![Zyxel USG 60 — понимание политики безопасности для сетевого трафика [360/829]](/img/pdf.png)
Zyxel USG 60 — понимание политики безопасности для сетевого трафика [360/829]
![Zyxel USG 60W [360/829] Security policy](/views2/1169222/page360/bg168.png)
ZyWALL/USG Series User’s Guide
360
CHAPTER 21
Security Policy
21.1 Overview
A security policy is a template of security settings that can be applied to specific traffic at specific
times. The policy can be applied:
• to a specific direction of travel of packets (from / to)
• to a specific source and destination address objects
• to a specific type of traffic (services)
• to a specific user or group of users
• at a specific schedule
The policy can be configured:
• to allow or deny traffic that matches the criteria above
• send a log or alert for traffic that matches the criteria above
• to apply the actions configured in the UTM profiles (application patrol, content filter, IDP, anti-
virus, anti-spam) to traffic that matches the criteria above
Note: Security policies can be applied to both IPv4 and IPv6 traffic.
The security policies can also limit the number of user sessions.
The following example shows the ZyWALL/USG’s default security policies behavior for a specific
direction of travel of packets. WAN to LAN traffic and how stateful inspection works. A LAN user can
initiate a Telnet session from within the LAN zone and the ZyWALL/USG allows the response.
However, the ZyWALL/USG blocks incoming Telnet traffic initiated from the WAN zone and destined
for the LAN zone.
Figure 242 Default Directional Security Policy Example
Содержание
- Quick start guide p.1
- Usg40 usg40w usg60 usg60w usg110 usg210 usg310 usg1100 usg1900 p.1
- Zywall 110 310 1100 p.1
- User s guide p.1
- Security firewalls p.1
- Zywall usg series p.1
- Zywall usg p.2
- Note it is recommended you use the web configurator to configure the zywall usg p.2
- Important p.2
- Related documentation p.2
- Read carefully before use p.2
- Keep this guide for future reference p.2
- Chapter 3 hardware interfaces and zones 0 p.3
- Chapter 1 introduction 1 p.3
- Chapter 2 installation setup wizard 1 p.3
- Part i user s guide 19 p.3
- Chapter 4 quick setup wizards 7 p.3
- Dashboard 0 p.4
- Chapter 5 0 p.4
- Chapter 6 monitor 09 p.5
- Part ii technical reference 107 p.5
- Chapter 8 wireless 63 p.6
- Chapter 7 licensing 57 p.6
- Chapter 9 interfaces 81 p.7
- Chapter 10 routing 67 p.7
- Chapter 14 07 p.8
- Chapter 11 ddns 90 p.8
- Alg 07 p.8
- Chapter 13 http redirect 03 p.8
- Chapter 12 nat 96 p.8
- Chapter 19 web authentication 39 p.9
- Chapter 15 upnp 15 p.9
- Chapter 18 inbound load balancing 33 p.9
- Chapter 17 layer 2 isolation 29 p.9
- Chapter 16 ip mac binding 24 p.9
- Chapter 22 ipsec vpn 85 p.10
- Chapter 21 security policy 60 p.10
- Chapter 20 rtls 57 p.10
- Ssl user screens 31 p.11
- Chapter 24 31 p.11
- Chapter 23 ssl vpn 20 p.11
- Chapter 26 l2tp vpn 48 p.12
- Chapter 25 zywall usg secuextender windows 44 p.12
- Chapter 29 content filtering 74 p.12
- Chapter 28 application patrol 68 p.12
- Chapter 27 bwm bandwidth management 53 p.12
- Chapter 31 anti virus 18 p.13
- Chapter 32 anti spam 30 p.13
- Chapter 30 idp 93 p.13
- Chapter 35 object 70 p.14
- Chapter 34 device ha 57 p.14
- Chapter 33 ssl inspection 48 p.14
- Chapter 36 system 67 p.16
- Chapter 38 file manager 39 p.17
- Chapter 37 log and report 20 p.17
- Chapter 42 troubleshooting 69 p.18
- Chapter 41 shutdown 68 p.18
- Chapter 39 diagnostics 50 p.18
- Appendix c product features 02 p.18
- Appendix b legal information 89 p.18
- Appendix a customer support 83 p.18
- Index 09 p.18
- Chapter 40 packet flow explore 60 p.18
- User s guide p.19
- Overview p.21
- Introduction p.21
- Security router p.22
- Ipv6 routing p.22
- Applications p.22
- Vpn connectivity p.23
- User aware access control p.23
- Ssl vpn network access p.23
- Web configurator p.24
- Management overview p.24
- Load balancing p.24
- Web configurator access p.25
- Web configurator p.25
- Note most screen shots in this guide come from the usg110 and usg60w screen shots for other models may vary a little p.25
- Command line interface cli p.25
- Cloudcnm p.25
- Web configurator screens overview p.28
- Title bar p.28
- Site map p.29
- Console p.30
- Table 5 object references p.30
- Object reference p.30
- Label description p.30
- Figure 11 object reference p.30
- Click object reference to open the object reference screen select the type of object and the individual object and click refresh to show which configuration settings reference the object p.30
- Click console to open a java based console window from which you can run cli commands you will be prompted to enter your user name and password see the command reference guide for information about the commands p.30
- Chapter 1 introduction p.30
- Zywall usg series user s guide p.30
- The fields vary with the type of object this table describes labels that can appear in this screen p.30
- Navigation panel p.31
- Cli messages p.31
- Zywall usg series user s guide p.32
- The monitor menu screens display status and statistics information p.32
- The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs see the web help for details on the dashboard p.32
- Table 6 monitor menu screens summary p.32
- Monitor menu p.32
- Folder or link tab function p.32
- Figure 14 navigation panel p.32
- Dashboard p.32
- Chapter 1 introduction p.32
- Folder or link tab function p.33
- Configuration menu p.33
- Chapter 1 introduction p.33
- Zywall usg series user s guide p.33
- Use the configuration menu screens to configure the zywall usg s features p.33
- Table 7 configuration menu screens summary p.33
- Table 6 monitor menu screens summary continued p.33
- Zywall usg series user s guide p.34
- Table 7 configuration menu screens summary continued p.34
- Folder or link tab function p.34
- Chapter 1 introduction p.34
- Zywall usg series user s guide p.35
- Table 7 configuration menu screens summary continued p.35
- Folder or link tab function p.35
- Chapter 1 introduction p.35
- Zywall usg series user s guide p.36
- Table 7 configuration menu screens summary continued p.36
- Folder or link tab function p.36
- Chapter 1 introduction p.36
- Zywall usg series user s guide p.37
- Table 7 configuration menu screens summary continued p.37
- Folder or link tab function p.37
- Chapter 1 introduction p.37
- Table 8 maintenance menu screens summary p.38
- Sort in ascending or descending reverse alphabetical order p.38
- Show entries in groups p.38
- Select which columns to display p.38
- Or or searching for text p.38
- Maintenance menu p.38
- Group entries by field p.38
- Folder or link tab function p.38
- Figure 15 sorting table entries by a column s criteria p.38
- Click the down arrow next to a column heading for more options about how to display the entries the options available vary depending on the type of fields in the column here are some examples of what you can do p.38
- Click a column heading to sort the table s entries according to that column s criteria p.38
- Chapter 1 introduction p.38
- Zywall usg series user s guide p.38
- Web configurator tables and lists are flexible with several options for how to display their entries p.38
- Use the maintenance menu screens to manage configuration and firmware files run diagnostics and reboot or shut down the zywall usg p.38
- Tables and lists p.38
- Zywall usg series user s guide p.40
- Working with lists p.40
- When a list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other in some lists you can also use the shift or ctrl key to select multiple entries and then use the arrow button to move them to the other list p.40
- Table 9 common table icons p.40
- Label description p.40
- Here are descriptions for the most common table icons p.40
- Figure 21 working with lists p.40
- Figure 20 common table icons p.40
- Chapter 1 introduction p.40
- Internet access setup wan interface p.41
- Installation setup wizard screens p.41
- Installation setup wizard p.41
- Note enter the internet access information exactly as given to you by your isp or network administrator p.42
- Internet access ethernet p.42
- Note enter the internet access information exactly as given to you by your isp p.43
- Internet access pppoe p.43
- Wan ip address assignments p.44
- Isp parameters p.44
- Note enter the internet access information exactly as given to you by your isp p.45
- Isp parameters p.45
- Internet access pptp p.45
- Wan ip address assignments p.46
- Pptp configuration p.46
- Internet access setup second wan interface p.46
- Wireless settings ap controller p.47
- Internet access succeed p.47
- Wireless settings ssid security p.48
- Ssid setting p.48
- Note the zywall usg must be connected to the internet in order to register p.49
- Internet access device registration p.49
- For built in wireless ap only p.49
- Hardware overview p.50
- Hardware interfaces and zones p.50
- Front panels p.50
- Zywall usg series user s guide p.51
- The following table describes the leds p.51
- The connection ports are located on the rear panel p.51
- Table 11 led descriptions p.51
- Rear panels p.51
- Led color status description p.51
- Figure 37 zywall 310 zywall 1100 usg310 usg1100 usg1900 rear panel p.51
- Figure 36 zywall 110 usg110 usg210 rear panel p.51
- Figure 35 usg60 usg60w front panel p.51
- Chapter 3 hardware interfaces and zones p.51
- Zywall usg series user s guide p.52
- The following table describes the items on the rear panel p.52
- Table 12 rear panel items p.52
- Note use an 8 wire ethernet cable to run your gigabit ethernet connection at 1000 mbps using a 4 wire ethernet cable limits your connection to 100 mbps note that the connection speed also depends on what the ethernet device at the other end can support p.52
- Label description p.52
- Figure 39 usg60 usg60w rear panel p.52
- Figure 38 usg40 usg40w rear panel p.52
- Chapter 3 hardware interfaces and zones p.52
- Table 13 mounting method p.53
- Rack mounting wall mounting p.53
- Rack mounting p.53
- Note leave 10 cm of clearance at the sides and 20 cm in the rear p.53
- Note failure to use the proper screws may damage the unit p.53
- Mounting p.53
- Wall mount the zywall usg horizontally the zywall usg s side panels with ventilation slots should not be facing up or down as this position is less safe p.54
- Note make sure the screws are securely fixed to the wall and strong enough to hold the weight of the zywall usg with the connection cables p.54
- Wall mounting p.54
- Table 14 default physical port interface mapping p.55
- Screw specifications p.55
- Default zones interfaces and ports p.55
- Zywall usg series user s guide p.56
- Zone interface wan lan1 lan2 dmz opt p.56
- The following table shows the default interface and zone mapping for each model at the time of writing p.56
- Table 15 default zone interface mapping p.56
- Stopping the zywall usg p.56
- Shutdown or the shutdown command before you turn off the zywall usg or remove the power not doing so can cause the firmware to become corrupt p.56
- No default zone p.56
- Chapter 3 hardware interfaces and zones p.56
- Quick setup wizards p.57
- Quick setup overview p.57
- Wan interface quick setup p.58
- Choose an ethernet interface p.58
- Select wan type p.59
- Note enter the internet access information exactly as your isp gave it to you p.59
- Configure wan ip settings p.59
- Note enter the internet access information exactly as your isp gave it to you p.60
- Isp and wan and isp connection settings p.60
- Zywall usg series user s guide p.61
- The following table describes the labels in this screen p.61
- Table 16 wan and isp connection settings p.61
- Label description p.61
- Figure 47 wan and isp connection settings pptp shown p.61
- Chapter 4 quick setup wizards p.61
- This screen displays the wan interface s settings p.62
- Table 16 wan and isp connection settings continued p.62
- Quick setup interface wizard summary p.62
- Label description p.62
- Chapter 4 quick setup wizards p.62
- Zywall usg series user s guide p.62
- Zywall usg series user s guide p.63
- Vpn setup wizard p.63
- The following table describes the labels in this screen p.63
- Table 17 interface wizard summary wan p.63
- Label description p.63
- Figure 48 interface wizard summary wan pptp shown p.63
- Click vpn setup in the main quick setup screen to open the vpn setup wizard welcome screen p.63
- Chapter 4 quick setup wizards p.63
- Welcome p.64
- Vpn express wizard scenario p.65
- Vpn setup wizard wizard type p.65
- Vpn express wizard summary p.67
- Vpn express wizard configuration p.67
- Vpn express wizard finish p.68
- Vpn advanced wizard scenario p.69
- Vpn advanced wizard phase 1 settings p.70
- Vpn advanced wizard phase 2 p.72
- Note the remote ipsec device must also have nat traversal enabled see the help in the main ipsec vpn screens for more information p.72
- Vpn advanced wizard summary p.73
- Vpn advanced wizard finish p.73
- Vpn settings for configuration provisioning wizard wizard type p.74
- Configuration provisioning express wizard vpn settings p.75
- Configuration provisioning vpn express wizard configuration p.76
- Vpn settings for configuration provisioning express wizard summary p.77
- Vpn settings for configuration provisioning express wizard finish p.78
- Vpn settings for configuration provisioning advanced wizard scenario p.79
- Vpn settings for configuration provisioning advanced wizard phase 1 settings p.80
- Vpn settings for configuration provisioning advanced wizard summary p.82
- Vpn settings for configuration provisioning advanced wizard phase 2 p.82
- Vpn settings for configuration provisioning advanced wizard finish p.84
- Vpn settings for l2tp vpn settings wizard p.85
- L2tp vpn settings p.86
- L2tp vpn settings p.87
- Vpn settings for l2tp vpn setting wizard summary p.88
- Note dns domain name system is for mapping a domain name to its corresponding ip address and vice versa the dns server is extremely important because without it you must know the ip address of a computer before you can access it the zywall usg uses a system dns server in the order you specify here to resolve domain names for vpn ddns and the time server p.88
- Vpn settings for l2tp vpn setting wizard completed p.89
- What you can do in this chapter p.90
- Overview p.90
- Dashboard p.90
- Main dashboard screen p.91
- Zywall usg series user s guide p.92
- The device information screen displays zywall usg s system and model name serial number mac address and firmware version shown in the below screen p.92
- Table 18 dashboard continued p.92
- Label description p.92
- Device information screen p.92
- Chapter 5 dashboard p.92
- Chapter 5 dashboard p.93
- Zywall usg series user s guide p.93
- This tabel describes the fields in the above screen p.93
- System status screen p.93
- System status example p.93
- Label description p.93
- Device information example p.93
- Device information p.93
- Zywall usg series user s guide p.94
- Vpn status screen p.94
- This table describes the fields in the above screen p.94
- System status p.94
- Label description p.94
- Click on vpn status link to look at the vpn tunnels that are currently established the following screen will show p.94
- Chapter 5 dashboard p.94
- Zywall usg series user s guide p.95
- Lable description p.95
- Chapter 5 dashboard p.95
- Vpn status p.95
- This table describes the fields in the above screen p.95
- Zywall usg series user s guide p.96
- This table describes the fields in the above screen p.96
- Label description p.96
- Dhcp table screen p.96
- Dhcp table p.96
- Click on the dhcp table link to look at the ip addresses currently assigned to dhcp clients and the ip addresses reserved for specific mac addresses the following screen will show p.96
- Chapter 5 dashboard p.96
- Number of login users screen p.97
- Number of login users p.97
- Label description p.97
- Hover your mouse over an item and click the arrow on the right to see more details on that resource p.97
- Click the number of login users link to see the following screen p.97
- Chapter 5 dashboard p.97
- Zywall usg series user s guide p.97
- This table describes the fields in the above screen p.97
- System resources screen p.97
- Zywall usg series user s guide p.98
- Use the below screen to look at a chart of the zywall usg s recent cpu usage to access this screen click cpu usage in the dashboard p.98
- This table describes the fields in the above screen p.98
- System resources p.98
- Label description p.98
- Cpu usage screen p.98
- Chapter 5 dashboard p.98
- Memory usage screen p.99
- Label description p.99
- Label description p.100
- Active session screen p.100
- Extension slot p.101
- Chapter 5 dashboard p.101
- Zywall usg series user s guide p.101
- This table describes the fields in the above screen p.101
- Label description p.101
- Interfaces per zywall usg model vary p.101
- Interface status summary screen p.101
- Extension slot screen p.101
- Zywall usg series user s guide p.102
- This table describes the fields in the above screen p.102
- Label description p.102
- Interface status summary p.102
- Chapter 5 dashboard p.102
- Secured service status screen p.103
- Secured service status p.103
- Label description p.103
- Interface status summary p.103
- Chapter 5 dashboard p.103
- Zywall usg series user s guide p.103
- This table describes the fields in the above screen p.103
- This part shows what unified threat management utm services are available and enabled p.103
- Zywall usg series user s guide p.104
- Top 5 viruses screen p.104
- Top 5 viruses p.104
- This table describes the fields in the above screen p.104
- Secured service status p.104
- Label description p.104
- Content filter statistics screen p.104
- Content filter statistics p.104
- Content filter and then view results here p.104
- Chapter 5 dashboard p.104
- This table describes the fields in the above screen p.105
- Label description p.105
- Chapter 5 dashboard p.105
- Zywall usg series user s guide p.105
- Top 5 viruses p.105
- Top 5 ipv4 ipv6 security policy rules that blocked traffic screen p.105
- Top 5 ipv4 ipv6 security policy rules that blocked traffic p.105
- Top 5 intrusions screen p.105
- Top 5 intrusions p.105
- Zywall usg series user s guide p.106
- Top 5 ipv4 ipv6 security policy rules that blocked traffic p.106
- This table describes the fields in the above screen p.106
- The latest alert logs screen p.106
- The latest alert logs p.106
- Label description p.106
- Chapter 5 dashboard p.106
- Technical reference p.107
- Overview p.109
- Monitor p.109
- What you can do in this chapter p.109
- The port statistics screen p.110
- Zywall usg series user s guide p.111
- Use this screen to look at a line graph of packet statistics for each physical port to access this screen click port statistics in the status screen and then the switch to graphic view button p.111
- The port statistics graph screen p.111
- The following table describes the labels in this screen p.111
- Port statistics p.111
- Label description p.111
- Chapter 6 monitor p.111
- Zywall usg series user s guide p.112
- The following table describes the labels in this screen p.112
- Switch to graphic view p.112
- Label description p.112
- Interface status to access this screen p.112
- Interface status screen p.112
- Chapter 6 monitor p.112
- Zywall usg series user s guide p.113
- Label description p.113
- Interface status p.113
- Each field is described in the following table p.113
- Chapter 6 monitor p.113
- Zywall usg series user s guide p.114
- Label description p.114
- Interface status continued p.114
- Chapter 6 monitor p.114
- The traffic statistics screen p.115
- Most visited web sites and the number of times each one was visited this count may not be accurate in some cases because the zywall usg counts http get packets please see table 39 on page 116 for more information p.115
- Most used protocols or service ports and the amount of traffic on each one p.115
- Lan ip with heaviest traffic and how much traffic has been sent to and from each one p.115
- Label description p.115
- Interface status continued p.115
- Chapter 6 monitor p.115
- Zywall usg series user s guide p.115
- Traffic statistics to display the traffic statistics screen this screen provides basic information about the following for example p.115
- Zywall usg series user s guide p.116
- You use the traffic statistics screen to tell the zywall usg when to start and when to stop collecting information for these reports you cannot schedule data collection you have to start and stop it manually in the traffic statistics screen p.116
- Traffic statistics p.116
- There is a limit on the number of records shown in the report please see table 40 on page 117 for more information the following table describes the labels in this screen p.116
- Label description p.116
- Chapter 6 monitor p.116
- Zywall usg series user s guide p.117
- Traffic statistics continued p.117
- The following table displays the maximum number of records shown in the report the byte count limit and the hit count limit p.117
- Table 40 maximum values for reports p.117
- Label description p.117
- Chapter 6 monitor p.117
- Destination address p.118
- Chapter 6 monitor p.118
- Zywall usg series user s guide p.118
- You can look at all established sessions that passed through the zywall usg by user service source ip address or destination ip address you can also filter the information by user protocol service or service group source address and or destination address and view it by user p.118
- User who started the session p.118
- The session monitor screen displays all established sessions that pass through the zywall usg for debugging or statistical analysis it is not possible to manage sessions in this screen the following information is displayed p.118
- The session monitor screen p.118
- The following table describes the labels in this screen p.118
- Source address p.118
- Session monitor to display the following screen p.118
- Session monitor p.118
- Protocol or service port used p.118
- Number of bytes transmitted so far p.118
- Number of bytes received so far p.118
- Label description p.118
- Duration so far p.118
- Igmp statistics p.119
- Chapter 6 monitor p.119
- Zywall usg series user s guide p.119
- Session monitor continued p.119
- Label description p.119
- Igmp statistics to open the following screen p.119
- Zywall usg series user s guide p.120
- The following table describes the labels in this screen p.120
- The ddns status screen p.120
- Label description p.120
- Igmp statistics p.120
- Ddns status to open the following screen p.120
- Ddns status p.120
- Chapter 6 monitor p.120
- The login users screen p.121
- Ip mac binding p.121
- Cellular status screen p.122
- Cellular status p.122
- Zywall usg series user s guide p.122
- The following table describes the labels in this screen p.122
- Login users p.122
- Label description p.122
- Chapter 6 monitor p.122
- Cellular status to display this screen p.122
- Zywall usg series user s guide p.123
- The following table describes the labels in this screen p.123
- Label description p.123
- Chapter 6 monitor p.123
- Cellular status p.123
- Zywall usg series user s guide p.124
- Label description p.124
- Chapter 6 monitor p.124
- Cellular status continued p.124
- Cellular status continued p.125
- Zywall usg series user s guide p.125
- The following table describes the labels in this screen p.125
- Note this screen is only available when the mobile broadband device is attached to and activated on the zywall usg p.125
- More information to display this screen p.125
- More information p.125
- Label description p.125
- Chapter 6 monitor p.125
- Zywall usg series user s guide p.126
- Upnp port status p.126
- The upnp port status screen p.126
- The following table describes the labels in this screen p.126
- More information continued p.126
- Label description p.126
- Chapter 6 monitor p.126
- Label description p.127
- Chapter 6 monitor p.127
- Zywall usg series user s guide p.127
- Usb storage to display this screen p.127
- Usb storage screen p.127
- Usb storage p.127
- Upnp port status continued p.127
- The following table describes the labels in this screen p.127
- Zon for more information on the zyxel one network zon utility that uses the zyxel discovery protocol zdp for discovering and configuring zdp aware zyxel devices in the same network as the computer on which the zon utility is installed p.128
- Usb storage continued p.128
- The ethernet neighbor screen allows you to view the zywall usg s neighboring devices in one place p.128
- Lldp is a layer 2 protocol that allows a network device to advertise its identity and capabilities on the local network it also allows the device to maintain and store information from adjacent devices which are directly connected to the network device this helps you discover network changes and perform necessary network reconfiguration and management p.128
- Label description p.128
- It uses smart connect that is link layer discovery protocol lldp for discovering and configuring lldp aware devices in the same broadcast domain as the zywall usg that you re logged into using the web configurator p.128
- Ethernet neighbor to see the following screen p.128
- Ethernet neighbor screen p.128
- Ethernet neighbor p.128
- Chapter 6 monitor p.128
- Zywall usg series user s guide p.128
- Zon screen p.128
- Zywall usg series user s guide p.129
- Wireless contains ap information and station info menus p.129
- Wireless ap information ap list p.129
- Wireless p.129
- The following table describes the labels in this screen p.129
- The following table describes the fields in the previous screen p.129
- Label description p.129
- Ethernet neighbor p.129
- Chapter 6 monitor p.129
- Ap list p.129
- Ap information to display the ap list screen p.129
- Ap information p.129
- Ap list icons p.130
- Ap information continued p.130
- Zywall usg series user s guide p.130
- Use this screen to look at station statistics for the connected ap to access this screen select an entry and click the more information button in the ap list screen use this screen to look at p.130
- The following table describes the icons in this screen p.130
- Label description p.130
- Chapter 6 monitor p.130
- Ap list more information p.130
- Zywall usg series user s guide p.132
- Wireless ap information radio list p.132
- The following table describes the labels in this screen p.132
- Radio list to display the radio list screen p.132
- Radio list p.132
- More information continued p.132
- Label description p.132
- Chapter 6 monitor p.132
- Label description p.133
- Chapter 6 monitor p.133
- Zywall usg series user s guide p.133
- Radio list p.133
- Radio list more information p.134
- Zywall usg series user s guide p.135
- Wireless station info p.135
- The following table describes the labels in this screen p.135
- Station list p.135
- Station information to display this screen p.135
- More information p.135
- Label description p.135
- Chapter 6 monitor p.135
- Label description p.136
- Detected device to access this screen p.136
- Detected device p.136
- Chapter 6 monitor p.136
- Ap management screen in order to detect other wireless devices in its vicinity p.136
- Zywall usg series user s guide p.136
- The following table describes the labels in this screen p.136
- Station list p.136
- Zywall usg series user s guide p.137
- The ipsec monitor screen p.137
- Label description p.137
- Ipsec the following screen appears sas click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order p.137
- Each field is described in the following table p.137
- Detected device continued p.137
- Chapter 6 monitor p.137
- Log out individual users and delete related session information p.138
- Label description p.138
- Ipsec continued p.138
- Chapter 6 monitor p.138
- A question mark lets a single character in the vpn connection or policy name vary for example use a c without the quotation marks to specify abc acc and so on p.138
- A in the middle of a vpn connection or policy name has the zywall usg check the beginning and end and ignore the middle for example with abc 123 any vpn connection or policy name starting with abc and ending in 123 matches no matter how many characters are in between p.138
- Zywall usg series user s guide p.138
- Wildcards let multiple vpn connection or policy names match the pattern for example use abc without the quotation marks to specify any vpn connection or policy name that ends with abc a vpn connection named testabc would match there could be any number of any type of characters in front of the abc at the end and the vpn connection or policy name would still match a vpn connection or policy name named testacc for example would not match p.138
- View a list of active ssl vpn connections p.138
- Use this screen to do the following p.138
- The whole vpn connection or policy name has to match if you do not use a question mark or asterisk p.138
- The ssl screen p.138
- Ssl to display the user list p.138
- Regular expressions in searching ipsec sas p.138
- Once a user logs out the corresponding entry is removed from the screen p.138
- The l2tp over ipsec session monitor screen p.139
- The following table describes the labels in this screen p.139
- The following table describes the fields in this screen p.139
- Label description p.139
- L2tp over ipsec to open the following screen use this screen to display and manage the zywall usg s connected l2tp vpn sessions p.139
- L2tp over ipsec p.139
- Chapter 6 monitor p.139
- Zywall usg series user s guide p.139
- Zywall usg series user s guide p.140
- The following table describes the labels in this screen p.140
- The app patrol screen p.140
- Label description p.140
- L2tp over ipsec continued p.140
- Chapter 6 monitor p.140
- Application patrol provides a convenient way to manage the use of various applications on the network it manages general protocols for example http and ftp and instant messenger im peer to peer p2p voice over ip voip and streaming rstp applications you can even control the use of a particular application s individual features like text messaging voice video conferencing and file transfers p.140
- App patrol to display the following screen this screen displays application patrol statistics based on the app patrol profiles bound to security policy profiles p.140
- App patrol p.140
- Zywall usg series user s guide p.141
- The content filter screen p.141
- Label description p.141
- Content filter to display the following screen this screen displays content filter statistics p.141
- Chapter 6 monitor p.141
- App patrol p.141
- Zywall usg series user s guide p.142
- The following table describes the labels in this screen p.142
- Label description p.142
- Content filter p.142
- Chapter 6 monitor p.142
- Zywall usg series user s guide p.143
- The idp screen p.143
- Label description p.143
- Idp to display the following screen this screen displays idp intrusion detection and prevention statistics p.143
- Idp signature name p.143
- Content filter continued p.143
- Chapter 6 monitor p.143
- The statistics display as follows when you display the top entries by source p.144
- The following table describes the labels in this screen p.144
- Label description p.144
- Chapter 6 monitor p.144
- Zywall usg series user s guide p.144
- Zywall usg series user s guide p.145
- The statistics display as follows when you display the top entries by destination p.145
- The following table describes the labels in this screen p.145
- The anti virus screen p.145
- Label description p.145
- Idp source p.145
- Idp destination p.145
- Chapter 6 monitor p.145
- Anti virus virus name p.145
- Anti virus to display the following screen this screen displays anti virus statistics p.145
- Anti virus p.145
- Chapter 6 monitor p.146
- Anti virus source ip p.146
- Anti virus destination ip p.146
- Anti virus continued p.146
- Zywall usg series user s guide p.146
- The statistics display as follows when you display the top entries by source p.146
- The statistics display as follows when you display the top entries by destination p.146
- The anti spam screens p.146
- The anti spam menu contains the report and status screens p.146
- Label description p.146
- Zywall usg series user s guide p.147
- The following table describes the labels in this screen p.147
- Label description p.147
- Chapter 6 monitor p.147
- Anti spam to display the following screen this screen displays spam statistics p.147
- Anti spam report p.147
- Anti spam p.147
- Label description p.148
- Chapter 6 monitor p.148
- Anti spam continued p.148
- Zywall usg series user s guide p.148
- Zywall usg series user s guide p.149
- Use the anti spam status screen to see how many e mail sessions the anti spam feature is scanning and statistics for the dnsbls p.149
- The following table describes the labels in this screen p.149
- The anti spam status screen p.149
- Status to display the anti spam status screen p.149
- Status p.149
- Label description p.149
- Chapter 6 monitor p.149
- Anti spam continued p.149
- The ssl inspection screens p.150
- Status continued p.150
- Report to display the following screen p.150
- Report p.150
- Label description p.150
- Chapter 6 monitor p.150
- Zywall usg series user s guide p.150
- The zywall usg uses ssl inspection to decrypt ssl traffic sends it to the utm engines for inspection then encrypts traffic that passes inspection and forwards it p.150
- Zywall usg series user s guide p.151
- The following table describes the labels in this screen p.151
- Ssl traffic to a server to be excluded from ssl inspection is identified by its certificate traffic in an exclude list is not intercepted by ssl inspection p.151
- Report p.151
- Label description p.151
- Chapter 6 monitor p.151
- Certificate cache list to display a screen that shows details on ssl traffic going to servers identified by its certificate and an option to add that traffic to the exclude list p.151
- Certificate cache list p.151
- Zywall usg series user s guide p.152
- The following table describes the labels in this screen p.152
- Label description p.152
- Chapter 6 monitor p.152
- Certificate cache list p.152
- Chapter 6 monitor p.153
- Zywall usg series user s guide p.153
- View log p.153
- The maximum possible number of log messages in the zywall usg varies by model p.153
- The following table describes the labels in this screen p.153
- Note when a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first p.153
- Log the log is displayed in the following screen p.153
- Log screens p.153
- Log messages are stored in two separate logs one for regular log messages and one for debugging messages in the regular log you can look at all the log messages by selecting all logs or you can select a specific category of log messages for example security policy or user you can also look at the debugging log by selecting debug log all debugging messages have the same priority p.153
- Label description p.153
- Events that generate an alert as well as a log message display in red regular logs display in black click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order the web configurator saves the filter settings if you leave the view log screen and return to it later p.153
- Zywall usg series user s guide p.154
- View log continued p.154
- View ap log to open the following screen p.154
- View ap log p.154
- Label description p.154
- Chapter 6 monitor p.154
- Zywall usg series user s guide p.155
- Zywall usg p.155
- View ap log p.155
- The following table describes the labels in this screen p.155
- Label description p.155
- Chapter 6 monitor p.155
- Zywall usg series user s guide p.156
- Zywall usg p.156
- Label description p.156
- Chapter 6 monitor p.156
- What you need to know p.157
- Registration overview p.157
- Licensing p.157
- Service screen p.158
- Registration screen p.158
- Anti virus screen section 7 on page 159 to update the anti virus signatures p.159
- Zywall usg series user s guide p.159
- Your custom signature configurations are not over written when you download new signatures p.159
- You need a valid service registration to update the anti virus signatures and the idp apppatrol signatures p.159
- You do not need a service registration to update the system protection signatures p.159
- What you need to know p.159
- This section shows you how to update the zywall usg s signature packages p.159
- The anti virus update screen p.159
- Signature update p.159
- Service continued p.159
- Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network p.159
- Note the zywall usg does not have to reboot when you upload new signatures p.159
- Label description p.159
- Idp apppatrol screen section 7 on page 161 to update the signatures used for idp and application patrol p.159
- Chapter 7 licensing p.159
- Anti virus to display the following screen p.159
- Anti virus p.160
- Zywall usg series user s guide p.160
- The following table describes the labels in this screen p.160
- Label description p.160
- Chapter 7 licensing p.160
- The idp apppatrol update screen p.161
- Zywall usg series user s guide p.162
- Label description p.162
- Idp apppatrol continued p.162
- Chapter 7 licensing p.162
- Wireless p.163
- What you can do in this chapter p.163
- Overview p.163
- Controller screen p.163
- Chapter 8 wireless p.164
- Ap management to access these screens p.164
- Ap management screens p.164
- Zywall usg series user s guide p.164
- Note select the manual option for managing a specific set of aps this is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue aps p.164
- Mgnt ap list p.164
- Label description p.164
- Each field is described in the following table p.164
- Controller p.164
- Click on the icon to go to the onesecurity com website where there is guidance on configuration walkthroughs and other information p.164
- Zywall usg series user s guide p.165
- Note you should have enabled dcs in the applied ap radio profile berfore the aps can use dcs p.165
- Note dcs is not supported on the radio which is working in repeater ap mode p.165
- Mgnt ap list p.165
- Label description p.165
- Each field is described in the following table p.165
- Controller screen you set the registration type to always accept then as soon as you remove an ap from this list it reconnects p.165
- Chapter 8 wireless p.165
- Ap management table to display this screen p.166
- Zywall usg series user s guide p.166
- Label description p.166
- Edit ap list p.166
- Each field is described in the following table p.166
- Chapter 8 wireless p.166
- Zywall usg series user s guide p.167
- Label description p.167
- Edit ap list continued p.167
- Chapter 8 wireless p.167
- Zywall usg series user s guide p.168
- Label description p.168
- Each field is described in the following table p.168
- Chapter 8 wireless p.168
- Ap policy to access this screen p.168
- Ap policy p.168
- Ap group p.169
- Zywall usg series user s guide p.169
- Note you should have enabled dcs in the applied ap radio profile berfore the aps can use dcs p.169
- Note you cannot remove a group with which an ap is associated p.169
- Note dcs is not supported on the radio which is working in repeater ap mode p.169
- Label description p.169
- Each field is described in the following table p.169
- Chapter 8 wireless p.169
- Ap group to access this screen p.169
- Add edit ap group p.170
- Zywall usg series user s guide p.171
- Note reducing the output power also reduces the zywall usg s effective broadcast radius p.171
- Label description p.171
- Each field is described in the following table p.171
- Chapter 8 wireless p.171
- Add edit p.171
- Add edit continued p.172
- Zywall usg series user s guide p.172
- Note load balancing is not supported on the radio which is working in root ap or repeater ap mode p.172
- Label description p.172
- Chapter 8 wireless p.172
- Zywall usg series user s guide p.173
- When an ap connects to the zywall usg wireless controller the zywall usg will check if the ap has the same firmware version as the ap fimware on the zywall usg if yes then the zywall usg can manage it if no then the ap must upgrade or downgrade its firmware to be the same version as the ap firmware on the zywall usg and reboot p.173
- Use check to see if the zywall usg has the latest ap firmware use apply to have the zywall usg download the latest ap firmware see more details for more information on the firmware from the firmware server if the zywall usg does not have enough space for the latest ap firmware then the zywall usg will delete an existing firmware that no ap is using before downloading the new ap firmware p.173
- The zywall usg stores an ap firmware in order to manage supported aps this screen allows the zywall usg to check for and download new ap firmware when it becomes available on the firmware server all aps managed by the zywall usg must have the same firmware version as the ap fimware on the zywall usg p.173
- The zywall usg should always have the latest ap firmware so that p.173
- Note if you enable this function you should ensure that there are multiple aps within the broadcast radius that can accept any rejected or kicked wireless clients otherwise a wireless client attempting to connect to an overloaded ap will be kicked continuously and never be allowed to connect p.173
- Label description p.173
- Firmware p.173
- Chapter 8 wireless p.173
- Aps don t have to downgrade firmware in order to be managed p.173
- All new aps are supported p.173
- Add edit continued p.173
- Zywall usg series user s guide p.174
- Label description p.174
- Firmware to access this screen p.174
- Firmware p.174
- Each field is described in the following table p.174
- Chapter 8 wireless p.174
- Zywall usg series user s guide p.175
- Use this screen to assign aps either to the rogue ap list or the friendly ap list a rogue ap is a wireless access point operating in a network s coverage area that is not under the control of the network administrator and which can potentially open up holes in a network s security p.175
- Mon mode to access this screen p.175
- Mon mode p.175
- Label description p.175
- Firmware continued p.175
- Chapter 8 wireless p.175
- Chapter 8 wireless p.176
- Add edit rogue friendly list p.176
- Add edit rogue friendly p.176
- Zywall usg series user s guide p.176
- Mon mode table to display this screen p.176
- Mon mode p.176
- Label description p.176
- Each field is described in the following table p.176
- Zywall usg series user s guide p.177
- Label description p.177
- Each field is described in the following table p.177
- Chapter 8 wireless p.177
- Auto healing to access this screen p.177
- Auto healing p.177
- Add edit rogue friendly p.177
- Technical reference p.178
- Dynamic channel selection p.178
- Load balancing p.179
- Interface overview p.181
- What you can do in this chapter p.181
- Interfaces p.181
- What you need to know p.182
- Types of interfaces p.182
- Interface characteristics p.182
- Zywall usg series user s guide p.183
- The names of virtual interfaces are derived from the interfaces on which they are created for example virtual interfaces created on ethernet interface wan1 are called wan1 1 wan1 2 and so on virtual interfaces created on vlan interface vlan2 are called vlan2 1 vlan2 2 and so on you cannot specify the number after the colon in the web configurator it is a sequential number you can specify the number after the colon if you use the cli to set up a virtual interface p.183
- Table 84 relationships between different types of interfaces p.183
- Table 83 ethernet ppp cellular vlan bridge and virtual interface characteristics p.183
- Relationships between interfaces p.183
- Note the format of interface names other than the ethernet and ppp interface names is strict each name consists of 2 4 letters interface type followed by a number x for most interfaces x is limited by the maximum number of the type of interface for vlan interfaces x is defined by the number you enter in the vlan name field for example ethernet interface names are wan1 wan2 lan1 lan2 dmz vlan interfaces are vlan0 vlan1 vlan2 and so on p.183
- Interface required port interface p.183
- In the zywall usg interfaces are usually created on top of other interfaces only ethernet interfaces are created directly on top of the physical ports or port groups the relationships between interfaces are explained in the following table p.183
- Characteristics these characteristics are listed in the following table and discussed in more detail below p.183
- Characteristics ethernet ethernet ppp cellular vlan bridge virtual p.183
- Chapter 9 interfaces p.183
- Prefix and prefix length p.184
- Note you cannot set up a ppp interface virtual ethernet interface or virtual vlan interface if the underlying interface is a member of a bridge you also cannot add an ethernet interface or vlan interface to a bridge if the member interface has a virtual interface or ppp interface on top of it p.184
- Ipv6 overview p.184
- Ipv6 addressing p.184
- Subnet masking p.185
- Stateless autoconfiguration p.185
- Prefix delegation p.185
- Link local address p.185
- What you need to do first p.186
- Table 86 models with port role p.186
- Port role screen p.186
- Ipv6 router advertisement p.186
- Dhcpv6 p.186
- Physical ports p.187
- Ethernet summary screen p.187
- Default interface zone p.187
- Zywall usg series user s guide p.188
- Label description p.188
- Exchanged the more efficient the routers should be however the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management the zywall usg supports two routing protocols rip and ospf see chapter 10 on page 279 for background information about these routing protocols p.188
- Ethernet p.188
- Each field is described in the following table p.188
- Chapter 9 interfaces p.188
- Note if you create ip address objects based on an interface s ip address subnet or gateway the zywall usg automatically updates every rule or setting that uses the object whenever the interface s ip address settings change for example if you change the lan s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object p.189
- Ethernet edit p.189
- Igmp proxy p.190
- Zywall usg series user s guide p.197
- This screen s fields are described in the table below p.197
- Label description p.197
- Chapter 9 interfaces p.197
- Label description p.198
- Edit continued p.198
- Chapter 9 interfaces p.198
- Zywall usg series user s guide p.198
- Zywall usg series user s guide p.199
- Note this field displays the combined address after you click ok and reopen this screen p.199
- Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work p.199
- Label description p.199
- Edit continued p.199
- Chapter 9 interfaces p.199
- Zywall usg series user s guide p.200
- Note make sure the hosts also support router preference to make this function work p.200
- Label description p.200
- Edit continued p.200
- Chapter 9 interfaces p.200
- Note this field displays the combined address after you click ok and reopen this screen p.201
- Label description p.201
- Edit continued p.201
- Chapter 9 interfaces p.201
- Zywall usg series user s guide p.201
- Zywall usg series user s guide p.202
- Label description p.202
- Edit continued p.202
- Chapter 9 interfaces p.202
- Zywall usg series user s guide p.203
- Label description p.203
- Edit continued p.203
- Chapter 9 interfaces p.203
- Zywall usg series user s guide p.204
- Label description p.204
- Edit continued p.204
- Chapter 9 interfaces p.204
- Object references p.205
- Add edit dhcpv6 request release options p.205
- Add dhcpv6 request lease options p.206
- Zywall usg series user s guide p.206
- The following table describes labels that can appear in this screen p.206
- Select a dhcpv6 request or lease object in the select one object field and click ok to save it click cancel to exit without saving the setting p.206
- Label description p.206
- Edit select dhcp server in the dhcp setting section and then click add or edit in the extended options table p.206
- Chapter 9 interfaces p.206
- Add edit extended options p.206
- Add edit dhcp extended options p.206
- Zywall usg series user s guide p.207
- The following table lists the available dhcp extended options defined in rfcs on the zywall usg see rfcs for more information p.207
- Table 91 dhcp extended options p.207
- Option name code description p.207
- Label description p.207
- Chapter 9 interfaces p.207
- Add edit extended options p.207
- Ppp interface summary p.208
- Ppp interfaces p.208
- Zywall usg series user s guide p.209
- Ppp interface add or edit p.209
- Note you have to set up an isp account before you create a pppoe pptp interface p.209
- Label description p.209
- Ipv6 screen you can also configure ppp interfaces used for your ipv6 networks on this screen to access this screen click the add icon or an edit icon in the ppp interface screen p.209
- Each field is described in the table below p.209
- Chapter 9 interfaces p.209
- Zywall usg series user s guide p.211
- Note multiple ppp interfaces can use the same base interface p.211
- Label description p.211
- Each field is explained in the following table p.211
- Chapter 9 interfaces p.211
- Label description p.212
- Chapter 9 interfaces p.212
- Add continued p.212
- Zywall usg series user s guide p.212
- Note this field displays the combined address after you click ok and reopen this screen p.212
- Zywall usg series user s guide p.213
- Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work p.213
- Label description p.213
- Chapter 9 interfaces p.213
- Add continued p.213
- Note the actual data rate you obtain varies depending on the mobile broadband device you use the signal strength to the service provider s base station and so on p.214
- Cellular configuration screen p.214
- Note the wan ip addresses of a zywall usg with multiple wan interfaces must be on different subnets p.215
- Note the actual data rate you obtain varies depending on your mobile environment the environmental factors may include the number of mobile devices which are currently connected to the mobile network the signal strength to the mobile network and so on p.215
- Note install or connect a compatible mobile broadband usb device to use a cellular connection p.215
- Name type p.215
- Mobile phone and data standards data speed gsm based cdma based p.215
- Chapter 9 interfaces p.215
- Cellular p.215
- Zywall usg series user s guide p.215
- Table 94 2g 2 g 2 5g 3g 3 g and 4g wireless technologies p.215
- See the following table for a comparison between 2g 2 g 2 5g 3g and 4g wireless technologies p.215
- Zywall usg series user s guide p.216
- The following table describes the labels in this screen p.216
- Label description p.216
- Chapter 9 interfaces p.216
- Cellular p.216
- Cellular choose slot p.217
- Add edit cellular configuration p.217
- Zywall usg series user s guide p.219
- The following table describes the labels in this screen p.219
- Label description p.219
- Chapter 9 interfaces p.219
- Add edit p.219
- Add edit continued p.220
- Zywall usg series user s guide p.220
- Label description p.220
- Chapter 9 interfaces p.220
- Zywall usg series user s guide p.221
- Label description p.221
- Chapter 9 interfaces p.221
- Add edit continued p.221
- Zywall usg series user s guide p.222
- Label description p.222
- Chapter 9 interfaces p.222
- Add edit continued p.222
- Label description p.223
- Gre tunnels encapsulate a wide variety of network layer protocol packet types inside ip tunnels a gre tunnel serves as a virtual point to point link between the zywall usg and another router over an ipv4 network at the time of writing the zywall usg only supports gre tunneling in ipv4 networks p.223
- Gre tunneling p.223
- Chapter 9 interfaces p.223
- Add edit continued p.223
- Zywall usg series user s guide p.223
- Tunnel interfaces p.223
- The zywall usg uses tunnel interfaces in generic routing encapsulation gre ipv6 in ipv4 and 6to4 tunnels p.223
- Ipv6 over ipv4 tunnels p.224
- Ipv6 ipv4 p.224
- Ipv6 in ipv4 tunneling p.224
- Ipv4 ipv6 ipv6 p.224
- Internet p.224
- To4 tunneling p.225
- Ipv6 ipv4 p.225
- Internet p.225
- Configuring a tunnel p.225
- Label description p.226
- Each field is explained in the following table p.226
- Chapter 9 interfaces p.226
- Add or edit to open the following screen p.226
- Zywall usg series user s guide p.226
- Tunnel add or edit screen p.226
- Tunnel p.226
- Zywall usg series user s guide p.227
- Label description p.227
- Each field is explained in the following table p.227
- Chapter 9 interfaces p.227
- Add edit p.227
- Zywall usg series user s guide p.228
- Label description p.228
- Chapter 9 interfaces p.228
- Add edit continued p.228
- Zywall usg series user s guide p.229
- Label description p.229
- Chapter 9 interfaces p.229
- Add edit continued p.229
- Vlan interfaces p.230
- Vlan summary screen p.231
- Vlan interfaces overview p.231
- Note each vlan interface is created on top of only one ethernet interface p.231
- Zywall usg series user s guide p.232
- Label description p.232
- Each field is explained in the following table p.232
- Chapter 9 interfaces p.232
- Vlan add edit p.233
- Zywall usg series user s guide p.235
- Label description p.235
- Each field is explained in the following table p.235
- Chapter 9 interfaces p.235
- Add edit p.235
- Chapter 9 interfaces p.236
- Add edit continued p.236
- Zywall usg series user s guide p.236
- Label description p.236
- Zywall usg series user s guide p.237
- Note this field displays the combined address after you click ok and reopen this screen p.237
- Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work p.237
- Label description p.237
- Chapter 9 interfaces p.237
- Add edit continued p.237
- Zywall usg series user s guide p.238
- Note make sure the hosts also support router preference to make this function work p.238
- Label description p.238
- Chapter 9 interfaces p.238
- Add edit continued p.238
- Label description p.239
- Chapter 9 interfaces p.239
- Add edit continued p.239
- Zywall usg series user s guide p.239
- Note this field displays the combined address after you click ok and reopen this screen p.239
- Zywall usg series user s guide p.240
- Label description p.240
- Chapter 9 interfaces p.240
- Add edit continued p.240
- Zywall usg series user s guide p.241
- Label description p.241
- Chapter 9 interfaces p.241
- Add edit continued p.241
- Bridge interfaces p.242
- Label description p.242
- Chapter 9 interfaces p.242
- Bridge overview p.242
- Add edit continued p.242
- A bridge creates a connection between two or more network segments at the layer 2 mac address level in the following example bridge x connects four network segments p.242
- Zywall usg series user s guide p.242
- This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces p.242
- Bridge interface overview p.243
- Zywall usg series user s guide p.244
- Table 103 example routing table before and after bridge interface br0 is created continued p.244
- Label description p.244
- Ip address es destination ip address es destination p.244
- In this example virtual ethernet interface lan1 1 is also removed from the routing table when lan1 is added to br0 virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed p.244
- Each field is described in the following table p.244
- Chapter 9 interfaces p.244
- Bridge summary p.244
- Bridge p.244
- Label description p.245
- Chapter 9 interfaces p.245
- Bridge continued p.245
- Bridge add edit p.245
- Zywall usg series user s guide p.245
- This screen lets you configure ip address assignment interface bandwidth parameters dhcp settings and connectivity check for each bridge interface to access this screen click the add or edit icon in the bridge summary screen the following screen appears p.245
- Zywall usg series user s guide p.247
- Label description p.247
- Each field is described in the table below p.247
- Chapter 9 interfaces p.247
- Add edit p.247
- Zywall usg series user s guide p.248
- Label description p.248
- Chapter 9 interfaces p.248
- Add edit continued p.248
- Zywall usg series user s guide p.249
- Note this field displays the combined address after you click ok and reopen this screen p.249
- Label description p.249
- Chapter 9 interfaces p.249
- Add edit continued p.249
- Zywall usg series user s guide p.250
- Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work p.250
- Label description p.250
- Chapter 9 interfaces p.250
- Add edit continued p.250
- Zywall usg series user s guide p.251
- Note this field displays the combined address after you click ok and reopen this screen p.251
- Note make sure the hosts also support router preference to make this function work p.251
- Label description p.251
- Chapter 9 interfaces p.251
- Add edit continued p.251
- Zywall usg series user s guide p.252
- Label description p.252
- Chapter 9 interfaces p.252
- Add edit continued p.252
- Add edit continued p.253
- Zywall usg series user s guide p.253
- Label description p.253
- Chapter 9 interfaces p.253
- Zywall usg series user s guide p.254
- Virtual interfaces can be created on top of ethernet interfaces vlan interfaces or bridge interfaces virtual vlan interfaces recognize and use the same vlan id otherwise there is no difference between each type of virtual interface network policies for example security policies that apply to the underlying interface automatically apply to the virtual interface as well p.254
- Virtual interfaces add edit p.254
- Virtual interfaces p.254
- Use virtual interfaces to tell the zywall usg where to route packets virtual interfaces can also be used in vpn gateways see chapter 22 on page 385 and vrrp groups see chapter 34 on page 557 p.254
- This screen lets you configure ip address assignment and interface parameters for virtual interfaces to access this screen click the create virtual interface icon in the ethernet vlan or bridge interface summary screen p.254
- Like other interfaces virtual interfaces have an ip address subnet mask and gateway used to make routing decisions however you have to manually specify the ip address and subnet mask virtual interfaces cannot be dhcp clients like other interfaces you can restrict bandwidth through virtual interfaces but you cannot change the mtu the virtual interface uses the same mtu that the underlying interface uses unlike other interfaces virtual interfaces do not provide dhcp services and they do not verify that the gateway is available p.254
- Label description p.254
- Chapter 9 interfaces p.254
- Add edit continued p.254
- Create virtual interface p.255
- Each field is described in the table below p.255
- Chapter 9 interfaces p.255
- Zywall usg series user s guide p.255
- Label description p.255
- Lan1 wan1 p.256
- Ip address assignment p.256
- Interface technical reference p.256
- Interface parameters p.257
- Dhcp settings p.257
- Pppoe pptp overview p.258
- What you need to know p.259
- Trunk overview p.259
- Load balancing algorithms p.260
- Least load first p.260
- Weighted round robin p.261
- Spillover p.261
- The trunk summary screen p.262
- Add or edit p.263
- Zywall usg series user s guide p.263
- Trunk in the user configuration table click the add or edit icon to open the following screen use this screen to create or edit a wan trunk entry p.263
- Trunk continued p.263
- Label description p.263
- Configuring a user defined trunk p.263
- Chapter 9 interfaces p.263
- Zywall usg series user s guide p.264
- Label description p.264
- Each field is described in the table below p.264
- Chapter 9 interfaces p.264
- Add or edit p.264
- Label description p.265
- Edit system default p.265
- Configuring the system default trunk p.265
- Chapter 9 interfaces p.265
- Add or edit continued p.265
- Zywall usg series user s guide p.265
- Trunk screen and the system default section select the default trunk entry and click edit to open the following screen use this screen to change the load balancing algorithm and view the bandwidth allocations for each member interface p.265
- Note you can configure the bandwidth of an interface in the corresponding interface edit screen p.265
- Note the available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk p.265
- Zywall usg series user s guide p.266
- Label description p.266
- Edit system default p.266
- Each field is described in the table below p.266
- Chapter 9 interfaces p.266
- What you can do in this chapter p.267
- Routing p.267
- Policy and static routes overview p.267
- Policy routes versus static routes p.268
- Note the zywall usg automatically uses snat for traffic it routes from internal interfaces to external interfaces for example lan to wan traffic p.268
- Note bandwidth management in policy routes has priority over application patrol bandwidth management p.268
- How you can use policy routing p.268
- What you need to know p.268
- Static routes p.268
- Policy routing p.268
- Policy route screen p.269
- Dscp marking and per hop behavior p.269
- Diffserv p.269
- Zywall usg series user s guide p.270
- The following table describes the labels in this screen p.270
- Policy route p.270
- Label description p.270
- Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information p.270
- Chapter 10 routing p.270
- Policy route edit screen p.271
- Policy route continued p.271
- Label description p.271
- Chapter 10 routing p.271
- Zywall usg series user s guide p.271
- Routing to open the policy route screen then click the add or edit icon in the ipv4 configuration or ipv6 configuration section the add policy route or p.271
- Zywall usg series user s guide p.273
- The following table describes the labels in this screen p.273
- Label description p.273
- Chapter 10 routing p.273
- Add edit ipv6 configuration p.273
- Add edit p.273
- Zywall usg series user s guide p.274
- Label description p.274
- Chapter 10 routing p.274
- Add edit continued p.274
- Zywall usg series user s guide p.275
- Label description p.275
- Chapter 10 routing p.275
- Add edit continued p.275
- Zywall usg series user s guide p.276
- The following table describes the labels in this screen p.276
- Static route add edit screen p.276
- Static route p.276
- Select a static route index number and click add or edit the screen shown next appears use this screen to configure the required information for a static route p.276
- Label description p.276
- Ipv6 screen you can also configure static routes used for your ipv6 networks on this screen p.276
- Ip static route screen p.276
- Chapter 10 routing p.276
- Zywall usg series user s guide p.277
- The following table describes the labels in this screen p.277
- Label description p.277
- Chapter 10 routing p.277
- Add ipv6 configuration p.277
- Add ipv4 configuration p.277
- Assured forwarding af phb for diffserv p.278
- Policy routing technical reference p.278
- Nat and snat p.278
- Maximize bandwidth usage p.278
- What you need to know p.279
- The rip screen p.279
- Routing protocols overview p.279
- Finding out more p.279
- Zywall usg series user s guide p.280
- Use the rip screen to specify the authentication method and maintain the policies for redistribution p.280
- The following table describes the labels in this screen p.280
- Second the zywall usg can also redistribute routing information from non rip networks specifically ospf networks and static routes to the rip network costs might be calculated differently however so you use the metric field to specify the cost in rip terms p.280
- Rip uses udp port 520 p.280
- Rip to open the following screen p.280
- Label description p.280
- Chapter 10 routing p.280
- Ospf areas p.281
- The ospf screen p.281
- Ospf routers p.282
- Virtual links p.283
- Ospf configuration p.284
- Configuring the ospf screen p.284
- Zywall usg series user s guide p.285
- The ospf area add edit screen allows you to create a new area or edit an existing one to access this screen go to the ospf summary screen see section 10 on page 281 and click either the add icon or an edit icon p.285
- Ospf continued p.285
- Ospf area add edit screen p.285
- Label description p.285
- Chapter 10 routing p.285
- Zywall usg series user s guide p.286
- The following table describes the labels in this screen p.286
- Label description p.286
- Chapter 10 routing p.286
- Add continued p.287
- Zywall usg series user s guide p.287
- Virtual link add edit screen p.287
- The virtual link add edit screen allows you to create a new virtual link or edit an existing one when the ospf add or edit screen see section 10 on page 285 has the type set to normal a virtual link table displays click either the add icon or an entry and the edit icon to display a screen like the following p.287
- Label description p.287
- Chapter 10 routing p.287
- The following table describes the labels in this screen p.288
- Text authentication using a plain text password and the unencrypted password is sent over the network this method is usually used temporarily to prevent network problems p.288
- Routing protocol technical reference p.288
- None no authentication is used p.288
- Md5 is an authentication method that produces a 128 bit checksum called a message digest for each packet it also includes an authentication id which can be set to any value between 1 and 255 the zywall usg only accepts packets if these conditions are satisfied p.288
- Md5 authentication using an md5 password and authentication id p.288
- Label description p.288
- Here is more detailed information about rip and ospf p.288
- Chapter 10 routing p.288
- Authentication types p.288
- Authentication is used to guarantee the integrity but not the confidentiality of routing updates the transmitting router uses its key to encrypt the original message into a smaller message and the smaller message is transmitted with the original message the receiving router uses its key to encrypt the received message and then verifies that it matches the smaller message sent with it if the received message is verified then the receiving router accepts the updated routing information the transmitting and receiving routers must have the same key p.288
- Zywall usg series user s guide p.288
- The zywall usg supports three types of authentication for rip and ospf routing protocols p.288
- The packet s authentication id is the same as the authentication id of the interface that received it p.288
- What you need to know p.290
- What you can do in this chapter p.290
- Ddns overview p.290
- Zywall usg series user s guide p.291
- The following table describes the labels in this screen p.291
- The ddns screen p.291
- Label description p.291
- Ddns to open the following screen p.291
- Chapter 11 ddns p.291
- The dynamic dns add edit screen p.292
- Label description p.293
- Chapter 11 ddns p.293
- Add custom p.293
- Zywall usg series user s guide p.293
- The following table describes the labels in this screen p.293
- Zywall usg series user s guide p.294
- Note the zywall usg may not determine the proper ip address if there is an http proxy server between the zywall usg and the ddns server p.294
- Label description p.294
- Chapter 11 ddns p.294
- Add continued p.294
- Zywall usg series user s guide p.295
- Label description p.295
- Chapter 11 ddns p.295
- Add continued p.295
- What you need to know p.296
- What you can do in this chapter p.296
- The nat screen p.296
- Nat overview p.296
- Chapter 12 nat p.297
- Zywall usg series user s guide p.297
- The following table describes the labels in this screen p.297
- Nat the following screen appears providing a summary of the existing nat rules p.297
- Label description p.297
- Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information p.297
- The nat add edit screen p.298
- Zywall usg series user s guide p.299
- Label description p.299
- Chapter 12 nat p.299
- Add continued p.299
- Zywall usg series user s guide p.300
- Label description p.300
- Chapter 12 nat p.300
- Add continued p.300
- Nat technical reference p.301
- Nat loopback p.301
- Xxx lan smtp com 1 p.301
- Xxx lan smtp com p.301
- What you need to know p.303
- What you can do in this chapter p.303
- Overview p.303
- Http redirect p.303
- The http redirect screen p.304
- Note you can configure up to one http redirect rule for each incoming interface p.304
- Http redirect security policy and policy route p.304
- Zywall usg series user s guide p.305
- The http redirect edit screen p.305
- The following table describes the labels in this screen p.305
- Label description p.305
- Http redirect to open the http redirect screen then click the add or edit icon to open the http redirect edit screen where you can configure the rule p.305
- Http redirect p.305
- Chapter 13 http redirect p.305
- Zywall usg series user s guide p.306
- The following table describes the labels in this screen p.306
- Label description p.306
- Chapter 13 http redirect p.306
- What you need to know p.307
- Alg overview p.307
- Sip alg p.308
- H 23 alg p.308
- Ftp alg p.308
- Voip with multiple wan ip addresses p.309
- Voip calls from the wan with multiple outgoing calls p.309
- Peer to peer calls and the zywall usg p.309
- The alg screen p.310
- Note if the zywall usg provides an alg for a service you must enable the alg in order to use the application patrol on that service s traffic p.310
- Before you begin p.310
- Chapter 14 alg p.311
- Zywall usg series user s guide p.311
- The following table describes the labels in this screen p.311
- Label description p.311
- Zywall usg series user s guide p.312
- Label description p.312
- Chapter 14 alg p.312
- Alg continued p.312
- Alg technical reference p.313
- Alg and trunks p.313
- What you need to know p.315
- Upnp and nat pmp overview p.315
- Nat traversal p.315
- Upnp screen p.316
- Cautions with upnp and nat pmp p.316
- Click the start icon control panel and then the network and sharing center p.317
- Chapter 15 upnp p.317
- Zywall usg series user s guide p.317
- Turning on upnp in windows 7 example p.317
- This section shows you how to use the upnp feature in windows 7 upnp server is installed in windows 7 activate upnp on the zywall usg p.317
- The sections show examples of using upnp p.317
- The following table describes the fields in this screen p.317
- Technical reference p.317
- Make sure the computer is connected to a lan port of the zywall usg turn on your computer and the zywall usg p.317
- Label description p.317
- Using upnp in windows xp example p.319
- Auto discover your upnp enabled network device p.319
- Note when the upnp enabled device is disconnected from your computer all port mappings will be deleted automatically p.320
- Web configurator easy access p.321
- What you need to know p.324
- What you can do in this chapter p.324
- Ip mac binding overview p.324
- Ip mac binding p.324
- Zywall usg series user s guide p.325
- The following table describes the labels in this screen p.325
- Summary p.325
- Label description p.325
- Ip mac binding to open the ip mac binding summary screen this screen lists the total number of ip to mac address bindings for devices connected to each supported interface p.325
- Ip mac binding summary p.325
- Ip mac binding edit p.325
- Ip mac address bindings are grouped by interface you can use ip mac binding with ethernet bridge vlan and wlan interfaces you can also enable or disable ip mac binding and logging in an interface s configuration screen p.325
- Interfaces used with ip mac binding p.325
- Edit to open the ip mac binding edit screen use this screen to configure an interface s ip to mac address binding settings p.325
- Chapter 16 ip mac binding p.325
- The following table describes the labels in this screen p.326
- Static dhcp edit p.326
- Label description p.326
- Edit to open the ip mac binding edit screen click the add or edit icon to open the following screen use this screen to configure an interface s ip to mac address binding settings p.326
- Chapter 16 ip mac binding p.326
- Zywall usg series user s guide p.326
- Zywall usg series user s guide p.327
- The following table describes the labels in this screen p.327
- Label description p.327
- Ip mac binding exempt list p.327
- Exempt list to open the ip mac binding exempt list screen use this screen to configure ranges of ip addresses to which the zywall usg does not apply ip mac binding p.327
- Exempt list p.327
- Chapter 16 ip mac binding p.327
- Zywall usg series user s guide p.328
- Label description p.328
- Exempt list continued p.328
- Chapter 16 ip mac binding p.328
- What you can do in this chapter p.329
- Overview p.329
- Layer 2 isolation p.329
- Chapter 17 layer 2 isolation p.330
- Zywall usg series user s guide p.330
- White list screen p.330
- White list p.330
- The following table describes the labels in this screen p.330
- Note you can enable this feature only when the security policy is enabled p.330
- Layer 2 isolation general screen p.330
- Layer 2 isolation p.330
- Label description p.330
- Ip addresses that are not listed in the white list are blocked from communicating with other devices in the layer 2 isolation enabled internal interface s except for broadcast packets p.330
- The following table describes the labels in this screen p.331
- Note you need to know the ip address of each connected device that you want to allow to be accessed by other devices when layer 2 isolation is enabled p.331
- Note you can enable this feature only when the security policy is enabled p.331
- Note you can configure up to 100 white list rules on the zywall usg p.331
- Label description p.331
- Chapter 17 layer 2 isolation p.331
- Add edit white list rule p.331
- Zywall usg series user s guide p.331
- White list p.331
- This screen allows you to create a new rule in the white list or edit an existing one to access this screen click the add button or select an entry from the list and click the edit button p.331
- Zywall usg series user s guide p.332
- The following table describes the labels in this screen p.332
- Label description p.332
- Chapter 17 layer 2 isolation p.332
- Add edit p.332
- What you can do in this chapter p.333
- Inbound load balancing overview p.333
- Inbound load balancing p.333
- Label description p.334
- Inbound lb to open the following screen p.334
- Inbound lb p.334
- Dns inbound lb p.334
- Chapter 18 inbound load balancing p.334
- Zywall usg series user s guide p.334
- Use the inbound lb add edit screen see section 18 on page 335 to add or edit a dns load balancing rule p.334
- The inbound lb screen p.334
- The following table describes the labels in this screen p.334
- Note after you finish the inbound load balancing settings go to security policy and nat screens to configure the corresponding rule and virtual server to allow the internet users to access your internal servers p.334
- Zywall usg series user s guide p.335
- The inbound lb add edit screen p.335
- Label description p.335
- Inbound lb continued p.335
- Inbound lb and then the add or edit icon to open this screen p.335
- Chapter 18 inbound load balancing p.335
- Zywall usg series user s guide p.336
- The following table describes the labels in this screen p.336
- Label description p.336
- Chapter 18 inbound load balancing p.336
- Add edit p.336
- Zywall usg series user s guide p.337
- The inbound lb member add edit screen p.337
- Select weighted round robin to balance the traffic load between interfaces based on their respective weights an interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight for example if the weight ratio of wan1 and wan2 interfaces is 2 1 the zywall usg chooses wan1 for 2 sessions traffic and wan2 for every session s traffic in each round of 3 new sessions p.337
- Select a load balancing method to use from the drop down list box p.337
- Label description p.337
- Chapter 18 inbound load balancing p.337
- Add or edit and then an add or edit icon to open this screen p.337
- Add edit continued p.337
- Zywall usg series user s guide p.338
- The following table describes the labels in this screen p.338
- Label description p.338
- Chapter 18 inbound load balancing p.338
- Add edit p.338
- What you can do in this chapter p.339
- Web authentication p.339
- Web auth overview p.339
- What you need to know p.340
- Web authentication screen p.340
- Single sign on p.340
- Note this works with http traffic only the zywall usg does not display the login screen when users attempt to send other kinds of traffic p.340
- Forced user authentication p.340
- Zywall usg series user s guide p.341
- Web authentication web portal p.341
- Web authentication p.341
- The following table gives an overview of the objects you can configure p.341
- Label description p.341
- Chapter 19 web authentication p.341
- Zywall usg series user s guide p.342
- Web authentication continued p.342
- Label description p.342
- Chapter 19 web authentication p.342
- Creating editing an authentication policy p.343
- Creating exceptional services p.343
- Zywall usg series user s guide p.344
- The sso single sign on function integrates domain controller and zywall usg authentication mechanisms so that users just need to log in once single login to get access to permitted resources p.344
- The following table gives an overview of the objects you can configure p.344
- Sso overview p.344
- Label description p.344
- In the following figure u user logs into a domain controller dc which passes the user s login credentials to the sso agent the sso agent checks that these credentials are correct with the ad server and if the ad server confirms so the sso then notifies the zywall usg to allow access for the user to the permitted resource internet access for example p.344
- Chapter 19 web authentication p.344
- Add authentication policy p.344
- Web authentication screen p.345
- Sso does not support ipv6 ldap or radius you must use it in an ipv4 network environment with windows ad active directory authentication database p.345
- Note the zywall usg the dc the sso agent and the ad server must all be in the same domain and be able to communicate with each other p.345
- Sso zywall usg configuration p.346
- Screen field screen field p.346
- Configure the zywall usg to communicate with sso p.346
- Configuration overview p.346
- Zywall usg sso p.346
- Zywall usg series user s guide p.347
- The following table gives an overview of the objects you can configure p.347
- Label description p.347
- Enable web authentication and add a web authentication policy p.347
- Enable web authentication p.347
- Chapter 19 web authentication p.347
- Create a security policy p.348
- Configure user information p.349
- Configure an authentication method p.350
- Configure active directory p.351
- Sso agent configuration p.352
- What you can do in this chapter p.357
- Overview p.357
- At least three aps managed by the zywall usg the more aps the better since it increases the amount of information the ekahau rtls controller has for calculating the location of the tags p.358
- A dedicated rtls ssid is recommended p.358
- Zywall usg series user s guide p.358
- You need p.358
- The following table lists default port numbers and types of packets rtls uses p.358
- Table 148 rtls traffic port numbers p.358
- Security policies to allow rtls traffic if the zywall usg security policy control is enabled or the ekahau rtls controller is behind a firewall p.358
- Rtls to open this screen use this screen to turn rtls real time location system on or off and specify the ip address and server port of the ekahau rtls controller p.358
- Port number type description p.358
- Ip addresses for the ekahau wi fi tags p.358
- For example if the ekahau rtls controller is behind a firewall open ports 8550 8553 and 8569 to allow traffic the aps send to reach the ekahau rtls controller p.358
- Ekahau rtls controller in blink mode with tzsp updater enabled p.358
- Configuring rtls p.358
- Chapter 20 rtls p.358
- Before you begin p.358
- The following table describes the labels in this screen p.359
- Label description p.359
- Chapter 20 rtls p.359
- Zywall usg series user s guide p.359
- Security policy p.360
- Overview p.360
- One security p.361
- Zywall usg series user s guide p.363
- Table 150 onesecurity icons p.363
- Onesecurity icon screen p.363
- In the zywall usg you will see icons that link to onesecurity walkthroughs troubleshooting and so on in certain screens p.363
- For example at the time of writing these are the onesecurity icons you can see p.363
- Figure 245 example of l2tp over ipsec troubleshooting 2 p.363
- Chapter 21 security policy p.363
- What you can do in this chapter p.364
- Table 150 onesecurity icons continued p.364
- Onesecurity icon screen p.364
- Stateful inspection p.365
- Default directional security policy behavior p.365
- What you need to know p.365
- To device policies p.365
- Asymmetrical routes p.366
- User specific security policies p.366
- The security policy screen p.366
- Session limits p.366
- Security policy rule criteria p.366
- Global security policies p.366
- Configuring the security policy control screen p.367
- Zywall usg series user s guide p.368
- The following table describes the labels in this screen p.368
- Policy control p.368
- Label description p.368
- Chapter 21 security policy p.368
- Label description p.369
- Chapter 21 security policy p.369
- Zywall usg series user s guide p.369
- Policy control continued p.369
- Note allowing asymmetrical routes may let traffic from the wan go directly to the lan without passing through the zywall usg a better solution is to use virtual interfaces to put the zywall usg and the backup gateway on separate subnets p.369
- Zywall usg series user s guide p.370
- The security policy control add edit screen p.370
- Policy control continued p.370
- Label description p.370
- In the security policy control screen click the edit or add icon to display the security policy edit or add screen p.370
- Chapter 21 security policy p.370
- Zywall usg series user s guide p.371
- The following table describes the labels in this screen p.371
- Label description p.371
- Chapter 21 security policy p.371
- Anomaly detection and prevention overview p.372
- Anomaly detection and prevention adp protects against anomalies based on violations of protocol standards rfcs requests for comments and abnormal flows such as port scans this section introduces adp anomaly profiles and applying an adp profile to a traffic direction p.372
- Add continued p.372
- Zywall usg series user s guide p.372
- Note if you specified a source ip address group instead of any in the field below the user s ip address should be within the ip address range p.372
- Label description p.372
- Chapter 21 security policy p.372
- Traffic anomalies p.373
- The anomaly detection and prevention general screen p.373
- Protocol anomalies p.373
- Profile screen p.373
- Label description p.373
- General screen p.373
- Note depending on your network topology and traffic load applying every packet direction to an anomaly profile may affect the zywall usg s performance p.374
- Label description p.374
- General p.374
- Creating new adp profiles p.374
- Chapter 21 security policy p.374
- Adp profiles consist of traffic anomaly profiles and protocol anomaly profiles to create a new profile select a base profile and then click ok to go to the profile details screen type a new profile name enable or disable individual policies and then edit the default log options and actions p.374
- Zywall usg series user s guide p.374
- When creating adp profiles you may find that certain policies are triggering too many false positives or false negatives a false positive is when valid traffic is flagged as an attack a false negative is when invalid traffic is wrongly allowed to pass through the zywall usg as each network is different false positives and false negatives are common on initial adp deployment p.374
- To counter this you could create a monitor profile that creates logs but all actions are disabled observe the logs over time and try to eliminate the causes of the false alarms when you re satisfied that they have been reduced to an acceptable level you could then create an in line profile whereby you configure appropriate actions to be taken when a packet matches a policy p.374
- Profile to view the following screen p.374
- Profile screens p.374
- Zywall usg series user s guide p.375
- Traffic anomaly profiles p.375
- The following table describes the labels in this screen p.375
- Profile screen click the edit or add icon and choose a base profile traffic anomaly is the first tab in the profile p.375
- Profile p.375
- Label description p.375
- Chapter 21 security policy p.375
- The following table describes the labels in this screen p.376
- Labels description p.376
- Chapter 21 security policy p.376
- Add traffic anomaly p.376
- Zywall usg series user s guide p.376
- Zywall usg series user s guide p.377
- Labels description p.377
- Chapter 21 security policy p.377
- Add traffic anomaly continued p.377
- Protocol anomalies p.378
- Zywall usg series user s guide p.379
- The following table describes the labels in this screen p.379
- Label description p.379
- Chapter 21 security policy p.379
- Add protocol anomaly p.379
- Session control to display the security policy session control screen use this screen to limit the number of concurrent nat security policy sessions a client can use you can apply a default limit for all users and individual limits for specific users addresses or both the individual limit takes priority if you apply both p.380
- Session control p.380
- Label description p.380
- Chapter 21 security policy p.380
- Add protocol anomaly p.380
- Zywall usg series user s guide p.380
- The session control screen p.380
- Zywall usg series user s guide p.381
- The session control add edit screen p.381
- The following table describes the labels in this screen p.381
- Session control and the add or edit icon to display the add or edit screen use this screen to configure rules that define a session limit for specific users or addresses p.381
- Session control p.381
- Label description p.381
- Chapter 21 security policy p.381
- The following table describes the labels in this screen p.382
- Suppose you decide to block lan users from using irc internet relay chat through the internet to do this you would configure a lan to wan security policy that blocks irc traffic from any source ip address from going to any destination address you do not need to specify a schedule since you need the security policy to always be in effect the following figure shows the results of this policy p.382
- Security policy example applications p.382
- Note if you specified an ip address or address group instead of any in the field below the user s ip address should be within the ip address range p.382
- Label description p.382
- Chapter 21 security policy p.382
- Add edit p.382
- Zywall usg series user s guide p.382
- Zywall usg series user s guide p.384
- Your security policy would have the following settings p.384
- Your security policy would have the following configuration p.384
- User source destination schedule utm profile action p.384
- The third row is the default policy of allowing allows all traffic from the lan1 to go to the wan p.384
- The third row is the default policy of allowing all traffic from the lan1 to go to the wan p.384
- The second row blocks lan1 access to the irc service on the wan p.384
- The policy for the ceo must come before the policy that blocks all lan1 to wan irc traffic if the policy that blocks all lan1 to wan irc traffic came first the ceo s irc traffic would match that policy and the zywall usg would drop it and not check any other security policies p.384
- The first row allows the lan1 computer at ip address 172 6 to access the irc service on the wan p.384
- The first row allows any lan1 computer to access the irc service on the wan by logging into the zywall usg with the ceo s user name p.384
- Table 162 limited lan1 to wan irc traffic example 2 p.384
- Table 161 limited lan1 to wan irc traffic example 1 p.384
- Figure 256 limited lan to wan irc traffic example p.384
- Chapter 21 security policy p.384
- Alternatively you configure a lan1 to wan policy with the ceo s user name say ceo to allow irc traffic from any source ip address to go to any destination address p.384
- Virtual private networks vpn overview p.385
- Ipsec vpn p.385
- Ssl vpn p.386
- What you can do in this chapter p.387
- L2tp vpn p.387
- What you need to know p.388
- The zywall usg s application scenarios make it easier to configure your vpn connection settings p.389
- Table 163 ipsec vpn application scenarios p.389
- Site to site site to site with dynamic peer p.389
- See the help in the ipsec vpn quick setup wizard screens p.389
- See section 22 on page 410 for ipsec vpn background information p.389
- Remote access server role p.389
- Remote access client role p.389
- Finding out more p.389
- Chapter 22 ipsec vpn p.389
- Application scenarios p.389
- Zywall usg series user s guide p.389
- The vpn connection screen p.390
- Before you begin p.390
- Zywall usg series user s guide p.391
- Vpn connection screen see section 22 on page 390 and click either the add icon or an edit icon p.391
- Vpn connection p.391
- The vpn connection add edit ike screen p.391
- Label description p.391
- Each field is discussed in the following table p.391
- Chapter 22 ipsec vpn p.391
- Zywall usg series user s guide p.393
- Label description p.393
- Each field is described in the following table p.393
- Chapter 22 ipsec vpn p.393
- Edit continued p.394
- Chapter 22 ipsec vpn p.394
- Zywall usg series user s guide p.394
- Label description p.394
- Zywall usg series user s guide p.395
- Label description p.395
- Edit continued p.395
- Chapter 22 ipsec vpn p.395
- Zywall usg series user s guide p.396
- Label description p.396
- Edit continued p.396
- Chapter 22 ipsec vpn p.396
- Zywall usg series user s guide p.397
- Label description p.397
- Edit continued p.397
- Chapter 22 ipsec vpn p.397
- Each field is discussed in the following table see section 22 on page 399 for more information p.398
- Chapter 22 ipsec vpn p.398
- Zywall usg series user s guide p.398
- Vpn gateway the following screen appears p.398
- Vpn gateway p.398
- The vpn gateway screen p.398
- Label description p.398
- Zywall usg series user s guide p.399
- Vpn gateway continued p.399
- The vpn gateway add edit screen allows you to create a new vpn gateway policy or edit an existing one to access this screen go to the vpn gateway summary screen see section 22 on page 398 and click either the add icon or an edit icon p.399
- The vpn gateway add edit screen p.399
- Label description p.399
- Chapter 22 ipsec vpn p.399
- Note the zywall usg and remote ipsec router must use the same authentication method to establish the ike sa p.401
- Label description p.401
- Each field is described in the following table p.401
- Chapter 22 ipsec vpn p.401
- Add edit p.401
- Zywall usg series user s guide p.401
- Zywall usg series user s guide p.402
- Note the ipsec routers must trust each other s certificates p.402
- Label description p.402
- Chapter 22 ipsec vpn p.402
- Add edit continued p.402
- Zywall usg series user s guide p.403
- Note if peer id type is ip please read the rest of this section p.403
- Label description p.403
- Chapter 22 ipsec vpn p.403
- Add edit continued p.403
- Zywall usg series user s guide p.404
- Label description p.404
- Chapter 22 ipsec vpn p.404
- Add edit continued p.404
- Add edit continued p.405
- Zywall usg series user s guide p.405
- Label description p.405
- Chapter 22 ipsec vpn p.405
- Vpn concentrator requirements and suggestions p.406
- Vpn concentrator p.406
- Vpn concentrator screen p.407
- The vpn concentrator add edit screen p.407
- Zywall usg ipsec vpn client configuration provisioning p.408
- Ipv6 rules p.409
- Ipv4 rules with user based psk authentication p.409
- Ipv4 rules with ikev2 version p.409
- In the zywall usg quick setup wizard you can use the vpn settings for configuration provisioning wizard to create a vpn rule that will not violate these restrictions p.409
- Each field is discussed in the following table p.409
- Configuration provisioning p.409
- Chapter 22 ipsec vpn p.409
- A subnet or range remote policy p.409
- Zywall usg series user s guide p.409
- The following vpn gateway rules configured on the zywall usg cannot be provisioned to the ipsec vpn client p.409
- Label description p.409
- Note both routers must use the same negotiation mode p.410
- Ipsec vpn background information p.410
- Ike sa overview p.410
- Note both routers must use the same encryption algorithm authentication algorithm and dh key group p.411
- Ip addresses of the zywall usg and remote ipsec router p.411
- Ike sa proposal p.411
- Diffie hellman dh key exchange p.412
- Authentication p.412
- Note the zywall usg s local and peer id type and content must match the remote ipsec router s peer and local id type and content respectively p.413
- Note the zywall usg and the remote ipsec router must use the same pre shared key p.413
- Vpn nat and nat traversal p.414
- Negotiation mode p.414
- Additional topics for ike sa p.414
- X auth extended authentication p.415
- Certificates p.415
- Note the ipsec sa stays connected even if the underlying ike sa is not available anymore p.416
- Note you must set up the certificates for the zywall usg and remote ipsec router first p.416
- Note the zywall usg and remote ipsec router must use the same encapsulation p.416
- Note the zywall usg and remote ipsec router must use the same active protocol p.416
- Local network and remote network p.416
- Ipsec sa overview p.416
- Encapsulation p.416
- Active protocol p.416
- Note the zywall usg and remote ipsec router must use the same spi p.417
- Nat for inbound and outbound traffic p.417
- Ipsec sa proposal and perfect forward secrecy p.417
- Authentication and the security parameter index spi p.417
- Additional topics for ipsec sa p.417
- Source address in inbound packets inbound traffic source nat p.418
- Source address in outbound packets outbound traffic source nat p.418
- Lan lan p.419
- Ipsec vpn example scenario p.419
- Destination address in inbound packets inbound traffic destination nat p.419
- 68 24 172 6 24 p.419
- What you need to know p.420
- What you can do in this chapter p.420
- Ssl vpn p.420
- Overview p.420
- The ssl access privilege screen p.421
- Ssl access policy objects p.421
- The ssl access privilege policy add edit screen p.422
- The following table describes the labels in this screen p.422
- Label description p.422
- Chapter 23 ssl vpn p.422
- Access privilege p.422
- Zywall usg series user s guide p.422
- To create a new or edit an existing ssl access policy click the add or edit icon in the access privilege screen p.422
- Zywall usg series user s guide p.424
- Note to allow access to shared files on a windows 7 computer within windows 7 you must enable sharing on the folder and also go to the network and sharing center s advanced sharing settings and turn on the current network profile s file and printer sharing p.424
- Note although you can select admin and limited admin accounts in this screen they are reserved for device configuration only you cannot use them to access the ssl vpn portal p.424
- Label description p.424
- Chapter 23 ssl vpn p.424
- Add edit continued p.424
- Zywall usg series user s guide p.425
- The ssl global setting screen p.425
- Ssl vpn and click the global setting tab to display the following screen use this screen to set the ip address of the zywall usg or a gateway device on your network for full tunnel mode access enter access messages or upload a custom logo to be displayed on the remote user screen p.425
- Label description p.425
- Global setting p.425
- Chapter 23 ssl vpn p.425
- Add edit continued p.425
- Chapter 23 ssl vpn p.426
- Zywall usg series user s guide p.426
- The following table describes the labels in this screen p.426
- Ssl vpn and click the global setting tab to display the configuration screen p.426
- Note the logo graphic must be gif jpg or png format the graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed the zywall usg automatically resizes a graphic of a different resolution to 103 x 29 pixels the file size must be 100 kilobytes or less transparent background is recommended p.426
- Log in as a user to verify that the new logo displays properly p.426
- Label description p.426
- How to upload a custom logo p.426
- Global setting p.426
- Follow the steps below to upload a custom logo to display on the remote user ssl vpn screens p.426
- Click browse to locate the logo graphic make sure the file is in gif jpg or png format p.426
- Click apply to start the file transfer process p.426
- Zywall usg secuextender p.427
- Label description p.428
- Example configure zywall usg for secuextender p.428
- Ssl user screens p.431
- Overview p.431
- What you need to know p.431
- System requirements p.432
- Required information p.432
- Remote ssl user login p.432
- Finding out more p.432
- Certificates p.432
- The ssl vpn user screens p.435
- Note available resource links vary depending on the configuration your network administrator made p.435
- You can create a bookmark of the zywall usg by clicking the add to favorite icon this allows you to access the zywall usg using the bookmark without having to enter the address every time p.436
- The following table describes the various parts of a remote user screen p.436
- Table 178 remote user screen overview p.436
- In any remote user screen click the add to favorite icon p.436
- Figure 295 remote user screen p.436
- Description p.436
- Chapter 24 ssl user screens p.436
- Bookmarking the zywall usg p.436
- Zywall usg series user s guide p.436
- Ssl user application screen p.437
- Logging out of the ssl vpn user screens p.437
- The main file sharing screen p.438
- Ssl user file sharing p.438
- Note available actions you can perform in the file sharing screen vary depending on the rights granted to you on the file server p.438
- Opening a file or folder p.439
- Saving a file p.440
- Downloading a file p.440
- Renaming a file or folder p.441
- Note make sure the length of the folder name does not exceed the maximum allowed on the file server p.441
- Creating a new folder p.441
- Uploading a file p.442
- Note make sure the length of the name does not exceed the maximum allowed on the file server you may not be able to open a file if you change the file extension p.442
- Deleting a file or folder p.442
- Note uploading a file with the same name and file extension replaces the existing file on the file server no warning message is displayed p.443
- Zywall usg secuextender windows p.444
- The zywall usg secuextender icon p.444
- Status p.444
- Zywall usg series user s guide p.445
- View log p.445
- The following table describes the labels in this screen p.445
- Table 179 zywall usg secuextender status p.445
- Label description p.445
- If you have problems with the zywall usg secuextender customer support may request you to provide information from the log right click the zywall usg secuextender icon in the system tray and select log to open a notepad file of the zywall usg secuextender s log p.445
- Figure 308 zywall usg secuextender status p.445
- Chapter 25 zywall usg secuextender windows p.445
- Uninstalling the zywall usg secuextender p.446
- Suspend and resume the connection p.446
- Stop the connection p.446
- Overview p.448
- L2tp vpn p.448
- What you need to know p.448
- What you can do in this chapter p.448
- Using the quick setup vpn setup wizard p.449
- Policy route p.449
- Lan_subnet p.449
- L2tp_pool p.449
- L2tp vpn screen p.449
- Zywall usg series user s guide p.450
- The following table describes the fields in this screen p.450
- Note modifying this vpn connection or the vpn gateway that it uses disconnects any existing l2tp vpn sessions p.450
- Label description p.450
- L2tp vpn p.450
- Chapter 26 l2tp vpn p.450
- Example l2tp and zywall usg behind a nat router p.451
- Chapter 26 l2tp vpn p.451
- Address for the wan ip address of the nat router p.451
- Zywall usg series user s guide p.451
- Vpn connection and click add for ipv4 configuration to create a new vpn connection p.451
- Select remote access server role as the vpn scenario for the remote client p.451
- Label description p.451
- L2tp vpn continued p.451
- If the zywall usg z is behind a nat router n then do the following for remote clients c to access the network behind the zywall usg z using l2tp over ipv4 p.451
- What you need to know p.453
- What you can do in this chapter p.453
- Overview p.453
- Bwm bandwidth management p.453
- Diffserv and dscp marking p.454
- Connection and packet directions p.454
- Outbound p.455
- Inbound p.455
- Connection p.455
- Bandwidth management priority p.455
- Outbound and inbound bandwidth limits p.455
- Priority effect p.456
- Maximize bandwidth usage p.456
- Configured rate effect p.456
- Bwm 1000 kbps p.456
- Bandwidth management behavior p.456
- The bandwidth management screen p.457
- Priority and over allotment of bandwidth effect p.457
- Maximize bandwidth usage effect p.457
- Zywall usg series user s guide p.458
- The following table describes the labels in this screen see section 27 on page 460 for more information as well p.458
- Label description p.458
- Chapter 27 bwm bandwidth management p.458
- Bandwidth management p.458
- Chapter 27 bwm bandwidth management p.459
- Bandwidth management p.459
- Zywall usg series user s guide p.459
- Label description p.459
- Zywall usg series user s guide p.460
- Use 802 p to prioritize outgoing traffic from a vlan interface the priority code is a 3 bit field within a 802 q vlan tag that s used to prioritize associated outgoing vlan traffic 0 is the lowest priority level and 7 is the highest p.460
- The following table is a guide to types of traffic for the priority code p.460
- The bandwidth management add edit screen p.460
- Table 188 priority code and types of traffic priority traffic types p.460
- Table 187 802 q frame p.460
- Table 186 single tagged 802 q frame format p.460
- P marking p.460
- Edit for the default policy p.460
- Chapter 27 bwm bandwidth management p.460
- Bandwidth management screen see section 27 on page 457 and click either the add icon or an edit icon p.460
- Bandwidth management add edit screen allows you to create a new condition or edit an existing one p.460
- Chapter 27 bwm bandwidth management p.461
- Add edit p.461
- Zywall usg series user s guide p.461
- The following table describes the labels in this screen p.461
- Label description p.461
- Zywall usg series user s guide p.462
- Label description p.462
- Chapter 27 bwm bandwidth management p.462
- Add edit p.462
- Zywall usg series user s guide p.463
- Label description p.463
- Chapter 27 bwm bandwidth management p.463
- Add edit p.463
- Label description p.464
- Adding objects for the bwm policy p.464
- Label description p.465
- Chapter 27 bwm bandwidth management p.465
- Add user p.465
- Zywall usg series user s guide p.465
- Zywall usg series user s guide p.466
- The following table describes the fields in the above screen p.466
- Label description p.466
- Chapter 27 bwm bandwidth management p.466
- Add schedule p.466
- Zywall usg series user s guide p.467
- The following table describes the fields in the above screen p.467
- Label description p.467
- Chapter 27 bwm bandwidth management p.467
- Add address p.467
- What you need to know p.468
- What you can do in this chapter p.468
- Overview p.468
- Application patrol p.468
- Application patrol profile p.469
- Note you must register for the idp apppatrol signature service at least the trial before you can use it p.469
- Note the zywall usg allows the first eight packets to go through the security policy regardless of the application patrol policy for the application the zywall usg examines these first eight packets to identify the application p.469
- Finding out more p.469
- Custom ports for sip and the sip alg p.469
- Classification of applications p.469
- Zywall usg series user s guide p.470
- The following table describes the labels in this screen p.470
- Profile p.470
- Label description p.470
- Chapter 28 application patrol p.470
- The application patrol profile add edit screen p.471
- Profile then click add to create a new profile rule or click an existing profile and click edit or double click it to open the following screen p.471
- Profile p.471
- Label description p.471
- Chapter 28 application patrol p.471
- Add edit p.471
- Zywall usg series user s guide p.471
- The following table describes the labels in this screen p.471
- Zywall usg series user s guide p.472
- The following table describes the labels in this screen p.472
- The application patrol profile rule add application screen p.472
- Label description p.472
- Click add or edit under profile management in the previous screen to display the following screen p.472
- Chapter 28 application patrol p.472
- Add edit continued p.472
- Add edit p.472
- Zywall usg series user s guide p.473
- Label description p.473
- Chapter 28 application patrol p.473
- Add edit p.473
- Overview p.474
- Content filtering p.474
- What you need to know p.474
- What you can do in this chapter p.474
- Keyword blocking url checking p.475
- Finding out more p.475
- External web filtering service p.475
- Content filtering configuration guidelines p.475
- Before you begin p.475
- Content filter profile screen p.476
- Zywall usg series user s guide p.477
- Profile continued p.477
- Label description p.477
- Chapter 29 content filtering p.477
- Content filter profile add or edit screen p.478
- Content filter add profile category service p.478
- Chapter 29 content filtering p.480
- Category service p.480
- Zywall usg series user s guide p.480
- The following table describes the labels in this screen p.480
- Label description p.480
- Zywall usg series user s guide p.481
- Sites that use bots zombies including command and control site p.481
- Label description p.481
- Chapter 29 content filtering p.481
- Category service p.481
- Zywall usg series user s guide p.482
- The following table describes the managed categories p.482
- Table 198 managed category descriptions p.482
- Label description p.482
- Chapter 29 content filtering p.482
- Category service p.482
- Category description p.482
- Chapter 29 content filtering p.483
- Zywall usg series user s guide p.483
- Table 198 managed category descriptions continued p.483
- Zywall usg series user s guide p.484
- Table 198 managed category descriptions continued p.484
- Chapter 29 content filtering p.484
- Zywall usg series user s guide p.485
- Table 198 managed category descriptions continued p.485
- Chapter 29 content filtering p.485
- Zywall usg series user s guide p.486
- Table 198 managed category descriptions continued p.486
- Custom service to open the custom service screen you can create a list of good allowed web site addresses and a list of bad blocked web site addresses you can also block web sites based on whether the web site s address contains a keyword use this screen to add or remove specific sites or keywords from the filter list p.486
- Content filter add filter profile custom service p.486
- Chapter 29 content filtering p.486
- Label description p.487
- Custom service p.487
- Chapter 29 content filtering p.487
- Zywall usg series user s guide p.487
- The following table describes the labels in this screen p.487
- Zywall usg series user s guide p.488
- Label description p.488
- Custom service continued p.488
- Chapter 29 content filtering p.488
- Zywall usg series user s guide p.489
- Trusted web sites to open the trusted web sites screen you can create a common list of good allowed web site addresses when you configure filter profiles you can select the option to check the common trusted web sites list use this screen to add or remove specific sites from the filter list p.489
- Label description p.489
- Custom service continued p.489
- Content filter trusted web sites screen p.489
- Chapter 29 content filtering p.489
- Label description p.490
- Forbidden web sites to open the forbidden web sites screen you can create a common list of bad blocked web site addresses when you configure filter profiles you can select the option to check the common forbidden web sites list use this screen to add or remove specific sites from the filter list p.490
- Content filter forbidden web sites screen p.490
- Chapter 29 content filtering p.490
- Zywall usg series user s guide p.490
- Trusted web sites p.490
- The following table describes the labels in this screen p.490
- Zywall usg series user s guide p.491
- This section provides content filtering background information p.491
- The following table describes the labels in this screen p.491
- The content filter lookup process is described below p.491
- Label description p.491
- Forbidden web sites p.491
- External content filter server lookup procedure p.491
- Content filter technical reference p.491
- Chapter 29 content filtering p.491
- What you need to know p.493
- What you can do in this chapter p.493
- Overview p.493
- Before you begin p.493
- The idp profile screen p.494
- Note you must register in order to use packet inspection signatures see the registration screens p.494
- Zywall usg series user s guide p.495
- Profile screen click add to display the following screen p.495
- Profile continued p.495
- Label description p.495
- Figure 334 base profiles p.495
- Chapter 30 idp p.495
- Base profiles p.495
- You could create a new monitor profile that creates logs but all actions are disabled observe the logs over time and try to eliminate the causes of the false alarms when you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature p.496
- The following table describes this screen p.496
- Table 203 base profiles p.496
- Packet inspection signatures examine the contents of a packet for malicious data it operates at layer 4 to layer 7 an idp profile is a group of idp signatures that have the same log and action settings in group view you can configure the same log and action settings for all idp signatures by severity level in the add profile screen you may also configure signature exceptions in the sameview p.496
- Chapter 30 idp p.496
- Base profile description p.496
- Adding editing profiles p.496
- Zywall usg series user s guide p.496
- You may want to create a new profile if not all signatures in a base profile are applicable to your network in this case you should disable non applicable signatures so as to improve zywall usg idp processing efficiency p.496
- You may also find that certain signatures are triggering too many false positives or false negatives a false positive is when valid traffic is flagged as an attack a false negative is when invalid traffic is wrongly allowed to pass through the zywall usg as each network is different false positives and false negatives are common on initial idp deployment p.496
- Profile group view screen p.497
- Group view screen p.497
- Zywall usg series user s guide p.498
- Label description p.498
- Group view continued p.498
- Chapter 30 idp p.498
- Zywall usg series user s guide p.499
- Label description p.499
- Group view continued p.499
- Chapter 30 idp p.499
- Group view continued p.500
- Chapter 30 idp p.500
- Add profile query view p.500
- Zywall usg series user s guide p.500
- Query view p.500
- Label description p.500
- In the group view screen click switch to query view to search for signatures by criteria such as name id severity policy type platform service platforms or actions p.500
- Zywall usg series user s guide p.501
- This table describes policy types as categorized in the zywall usg p.501
- Table 205 policy types p.501
- Policy types p.501
- Policy type description p.501
- Chapter 30 idp p.501
- Table 206 idp service groups p.502
- Table 205 policy types continued p.502
- Policy type description p.502
- Idp service groups p.502
- Chapter 30 idp p.502
- An idp service group is a set of related packet inspection signatures p.502
- Zywall usg series user s guide p.502
- The n a service group is for signatures that are not for a specific service p.502
- Zywall usg series user s guide p.503
- The following table describes the fields specific to this screen s query view p.503
- Profile query view p.503
- Label description p.503
- Chapter 30 idp p.503
- Severity high p.504
- Service any p.504
- Query example p.504
- Profile query view continued p.504
- Policy type dos p.504
- Platform windows p.504
- Label description p.504
- Chapter 30 idp p.504
- Actions any p.504
- Zywall usg series user s guide p.504
- This example shows a search with these criteria p.504
- Ip packet header p.505
- Idp custom signatures p.505
- Zywall usg series user s guide p.506
- The header fields are discussed in the following table p.506
- Table 208 ip v4 packet headers p.506
- Header description p.506
- Figure 338 ip v4 packet headers p.506
- Chapter 30 idp p.506
- The following table describes the fields in this screen p.507
- Note the zywall usg checks all signatures and continues searching even after a match is found if two or more rules have conflicting actions for the same packet then the zywall usg applies the more restrictive action reject both reject receiver or reject sender drop none in this order if a packet matches a rule for reject receiver and it also matches a rule for reject sender then the zywall usg will reject both p.507
- Label description p.507
- Custom signatures p.507
- Custom signature s the first screen shows a summary of all custom signatures created click the sid or name heading to sort click the add icon to create a new signature or click the edit icon to edit an existing signature you can also delete custom signatures here or save them to your computer p.507
- Chapter 30 idp p.507
- Zywall usg series user s guide p.507
- Add edit custom signatures p.508
- Zywall usg series user s guide p.510
- The following table describes the fields in this screen p.510
- Label description p.510
- Chapter 30 idp p.510
- Add edit p.510
- Zywall usg series user s guide p.511
- Label description p.511
- Chapter 30 idp p.511
- Add edit continued p.511
- Label description p.512
- Custom signature example p.512
- Chapter 30 idp p.512
- Before creating a custom signature you must first clearly understand the vulnerability p.512
- Add edit continued p.512
- Zywall usg series user s guide p.512
- Understand the vulnerability p.513
- Analyze packets p.513
- Applying custom signatures p.514
- Verifying custom signatures p.515
- Network intrusions p.515
- Idp technical reference p.515
- Host intrusions p.515
- Table 211 zywall usg snort equivalent terms p.516
- Source and destination ports information p.516
- Source and destination ip addresses and netmasks p.516
- Snort signatures p.516
- Protocol p.516
- Chapter 30 idp p.516
- Action p.516
- 68 24 111 content 00 01 a5 msg mountd access p.516
- Zywall usg term snort equivalent term p.516
- Zywall usg series user s guide p.516
- You may want to refer to open source snort signatures when creating custom zywall usg ones most snort rules are written in a single line snort rules are divided into two logical sections the rule header and the rule options as shown in the following example p.516
- These are some equivalent snort terms in the zywall usg p.516
- The whole lan is compromised host based intrusions may be used to cause network based intrusions when the goal of the host virus is to propagate attacks on the network or attack computer server operating system vulnerabilities with the goal of bringing down the computer server typical network based intrusions are sql slammer blaster nimda mydoom etc p.516
- The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options the words before the colons in the rule options section are the option keywords p.516
- The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken p.516
- The rule header contains the rule s p.516
- Zywall usg term snort equivalent term p.517
- Zywall usg series user s guide p.517
- Table 211 zywall usg snort equivalent terms continued p.517
- Note not all snort functionality is supported in the zywall usg p.517
- Chapter 30 idp p.517
- What you can do in this chapter p.518
- Overview p.518
- Anti virus p.518
- Zywall usg anti virus scanner p.519
- What you need to know p.519
- Virus and worm p.519
- Since the zywall usg erases the infected portion of the file before sending it you may not be able to open the file p.519
- How the zywall usg anti virus scanner works p.519
- Anti virus engines p.519
- Notes about the zywall usg anti virus p.520
- Finding out more p.520
- Anti virus profile screen p.520
- Zywall usg series user s guide p.521
- The following table describes the labels in this screen p.521
- Profile p.521
- Label description p.521
- Chapter 31 anti virus p.521
- Chapter 31 anti virus p.522
- Anti virus profile add or edit p.522
- Zywall usg series user s guide p.522
- Profile screen to display the configuration screen as shown next p.522
- Profile continued p.522
- Label description p.522
- Zywall usg series user s guide p.523
- The following table describes the labels in this screen p.523
- Label description p.523
- Chapter 31 anti virus p.523
- Anti virus black list p.524
- Label description p.525
- For a white list entry enter a file pattern that should cause the zywall usg to allow a file p.525
- For a black list entry enter a file pattern that should cause the zywall usg to log and delete a file p.525
- Chapter 31 anti virus p.525
- Black list or white list screen click the add icon or an edit icon to display the following screen p.525
- Black list p.525
- Anti virus black list or white list add edit p.525
- Zywall usg series user s guide p.525
- The following table describes the labels in this screen p.525
- Zywall usg series user s guide p.526
- White list to display the screen shown next use the black white list screen to set up anti virus black blocked and white allowed lists of virus file patterns click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order p.526
- The following table describes the labels in this screen p.526
- Label description p.526
- Chapter 31 anti virus p.526
- Anti virus white list p.526
- Zywall usg series user s guide p.527
- White list p.527
- The following table describes the labels in this screen p.527
- Signature to display this screen use this screen to locate signatures and display details about them p.527
- Label description p.527
- If internet explorer opens a warning screen about a script making internet explorer run slowly and the computer maybe becoming unresponsive just click no to continue click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order p.527
- Chapter 31 anti virus p.527
- Av signature searching p.527
- Zywall usg series user s guide p.528
- Types of computer viruses p.528
- Type description p.528
- The following table describes the labels in this screen p.528
- The following table describes some of the common computer viruses p.528
- Table 218 common computer virus types p.528
- Signature p.528
- Label description p.528
- Chapter 31 anti virus p.528
- Anti virus technical reference p.528
- Types of anti virus scanner p.529
- Computer virus infection and prevention p.529
- What you need to know p.530
- What you can do in this chapter p.530
- Overview p.530
- Anti spam p.530
- Smtp and pop3 p.531
- Finding out more p.531
- E mail headers p.531
- E mail header buffer size p.531
- Before you begin p.531
- Zywall usg series user s guide p.532
- The following table describes the labels in this screen p.532
- The anti spam profile screen p.532
- Profilel p.532
- Profile p.532
- Label description p.532
- Configure your zones before you configure anti spam p.532
- Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information p.532
- Chapter 32 anti spam p.532
- Anti spam to open the anti spam profile screen use this screen to turn the anti spam feature on or off and manage anti spam policies you can also select the action the zywall usg takes when the mail sessions threshold is reached p.532
- Chapter 32 anti spam p.533
- Zywall usg series user s guide p.533
- The anti spam profile add or edit screen p.533
- Profile screen to display the configuration screen as shown next use this screen to configure an anti spam policy that controls what traffic direction of e mail to check which e mail protocols to scan the scanning options and the action to take on spam traffic p.533
- Profile p.533
- Label description p.533
- Zywall usg series user s guide p.534
- The following table describes the labels in this screen p.534
- Label description p.534
- Chapter 32 anti spam p.534
- Zywall usg series user s guide p.535
- The mail scan screen p.535
- Label description p.535
- Chapter 32 anti spam p.535
- Add edit screen p.535
- Add continued p.535
- Chapter 32 anti spam p.536
- Zywall usg series user s guide p.536
- The following table describes the labels in this screen p.536
- Mail scan p.536
- Label description p.536
- Zywall usg series user s guide p.537
- The anti spam black list screen p.537
- Mail scan p.537
- Label description p.537
- Configure the black list to identify spam e mail you can create black list entries based on the sender s or relay server s ip address or e mail address you can also create entries that check for particular e mail header fields with specific values or specific subject text click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order p.537
- Chapter 32 anti spam p.537
- Black white list to display the anti spam black list screen p.537
- Zywall usg series user s guide p.538
- The following table describes the labels in this screen p.538
- Label description p.538
- Chapter 32 anti spam p.538
- Black list p.538
- Zywall usg series user s guide p.539
- Use this screen to configure an anti spam black list entry to identify spam e mail you can create entries based on specific subject text or the sender s or relay s ip address or e mail address you can also create entries that check for particular header fields and values p.539
- The following table describes the labels in this screen p.539
- The anti spam black or white list add edit screen p.539
- Label description p.539
- In the anti spam black list or white list screen click the add icon or an edit icon to display the following screen p.539
- Chapter 32 anti spam p.539
- The zywall usg checks the first header with the name you specified in the entry so if the e mail has more than one received header the zywall usg checks the first one p.540
- The wildcard can be anywhere in the text string and you can use more than one wildcard you cannot use two wildcards side by side there must be other characters between them p.540
- The following applies for a black or white list entry based on an e mail subject e mail address or e mail header value p.540
- The anti spam white list screen p.540
- Regular expressions in black or white list entries p.540
- Label description p.540
- Configure the white list to identify legitimate e mail you can create white list entries based on the sender s or relay s ip address or e mail address you can also create entries that check for particular header fields and values or specific subject text p.540
- Chapter 32 anti spam p.540
- Black white list and then the white list tab to display the anti spam white list screen p.540
- Zywall usg series user s guide p.540
- You can also use a wildcard for example if you configure def com any e mail address that ends in def com matches so mail def com matches p.540
- Use a question mark to let a single character vary for example use a c without the quotation marks to specify abc acc and so on p.540
- Zywall usg series user s guide p.541
- White list p.541
- The following table describes the labels in this screen p.541
- Label description p.541
- Chapter 32 anti spam p.541
- The dnsbl screen p.542
- Zywall usg series user s guide p.543
- The following table describes the labels in this screen p.543
- Label description p.543
- Chapter 32 anti spam p.543
- Anti spam technical reference p.544
- A a a a not spam p.545
- A a a a b b b b p.545
- Ips a a a a b b b b p.545
- Dnsbl c p.545
- Dnsbl b p.545
- Dnsbl a p.545
- Ips c c c c d d d d p.546
- Dnsbl c p.546
- Dnsbl b p.546
- Dnsbl a p.546
- D d d d not spam p.546
- C c c c not spam p.546
- C c c c d d d d p.546
- Dnsbl b p.547
- Dnsbl a p.547
- A b c d w x y z p.547
- A b c d spam p.547
- A b c d not spam p.547
- Ips a b c d w x y z p.547
- Dnsbl c p.547
- What you need to know p.548
- What you can do in this chapter p.548
- Ssl inspection p.548
- Overview p.548
- The ssl inspection profile screen p.549
- Before you begin p.549
- Mymy12_3 4 p.550
- My profile p.550
- Label description p.550
- Chapter 33 ssl inspection p.550
- Add to create a new profile or select an existing profile and click edit to change its settings p.550
- Add edit ssl inspection profiles p.550
- Add edit p.550
- 1myprofile p.550
- Zywall usg series user s guide p.550
- Whatalongprofilename123456789012 p.550
- The following table describes the fields in this screen p.550
- Profile continued p.550
- Myprofile p.550
- Zywall usg series user s guide p.551
- Label description p.551
- Chapter 33 ssl inspection p.551
- Add edit continued p.551
- To ensure individual privacy and meet legal requirements you can configure an exclusion list to exclude matching sessions to destination servers this traffic is not intercepted and is passed through uninspected p.552
- There may be privacy and legality issues regarding inspecting a user s encrypted session the legal issues may vary by locale so it s important to check with your legal department to make sure that it s ok to intercept ssl traffic from your zywall usg users p.552
- Label description p.552
- Exclude list to display the following screen use add to put a new item in the list or edit to change an existing one or remove to delete an existing entry p.552
- Exclude list screen p.552
- Chapter 33 ssl inspection p.552
- Add edit continued p.552
- Zywall usg series user s guide p.552
- Zywall usg series user s guide p.553
- The following table describes the fields in this screen p.553
- Label description p.553
- Exclude list p.553
- Chapter 33 ssl inspection p.553
- Add edit p.553
- Certificate update screen p.554
- Install a ca certificate in a browser p.555
- Firefox browser p.556
- What you need to know p.557
- What you can do in this chapter p.557
- Overview p.557
- Device ha p.557
- Device ha general p.558
- Before you begin p.558
- Synchronization p.558
- Note subscribe to services on the backup zywall usg before synchronizing it with the master zywall usg p.558
- Note only zywall usgs of the same model and firmware version can synchronize p.558
- Finding out more p.558
- Zywall usg series user s guide p.559
- Virtual router p.559
- The master and backup zywall usg form a single virtual router in the following example master zywall usg a and backup zywall usg b form a virtual router p.559
- The following table describes the labels in this screen p.559
- The active passive mode screen p.559
- Note it is not recommended to use stp spanning tree protocol with device ha p.559
- Label description p.559
- General p.559
- Chapter 34 device ha p.559
- Virtual router and management ip addresses p.560
- Monitored interfaces in active passive mode device ha p.560
- Cluster id p.560
- Configuring active passive mode device ha p.561
- Zywall usg series user s guide p.563
- Label description p.563
- Chapter 34 device ha p.563
- Active passive mode continued p.563
- Zywall usg series user s guide p.564
- Label description p.564
- If you configure device ha settings for an ethernet interface and later add the ethernet interface to a bridge the zywall usg retains the interface s device ha settings and uses them again if you later remove the interface from the bridge if the bridge is later deleted or the interface is removed from it device ha will recover the interface s setting p.564
- Chapter 34 device ha p.564
- Active passive mode edit monitored interface p.564
- Active passive mode continued p.564
- A bridge interface s device ha settings are not retained if you delete the bridge interface p.564
- The following table describes the labels in this screen p.565
- Note do not connect the bridge interfaces on two zywall usgs without device ha activated on both doing so could cause a broadcast storm p.565
- Label description p.565
- Chapter 34 device ha p.565
- Zywall usg series user s guide p.565
- First option for connecting the bridge interfaces on two zywall usgs p.566
- Device ha technical reference p.566
- Br0 ge4 ge5 p.566
- Active passive mode device ha with bridge interfaces p.566
- Second option for connecting the bridge interfaces on two zywall usgs p.567
- Synchronization p.568
- Zones overview p.570
- What you need to know p.570
- Object p.570
- Label description p.571
- Inter zone traffic is traffic between interfaces or vpn tunnels in different zones for example in figure 375 on page 570 traffic between vlan 1 and the internet is inter zone traffic this is the normal case when zone based security and policy settings apply p.571
- Inter zone traffic p.571
- Extra zone traffic is traffic to or from any interface or vpn tunnel that is not assigned to a zone for example in figure 375 on page 570 traffic to or from computer c is extra zone traffic p.571
- Extra zone traffic p.571
- Chapter 35 object p.571
- Zywall usg series user s guide p.571
- The zone screen p.571
- The following table describes the labels in this screen p.571
- Some zone based security and policy settings may apply to extra zone traffic especially if you can set the zone attribute in them to any or all see the specific feature for more information p.571
- Zone edit p.572
- User group overview p.572
- What you need to know p.573
- User types p.573
- User account p.573
- Note the default admin account is always authenticated locally regardless of the authentication method setting see chapter 35 on page 637 for more information about authentication methods p.573
- Ext user accounts p.573
- Note you cannot put the default admin account into any user group p.574
- Note you cannot put access users and admin users in the same user group p.574
- Note if the zywall usg tries to authenticate an ext user using the local database the attempt always fails p.574
- Finding out more p.574
- Ext group user accounts p.574
- User groups p.574
- User awareness p.574
- Zywall usg series user s guide p.575
- Zywall us p.575
- User group user summary screen p.575
- User group p.575
- User add edit screen p.575
- The zywall usg supports ttls using pap so you can use the zywall usg s local user database to authenticate users with wpa or wpa2 instead of needing an external radius server p.575
- The user add edit screen allows you to create a new user account or edit an existing one p.575
- The following table describes the labels in this screen p.575
- Label description p.575
- Chapter 35 object p.575
- Enter a user name from 1 to 31 characters p.576
- Dashes p.576
- Chapter 35 object p.576
- Alphanumeric a z 0 9 there is no unicode support p.576
- _ underscores p.576
- Zywall usg series user s guide p.576
- User names have to be different than user group names p.576
- User names are case sensitive if you enter a user bob but use bob when connecting via cifs or ftp it will use the account settings used for bob not bob p.576
- To access this screen go to the user screen see section 35 4 on page 664 and click either the add icon or an edit icon p.576
- The user name can only contain the following characters p.576
- The first character must be alphabetical a z a z an underscore _ or a dash other limitations on user names are p.576
- Rules for user names p.576
- Here are the reserved user names p.576
- Zywall usg series user s guide p.577
- Zywall us p.577
- The following table describes the labels in this screen p.577
- Label description p.577
- Chapter 35 object p.577
- Chapter 35 object p.578
- Add continued p.578
- Zywall usg series user s guide p.578
- User group group summary screen p.578
- The group add edit screen allows you to create a new user group or edit an existing one to access this screen go to the group screen see section 35 on page 578 and click either the add icon or an edit icon p.578
- The following table describes the labels in this screen see section 35 on page 578 for more information as well p.578
- Label description p.578
- Group add edit screen p.578
- Zywall usg series user s guide p.579
- User group setting screen p.579
- The setting screen controls default settings login settings lockout settings and other user settings for the zywall usg you can also use this screen to specify when users must log in to the zywall usg before it routes traffic for them p.579
- The following table describes the labels in this screen p.579
- Setting p.579
- Label description p.579
- Chapter 35 object p.579
- Setting p.580
- Label description p.580
- Chapter 35 object p.580
- Zywall usg series user s guide p.580
- The following table describes the labels in this screen p.580
- Zywall usg series user s guide p.581
- Zywall us p.581
- Setting continued p.581
- Label description p.581
- Chapter 35 object p.581
- Zywall usg series user s guide p.582
- The default authentication timeout settings edit screen allows you to set the default authentication timeout settings for the selected type of user account these default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings you can still manually configure any user account s authentication timeout settings p.582
- Setting screen see section 35 on page 579 and click one of the default authentication timeout settings section s edit icons p.582
- Setting continued p.582
- Label description p.582
- Default user authentication timeout settings edit screens p.582
- Chapter 35 object p.582
- Chapter 35 object p.583
- Access users cannot use the web configurator to browse the configuration of the zywall usg instead after access users log into the zywall usg the following screen appears p.583
- Zywall usg series user s guide p.583
- Zywall us p.583
- User aware login example p.583
- The following table describes the labels in this screen p.583
- Label description p.583
- Figure 384 web configurator for non admin users p.583
- Zywall usg series user s guide p.584
- User group mac address summary screen p.584
- The following table describes the labels in this screen p.584
- Table 242 web configurator for non admin users p.584
- Note you need to configure an ssid security profile s mac authentication settings to have the ap use the zywall usg s local database to authenticate wireless clients by their mac addresses p.584
- Mac address to open this screen p.584
- Mac address p.584
- Label description p.584
- Chapter 35 object p.584
- Chapter 35 object p.585
- Zywall usg series user s guide p.585
- User group technical reference p.585
- This section provides some information on users who use an external authentication server in order to log in p.585
- This screen allows you to create a new allowed device or edit an existing one to access this screen go to the mac address screen see section 35 on page 584 and click either the add icon or an edit icon p.585
- The following table describes the labels in this screen p.585
- Mac address continued p.585
- Mac address add edit screen p.585
- Label description p.585
- Wireless profiles p.586
- What you need to know p.586
- Setting up user attributes in an external server p.586
- Creating a large number of ext user accounts p.586
- Ap profile overview p.586
- Wpa and wpa2 p.587
- Radio screen p.587
- Ieee 802 x p.587
- Zywall usg series user s guide p.588
- The following table describes the labels in this screen p.588
- Note you can have a maximum of 32 radio profiles on the zywall usg p.588
- Label description p.588
- Chapter 35 object p.588
- Add edit radio profile p.589
- Zywall usg series user s guide p.590
- Note if you change the country code later channel selection is set to manual automatically p.590
- Label description p.590
- Chapter 35 object p.590
- Add edit radio profile continued p.590
- Zywall usg series user s guide p.591
- Label description p.591
- Chapter 35 object p.591
- Add edit radio profile continued p.591
- Add edit radio profile continued p.592
- Zywall usg series user s guide p.592
- Label description p.592
- Chapter 35 object p.592
- Ssid screen p.593
- Ssid list p.593
- Note you can have a maximum of 32 ssid profiles on the zywall usg p.593
- Zywall usg series user s guide p.594
- This screen allows you to create a new ssid profile or edit an existing one to access this screen click the add button or select an ssid profile from the list and click the edit button p.594
- The following table describes the labels in this screen p.594
- Ssid list continued p.594
- Label description p.594
- Chapter 35 object p.594
- Add edit ssid profile p.594
- Label description p.595
- Chapter 35 object p.595
- Add edit ssid profile continued p.595
- Zywall usg series user s guide p.595
- Note it is highly recommended that you create security profiles for all of your ssids to enhance your network security p.595
- Zywall usg series user s guide p.596
- This screen allows you to manage wireless security configurations that can be used by your ssids wireless security is implemented strictly between the ap broadcasting the ssid and the stations that are connected to it p.596
- The following table describes the labels in this screen p.596
- Security list p.596
- Note you can have a maximum of 32 security profiles on the zywall usg p.596
- Label description p.596
- Chapter 35 object p.596
- Add edit ssid profile continued p.596
- Note this screen s options change based on the security mode selected only the default screen is displayed here p.597
- Add edit security profile p.597
- The following table describes the labels in this screen p.598
- Label description p.598
- Chapter 35 object p.598
- Add edit security profile p.598
- Zywall usg series user s guide p.598
- Zywall usg series user s guide p.599
- Label description p.599
- Chapter 35 object p.599
- Add edit security profile p.599
- Zywall usg series user s guide p.600
- The following table describes the labels in this screen p.600
- Note you can have a maximum of 32 mac filtering profiles on the zywall usg p.600
- Mac filter list p.600
- Label description p.600
- Chapter 35 object p.600
- This screen allows you to create a new mac filtering profile or edit an existing one to access this screen click the add button or select a mac filter profile from the list and click the edit button p.601
- The following table describes the labels in this screen p.601
- Label description p.601
- Chapter 35 object p.601
- Add edit mac filter profile p.601
- Zywall usg series user s guide p.601
- What you need to know p.602
- What you can do in this chapter p.602
- Passive scan p.602
- Overview p.602
- Mon profile p.602
- Active scan p.602
- Zywall usg series user s guide p.603
- This screen allows you to create a new monitor mode profile or edit an existing one to access this screen click the add button or select and existing monitor mode profile and click the edit button p.603
- The following table describes the labels in this screen p.603
- Mon profile p.603
- Label description p.603
- Chapter 35 object p.603
- Add edit mon profile p.603
- Chapter 35 object p.604
- Add edit mon profile p.604
- Zywall usg series user s guide p.604
- The following table describes the labels in this screen p.604
- Label description p.604
- Technical reference p.605
- Rogue aps p.605
- Zywall usg series user s guide p.606
- The following table shows the types of categories currently supported a and the associated signatures for each category b p.606
- Table 256 categories of applications p.606
- If you have more than one ap in your wireless network you should also configure a list of friendly aps friendly aps are other wireless access points that are detected in your network as well as any others that you know are not a threat those from recognized networks for example it is recommended that you export save your list of friendly aps often especially if you have a network with a large number of access points p.606
- Friendly aps p.606
- Figure 400 application categories and associated signatures p.606
- Chapter 35 object p.606
- Application categories of applications include at the time of writing p.606
- Application p.606
- Chapter 35 object p.607
- Application p.607
- Zywall usg series user s guide p.607
- Use the application screen section on page 607 to create application objects that can be used in app patrol profiles p.607
- Use the application group screen section 35 on page 611 to group application objects as an individual object that can be used in app patrol profiles p.607
- The following table describes the labels in this screen p.607
- Label description p.607
- Zywall usg series user s guide p.608
- You then click add again to choose the signatures that should go into this object p.608
- The following table describes the labels in this screen p.608
- Label description p.608
- Chapter 35 object p.608
- Application to create a new application rule in the first screen you type a name to identify this application object and write an optional brief description of it p.608
- Application continued p.608
- Add application rule p.608
- Add application object by category or service p.609
- Add by service p.610
- Add application object p.610
- Zywall usg series user s guide p.610
- The following table describes the labels in this screen p.610
- Label description p.610
- Chapter 35 object p.610
- Zywall usg series user s guide p.611
- The following table describes the labels in this screen p.611
- Label description p.611
- Chapter 35 object p.611
- Application group screen p.611
- Application group p.611
- Address overview p.612
- Add application group rule p.612
- What you need to know p.613
- Address summary screen p.613
- Address continued p.614
- Add edit p.614
- Zywall usg series user s guide p.614
- Label description p.614
- Ipv4 address add edit screen allows you to create a new address or edit an existing one to access this screen go to the address screen see section 35 on page 613 and click either the add icon or an edit icon in the ipv4 address configuration section p.614
- Ipv4 address add edit screen p.614
- Chapter 35 object p.614
- Zywall usg series user s guide p.615
- The following table describes the labels in this screen p.615
- Note the zywall usg automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change 1 s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object p.615
- Label description p.615
- Ipv6 address add edit screen allows you to create a new address or edit an existing one to access this screen go to the address screen see section 35 on page 613 and click either the add icon or an edit icon in the ipv6 address configuration section p.615
- Ipv6 address add edit screen p.615
- Chapter 35 object p.615
- Add edit p.615
- Address group click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order p.616
- Address group p.616
- Add edit p.616
- Zywall usg series user s guide p.616
- The following table describes the labels in this screen p.616
- Note the zywall usg automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change 1 s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object p.616
- Label description p.616
- Chapter 35 object p.616
- Address group summary screen p.616
- Zywall usg series user s guide p.617
- The following table describes the labels in this screen see section 35 on page 617 for more information as well p.617
- The address group add edit screen allows you to create a new address group or edit an existing one to access this screen go to the address group screen see section 35 on page 616 and click either the add icon or an edit icon in the ipv4 address group configuration or ipv6 address group configuration section p.617
- Label description p.617
- Chapter 35 object p.617
- Address group add edit screen p.617
- Address group p.617
- Service overview p.618
- Label description p.618
- Chapter 35 object p.618
- Zywall usg series user s guide p.618
- Use the service screens section 35 on page 619 to view and configure the zywall usg s list of services and their definitions p.618
- Use the service group screens section 35 on page 619 to view and configure the zywall usg s list of service groups p.618
- Use service objects to define tcp applications udp applications and icmp messages you can also create service groups to refer to multiple service objects in other features p.618
- The following table describes the labels in this screen p.618
- What you need to know p.619
- The service summary screen p.619
- Service objects and service groups p.619
- Ip protocols p.619
- The service add edit screen p.620
- The service group summary screen provides a summary of all service groups in addition this screen allows you to add edit and remove service groups p.621
- The service group summary screen p.621
- The following table describes the labels in this screen p.621
- Service group p.621
- Label description p.621
- Chapter 35 object p.621
- Zywall usg series user s guide p.621
- Zywall usg series user s guide p.622
- The service group add edit screen allows you to create a new service group or edit an existing one to access this screen go to the service group screen see section 35 on page 621 and click either the add icon or an edit icon p.622
- The service group add edit screen p.622
- The following table describes the labels in this screen see section 35 on page 622 for more information as well p.622
- Service group p.622
- Label description p.622
- Chapter 35 object p.622
- What you need to know p.623
- Schedule overview p.623
- Recurring schedules p.623
- One time schedules p.623
- Note schedules are based on the zywall usg s current date and time p.623
- Schedule p.624
- Label description p.624
- Chapter 35 object p.624
- Zywall usg series user s guide p.624
- The schedule summary screen p.624
- The following table describes the labels in this screen see section 35 on page 625 and section 35 on page 626 for more information as well p.624
- Schedules always begin and end in the same day recurring schedules are useful for defining the workday and off work hours p.624
- Zywall usg series user s guide p.625
- The one time schedule add edit screen allows you to define a one time schedule or edit an existing one to access this screen go to the schedule screen see section 35 on page 624 and click either the add icon or an edit icon in the one time section p.625
- The one time schedule add edit screen p.625
- The following table describes the labels in this screen p.625
- Schedule continued p.625
- Label description p.625
- Edit one time p.625
- Chapter 35 object p.625
- Label description p.626
- Edit recurring p.626
- Edit one time continued p.626
- Chapter 35 object p.626
- Zywall usg series user s guide p.626
- The year month and day columns are not used in recurring schedules and are disabled in this screen the following table describes the remaining labels in this screen p.626
- The recurring schedule add edit screen allows you to define a recurring schedule or edit an existing one to access this screen go to the schedule screen see section 35 on page 624 and click either the add icon or an edit icon in the recurring section p.626
- The recurring schedule add edit screen p.626
- Zywall usg series user s guide p.627
- The schedule group screen p.627
- The schedule group add edit screen allows you to define a schedule group or edit an existing one to access this screen go to the schedule screen see and click either the add icon or an edit icon in the schedule group section p.627
- The schedule group add edit screen p.627
- The following table describes the fields in the above screen p.627
- Schedule group p.627
- Label description p.627
- Configuration p.627
- Chapter 35 object p.627
- Chapter 35 object p.628
- Cancel p.628
- Aaa server overview p.628
- Zywall usg series user s guide p.628
- You can use a aaa authentication authorization accounting server to provide access control to your network the aaa server can be a active directory ldap or radius server use the aaa server screens to create and manage objects that contain settings for using aaa servers you use p.628
- The following table describes the fields in the above screen p.628
- Member list p.628
- Label description p.628
- Group members p.628
- Radius server p.629
- Directory service ad ldap p.629
- What you need to know p.630
- Directory structure p.630
- Aaa servers supported by the zywall usg p.630
- Distinguished name dn p.631
- Bind dn p.631
- Base dn p.631
- Active directory or ldap server summary p.631
- Adding an active directory or ldap server p.632
- O zyxel c u p.632
- Zywalladmi p.634
- Zywall usg series user s guide p.634
- The following table describes the labels in this screen p.634
- O zyxel c u p.634
- Label description p.634
- Cn zywalladmi p.634
- Chapter 35 object p.634
- Use the radius screen to manage the list of radius servers the zywall usg can use in authenticating users p.635
- The following table describes the labels in this screen p.635
- Radius to display the radius screen p.635
- Radius server summary p.635
- Radius p.635
- Label description p.635
- Chapter 35 object p.635
- Add continued p.635
- Zywall usg series user s guide p.635
- Adding a radius server p.636
- Zywall usg series user s guide p.637
- Label description p.637
- Follow the steps below to specify the authentication method for a vpn connection p.637
- Example selecting a vpn authentication method p.637
- Configure aaa server objects before you configure authentication method objects p.637
- Chapter 35 object p.637
- Before you begin p.637
- Authentication method objects set how the zywall usg authenticates wireless http https clients and peer ipsec routers extended authentication clients configure authentication method objects to have the zywall usg use the local user database and or the authentication servers and authentication server groups specified by aaa server objects by default user accounts created and stored on the zywall usg are authenticated locally p.637
- Auth method screens section 35 0 on page 638 to create and manage authentication method objects p.637
- Auth method overview p.637
- After you set up an authentication method object in the auth method screens you can use it in the vpn gateway screen to authenticate vpn users for establishing a vpn connection refer to the chapter on vpn for more information p.637
- Add continued p.637
- Note you can create up to 16 authentication method objects p.638
- Authentication method objects p.638
- Note you can not select two server objects of the same type p.639
- Creating an authentication method object p.639
- What you need to know p.640
- Certificate overview p.640
- Self signed certificates p.641
- Factory default certificate p.641
- Advantages of certificates p.641
- Verifying a certificate p.642
- Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default p.642
- Certificate file formats p.642
- The my certificates screen p.643
- The following table describes the labels in this screen p.644
- My certificates and then the add icon to open the my certificates add screen use this screen to have the zywall usg create a self signed certificate enroll a certificate with a certification authority or generate a certification request p.644
- My certificates p.644
- Label description p.644
- Chapter 35 object p.644
- Zywall usg series user s guide p.644
- The my certificates add screen p.644
- Zywall usg series user s guide p.645
- The following table describes the labels in this screen p.645
- Label description p.645
- Chapter 35 object p.645
- Zywall usg series user s guide p.646
- Label description p.646
- If you configured the my certificate create screen to have the zywall usg enroll a certificate and the certificate enrollment is not successful you see a screen with a return button that takes you back to the my certificate create screen click return and check your information in the my certificate create screen make sure that the certification authority information is correct and that your internet connection is working properly if you want the zywall usg to enroll a certificate online p.646
- Chapter 35 object p.646
- Add continued p.646
- The my certificates edit screen p.647
- Zywall usg series user s guide p.648
- The following table describes the labels in this screen p.648
- Label description p.648
- Chapter 35 object p.648
- Zywall usg series user s guide p.649
- You must remove any spaces from the certificate s filename before you can import it p.649
- The my certificates import screen p.649
- The certificate you import replaces the corresponding request in the my certificates screen p.649
- Note you can import a certificate that matches a corresponding certification request that was generated by the zywall usg you can also import a certificate in pkcs 12 format including the certificate s public and private keys p.649
- Label description p.649
- Import to open the my certificate import screen follow the instructions in this screen to save an existing certificate to the zywall usg p.649
- Edit continued p.649
- Chapter 35 object p.649
- Trusted certificates to open the trusted certificates screen this screen displays a summary list of certificates that you have set the zywall usg to accept as trusted the zywall usg also accepts any valid certificate signed by a certificate on this list as being trustworthy thus you do not need to import any certificate that is signed by one of these certificates p.650
- Trusted certificates p.650
- The trusted certificates screen p.650
- The following table describes the labels in this screen p.650
- Label description p.650
- Import p.650
- Chapter 35 object p.650
- Zywall usg series user s guide p.650
- Zywall usg series user s guide p.651
- Trusted certificates and then a certificate s edit icon to open the trusted certificates edit screen use this screen to view in depth information about the certificate change the certificate s name and set whether or not you want the zywall usg to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority p.651
- Trusted certificates p.651
- The trusted certificates edit screen p.651
- The following table describes the labels in this screen p.651
- Label description p.651
- Chapter 35 object p.651
- Zywall usg series user s guide p.653
- The following table describes the labels in this screen p.653
- Label description p.653
- Chapter 35 object p.653
- Label description p.654
- Import to open the trusted certificates import screen follow the instructions in this screen to save a trusted certificate to the zywall usg p.654
- Edit continued p.654
- Chapter 35 object p.654
- Zywall usg series user s guide p.654
- The trusted certificates import screen p.654
- Note you must remove any spaces from the certificate s filename before you can import the certificate p.654
- Isp account overview p.655
- Certificates technical reference p.655
- Isp account summary p.656
- Isp account edit p.656
- Zywall usg series user s guide p.657
- The following table describes the labels in this screen p.657
- Label description p.657
- Chapter 35 object p.657
- Label description p.658
- Edit continued p.658
- Chapter 35 object p.658
- Application types p.658
- A web based application allows remote users to access an intranet site using standard web browsers p.658
- Zywall usg series user s guide p.658
- You can configure the following ssl application on the zywall usg p.658
- You can also use the ssl application edit screen to specify the name of a folder on a linux or windows file server which remote users can access using a standard web browser section 35 3 on page 661 p.658
- What you need to know p.658
- Web based p.658
- Use the ssl application screen section 35 3 on page 660 to view the zywall usg s configured ssl application objects p.658
- Use the ssl application edit screen to create or edit web based application objects to allow remote users to access an application via standard web browsers section 35 3 on page 661 p.658
- Ssl vpn screen for a user account user group p.658
- Ssl application overview p.658
- Weblinks p.659
- Remote user screen links p.659
- Remote desktop connections p.659
- Example specifying a web site for access p.659
- The ssl application screen p.660
- Note if you are creating a file sharing ssl application you must also configure the shared folder on the file server for remote access refer to the document that comes with your file server p.661
- Creating editing an ssl application object p.661
- Zywall usg series user s guide p.662
- The following table describes the labels in this screen p.662
- Note you must enter the http or https prefix p.662
- Label description p.662
- Chapter 35 object p.662
- Add edit web application file sharing p.662
- Add edit file sharing p.662
- Zywall usg series user s guide p.663
- This section describes how to configure dhcpv6 request type and lease type objects p.663
- The request screen see section 35 4 on page 664 allows you to configure dhcpv6 request type objects p.663
- The lease screen see section 35 on page 578 allows you to configure dhcpv6 lease type objects p.663
- Label description p.663
- Dhcpv6 overview p.663
- Chapter 35 object p.663
- Add edit web application file sharing p.663
- Dhcpv6 request add edit screen p.664
- The dhcpv6 request screen p.664
- Zywall usg series user s guide p.665
- To access this screen go to the lease screen see section 35 4 on page 665 and click either the add icon or an edit icon p.665
- The lease add edit screen allows you to create a new lease object or edit an existing one p.665
- The following table describes the labels in this screen p.665
- The dhcpv6 lease screen p.665
- Label description p.665
- Dhcpv6 lease add edit screen p.665
- Chapter 35 object p.665
- Zywall usg series user s guide p.666
- The following table describes the labels in this screen p.666
- Label description p.666
- Chapter 35 object p.666
- What you can do in this chapter p.667
- System p.667
- Overview p.667
- Usb storage p.668
- Note see each section for related background information and term definitions p.668
- Note only connect one usb device it must allow writing it cannot be read only and use the fat16 fat32 ext2 or ext3 file system p.668
- Host name p.668
- Zywall usg series user s guide p.669
- Usb storage p.669
- The following table describes the labels in this screen p.669
- Label description p.669
- For effective scheduling and logging the zywall usg system time must be accurate the zywall usg s real time chip rtc keeps track of the time and date there is also a software mechanism to set the time manually or get the current time and date from an external server p.669
- Date time the screen displays as shown you can manually set the zywall usg s time and date or have the zywall usg get the date and time from a time server p.669
- Date and time p.669
- Chapter 36 system p.669
- The following table describes the labels in this screen p.670
- Label description p.670
- Date and time p.670
- Chapter 36 system p.670
- Zywall usg series user s guide p.670
- Zywall usg series user s guide p.671
- Label description p.671
- Date and time continued p.671
- Chapter 36 system p.671
- Time server synchronization p.672
- Pre defined ntp time servers list p.672
- Console port speed p.673
- Dns server address assignment p.674
- Dns overview p.674
- Configuring the dns screen p.674
- Zywall usg series user s guide p.675
- The following table describes the labels in this screen p.675
- Label description p.675
- Chapter 36 system p.675
- Chapter 36 system p.676
- Zywall usg series user s guide p.676
- Label description p.676
- Dns continued p.676
- Zywall usg series user s guide p.677
- Label description p.677
- Dns continued p.677
- Chapter 36 system p.677
- Ptr record p.678
- Address record p.678
- Adding an address ptr record p.678
- Label description p.679
- Domain zone forwarder p.679
- Cname record p.679
- Adding a cname record p.679
- Zywall usg series user s guide p.680
- Chapter 36 system p.680
- Adding a domain zone forwarder p.680
- The following table describes the labels in this screen p.680
- Label description p.680
- Fully qualified domain name without the host for example zyxel com tw is the domain zone for the www zyxel com tw fully qualified domain name p.680
- Domain zone forwarder add p.680
- Click the add icon in the domain zone forwarder table to add a domain zone forwarder record p.680
- 3 editing a security option control p.681
- 2 security option control p.681
- 1 adding a mx record p.681
- 0 mx record p.681
- The following table describes the labels in this screen p.682
- Security option control edit customize p.682
- Label description p.682
- Click the add icon in the service control table to add a service control rule p.682
- Chapter 36 system p.682
- 4 adding a dns service control rule p.682
- Zywall usg series user s guide p.682
- Zywall usg series user s guide p.683
- You have disabled that service in the corresponding screen p.683
- Www overview p.683
- To stop a service from accessing the zywall usg clear enable in the corresponding service screen p.683
- The following table describes the labels in this screen p.683
- The following figure shows secure and insecure management of the zywall usg coming in from the wan https and ssh access are secure http and telnet access are not secure p.683
- The allowed ip address address object in the service control table does not match the client ip address the zywall usg disallows the session p.683
- Service control rule add p.683
- Service access limitations p.683
- Note to allow the zywall usg to be accessed from a specified computer using a service make sure you do not have a service control rule or to zywall usg security policy rule to block that traffic p.683
- Label description p.683
- Chapter 36 system p.683
- A service cannot be used to access the zywall usg when p.683
- System timeout p.684
- Configuring www service control p.685
- Zywall usg series user s guide p.686
- The following table describes the labels in this screen p.686
- Service control p.686
- Label description p.686
- Chapter 36 system p.686
- Zywall usg series user s guide p.687
- Service control continued p.687
- Label description p.687
- Chapter 36 system p.687
- Zywall usg series user s guide p.688
- Service control rules p.688
- Service control continued p.688
- Label description p.688
- Click add or edit in the service control table in a www ssh telnet ftp or snmp screen to add a service control rule p.688
- Chapter 36 system p.688
- Chapter 36 system p.689
- Zywall usg series user s guide p.689
- The following table describes the labels in this screen p.689
- Login page to open the login page screen use this screen to customize the web configurator login screen you can also customize the page that displays after an access user logs into the web configurator to access network services like the internet p.689
- Label description p.689
- Customizing the www login page p.689
- Zywall usg series user s guide p.692
- Your desired color should display in the preview screen on the right after you click in another field click apply or press enter if your desired color does not display your browser may not support it try selecting another color p.692
- The following table describes the labels in the screen p.692
- Note use a gif jpg or png of 100 kilobytes or less p.692
- Login page p.692
- Label description p.692
- Enter rgb followed by red green and blue values in parenthesis and separate by commas for example use rgb 0 0 0 for black p.692
- Enter a pound sign followed by the six digit hexadecimal number that represents the desired color for example use 000000 for black p.692
- Chapter 36 system p.692
- Internet explorer warning messages p.693
- Https example p.693
- Mozilla firefox warning messages p.693
- Login screen p.694
- Avoiding browser warning messages p.694
- Installing the ca s certificate p.695
- Enrolling and importing ssl client certificates p.695
- Installing your personal certificate s p.696
- Using a certificate when accessing the zywall usg example p.699
- How ssh works p.701
- You must install an ssh client program on a client computer windows or linux operating system that is used to connect to the zywall usg over ssh p.702
- The following table describes the labels in this screen p.702
- Ssh to change your zywall usg s secure shell settings use this screen to specify from which zones ssh can be used to manage the zywall usg you can also specify from which ip addresses the access can come p.702
- Ssh implementation on the zywall usg p.702
- Requirements for using ssh p.702
- Label description p.702
- Configuring ssh p.702
- Chapter 36 system p.702
- Zywall usg series user s guide p.702
- Your zywall usg supports ssh versions 1 and 2 using rsa authentication and four encryption methods aes 3des archfour and blowfish the ssh server is implemented on the zywall usg for management using port 22 by default p.702
- Zywall usg series user s guide p.703
- This section shows two examples using a command interface and a graphical interface ssh client program to remotely access the zywall usg the configuration and connection steps are similar for most ssh client programs refer to your ssh client program user s guide p.703
- This section describes how to access the zywall usg using the secure shell client program p.703
- Ssh continued p.703
- Secure telnet using ssh examples p.703
- Launch the ssh client and specify the connection information ip address port number for the zywall usg p.703
- Label description p.703
- Figure 487 ssh example 1 store host key p.703
- Example 1 microsoft windows p.703
- Enter the password to log in to the zywall usg the cli screen displays next p.703
- Configure the ssh client to accept connection using ssh version 1 p.703
- Chapter 36 system p.703
- A window displays prompting you to store the host key in you computer click yes to continue p.703
- Configuring telnet p.704
- Telnet p.704
- Example 2 linux p.704
- Zywall usg series user s guide p.705
- The following table describes the labels in this screen p.705
- Telnet p.705
- Label description p.705
- Chapter 36 system p.705
- Zywall usg series user s guide p.706
- You can upload and download the zywall usg s firmware and configuration files using ftp to use this feature your computer must have an ftp client p.706
- The following table describes the labels in this screen p.706
- Label description p.706
- Ftp tab the screen appears as shown use this screen to specify from which zones ftp can be used to access the zywall usg you can also specify from which ip addresses the access can come p.706
- Configuring ftp p.706
- Chapter 36 system p.706
- Ftp continued p.707
- Chapter 36 system p.707
- Zywall usg series user s guide p.707
- Simple network management protocol is a protocol used for exchanging management information between network devices your zywall usg supports snmp agent functionality which allows a manager station to manage and monitor the zywall usg through the network the zywall usg supports snmp version one snmpv1 version two snmpv2c and version 3 snmpv3 the next figure illustrates an snmp management operation p.707
- Label description p.707
- Snmpv3 and security p.708
- Zywall usg series user s guide p.709
- The zywall usg will send traps to the snmp manager when any one of the following events occurs p.709
- The zywall usg supports mib ii that is defined in rfc 1213 and rfc 1215 the zywall usg also supports private mibs zywall mib and zyxel zywall zld common mib to collect information about cpu and memory usage and vpn total throughput the focus of the mibs is to let administrators collect statistical data and monitor status and performance you can download the zywall usg s mibs from www zyxel com p.709
- Table 315 snmp traps p.709
- Supported mibs p.709
- Snmp traps p.709
- Snmp tab the screen appears as shown use this screen to configure your snmp settings including from which zones snmp can be used to access the zywall usg you can also specify from which ip addresses the access can come p.709
- Security can be further enhanced by encrypting the snmp messages sent from the managers encryption protects the contents of the snmp messages when the contents of the snmp messages are encrypted only the intended recipients can read them p.709
- Object label object id description p.709
- Configuring snmp p.709
- Chapter 36 system p.709
- Chapter 36 system p.710
- Zywall usg series user s guide p.710
- The following table describes the labels in this screen p.710
- Note your login password must consist of at least 8 printable characters for snmpv3 an error message will display if your login password has fewer characters p.710
- Label description p.710
- Zywall usg series user s guide p.711
- Snmp continued p.711
- Label description p.711
- Chapter 36 system p.711
- Zywall usg series user s guide p.712
- The following table describes the labels in this screen p.712
- Label description p.712
- Chapter 36 system p.712
- Authentication server p.712
- Auth server tab the screen appears as shown use this screen to enable the authentication server feature of the zywall usg and specify the radius client s ip address p.712
- Auth server p.712
- Add edit p.713
- Zywall usg series user s guide p.713
- The following table describes the labels in this screen p.713
- Label description p.713
- Chapter 36 system p.713
- Auth server to display the auth server screen click the add icon or an edit icon to display the following screen use this screen to create a new entry or edit an existing one p.713
- Auth server continued p.713
- Add edit trusted radius client p.713
- Cloudcnm screen p.714
- To allow cloudcnm management of your zywall usg p.715
- The zywall usg must be able to communicate with the cloudcnm server p.715
- The following table describes the labels in this screen p.715
- Perform site to site hub spoke fully meshed and remote access vpn provisioning p.715
- Label description p.715
- Cloudcnm to allow the zywall usg to find the cloudcnm server p.715
- Cloudcnm p.715
- Chapter 36 system p.715
- Zywall usg series user s guide p.715
- You must have a cloudcnm license with cnm id number or a cloudcnm url identifying the server p.715
- Zywall usg series user s guide p.716
- The following table describes the labels in this screen p.716
- Note see the cloudcnm user guide for more information on cloudcnm p.716
- Language to open the following screen use this screen to select a display language for the zywall usg s web configurator screens p.716
- Language screen p.716
- Language p.716
- Label description p.716
- Ipv6 to open the following screen use this screen to enable ipv6 support for the zywall usg s web configurator screens p.716
- Ipv6 screen p.716
- Cloudcnm continued p.716
- Chapter 36 system p.716
- Icon description p.717
- Figure 500 zon utility screen p.717
- Chapter 36 system p.717
- Zyxel one network zon utility p.717
- Zywall usg series user s guide p.717
- The zyxel one network zon utility uses the zyxel discovery protocol zdp for discovering and configuring zdp aware zyxel devices in the same broadcast domain as the computer on which zon is installed p.717
- The zon utility issues requests via zdp and in response to the query the zyxel device responds with basic information including ip address firmware version location system and model name the information is then displayed in the zon utility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it you can download the zon utility at www zyxel com and install it on a computer p.717
- The following table describes the labels in this screen p.717
- The following figure shows the zon utility screen p.717
- Table 322 zon utility icons p.717
- Label description p.717
- In the zon utility select a device and then use the icons to perform actions the following table describes the icons numbered from left to right in the zon utility screen p.717
- The following table describes the fields in the zon utility main screen p.718
- Table 323 zon utility fields p.718
- Table 322 zon utility icons p.718
- Label description p.718
- Icon description p.718
- Ethernet neighbor for information on using smart connect link layer discovery protocol lldp for discovering and configuring lldp aware devices in the same broadcast domain as the zywall usg that you re logged into using the web configurator p.718
- Chapter 36 system p.718
- Zyxel one network zon system screen p.718
- Zywall usg series user s guide p.718
- Zon screen p.718
- Zywall usg series user s guide p.719
- The following table describes the labels in this screen p.719
- Label description p.719
- Chapter 36 system p.719
- What you can do in this chapter p.720
- Overview p.720
- Log and report p.720
- Email daily report p.720
- Log setting screens p.722
- Log screen use the e mail profiles to mail log messages p.722
- Label description p.722
- Email daily report p.722
- Chapter 37 log and report p.722
- Zywall usg series user s guide p.722
- The log setting screens control log messages and alerts a log message stores the information for viewing or regular e mailing later and an alert is e mailed immediately usually alerts are used for events that require more serious attention such as system errors and attacks p.722
- The following table describes the labels in this screen p.722
- Log setting summary p.723
- Zywall usg series user s guide p.724
- The log settings edit screen controls the detailed settings for each log in the system log which includes the e mail profiles go to the log settings summary screen see section 37 on page 723 and click the system log edit icon p.724
- Log setting continued p.724
- Label description p.724
- Edit system log settings p.724
- Chapter 37 log and report p.724
- Zywall usg series user s guide p.727
- The following table describes the labels in this screen p.727
- Label description p.727
- Edit system log ap p.727
- Edit system log p.727
- Chapter 37 log and report p.727
- Zywall usg series user s guide p.728
- Label description p.728
- Edit system log continued p.728
- Chapter 37 log and report p.728
- Zywall usg series user s guide p.729
- The edit log on usb storage setting screen controls the detailed settings for saving logs to a connected usb storage device go to the log setting summary screen see section 37 on page 723 and click the usb storage edit icon p.729
- Label description p.729
- Edit system log continued p.729
- Edit log on usb storage setting p.729
- Chapter 37 log and report p.729
- The log settings edit screen controls the detailed settings for each log in the remote server syslog go to the log settings summary screen see section 37 on page 723 and click a remote server edit icon p.731
- The following table describes the labels in this screen p.731
- Label description p.731
- Edit usb storage p.731
- Edit remote server log settings p.731
- Chapter 37 log and report p.731
- Zywall usg series user s guide p.731
- Zywall usg series user s guide p.733
- The following table describes the labels in this screen p.733
- Label description p.733
- Edit remote server ap p.733
- Edit remote server p.733
- Chapter 37 log and report p.733
- Zywall usg series user s guide p.734
- The log category settings screen allows you to view and to edit what information is included in the system log usb storage e mail profiles and remote servers at the same time it does not let you change other log settings for example where and how often log information is e mailed or remote server names to access this screen go to the log settings summary screen see section 37 on page 723 and click the log category settings button p.734
- Log category settings screen p.734
- Label description p.734
- Edit remote server continued p.734
- Chapter 37 log and report p.734
- Log category settings p.737
- Label description p.737
- Chapter 37 log and report p.737
- Zywall usg series user s guide p.737
- The following table describes the fields in this screen p.737
- Zywall usg series user s guide p.738
- Log category settings continued p.738
- Label description p.738
- Chapter 37 log and report p.738
- What you need to know p.739
- What you can do in this chapter p.739
- Overview p.739
- File manager p.739
- Note exit or must follow sub commands if it is to make the zywall usg exit sub command mode p.740
- Comments in configuration files or shell scripts p.740
- The configuration file screen p.741
- Errors in configuration files or shell scripts p.741
- Do not turn off the zywall usg while configuration file upload is in progress p.742
- Configuration file flow at restart p.742
- Zywall usg series user s guide p.743
- The following table describes the labels in this screen p.743
- Rename p.743
- Label description p.743
- Configuration file p.743
- Chapter 38 file manager p.743
- Zywall usg series user s guide p.744
- Label description p.744
- Configuration file continued p.744
- Chapter 38 file manager p.744
- Note the web configurator is the recommended method for uploading firmware you only need to use the command line interface if you need to recover the firmware see the cli reference guide for how to determine if you need to recover the firmware and how to recover it p.745
- Label description p.745
- Firmware package to open the firmware package screen use the firmware package screen to check your current firmware version and upload firmware to the zywall usg you can upload firmware to be the running firmware or standby firmware p.745
- Find the firmware package at www zyxel com in a file that usually uses the system model name with a bin extension for example zywall bin p.745
- Configuration file continued p.745
- Chapter 38 file manager p.745
- Zywall usg series user s guide p.745
- The zywall usg s firmware package cannot go through the zywall usg when you enable the anti virus destroy compressed files that could not be decompressed option the zywall usg classifies the firmware package as not being able to be decompressed and deletes it you can upload the firmware package to the zywall usg with the option enabled so you only need to clear p.745
- The firmware package screen p.745
- Zywall usg series user s guide p.746
- The following table describes the labels in this screen p.746
- The firmware update can take up to five minutes do not turn off or reset the zywall usg while the firmware update is in progress p.746
- The destroy compressed files that could not be decompressed option while you download the firmware package see section 31 on page 522 for more on the anti virus destroy compressed files that could not be decompressed option p.746
- Label description p.746
- Firmware package p.746
- Chapter 38 file manager p.746
- Figure 519 firmware upload error p.747
- Figure 518 network p.747
- Figure 517 firmware upload in process p.747
- Chapter 38 file manager p.747
- After you see the firmware upload in process screen wait a few minutes before logging into the zywall usg again p.747
- After five minutes log in again and check your new firmware version in the dashboard screen p.747
- Zywall usg series user s guide p.747
- The zywall usg automatically restarts causing a temporary network disconnect in some operating systems you may see the following icon on your desktop p.747
- Note the zywall usg automatically reboots after a successful upload p.747
- Label description p.747
- If the upload was not successful the following message appears in the status bar at the bottom of the screen p.747
- Firmware package continued p.747
- Zywall usg series user s guide p.748
- Use shell script files to have the zywall usg use commands that you specify use a text editor to create the shell script files they must use a zysh filename extension p.748
- The shell script screen p.748
- Shell script to open the shell script screen use the shell script screen to store name download upload and run shell script files you can store multiple shell script files on the zywall usg at the same time p.748
- Shell script p.748
- Rename p.748
- Note you should include write commands in your scripts if you do not use the write command the changes will be lost when the zywall usg restarts you could use multiple write commands in a long script p.748
- Label description p.748
- Each field is described in the following table p.748
- Chapter 38 file manager p.748
- Zywall usg series user s guide p.749
- Shell script continued p.749
- Label description p.749
- Chapter 38 file manager p.749
- What you can do in this chapter p.750
- The diagnostic screen p.750
- Overview p.750
- Diagnostics p.750
- Chapter 39 diagnostics p.751
- Zywall usg series user s guide p.751
- The following table describes the labels in this screen p.751
- The diagnostics files screen p.751
- Label description p.751
- Files to open the diagnostic files screen this screen lists the files of diagnostic information the zywall usg has collected and stored in a connected usb storage device you may need to send these files to customer support for troubleshooting p.751
- Diagnostics p.751
- Note new capture files overwrite existing files of the same name change the file suffix field s setting to avoid this p.752
- The packet capture screen p.752
- Zywall usg series user s guide p.753
- The following table describes the labels in this screen p.753
- Packet capture p.753
- Note the zywall usg reserves some usb storage space as a buffer p.753
- Note the zywall usg reserves some onboard storage space as a buffer p.753
- Note if you have existing capture files and have not selected the continuously capture and overwrite old ones option you may need to set this size larger or delete existing capture files p.753
- Label description p.753
- Chapter 39 diagnostics p.753
- Zywall usg series user s guide p.754
- The packet capture files screen p.754
- Packet capture continued p.754
- Label description p.754
- Files to open the packet capture files screen this screen lists the files of packet captures stored on the zywall usg or a connected usb storage device you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark p.754
- Chapter 39 diagnostics p.754
- Chapter 39 diagnostics p.755
- Zywall usg series user s guide p.755
- The system log screen p.755
- The following table describes the labels in this screen p.755
- System log to open the system log files screen this screen lists the files of system logs stored on a connected usb storage device the files are in comma separated value csv format you can download them to your computer and open them in a tool like microsoft s excel p.755
- System log p.755
- Label description p.755
- Zywall usg series user s guide p.756
- Use this screen to ping or traceroute an ip address p.756
- The following table describes the labels in this screen p.756
- The network tool screen p.756
- Network tool to display this screen p.756
- Network tool p.756
- Label description p.756
- Chapter 39 diagnostics p.756
- Label description p.757
- Chapter 39 diagnostics p.757
- Capture p.757
- Zywall usg series user s guide p.757
- Wireless frame capture to display this screen p.757
- Use this screen to capture wireless network traffic going through the ap interfaces connected to your zywall usg studying these frame captures may help you identify network problems p.757
- The wireless frame capture screen p.757
- The following table describes the labels in this screen p.757
- Note new capture files overwrite existing files of the same name change the file prefix field s setting to avoid this p.757
- Zywall usg series user s guide p.758
- The wireless frame capture files screen p.758
- Note if you have existing capture files you may need to set this size larger or delete existing capture files p.758
- Label description p.758
- Files to open this screen this screen lists the files of wireless frame captures the zywall usg has performed you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark p.758
- Chapter 39 diagnostics p.758
- Capture continued p.758
- The following table describes the labels in this screen p.759
- Label description p.759
- Chapter 39 diagnostics p.759
- Zywall usg series user s guide p.759
- What you can do in this chapter p.760
- The routing status screen p.760
- Packet flow explore p.760
- Overview p.760
- Zywall usg series user s guide p.764
- The following table describes the labels in this screen p.764
- Routing status p.764
- Label description p.764
- Chapter 40 packet flow explore p.764
- Snat status policy route snat p.765
- Snat status p.765
- Routing status continued p.765
- Note once a packet matches the criteria of an snat rule the zywall usg takes the corresponding action and does not perform any further flow checking p.765
- Label description p.765
- Chapter 40 packet flow explore p.765
- Zywall usg series user s guide p.765
- Use policy routes to control 1 1 nat by using the policy control virtual server rules activate command p.765
- Trunk screen p.765
- The snat status screen p.765
- The order of the snat flow may vary depending on whether you p.765
- Zywall usg series user s guide p.766
- The following table describes the labels in this screen p.766
- Snat status loopback snat p.766
- Snat status default snat p.766
- Snat status 1 1 snat p.766
- Snat status p.766
- Label description p.766
- Chapter 40 packet flow explore p.766
- Snat status continued p.767
- Label description p.767
- Chapter 40 packet flow explore p.767
- Zywall usg series user s guide p.767
- What you need to know p.768
- The shutdown screen p.768
- Shutdown p.768
- Overview p.768
- Troubleshooting p.769
- The zywall usg is not applying the custom policy route i configured p.770
- The content filter category service is not working p.770
- I downloaded updated anti virus or idp application patrol signatures why has the zywall usg not re booted yet p.770
- I configured security settings but the zywall usg is not applying them for certain interfaces p.770
- I cannot update the idp application patrol signatures p.770
- I cannot update the anti virus signatures p.770
- My rules and settings that apply to a particular interface no longer work p.771
- I cannot set up a ppp interface virtual ethernet interface or virtual vlan interface on an ethernet interface p.771
- I cannot set up a ppp interface p.771
- I cannot enter the interface name i want p.771
- The zywall usg is not applying the custom security policy i configured p.771
- The zywall usg is not applying an interface s configured ingress bandwidth limit p.772
- The wireless security is not following the re authentication timer setting i specified p.772
- The data rates through my cellular connection are no where near the rates i expected p.772
- I created a cellular interface but cannot connect through it p.772
- I cannot configure a particular vlan interface on top of an ethernet interface even though i have it configured it on top of another ethernet interface p.772
- Hackers have accessed my wep encrypted wireless lan p.772
- The zywall usg s performance slowed down after i configured many new application patrol entries p.773
- The zywall usg s performance seems slower after configuring idp p.773
- The zywall usg s anti virus scanner cleaned an infected file but now i cannot use the file p.773
- The zywall usg is not scanning some zipped files p.773
- The zywall usg is not applying my application patrol bandwidth management settings p.773
- The zywall usg is deleting some zipped files p.773
- Idp is dropping traffic that matches a rule that says no action should be taken p.774
- I uploaded a custom signature file and now all of my earlier custom signatures are gone p.774
- I cannot configure some items in idp that i can configure in snort p.774
- The zywall usg s performance seems slower after configuring adp p.774
- The zywall usg routes and applies snat for traffic from some interfaces but not from others p.774
- The zywall usg keeps resetting the connection p.775
- I cannot get the application patrol to manage sip traffic p.775
- I cannot get the application patrol to manage h 23 traffic p.775
- I cannot get the application patrol to manage ftp traffic p.775
- I cannot get dynamic dns to work p.775
- I cannot create a second http redirect rule for an incoming interface p.775
- I cannot set up an ipsec vpn tunnel to another device p.776
- The vpn connection is up but vpn traffic cannot be transmitted through the vpn tunnel p.777
- I uploaded a logo to show in the ssl vpn user screens but it does not display properly p.777
- I logged into the ssl vpn but cannot see some of the resource links p.777
- I cannot download the zywall usg s firmware package p.777
- I changed the lan ip address and can no longer access the internet p.778
- I cannot get the radius server to authenticate the zywall usg s default admin account p.778
- I cannot add the admin users to a user group with access users p.778
- The zywall usg fails to authentication the ext user user accounts i configured p.778
- I configured policy routes to manage the bandwidth of tcp and udp traffic but the bandwidth management is not being applied properly p.778
- I configured application patrol to allow and manage access to a specific service but access is blocked p.778
- The schedule i configured is not being applied at the configured times p.779
- Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default p.779
- I cannot get a certificate to import into the zywall usg p.779
- I cannot add the default admin account to a user group p.779
- I cannot access the zywall usg from a computer connected to the internet p.779
- The zywall usg s traffic throughput rate decreased after i started collecting traffic statistics p.780
- The commands in my configuration file or shell script are not working properly p.780
- Note exit or must follow sub commands if it is to make the zywall usg exit sub command mode p.780
- I uploaded a logo to use as the screen or window background but it does not display properly p.780
- I uploaded a logo to display on the upper left corner of the web configurator login screen and access page but it does not display properly p.780
- I cannot get the firmware uploaded using the commands p.780
- I can only see newer logs older logs are missing p.780
- My earlier packet capture files are missing p.781
- Resetting the zywall usg p.781
- Note this procedure removes the current configuration p.781
- My packet capture captured less than i wanted or failed p.781
- Getting more troubleshooting help p.782
- Ppendi p.783
- Customer support p.783
- Vietnam p.784
- Thailand p.784
- Taiwan p.784
- Singapore p.784
- Philipines p.784
- Pakistan p.784
- Malaysia p.784
- Europe p.784
- Austria p.784
- Belarus p.785
- Latvia p.785
- Hungary p.785
- Germany p.785
- France p.785
- Finland p.785
- Estonia p.785
- Denmark p.785
- Bulgaria p.785
- Belgium p.785
- Slovakia p.786
- Russia p.786
- Romania p.786
- Poland p.786
- Norway p.786
- Netherlands p.786
- Lithuania p.786
- Switzerland p.786
- Sweden p.786
- Ukraine p.787
- Turkey p.787
- North america p.787
- Middle east p.787
- Latin america p.787
- Ecuador p.787
- Argentina p.787
- South africa p.788
- Oceania p.788
- Australia p.788
- Africa p.788
- Ppendi p.789
- Legal information p.789
- Appendix b legal information p.790
- Zywall usg series user s guide p.790
- Safety warnings p.790
- List of national codes p.790
- Ce emc statement p.790
- Zywall usg series user s guide p.791
- European union disposal and recycling information p.791
- Environment statment p.791
- Appendix b legal information p.791
- Environmental product declaration p.792
- Zyxel limited warranty p.793
- Zywall usg series user s guide p.793
- Viewing certifications p.793
- Trademarks p.793
- Registration p.793
- Open source licenses p.793
- Appendix b legal information p.793
- 警告使用者 這是甲類的資訊產品 在居住的環境中使用時 可能會造成射頻干擾 在這種情況下 使用者會被要求採取某些適當的對策 p.793
- 台灣 p.793
- Zywall usg series user s guide p.794
- United states of america p.794
- Regulatory notice and statement class b p.794
- Model list usg40 usg40w usg60 usg60w p.794
- Industry canada rss gen rss 247 statement p.794
- Industry canada ices statement p.794
- Fcc radiation exposure statement p.794
- Fcc emc statement p.794
- Canada p.794
- Appendix b legal information p.794
- Antenna information p.794
- Déclaration d exposition aux radiations p.795
- Declaration of conformity with regard to eu directive 1999 5 ec r tte directive p.795
- Appendix b legal information p.795
- Zywall usg series user s guide p.795
- Informations antenne for external antenna p.795
- Industry canada radiation exposure statement p.795
- European union p.795
- Zywall usg series user s guide p.796
- National restrictions p.796
- Appendix b legal information p.796
- Zywall usg series user s guide p.797
- Safety warnings p.797
- List of national codes p.797
- Appendix b legal information p.797
- Zywall usg series user s guide p.798
- European union disposal and recycling information p.798
- Erp energy related products p.798
- Environment statement p.798
- Appendix b legal information p.798
- 台灣 p.800
- Zyxel limited warranty p.800
- Zywall usg series user s guide p.800
- Viewing certifications p.800
- Appendix b legal information p.800
- Zywall usg series user s guide p.801
- Registration p.801
- Open source licenses p.801
- Appendix b legal information p.801
- Product features p.802
- Ppendi p.802
- Zywall usg series user s guide p.803
- Table 345 product features p.803
- Model name p.803
- Appendix c product features p.803
- Appendix c product features p.804
- Zywall usg series user s guide p.804
- Table 345 product features p.804
- Model name p.804
- Zywall usg series user s guide p.805
- Table 345 product features p.805
- Model name p.805
- Appendix c product features p.805
- Zywall usg series user s guide p.806
- Table 345 product features p.806
- Model name p.806
- Appendix c product features p.806
- Zywall usg series user s guide p.807
- Table 345 product features p.807
- Model name p.807
- Appendix c product features p.807
- Appendix c product features p.808
- Zywall usg series user s guide p.808
- Table 345 product features p.808
- Model name p.808
- Symbols p.809
- Numbers p.809
Похожие устройства
-
Zyxel USG1100Описание параметров -
Zyxel ZyWALL USG 2000Рекомендации по настройке -
Zyxel ZyWALL USG 2000Инструкция по установке -
Zyxel ZyWALL USG 2000Справочник командного интерфейса -
Zyxel ZyWALL USG 2000Инструкция по эксплуатации -
Zyxel ZyWALL USG 1000Инструкция по установке -
Zyxel ZyWALL USG 1000Рекомендации по настройке
-
Zyxel ZyWALL USG 1000Справочник командного интерфейса
-
Zyxel ZyWALL USG 1000Инструкция по эксплуатации
-
Zyxel ZyWALL USG 300Рекомендации по настройке
-
Zyxel ZyWALL USG 300Справочник командного интерфейса
-
Zyxel ZyWALL USG 300Инструкция по установке
Изучите, как настраивать политику безопасности для управления сетевым трафиком, включая разрешения, блокировки и действия для различных типов трафика.