![Zyxel ZyWALL 1100 [365/829] What you need to know](/img/pdf.png)
Zyxel ZyWALL 1100 [365/829] What you need to know
![Zyxel USG 1900 [365/829] What you need to know](/views2/1169222/page365/bg16d.png)
Chapter 21 Security Policy
ZyWALL/USG Series User’s Guide
365
21.3.1 What You Need to Know
Stateful Inspection
The ZyWALL/USG uses stateful inspection in its security policies. The ZyWALL/USG restricts access
by screening data packets against defined access rules. It also inspects sessions. For example,
traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Zones
A zone is a group of interfaces. Group the ZyWALL/USG’s interfaces into different zones based on
your needs. You can configure security policies for data passing between zones or even between
interfaces.
Default Directional Security Policy Behavior
Security Policies can be grouped based on the direction of travel of packets to which they apply.
Here is the The ZyWALL/USG has default Security Policy behavior for traffic going through the
ZyWALL/USG in various directions.
To-Device Policies
Policies with Device as the To Zone apply to traffic going to the ZyWALL/USG itself. By default:
• The Security Policy allows only LAN, or WAN computers to access or manage the ZyWALL/USG.
• The ZyWALL/USG allows DHCP traffic from any interface to the ZyWALL/USG.
• The ZyWALL/USG drops most packets from the WAN zone to the ZyWALL/USG itself and
generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT.
When you configure a Security Policy rule for packets destined for the ZyWALL/USG itself, make
sure it does not conflict with your service control rule. The ZyWALL/USG checks the security policy
before the service control rules for traffic destined for the ZyWALL/USG.
Table 151 Directional Security Policy Behavior
FROM ZONE TO ZONE BEHAVIOR
From any to Device DHCP traffic from any interface to the ZyWALL/USG is allowed.
From LAN1 to any (other than
the ZyWALL/USG)
Traffic from the LAN1 to any of the networks connected to the ZyWALL/USG is
allowed.
From LAN2 to any (other than
the ZyWALL/USG)
Traffic from the LAN2 to any of the networks connected to the ZyWALL/USG is
allowed.
From LAN1 to Device Traffic from the LAN1 to the ZyWALL/USG itself is allowed.
From LAN2 to Device Traffic from the LAN2 to the ZyWALL/USG itself is allowed.
From WAN to Device The default services listed in To-Device Policies on page 365 are allowed from
the WAN to the ZyWALL/USG itself. All other WAN to ZyWALL/USG traffic is
dropped.
From any to any Traffic that does not match any
Security policy is dropped. This includes
traffic from the WAN to any of the networks behind the ZyWALL/USG.
This also includes traffic to or from interfaces that are not assigned to a zone
(extra-zone traffic).
Содержание
- Quick start guide 1
- Security firewalls 1
- User s guide 1
- Usg40 usg40w usg60 usg60w usg110 usg210 usg310 usg1100 usg1900 1
- Zywall 110 310 1100 1
- Zywall usg series 1
- Important 2
- Keep this guide for future reference 2
- Note it is recommended you use the web configurator to configure the zywall usg 2
- Read carefully before use 2
- Related documentation 2
- Zywall usg 2
- Chapter 1 introduction 1 3
- Chapter 2 installation setup wizard 1 3
- Chapter 3 hardware interfaces and zones 0 3
- Chapter 4 quick setup wizards 7 3
- Part i user s guide 19 3
- Chapter 5 0 4
- Dashboard 0 4
- Chapter 6 monitor 09 5
- Part ii technical reference 107 5
- Chapter 7 licensing 57 6
- Chapter 8 wireless 63 6
- Chapter 10 routing 67 7
- Chapter 9 interfaces 81 7
- Alg 07 8
- Chapter 11 ddns 90 8
- Chapter 12 nat 96 8
- Chapter 13 http redirect 03 8
- Chapter 14 07 8
- Chapter 15 upnp 15 9
- Chapter 16 ip mac binding 24 9
- Chapter 17 layer 2 isolation 29 9
- Chapter 18 inbound load balancing 33 9
- Chapter 19 web authentication 39 9
- Chapter 20 rtls 57 10
- Chapter 21 security policy 60 10
- Chapter 22 ipsec vpn 85 10
- Chapter 23 ssl vpn 20 11
- Chapter 24 31 11
- Ssl user screens 31 11
- Chapter 25 zywall usg secuextender windows 44 12
- Chapter 26 l2tp vpn 48 12
- Chapter 27 bwm bandwidth management 53 12
- Chapter 28 application patrol 68 12
- Chapter 29 content filtering 74 12
- Chapter 30 idp 93 13
- Chapter 31 anti virus 18 13
- Chapter 32 anti spam 30 13
- Chapter 33 ssl inspection 48 14
- Chapter 34 device ha 57 14
- Chapter 35 object 70 14
- Chapter 36 system 67 16
- Chapter 37 log and report 20 17
- Chapter 38 file manager 39 17
- Appendix a customer support 83 18
- Appendix b legal information 89 18
- Appendix c product features 02 18
- Chapter 39 diagnostics 50 18
- Chapter 40 packet flow explore 60 18
- Chapter 41 shutdown 68 18
- Chapter 42 troubleshooting 69 18
- Index 09 18
- User s guide 19
- Introduction 21
- Overview 21
- Applications 22
- Ipv6 routing 22
- Security router 22
- Ssl vpn network access 23
- User aware access control 23
- Vpn connectivity 23
- Load balancing 24
- Management overview 24
- Web configurator 24
- Cloudcnm 25
- Command line interface cli 25
- Note most screen shots in this guide come from the usg110 and usg60w screen shots for other models may vary a little 25
- Web configurator 25
- Web configurator access 25
- Title bar 28
- Web configurator screens overview 28
- Site map 29
- Chapter 1 introduction 30
- Click console to open a java based console window from which you can run cli commands you will be prompted to enter your user name and password see the command reference guide for information about the commands 30
- Click object reference to open the object reference screen select the type of object and the individual object and click refresh to show which configuration settings reference the object 30
- Console 30
- Figure 11 object reference 30
- Label description 30
- Object reference 30
- Table 5 object references 30
- The fields vary with the type of object this table describes labels that can appear in this screen 30
- Zywall usg series user s guide 30
- Cli messages 31
- Navigation panel 31
- Chapter 1 introduction 32
- Dashboard 32
- Figure 14 navigation panel 32
- Folder or link tab function 32
- Monitor menu 32
- Table 6 monitor menu screens summary 32
- The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs see the web help for details on the dashboard 32
- The monitor menu screens display status and statistics information 32
- Zywall usg series user s guide 32
- Chapter 1 introduction 33
- Configuration menu 33
- Folder or link tab function 33
- Table 6 monitor menu screens summary continued 33
- Table 7 configuration menu screens summary 33
- Use the configuration menu screens to configure the zywall usg s features 33
- Zywall usg series user s guide 33
- Chapter 1 introduction 34
- Folder or link tab function 34
- Table 7 configuration menu screens summary continued 34
- Zywall usg series user s guide 34
- Chapter 1 introduction 35
- Folder or link tab function 35
- Table 7 configuration menu screens summary continued 35
- Zywall usg series user s guide 35
- Chapter 1 introduction 36
- Folder or link tab function 36
- Table 7 configuration menu screens summary continued 36
- Zywall usg series user s guide 36
- Chapter 1 introduction 37
- Folder or link tab function 37
- Table 7 configuration menu screens summary continued 37
- Zywall usg series user s guide 37
- Chapter 1 introduction 38
- Click a column heading to sort the table s entries according to that column s criteria 38
- Click the down arrow next to a column heading for more options about how to display the entries the options available vary depending on the type of fields in the column here are some examples of what you can do 38
- Figure 15 sorting table entries by a column s criteria 38
- Folder or link tab function 38
- Group entries by field 38
- Maintenance menu 38
- Or or searching for text 38
- Select which columns to display 38
- Show entries in groups 38
- Sort in ascending or descending reverse alphabetical order 38
- Table 8 maintenance menu screens summary 38
- Tables and lists 38
- Use the maintenance menu screens to manage configuration and firmware files run diagnostics and reboot or shut down the zywall usg 38
- Web configurator tables and lists are flexible with several options for how to display their entries 38
- Zywall usg series user s guide 38
- Chapter 1 introduction 40
- Figure 20 common table icons 40
- Figure 21 working with lists 40
- Here are descriptions for the most common table icons 40
- Label description 40
- Table 9 common table icons 40
- When a list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other in some lists you can also use the shift or ctrl key to select multiple entries and then use the arrow button to move them to the other list 40
- Working with lists 40
- Zywall usg series user s guide 40
- Installation setup wizard 41
- Installation setup wizard screens 41
- Internet access setup wan interface 41
- Internet access ethernet 42
- Note enter the internet access information exactly as given to you by your isp or network administrator 42
- Internet access pppoe 43
- Note enter the internet access information exactly as given to you by your isp 43
- Isp parameters 44
- Wan ip address assignments 44
- Internet access pptp 45
- Isp parameters 45
- Note enter the internet access information exactly as given to you by your isp 45
- Internet access setup second wan interface 46
- Pptp configuration 46
- Wan ip address assignments 46
- Internet access succeed 47
- Wireless settings ap controller 47
- Ssid setting 48
- Wireless settings ssid security 48
- For built in wireless ap only 49
- Internet access device registration 49
- Note the zywall usg must be connected to the internet in order to register 49
- Front panels 50
- Hardware interfaces and zones 50
- Hardware overview 50
- Chapter 3 hardware interfaces and zones 51
- Figure 35 usg60 usg60w front panel 51
- Figure 36 zywall 110 usg110 usg210 rear panel 51
- Figure 37 zywall 310 zywall 1100 usg310 usg1100 usg1900 rear panel 51
- Led color status description 51
- Rear panels 51
- Table 11 led descriptions 51
- The connection ports are located on the rear panel 51
- The following table describes the leds 51
- Zywall usg series user s guide 51
- Chapter 3 hardware interfaces and zones 52
- Figure 38 usg40 usg40w rear panel 52
- Figure 39 usg60 usg60w rear panel 52
- Label description 52
- Note use an 8 wire ethernet cable to run your gigabit ethernet connection at 1000 mbps using a 4 wire ethernet cable limits your connection to 100 mbps note that the connection speed also depends on what the ethernet device at the other end can support 52
- Table 12 rear panel items 52
- The following table describes the items on the rear panel 52
- Zywall usg series user s guide 52
- Mounting 53
- Note failure to use the proper screws may damage the unit 53
- Note leave 10 cm of clearance at the sides and 20 cm in the rear 53
- Rack mounting 53
- Rack mounting wall mounting 53
- Table 13 mounting method 53
- Note make sure the screws are securely fixed to the wall and strong enough to hold the weight of the zywall usg with the connection cables 54
- Wall mount the zywall usg horizontally the zywall usg s side panels with ventilation slots should not be facing up or down as this position is less safe 54
- Wall mounting 54
- Default zones interfaces and ports 55
- Screw specifications 55
- Table 14 default physical port interface mapping 55
- Chapter 3 hardware interfaces and zones 56
- No default zone 56
- Shutdown or the shutdown command before you turn off the zywall usg or remove the power not doing so can cause the firmware to become corrupt 56
- Stopping the zywall usg 56
- Table 15 default zone interface mapping 56
- The following table shows the default interface and zone mapping for each model at the time of writing 56
- Zone interface wan lan1 lan2 dmz opt 56
- Zywall usg series user s guide 56
- Quick setup overview 57
- Quick setup wizards 57
- Choose an ethernet interface 58
- Wan interface quick setup 58
- Configure wan ip settings 59
- Note enter the internet access information exactly as your isp gave it to you 59
- Select wan type 59
- Isp and wan and isp connection settings 60
- Note enter the internet access information exactly as your isp gave it to you 60
- Chapter 4 quick setup wizards 61
- Figure 47 wan and isp connection settings pptp shown 61
- Label description 61
- Table 16 wan and isp connection settings 61
- The following table describes the labels in this screen 61
- Zywall usg series user s guide 61
- Chapter 4 quick setup wizards 62
- Label description 62
- Quick setup interface wizard summary 62
- Table 16 wan and isp connection settings continued 62
- This screen displays the wan interface s settings 62
- Zywall usg series user s guide 62
- Chapter 4 quick setup wizards 63
- Click vpn setup in the main quick setup screen to open the vpn setup wizard welcome screen 63
- Figure 48 interface wizard summary wan pptp shown 63
- Label description 63
- Table 17 interface wizard summary wan 63
- The following table describes the labels in this screen 63
- Vpn setup wizard 63
- Zywall usg series user s guide 63
- Welcome 64
- Vpn express wizard scenario 65
- Vpn setup wizard wizard type 65
- Vpn express wizard configuration 67
- Vpn express wizard summary 67
- Vpn express wizard finish 68
- Vpn advanced wizard scenario 69
- Vpn advanced wizard phase 1 settings 70
- Note the remote ipsec device must also have nat traversal enabled see the help in the main ipsec vpn screens for more information 72
- Vpn advanced wizard phase 2 72
- Vpn advanced wizard finish 73
- Vpn advanced wizard summary 73
- Vpn settings for configuration provisioning wizard wizard type 74
- Configuration provisioning express wizard vpn settings 75
- Configuration provisioning vpn express wizard configuration 76
- Vpn settings for configuration provisioning express wizard summary 77
- Vpn settings for configuration provisioning express wizard finish 78
- Vpn settings for configuration provisioning advanced wizard scenario 79
- Vpn settings for configuration provisioning advanced wizard phase 1 settings 80
- Vpn settings for configuration provisioning advanced wizard phase 2 82
- Vpn settings for configuration provisioning advanced wizard summary 82
- Vpn settings for configuration provisioning advanced wizard finish 84
- Vpn settings for l2tp vpn settings wizard 85
- L2tp vpn settings 86
- L2tp vpn settings 87
- Note dns domain name system is for mapping a domain name to its corresponding ip address and vice versa the dns server is extremely important because without it you must know the ip address of a computer before you can access it the zywall usg uses a system dns server in the order you specify here to resolve domain names for vpn ddns and the time server 88
- Vpn settings for l2tp vpn setting wizard summary 88
- Vpn settings for l2tp vpn setting wizard completed 89
- Dashboard 90
- Overview 90
- What you can do in this chapter 90
- Main dashboard screen 91
- Chapter 5 dashboard 92
- Device information screen 92
- Label description 92
- Table 18 dashboard continued 92
- The device information screen displays zywall usg s system and model name serial number mac address and firmware version shown in the below screen 92
- Zywall usg series user s guide 92
- Chapter 5 dashboard 93
- Device information 93
- Device information example 93
- Label description 93
- System status example 93
- System status screen 93
- This tabel describes the fields in the above screen 93
- Zywall usg series user s guide 93
- Chapter 5 dashboard 94
- Click on vpn status link to look at the vpn tunnels that are currently established the following screen will show 94
- Label description 94
- System status 94
- This table describes the fields in the above screen 94
- Vpn status screen 94
- Zywall usg series user s guide 94
- Chapter 5 dashboard 95
- Lable description 95
- This table describes the fields in the above screen 95
- Vpn status 95
- Zywall usg series user s guide 95
- Chapter 5 dashboard 96
- Click on the dhcp table link to look at the ip addresses currently assigned to dhcp clients and the ip addresses reserved for specific mac addresses the following screen will show 96
- Dhcp table 96
- Dhcp table screen 96
- Label description 96
- This table describes the fields in the above screen 96
- Zywall usg series user s guide 96
- Chapter 5 dashboard 97
- Click the number of login users link to see the following screen 97
- Hover your mouse over an item and click the arrow on the right to see more details on that resource 97
- Label description 97
- Number of login users 97
- Number of login users screen 97
- System resources screen 97
- This table describes the fields in the above screen 97
- Zywall usg series user s guide 97
- Chapter 5 dashboard 98
- Cpu usage screen 98
- Label description 98
- System resources 98
- This table describes the fields in the above screen 98
- Use the below screen to look at a chart of the zywall usg s recent cpu usage to access this screen click cpu usage in the dashboard 98
- Zywall usg series user s guide 98
- Label description 99
- Memory usage screen 99
- Active session screen 100
- Label description 100
- Chapter 5 dashboard 101
- Extension slot 101
- Extension slot screen 101
- Interface status summary screen 101
- Interfaces per zywall usg model vary 101
- Label description 101
- This table describes the fields in the above screen 101
- Zywall usg series user s guide 101
- Chapter 5 dashboard 102
- Interface status summary 102
- Label description 102
- This table describes the fields in the above screen 102
- Zywall usg series user s guide 102
- Chapter 5 dashboard 103
- Interface status summary 103
- Label description 103
- Secured service status 103
- Secured service status screen 103
- This part shows what unified threat management utm services are available and enabled 103
- This table describes the fields in the above screen 103
- Zywall usg series user s guide 103
- Chapter 5 dashboard 104
- Content filter and then view results here 104
- Content filter statistics 104
- Content filter statistics screen 104
- Label description 104
- Secured service status 104
- This table describes the fields in the above screen 104
- Top 5 viruses 104
- Top 5 viruses screen 104
- Zywall usg series user s guide 104
- Chapter 5 dashboard 105
- Label description 105
- This table describes the fields in the above screen 105
- Top 5 intrusions 105
- Top 5 intrusions screen 105
- Top 5 ipv4 ipv6 security policy rules that blocked traffic 105
- Top 5 ipv4 ipv6 security policy rules that blocked traffic screen 105
- Top 5 viruses 105
- Zywall usg series user s guide 105
- Chapter 5 dashboard 106
- Label description 106
- The latest alert logs 106
- The latest alert logs screen 106
- This table describes the fields in the above screen 106
- Top 5 ipv4 ipv6 security policy rules that blocked traffic 106
- Zywall usg series user s guide 106
- Technical reference 107
- Monitor 109
- Overview 109
- What you can do in this chapter 109
- The port statistics screen 110
- Chapter 6 monitor 111
- Label description 111
- Port statistics 111
- The following table describes the labels in this screen 111
- The port statistics graph screen 111
- Use this screen to look at a line graph of packet statistics for each physical port to access this screen click port statistics in the status screen and then the switch to graphic view button 111
- Zywall usg series user s guide 111
- Chapter 6 monitor 112
- Interface status screen 112
- Interface status to access this screen 112
- Label description 112
- Switch to graphic view 112
- The following table describes the labels in this screen 112
- Zywall usg series user s guide 112
- Chapter 6 monitor 113
- Each field is described in the following table 113
- Interface status 113
- Label description 113
- Zywall usg series user s guide 113
- Chapter 6 monitor 114
- Interface status continued 114
- Label description 114
- Zywall usg series user s guide 114
- Chapter 6 monitor 115
- Interface status continued 115
- Label description 115
- Lan ip with heaviest traffic and how much traffic has been sent to and from each one 115
- Most used protocols or service ports and the amount of traffic on each one 115
- Most visited web sites and the number of times each one was visited this count may not be accurate in some cases because the zywall usg counts http get packets please see table 39 on page 116 for more information 115
- The traffic statistics screen 115
- Traffic statistics to display the traffic statistics screen this screen provides basic information about the following for example 115
- Zywall usg series user s guide 115
- Chapter 6 monitor 116
- Label description 116
- There is a limit on the number of records shown in the report please see table 40 on page 117 for more information the following table describes the labels in this screen 116
- Traffic statistics 116
- You use the traffic statistics screen to tell the zywall usg when to start and when to stop collecting information for these reports you cannot schedule data collection you have to start and stop it manually in the traffic statistics screen 116
- Zywall usg series user s guide 116
- Chapter 6 monitor 117
- Label description 117
- Table 40 maximum values for reports 117
- The following table displays the maximum number of records shown in the report the byte count limit and the hit count limit 117
- Traffic statistics continued 117
- Zywall usg series user s guide 117
- Chapter 6 monitor 118
- Destination address 118
- Duration so far 118
- Label description 118
- Number of bytes received so far 118
- Number of bytes transmitted so far 118
- Protocol or service port used 118
- Session monitor 118
- Session monitor to display the following screen 118
- Source address 118
- The following table describes the labels in this screen 118
- The session monitor screen 118
- The session monitor screen displays all established sessions that pass through the zywall usg for debugging or statistical analysis it is not possible to manage sessions in this screen the following information is displayed 118
- User who started the session 118
- You can look at all established sessions that passed through the zywall usg by user service source ip address or destination ip address you can also filter the information by user protocol service or service group source address and or destination address and view it by user 118
- Zywall usg series user s guide 118
- Chapter 6 monitor 119
- Igmp statistics 119
- Igmp statistics to open the following screen 119
- Label description 119
- Session monitor continued 119
- Zywall usg series user s guide 119
- Chapter 6 monitor 120
- Ddns status 120
- Ddns status to open the following screen 120
- Igmp statistics 120
- Label description 120
- The ddns status screen 120
- The following table describes the labels in this screen 120
- Zywall usg series user s guide 120
- Ip mac binding 121
- The login users screen 121
- Cellular status 122
- Cellular status screen 122
- Cellular status to display this screen 122
- Chapter 6 monitor 122
- Label description 122
- Login users 122
- The following table describes the labels in this screen 122
- Zywall usg series user s guide 122
- Cellular status 123
- Chapter 6 monitor 123
- Label description 123
- The following table describes the labels in this screen 123
- Zywall usg series user s guide 123
- Cellular status continued 124
- Chapter 6 monitor 124
- Label description 124
- Zywall usg series user s guide 124
- Cellular status continued 125
- Chapter 6 monitor 125
- Label description 125
- More information 125
- More information to display this screen 125
- Note this screen is only available when the mobile broadband device is attached to and activated on the zywall usg 125
- The following table describes the labels in this screen 125
- Zywall usg series user s guide 125
- Chapter 6 monitor 126
- Label description 126
- More information continued 126
- The following table describes the labels in this screen 126
- The upnp port status screen 126
- Upnp port status 126
- Zywall usg series user s guide 126
- Chapter 6 monitor 127
- Label description 127
- The following table describes the labels in this screen 127
- Upnp port status continued 127
- Usb storage 127
- Usb storage screen 127
- Usb storage to display this screen 127
- Zywall usg series user s guide 127
- Chapter 6 monitor 128
- Ethernet neighbor 128
- Ethernet neighbor screen 128
- Ethernet neighbor to see the following screen 128
- It uses smart connect that is link layer discovery protocol lldp for discovering and configuring lldp aware devices in the same broadcast domain as the zywall usg that you re logged into using the web configurator 128
- Label description 128
- Lldp is a layer 2 protocol that allows a network device to advertise its identity and capabilities on the local network it also allows the device to maintain and store information from adjacent devices which are directly connected to the network device this helps you discover network changes and perform necessary network reconfiguration and management 128
- The ethernet neighbor screen allows you to view the zywall usg s neighboring devices in one place 128
- Usb storage continued 128
- Zon for more information on the zyxel one network zon utility that uses the zyxel discovery protocol zdp for discovering and configuring zdp aware zyxel devices in the same network as the computer on which the zon utility is installed 128
- Zon screen 128
- Zywall usg series user s guide 128
- Ap information 129
- Ap information to display the ap list screen 129
- Ap list 129
- Chapter 6 monitor 129
- Ethernet neighbor 129
- Label description 129
- The following table describes the fields in the previous screen 129
- The following table describes the labels in this screen 129
- Wireless 129
- Wireless ap information ap list 129
- Wireless contains ap information and station info menus 129
- Zywall usg series user s guide 129
- Ap information continued 130
- Ap list icons 130
- Ap list more information 130
- Chapter 6 monitor 130
- Label description 130
- The following table describes the icons in this screen 130
- Use this screen to look at station statistics for the connected ap to access this screen select an entry and click the more information button in the ap list screen use this screen to look at 130
- Zywall usg series user s guide 130
- Chapter 6 monitor 132
- Label description 132
- More information continued 132
- Radio list 132
- Radio list to display the radio list screen 132
- The following table describes the labels in this screen 132
- Wireless ap information radio list 132
- Zywall usg series user s guide 132
- Chapter 6 monitor 133
- Label description 133
- Radio list 133
- Zywall usg series user s guide 133
- Radio list more information 134
- Chapter 6 monitor 135
- Label description 135
- More information 135
- Station information to display this screen 135
- Station list 135
- The following table describes the labels in this screen 135
- Wireless station info 135
- Zywall usg series user s guide 135
- Ap management screen in order to detect other wireless devices in its vicinity 136
- Chapter 6 monitor 136
- Detected device 136
- Detected device to access this screen 136
- Label description 136
- Station list 136
- The following table describes the labels in this screen 136
- Zywall usg series user s guide 136
- Chapter 6 monitor 137
- Detected device continued 137
- Each field is described in the following table 137
- Ipsec the following screen appears sas click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 137
- Label description 137
- The ipsec monitor screen 137
- Zywall usg series user s guide 137
- A in the middle of a vpn connection or policy name has the zywall usg check the beginning and end and ignore the middle for example with abc 123 any vpn connection or policy name starting with abc and ending in 123 matches no matter how many characters are in between 138
- A question mark lets a single character in the vpn connection or policy name vary for example use a c without the quotation marks to specify abc acc and so on 138
- Chapter 6 monitor 138
- Ipsec continued 138
- Label description 138
- Log out individual users and delete related session information 138
- Once a user logs out the corresponding entry is removed from the screen 138
- Regular expressions in searching ipsec sas 138
- Ssl to display the user list 138
- The ssl screen 138
- The whole vpn connection or policy name has to match if you do not use a question mark or asterisk 138
- Use this screen to do the following 138
- View a list of active ssl vpn connections 138
- Wildcards let multiple vpn connection or policy names match the pattern for example use abc without the quotation marks to specify any vpn connection or policy name that ends with abc a vpn connection named testabc would match there could be any number of any type of characters in front of the abc at the end and the vpn connection or policy name would still match a vpn connection or policy name named testacc for example would not match 138
- Zywall usg series user s guide 138
- Chapter 6 monitor 139
- L2tp over ipsec 139
- L2tp over ipsec to open the following screen use this screen to display and manage the zywall usg s connected l2tp vpn sessions 139
- Label description 139
- The following table describes the fields in this screen 139
- The following table describes the labels in this screen 139
- The l2tp over ipsec session monitor screen 139
- Zywall usg series user s guide 139
- App patrol 140
- App patrol to display the following screen this screen displays application patrol statistics based on the app patrol profiles bound to security policy profiles 140
- Application patrol provides a convenient way to manage the use of various applications on the network it manages general protocols for example http and ftp and instant messenger im peer to peer p2p voice over ip voip and streaming rstp applications you can even control the use of a particular application s individual features like text messaging voice video conferencing and file transfers 140
- Chapter 6 monitor 140
- L2tp over ipsec continued 140
- Label description 140
- The app patrol screen 140
- The following table describes the labels in this screen 140
- Zywall usg series user s guide 140
- App patrol 141
- Chapter 6 monitor 141
- Content filter to display the following screen this screen displays content filter statistics 141
- Label description 141
- The content filter screen 141
- Zywall usg series user s guide 141
- Chapter 6 monitor 142
- Content filter 142
- Label description 142
- The following table describes the labels in this screen 142
- Zywall usg series user s guide 142
- Chapter 6 monitor 143
- Content filter continued 143
- Idp signature name 143
- Idp to display the following screen this screen displays idp intrusion detection and prevention statistics 143
- Label description 143
- The idp screen 143
- Zywall usg series user s guide 143
- Chapter 6 monitor 144
- Label description 144
- The following table describes the labels in this screen 144
- The statistics display as follows when you display the top entries by source 144
- Zywall usg series user s guide 144
- Anti virus 145
- Anti virus to display the following screen this screen displays anti virus statistics 145
- Anti virus virus name 145
- Chapter 6 monitor 145
- Idp destination 145
- Idp source 145
- Label description 145
- The anti virus screen 145
- The following table describes the labels in this screen 145
- The statistics display as follows when you display the top entries by destination 145
- Zywall usg series user s guide 145
- Anti virus continued 146
- Anti virus destination ip 146
- Anti virus source ip 146
- Chapter 6 monitor 146
- Label description 146
- The anti spam menu contains the report and status screens 146
- The anti spam screens 146
- The statistics display as follows when you display the top entries by destination 146
- The statistics display as follows when you display the top entries by source 146
- Zywall usg series user s guide 146
- Anti spam 147
- Anti spam report 147
- Anti spam to display the following screen this screen displays spam statistics 147
- Chapter 6 monitor 147
- Label description 147
- The following table describes the labels in this screen 147
- Zywall usg series user s guide 147
- Anti spam continued 148
- Chapter 6 monitor 148
- Label description 148
- Zywall usg series user s guide 148
- Anti spam continued 149
- Chapter 6 monitor 149
- Label description 149
- Status 149
- Status to display the anti spam status screen 149
- The anti spam status screen 149
- The following table describes the labels in this screen 149
- Use the anti spam status screen to see how many e mail sessions the anti spam feature is scanning and statistics for the dnsbls 149
- Zywall usg series user s guide 149
- Chapter 6 monitor 150
- Label description 150
- Report 150
- Report to display the following screen 150
- Status continued 150
- The ssl inspection screens 150
- The zywall usg uses ssl inspection to decrypt ssl traffic sends it to the utm engines for inspection then encrypts traffic that passes inspection and forwards it 150
- Zywall usg series user s guide 150
- Certificate cache list 151
- Certificate cache list to display a screen that shows details on ssl traffic going to servers identified by its certificate and an option to add that traffic to the exclude list 151
- Chapter 6 monitor 151
- Label description 151
- Report 151
- Ssl traffic to a server to be excluded from ssl inspection is identified by its certificate traffic in an exclude list is not intercepted by ssl inspection 151
- The following table describes the labels in this screen 151
- Zywall usg series user s guide 151
- Certificate cache list 152
- Chapter 6 monitor 152
- Label description 152
- The following table describes the labels in this screen 152
- Zywall usg series user s guide 152
- Chapter 6 monitor 153
- Events that generate an alert as well as a log message display in red regular logs display in black click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order the web configurator saves the filter settings if you leave the view log screen and return to it later 153
- Label description 153
- Log messages are stored in two separate logs one for regular log messages and one for debugging messages in the regular log you can look at all the log messages by selecting all logs or you can select a specific category of log messages for example security policy or user you can also look at the debugging log by selecting debug log all debugging messages have the same priority 153
- Log screens 153
- Log the log is displayed in the following screen 153
- Note when a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first 153
- The following table describes the labels in this screen 153
- The maximum possible number of log messages in the zywall usg varies by model 153
- View log 153
- Zywall usg series user s guide 153
- Chapter 6 monitor 154
- Label description 154
- View ap log 154
- View ap log to open the following screen 154
- View log continued 154
- Zywall usg series user s guide 154
- Chapter 6 monitor 155
- Label description 155
- The following table describes the labels in this screen 155
- View ap log 155
- Zywall usg 155
- Zywall usg series user s guide 155
- Chapter 6 monitor 156
- Label description 156
- Zywall usg 156
- Zywall usg series user s guide 156
- Licensing 157
- Registration overview 157
- What you need to know 157
- Registration screen 158
- Service screen 158
- Anti virus screen section 7 on page 159 to update the anti virus signatures 159
- Anti virus to display the following screen 159
- Chapter 7 licensing 159
- Idp apppatrol screen section 7 on page 161 to update the signatures used for idp and application patrol 159
- Label description 159
- Note the zywall usg does not have to reboot when you upload new signatures 159
- Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network 159
- Service continued 159
- Signature update 159
- The anti virus update screen 159
- This section shows you how to update the zywall usg s signature packages 159
- What you need to know 159
- You do not need a service registration to update the system protection signatures 159
- You need a valid service registration to update the anti virus signatures and the idp apppatrol signatures 159
- Your custom signature configurations are not over written when you download new signatures 159
- Zywall usg series user s guide 159
- Anti virus 160
- Chapter 7 licensing 160
- Label description 160
- The following table describes the labels in this screen 160
- Zywall usg series user s guide 160
- The idp apppatrol update screen 161
- Chapter 7 licensing 162
- Idp apppatrol continued 162
- Label description 162
- Zywall usg series user s guide 162
- Controller screen 163
- Overview 163
- What you can do in this chapter 163
- Wireless 163
- Ap management screens 164
- Ap management to access these screens 164
- Chapter 8 wireless 164
- Click on the icon to go to the onesecurity com website where there is guidance on configuration walkthroughs and other information 164
- Controller 164
- Each field is described in the following table 164
- Label description 164
- Mgnt ap list 164
- Note select the manual option for managing a specific set of aps this is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue aps 164
- Zywall usg series user s guide 164
- Chapter 8 wireless 165
- Controller screen you set the registration type to always accept then as soon as you remove an ap from this list it reconnects 165
- Each field is described in the following table 165
- Label description 165
- Mgnt ap list 165
- Note dcs is not supported on the radio which is working in repeater ap mode 165
- Note you should have enabled dcs in the applied ap radio profile berfore the aps can use dcs 165
- Zywall usg series user s guide 165
- Ap management table to display this screen 166
- Chapter 8 wireless 166
- Each field is described in the following table 166
- Edit ap list 166
- Label description 166
- Zywall usg series user s guide 166
- Chapter 8 wireless 167
- Edit ap list continued 167
- Label description 167
- Zywall usg series user s guide 167
- Ap policy 168
- Ap policy to access this screen 168
- Chapter 8 wireless 168
- Each field is described in the following table 168
- Label description 168
- Zywall usg series user s guide 168
- Ap group 169
- Ap group to access this screen 169
- Chapter 8 wireless 169
- Each field is described in the following table 169
- Label description 169
- Note dcs is not supported on the radio which is working in repeater ap mode 169
- Note you cannot remove a group with which an ap is associated 169
- Note you should have enabled dcs in the applied ap radio profile berfore the aps can use dcs 169
- Zywall usg series user s guide 169
- Add edit ap group 170
- Add edit 171
- Chapter 8 wireless 171
- Each field is described in the following table 171
- Label description 171
- Note reducing the output power also reduces the zywall usg s effective broadcast radius 171
- Zywall usg series user s guide 171
- Add edit continued 172
- Chapter 8 wireless 172
- Label description 172
- Note load balancing is not supported on the radio which is working in root ap or repeater ap mode 172
- Zywall usg series user s guide 172
- Add edit continued 173
- All new aps are supported 173
- Aps don t have to downgrade firmware in order to be managed 173
- Chapter 8 wireless 173
- Firmware 173
- Label description 173
- Note if you enable this function you should ensure that there are multiple aps within the broadcast radius that can accept any rejected or kicked wireless clients otherwise a wireless client attempting to connect to an overloaded ap will be kicked continuously and never be allowed to connect 173
- The zywall usg should always have the latest ap firmware so that 173
- The zywall usg stores an ap firmware in order to manage supported aps this screen allows the zywall usg to check for and download new ap firmware when it becomes available on the firmware server all aps managed by the zywall usg must have the same firmware version as the ap fimware on the zywall usg 173
- Use check to see if the zywall usg has the latest ap firmware use apply to have the zywall usg download the latest ap firmware see more details for more information on the firmware from the firmware server if the zywall usg does not have enough space for the latest ap firmware then the zywall usg will delete an existing firmware that no ap is using before downloading the new ap firmware 173
- When an ap connects to the zywall usg wireless controller the zywall usg will check if the ap has the same firmware version as the ap fimware on the zywall usg if yes then the zywall usg can manage it if no then the ap must upgrade or downgrade its firmware to be the same version as the ap firmware on the zywall usg and reboot 173
- Zywall usg series user s guide 173
- Chapter 8 wireless 174
- Each field is described in the following table 174
- Firmware 174
- Firmware to access this screen 174
- Label description 174
- Zywall usg series user s guide 174
- Chapter 8 wireless 175
- Firmware continued 175
- Label description 175
- Mon mode 175
- Mon mode to access this screen 175
- Use this screen to assign aps either to the rogue ap list or the friendly ap list a rogue ap is a wireless access point operating in a network s coverage area that is not under the control of the network administrator and which can potentially open up holes in a network s security 175
- Zywall usg series user s guide 175
- Add edit rogue friendly 176
- Add edit rogue friendly list 176
- Chapter 8 wireless 176
- Each field is described in the following table 176
- Label description 176
- Mon mode 176
- Mon mode table to display this screen 176
- Zywall usg series user s guide 176
- Add edit rogue friendly 177
- Auto healing 177
- Auto healing to access this screen 177
- Chapter 8 wireless 177
- Each field is described in the following table 177
- Label description 177
- Zywall usg series user s guide 177
- Dynamic channel selection 178
- Technical reference 178
- Load balancing 179
- Interface overview 181
- Interfaces 181
- What you can do in this chapter 181
- Interface characteristics 182
- Types of interfaces 182
- What you need to know 182
- Chapter 9 interfaces 183
- Characteristics ethernet ethernet ppp cellular vlan bridge virtual 183
- Characteristics these characteristics are listed in the following table and discussed in more detail below 183
- In the zywall usg interfaces are usually created on top of other interfaces only ethernet interfaces are created directly on top of the physical ports or port groups the relationships between interfaces are explained in the following table 183
- Interface required port interface 183
- Note the format of interface names other than the ethernet and ppp interface names is strict each name consists of 2 4 letters interface type followed by a number x for most interfaces x is limited by the maximum number of the type of interface for vlan interfaces x is defined by the number you enter in the vlan name field for example ethernet interface names are wan1 wan2 lan1 lan2 dmz vlan interfaces are vlan0 vlan1 vlan2 and so on 183
- Relationships between interfaces 183
- Table 83 ethernet ppp cellular vlan bridge and virtual interface characteristics 183
- Table 84 relationships between different types of interfaces 183
- The names of virtual interfaces are derived from the interfaces on which they are created for example virtual interfaces created on ethernet interface wan1 are called wan1 1 wan1 2 and so on virtual interfaces created on vlan interface vlan2 are called vlan2 1 vlan2 2 and so on you cannot specify the number after the colon in the web configurator it is a sequential number you can specify the number after the colon if you use the cli to set up a virtual interface 183
- Zywall usg series user s guide 183
- Ipv6 addressing 184
- Ipv6 overview 184
- Note you cannot set up a ppp interface virtual ethernet interface or virtual vlan interface if the underlying interface is a member of a bridge you also cannot add an ethernet interface or vlan interface to a bridge if the member interface has a virtual interface or ppp interface on top of it 184
- Prefix and prefix length 184
- Link local address 185
- Prefix delegation 185
- Stateless autoconfiguration 185
- Subnet masking 185
- Dhcpv6 186
- Ipv6 router advertisement 186
- Port role screen 186
- Table 86 models with port role 186
- What you need to do first 186
- Default interface zone 187
- Ethernet summary screen 187
- Physical ports 187
- Chapter 9 interfaces 188
- Each field is described in the following table 188
- Ethernet 188
- Exchanged the more efficient the routers should be however the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management the zywall usg supports two routing protocols rip and ospf see chapter 10 on page 279 for background information about these routing protocols 188
- Label description 188
- Zywall usg series user s guide 188
- Ethernet edit 189
- Note if you create ip address objects based on an interface s ip address subnet or gateway the zywall usg automatically updates every rule or setting that uses the object whenever the interface s ip address settings change for example if you change the lan s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object 189
- Igmp proxy 190
- Chapter 9 interfaces 197
- Label description 197
- This screen s fields are described in the table below 197
- Zywall usg series user s guide 197
- Chapter 9 interfaces 198
- Edit continued 198
- Label description 198
- Zywall usg series user s guide 198
- Chapter 9 interfaces 199
- Edit continued 199
- Label description 199
- Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 199
- Note this field displays the combined address after you click ok and reopen this screen 199
- Zywall usg series user s guide 199
- Chapter 9 interfaces 200
- Edit continued 200
- Label description 200
- Note make sure the hosts also support router preference to make this function work 200
- Zywall usg series user s guide 200
- Chapter 9 interfaces 201
- Edit continued 201
- Label description 201
- Note this field displays the combined address after you click ok and reopen this screen 201
- Zywall usg series user s guide 201
- Chapter 9 interfaces 202
- Edit continued 202
- Label description 202
- Zywall usg series user s guide 202
- Chapter 9 interfaces 203
- Edit continued 203
- Label description 203
- Zywall usg series user s guide 203
- Chapter 9 interfaces 204
- Edit continued 204
- Label description 204
- Zywall usg series user s guide 204
- Add edit dhcpv6 request release options 205
- Object references 205
- Add dhcpv6 request lease options 206
- Add edit dhcp extended options 206
- Add edit extended options 206
- Chapter 9 interfaces 206
- Edit select dhcp server in the dhcp setting section and then click add or edit in the extended options table 206
- Label description 206
- Select a dhcpv6 request or lease object in the select one object field and click ok to save it click cancel to exit without saving the setting 206
- The following table describes labels that can appear in this screen 206
- Zywall usg series user s guide 206
- Add edit extended options 207
- Chapter 9 interfaces 207
- Label description 207
- Option name code description 207
- Table 91 dhcp extended options 207
- The following table lists the available dhcp extended options defined in rfcs on the zywall usg see rfcs for more information 207
- Zywall usg series user s guide 207
- Ppp interface summary 208
- Ppp interfaces 208
- Chapter 9 interfaces 209
- Each field is described in the table below 209
- Ipv6 screen you can also configure ppp interfaces used for your ipv6 networks on this screen to access this screen click the add icon or an edit icon in the ppp interface screen 209
- Label description 209
- Note you have to set up an isp account before you create a pppoe pptp interface 209
- Ppp interface add or edit 209
- Zywall usg series user s guide 209
- Chapter 9 interfaces 211
- Each field is explained in the following table 211
- Label description 211
- Note multiple ppp interfaces can use the same base interface 211
- Zywall usg series user s guide 211
- Add continued 212
- Chapter 9 interfaces 212
- Label description 212
- Note this field displays the combined address after you click ok and reopen this screen 212
- Zywall usg series user s guide 212
- Add continued 213
- Chapter 9 interfaces 213
- Label description 213
- Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 213
- Zywall usg series user s guide 213
- Cellular configuration screen 214
- Note the actual data rate you obtain varies depending on the mobile broadband device you use the signal strength to the service provider s base station and so on 214
- Cellular 215
- Chapter 9 interfaces 215
- Mobile phone and data standards data speed gsm based cdma based 215
- Name type 215
- Note install or connect a compatible mobile broadband usb device to use a cellular connection 215
- Note the actual data rate you obtain varies depending on your mobile environment the environmental factors may include the number of mobile devices which are currently connected to the mobile network the signal strength to the mobile network and so on 215
- Note the wan ip addresses of a zywall usg with multiple wan interfaces must be on different subnets 215
- See the following table for a comparison between 2g 2 g 2 5g 3g and 4g wireless technologies 215
- Table 94 2g 2 g 2 5g 3g 3 g and 4g wireless technologies 215
- Zywall usg series user s guide 215
- Cellular 216
- Chapter 9 interfaces 216
- Label description 216
- The following table describes the labels in this screen 216
- Zywall usg series user s guide 216
- Add edit cellular configuration 217
- Cellular choose slot 217
- Add edit 219
- Chapter 9 interfaces 219
- Label description 219
- The following table describes the labels in this screen 219
- Zywall usg series user s guide 219
- Add edit continued 220
- Chapter 9 interfaces 220
- Label description 220
- Zywall usg series user s guide 220
- Add edit continued 221
- Chapter 9 interfaces 221
- Label description 221
- Zywall usg series user s guide 221
- Add edit continued 222
- Chapter 9 interfaces 222
- Label description 222
- Zywall usg series user s guide 222
- Add edit continued 223
- Chapter 9 interfaces 223
- Gre tunneling 223
- Gre tunnels encapsulate a wide variety of network layer protocol packet types inside ip tunnels a gre tunnel serves as a virtual point to point link between the zywall usg and another router over an ipv4 network at the time of writing the zywall usg only supports gre tunneling in ipv4 networks 223
- Label description 223
- The zywall usg uses tunnel interfaces in generic routing encapsulation gre ipv6 in ipv4 and 6to4 tunnels 223
- Tunnel interfaces 223
- Zywall usg series user s guide 223
- Internet 224
- Ipv4 ipv6 ipv6 224
- Ipv6 in ipv4 tunneling 224
- Ipv6 ipv4 224
- Ipv6 over ipv4 tunnels 224
- Configuring a tunnel 225
- Internet 225
- Ipv6 ipv4 225
- To4 tunneling 225
- Add or edit to open the following screen 226
- Chapter 9 interfaces 226
- Each field is explained in the following table 226
- Label description 226
- Tunnel 226
- Tunnel add or edit screen 226
- Zywall usg series user s guide 226
- Add edit 227
- Chapter 9 interfaces 227
- Each field is explained in the following table 227
- Label description 227
- Zywall usg series user s guide 227
- Add edit continued 228
- Chapter 9 interfaces 228
- Label description 228
- Zywall usg series user s guide 228
- Add edit continued 229
- Chapter 9 interfaces 229
- Label description 229
- Zywall usg series user s guide 229
- Vlan interfaces 230
- Note each vlan interface is created on top of only one ethernet interface 231
- Vlan interfaces overview 231
- Vlan summary screen 231
- Chapter 9 interfaces 232
- Each field is explained in the following table 232
- Label description 232
- Zywall usg series user s guide 232
- Vlan add edit 233
- Add edit 235
- Chapter 9 interfaces 235
- Each field is explained in the following table 235
- Label description 235
- Zywall usg series user s guide 235
- Add edit continued 236
- Chapter 9 interfaces 236
- Label description 236
- Zywall usg series user s guide 236
- Add edit continued 237
- Chapter 9 interfaces 237
- Label description 237
- Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 237
- Note this field displays the combined address after you click ok and reopen this screen 237
- Zywall usg series user s guide 237
- Add edit continued 238
- Chapter 9 interfaces 238
- Label description 238
- Note make sure the hosts also support router preference to make this function work 238
- Zywall usg series user s guide 238
- Add edit continued 239
- Chapter 9 interfaces 239
- Label description 239
- Note this field displays the combined address after you click ok and reopen this screen 239
- Zywall usg series user s guide 239
- Add edit continued 240
- Chapter 9 interfaces 240
- Label description 240
- Zywall usg series user s guide 240
- Add edit continued 241
- Chapter 9 interfaces 241
- Label description 241
- Zywall usg series user s guide 241
- A bridge creates a connection between two or more network segments at the layer 2 mac address level in the following example bridge x connects four network segments 242
- Add edit continued 242
- Bridge interfaces 242
- Bridge overview 242
- Chapter 9 interfaces 242
- Label description 242
- This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces 242
- Zywall usg series user s guide 242
- Bridge interface overview 243
- Bridge 244
- Bridge summary 244
- Chapter 9 interfaces 244
- Each field is described in the following table 244
- In this example virtual ethernet interface lan1 1 is also removed from the routing table when lan1 is added to br0 virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed 244
- Ip address es destination ip address es destination 244
- Label description 244
- Table 103 example routing table before and after bridge interface br0 is created continued 244
- Zywall usg series user s guide 244
- Bridge add edit 245
- Bridge continued 245
- Chapter 9 interfaces 245
- Label description 245
- This screen lets you configure ip address assignment interface bandwidth parameters dhcp settings and connectivity check for each bridge interface to access this screen click the add or edit icon in the bridge summary screen the following screen appears 245
- Zywall usg series user s guide 245
- Add edit 247
- Chapter 9 interfaces 247
- Each field is described in the table below 247
- Label description 247
- Zywall usg series user s guide 247
- Add edit continued 248
- Chapter 9 interfaces 248
- Label description 248
- Zywall usg series user s guide 248
- Add edit continued 249
- Chapter 9 interfaces 249
- Label description 249
- Note this field displays the combined address after you click ok and reopen this screen 249
- Zywall usg series user s guide 249
- Add edit continued 250
- Chapter 9 interfaces 250
- Label description 250
- Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 250
- Zywall usg series user s guide 250
- Add edit continued 251
- Chapter 9 interfaces 251
- Label description 251
- Note make sure the hosts also support router preference to make this function work 251
- Note this field displays the combined address after you click ok and reopen this screen 251
- Zywall usg series user s guide 251
- Add edit continued 252
- Chapter 9 interfaces 252
- Label description 252
- Zywall usg series user s guide 252
- Add edit continued 253
- Chapter 9 interfaces 253
- Label description 253
- Zywall usg series user s guide 253
- Add edit continued 254
- Chapter 9 interfaces 254
- Label description 254
- Like other interfaces virtual interfaces have an ip address subnet mask and gateway used to make routing decisions however you have to manually specify the ip address and subnet mask virtual interfaces cannot be dhcp clients like other interfaces you can restrict bandwidth through virtual interfaces but you cannot change the mtu the virtual interface uses the same mtu that the underlying interface uses unlike other interfaces virtual interfaces do not provide dhcp services and they do not verify that the gateway is available 254
- This screen lets you configure ip address assignment and interface parameters for virtual interfaces to access this screen click the create virtual interface icon in the ethernet vlan or bridge interface summary screen 254
- Use virtual interfaces to tell the zywall usg where to route packets virtual interfaces can also be used in vpn gateways see chapter 22 on page 385 and vrrp groups see chapter 34 on page 557 254
- Virtual interfaces 254
- Virtual interfaces add edit 254
- Virtual interfaces can be created on top of ethernet interfaces vlan interfaces or bridge interfaces virtual vlan interfaces recognize and use the same vlan id otherwise there is no difference between each type of virtual interface network policies for example security policies that apply to the underlying interface automatically apply to the virtual interface as well 254
- Zywall usg series user s guide 254
- Chapter 9 interfaces 255
- Create virtual interface 255
- Each field is described in the table below 255
- Label description 255
- Zywall usg series user s guide 255
- Interface technical reference 256
- Ip address assignment 256
- Lan1 wan1 256
- Dhcp settings 257
- Interface parameters 257
- Pppoe pptp overview 258
- Trunk overview 259
- What you need to know 259
- Least load first 260
- Load balancing algorithms 260
- Spillover 261
- Weighted round robin 261
- The trunk summary screen 262
- Add or edit 263
- Chapter 9 interfaces 263
- Configuring a user defined trunk 263
- Label description 263
- Trunk continued 263
- Trunk in the user configuration table click the add or edit icon to open the following screen use this screen to create or edit a wan trunk entry 263
- Zywall usg series user s guide 263
- Add or edit 264
- Chapter 9 interfaces 264
- Each field is described in the table below 264
- Label description 264
- Zywall usg series user s guide 264
- Add or edit continued 265
- Chapter 9 interfaces 265
- Configuring the system default trunk 265
- Edit system default 265
- Label description 265
- Note the available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk 265
- Note you can configure the bandwidth of an interface in the corresponding interface edit screen 265
- Trunk screen and the system default section select the default trunk entry and click edit to open the following screen use this screen to change the load balancing algorithm and view the bandwidth allocations for each member interface 265
- Zywall usg series user s guide 265
- Chapter 9 interfaces 266
- Each field is described in the table below 266
- Edit system default 266
- Label description 266
- Zywall usg series user s guide 266
- Policy and static routes overview 267
- Routing 267
- What you can do in this chapter 267
- How you can use policy routing 268
- Note bandwidth management in policy routes has priority over application patrol bandwidth management 268
- Note the zywall usg automatically uses snat for traffic it routes from internal interfaces to external interfaces for example lan to wan traffic 268
- Policy routes versus static routes 268
- Policy routing 268
- Static routes 268
- What you need to know 268
- Diffserv 269
- Dscp marking and per hop behavior 269
- Policy route screen 269
- Chapter 10 routing 270
- Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information 270
- Label description 270
- Policy route 270
- The following table describes the labels in this screen 270
- Zywall usg series user s guide 270
- Chapter 10 routing 271
- Label description 271
- Policy route continued 271
- Policy route edit screen 271
- Routing to open the policy route screen then click the add or edit icon in the ipv4 configuration or ipv6 configuration section the add policy route or 271
- Zywall usg series user s guide 271
- Add edit 273
- Add edit ipv6 configuration 273
- Chapter 10 routing 273
- Label description 273
- The following table describes the labels in this screen 273
- Zywall usg series user s guide 273
- Add edit continued 274
- Chapter 10 routing 274
- Label description 274
- Zywall usg series user s guide 274
- Add edit continued 275
- Chapter 10 routing 275
- Label description 275
- Zywall usg series user s guide 275
- Chapter 10 routing 276
- Ip static route screen 276
- Ipv6 screen you can also configure static routes used for your ipv6 networks on this screen 276
- Label description 276
- Select a static route index number and click add or edit the screen shown next appears use this screen to configure the required information for a static route 276
- Static route 276
- Static route add edit screen 276
- The following table describes the labels in this screen 276
- Zywall usg series user s guide 276
- Add ipv4 configuration 277
- Add ipv6 configuration 277
- Chapter 10 routing 277
- Label description 277
- The following table describes the labels in this screen 277
- Zywall usg series user s guide 277
- Assured forwarding af phb for diffserv 278
- Maximize bandwidth usage 278
- Nat and snat 278
- Policy routing technical reference 278
- Finding out more 279
- Routing protocols overview 279
- The rip screen 279
- What you need to know 279
- Chapter 10 routing 280
- Label description 280
- Rip to open the following screen 280
- Rip uses udp port 520 280
- Second the zywall usg can also redistribute routing information from non rip networks specifically ospf networks and static routes to the rip network costs might be calculated differently however so you use the metric field to specify the cost in rip terms 280
- The following table describes the labels in this screen 280
- Use the rip screen to specify the authentication method and maintain the policies for redistribution 280
- Zywall usg series user s guide 280
- Ospf areas 281
- The ospf screen 281
- Ospf routers 282
- Virtual links 283
- Configuring the ospf screen 284
- Ospf configuration 284
- Chapter 10 routing 285
- Label description 285
- Ospf area add edit screen 285
- Ospf continued 285
- The ospf area add edit screen allows you to create a new area or edit an existing one to access this screen go to the ospf summary screen see section 10 on page 281 and click either the add icon or an edit icon 285
- Zywall usg series user s guide 285
- Chapter 10 routing 286
- Label description 286
- The following table describes the labels in this screen 286
- Zywall usg series user s guide 286
- Add continued 287
- Chapter 10 routing 287
- Label description 287
- The virtual link add edit screen allows you to create a new virtual link or edit an existing one when the ospf add or edit screen see section 10 on page 285 has the type set to normal a virtual link table displays click either the add icon or an entry and the edit icon to display a screen like the following 287
- Virtual link add edit screen 287
- Zywall usg series user s guide 287
- Authentication is used to guarantee the integrity but not the confidentiality of routing updates the transmitting router uses its key to encrypt the original message into a smaller message and the smaller message is transmitted with the original message the receiving router uses its key to encrypt the received message and then verifies that it matches the smaller message sent with it if the received message is verified then the receiving router accepts the updated routing information the transmitting and receiving routers must have the same key 288
- Authentication types 288
- Chapter 10 routing 288
- Here is more detailed information about rip and ospf 288
- Label description 288
- Md5 authentication using an md5 password and authentication id 288
- Md5 is an authentication method that produces a 128 bit checksum called a message digest for each packet it also includes an authentication id which can be set to any value between 1 and 255 the zywall usg only accepts packets if these conditions are satisfied 288
- None no authentication is used 288
- Routing protocol technical reference 288
- Text authentication using a plain text password and the unencrypted password is sent over the network this method is usually used temporarily to prevent network problems 288
- The following table describes the labels in this screen 288
- The packet s authentication id is the same as the authentication id of the interface that received it 288
- The zywall usg supports three types of authentication for rip and ospf routing protocols 288
- Zywall usg series user s guide 288
- Ddns overview 290
- What you can do in this chapter 290
- What you need to know 290
- Chapter 11 ddns 291
- Ddns to open the following screen 291
- Label description 291
- The ddns screen 291
- The following table describes the labels in this screen 291
- Zywall usg series user s guide 291
- The dynamic dns add edit screen 292
- Add custom 293
- Chapter 11 ddns 293
- Label description 293
- The following table describes the labels in this screen 293
- Zywall usg series user s guide 293
- Add continued 294
- Chapter 11 ddns 294
- Label description 294
- Note the zywall usg may not determine the proper ip address if there is an http proxy server between the zywall usg and the ddns server 294
- Zywall usg series user s guide 294
- Add continued 295
- Chapter 11 ddns 295
- Label description 295
- Zywall usg series user s guide 295
- Nat overview 296
- The nat screen 296
- What you can do in this chapter 296
- What you need to know 296
- Chapter 12 nat 297
- Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information 297
- Label description 297
- Nat the following screen appears providing a summary of the existing nat rules 297
- The following table describes the labels in this screen 297
- Zywall usg series user s guide 297
- The nat add edit screen 298
- Add continued 299
- Chapter 12 nat 299
- Label description 299
- Zywall usg series user s guide 299
- Add continued 300
- Chapter 12 nat 300
- Label description 300
- Zywall usg series user s guide 300
- Nat loopback 301
- Nat technical reference 301
- Xxx lan smtp com 301
- Xxx lan smtp com 1 301
- Http redirect 303
- Overview 303
- What you can do in this chapter 303
- What you need to know 303
- Http redirect security policy and policy route 304
- Note you can configure up to one http redirect rule for each incoming interface 304
- The http redirect screen 304
- Chapter 13 http redirect 305
- Http redirect 305
- Http redirect to open the http redirect screen then click the add or edit icon to open the http redirect edit screen where you can configure the rule 305
- Label description 305
- The following table describes the labels in this screen 305
- The http redirect edit screen 305
- Zywall usg series user s guide 305
- Chapter 13 http redirect 306
- Label description 306
- The following table describes the labels in this screen 306
- Zywall usg series user s guide 306
- Alg overview 307
- What you need to know 307
- Ftp alg 308
- H 23 alg 308
- Sip alg 308
- Peer to peer calls and the zywall usg 309
- Voip calls from the wan with multiple outgoing calls 309
- Voip with multiple wan ip addresses 309
- Before you begin 310
- Note if the zywall usg provides an alg for a service you must enable the alg in order to use the application patrol on that service s traffic 310
- The alg screen 310
- Chapter 14 alg 311
- Label description 311
- The following table describes the labels in this screen 311
- Zywall usg series user s guide 311
- Alg continued 312
- Chapter 14 alg 312
- Label description 312
- Zywall usg series user s guide 312
- Alg and trunks 313
- Alg technical reference 313
- Nat traversal 315
- Upnp and nat pmp overview 315
- What you need to know 315
- Cautions with upnp and nat pmp 316
- Upnp screen 316
- Chapter 15 upnp 317
- Click the start icon control panel and then the network and sharing center 317
- Label description 317
- Make sure the computer is connected to a lan port of the zywall usg turn on your computer and the zywall usg 317
- Technical reference 317
- The following table describes the fields in this screen 317
- The sections show examples of using upnp 317
- This section shows you how to use the upnp feature in windows 7 upnp server is installed in windows 7 activate upnp on the zywall usg 317
- Turning on upnp in windows 7 example 317
- Zywall usg series user s guide 317
- Auto discover your upnp enabled network device 319
- Using upnp in windows xp example 319
- Note when the upnp enabled device is disconnected from your computer all port mappings will be deleted automatically 320
- Web configurator easy access 321
- Ip mac binding 324
- Ip mac binding overview 324
- What you can do in this chapter 324
- What you need to know 324
- Chapter 16 ip mac binding 325
- Edit to open the ip mac binding edit screen use this screen to configure an interface s ip to mac address binding settings 325
- Interfaces used with ip mac binding 325
- Ip mac address bindings are grouped by interface you can use ip mac binding with ethernet bridge vlan and wlan interfaces you can also enable or disable ip mac binding and logging in an interface s configuration screen 325
- Ip mac binding edit 325
- Ip mac binding summary 325
- Ip mac binding to open the ip mac binding summary screen this screen lists the total number of ip to mac address bindings for devices connected to each supported interface 325
- Label description 325
- Summary 325
- The following table describes the labels in this screen 325
- Zywall usg series user s guide 325
- Chapter 16 ip mac binding 326
- Edit to open the ip mac binding edit screen click the add or edit icon to open the following screen use this screen to configure an interface s ip to mac address binding settings 326
- Label description 326
- Static dhcp edit 326
- The following table describes the labels in this screen 326
- Zywall usg series user s guide 326
- Chapter 16 ip mac binding 327
- Exempt list 327
- Exempt list to open the ip mac binding exempt list screen use this screen to configure ranges of ip addresses to which the zywall usg does not apply ip mac binding 327
- Ip mac binding exempt list 327
- Label description 327
- The following table describes the labels in this screen 327
- Zywall usg series user s guide 327
- Chapter 16 ip mac binding 328
- Exempt list continued 328
- Label description 328
- Zywall usg series user s guide 328
- Layer 2 isolation 329
- Overview 329
- What you can do in this chapter 329
- Chapter 17 layer 2 isolation 330
- Ip addresses that are not listed in the white list are blocked from communicating with other devices in the layer 2 isolation enabled internal interface s except for broadcast packets 330
- Label description 330
- Layer 2 isolation 330
- Layer 2 isolation general screen 330
- Note you can enable this feature only when the security policy is enabled 330
- The following table describes the labels in this screen 330
- White list 330
- White list screen 330
- Zywall usg series user s guide 330
- Add edit white list rule 331
- Chapter 17 layer 2 isolation 331
- Label description 331
- Note you can configure up to 100 white list rules on the zywall usg 331
- Note you can enable this feature only when the security policy is enabled 331
- Note you need to know the ip address of each connected device that you want to allow to be accessed by other devices when layer 2 isolation is enabled 331
- The following table describes the labels in this screen 331
- This screen allows you to create a new rule in the white list or edit an existing one to access this screen click the add button or select an entry from the list and click the edit button 331
- White list 331
- Zywall usg series user s guide 331
- Add edit 332
- Chapter 17 layer 2 isolation 332
- Label description 332
- The following table describes the labels in this screen 332
- Zywall usg series user s guide 332
- Inbound load balancing 333
- Inbound load balancing overview 333
- What you can do in this chapter 333
- Chapter 18 inbound load balancing 334
- Dns inbound lb 334
- Inbound lb 334
- Inbound lb to open the following screen 334
- Label description 334
- Note after you finish the inbound load balancing settings go to security policy and nat screens to configure the corresponding rule and virtual server to allow the internet users to access your internal servers 334
- The following table describes the labels in this screen 334
- The inbound lb screen 334
- Use the inbound lb add edit screen see section 18 on page 335 to add or edit a dns load balancing rule 334
- Zywall usg series user s guide 334
- Chapter 18 inbound load balancing 335
- Inbound lb and then the add or edit icon to open this screen 335
- Inbound lb continued 335
- Label description 335
- The inbound lb add edit screen 335
- Zywall usg series user s guide 335
- Add edit 336
- Chapter 18 inbound load balancing 336
- Label description 336
- The following table describes the labels in this screen 336
- Zywall usg series user s guide 336
- Add edit continued 337
- Add or edit and then an add or edit icon to open this screen 337
- Chapter 18 inbound load balancing 337
- Label description 337
- Select a load balancing method to use from the drop down list box 337
- Select weighted round robin to balance the traffic load between interfaces based on their respective weights an interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight for example if the weight ratio of wan1 and wan2 interfaces is 2 1 the zywall usg chooses wan1 for 2 sessions traffic and wan2 for every session s traffic in each round of 3 new sessions 337
- The inbound lb member add edit screen 337
- Zywall usg series user s guide 337
- Add edit 338
- Chapter 18 inbound load balancing 338
- Label description 338
- The following table describes the labels in this screen 338
- Zywall usg series user s guide 338
- Web auth overview 339
- Web authentication 339
- What you can do in this chapter 339
- Forced user authentication 340
- Note this works with http traffic only the zywall usg does not display the login screen when users attempt to send other kinds of traffic 340
- Single sign on 340
- Web authentication screen 340
- What you need to know 340
- Chapter 19 web authentication 341
- Label description 341
- The following table gives an overview of the objects you can configure 341
- Web authentication 341
- Web authentication web portal 341
- Zywall usg series user s guide 341
- Chapter 19 web authentication 342
- Label description 342
- Web authentication continued 342
- Zywall usg series user s guide 342
- Creating editing an authentication policy 343
- Creating exceptional services 343
- Add authentication policy 344
- Chapter 19 web authentication 344
- In the following figure u user logs into a domain controller dc which passes the user s login credentials to the sso agent the sso agent checks that these credentials are correct with the ad server and if the ad server confirms so the sso then notifies the zywall usg to allow access for the user to the permitted resource internet access for example 344
- Label description 344
- Sso overview 344
- The following table gives an overview of the objects you can configure 344
- The sso single sign on function integrates domain controller and zywall usg authentication mechanisms so that users just need to log in once single login to get access to permitted resources 344
- Zywall usg series user s guide 344
- Note the zywall usg the dc the sso agent and the ad server must all be in the same domain and be able to communicate with each other 345
- Sso does not support ipv6 ldap or radius you must use it in an ipv4 network environment with windows ad active directory authentication database 345
- Web authentication screen 345
- Configuration overview 346
- Configure the zywall usg to communicate with sso 346
- Screen field screen field 346
- Sso zywall usg configuration 346
- Zywall usg sso 346
- Chapter 19 web authentication 347
- Enable web authentication 347
- Enable web authentication and add a web authentication policy 347
- Label description 347
- The following table gives an overview of the objects you can configure 347
- Zywall usg series user s guide 347
- Create a security policy 348
- Configure user information 349
- Configure an authentication method 350
- Configure active directory 351
- Sso agent configuration 352
- Overview 357
- What you can do in this chapter 357
- A dedicated rtls ssid is recommended 358
- At least three aps managed by the zywall usg the more aps the better since it increases the amount of information the ekahau rtls controller has for calculating the location of the tags 358
- Before you begin 358
- Chapter 20 rtls 358
- Configuring rtls 358
- Ekahau rtls controller in blink mode with tzsp updater enabled 358
- For example if the ekahau rtls controller is behind a firewall open ports 8550 8553 and 8569 to allow traffic the aps send to reach the ekahau rtls controller 358
- Ip addresses for the ekahau wi fi tags 358
- Port number type description 358
- Rtls to open this screen use this screen to turn rtls real time location system on or off and specify the ip address and server port of the ekahau rtls controller 358
- Security policies to allow rtls traffic if the zywall usg security policy control is enabled or the ekahau rtls controller is behind a firewall 358
- Table 148 rtls traffic port numbers 358
- The following table lists default port numbers and types of packets rtls uses 358
- You need 358
- Zywall usg series user s guide 358
- Chapter 20 rtls 359
- Label description 359
- The following table describes the labels in this screen 359
- Zywall usg series user s guide 359
- Overview 360
- Security policy 360
- One security 361
- Chapter 21 security policy 363
- Figure 245 example of l2tp over ipsec troubleshooting 2 363
- For example at the time of writing these are the onesecurity icons you can see 363
- In the zywall usg you will see icons that link to onesecurity walkthroughs troubleshooting and so on in certain screens 363
- Onesecurity icon screen 363
- Table 150 onesecurity icons 363
- Zywall usg series user s guide 363
- Onesecurity icon screen 364
- Table 150 onesecurity icons continued 364
- What you can do in this chapter 364
- Default directional security policy behavior 365
- Stateful inspection 365
- To device policies 365
- What you need to know 365
- Asymmetrical routes 366
- Global security policies 366
- Security policy rule criteria 366
- Session limits 366
- The security policy screen 366
- User specific security policies 366
- Configuring the security policy control screen 367
- Chapter 21 security policy 368
- Label description 368
- Policy control 368
- The following table describes the labels in this screen 368
- Zywall usg series user s guide 368
- Chapter 21 security policy 369
- Label description 369
- Note allowing asymmetrical routes may let traffic from the wan go directly to the lan without passing through the zywall usg a better solution is to use virtual interfaces to put the zywall usg and the backup gateway on separate subnets 369
- Policy control continued 369
- Zywall usg series user s guide 369
- Chapter 21 security policy 370
- In the security policy control screen click the edit or add icon to display the security policy edit or add screen 370
- Label description 370
- Policy control continued 370
- The security policy control add edit screen 370
- Zywall usg series user s guide 370
- Chapter 21 security policy 371
- Label description 371
- The following table describes the labels in this screen 371
- Zywall usg series user s guide 371
- Add continued 372
- Anomaly detection and prevention adp protects against anomalies based on violations of protocol standards rfcs requests for comments and abnormal flows such as port scans this section introduces adp anomaly profiles and applying an adp profile to a traffic direction 372
- Anomaly detection and prevention overview 372
- Chapter 21 security policy 372
- Label description 372
- Note if you specified a source ip address group instead of any in the field below the user s ip address should be within the ip address range 372
- Zywall usg series user s guide 372
- General screen 373
- Label description 373
- Profile screen 373
- Protocol anomalies 373
- The anomaly detection and prevention general screen 373
- Traffic anomalies 373
- Adp profiles consist of traffic anomaly profiles and protocol anomaly profiles to create a new profile select a base profile and then click ok to go to the profile details screen type a new profile name enable or disable individual policies and then edit the default log options and actions 374
- Chapter 21 security policy 374
- Creating new adp profiles 374
- General 374
- Label description 374
- Note depending on your network topology and traffic load applying every packet direction to an anomaly profile may affect the zywall usg s performance 374
- Profile screens 374
- Profile to view the following screen 374
- To counter this you could create a monitor profile that creates logs but all actions are disabled observe the logs over time and try to eliminate the causes of the false alarms when you re satisfied that they have been reduced to an acceptable level you could then create an in line profile whereby you configure appropriate actions to be taken when a packet matches a policy 374
- When creating adp profiles you may find that certain policies are triggering too many false positives or false negatives a false positive is when valid traffic is flagged as an attack a false negative is when invalid traffic is wrongly allowed to pass through the zywall usg as each network is different false positives and false negatives are common on initial adp deployment 374
- Zywall usg series user s guide 374
- Chapter 21 security policy 375
- Label description 375
- Profile 375
- Profile screen click the edit or add icon and choose a base profile traffic anomaly is the first tab in the profile 375
- The following table describes the labels in this screen 375
- Traffic anomaly profiles 375
- Zywall usg series user s guide 375
- Add traffic anomaly 376
- Chapter 21 security policy 376
- Labels description 376
- The following table describes the labels in this screen 376
- Zywall usg series user s guide 376
- Add traffic anomaly continued 377
- Chapter 21 security policy 377
- Labels description 377
- Zywall usg series user s guide 377
- Protocol anomalies 378
- Add protocol anomaly 379
- Chapter 21 security policy 379
- Label description 379
- The following table describes the labels in this screen 379
- Zywall usg series user s guide 379
- Add protocol anomaly 380
- Chapter 21 security policy 380
- Label description 380
- Session control 380
- Session control to display the security policy session control screen use this screen to limit the number of concurrent nat security policy sessions a client can use you can apply a default limit for all users and individual limits for specific users addresses or both the individual limit takes priority if you apply both 380
- The session control screen 380
- Zywall usg series user s guide 380
- Chapter 21 security policy 381
- Label description 381
- Session control 381
- Session control and the add or edit icon to display the add or edit screen use this screen to configure rules that define a session limit for specific users or addresses 381
- The following table describes the labels in this screen 381
- The session control add edit screen 381
- Zywall usg series user s guide 381
- Add edit 382
- Chapter 21 security policy 382
- Label description 382
- Note if you specified an ip address or address group instead of any in the field below the user s ip address should be within the ip address range 382
- Security policy example applications 382
- Suppose you decide to block lan users from using irc internet relay chat through the internet to do this you would configure a lan to wan security policy that blocks irc traffic from any source ip address from going to any destination address you do not need to specify a schedule since you need the security policy to always be in effect the following figure shows the results of this policy 382
- The following table describes the labels in this screen 382
- Zywall usg series user s guide 382
- Alternatively you configure a lan1 to wan policy with the ceo s user name say ceo to allow irc traffic from any source ip address to go to any destination address 384
- Chapter 21 security policy 384
- Figure 256 limited lan to wan irc traffic example 384
- Table 161 limited lan1 to wan irc traffic example 1 384
- Table 162 limited lan1 to wan irc traffic example 2 384
- The first row allows any lan1 computer to access the irc service on the wan by logging into the zywall usg with the ceo s user name 384
- The first row allows the lan1 computer at ip address 172 6 to access the irc service on the wan 384
- The policy for the ceo must come before the policy that blocks all lan1 to wan irc traffic if the policy that blocks all lan1 to wan irc traffic came first the ceo s irc traffic would match that policy and the zywall usg would drop it and not check any other security policies 384
- The second row blocks lan1 access to the irc service on the wan 384
- The third row is the default policy of allowing all traffic from the lan1 to go to the wan 384
- The third row is the default policy of allowing allows all traffic from the lan1 to go to the wan 384
- User source destination schedule utm profile action 384
- Your security policy would have the following configuration 384
- Your security policy would have the following settings 384
- Zywall usg series user s guide 384
- Ipsec vpn 385
- Virtual private networks vpn overview 385
- Ssl vpn 386
- L2tp vpn 387
- What you can do in this chapter 387
- What you need to know 388
- Application scenarios 389
- Chapter 22 ipsec vpn 389
- Finding out more 389
- Remote access client role 389
- Remote access server role 389
- See section 22 on page 410 for ipsec vpn background information 389
- See the help in the ipsec vpn quick setup wizard screens 389
- Site to site site to site with dynamic peer 389
- Table 163 ipsec vpn application scenarios 389
- The zywall usg s application scenarios make it easier to configure your vpn connection settings 389
- Zywall usg series user s guide 389
- Before you begin 390
- The vpn connection screen 390
- Chapter 22 ipsec vpn 391
- Each field is discussed in the following table 391
- Label description 391
- The vpn connection add edit ike screen 391
- Vpn connection 391
- Vpn connection screen see section 22 on page 390 and click either the add icon or an edit icon 391
- Zywall usg series user s guide 391
- Chapter 22 ipsec vpn 393
- Each field is described in the following table 393
- Label description 393
- Zywall usg series user s guide 393
- Chapter 22 ipsec vpn 394
- Edit continued 394
- Label description 394
- Zywall usg series user s guide 394
- Chapter 22 ipsec vpn 395
- Edit continued 395
- Label description 395
- Zywall usg series user s guide 395
- Chapter 22 ipsec vpn 396
- Edit continued 396
- Label description 396
- Zywall usg series user s guide 396
- Chapter 22 ipsec vpn 397
- Edit continued 397
- Label description 397
- Zywall usg series user s guide 397
- Chapter 22 ipsec vpn 398
- Each field is discussed in the following table see section 22 on page 399 for more information 398
- Label description 398
- The vpn gateway screen 398
- Vpn gateway 398
- Vpn gateway the following screen appears 398
- Zywall usg series user s guide 398
- Chapter 22 ipsec vpn 399
- Label description 399
- The vpn gateway add edit screen 399
- The vpn gateway add edit screen allows you to create a new vpn gateway policy or edit an existing one to access this screen go to the vpn gateway summary screen see section 22 on page 398 and click either the add icon or an edit icon 399
- Vpn gateway continued 399
- Zywall usg series user s guide 399
- Add edit 401
- Chapter 22 ipsec vpn 401
- Each field is described in the following table 401
- Label description 401
- Note the zywall usg and remote ipsec router must use the same authentication method to establish the ike sa 401
- Zywall usg series user s guide 401
- Add edit continued 402
- Chapter 22 ipsec vpn 402
- Label description 402
- Note the ipsec routers must trust each other s certificates 402
- Zywall usg series user s guide 402
- Add edit continued 403
- Chapter 22 ipsec vpn 403
- Label description 403
- Note if peer id type is ip please read the rest of this section 403
- Zywall usg series user s guide 403
- Add edit continued 404
- Chapter 22 ipsec vpn 404
- Label description 404
- Zywall usg series user s guide 404
- Add edit continued 405
- Chapter 22 ipsec vpn 405
- Label description 405
- Zywall usg series user s guide 405
- Vpn concentrator 406
- Vpn concentrator requirements and suggestions 406
- The vpn concentrator add edit screen 407
- Vpn concentrator screen 407
- Zywall usg ipsec vpn client configuration provisioning 408
- A subnet or range remote policy 409
- Chapter 22 ipsec vpn 409
- Configuration provisioning 409
- Each field is discussed in the following table 409
- In the zywall usg quick setup wizard you can use the vpn settings for configuration provisioning wizard to create a vpn rule that will not violate these restrictions 409
- Ipv4 rules with ikev2 version 409
- Ipv4 rules with user based psk authentication 409
- Ipv6 rules 409
- Label description 409
- The following vpn gateway rules configured on the zywall usg cannot be provisioned to the ipsec vpn client 409
- Zywall usg series user s guide 409
- Ike sa overview 410
- Ipsec vpn background information 410
- Note both routers must use the same negotiation mode 410
- Ike sa proposal 411
- Ip addresses of the zywall usg and remote ipsec router 411
- Note both routers must use the same encryption algorithm authentication algorithm and dh key group 411
- Authentication 412
- Diffie hellman dh key exchange 412
- Note the zywall usg and the remote ipsec router must use the same pre shared key 413
- Note the zywall usg s local and peer id type and content must match the remote ipsec router s peer and local id type and content respectively 413
- Additional topics for ike sa 414
- Negotiation mode 414
- Vpn nat and nat traversal 414
- Certificates 415
- X auth extended authentication 415
- Active protocol 416
- Encapsulation 416
- Ipsec sa overview 416
- Local network and remote network 416
- Note the ipsec sa stays connected even if the underlying ike sa is not available anymore 416
- Note the zywall usg and remote ipsec router must use the same active protocol 416
- Note the zywall usg and remote ipsec router must use the same encapsulation 416
- Note you must set up the certificates for the zywall usg and remote ipsec router first 416
- Additional topics for ipsec sa 417
- Authentication and the security parameter index spi 417
- Ipsec sa proposal and perfect forward secrecy 417
- Nat for inbound and outbound traffic 417
- Note the zywall usg and remote ipsec router must use the same spi 417
- Source address in inbound packets inbound traffic source nat 418
- Source address in outbound packets outbound traffic source nat 418
- 68 24 172 6 24 419
- Destination address in inbound packets inbound traffic destination nat 419
- Ipsec vpn example scenario 419
- Lan lan 419
- Overview 420
- Ssl vpn 420
- What you can do in this chapter 420
- What you need to know 420
- Ssl access policy objects 421
- The ssl access privilege screen 421
- Access privilege 422
- Chapter 23 ssl vpn 422
- Label description 422
- The following table describes the labels in this screen 422
- The ssl access privilege policy add edit screen 422
- To create a new or edit an existing ssl access policy click the add or edit icon in the access privilege screen 422
- Zywall usg series user s guide 422
- Add edit continued 424
- Chapter 23 ssl vpn 424
- Label description 424
- Note although you can select admin and limited admin accounts in this screen they are reserved for device configuration only you cannot use them to access the ssl vpn portal 424
- Note to allow access to shared files on a windows 7 computer within windows 7 you must enable sharing on the folder and also go to the network and sharing center s advanced sharing settings and turn on the current network profile s file and printer sharing 424
- Zywall usg series user s guide 424
- Add edit continued 425
- Chapter 23 ssl vpn 425
- Global setting 425
- Label description 425
- Ssl vpn and click the global setting tab to display the following screen use this screen to set the ip address of the zywall usg or a gateway device on your network for full tunnel mode access enter access messages or upload a custom logo to be displayed on the remote user screen 425
- The ssl global setting screen 425
- Zywall usg series user s guide 425
- Chapter 23 ssl vpn 426
- Click apply to start the file transfer process 426
- Click browse to locate the logo graphic make sure the file is in gif jpg or png format 426
- Follow the steps below to upload a custom logo to display on the remote user ssl vpn screens 426
- Global setting 426
- How to upload a custom logo 426
- Label description 426
- Log in as a user to verify that the new logo displays properly 426
- Note the logo graphic must be gif jpg or png format the graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed the zywall usg automatically resizes a graphic of a different resolution to 103 x 29 pixels the file size must be 100 kilobytes or less transparent background is recommended 426
- Ssl vpn and click the global setting tab to display the configuration screen 426
- The following table describes the labels in this screen 426
- Zywall usg series user s guide 426
- Zywall usg secuextender 427
- Example configure zywall usg for secuextender 428
- Label description 428
- Overview 431
- Ssl user screens 431
- What you need to know 431
- Certificates 432
- Finding out more 432
- Remote ssl user login 432
- Required information 432
- System requirements 432
- Note available resource links vary depending on the configuration your network administrator made 435
- The ssl vpn user screens 435
- Bookmarking the zywall usg 436
- Chapter 24 ssl user screens 436
- Description 436
- Figure 295 remote user screen 436
- In any remote user screen click the add to favorite icon 436
- Table 178 remote user screen overview 436
- The following table describes the various parts of a remote user screen 436
- You can create a bookmark of the zywall usg by clicking the add to favorite icon this allows you to access the zywall usg using the bookmark without having to enter the address every time 436
- Zywall usg series user s guide 436
- Logging out of the ssl vpn user screens 437
- Ssl user application screen 437
- Note available actions you can perform in the file sharing screen vary depending on the rights granted to you on the file server 438
- Ssl user file sharing 438
- The main file sharing screen 438
- Opening a file or folder 439
- Downloading a file 440
- Saving a file 440
- Creating a new folder 441
- Note make sure the length of the folder name does not exceed the maximum allowed on the file server 441
- Renaming a file or folder 441
- Deleting a file or folder 442
- Note make sure the length of the name does not exceed the maximum allowed on the file server you may not be able to open a file if you change the file extension 442
- Uploading a file 442
- Note uploading a file with the same name and file extension replaces the existing file on the file server no warning message is displayed 443
- Status 444
- The zywall usg secuextender icon 444
- Zywall usg secuextender windows 444
- Chapter 25 zywall usg secuextender windows 445
- Figure 308 zywall usg secuextender status 445
- If you have problems with the zywall usg secuextender customer support may request you to provide information from the log right click the zywall usg secuextender icon in the system tray and select log to open a notepad file of the zywall usg secuextender s log 445
- Label description 445
- Table 179 zywall usg secuextender status 445
- The following table describes the labels in this screen 445
- View log 445
- Zywall usg series user s guide 445
- Stop the connection 446
- Suspend and resume the connection 446
- Uninstalling the zywall usg secuextender 446
- L2tp vpn 448
- Overview 448
- What you can do in this chapter 448
- What you need to know 448
- L2tp vpn screen 449
- L2tp_pool 449
- Lan_subnet 449
- Policy route 449
- Using the quick setup vpn setup wizard 449
- Chapter 26 l2tp vpn 450
- L2tp vpn 450
- Label description 450
- Note modifying this vpn connection or the vpn gateway that it uses disconnects any existing l2tp vpn sessions 450
- The following table describes the fields in this screen 450
- Zywall usg series user s guide 450
- Address for the wan ip address of the nat router 451
- Chapter 26 l2tp vpn 451
- Example l2tp and zywall usg behind a nat router 451
- If the zywall usg z is behind a nat router n then do the following for remote clients c to access the network behind the zywall usg z using l2tp over ipv4 451
- L2tp vpn continued 451
- Label description 451
- Select remote access server role as the vpn scenario for the remote client 451
- Vpn connection and click add for ipv4 configuration to create a new vpn connection 451
- Zywall usg series user s guide 451
- Bwm bandwidth management 453
- Overview 453
- What you can do in this chapter 453
- What you need to know 453
- Connection and packet directions 454
- Diffserv and dscp marking 454
- Bandwidth management priority 455
- Connection 455
- Inbound 455
- Outbound 455
- Outbound and inbound bandwidth limits 455
- Bandwidth management behavior 456
- Bwm 1000 kbps 456
- Configured rate effect 456
- Maximize bandwidth usage 456
- Priority effect 456
- Maximize bandwidth usage effect 457
- Priority and over allotment of bandwidth effect 457
- The bandwidth management screen 457
- Bandwidth management 458
- Chapter 27 bwm bandwidth management 458
- Label description 458
- The following table describes the labels in this screen see section 27 on page 460 for more information as well 458
- Zywall usg series user s guide 458
- Bandwidth management 459
- Chapter 27 bwm bandwidth management 459
- Label description 459
- Zywall usg series user s guide 459
- Bandwidth management add edit screen allows you to create a new condition or edit an existing one 460
- Bandwidth management screen see section 27 on page 457 and click either the add icon or an edit icon 460
- Chapter 27 bwm bandwidth management 460
- Edit for the default policy 460
- P marking 460
- Table 186 single tagged 802 q frame format 460
- Table 187 802 q frame 460
- Table 188 priority code and types of traffic priority traffic types 460
- The bandwidth management add edit screen 460
- The following table is a guide to types of traffic for the priority code 460
- Use 802 p to prioritize outgoing traffic from a vlan interface the priority code is a 3 bit field within a 802 q vlan tag that s used to prioritize associated outgoing vlan traffic 0 is the lowest priority level and 7 is the highest 460
- Zywall usg series user s guide 460
- Add edit 461
- Chapter 27 bwm bandwidth management 461
- Label description 461
- The following table describes the labels in this screen 461
- Zywall usg series user s guide 461
- Add edit 462
- Chapter 27 bwm bandwidth management 462
- Label description 462
- Zywall usg series user s guide 462
- Add edit 463
- Chapter 27 bwm bandwidth management 463
- Label description 463
- Zywall usg series user s guide 463
- Adding objects for the bwm policy 464
- Label description 464
- Add user 465
- Chapter 27 bwm bandwidth management 465
- Label description 465
- Zywall usg series user s guide 465
- Add schedule 466
- Chapter 27 bwm bandwidth management 466
- Label description 466
- The following table describes the fields in the above screen 466
- Zywall usg series user s guide 466
- Add address 467
- Chapter 27 bwm bandwidth management 467
- Label description 467
- The following table describes the fields in the above screen 467
- Zywall usg series user s guide 467
- Application patrol 468
- Overview 468
- What you can do in this chapter 468
- What you need to know 468
- Application patrol profile 469
- Classification of applications 469
- Custom ports for sip and the sip alg 469
- Finding out more 469
- Note the zywall usg allows the first eight packets to go through the security policy regardless of the application patrol policy for the application the zywall usg examines these first eight packets to identify the application 469
- Note you must register for the idp apppatrol signature service at least the trial before you can use it 469
- Chapter 28 application patrol 470
- Label description 470
- Profile 470
- The following table describes the labels in this screen 470
- Zywall usg series user s guide 470
- Add edit 471
- Chapter 28 application patrol 471
- Label description 471
- Profile 471
- Profile then click add to create a new profile rule or click an existing profile and click edit or double click it to open the following screen 471
- The application patrol profile add edit screen 471
- The following table describes the labels in this screen 471
- Zywall usg series user s guide 471
- Add edit 472
- Add edit continued 472
- Chapter 28 application patrol 472
- Click add or edit under profile management in the previous screen to display the following screen 472
- Label description 472
- The application patrol profile rule add application screen 472
- The following table describes the labels in this screen 472
- Zywall usg series user s guide 472
- Add edit 473
- Chapter 28 application patrol 473
- Label description 473
- Zywall usg series user s guide 473
- Content filtering 474
- Overview 474
- What you can do in this chapter 474
- What you need to know 474
- Before you begin 475
- Content filtering configuration guidelines 475
- External web filtering service 475
- Finding out more 475
- Keyword blocking url checking 475
- Content filter profile screen 476
- Chapter 29 content filtering 477
- Label description 477
- Profile continued 477
- Zywall usg series user s guide 477
- Content filter add profile category service 478
- Content filter profile add or edit screen 478
- Category service 480
- Chapter 29 content filtering 480
- Label description 480
- The following table describes the labels in this screen 480
- Zywall usg series user s guide 480
- Category service 481
- Chapter 29 content filtering 481
- Label description 481
- Sites that use bots zombies including command and control site 481
- Zywall usg series user s guide 481
- Category description 482
- Category service 482
- Chapter 29 content filtering 482
- Label description 482
- Table 198 managed category descriptions 482
- The following table describes the managed categories 482
- Zywall usg series user s guide 482
- Chapter 29 content filtering 483
- Table 198 managed category descriptions continued 483
- Zywall usg series user s guide 483
- Chapter 29 content filtering 484
- Table 198 managed category descriptions continued 484
- Zywall usg series user s guide 484
- Chapter 29 content filtering 485
- Table 198 managed category descriptions continued 485
- Zywall usg series user s guide 485
- Chapter 29 content filtering 486
- Content filter add filter profile custom service 486
- Custom service to open the custom service screen you can create a list of good allowed web site addresses and a list of bad blocked web site addresses you can also block web sites based on whether the web site s address contains a keyword use this screen to add or remove specific sites or keywords from the filter list 486
- Table 198 managed category descriptions continued 486
- Zywall usg series user s guide 486
- Chapter 29 content filtering 487
- Custom service 487
- Label description 487
- The following table describes the labels in this screen 487
- Zywall usg series user s guide 487
- Chapter 29 content filtering 488
- Custom service continued 488
- Label description 488
- Zywall usg series user s guide 488
- Chapter 29 content filtering 489
- Content filter trusted web sites screen 489
- Custom service continued 489
- Label description 489
- Trusted web sites to open the trusted web sites screen you can create a common list of good allowed web site addresses when you configure filter profiles you can select the option to check the common trusted web sites list use this screen to add or remove specific sites from the filter list 489
- Zywall usg series user s guide 489
- Chapter 29 content filtering 490
- Content filter forbidden web sites screen 490
- Forbidden web sites to open the forbidden web sites screen you can create a common list of bad blocked web site addresses when you configure filter profiles you can select the option to check the common forbidden web sites list use this screen to add or remove specific sites from the filter list 490
- Label description 490
- The following table describes the labels in this screen 490
- Trusted web sites 490
- Zywall usg series user s guide 490
- Chapter 29 content filtering 491
- Content filter technical reference 491
- External content filter server lookup procedure 491
- Forbidden web sites 491
- Label description 491
- The content filter lookup process is described below 491
- The following table describes the labels in this screen 491
- This section provides content filtering background information 491
- Zywall usg series user s guide 491
- Before you begin 493
- Overview 493
- What you can do in this chapter 493
- What you need to know 493
- Note you must register in order to use packet inspection signatures see the registration screens 494
- The idp profile screen 494
- Base profiles 495
- Chapter 30 idp 495
- Figure 334 base profiles 495
- Label description 495
- Profile continued 495
- Profile screen click add to display the following screen 495
- Zywall usg series user s guide 495
- Adding editing profiles 496
- Base profile description 496
- Chapter 30 idp 496
- Packet inspection signatures examine the contents of a packet for malicious data it operates at layer 4 to layer 7 an idp profile is a group of idp signatures that have the same log and action settings in group view you can configure the same log and action settings for all idp signatures by severity level in the add profile screen you may also configure signature exceptions in the sameview 496
- Table 203 base profiles 496
- The following table describes this screen 496
- You could create a new monitor profile that creates logs but all actions are disabled observe the logs over time and try to eliminate the causes of the false alarms when you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature 496
- You may also find that certain signatures are triggering too many false positives or false negatives a false positive is when valid traffic is flagged as an attack a false negative is when invalid traffic is wrongly allowed to pass through the zywall usg as each network is different false positives and false negatives are common on initial idp deployment 496
- You may want to create a new profile if not all signatures in a base profile are applicable to your network in this case you should disable non applicable signatures so as to improve zywall usg idp processing efficiency 496
- Zywall usg series user s guide 496
- Group view screen 497
- Profile group view screen 497
- Chapter 30 idp 498
- Group view continued 498
- Label description 498
- Zywall usg series user s guide 498
- Chapter 30 idp 499
- Group view continued 499
- Label description 499
- Zywall usg series user s guide 499
- Add profile query view 500
- Chapter 30 idp 500
- Group view continued 500
- In the group view screen click switch to query view to search for signatures by criteria such as name id severity policy type platform service platforms or actions 500
- Label description 500
- Query view 500
- Zywall usg series user s guide 500
- Chapter 30 idp 501
- Policy type description 501
- Policy types 501
- Table 205 policy types 501
- This table describes policy types as categorized in the zywall usg 501
- Zywall usg series user s guide 501
- An idp service group is a set of related packet inspection signatures 502
- Chapter 30 idp 502
- Idp service groups 502
- Policy type description 502
- Table 205 policy types continued 502
- Table 206 idp service groups 502
- The n a service group is for signatures that are not for a specific service 502
- Zywall usg series user s guide 502
- Chapter 30 idp 503
- Label description 503
- Profile query view 503
- The following table describes the fields specific to this screen s query view 503
- Zywall usg series user s guide 503
- Actions any 504
- Chapter 30 idp 504
- Label description 504
- Platform windows 504
- Policy type dos 504
- Profile query view continued 504
- Query example 504
- Service any 504
- Severity high 504
- This example shows a search with these criteria 504
- Zywall usg series user s guide 504
- Idp custom signatures 505
- Ip packet header 505
- Chapter 30 idp 506
- Figure 338 ip v4 packet headers 506
- Header description 506
- Table 208 ip v4 packet headers 506
- The header fields are discussed in the following table 506
- Zywall usg series user s guide 506
- Chapter 30 idp 507
- Custom signature s the first screen shows a summary of all custom signatures created click the sid or name heading to sort click the add icon to create a new signature or click the edit icon to edit an existing signature you can also delete custom signatures here or save them to your computer 507
- Custom signatures 507
- Label description 507
- Note the zywall usg checks all signatures and continues searching even after a match is found if two or more rules have conflicting actions for the same packet then the zywall usg applies the more restrictive action reject both reject receiver or reject sender drop none in this order if a packet matches a rule for reject receiver and it also matches a rule for reject sender then the zywall usg will reject both 507
- The following table describes the fields in this screen 507
- Zywall usg series user s guide 507
- Add edit custom signatures 508
- Add edit 510
- Chapter 30 idp 510
- Label description 510
- The following table describes the fields in this screen 510
- Zywall usg series user s guide 510
- Add edit continued 511
- Chapter 30 idp 511
- Label description 511
- Zywall usg series user s guide 511
- Add edit continued 512
- Before creating a custom signature you must first clearly understand the vulnerability 512
- Chapter 30 idp 512
- Custom signature example 512
- Label description 512
- Zywall usg series user s guide 512
- Analyze packets 513
- Understand the vulnerability 513
- Applying custom signatures 514
- Host intrusions 515
- Idp technical reference 515
- Network intrusions 515
- Verifying custom signatures 515
- 68 24 111 content 00 01 a5 msg mountd access 516
- Action 516
- Chapter 30 idp 516
- Protocol 516
- Snort signatures 516
- Source and destination ip addresses and netmasks 516
- Source and destination ports information 516
- Table 211 zywall usg snort equivalent terms 516
- The rule header contains the rule s 516
- The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken 516
- The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options the words before the colons in the rule options section are the option keywords 516
- The whole lan is compromised host based intrusions may be used to cause network based intrusions when the goal of the host virus is to propagate attacks on the network or attack computer server operating system vulnerabilities with the goal of bringing down the computer server typical network based intrusions are sql slammer blaster nimda mydoom etc 516
- These are some equivalent snort terms in the zywall usg 516
- You may want to refer to open source snort signatures when creating custom zywall usg ones most snort rules are written in a single line snort rules are divided into two logical sections the rule header and the rule options as shown in the following example 516
- Zywall usg series user s guide 516
- Zywall usg term snort equivalent term 516
- Chapter 30 idp 517
- Note not all snort functionality is supported in the zywall usg 517
- Table 211 zywall usg snort equivalent terms continued 517
- Zywall usg series user s guide 517
- Zywall usg term snort equivalent term 517
- Anti virus 518
- Overview 518
- What you can do in this chapter 518
- Anti virus engines 519
- How the zywall usg anti virus scanner works 519
- Since the zywall usg erases the infected portion of the file before sending it you may not be able to open the file 519
- Virus and worm 519
- What you need to know 519
- Zywall usg anti virus scanner 519
- Anti virus profile screen 520
- Finding out more 520
- Notes about the zywall usg anti virus 520
- Chapter 31 anti virus 521
- Label description 521
- Profile 521
- The following table describes the labels in this screen 521
- Zywall usg series user s guide 521
- Anti virus profile add or edit 522
- Chapter 31 anti virus 522
- Label description 522
- Profile continued 522
- Profile screen to display the configuration screen as shown next 522
- Zywall usg series user s guide 522
- Chapter 31 anti virus 523
- Label description 523
- The following table describes the labels in this screen 523
- Zywall usg series user s guide 523
- Anti virus black list 524
- Anti virus black list or white list add edit 525
- Black list 525
- Black list or white list screen click the add icon or an edit icon to display the following screen 525
- Chapter 31 anti virus 525
- For a black list entry enter a file pattern that should cause the zywall usg to log and delete a file 525
- For a white list entry enter a file pattern that should cause the zywall usg to allow a file 525
- Label description 525
- The following table describes the labels in this screen 525
- Zywall usg series user s guide 525
- Anti virus white list 526
- Chapter 31 anti virus 526
- Label description 526
- The following table describes the labels in this screen 526
- White list to display the screen shown next use the black white list screen to set up anti virus black blocked and white allowed lists of virus file patterns click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 526
- Zywall usg series user s guide 526
- Av signature searching 527
- Chapter 31 anti virus 527
- If internet explorer opens a warning screen about a script making internet explorer run slowly and the computer maybe becoming unresponsive just click no to continue click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 527
- Label description 527
- Signature to display this screen use this screen to locate signatures and display details about them 527
- The following table describes the labels in this screen 527
- White list 527
- Zywall usg series user s guide 527
- Anti virus technical reference 528
- Chapter 31 anti virus 528
- Label description 528
- Signature 528
- Table 218 common computer virus types 528
- The following table describes some of the common computer viruses 528
- The following table describes the labels in this screen 528
- Type description 528
- Types of computer viruses 528
- Zywall usg series user s guide 528
- Computer virus infection and prevention 529
- Types of anti virus scanner 529
- Anti spam 530
- Overview 530
- What you can do in this chapter 530
- What you need to know 530
- Before you begin 531
- E mail header buffer size 531
- E mail headers 531
- Finding out more 531
- Smtp and pop3 531
- Anti spam to open the anti spam profile screen use this screen to turn the anti spam feature on or off and manage anti spam policies you can also select the action the zywall usg takes when the mail sessions threshold is reached 532
- Chapter 32 anti spam 532
- Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information 532
- Configure your zones before you configure anti spam 532
- Label description 532
- Profile 532
- Profilel 532
- The anti spam profile screen 532
- The following table describes the labels in this screen 532
- Zywall usg series user s guide 532
- Chapter 32 anti spam 533
- Label description 533
- Profile 533
- Profile screen to display the configuration screen as shown next use this screen to configure an anti spam policy that controls what traffic direction of e mail to check which e mail protocols to scan the scanning options and the action to take on spam traffic 533
- The anti spam profile add or edit screen 533
- Zywall usg series user s guide 533
- Chapter 32 anti spam 534
- Label description 534
- The following table describes the labels in this screen 534
- Zywall usg series user s guide 534
- Add continued 535
- Add edit screen 535
- Chapter 32 anti spam 535
- Label description 535
- The mail scan screen 535
- Zywall usg series user s guide 535
- Chapter 32 anti spam 536
- Label description 536
- Mail scan 536
- The following table describes the labels in this screen 536
- Zywall usg series user s guide 536
- Black white list to display the anti spam black list screen 537
- Chapter 32 anti spam 537
- Configure the black list to identify spam e mail you can create black list entries based on the sender s or relay server s ip address or e mail address you can also create entries that check for particular e mail header fields with specific values or specific subject text click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 537
- Label description 537
- Mail scan 537
- The anti spam black list screen 537
- Zywall usg series user s guide 537
- Black list 538
- Chapter 32 anti spam 538
- Label description 538
- The following table describes the labels in this screen 538
- Zywall usg series user s guide 538
- Chapter 32 anti spam 539
- In the anti spam black list or white list screen click the add icon or an edit icon to display the following screen 539
- Label description 539
- The anti spam black or white list add edit screen 539
- The following table describes the labels in this screen 539
- Use this screen to configure an anti spam black list entry to identify spam e mail you can create entries based on specific subject text or the sender s or relay s ip address or e mail address you can also create entries that check for particular header fields and values 539
- Zywall usg series user s guide 539
- Black white list and then the white list tab to display the anti spam white list screen 540
- Chapter 32 anti spam 540
- Configure the white list to identify legitimate e mail you can create white list entries based on the sender s or relay s ip address or e mail address you can also create entries that check for particular header fields and values or specific subject text 540
- Label description 540
- Regular expressions in black or white list entries 540
- The anti spam white list screen 540
- The following applies for a black or white list entry based on an e mail subject e mail address or e mail header value 540
- The wildcard can be anywhere in the text string and you can use more than one wildcard you cannot use two wildcards side by side there must be other characters between them 540
- The zywall usg checks the first header with the name you specified in the entry so if the e mail has more than one received header the zywall usg checks the first one 540
- Use a question mark to let a single character vary for example use a c without the quotation marks to specify abc acc and so on 540
- You can also use a wildcard for example if you configure def com any e mail address that ends in def com matches so mail def com matches 540
- Zywall usg series user s guide 540
- Chapter 32 anti spam 541
- Label description 541
- The following table describes the labels in this screen 541
- White list 541
- Zywall usg series user s guide 541
- The dnsbl screen 542
- Chapter 32 anti spam 543
- Label description 543
- The following table describes the labels in this screen 543
- Zywall usg series user s guide 543
- Anti spam technical reference 544
- A a a a b b b b 545
- A a a a not spam 545
- Dnsbl a 545
- Dnsbl b 545
- Dnsbl c 545
- Ips a a a a b b b b 545
- C c c c d d d d 546
- C c c c not spam 546
- D d d d not spam 546
- Dnsbl a 546
- Dnsbl b 546
- Dnsbl c 546
- Ips c c c c d d d d 546
- A b c d not spam 547
- A b c d spam 547
- A b c d w x y z 547
- Dnsbl a 547
- Dnsbl b 547
- Dnsbl c 547
- Ips a b c d w x y z 547
- Overview 548
- Ssl inspection 548
- What you can do in this chapter 548
- What you need to know 548
- Before you begin 549
- The ssl inspection profile screen 549
- 1myprofile 550
- Add edit 550
- Add edit ssl inspection profiles 550
- Add to create a new profile or select an existing profile and click edit to change its settings 550
- Chapter 33 ssl inspection 550
- Label description 550
- My profile 550
- Mymy12_3 4 550
- Myprofile 550
- Profile continued 550
- The following table describes the fields in this screen 550
- Whatalongprofilename123456789012 550
- Zywall usg series user s guide 550
- Add edit continued 551
- Chapter 33 ssl inspection 551
- Label description 551
- Zywall usg series user s guide 551
- Add edit continued 552
- Chapter 33 ssl inspection 552
- Exclude list screen 552
- Exclude list to display the following screen use add to put a new item in the list or edit to change an existing one or remove to delete an existing entry 552
- Label description 552
- There may be privacy and legality issues regarding inspecting a user s encrypted session the legal issues may vary by locale so it s important to check with your legal department to make sure that it s ok to intercept ssl traffic from your zywall usg users 552
- To ensure individual privacy and meet legal requirements you can configure an exclusion list to exclude matching sessions to destination servers this traffic is not intercepted and is passed through uninspected 552
- Zywall usg series user s guide 552
- Add edit 553
- Chapter 33 ssl inspection 553
- Exclude list 553
- Label description 553
- The following table describes the fields in this screen 553
- Zywall usg series user s guide 553
- Certificate update screen 554
- Install a ca certificate in a browser 555
- Firefox browser 556
- Device ha 557
- Overview 557
- What you can do in this chapter 557
- What you need to know 557
- Before you begin 558
- Device ha general 558
- Finding out more 558
- Note only zywall usgs of the same model and firmware version can synchronize 558
- Note subscribe to services on the backup zywall usg before synchronizing it with the master zywall usg 558
- Synchronization 558
- Chapter 34 device ha 559
- General 559
- Label description 559
- Note it is not recommended to use stp spanning tree protocol with device ha 559
- The active passive mode screen 559
- The following table describes the labels in this screen 559
- The master and backup zywall usg form a single virtual router in the following example master zywall usg a and backup zywall usg b form a virtual router 559
- Virtual router 559
- Zywall usg series user s guide 559
- Cluster id 560
- Monitored interfaces in active passive mode device ha 560
- Virtual router and management ip addresses 560
- Configuring active passive mode device ha 561
- Active passive mode continued 563
- Chapter 34 device ha 563
- Label description 563
- Zywall usg series user s guide 563
- A bridge interface s device ha settings are not retained if you delete the bridge interface 564
- Active passive mode continued 564
- Active passive mode edit monitored interface 564
- Chapter 34 device ha 564
- If you configure device ha settings for an ethernet interface and later add the ethernet interface to a bridge the zywall usg retains the interface s device ha settings and uses them again if you later remove the interface from the bridge if the bridge is later deleted or the interface is removed from it device ha will recover the interface s setting 564
- Label description 564
- Zywall usg series user s guide 564
- Chapter 34 device ha 565
- Label description 565
- Note do not connect the bridge interfaces on two zywall usgs without device ha activated on both doing so could cause a broadcast storm 565
- The following table describes the labels in this screen 565
- Zywall usg series user s guide 565
- Active passive mode device ha with bridge interfaces 566
- Br0 ge4 ge5 566
- Device ha technical reference 566
- First option for connecting the bridge interfaces on two zywall usgs 566
- Second option for connecting the bridge interfaces on two zywall usgs 567
- Synchronization 568
- Object 570
- What you need to know 570
- Zones overview 570
- Chapter 35 object 571
- Extra zone traffic 571
- Extra zone traffic is traffic to or from any interface or vpn tunnel that is not assigned to a zone for example in figure 375 on page 570 traffic to or from computer c is extra zone traffic 571
- Inter zone traffic 571
- Inter zone traffic is traffic between interfaces or vpn tunnels in different zones for example in figure 375 on page 570 traffic between vlan 1 and the internet is inter zone traffic this is the normal case when zone based security and policy settings apply 571
- Label description 571
- Some zone based security and policy settings may apply to extra zone traffic especially if you can set the zone attribute in them to any or all see the specific feature for more information 571
- The following table describes the labels in this screen 571
- The zone screen 571
- Zywall usg series user s guide 571
- User group overview 572
- Zone edit 572
- Ext user accounts 573
- Note the default admin account is always authenticated locally regardless of the authentication method setting see chapter 35 on page 637 for more information about authentication methods 573
- User account 573
- User types 573
- What you need to know 573
- Ext group user accounts 574
- Finding out more 574
- Note if the zywall usg tries to authenticate an ext user using the local database the attempt always fails 574
- Note you cannot put access users and admin users in the same user group 574
- Note you cannot put the default admin account into any user group 574
- User awareness 574
- User groups 574
- Chapter 35 object 575
- Label description 575
- The following table describes the labels in this screen 575
- The user add edit screen allows you to create a new user account or edit an existing one 575
- The zywall usg supports ttls using pap so you can use the zywall usg s local user database to authenticate users with wpa or wpa2 instead of needing an external radius server 575
- User add edit screen 575
- User group 575
- User group user summary screen 575
- Zywall us 575
- Zywall usg series user s guide 575
- Alphanumeric a z 0 9 there is no unicode support 576
- Chapter 35 object 576
- Dashes 576
- Enter a user name from 1 to 31 characters 576
- Here are the reserved user names 576
- Rules for user names 576
- The first character must be alphabetical a z a z an underscore _ or a dash other limitations on user names are 576
- The user name can only contain the following characters 576
- To access this screen go to the user screen see section 35 4 on page 664 and click either the add icon or an edit icon 576
- User names are case sensitive if you enter a user bob but use bob when connecting via cifs or ftp it will use the account settings used for bob not bob 576
- User names have to be different than user group names 576
- Zywall usg series user s guide 576
- _ underscores 576
- Chapter 35 object 577
- Label description 577
- The following table describes the labels in this screen 577
- Zywall us 577
- Zywall usg series user s guide 577
- Add continued 578
- Chapter 35 object 578
- Group add edit screen 578
- Label description 578
- The following table describes the labels in this screen see section 35 on page 578 for more information as well 578
- The group add edit screen allows you to create a new user group or edit an existing one to access this screen go to the group screen see section 35 on page 578 and click either the add icon or an edit icon 578
- User group group summary screen 578
- Zywall usg series user s guide 578
- Chapter 35 object 579
- Label description 579
- Setting 579
- The following table describes the labels in this screen 579
- The setting screen controls default settings login settings lockout settings and other user settings for the zywall usg you can also use this screen to specify when users must log in to the zywall usg before it routes traffic for them 579
- User group setting screen 579
- Zywall usg series user s guide 579
- Chapter 35 object 580
- Label description 580
- Setting 580
- The following table describes the labels in this screen 580
- Zywall usg series user s guide 580
- Chapter 35 object 581
- Label description 581
- Setting continued 581
- Zywall us 581
- Zywall usg series user s guide 581
- Chapter 35 object 582
- Default user authentication timeout settings edit screens 582
- Label description 582
- Setting continued 582
- Setting screen see section 35 on page 579 and click one of the default authentication timeout settings section s edit icons 582
- The default authentication timeout settings edit screen allows you to set the default authentication timeout settings for the selected type of user account these default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings you can still manually configure any user account s authentication timeout settings 582
- Zywall usg series user s guide 582
- Access users cannot use the web configurator to browse the configuration of the zywall usg instead after access users log into the zywall usg the following screen appears 583
- Chapter 35 object 583
- Figure 384 web configurator for non admin users 583
- Label description 583
- The following table describes the labels in this screen 583
- User aware login example 583
- Zywall us 583
- Zywall usg series user s guide 583
- Chapter 35 object 584
- Label description 584
- Mac address 584
- Mac address to open this screen 584
- Note you need to configure an ssid security profile s mac authentication settings to have the ap use the zywall usg s local database to authenticate wireless clients by their mac addresses 584
- Table 242 web configurator for non admin users 584
- The following table describes the labels in this screen 584
- User group mac address summary screen 584
- Zywall usg series user s guide 584
- Chapter 35 object 585
- Label description 585
- Mac address add edit screen 585
- Mac address continued 585
- The following table describes the labels in this screen 585
- This screen allows you to create a new allowed device or edit an existing one to access this screen go to the mac address screen see section 35 on page 584 and click either the add icon or an edit icon 585
- This section provides some information on users who use an external authentication server in order to log in 585
- User group technical reference 585
- Zywall usg series user s guide 585
- Ap profile overview 586
- Creating a large number of ext user accounts 586
- Setting up user attributes in an external server 586
- What you need to know 586
- Wireless profiles 586
- Ieee 802 x 587
- Radio screen 587
- Wpa and wpa2 587
- Chapter 35 object 588
- Label description 588
- Note you can have a maximum of 32 radio profiles on the zywall usg 588
- The following table describes the labels in this screen 588
- Zywall usg series user s guide 588
- Add edit radio profile 589
- Add edit radio profile continued 590
- Chapter 35 object 590
- Label description 590
- Note if you change the country code later channel selection is set to manual automatically 590
- Zywall usg series user s guide 590
- Add edit radio profile continued 591
- Chapter 35 object 591
- Label description 591
- Zywall usg series user s guide 591
- Add edit radio profile continued 592
- Chapter 35 object 592
- Label description 592
- Zywall usg series user s guide 592
- Note you can have a maximum of 32 ssid profiles on the zywall usg 593
- Ssid list 593
- Ssid screen 593
- Add edit ssid profile 594
- Chapter 35 object 594
- Label description 594
- Ssid list continued 594
- The following table describes the labels in this screen 594
- This screen allows you to create a new ssid profile or edit an existing one to access this screen click the add button or select an ssid profile from the list and click the edit button 594
- Zywall usg series user s guide 594
- Add edit ssid profile continued 595
- Chapter 35 object 595
- Label description 595
- Note it is highly recommended that you create security profiles for all of your ssids to enhance your network security 595
- Zywall usg series user s guide 595
- Add edit ssid profile continued 596
- Chapter 35 object 596
- Label description 596
- Note you can have a maximum of 32 security profiles on the zywall usg 596
- Security list 596
- The following table describes the labels in this screen 596
- This screen allows you to manage wireless security configurations that can be used by your ssids wireless security is implemented strictly between the ap broadcasting the ssid and the stations that are connected to it 596
- Zywall usg series user s guide 596
- Add edit security profile 597
- Note this screen s options change based on the security mode selected only the default screen is displayed here 597
- Add edit security profile 598
- Chapter 35 object 598
- Label description 598
- The following table describes the labels in this screen 598
- Zywall usg series user s guide 598
- Add edit security profile 599
- Chapter 35 object 599
- Label description 599
- Zywall usg series user s guide 599
- Chapter 35 object 600
- Label description 600
- Mac filter list 600
- Note you can have a maximum of 32 mac filtering profiles on the zywall usg 600
- The following table describes the labels in this screen 600
- Zywall usg series user s guide 600
- Add edit mac filter profile 601
- Chapter 35 object 601
- Label description 601
- The following table describes the labels in this screen 601
- This screen allows you to create a new mac filtering profile or edit an existing one to access this screen click the add button or select a mac filter profile from the list and click the edit button 601
- Zywall usg series user s guide 601
- Active scan 602
- Mon profile 602
- Overview 602
- Passive scan 602
- What you can do in this chapter 602
- What you need to know 602
- Add edit mon profile 603
- Chapter 35 object 603
- Label description 603
- Mon profile 603
- The following table describes the labels in this screen 603
- This screen allows you to create a new monitor mode profile or edit an existing one to access this screen click the add button or select and existing monitor mode profile and click the edit button 603
- Zywall usg series user s guide 603
- Add edit mon profile 604
- Chapter 35 object 604
- Label description 604
- The following table describes the labels in this screen 604
- Zywall usg series user s guide 604
- Rogue aps 605
- Technical reference 605
- Application 606
- Application categories of applications include at the time of writing 606
- Chapter 35 object 606
- Figure 400 application categories and associated signatures 606
- Friendly aps 606
- If you have more than one ap in your wireless network you should also configure a list of friendly aps friendly aps are other wireless access points that are detected in your network as well as any others that you know are not a threat those from recognized networks for example it is recommended that you export save your list of friendly aps often especially if you have a network with a large number of access points 606
- Table 256 categories of applications 606
- The following table shows the types of categories currently supported a and the associated signatures for each category b 606
- Zywall usg series user s guide 606
- Application 607
- Chapter 35 object 607
- Label description 607
- The following table describes the labels in this screen 607
- Use the application group screen section 35 on page 611 to group application objects as an individual object that can be used in app patrol profiles 607
- Use the application screen section on page 607 to create application objects that can be used in app patrol profiles 607
- Zywall usg series user s guide 607
- Add application rule 608
- Application continued 608
- Application to create a new application rule in the first screen you type a name to identify this application object and write an optional brief description of it 608
- Chapter 35 object 608
- Label description 608
- The following table describes the labels in this screen 608
- You then click add again to choose the signatures that should go into this object 608
- Zywall usg series user s guide 608
- Add application object by category or service 609
- Add application object 610
- Add by service 610
- Chapter 35 object 610
- Label description 610
- The following table describes the labels in this screen 610
- Zywall usg series user s guide 610
- Application group 611
- Application group screen 611
- Chapter 35 object 611
- Label description 611
- The following table describes the labels in this screen 611
- Zywall usg series user s guide 611
- Add application group rule 612
- Address overview 612
- Address summary screen 613
- What you need to know 613
- Add edit 614
- Address continued 614
- Chapter 35 object 614
- Ipv4 address add edit screen 614
- Ipv4 address add edit screen allows you to create a new address or edit an existing one to access this screen go to the address screen see section 35 on page 613 and click either the add icon or an edit icon in the ipv4 address configuration section 614
- Label description 614
- Zywall usg series user s guide 614
- Add edit 615
- Chapter 35 object 615
- Ipv6 address add edit screen 615
- Ipv6 address add edit screen allows you to create a new address or edit an existing one to access this screen go to the address screen see section 35 on page 613 and click either the add icon or an edit icon in the ipv6 address configuration section 615
- Label description 615
- Note the zywall usg automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change 1 s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object 615
- The following table describes the labels in this screen 615
- Zywall usg series user s guide 615
- Add edit 616
- Address group 616
- Address group click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 616
- Address group summary screen 616
- Chapter 35 object 616
- Label description 616
- Note the zywall usg automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change 1 s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object 616
- The following table describes the labels in this screen 616
- Zywall usg series user s guide 616
- Address group 617
- Address group add edit screen 617
- Chapter 35 object 617
- Label description 617
- The address group add edit screen allows you to create a new address group or edit an existing one to access this screen go to the address group screen see section 35 on page 616 and click either the add icon or an edit icon in the ipv4 address group configuration or ipv6 address group configuration section 617
- The following table describes the labels in this screen see section 35 on page 617 for more information as well 617
- Zywall usg series user s guide 617
- Chapter 35 object 618
- Label description 618
- Service overview 618
- The following table describes the labels in this screen 618
- Use service objects to define tcp applications udp applications and icmp messages you can also create service groups to refer to multiple service objects in other features 618
- Use the service group screens section 35 on page 619 to view and configure the zywall usg s list of service groups 618
- Use the service screens section 35 on page 619 to view and configure the zywall usg s list of services and their definitions 618
- Zywall usg series user s guide 618
- Ip protocols 619
- Service objects and service groups 619
- The service summary screen 619
- What you need to know 619
- The service add edit screen 620
- Chapter 35 object 621
- Label description 621
- Service group 621
- The following table describes the labels in this screen 621
- The service group summary screen 621
- The service group summary screen provides a summary of all service groups in addition this screen allows you to add edit and remove service groups 621
- Zywall usg series user s guide 621
- Chapter 35 object 622
- Label description 622
- Service group 622
- The following table describes the labels in this screen see section 35 on page 622 for more information as well 622
- The service group add edit screen 622
- The service group add edit screen allows you to create a new service group or edit an existing one to access this screen go to the service group screen see section 35 on page 621 and click either the add icon or an edit icon 622
- Zywall usg series user s guide 622
- Note schedules are based on the zywall usg s current date and time 623
- One time schedules 623
- Recurring schedules 623
- Schedule overview 623
- What you need to know 623
- Chapter 35 object 624
- Label description 624
- Schedule 624
- Schedules always begin and end in the same day recurring schedules are useful for defining the workday and off work hours 624
- The following table describes the labels in this screen see section 35 on page 625 and section 35 on page 626 for more information as well 624
- The schedule summary screen 624
- Zywall usg series user s guide 624
- Chapter 35 object 625
- Edit one time 625
- Label description 625
- Schedule continued 625
- The following table describes the labels in this screen 625
- The one time schedule add edit screen 625
- The one time schedule add edit screen allows you to define a one time schedule or edit an existing one to access this screen go to the schedule screen see section 35 on page 624 and click either the add icon or an edit icon in the one time section 625
- Zywall usg series user s guide 625
- Chapter 35 object 626
- Edit one time continued 626
- Edit recurring 626
- Label description 626
- The recurring schedule add edit screen 626
- The recurring schedule add edit screen allows you to define a recurring schedule or edit an existing one to access this screen go to the schedule screen see section 35 on page 624 and click either the add icon or an edit icon in the recurring section 626
- The year month and day columns are not used in recurring schedules and are disabled in this screen the following table describes the remaining labels in this screen 626
- Zywall usg series user s guide 626
- Chapter 35 object 627
- Configuration 627
- Label description 627
- Schedule group 627
- The following table describes the fields in the above screen 627
- The schedule group add edit screen 627
- The schedule group add edit screen allows you to define a schedule group or edit an existing one to access this screen go to the schedule screen see and click either the add icon or an edit icon in the schedule group section 627
- The schedule group screen 627
- Zywall usg series user s guide 627
- Aaa server overview 628
- Cancel 628
- Chapter 35 object 628
- Group members 628
- Label description 628
- Member list 628
- The following table describes the fields in the above screen 628
- You can use a aaa authentication authorization accounting server to provide access control to your network the aaa server can be a active directory ldap or radius server use the aaa server screens to create and manage objects that contain settings for using aaa servers you use 628
- Zywall usg series user s guide 628
- Directory service ad ldap 629
- Radius server 629
- Aaa servers supported by the zywall usg 630
- Directory structure 630
- What you need to know 630
- Active directory or ldap server summary 631
- Base dn 631
- Bind dn 631
- Distinguished name dn 631
- Adding an active directory or ldap server 632
- O zyxel c u 632
- Chapter 35 object 634
- Cn zywalladmi 634
- Label description 634
- O zyxel c u 634
- The following table describes the labels in this screen 634
- Zywall usg series user s guide 634
- Zywalladmi 634
- Add continued 635
- Chapter 35 object 635
- Label description 635
- Radius 635
- Radius server summary 635
- Radius to display the radius screen 635
- The following table describes the labels in this screen 635
- Use the radius screen to manage the list of radius servers the zywall usg can use in authenticating users 635
- Zywall usg series user s guide 635
- Adding a radius server 636
- Add continued 637
- After you set up an authentication method object in the auth method screens you can use it in the vpn gateway screen to authenticate vpn users for establishing a vpn connection refer to the chapter on vpn for more information 637
- Auth method overview 637
- Auth method screens section 35 0 on page 638 to create and manage authentication method objects 637
- Authentication method objects set how the zywall usg authenticates wireless http https clients and peer ipsec routers extended authentication clients configure authentication method objects to have the zywall usg use the local user database and or the authentication servers and authentication server groups specified by aaa server objects by default user accounts created and stored on the zywall usg are authenticated locally 637
- Before you begin 637
- Chapter 35 object 637
- Configure aaa server objects before you configure authentication method objects 637
- Example selecting a vpn authentication method 637
- Follow the steps below to specify the authentication method for a vpn connection 637
- Label description 637
- Zywall usg series user s guide 637
- Authentication method objects 638
- Note you can create up to 16 authentication method objects 638
- Creating an authentication method object 639
- Note you can not select two server objects of the same type 639
- Certificate overview 640
- What you need to know 640
- Advantages of certificates 641
- Factory default certificate 641
- Self signed certificates 641
- Certificate file formats 642
- Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 642
- Verifying a certificate 642
- The my certificates screen 643
- Chapter 35 object 644
- Label description 644
- My certificates 644
- My certificates and then the add icon to open the my certificates add screen use this screen to have the zywall usg create a self signed certificate enroll a certificate with a certification authority or generate a certification request 644
- The following table describes the labels in this screen 644
- The my certificates add screen 644
- Zywall usg series user s guide 644
- Chapter 35 object 645
- Label description 645
- The following table describes the labels in this screen 645
- Zywall usg series user s guide 645
- Add continued 646
- Chapter 35 object 646
- If you configured the my certificate create screen to have the zywall usg enroll a certificate and the certificate enrollment is not successful you see a screen with a return button that takes you back to the my certificate create screen click return and check your information in the my certificate create screen make sure that the certification authority information is correct and that your internet connection is working properly if you want the zywall usg to enroll a certificate online 646
- Label description 646
- Zywall usg series user s guide 646
- The my certificates edit screen 647
- Chapter 35 object 648
- Label description 648
- The following table describes the labels in this screen 648
- Zywall usg series user s guide 648
- Chapter 35 object 649
- Edit continued 649
- Import to open the my certificate import screen follow the instructions in this screen to save an existing certificate to the zywall usg 649
- Label description 649
- Note you can import a certificate that matches a corresponding certification request that was generated by the zywall usg you can also import a certificate in pkcs 12 format including the certificate s public and private keys 649
- The certificate you import replaces the corresponding request in the my certificates screen 649
- The my certificates import screen 649
- You must remove any spaces from the certificate s filename before you can import it 649
- Zywall usg series user s guide 649
- Chapter 35 object 650
- Import 650
- Label description 650
- The following table describes the labels in this screen 650
- The trusted certificates screen 650
- Trusted certificates 650
- Trusted certificates to open the trusted certificates screen this screen displays a summary list of certificates that you have set the zywall usg to accept as trusted the zywall usg also accepts any valid certificate signed by a certificate on this list as being trustworthy thus you do not need to import any certificate that is signed by one of these certificates 650
- Zywall usg series user s guide 650
- Chapter 35 object 651
- Label description 651
- The following table describes the labels in this screen 651
- The trusted certificates edit screen 651
- Trusted certificates 651
- Trusted certificates and then a certificate s edit icon to open the trusted certificates edit screen use this screen to view in depth information about the certificate change the certificate s name and set whether or not you want the zywall usg to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority 651
- Zywall usg series user s guide 651
- Chapter 35 object 653
- Label description 653
- The following table describes the labels in this screen 653
- Zywall usg series user s guide 653
- Chapter 35 object 654
- Edit continued 654
- Import to open the trusted certificates import screen follow the instructions in this screen to save a trusted certificate to the zywall usg 654
- Label description 654
- Note you must remove any spaces from the certificate s filename before you can import the certificate 654
- The trusted certificates import screen 654
- Zywall usg series user s guide 654
- Certificates technical reference 655
- Isp account overview 655
- Isp account edit 656
- Isp account summary 656
- Chapter 35 object 657
- Label description 657
- The following table describes the labels in this screen 657
- Zywall usg series user s guide 657
- A web based application allows remote users to access an intranet site using standard web browsers 658
- Application types 658
- Chapter 35 object 658
- Edit continued 658
- Label description 658
- Ssl application overview 658
- Ssl vpn screen for a user account user group 658
- Use the ssl application edit screen to create or edit web based application objects to allow remote users to access an application via standard web browsers section 35 3 on page 661 658
- Use the ssl application screen section 35 3 on page 660 to view the zywall usg s configured ssl application objects 658
- Web based 658
- What you need to know 658
- You can also use the ssl application edit screen to specify the name of a folder on a linux or windows file server which remote users can access using a standard web browser section 35 3 on page 661 658
- You can configure the following ssl application on the zywall usg 658
- Zywall usg series user s guide 658
- Example specifying a web site for access 659
- Remote desktop connections 659
- Remote user screen links 659
- Weblinks 659
- The ssl application screen 660
- Creating editing an ssl application object 661
- Note if you are creating a file sharing ssl application you must also configure the shared folder on the file server for remote access refer to the document that comes with your file server 661
- Add edit file sharing 662
- Add edit web application file sharing 662
- Chapter 35 object 662
- Label description 662
- Note you must enter the http or https prefix 662
- The following table describes the labels in this screen 662
- Zywall usg series user s guide 662
- Add edit web application file sharing 663
- Chapter 35 object 663
- Dhcpv6 overview 663
- Label description 663
- The lease screen see section 35 on page 578 allows you to configure dhcpv6 lease type objects 663
- The request screen see section 35 4 on page 664 allows you to configure dhcpv6 request type objects 663
- This section describes how to configure dhcpv6 request type and lease type objects 663
- Zywall usg series user s guide 663
- Dhcpv6 request add edit screen 664
- The dhcpv6 request screen 664
- Chapter 35 object 665
- Dhcpv6 lease add edit screen 665
- Label description 665
- The dhcpv6 lease screen 665
- The following table describes the labels in this screen 665
- The lease add edit screen allows you to create a new lease object or edit an existing one 665
- To access this screen go to the lease screen see section 35 4 on page 665 and click either the add icon or an edit icon 665
- Zywall usg series user s guide 665
- Chapter 35 object 666
- Label description 666
- The following table describes the labels in this screen 666
- Zywall usg series user s guide 666
- Overview 667
- System 667
- What you can do in this chapter 667
- Host name 668
- Note only connect one usb device it must allow writing it cannot be read only and use the fat16 fat32 ext2 or ext3 file system 668
- Note see each section for related background information and term definitions 668
- Usb storage 668
- Chapter 36 system 669
- Date and time 669
- Date time the screen displays as shown you can manually set the zywall usg s time and date or have the zywall usg get the date and time from a time server 669
- For effective scheduling and logging the zywall usg system time must be accurate the zywall usg s real time chip rtc keeps track of the time and date there is also a software mechanism to set the time manually or get the current time and date from an external server 669
- Label description 669
- The following table describes the labels in this screen 669
- Usb storage 669
- Zywall usg series user s guide 669
- Chapter 36 system 670
- Date and time 670
- Label description 670
- The following table describes the labels in this screen 670
- Zywall usg series user s guide 670
- Chapter 36 system 671
- Date and time continued 671
- Label description 671
- Zywall usg series user s guide 671
- Pre defined ntp time servers list 672
- Time server synchronization 672
- Console port speed 673
- Configuring the dns screen 674
- Dns overview 674
- Dns server address assignment 674
- Chapter 36 system 675
- Label description 675
- The following table describes the labels in this screen 675
- Zywall usg series user s guide 675
- Chapter 36 system 676
- Dns continued 676
- Label description 676
- Zywall usg series user s guide 676
- Chapter 36 system 677
- Dns continued 677
- Label description 677
- Zywall usg series user s guide 677
- Adding an address ptr record 678
- Address record 678
- Ptr record 678
- Adding a cname record 679
- Cname record 679
- Domain zone forwarder 679
- Label description 679
- Adding a domain zone forwarder 680
- Chapter 36 system 680
- Click the add icon in the domain zone forwarder table to add a domain zone forwarder record 680
- Domain zone forwarder add 680
- Fully qualified domain name without the host for example zyxel com tw is the domain zone for the www zyxel com tw fully qualified domain name 680
- Label description 680
- The following table describes the labels in this screen 680
- Zywall usg series user s guide 680
- 0 mx record 681
- 1 adding a mx record 681
- 2 security option control 681
- 3 editing a security option control 681
- 4 adding a dns service control rule 682
- Chapter 36 system 682
- Click the add icon in the service control table to add a service control rule 682
- Label description 682
- Security option control edit customize 682
- The following table describes the labels in this screen 682
- Zywall usg series user s guide 682
- A service cannot be used to access the zywall usg when 683
- Chapter 36 system 683
- Label description 683
- Note to allow the zywall usg to be accessed from a specified computer using a service make sure you do not have a service control rule or to zywall usg security policy rule to block that traffic 683
- Service access limitations 683
- Service control rule add 683
- The allowed ip address address object in the service control table does not match the client ip address the zywall usg disallows the session 683
- The following figure shows secure and insecure management of the zywall usg coming in from the wan https and ssh access are secure http and telnet access are not secure 683
- The following table describes the labels in this screen 683
- To stop a service from accessing the zywall usg clear enable in the corresponding service screen 683
- Www overview 683
- You have disabled that service in the corresponding screen 683
- Zywall usg series user s guide 683
- System timeout 684
- Configuring www service control 685
- Chapter 36 system 686
- Label description 686
- Service control 686
- The following table describes the labels in this screen 686
- Zywall usg series user s guide 686
- Chapter 36 system 687
- Label description 687
- Service control continued 687
- Zywall usg series user s guide 687
- Chapter 36 system 688
- Click add or edit in the service control table in a www ssh telnet ftp or snmp screen to add a service control rule 688
- Label description 688
- Service control continued 688
- Service control rules 688
- Zywall usg series user s guide 688
- Chapter 36 system 689
- Customizing the www login page 689
- Label description 689
- Login page to open the login page screen use this screen to customize the web configurator login screen you can also customize the page that displays after an access user logs into the web configurator to access network services like the internet 689
- The following table describes the labels in this screen 689
- Zywall usg series user s guide 689
- Chapter 36 system 692
- Enter a pound sign followed by the six digit hexadecimal number that represents the desired color for example use 000000 for black 692
- Enter rgb followed by red green and blue values in parenthesis and separate by commas for example use rgb 0 0 0 for black 692
- Label description 692
- Login page 692
- Note use a gif jpg or png of 100 kilobytes or less 692
- The following table describes the labels in the screen 692
- Your desired color should display in the preview screen on the right after you click in another field click apply or press enter if your desired color does not display your browser may not support it try selecting another color 692
- Zywall usg series user s guide 692
- Https example 693
- Internet explorer warning messages 693
- Mozilla firefox warning messages 693
- Avoiding browser warning messages 694
- Login screen 694
- Enrolling and importing ssl client certificates 695
- Installing the ca s certificate 695
- Installing your personal certificate s 696
- Using a certificate when accessing the zywall usg example 699
- How ssh works 701
- Chapter 36 system 702
- Configuring ssh 702
- Label description 702
- Requirements for using ssh 702
- Ssh implementation on the zywall usg 702
- Ssh to change your zywall usg s secure shell settings use this screen to specify from which zones ssh can be used to manage the zywall usg you can also specify from which ip addresses the access can come 702
- The following table describes the labels in this screen 702
- You must install an ssh client program on a client computer windows or linux operating system that is used to connect to the zywall usg over ssh 702
- Your zywall usg supports ssh versions 1 and 2 using rsa authentication and four encryption methods aes 3des archfour and blowfish the ssh server is implemented on the zywall usg for management using port 22 by default 702
- Zywall usg series user s guide 702
- A window displays prompting you to store the host key in you computer click yes to continue 703
- Chapter 36 system 703
- Configure the ssh client to accept connection using ssh version 1 703
- Enter the password to log in to the zywall usg the cli screen displays next 703
- Example 1 microsoft windows 703
- Figure 487 ssh example 1 store host key 703
- Label description 703
- Launch the ssh client and specify the connection information ip address port number for the zywall usg 703
- Secure telnet using ssh examples 703
- Ssh continued 703
- This section describes how to access the zywall usg using the secure shell client program 703
- This section shows two examples using a command interface and a graphical interface ssh client program to remotely access the zywall usg the configuration and connection steps are similar for most ssh client programs refer to your ssh client program user s guide 703
- Zywall usg series user s guide 703
- Configuring telnet 704
- Example 2 linux 704
- Telnet 704
- Chapter 36 system 705
- Label description 705
- Telnet 705
- The following table describes the labels in this screen 705
- Zywall usg series user s guide 705
- Chapter 36 system 706
- Configuring ftp 706
- Ftp tab the screen appears as shown use this screen to specify from which zones ftp can be used to access the zywall usg you can also specify from which ip addresses the access can come 706
- Label description 706
- The following table describes the labels in this screen 706
- You can upload and download the zywall usg s firmware and configuration files using ftp to use this feature your computer must have an ftp client 706
- Zywall usg series user s guide 706
- Chapter 36 system 707
- Ftp continued 707
- Label description 707
- Simple network management protocol is a protocol used for exchanging management information between network devices your zywall usg supports snmp agent functionality which allows a manager station to manage and monitor the zywall usg through the network the zywall usg supports snmp version one snmpv1 version two snmpv2c and version 3 snmpv3 the next figure illustrates an snmp management operation 707
- Zywall usg series user s guide 707
- Snmpv3 and security 708
- Chapter 36 system 709
- Configuring snmp 709
- Object label object id description 709
- Security can be further enhanced by encrypting the snmp messages sent from the managers encryption protects the contents of the snmp messages when the contents of the snmp messages are encrypted only the intended recipients can read them 709
- Snmp tab the screen appears as shown use this screen to configure your snmp settings including from which zones snmp can be used to access the zywall usg you can also specify from which ip addresses the access can come 709
- Snmp traps 709
- Supported mibs 709
- Table 315 snmp traps 709
- The zywall usg supports mib ii that is defined in rfc 1213 and rfc 1215 the zywall usg also supports private mibs zywall mib and zyxel zywall zld common mib to collect information about cpu and memory usage and vpn total throughput the focus of the mibs is to let administrators collect statistical data and monitor status and performance you can download the zywall usg s mibs from www zyxel com 709
- The zywall usg will send traps to the snmp manager when any one of the following events occurs 709
- Zywall usg series user s guide 709
- Chapter 36 system 710
- Label description 710
- Note your login password must consist of at least 8 printable characters for snmpv3 an error message will display if your login password has fewer characters 710
- The following table describes the labels in this screen 710
- Zywall usg series user s guide 710
- Chapter 36 system 711
- Label description 711
- Snmp continued 711
- Zywall usg series user s guide 711
- Auth server 712
- Auth server tab the screen appears as shown use this screen to enable the authentication server feature of the zywall usg and specify the radius client s ip address 712
- Authentication server 712
- Chapter 36 system 712
- Label description 712
- The following table describes the labels in this screen 712
- Zywall usg series user s guide 712
- Add edit 713
- Add edit trusted radius client 713
- Auth server continued 713
- Auth server to display the auth server screen click the add icon or an edit icon to display the following screen use this screen to create a new entry or edit an existing one 713
- Chapter 36 system 713
- Label description 713
- The following table describes the labels in this screen 713
- Zywall usg series user s guide 713
- Cloudcnm screen 714
- Chapter 36 system 715
- Cloudcnm 715
- Cloudcnm to allow the zywall usg to find the cloudcnm server 715
- Label description 715
- Perform site to site hub spoke fully meshed and remote access vpn provisioning 715
- The following table describes the labels in this screen 715
- The zywall usg must be able to communicate with the cloudcnm server 715
- To allow cloudcnm management of your zywall usg 715
- You must have a cloudcnm license with cnm id number or a cloudcnm url identifying the server 715
- Zywall usg series user s guide 715
- Chapter 36 system 716
- Cloudcnm continued 716
- Ipv6 screen 716
- Ipv6 to open the following screen use this screen to enable ipv6 support for the zywall usg s web configurator screens 716
- Label description 716
- Language 716
- Language screen 716
- Language to open the following screen use this screen to select a display language for the zywall usg s web configurator screens 716
- Note see the cloudcnm user guide for more information on cloudcnm 716
- The following table describes the labels in this screen 716
- Zywall usg series user s guide 716
- Chapter 36 system 717
- Figure 500 zon utility screen 717
- Icon description 717
- In the zon utility select a device and then use the icons to perform actions the following table describes the icons numbered from left to right in the zon utility screen 717
- Label description 717
- Table 322 zon utility icons 717
- The following figure shows the zon utility screen 717
- The following table describes the labels in this screen 717
- The zon utility issues requests via zdp and in response to the query the zyxel device responds with basic information including ip address firmware version location system and model name the information is then displayed in the zon utility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it you can download the zon utility at www zyxel com and install it on a computer 717
- The zyxel one network zon utility uses the zyxel discovery protocol zdp for discovering and configuring zdp aware zyxel devices in the same broadcast domain as the computer on which zon is installed 717
- Zywall usg series user s guide 717
- Zyxel one network zon utility 717
- Chapter 36 system 718
- Ethernet neighbor for information on using smart connect link layer discovery protocol lldp for discovering and configuring lldp aware devices in the same broadcast domain as the zywall usg that you re logged into using the web configurator 718
- Icon description 718
- Label description 718
- Table 322 zon utility icons 718
- Table 323 zon utility fields 718
- The following table describes the fields in the zon utility main screen 718
- Zon screen 718
- Zywall usg series user s guide 718
- Zyxel one network zon system screen 718
- Chapter 36 system 719
- Label description 719
- The following table describes the labels in this screen 719
- Zywall usg series user s guide 719
- Email daily report 720
- Log and report 720
- Overview 720
- What you can do in this chapter 720
- Chapter 37 log and report 722
- Email daily report 722
- Label description 722
- Log screen use the e mail profiles to mail log messages 722
- Log setting screens 722
- The following table describes the labels in this screen 722
- The log setting screens control log messages and alerts a log message stores the information for viewing or regular e mailing later and an alert is e mailed immediately usually alerts are used for events that require more serious attention such as system errors and attacks 722
- Zywall usg series user s guide 722
- Log setting summary 723
- Chapter 37 log and report 724
- Edit system log settings 724
- Label description 724
- Log setting continued 724
- The log settings edit screen controls the detailed settings for each log in the system log which includes the e mail profiles go to the log settings summary screen see section 37 on page 723 and click the system log edit icon 724
- Zywall usg series user s guide 724
- Chapter 37 log and report 727
- Edit system log 727
- Edit system log ap 727
- Label description 727
- The following table describes the labels in this screen 727
- Zywall usg series user s guide 727
- Chapter 37 log and report 728
- Edit system log continued 728
- Label description 728
- Zywall usg series user s guide 728
- Chapter 37 log and report 729
- Edit log on usb storage setting 729
- Edit system log continued 729
- Label description 729
- The edit log on usb storage setting screen controls the detailed settings for saving logs to a connected usb storage device go to the log setting summary screen see section 37 on page 723 and click the usb storage edit icon 729
- Zywall usg series user s guide 729
- Chapter 37 log and report 731
- Edit remote server log settings 731
- Edit usb storage 731
- Label description 731
- The following table describes the labels in this screen 731
- The log settings edit screen controls the detailed settings for each log in the remote server syslog go to the log settings summary screen see section 37 on page 723 and click a remote server edit icon 731
- Zywall usg series user s guide 731
- Chapter 37 log and report 733
- Edit remote server 733
- Edit remote server ap 733
- Label description 733
- The following table describes the labels in this screen 733
- Zywall usg series user s guide 733
- Chapter 37 log and report 734
- Edit remote server continued 734
- Label description 734
- Log category settings screen 734
- The log category settings screen allows you to view and to edit what information is included in the system log usb storage e mail profiles and remote servers at the same time it does not let you change other log settings for example where and how often log information is e mailed or remote server names to access this screen go to the log settings summary screen see section 37 on page 723 and click the log category settings button 734
- Zywall usg series user s guide 734
- Chapter 37 log and report 737
- Label description 737
- Log category settings 737
- The following table describes the fields in this screen 737
- Zywall usg series user s guide 737
- Chapter 37 log and report 738
- Label description 738
- Log category settings continued 738
- Zywall usg series user s guide 738
- File manager 739
- Overview 739
- What you can do in this chapter 739
- What you need to know 739
- Comments in configuration files or shell scripts 740
- Note exit or must follow sub commands if it is to make the zywall usg exit sub command mode 740
- Errors in configuration files or shell scripts 741
- The configuration file screen 741
- Configuration file flow at restart 742
- Do not turn off the zywall usg while configuration file upload is in progress 742
- Chapter 38 file manager 743
- Configuration file 743
- Label description 743
- Rename 743
- The following table describes the labels in this screen 743
- Zywall usg series user s guide 743
- Chapter 38 file manager 744
- Configuration file continued 744
- Label description 744
- Zywall usg series user s guide 744
- Chapter 38 file manager 745
- Configuration file continued 745
- Find the firmware package at www zyxel com in a file that usually uses the system model name with a bin extension for example zywall bin 745
- Firmware package to open the firmware package screen use the firmware package screen to check your current firmware version and upload firmware to the zywall usg you can upload firmware to be the running firmware or standby firmware 745
- Label description 745
- Note the web configurator is the recommended method for uploading firmware you only need to use the command line interface if you need to recover the firmware see the cli reference guide for how to determine if you need to recover the firmware and how to recover it 745
- The firmware package screen 745
- The zywall usg s firmware package cannot go through the zywall usg when you enable the anti virus destroy compressed files that could not be decompressed option the zywall usg classifies the firmware package as not being able to be decompressed and deletes it you can upload the firmware package to the zywall usg with the option enabled so you only need to clear 745
- Zywall usg series user s guide 745
- Chapter 38 file manager 746
- Firmware package 746
- Label description 746
- The destroy compressed files that could not be decompressed option while you download the firmware package see section 31 on page 522 for more on the anti virus destroy compressed files that could not be decompressed option 746
- The firmware update can take up to five minutes do not turn off or reset the zywall usg while the firmware update is in progress 746
- The following table describes the labels in this screen 746
- Zywall usg series user s guide 746
- After five minutes log in again and check your new firmware version in the dashboard screen 747
- After you see the firmware upload in process screen wait a few minutes before logging into the zywall usg again 747
- Chapter 38 file manager 747
- Figure 517 firmware upload in process 747
- Figure 518 network 747
- Figure 519 firmware upload error 747
- Firmware package continued 747
- If the upload was not successful the following message appears in the status bar at the bottom of the screen 747
- Label description 747
- Note the zywall usg automatically reboots after a successful upload 747
- The zywall usg automatically restarts causing a temporary network disconnect in some operating systems you may see the following icon on your desktop 747
- Zywall usg series user s guide 747
- Chapter 38 file manager 748
- Each field is described in the following table 748
- Label description 748
- Note you should include write commands in your scripts if you do not use the write command the changes will be lost when the zywall usg restarts you could use multiple write commands in a long script 748
- Rename 748
- Shell script 748
- Shell script to open the shell script screen use the shell script screen to store name download upload and run shell script files you can store multiple shell script files on the zywall usg at the same time 748
- The shell script screen 748
- Use shell script files to have the zywall usg use commands that you specify use a text editor to create the shell script files they must use a zysh filename extension 748
- Zywall usg series user s guide 748
- Chapter 38 file manager 749
- Label description 749
- Shell script continued 749
- Zywall usg series user s guide 749
- Diagnostics 750
- Overview 750
- The diagnostic screen 750
- What you can do in this chapter 750
- Chapter 39 diagnostics 751
- Diagnostics 751
- Files to open the diagnostic files screen this screen lists the files of diagnostic information the zywall usg has collected and stored in a connected usb storage device you may need to send these files to customer support for troubleshooting 751
- Label description 751
- The diagnostics files screen 751
- The following table describes the labels in this screen 751
- Zywall usg series user s guide 751
- Note new capture files overwrite existing files of the same name change the file suffix field s setting to avoid this 752
- The packet capture screen 752
- Chapter 39 diagnostics 753
- Label description 753
- Note if you have existing capture files and have not selected the continuously capture and overwrite old ones option you may need to set this size larger or delete existing capture files 753
- Note the zywall usg reserves some onboard storage space as a buffer 753
- Note the zywall usg reserves some usb storage space as a buffer 753
- Packet capture 753
- The following table describes the labels in this screen 753
- Zywall usg series user s guide 753
- Chapter 39 diagnostics 754
- Files to open the packet capture files screen this screen lists the files of packet captures stored on the zywall usg or a connected usb storage device you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 754
- Label description 754
- Packet capture continued 754
- The packet capture files screen 754
- Zywall usg series user s guide 754
- Chapter 39 diagnostics 755
- Label description 755
- System log 755
- System log to open the system log files screen this screen lists the files of system logs stored on a connected usb storage device the files are in comma separated value csv format you can download them to your computer and open them in a tool like microsoft s excel 755
- The following table describes the labels in this screen 755
- The system log screen 755
- Zywall usg series user s guide 755
- Chapter 39 diagnostics 756
- Label description 756
- Network tool 756
- Network tool to display this screen 756
- The following table describes the labels in this screen 756
- The network tool screen 756
- Use this screen to ping or traceroute an ip address 756
- Zywall usg series user s guide 756
- Capture 757
- Chapter 39 diagnostics 757
- Label description 757
- Note new capture files overwrite existing files of the same name change the file prefix field s setting to avoid this 757
- The following table describes the labels in this screen 757
- The wireless frame capture screen 757
- Use this screen to capture wireless network traffic going through the ap interfaces connected to your zywall usg studying these frame captures may help you identify network problems 757
- Wireless frame capture to display this screen 757
- Zywall usg series user s guide 757
- Capture continued 758
- Chapter 39 diagnostics 758
- Files to open this screen this screen lists the files of wireless frame captures the zywall usg has performed you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 758
- Label description 758
- Note if you have existing capture files you may need to set this size larger or delete existing capture files 758
- The wireless frame capture files screen 758
- Zywall usg series user s guide 758
- Chapter 39 diagnostics 759
- Label description 759
- The following table describes the labels in this screen 759
- Zywall usg series user s guide 759
- Overview 760
- Packet flow explore 760
- The routing status screen 760
- What you can do in this chapter 760
- Chapter 40 packet flow explore 764
- Label description 764
- Routing status 764
- The following table describes the labels in this screen 764
- Zywall usg series user s guide 764
- Chapter 40 packet flow explore 765
- Label description 765
- Note once a packet matches the criteria of an snat rule the zywall usg takes the corresponding action and does not perform any further flow checking 765
- Routing status continued 765
- Snat status 765
- Snat status policy route snat 765
- The order of the snat flow may vary depending on whether you 765
- The snat status screen 765
- Trunk screen 765
- Use policy routes to control 1 1 nat by using the policy control virtual server rules activate command 765
- Zywall usg series user s guide 765
- Chapter 40 packet flow explore 766
- Label description 766
- Snat status 766
- Snat status 1 1 snat 766
- Snat status default snat 766
- Snat status loopback snat 766
- The following table describes the labels in this screen 766
- Zywall usg series user s guide 766
- Chapter 40 packet flow explore 767
- Label description 767
- Snat status continued 767
- Zywall usg series user s guide 767
- Overview 768
- Shutdown 768
- The shutdown screen 768
- What you need to know 768
- Troubleshooting 769
- I cannot update the anti virus signatures 770
- I cannot update the idp application patrol signatures 770
- I configured security settings but the zywall usg is not applying them for certain interfaces 770
- I downloaded updated anti virus or idp application patrol signatures why has the zywall usg not re booted yet 770
- The content filter category service is not working 770
- The zywall usg is not applying the custom policy route i configured 770
- I cannot enter the interface name i want 771
- I cannot set up a ppp interface 771
- I cannot set up a ppp interface virtual ethernet interface or virtual vlan interface on an ethernet interface 771
- My rules and settings that apply to a particular interface no longer work 771
- The zywall usg is not applying the custom security policy i configured 771
- Hackers have accessed my wep encrypted wireless lan 772
- I cannot configure a particular vlan interface on top of an ethernet interface even though i have it configured it on top of another ethernet interface 772
- I created a cellular interface but cannot connect through it 772
- The data rates through my cellular connection are no where near the rates i expected 772
- The wireless security is not following the re authentication timer setting i specified 772
- The zywall usg is not applying an interface s configured ingress bandwidth limit 772
- The zywall usg is deleting some zipped files 773
- The zywall usg is not applying my application patrol bandwidth management settings 773
- The zywall usg is not scanning some zipped files 773
- The zywall usg s anti virus scanner cleaned an infected file but now i cannot use the file 773
- The zywall usg s performance seems slower after configuring idp 773
- The zywall usg s performance slowed down after i configured many new application patrol entries 773
- I cannot configure some items in idp that i can configure in snort 774
- I uploaded a custom signature file and now all of my earlier custom signatures are gone 774
- Idp is dropping traffic that matches a rule that says no action should be taken 774
- The zywall usg routes and applies snat for traffic from some interfaces but not from others 774
- The zywall usg s performance seems slower after configuring adp 774
- I cannot create a second http redirect rule for an incoming interface 775
- I cannot get dynamic dns to work 775
- I cannot get the application patrol to manage ftp traffic 775
- I cannot get the application patrol to manage h 23 traffic 775
- I cannot get the application patrol to manage sip traffic 775
- The zywall usg keeps resetting the connection 775
- I cannot set up an ipsec vpn tunnel to another device 776
- I cannot download the zywall usg s firmware package 777
- I logged into the ssl vpn but cannot see some of the resource links 777
- I uploaded a logo to show in the ssl vpn user screens but it does not display properly 777
- The vpn connection is up but vpn traffic cannot be transmitted through the vpn tunnel 777
- I cannot add the admin users to a user group with access users 778
- I cannot get the radius server to authenticate the zywall usg s default admin account 778
- I changed the lan ip address and can no longer access the internet 778
- I configured application patrol to allow and manage access to a specific service but access is blocked 778
- I configured policy routes to manage the bandwidth of tcp and udp traffic but the bandwidth management is not being applied properly 778
- The zywall usg fails to authentication the ext user user accounts i configured 778
- I cannot access the zywall usg from a computer connected to the internet 779
- I cannot add the default admin account to a user group 779
- I cannot get a certificate to import into the zywall usg 779
- Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 779
- The schedule i configured is not being applied at the configured times 779
- I can only see newer logs older logs are missing 780
- I cannot get the firmware uploaded using the commands 780
- I uploaded a logo to display on the upper left corner of the web configurator login screen and access page but it does not display properly 780
- I uploaded a logo to use as the screen or window background but it does not display properly 780
- Note exit or must follow sub commands if it is to make the zywall usg exit sub command mode 780
- The commands in my configuration file or shell script are not working properly 780
- The zywall usg s traffic throughput rate decreased after i started collecting traffic statistics 780
- My earlier packet capture files are missing 781
- My packet capture captured less than i wanted or failed 781
- Note this procedure removes the current configuration 781
- Resetting the zywall usg 781
- Getting more troubleshooting help 782
- Customer support 783
- Ppendi 783
- Austria 784
- Europe 784
- Malaysia 784
- Pakistan 784
- Philipines 784
- Singapore 784
- Taiwan 784
- Thailand 784
- Vietnam 784
- Belarus 785
- Belgium 785
- Bulgaria 785
- Denmark 785
- Estonia 785
- Finland 785
- France 785
- Germany 785
- Hungary 785
- Latvia 785
- Lithuania 786
- Netherlands 786
- Norway 786
- Poland 786
- Romania 786
- Russia 786
- Slovakia 786
- Sweden 786
- Switzerland 786
- Argentina 787
- Ecuador 787
- Latin america 787
- Middle east 787
- North america 787
- Turkey 787
- Ukraine 787
- Africa 788
- Australia 788
- Oceania 788
- South africa 788
- Legal information 789
- Ppendi 789
- Appendix b legal information 790
- Ce emc statement 790
- List of national codes 790
- Safety warnings 790
- Zywall usg series user s guide 790
- Appendix b legal information 791
- Environment statment 791
- European union disposal and recycling information 791
- Zywall usg series user s guide 791
- Environmental product declaration 792
- Appendix b legal information 793
- Open source licenses 793
- Registration 793
- Trademarks 793
- Viewing certifications 793
- Zywall usg series user s guide 793
- Zyxel limited warranty 793
- 台灣 793
- 警告使用者 這是甲類的資訊產品 在居住的環境中使用時 可能會造成射頻干擾 在這種情況下 使用者會被要求採取某些適當的對策 793
- Antenna information 794
- Appendix b legal information 794
- Canada 794
- Fcc emc statement 794
- Fcc radiation exposure statement 794
- Industry canada ices statement 794
- Industry canada rss gen rss 247 statement 794
- Model list usg40 usg40w usg60 usg60w 794
- Regulatory notice and statement class b 794
- United states of america 794
- Zywall usg series user s guide 794
- Appendix b legal information 795
- Declaration of conformity with regard to eu directive 1999 5 ec r tte directive 795
- Déclaration d exposition aux radiations 795
- European union 795
- Industry canada radiation exposure statement 795
- Informations antenne for external antenna 795
- Zywall usg series user s guide 795
- Appendix b legal information 796
- National restrictions 796
- Zywall usg series user s guide 796
- Appendix b legal information 797
- List of national codes 797
- Safety warnings 797
- Zywall usg series user s guide 797
- Appendix b legal information 798
- Environment statement 798
- Erp energy related products 798
- European union disposal and recycling information 798
- Zywall usg series user s guide 798
- Appendix b legal information 800
- Viewing certifications 800
- Zywall usg series user s guide 800
- Zyxel limited warranty 800
- 台灣 800
- Appendix b legal information 801
- Open source licenses 801
- Registration 801
- Zywall usg series user s guide 801
- Ppendi 802
- Product features 802
- Appendix c product features 803
- Model name 803
- Table 345 product features 803
- Zywall usg series user s guide 803
- Appendix c product features 804
- Model name 804
- Table 345 product features 804
- Zywall usg series user s guide 804
- Appendix c product features 805
- Model name 805
- Table 345 product features 805
- Zywall usg series user s guide 805
- Appendix c product features 806
- Model name 806
- Table 345 product features 806
- Zywall usg series user s guide 806
- Appendix c product features 807
- Model name 807
- Table 345 product features 807
- Zywall usg series user s guide 807
- Appendix c product features 808
- Model name 808
- Table 345 product features 808
- Zywall usg series user s guide 808
- Numbers 809
- Symbols 809
Похожие устройства
- Zyxel ZyWALL 1100 Рекомендации по настройке
- Zyxel ZyWALL 1100 Справочник командного интерфейса
- Zyxel USG 1900 Инструкция по эксплуатации
- Zyxel USG 1900 Рекомендации по настройке
- Zyxel USG 1900 Справочник командного интерфейса
- HP eliteone 705, j4v28ea Инструкция по эксплуатации
- HP dl360 g9 8sff cto server Инструкция по эксплуатации
- HP stream 11-d055ur, l0z83ea Инструкция по эксплуатации
- Zyxel ZyWALL USG 50 Инструкция по эксплуатации
- Zyxel ZyWALL USG 50 Справочник командного интерфейса
- Zyxel ZyWALL USG 50 Инструкция по установке
- Zyxel ZyWALL USG 50 Рекомендации по настройке
- HP spectre x360 13-4051ur, m3k02ea Инструкция по эксплуатации
- HP spectre x360 13-4050ur, l1s05ea Инструкция по эксплуатации
- HP 15-r263ur, l2u69ea Инструкция по эксплуатации
- HP proone 400, g9d90es Инструкция по эксплуатации
- HP probook 450, k9l17ea Инструкция по эксплуатации
- HP proone 400, d5u21ea Инструкция по эксплуатации
- HP proone 400, f4q59ea Инструкция по эксплуатации
- HP pavilion mini 300-030ur, l1v76ea Инструкция по эксплуатации