 VPN Express Wizard: Step 3
Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal (“0-9”, “A-F”) characters. Proceed a hexadecimal key with “0x”. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
Remote Policy (IP/Mask): If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
82
ZyWALL USG 300 User’s Guide
5.5.2 VPN Express Wizard - Summary
This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ZLD-based ZyWALL’s command line interface to configure it.
Figure 47 VPN Express Wizard: Step 4
Chapter 5 Quick Setup
Rule Name: Identifies the VPN gateway policy.
Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.
Local Policy: (Static) IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.
Remote Policy: (Static) IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
• Copy and paste the Configuration for Secure Gateway commands into another ZLD-based ZyWALL’s command line interface to configure it to serve as the other end of this VPN tunnel. You can also use a text editor to save these commands as a shell script file with a “.zysh” filename extension. Then you can use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list.
ZyWALL USG 300 User’s Guide
83
Chapter 5 Quick Setup
5.5.3 VPN Express Wizard - Finish
Now you can use the VPN tunnel.
Figure 48 VPN Express Wizard: Step 6
84
Note: If you have not already done so, use the myZyXEL.com link and register your
ZyWALL with myZyXEL.com and activate trials of services like IDP.
Click Close to exit the wizard.
ZyWALL USG 300 User’s Guide
5.5.4 VPN Advanced Wizard - Scenario
Click the Advanced radio button as shown in Figure 44 on page 80 to di splay the following screen.
Figure 49 VPN Advanced Wizard: Scenario
Chapter 5 Quick Setup
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). Y ou may use 1-31 alphanumeric char acters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Select the scenario that best describes your intended VPN connection. The figure on the left of the screen changes to match the scenario you select.
• Site-to-site - Choose this if the remote IPSec device has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
• Site-to-site with Dynamic Peer - Choose this if the remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
ZyWALL USG 300 User’s Guide
85
Chapter 5 Quick Setup
• Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
5.5.5 VPN Advanced Wizard - Phase 1 Settings
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establ ishes an IKE SA (Security Association).
Figure 50 VPN Advanced Wizard: Phase 1 Settings
Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
My Address (interface): Select an interface from the drop-down list box to use on your ZyWALL.
Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.
Note: Multiple SAs connecting through a secure gateway must have the same
negotiation mode.
Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the security (this may affect throughput). Both sender and recei ver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES
86
ZyWALL USG 300 User’s Guide
Chapter 5 Quick Setup
that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key and AES256 uses a 256-bit key.
Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5 (Message Digest 5) and SHA1 (Secure Has h Algorithm) are hash algorithms used to authenticate pac ket data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit random number.
SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).
Note: The remote IPSec device must also have NAT traversal enabled. See VPN,
NAT, and NAT Traversal on page 500 for more information.
Dead Peer Detection (DPD) has the ZyWALL make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the ZyWALL sends a message to the remote IPSec device. If it responds, the ZyWALL transmits the data. If it does not respond, the ZyWALL shuts down the IKE SA.
Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the ZyWALL’s certificates.
ZyWALL USG 300 User’s Guide
87
Chapter 5 Quick Setup
5.5.6 VPN Advanced Wizard - Phase 2
Phase 2 in an IKE uses the SA that was established in phase 1 to negot iate SAs for IPSec.
Figure 51 VPN Advanced Wizard: Step 4
Active Protocol: ESP is compatible with NAT, AH is not.
Encapsulation: Tunnel is compatible with NAT, Transport is not.
Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security. MD5 (Message Digest 5) and SHA1 (Secure Has h Algorithm) are hash algorithms used to authenticate pac ket data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
• Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit random number (more secure, yet slower).
Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
88
Remote Policy (IP/Mask): Type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
ZyWALL USG 300 User’s Guide
Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.
5.5.7 VPN Advanced Wizard - Summary
This is a read-only summary of the VPN tunnel settings.
Figure 52 VPN Advanced Wizard: Step 5
Chapter 5 Quick Setup
Rule Name: Identifies the VPN connection (and the VPN gateway).
Secure Gateway: IP address or domain name of the remote IPSec device.
Pre-Shared Key: VPN tunnel password.
Certificate: The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel.
Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.
Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.
• Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL’s command line interface.
•Click Save to save the VPN rule.
ZyWALL USG 300 User’s Guide
89
Chapter 5 Quick Setup
5.5.8 VPN Advanced Wizard - Finish
Now you can use the VPN tunnel.
Figure 53 VPN Wizard: Step 6: Advanced
90
Note: If you have not already done so, you can register your ZyWALL with
myZyXEL.com and activate trials of services like IDP.
Click Close to exit the wizard.
ZyWALL USG 300 User’s Guide
CHAPTER 6

Configuration Basics

This information is provided to help you configure the ZyW ALL effectively. Some of it is helpful when you are just gett i n g st a r t ed. Some of it is provided for your reference when you configure various features in the ZyWALL.
Section 6.1 on page 91 introduces the ZyWALL’s object-based configuration.
Section 6.2 on page 92 introduces zones, interfaces, and port groups.
Section 6.3 on page 95 introduces some differences in terminology and organization between the ZyWALL and other routers, particularly ZyNOS routers.
Section 6.4 on page 96 covers the ZyWALL’s packet flow.
Section 6.5 on page 99 identifies the features you should conf igure before and after you configure the main screens for each feature. For example, if you want to configure a trunk for load-balancing, you should configure the member interfaces before you configure the trunk. After you configure the trunk, you should configure a policy route for it as well. (You might also have to configure criteria for the policy route.)
Section 6.6 on page 110 identifies the objects that store information used by other features.
Section 6.7 on page 111 introduces some of the tools available for system management.

6.1 Object-based Configuration

The ZyWALL stores information or settings as objects. You use these objects to configure many of the ZyWALL’s features and settings. Once you configure an object, you can reuse it in configuring other features.
When you change an object’s settings, the ZyWALL automatically updates al l the settings or rules that use the object. For example, if you create a schedule objec t, you can have firewall, applicat ion patrol, content filter, and other settings use it. If you modify the schedule, all the firewall, application patrol, content filter, and other settings that use the schedule automatically apply the updated schedule.
You can create address objects based on an interface’s IP address, subnet, or gateway. The Z y WALL automatically updates every rule or setting that uses these
ZyWALL USG 300 User’s Guide
91
Chapter 6 Configuration Basics
objects whenever the interface’s IP address settings change. For example, if you change an Ethernet interface’s IP address, the ZyWALL automatically updates the rules or settings that use the interface-based, LAN subnet address object.
You can use the Configuration > Objects screens to create objects before you configure features that use them. If you are in a screen that uses objects, you can also usually select Create new Object to be able to configure a new object. F or a list of common objects, see Section 6.6 on page 110.
Use the Object Reference screen (Section 3.3.3.3 on page 57) to see what objects are configured and which configuration settings reference specific objects.

6.2 Zones, Interfaces, and Physical Ports

Zones (groups of interfaces and VPN tunnels) simplify security settings. Here is an overview of zones, interfaces, and physical ports in the ZyWALL.
Figure 54 Zones, Interfaces, and Physical Ethernet Ports
Zones
Interfaces
Physical Ports
LAN
ge1 ge2 ge3
P1 P2 P3 P4 P5 P6
WAN
DMZ
ge4 ge5
WLAN
ge6
Table 12 Zones, Interfaces, and Physical Ethernet Ports
Zones
(WAN, LAN, DMZ)
Interfaces
(Ethernet, VLAN,...)
Physical Ethernet Ports
(P1, P2, ...)
A zone is a group of interfaces and VPN tunnels. Use zones to apply security settings such as firewall, IDP, remote management, anti­virus, and application patrol.
Interfaces are logical entities that (layer-3) packets pass through. Use interfaces in configuring VPN, zones, trunks, device HA, DDNS, policy routes, static routes, HTTP redirect, and NAT.
Port groups combine physical ports into interfaces. The physical port is where you connect a cable. In configuration, you
use physical ports when configuring port groups. You use interfaces and zones in configuring other features.
92
ZyWALL USG 300 User’s Guide
6.2.1 Interface Types
There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL.
Ethernet interfaces are the foundation for defining other interfaces and network policies. Y o u also configure RIP and OSPF in these interfaces.
Port groups create a hardware connection between physical ports at the layer­2 (data link, MAC address) level.
PPP interfaces support Point-to-Point Protocols (PPPoE or PPTP). ISP accounts are required for PPPoE/PPTP interfaces.
VLAN interfaces recognize tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge.
Chapter 6 Configuration Basics
Virtual interfaces increase the amount of routing information in the ZyWALL. There are three types: virtual Ethernet interfaces (also known as IP alias), virtual VLAN interfaces, and virtual bridge interfaces.
•The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port.
ZyWALL USG 300 User’s Guide
93
Chapter 6 Configuration Basics
6.2.2 Default Interface and Zone Configuration
This section introduces the ZyWALL’ s default zone member ph ysical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address.
Figure 55 Default Network Topology
Table 13 Default Port, Interface, and Zone Configuration
PORT INTERFACE ZONE
1 ge1 LAN 192.168.1.1, DHCP server
2, 3 ge2, ge3 WAN DHCP clients Connections to the Internet 4, 5 ge4, ge5 DMZ 192.168.2.1 (ge4) and
6 ge6 WLAN 10.59.0.1, DHCP server
7 ge7 None None, DHCP server
AUX aux None None Auxiliary modem CONSOLE N/A None None Local management
IP ADDRESS AND DHCP SETTINGS
enabled
192.168.3.1 (ge5), DHCP server disabled
enabled
disabled
• The LAN zone contains the ge1 interface. The LAN zone is a protected zone. The ge1 interface uses 192.168.1.1.
SUGGESTED USE WITH DEFAULT SETTINGS
Protected LAN
Public servers (such as web, e-mail and FTP)
Wireless access points
Optional
94
ZyWALL USG 300 User’s Guide
• The WAN zone contains the ge2 and ge3 interfaces (physical ports 2 and 3). They use public IP addresses to connect to the Internet.
• The DMZ zone contains the ge4 and ge5 interfaces (physical ports 4 and 5). The DMZ zone has servers that are available to the public. These interface uses private IP addresses 192.168.2.1 and 192.168.3.1.
• The WLAN zone contains the ge6 interface (physical port P6). This is a second protected zone for connecting wireless access points. The ge6 interface uses private IP address 10.59.0.1 and the connected devices use IP add resses in the
10.59.0.2 to 10.59.0.254 range.
•Interface ge7 (physical port 7) is not part of a zone by default. Add it to a zone to apply security policies.

6.3 Terminology in the ZyWALL

This section highlights some differences in terminology or organization between the ZLD-based ZyWALL and other routers, particularly ZyNOS routers.
Chapter 6 Configuration Basics
Table 14 ZLD ZyWALL Terminology That is Different Than ZyNOS
ZYNOS FEATURE / TERM ZLD ZYWALL FEATURE / TERM
IP alias Virtual interface Gateway policy VPN gateway Network policy (IPSec SA) VPN connection Hub-and-spoke VPN (VPN) concentrator
Table 15 ZLD ZyWALL Terminology That Might Be Different Than Other Products
FEATURE / TERM ZLD ZYWALL FEATURE / TERM
Source NAT (SNAT) Policy route
Table 16 NAT: Differences Between ZLD ZyWALL and ZyNOS
ZYNOS FEATURE / SCREEN ZLD ZYWALL FEATURE / SCREEN
Trigger port, port triggering Policy route Address mapping Policy route Address mapping (VPN) IPSec VPN
Table 17 Bandwidth Management: Differences Between the ZLD ZyWALL and ZyNOS
ZYNOS FEATURE / SCREEN ZLD ZYWALL FEATURE / SCREEN
Interface bandwidth management (outbound)
OSI level-7 bandwidth management Application patrol General bandwidth management Policy route
Interface
ZyWALL USG 300 User’s Guide
95
Chapter 6 Configuration Basics

6.4 Packet Flow

Here is the order in which the ZyWALL applies its features and checks.
Figure 56 Packet Flow
6.4.1 ZLD 2.20 Packet Flow Enhancements
ZLD version 2.20 has been enhanced to simplify configuration. The packet flow has been changed as follows:
• Automatic SNAT and WAN trunk routing for traffic going from internal to external interfaces (you don’t need to configure anything to all LAN to WAN or WLAN to WAN traffic).
The ZyWALL automatically adds al l of the external interfaces to the default W AN trunk. External interfaces include ppp, cellular, and aux interfaces as well as any Ethernet interfaces that are set as external interfaces.
Examples of internal interfaces are WLAN interfaces and any Ethernet interfaces that you configure as internal interfaces.
• A policy route can be automatically disabled if the next-hop is dead.
• You do not need to set up policy routes for IPSec traffic.
• Policy routes can override direct routes.
96
ZyWALL USG 300 User’s Guide
Chapter 6 Configuration Basics
• You do not need to set up policy routes for 1:1 NAT entries.
• You can create Many 1:1 NAT entries to translate a range of private network addresses to a range of public IP addresses
• Static and dynamic routes have their own category.
Even with these changes, you can still use an existing configuration file from the previous version.
6.4.2 Routing Table Checking Flow Enhancements
When the ZyWALL receives packets it defragments them and applies destination NAT. Then it examines the packets and determines how to route them. The following figure shows how the ZLD 2.20 firmware’s routing table compares with the earlier 2.1x firmware’s routing table.The checking flow is from top to bottom. As soon as the packets match an entry in one of the sections, the ZyWALL stops checking the packets against the routing table and moves on to the other checks, for example the firewall check.
Figure 57 Routing Table Checking Flow Enhancements
1 Direct-connected Subnets: The ZyWALL first checks to see if the packets are
destined for an address in the same subnet as one of the ZyWALL’ s interfaces. You can override this and have the ZyWALL check the policy routes first by enabling the policy route feature’s Use Policy Route to Override Direct Route option (see Section 15.1 on page 373).
ZyWALL USG 300 User’s Guide
97
Chapter 6 Configuration Basics
2 Policy Routes: These are the user-configured policy routes. Configure policy
routes to send packets through the appropriate interface or VPN tunnel. See
Chapter 15 on page 373 for more on policy routes.
3 1 to 1 and Many 1 to 1 NAT: These are the 1 to 1 NAT and many 1 to 1 NAT
rules. If a private network server will initiate sessions to the outside clients, create a 1 to 1 NAT entry to have the ZyWALL translate the source IP address of the server’s outgoing traffic to the same publ i c IP address that the outside clients use to access the server. A many 1 to 1 NAT entry works like multiple 1 to 1 NA T rules. It maps a range of private network servers that will init iate sessions to the outside clients to a range of public IP addresses. See Section 19.2.1 on page 416 for more.
4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for the
VPN rules. Disabling the IPSec VPN feature’s Use Policy Route to control dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes (see Section 25.2 on page 470).
5 Static and Dynamic Routes: This section contains the user-configured static
routes and the dynamic routing information learned from other routers through RIP and OSPF. See Chapter 15 on page 373 for more information.
6 Default WAN Trunk: For any traffic coming in through an internal interface, if it
does not match any of the other routing entries, the ZyWALL forwards it through the default WAN trunk. See Section 14.2 on page 368 for how to select which trunk the ZyWALL uses as the default.
7 Main Routing Table: In ZLD 2.20 the default WAN trunk is expected to be used
for any traffic that did not match any earlier routing entries but the main routing table has been retained for backwards compatibility with earlier ZLD versions.
6.4.3 NAT Table Checking Flow
The ZyWALL’s NAT has been enhanced in ZLD version 2.20 and renamed from virtual server. The following figure shows how the ZLD 2.20 firmware’s NAT table compares with the earlier 2.1x firmware’s NAT table.The checking flow is from top to bottom. As soon as the packets match an entry in one of the sections, the
98
ZyWALL USG 300 User’s Guide
Chapter 6 Configuration Basics
ZyWALL stops checking the packets against the NAT table and moves on to bandwidth management.
Figure 58 NAT Table Checking Flow
1 SNAT defined in the policy routes. This was already in ZLD 2.1x.
2 1 to 1 SNAT (including Many 1 to 1) is also included in the NAT table.
3 NAT loopback is now included in the NAT table instead of requiring a separate
policy route.
4 SNAT is also now performed by default and included in the NAT table.

6.5 Feature Configuration Overview

This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the Web Configurator. Each feature description is organized as shown below.
ZyWALL USG 300 User’s Guide
99
Chapter 6 Configuration Basics
6.5.1 Feature
This provides a brief description. See the appropriate chapter(s) in this User’s Guide for more information about any feature.
MENU ITEM(S)
PREREQUISITES
WHERE USED
This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User’s Guide chapter for information about each screen.
These are other features you should configure before you configure the main screen(s) for this feature.
If you did not configure one of the prerequisites first, you can often select an option to create a new object. After you create the object you return to the main screen to finish configuring the feature.
You may not have to configure everything in the list of prerequisites. For example, you do not have to create a schedule for a policy route unless time is one of the criterion.
There are two uses for this. These are other features you should usually configure or check right
after you configure the main screen(s) for this feature. For example, you should usually create a policy route for a VPN tunnel.
You have to delete the references to this feature before you can delete any settings. For example, you have to delete (or modify) all the policy routes that refer to a VPN tunnel before you can delete the VPN tunnel.
Example: This provides a simple example to show you how to configure this feature. The example is usually based on the network topology in Figure 55 on
page 94.
Note: PREQUISITES or WHERE USED does not appear if there are no prerequisites
or references in other features to this one. For example, no other features reference DDNS entries, so there is no WHERE USED entry.
6.5.2 Licensing Registration
Use these screens to register your ZyWALL and subscribe to services like anti­virus, IDP and application patrol, more SSL VPN tunnels, and content filtering. Y ou must have Internet access to myZyXEL.com.
MENU ITEM(S) PREREQUISITES
Configuration > Licensing > Registration
Internet access to myZyXEL.com
6.5.3 Licensing Update
Use these screens to update the ZyWALL’s signature packages for the anti-virus, IDP and application patrol, and system protect features. You must have a valid
100
ZyWALL USG 300 User’s Guide
Loading...