Zyxel ZyWALL 1100 [382/829] Security policy example applications

Click console to open a java based console window from which you can run cli commands you will be prompted to enter your user name and password see the command reference guide for information about the commands 30

Click object reference to open the object reference screen select the type of object and the individual object and click refresh to show which configuration settings reference the object 30

Console 30

Figure 11 object reference 30

Label description 30

Object reference 30

Table 5 object references 30

The fields vary with the type of object this table describes labels that can appear in this screen 30

Zywall usg series user s guide 30

Cli messages 31

Navigation panel 31

Chapter 1 introduction 32

Dashboard 32

Figure 14 navigation panel 32

Folder or link tab function 32

Monitor menu 32

Table 6 monitor menu screens summary 32

The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs see the web help for details on the dashboard 32

The monitor menu screens display status and statistics information 32

Zywall usg series user s guide 32

Chapter 1 introduction 33

Configuration menu 33

Folder or link tab function 33

Table 6 monitor menu screens summary continued 33

Table 7 configuration menu screens summary 33

Use the configuration menu screens to configure the zywall usg s features 33

Zywall usg series user s guide 33

Chapter 1 introduction 34

Folder or link tab function 34

Table 7 configuration menu screens summary continued 34

Zywall usg series user s guide 34

Chapter 1 introduction 35

Folder or link tab function 35

Table 7 configuration menu screens summary continued 35

Zywall usg series user s guide 35

Chapter 1 introduction 36

Folder or link tab function 36

Table 7 configuration menu screens summary continued 36

Zywall usg series user s guide 36

Chapter 1 introduction 37

Folder or link tab function 37

Table 7 configuration menu screens summary continued 37

Zywall usg series user s guide 37

Chapter 1 introduction 38

Click a column heading to sort the table s entries according to that column s criteria 38

Click the down arrow next to a column heading for more options about how to display the entries the options available vary depending on the type of fields in the column here are some examples of what you can do 38

Figure 15 sorting table entries by a column s criteria 38

Folder or link tab function 38

Group entries by field 38

Maintenance menu 38

Or or searching for text 38

Select which columns to display 38

Show entries in groups 38

Sort in ascending or descending reverse alphabetical order 38

Table 8 maintenance menu screens summary 38

Tables and lists 38

Use the maintenance menu screens to manage configuration and firmware files run diagnostics and reboot or shut down the zywall usg 38

Web configurator tables and lists are flexible with several options for how to display their entries 38

Zywall usg series user s guide 38

Chapter 1 introduction 40

Figure 20 common table icons 40

Figure 21 working with lists 40

Here are descriptions for the most common table icons 40

Label description 40

Table 9 common table icons 40

When a list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other in some lists you can also use the shift or ctrl key to select multiple entries and then use the arrow button to move them to the other list 40

Working with lists 40

Zywall usg series user s guide 40

Installation setup wizard 41

Installation setup wizard screens 41

Internet access setup wan interface 41

Internet access ethernet 42

Note enter the internet access information exactly as given to you by your isp or network administrator 42

Internet access pppoe 43

Note enter the internet access information exactly as given to you by your isp 43

Isp parameters 44

Wan ip address assignments 44

Internet access pptp 45

Isp parameters 45

Note enter the internet access information exactly as given to you by your isp 45

Internet access setup second wan interface 46

Pptp configuration 46

Wan ip address assignments 46

Internet access succeed 47

Wireless settings ap controller 47

Ssid setting 48

Wireless settings ssid security 48

For built in wireless ap only 49

Internet access device registration 49

Note the zywall usg must be connected to the internet in order to register 49

Front panels 50

Hardware interfaces and zones 50

Hardware overview 50

Chapter 3 hardware interfaces and zones 51

Figure 35 usg60 usg60w front panel 51

Figure 36 zywall 110 usg110 usg210 rear panel 51

Figure 37 zywall 310 zywall 1100 usg310 usg1100 usg1900 rear panel 51

Led color status description 51

Rear panels 51

Table 11 led descriptions 51

The connection ports are located on the rear panel 51

The following table describes the leds 51

Zywall usg series user s guide 51

Chapter 3 hardware interfaces and zones 52

Figure 38 usg40 usg40w rear panel 52

Figure 39 usg60 usg60w rear panel 52

Label description 52

Note use an 8 wire ethernet cable to run your gigabit ethernet connection at 1000 mbps using a 4 wire ethernet cable limits your connection to 100 mbps note that the connection speed also depends on what the ethernet device at the other end can support 52

Table 12 rear panel items 52

The following table describes the items on the rear panel 52

Zywall usg series user s guide 52

Mounting 53

Note failure to use the proper screws may damage the unit 53

Note leave 10 cm of clearance at the sides and 20 cm in the rear 53

Rack mounting 53

Rack mounting wall mounting 53

Table 13 mounting method 53

Note make sure the screws are securely fixed to the wall and strong enough to hold the weight of the zywall usg with the connection cables 54

Wall mount the zywall usg horizontally the zywall usg s side panels with ventilation slots should not be facing up or down as this position is less safe 54

Wall mounting 54

Default zones interfaces and ports 55

Screw specifications 55

Table 14 default physical port interface mapping 55

Chapter 3 hardware interfaces and zones 56

No default zone 56

Shutdown or the shutdown command before you turn off the zywall usg or remove the power not doing so can cause the firmware to become corrupt 56

Stopping the zywall usg 56

Table 15 default zone interface mapping 56

The following table shows the default interface and zone mapping for each model at the time of writing 56

Zone interface wan lan1 lan2 dmz opt 56

Zywall usg series user s guide 56

Quick setup overview 57

Quick setup wizards 57

Choose an ethernet interface 58

Wan interface quick setup 58

Configure wan ip settings 59

Note enter the internet access information exactly as your isp gave it to you 59

Select wan type 59

Isp and wan and isp connection settings 60

Note enter the internet access information exactly as your isp gave it to you 60

Chapter 4 quick setup wizards 61

Figure 47 wan and isp connection settings pptp shown 61

Label description 61

Table 16 wan and isp connection settings 61

The following table describes the labels in this screen 61

Zywall usg series user s guide 61

Chapter 4 quick setup wizards 62

Label description 62

Quick setup interface wizard summary 62

Table 16 wan and isp connection settings continued 62

This screen displays the wan interface s settings 62

Zywall usg series user s guide 62

Chapter 4 quick setup wizards 63

Click vpn setup in the main quick setup screen to open the vpn setup wizard welcome screen 63

Figure 48 interface wizard summary wan pptp shown 63

Label description 63

Table 17 interface wizard summary wan 63

The following table describes the labels in this screen 63

Vpn setup wizard 63

Zywall usg series user s guide 63

Welcome 64

Vpn express wizard scenario 65

Vpn setup wizard wizard type 65

Vpn express wizard configuration 67

Vpn express wizard summary 67

Vpn express wizard finish 68

Vpn advanced wizard scenario 69

Vpn advanced wizard phase 1 settings 70

Note the remote ipsec device must also have nat traversal enabled see the help in the main ipsec vpn screens for more information 72

Vpn advanced wizard phase 2 72

Vpn advanced wizard finish 73

Vpn advanced wizard summary 73

Vpn settings for configuration provisioning wizard wizard type 74

Configuration provisioning express wizard vpn settings 75

Configuration provisioning vpn express wizard configuration 76

Vpn settings for configuration provisioning express wizard summary 77

Vpn settings for configuration provisioning express wizard finish 78

Vpn settings for configuration provisioning advanced wizard scenario 79

Vpn settings for configuration provisioning advanced wizard phase 1 settings 80

Vpn settings for configuration provisioning advanced wizard phase 2 82

Vpn settings for configuration provisioning advanced wizard summary 82

Vpn settings for configuration provisioning advanced wizard finish 84

Vpn settings for l2tp vpn settings wizard 85

L2tp vpn settings 86

L2tp vpn settings 87

Note dns domain name system is for mapping a domain name to its corresponding ip address and vice versa the dns server is extremely important because without it you must know the ip address of a computer before you can access it the zywall usg uses a system dns server in the order you specify here to resolve domain names for vpn ddns and the time server 88

Vpn settings for l2tp vpn setting wizard summary 88

Vpn settings for l2tp vpn setting wizard completed 89

Dashboard 90

Overview 90

What you can do in this chapter 90

Main dashboard screen 91

Chapter 5 dashboard 92

Device information screen 92

Label description 92

Table 18 dashboard continued 92

The device information screen displays zywall usg s system and model name serial number mac address and firmware version shown in the below screen 92

Zywall usg series user s guide 92

Chapter 5 dashboard 93

Device information 93

Device information example 93

Label description 93

System status example 93

System status screen 93

This tabel describes the fields in the above screen 93

Zywall usg series user s guide 93

Chapter 5 dashboard 94

Click on vpn status link to look at the vpn tunnels that are currently established the following screen will show 94

Label description 94

System status 94

This table describes the fields in the above screen 94

Vpn status screen 94

Zywall usg series user s guide 94

Chapter 5 dashboard 95

Lable description 95

This table describes the fields in the above screen 95

Vpn status 95

Zywall usg series user s guide 95

Chapter 5 dashboard 96

Click on the dhcp table link to look at the ip addresses currently assigned to dhcp clients and the ip addresses reserved for specific mac addresses the following screen will show 96

Dhcp table 96

Dhcp table screen 96

Label description 96

This table describes the fields in the above screen 96

Zywall usg series user s guide 96

Chapter 5 dashboard 97

Click the number of login users link to see the following screen 97

Hover your mouse over an item and click the arrow on the right to see more details on that resource 97

Label description 97

Number of login users 97

Number of login users screen 97

System resources screen 97

This table describes the fields in the above screen 97

Zywall usg series user s guide 97

Chapter 5 dashboard 98

Cpu usage screen 98

Label description 98

System resources 98

This table describes the fields in the above screen 98

Use the below screen to look at a chart of the zywall usg s recent cpu usage to access this screen click cpu usage in the dashboard 98

Zywall usg series user s guide 98

Label description 99

Memory usage screen 99

Active session screen 100

Label description 100

Chapter 5 dashboard 101

Extension slot 101

Extension slot screen 101

Interface status summary screen 101

Interfaces per zywall usg model vary 101

Label description 101

This table describes the fields in the above screen 101

Zywall usg series user s guide 101

Chapter 5 dashboard 102

Interface status summary 102

Label description 102

This table describes the fields in the above screen 102

Zywall usg series user s guide 102

Chapter 5 dashboard 103

Interface status summary 103

Label description 103

Secured service status 103

Secured service status screen 103

This part shows what unified threat management utm services are available and enabled 103

This table describes the fields in the above screen 103

Zywall usg series user s guide 103

Chapter 5 dashboard 104

Content filter and then view results here 104

Content filter statistics 104

Content filter statistics screen 104

Label description 104

Secured service status 104

This table describes the fields in the above screen 104

Top 5 viruses 104

Top 5 viruses screen 104

Zywall usg series user s guide 104

Chapter 5 dashboard 105

Label description 105

This table describes the fields in the above screen 105

Top 5 intrusions 105

Top 5 intrusions screen 105

Top 5 ipv4 ipv6 security policy rules that blocked traffic 105

Top 5 ipv4 ipv6 security policy rules that blocked traffic screen 105

Top 5 viruses 105

Zywall usg series user s guide 105

Chapter 5 dashboard 106

Label description 106

The latest alert logs 106

The latest alert logs screen 106

This table describes the fields in the above screen 106

Top 5 ipv4 ipv6 security policy rules that blocked traffic 106

Zywall usg series user s guide 106

Technical reference 107

Monitor 109

Overview 109

What you can do in this chapter 109

The port statistics screen 110

Chapter 6 monitor 111

Label description 111

Port statistics 111

The following table describes the labels in this screen 111

The port statistics graph screen 111

Use this screen to look at a line graph of packet statistics for each physical port to access this screen click port statistics in the status screen and then the switch to graphic view button 111

Zywall usg series user s guide 111

Chapter 6 monitor 112

Interface status screen 112

Interface status to access this screen 112

Label description 112

Switch to graphic view 112

The following table describes the labels in this screen 112

Zywall usg series user s guide 112

Chapter 6 monitor 113

Each field is described in the following table 113

Interface status 113

Label description 113

Zywall usg series user s guide 113

Chapter 6 monitor 114

Interface status continued 114

Label description 114

Zywall usg series user s guide 114

Chapter 6 monitor 115

Interface status continued 115

Label description 115

Lan ip with heaviest traffic and how much traffic has been sent to and from each one 115

Most used protocols or service ports and the amount of traffic on each one 115

Most visited web sites and the number of times each one was visited this count may not be accurate in some cases because the zywall usg counts http get packets please see table 39 on page 116 for more information 115

The traffic statistics screen 115

Traffic statistics to display the traffic statistics screen this screen provides basic information about the following for example 115

Zywall usg series user s guide 115

Chapter 6 monitor 116

Label description 116

There is a limit on the number of records shown in the report please see table 40 on page 117 for more information the following table describes the labels in this screen 116

Traffic statistics 116

You use the traffic statistics screen to tell the zywall usg when to start and when to stop collecting information for these reports you cannot schedule data collection you have to start and stop it manually in the traffic statistics screen 116

Zywall usg series user s guide 116

Chapter 6 monitor 117

Label description 117

Table 40 maximum values for reports 117

The following table displays the maximum number of records shown in the report the byte count limit and the hit count limit 117

Traffic statistics continued 117

Zywall usg series user s guide 117

Chapter 6 monitor 118

Destination address 118

Duration so far 118

Label description 118

Number of bytes received so far 118

Number of bytes transmitted so far 118

Protocol or service port used 118

Session monitor 118

Session monitor to display the following screen 118

Source address 118

The following table describes the labels in this screen 118

The session monitor screen 118

The session monitor screen displays all established sessions that pass through the zywall usg for debugging or statistical analysis it is not possible to manage sessions in this screen the following information is displayed 118

User who started the session 118

You can look at all established sessions that passed through the zywall usg by user service source ip address or destination ip address you can also filter the information by user protocol service or service group source address and or destination address and view it by user 118

Zywall usg series user s guide 118

Chapter 6 monitor 119

Igmp statistics 119

Igmp statistics to open the following screen 119

Label description 119

Session monitor continued 119

Zywall usg series user s guide 119

Chapter 6 monitor 120

Ddns status 120

Ddns status to open the following screen 120

Igmp statistics 120

Label description 120

The ddns status screen 120

The following table describes the labels in this screen 120

Zywall usg series user s guide 120

Ip mac binding 121

The login users screen 121

Cellular status 122

Cellular status screen 122

Cellular status to display this screen 122

Chapter 6 monitor 122

Label description 122

Login users 122

The following table describes the labels in this screen 122

Zywall usg series user s guide 122

Cellular status 123

Chapter 6 monitor 123

Label description 123

The following table describes the labels in this screen 123

Zywall usg series user s guide 123

Cellular status continued 124

Chapter 6 monitor 124

Label description 124

Zywall usg series user s guide 124

Cellular status continued 125

Chapter 6 monitor 125

Label description 125

More information 125

More information to display this screen 125

Note this screen is only available when the mobile broadband device is attached to and activated on the zywall usg 125

The following table describes the labels in this screen 125

Zywall usg series user s guide 125

Chapter 6 monitor 126

Label description 126

More information continued 126

The following table describes the labels in this screen 126

The upnp port status screen 126

Upnp port status 126

Zywall usg series user s guide 126

Chapter 6 monitor 127

Label description 127

The following table describes the labels in this screen 127

Upnp port status continued 127

Usb storage 127

Usb storage screen 127

Usb storage to display this screen 127

Zywall usg series user s guide 127

Chapter 6 monitor 128

Ethernet neighbor 128

Ethernet neighbor screen 128

Ethernet neighbor to see the following screen 128

It uses smart connect that is link layer discovery protocol lldp for discovering and configuring lldp aware devices in the same broadcast domain as the zywall usg that you re logged into using the web configurator 128

Label description 128

Lldp is a layer 2 protocol that allows a network device to advertise its identity and capabilities on the local network it also allows the device to maintain and store information from adjacent devices which are directly connected to the network device this helps you discover network changes and perform necessary network reconfiguration and management 128

The ethernet neighbor screen allows you to view the zywall usg s neighboring devices in one place 128

Usb storage continued 128

Zon for more information on the zyxel one network zon utility that uses the zyxel discovery protocol zdp for discovering and configuring zdp aware zyxel devices in the same network as the computer on which the zon utility is installed 128

Zon screen 128

Zywall usg series user s guide 128

Ap information 129

Ap information to display the ap list screen 129

Ap list 129

Chapter 6 monitor 129

Ethernet neighbor 129

Label description 129

The following table describes the fields in the previous screen 129

The following table describes the labels in this screen 129

Wireless 129

Wireless ap information ap list 129

Wireless contains ap information and station info menus 129

Zywall usg series user s guide 129

Ap information continued 130

Ap list icons 130

Ap list more information 130

Chapter 6 monitor 130

Label description 130

The following table describes the icons in this screen 130

Use this screen to look at station statistics for the connected ap to access this screen select an entry and click the more information button in the ap list screen use this screen to look at 130

Zywall usg series user s guide 130

Chapter 6 monitor 132

Label description 132

More information continued 132

Radio list 132

Radio list to display the radio list screen 132

The following table describes the labels in this screen 132

Wireless ap information radio list 132

Zywall usg series user s guide 132

Chapter 6 monitor 133

Label description 133

Radio list 133

Zywall usg series user s guide 133

Radio list more information 134

Chapter 6 monitor 135

Label description 135

More information 135

Station information to display this screen 135

Station list 135

The following table describes the labels in this screen 135

Wireless station info 135

Zywall usg series user s guide 135

Ap management screen in order to detect other wireless devices in its vicinity 136

Chapter 6 monitor 136

Detected device 136

Detected device to access this screen 136

Label description 136

Station list 136

The following table describes the labels in this screen 136

Zywall usg series user s guide 136

Chapter 6 monitor 137

Detected device continued 137

Each field is described in the following table 137

Ipsec the following screen appears sas click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 137

Label description 137

The ipsec monitor screen 137

Zywall usg series user s guide 137

A in the middle of a vpn connection or policy name has the zywall usg check the beginning and end and ignore the middle for example with abc 123 any vpn connection or policy name starting with abc and ending in 123 matches no matter how many characters are in between 138

A question mark lets a single character in the vpn connection or policy name vary for example use a c without the quotation marks to specify abc acc and so on 138

Chapter 6 monitor 138

Ipsec continued 138

Label description 138

Log out individual users and delete related session information 138

Once a user logs out the corresponding entry is removed from the screen 138

Regular expressions in searching ipsec sas 138

Ssl to display the user list 138

The ssl screen 138

The whole vpn connection or policy name has to match if you do not use a question mark or asterisk 138

Use this screen to do the following 138

View a list of active ssl vpn connections 138

Wildcards let multiple vpn connection or policy names match the pattern for example use abc without the quotation marks to specify any vpn connection or policy name that ends with abc a vpn connection named testabc would match there could be any number of any type of characters in front of the abc at the end and the vpn connection or policy name would still match a vpn connection or policy name named testacc for example would not match 138

Zywall usg series user s guide 138

Chapter 6 monitor 139

L2tp over ipsec 139

L2tp over ipsec to open the following screen use this screen to display and manage the zywall usg s connected l2tp vpn sessions 139

Label description 139

The following table describes the fields in this screen 139

The following table describes the labels in this screen 139

The l2tp over ipsec session monitor screen 139

Zywall usg series user s guide 139

App patrol 140

App patrol to display the following screen this screen displays application patrol statistics based on the app patrol profiles bound to security policy profiles 140

Application patrol provides a convenient way to manage the use of various applications on the network it manages general protocols for example http and ftp and instant messenger im peer to peer p2p voice over ip voip and streaming rstp applications you can even control the use of a particular application s individual features like text messaging voice video conferencing and file transfers 140

Chapter 6 monitor 140

L2tp over ipsec continued 140

Label description 140

The app patrol screen 140

The following table describes the labels in this screen 140

Zywall usg series user s guide 140

App patrol 141

Chapter 6 monitor 141

Content filter to display the following screen this screen displays content filter statistics 141

Label description 141

The content filter screen 141

Zywall usg series user s guide 141

Chapter 6 monitor 142

Content filter 142

Label description 142

The following table describes the labels in this screen 142

Zywall usg series user s guide 142

Chapter 6 monitor 143

Content filter continued 143

Idp signature name 143

Idp to display the following screen this screen displays idp intrusion detection and prevention statistics 143

Label description 143

The idp screen 143

Zywall usg series user s guide 143

Chapter 6 monitor 144

Label description 144

The following table describes the labels in this screen 144

The statistics display as follows when you display the top entries by source 144

Zywall usg series user s guide 144

Anti virus 145

Anti virus to display the following screen this screen displays anti virus statistics 145

Anti virus virus name 145

Chapter 6 monitor 145

Idp destination 145

Idp source 145

Label description 145

The anti virus screen 145

The following table describes the labels in this screen 145

The statistics display as follows when you display the top entries by destination 145

Zywall usg series user s guide 145

Anti virus continued 146

Anti virus destination ip 146

Anti virus source ip 146

Chapter 6 monitor 146

Label description 146

The anti spam menu contains the report and status screens 146

The anti spam screens 146

The statistics display as follows when you display the top entries by destination 146

The statistics display as follows when you display the top entries by source 146

Zywall usg series user s guide 146

Anti spam 147

Anti spam report 147

Anti spam to display the following screen this screen displays spam statistics 147

Chapter 6 monitor 147

Label description 147

The following table describes the labels in this screen 147

Zywall usg series user s guide 147

Anti spam continued 148

Chapter 6 monitor 148

Label description 148

Zywall usg series user s guide 148

Anti spam continued 149

Chapter 6 monitor 149

Label description 149

Status 149

Status to display the anti spam status screen 149

The anti spam status screen 149

The following table describes the labels in this screen 149

Use the anti spam status screen to see how many e mail sessions the anti spam feature is scanning and statistics for the dnsbls 149

Zywall usg series user s guide 149

Chapter 6 monitor 150

Label description 150

Report 150

Report to display the following screen 150

Status continued 150

The ssl inspection screens 150

The zywall usg uses ssl inspection to decrypt ssl traffic sends it to the utm engines for inspection then encrypts traffic that passes inspection and forwards it 150

Zywall usg series user s guide 150

Certificate cache list 151

Certificate cache list to display a screen that shows details on ssl traffic going to servers identified by its certificate and an option to add that traffic to the exclude list 151

Chapter 6 monitor 151

Label description 151

Report 151

Ssl traffic to a server to be excluded from ssl inspection is identified by its certificate traffic in an exclude list is not intercepted by ssl inspection 151

The following table describes the labels in this screen 151

Zywall usg series user s guide 151

Certificate cache list 152

Chapter 6 monitor 152

Label description 152

The following table describes the labels in this screen 152

Zywall usg series user s guide 152

Chapter 6 monitor 153

Events that generate an alert as well as a log message display in red regular logs display in black click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order the web configurator saves the filter settings if you leave the view log screen and return to it later 153

Label description 153

Log messages are stored in two separate logs one for regular log messages and one for debugging messages in the regular log you can look at all the log messages by selecting all logs or you can select a specific category of log messages for example security policy or user you can also look at the debugging log by selecting debug log all debugging messages have the same priority 153

Log screens 153

Log the log is displayed in the following screen 153

Note when a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first 153

The following table describes the labels in this screen 153

The maximum possible number of log messages in the zywall usg varies by model 153

View log 153

Zywall usg series user s guide 153

Chapter 6 monitor 154

Label description 154

View ap log 154

View ap log to open the following screen 154

View log continued 154

Zywall usg series user s guide 154

Chapter 6 monitor 155

Label description 155

The following table describes the labels in this screen 155

View ap log 155

Zywall usg 155

Zywall usg series user s guide 155

Chapter 6 monitor 156

Label description 156

Zywall usg 156

Zywall usg series user s guide 156

Licensing 157

Registration overview 157

What you need to know 157

Registration screen 158

Service screen 158

Anti virus screen section 7 on page 159 to update the anti virus signatures 159

Anti virus to display the following screen 159

Chapter 7 licensing 159

Idp apppatrol screen section 7 on page 161 to update the signatures used for idp and application patrol 159

Label description 159

Note the zywall usg does not have to reboot when you upload new signatures 159

Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network 159

Service continued 159

Signature update 159

The anti virus update screen 159

This section shows you how to update the zywall usg s signature packages 159

What you need to know 159

You do not need a service registration to update the system protection signatures 159

You need a valid service registration to update the anti virus signatures and the idp apppatrol signatures 159

Your custom signature configurations are not over written when you download new signatures 159

Zywall usg series user s guide 159

Anti virus 160

Chapter 7 licensing 160

Label description 160

The following table describes the labels in this screen 160

Zywall usg series user s guide 160

The idp apppatrol update screen 161

Chapter 7 licensing 162

Idp apppatrol continued 162

Label description 162

Zywall usg series user s guide 162

Controller screen 163

Overview 163

What you can do in this chapter 163

Wireless 163

Ap management screens 164

Ap management to access these screens 164

Chapter 8 wireless 164

Click on the icon to go to the onesecurity com website where there is guidance on configuration walkthroughs and other information 164

Controller 164

Each field is described in the following table 164

Label description 164

Mgnt ap list 164

Note select the manual option for managing a specific set of aps this is recommended as the registration mechanism cannot automatically differentiate between friendly and rogue aps 164

Zywall usg series user s guide 164

Chapter 8 wireless 165

Controller screen you set the registration type to always accept then as soon as you remove an ap from this list it reconnects 165

Each field is described in the following table 165

Label description 165

Mgnt ap list 165

Note dcs is not supported on the radio which is working in repeater ap mode 165

Note you should have enabled dcs in the applied ap radio profile berfore the aps can use dcs 165

Zywall usg series user s guide 165

Ap management table to display this screen 166

Chapter 8 wireless 166

Each field is described in the following table 166

Edit ap list 166

Label description 166

Zywall usg series user s guide 166

Chapter 8 wireless 167

Edit ap list continued 167

Label description 167

Zywall usg series user s guide 167

Ap policy 168

Ap policy to access this screen 168

Chapter 8 wireless 168

Each field is described in the following table 168

Label description 168

Zywall usg series user s guide 168

Ap group 169

Ap group to access this screen 169

Chapter 8 wireless 169

Each field is described in the following table 169

Label description 169

Note dcs is not supported on the radio which is working in repeater ap mode 169

Note you cannot remove a group with which an ap is associated 169

Note you should have enabled dcs in the applied ap radio profile berfore the aps can use dcs 169

Zywall usg series user s guide 169

Add edit ap group 170

Add edit 171

Chapter 8 wireless 171

Each field is described in the following table 171

Label description 171

Note reducing the output power also reduces the zywall usg s effective broadcast radius 171

Zywall usg series user s guide 171

Add edit continued 172

Chapter 8 wireless 172

Label description 172

Note load balancing is not supported on the radio which is working in root ap or repeater ap mode 172

Zywall usg series user s guide 172

Add edit continued 173

All new aps are supported 173

Aps don t have to downgrade firmware in order to be managed 173

Chapter 8 wireless 173

Firmware 173

Label description 173

Note if you enable this function you should ensure that there are multiple aps within the broadcast radius that can accept any rejected or kicked wireless clients otherwise a wireless client attempting to connect to an overloaded ap will be kicked continuously and never be allowed to connect 173

The zywall usg should always have the latest ap firmware so that 173

The zywall usg stores an ap firmware in order to manage supported aps this screen allows the zywall usg to check for and download new ap firmware when it becomes available on the firmware server all aps managed by the zywall usg must have the same firmware version as the ap fimware on the zywall usg 173

Use check to see if the zywall usg has the latest ap firmware use apply to have the zywall usg download the latest ap firmware see more details for more information on the firmware from the firmware server if the zywall usg does not have enough space for the latest ap firmware then the zywall usg will delete an existing firmware that no ap is using before downloading the new ap firmware 173

When an ap connects to the zywall usg wireless controller the zywall usg will check if the ap has the same firmware version as the ap fimware on the zywall usg if yes then the zywall usg can manage it if no then the ap must upgrade or downgrade its firmware to be the same version as the ap firmware on the zywall usg and reboot 173

Zywall usg series user s guide 173

Chapter 8 wireless 174

Each field is described in the following table 174

Firmware 174

Firmware to access this screen 174

Label description 174

Zywall usg series user s guide 174

Chapter 8 wireless 175

Firmware continued 175

Label description 175

Mon mode 175

Mon mode to access this screen 175

Use this screen to assign aps either to the rogue ap list or the friendly ap list a rogue ap is a wireless access point operating in a network s coverage area that is not under the control of the network administrator and which can potentially open up holes in a network s security 175

Zywall usg series user s guide 175

Add edit rogue friendly 176

Add edit rogue friendly list 176

Chapter 8 wireless 176

Each field is described in the following table 176

Label description 176

Mon mode 176

Mon mode table to display this screen 176

Zywall usg series user s guide 176

Add edit rogue friendly 177

Auto healing 177

Auto healing to access this screen 177

Chapter 8 wireless 177

Each field is described in the following table 177

Label description 177

Zywall usg series user s guide 177

Dynamic channel selection 178

Technical reference 178

Load balancing 179

Interface overview 181

Interfaces 181

What you can do in this chapter 181

Interface characteristics 182

Types of interfaces 182

What you need to know 182

Chapter 9 interfaces 183

Characteristics ethernet ethernet ppp cellular vlan bridge virtual 183

Characteristics these characteristics are listed in the following table and discussed in more detail below 183

In the zywall usg interfaces are usually created on top of other interfaces only ethernet interfaces are created directly on top of the physical ports or port groups the relationships between interfaces are explained in the following table 183

Interface required port interface 183

Note the format of interface names other than the ethernet and ppp interface names is strict each name consists of 2 4 letters interface type followed by a number x for most interfaces x is limited by the maximum number of the type of interface for vlan interfaces x is defined by the number you enter in the vlan name field for example ethernet interface names are wan1 wan2 lan1 lan2 dmz vlan interfaces are vlan0 vlan1 vlan2 and so on 183

Relationships between interfaces 183

Table 83 ethernet ppp cellular vlan bridge and virtual interface characteristics 183

Table 84 relationships between different types of interfaces 183

The names of virtual interfaces are derived from the interfaces on which they are created for example virtual interfaces created on ethernet interface wan1 are called wan1 1 wan1 2 and so on virtual interfaces created on vlan interface vlan2 are called vlan2 1 vlan2 2 and so on you cannot specify the number after the colon in the web configurator it is a sequential number you can specify the number after the colon if you use the cli to set up a virtual interface 183

Zywall usg series user s guide 183

Ipv6 addressing 184

Ipv6 overview 184

Note you cannot set up a ppp interface virtual ethernet interface or virtual vlan interface if the underlying interface is a member of a bridge you also cannot add an ethernet interface or vlan interface to a bridge if the member interface has a virtual interface or ppp interface on top of it 184

Prefix and prefix length 184

Link local address 185

Prefix delegation 185

Stateless autoconfiguration 185

Subnet masking 185

Dhcpv6 186

Ipv6 router advertisement 186

Port role screen 186

Table 86 models with port role 186

What you need to do first 186

Default interface zone 187

Ethernet summary screen 187

Physical ports 187

Chapter 9 interfaces 188

Each field is described in the following table 188

Ethernet 188

Exchanged the more efficient the routers should be however the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management the zywall usg supports two routing protocols rip and ospf see chapter 10 on page 279 for background information about these routing protocols 188

Label description 188

Zywall usg series user s guide 188

Ethernet edit 189

Note if you create ip address objects based on an interface s ip address subnet or gateway the zywall usg automatically updates every rule or setting that uses the object whenever the interface s ip address settings change for example if you change the lan s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object 189

Igmp proxy 190

Chapter 9 interfaces 197

Label description 197

This screen s fields are described in the table below 197

Zywall usg series user s guide 197

Chapter 9 interfaces 198

Edit continued 198

Label description 198

Zywall usg series user s guide 198

Chapter 9 interfaces 199

Edit continued 199

Label description 199

Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 199

Note this field displays the combined address after you click ok and reopen this screen 199

Zywall usg series user s guide 199

Chapter 9 interfaces 200

Edit continued 200

Label description 200

Note make sure the hosts also support router preference to make this function work 200

Zywall usg series user s guide 200

Chapter 9 interfaces 201

Edit continued 201

Label description 201

Note this field displays the combined address after you click ok and reopen this screen 201

Zywall usg series user s guide 201

Chapter 9 interfaces 202

Edit continued 202

Label description 202

Zywall usg series user s guide 202

Chapter 9 interfaces 203

Edit continued 203

Label description 203

Zywall usg series user s guide 203

Chapter 9 interfaces 204

Edit continued 204

Label description 204

Zywall usg series user s guide 204

Add edit dhcpv6 request release options 205

Object references 205

Add dhcpv6 request lease options 206

Add edit dhcp extended options 206

Add edit extended options 206

Chapter 9 interfaces 206

Edit select dhcp server in the dhcp setting section and then click add or edit in the extended options table 206

Label description 206

Select a dhcpv6 request or lease object in the select one object field and click ok to save it click cancel to exit without saving the setting 206

The following table describes labels that can appear in this screen 206

Zywall usg series user s guide 206

Add edit extended options 207

Chapter 9 interfaces 207

Label description 207

Option name code description 207

Table 91 dhcp extended options 207

The following table lists the available dhcp extended options defined in rfcs on the zywall usg see rfcs for more information 207

Zywall usg series user s guide 207

Ppp interface summary 208

Ppp interfaces 208

Chapter 9 interfaces 209

Each field is described in the table below 209

Ipv6 screen you can also configure ppp interfaces used for your ipv6 networks on this screen to access this screen click the add icon or an edit icon in the ppp interface screen 209

Label description 209

Note you have to set up an isp account before you create a pppoe pptp interface 209

Ppp interface add or edit 209

Zywall usg series user s guide 209

Chapter 9 interfaces 211

Each field is explained in the following table 211

Label description 211

Note multiple ppp interfaces can use the same base interface 211

Zywall usg series user s guide 211

Add continued 212

Chapter 9 interfaces 212

Label description 212

Note this field displays the combined address after you click ok and reopen this screen 212

Zywall usg series user s guide 212

Add continued 213

Chapter 9 interfaces 213

Label description 213

Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 213

Zywall usg series user s guide 213

Cellular configuration screen 214

Note the actual data rate you obtain varies depending on the mobile broadband device you use the signal strength to the service provider s base station and so on 214

Cellular 215

Chapter 9 interfaces 215

Mobile phone and data standards data speed gsm based cdma based 215

Name type 215

Note install or connect a compatible mobile broadband usb device to use a cellular connection 215

Note the actual data rate you obtain varies depending on your mobile environment the environmental factors may include the number of mobile devices which are currently connected to the mobile network the signal strength to the mobile network and so on 215

Note the wan ip addresses of a zywall usg with multiple wan interfaces must be on different subnets 215

See the following table for a comparison between 2g 2 g 2 5g 3g and 4g wireless technologies 215

Table 94 2g 2 g 2 5g 3g 3 g and 4g wireless technologies 215

Zywall usg series user s guide 215

Cellular 216

Chapter 9 interfaces 216

Label description 216

The following table describes the labels in this screen 216

Zywall usg series user s guide 216

Add edit cellular configuration 217

Cellular choose slot 217

Add edit 219

Chapter 9 interfaces 219

Label description 219

The following table describes the labels in this screen 219

Zywall usg series user s guide 219

Add edit continued 220

Chapter 9 interfaces 220

Label description 220

Zywall usg series user s guide 220

Add edit continued 221

Chapter 9 interfaces 221

Label description 221

Zywall usg series user s guide 221

Add edit continued 222

Chapter 9 interfaces 222

Label description 222

Zywall usg series user s guide 222

Add edit continued 223

Chapter 9 interfaces 223

Gre tunneling 223

Gre tunnels encapsulate a wide variety of network layer protocol packet types inside ip tunnels a gre tunnel serves as a virtual point to point link between the zywall usg and another router over an ipv4 network at the time of writing the zywall usg only supports gre tunneling in ipv4 networks 223

Label description 223

The zywall usg uses tunnel interfaces in generic routing encapsulation gre ipv6 in ipv4 and 6to4 tunnels 223

Tunnel interfaces 223

Zywall usg series user s guide 223

Internet 224

Ipv4 ipv6 ipv6 224

Ipv6 in ipv4 tunneling 224

Ipv6 ipv4 224

Ipv6 over ipv4 tunnels 224

Configuring a tunnel 225

Internet 225

Ipv6 ipv4 225

To4 tunneling 225

Add or edit to open the following screen 226

Chapter 9 interfaces 226

Each field is explained in the following table 226

Label description 226

Tunnel 226

Tunnel add or edit screen 226

Zywall usg series user s guide 226

Add edit 227

Chapter 9 interfaces 227

Each field is explained in the following table 227

Label description 227

Zywall usg series user s guide 227

Add edit continued 228

Chapter 9 interfaces 228

Label description 228

Zywall usg series user s guide 228

Add edit continued 229

Chapter 9 interfaces 229

Label description 229

Zywall usg series user s guide 229

Vlan interfaces 230

Note each vlan interface is created on top of only one ethernet interface 231

Vlan interfaces overview 231

Vlan summary screen 231

Chapter 9 interfaces 232

Each field is explained in the following table 232

Label description 232

Zywall usg series user s guide 232

Vlan add edit 233

Add edit 235

Chapter 9 interfaces 235

Each field is explained in the following table 235

Label description 235

Zywall usg series user s guide 235

Add edit continued 236

Chapter 9 interfaces 236

Label description 236

Zywall usg series user s guide 236

Add edit continued 237

Chapter 9 interfaces 237

Label description 237

Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 237

Note this field displays the combined address after you click ok and reopen this screen 237

Zywall usg series user s guide 237

Add edit continued 238

Chapter 9 interfaces 238

Label description 238

Note make sure the hosts also support router preference to make this function work 238

Zywall usg series user s guide 238

Add edit continued 239

Chapter 9 interfaces 239

Label description 239

Note this field displays the combined address after you click ok and reopen this screen 239

Zywall usg series user s guide 239

Add edit continued 240

Chapter 9 interfaces 240

Label description 240

Zywall usg series user s guide 240

Add edit continued 241

Chapter 9 interfaces 241

Label description 241

Zywall usg series user s guide 241

A bridge creates a connection between two or more network segments at the layer 2 mac address level in the following example bridge x connects four network segments 242

Add edit continued 242

Bridge interfaces 242

Bridge overview 242

Chapter 9 interfaces 242

Label description 242

This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces 242

Zywall usg series user s guide 242

Bridge interface overview 243

Bridge 244

Bridge summary 244

Chapter 9 interfaces 244

Each field is described in the following table 244

In this example virtual ethernet interface lan1 1 is also removed from the routing table when lan1 is added to br0 virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed 244

Ip address es destination ip address es destination 244

Label description 244

Table 103 example routing table before and after bridge interface br0 is created continued 244

Zywall usg series user s guide 244

Bridge add edit 245

Bridge continued 245

Chapter 9 interfaces 245

Label description 245

This screen lets you configure ip address assignment interface bandwidth parameters dhcp settings and connectivity check for each bridge interface to access this screen click the add or edit icon in the bridge summary screen the following screen appears 245

Zywall usg series user s guide 245

Add edit 247

Chapter 9 interfaces 247

Each field is described in the table below 247

Label description 247

Zywall usg series user s guide 247

Add edit continued 248

Chapter 9 interfaces 248

Label description 248

Zywall usg series user s guide 248

Add edit continued 249

Chapter 9 interfaces 249

Label description 249

Note this field displays the combined address after you click ok and reopen this screen 249

Zywall usg series user s guide 249

Add edit continued 250

Chapter 9 interfaces 250

Label description 250

Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 250

Zywall usg series user s guide 250

Add edit continued 251

Chapter 9 interfaces 251

Label description 251

Note make sure the hosts also support router preference to make this function work 251

Note this field displays the combined address after you click ok and reopen this screen 251

Zywall usg series user s guide 251

Add edit continued 252

Chapter 9 interfaces 252

Label description 252

Zywall usg series user s guide 252

Add edit continued 253

Chapter 9 interfaces 253

Label description 253

Zywall usg series user s guide 253

Add edit continued 254

Chapter 9 interfaces 254

Label description 254

Like other interfaces virtual interfaces have an ip address subnet mask and gateway used to make routing decisions however you have to manually specify the ip address and subnet mask virtual interfaces cannot be dhcp clients like other interfaces you can restrict bandwidth through virtual interfaces but you cannot change the mtu the virtual interface uses the same mtu that the underlying interface uses unlike other interfaces virtual interfaces do not provide dhcp services and they do not verify that the gateway is available 254

This screen lets you configure ip address assignment and interface parameters for virtual interfaces to access this screen click the create virtual interface icon in the ethernet vlan or bridge interface summary screen 254

Use virtual interfaces to tell the zywall usg where to route packets virtual interfaces can also be used in vpn gateways see chapter 22 on page 385 and vrrp groups see chapter 34 on page 557 254

Virtual interfaces 254

Virtual interfaces add edit 254

Virtual interfaces can be created on top of ethernet interfaces vlan interfaces or bridge interfaces virtual vlan interfaces recognize and use the same vlan id otherwise there is no difference between each type of virtual interface network policies for example security policies that apply to the underlying interface automatically apply to the virtual interface as well 254

Zywall usg series user s guide 254

Chapter 9 interfaces 255

Create virtual interface 255

Each field is described in the table below 255

Label description 255

Zywall usg series user s guide 255

Interface technical reference 256

Ip address assignment 256

Lan1 wan1 256

Dhcp settings 257

Interface parameters 257

Pppoe pptp overview 258

Trunk overview 259

What you need to know 259

Least load first 260

Load balancing algorithms 260

Spillover 261

Weighted round robin 261

The trunk summary screen 262

Add or edit 263

Chapter 9 interfaces 263

Configuring a user defined trunk 263

Label description 263

Trunk continued 263

Trunk in the user configuration table click the add or edit icon to open the following screen use this screen to create or edit a wan trunk entry 263

Zywall usg series user s guide 263

Add or edit 264

Chapter 9 interfaces 264

Each field is described in the table below 264

Label description 264

Zywall usg series user s guide 264

Add or edit continued 265

Chapter 9 interfaces 265

Configuring the system default trunk 265

Edit system default 265

Label description 265

Note the available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk 265

Note you can configure the bandwidth of an interface in the corresponding interface edit screen 265

Trunk screen and the system default section select the default trunk entry and click edit to open the following screen use this screen to change the load balancing algorithm and view the bandwidth allocations for each member interface 265

Zywall usg series user s guide 265

Chapter 9 interfaces 266

Each field is described in the table below 266

Edit system default 266

Label description 266

Zywall usg series user s guide 266

Policy and static routes overview 267

Routing 267

What you can do in this chapter 267

How you can use policy routing 268

Note bandwidth management in policy routes has priority over application patrol bandwidth management 268

Note the zywall usg automatically uses snat for traffic it routes from internal interfaces to external interfaces for example lan to wan traffic 268

Policy routes versus static routes 268

Policy routing 268

Static routes 268

What you need to know 268

Diffserv 269

Dscp marking and per hop behavior 269

Policy route screen 269

Chapter 10 routing 270

Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information 270

Label description 270

Policy route 270

The following table describes the labels in this screen 270

Zywall usg series user s guide 270

Chapter 10 routing 271

Label description 271

Policy route continued 271

Policy route edit screen 271

Routing to open the policy route screen then click the add or edit icon in the ipv4 configuration or ipv6 configuration section the add policy route or 271

Zywall usg series user s guide 271

Add edit 273

Add edit ipv6 configuration 273

Chapter 10 routing 273

Label description 273

The following table describes the labels in this screen 273

Zywall usg series user s guide 273

Add edit continued 274

Chapter 10 routing 274

Label description 274

Zywall usg series user s guide 274

Add edit continued 275

Chapter 10 routing 275

Label description 275

Zywall usg series user s guide 275

Chapter 10 routing 276

Ip static route screen 276

Ipv6 screen you can also configure static routes used for your ipv6 networks on this screen 276

Label description 276

Select a static route index number and click add or edit the screen shown next appears use this screen to configure the required information for a static route 276

Static route 276

Static route add edit screen 276

The following table describes the labels in this screen 276

Zywall usg series user s guide 276

Add ipv4 configuration 277

Add ipv6 configuration 277

Chapter 10 routing 277

Label description 277

The following table describes the labels in this screen 277

Zywall usg series user s guide 277

Assured forwarding af phb for diffserv 278

Maximize bandwidth usage 278

Nat and snat 278

Policy routing technical reference 278

Finding out more 279

Routing protocols overview 279

The rip screen 279

What you need to know 279

Chapter 10 routing 280

Label description 280

Rip to open the following screen 280

Rip uses udp port 520 280

Second the zywall usg can also redistribute routing information from non rip networks specifically ospf networks and static routes to the rip network costs might be calculated differently however so you use the metric field to specify the cost in rip terms 280

The following table describes the labels in this screen 280

Use the rip screen to specify the authentication method and maintain the policies for redistribution 280

Zywall usg series user s guide 280

Ospf areas 281

The ospf screen 281

Ospf routers 282

Virtual links 283

Configuring the ospf screen 284

Ospf configuration 284

Chapter 10 routing 285

Label description 285

Ospf area add edit screen 285

Ospf continued 285

The ospf area add edit screen allows you to create a new area or edit an existing one to access this screen go to the ospf summary screen see section 10 on page 281 and click either the add icon or an edit icon 285

Zywall usg series user s guide 285

Chapter 10 routing 286

Label description 286

The following table describes the labels in this screen 286

Zywall usg series user s guide 286

Add continued 287

Chapter 10 routing 287

Label description 287

The virtual link add edit screen allows you to create a new virtual link or edit an existing one when the ospf add or edit screen see section 10 on page 285 has the type set to normal a virtual link table displays click either the add icon or an entry and the edit icon to display a screen like the following 287

Virtual link add edit screen 287

Zywall usg series user s guide 287

Authentication is used to guarantee the integrity but not the confidentiality of routing updates the transmitting router uses its key to encrypt the original message into a smaller message and the smaller message is transmitted with the original message the receiving router uses its key to encrypt the received message and then verifies that it matches the smaller message sent with it if the received message is verified then the receiving router accepts the updated routing information the transmitting and receiving routers must have the same key 288

Authentication types 288

Chapter 10 routing 288

Here is more detailed information about rip and ospf 288

Label description 288

Md5 authentication using an md5 password and authentication id 288

Md5 is an authentication method that produces a 128 bit checksum called a message digest for each packet it also includes an authentication id which can be set to any value between 1 and 255 the zywall usg only accepts packets if these conditions are satisfied 288

None no authentication is used 288

Routing protocol technical reference 288

Text authentication using a plain text password and the unencrypted password is sent over the network this method is usually used temporarily to prevent network problems 288

The following table describes the labels in this screen 288

The packet s authentication id is the same as the authentication id of the interface that received it 288

The zywall usg supports three types of authentication for rip and ospf routing protocols 288

Zywall usg series user s guide 288

Ddns overview 290

What you can do in this chapter 290

What you need to know 290

Chapter 11 ddns 291

Ddns to open the following screen 291

Label description 291

The ddns screen 291

The following table describes the labels in this screen 291

Zywall usg series user s guide 291

The dynamic dns add edit screen 292

Add custom 293

Chapter 11 ddns 293

Label description 293

The following table describes the labels in this screen 293

Zywall usg series user s guide 293

Add continued 294

Chapter 11 ddns 294

Label description 294

Note the zywall usg may not determine the proper ip address if there is an http proxy server between the zywall usg and the ddns server 294

Zywall usg series user s guide 294

Add continued 295

Chapter 11 ddns 295

Label description 295

Zywall usg series user s guide 295

Nat overview 296

The nat screen 296

What you can do in this chapter 296

What you need to know 296

Chapter 12 nat 297

Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information 297

Label description 297

Nat the following screen appears providing a summary of the existing nat rules 297

The following table describes the labels in this screen 297

Zywall usg series user s guide 297

The nat add edit screen 298

Add continued 299

Chapter 12 nat 299

Label description 299

Zywall usg series user s guide 299

Add continued 300

Chapter 12 nat 300

Label description 300

Zywall usg series user s guide 300

Nat loopback 301

Nat technical reference 301

Xxx lan smtp com 301

Xxx lan smtp com 1 301

Http redirect 303

Overview 303

What you can do in this chapter 303

What you need to know 303

Http redirect security policy and policy route 304

Note you can configure up to one http redirect rule for each incoming interface 304

The http redirect screen 304

Chapter 13 http redirect 305

Http redirect 305

Http redirect to open the http redirect screen then click the add or edit icon to open the http redirect edit screen where you can configure the rule 305

Label description 305

The following table describes the labels in this screen 305

The http redirect edit screen 305

Zywall usg series user s guide 305

Chapter 13 http redirect 306

Label description 306

The following table describes the labels in this screen 306

Zywall usg series user s guide 306

Alg overview 307

What you need to know 307

Ftp alg 308

H 23 alg 308

Sip alg 308

Peer to peer calls and the zywall usg 309

Voip calls from the wan with multiple outgoing calls 309

Voip with multiple wan ip addresses 309

Before you begin 310

Note if the zywall usg provides an alg for a service you must enable the alg in order to use the application patrol on that service s traffic 310

The alg screen 310

Chapter 14 alg 311

Label description 311

The following table describes the labels in this screen 311

Zywall usg series user s guide 311

Alg continued 312

Chapter 14 alg 312

Label description 312

Zywall usg series user s guide 312

Alg and trunks 313

Alg technical reference 313

Nat traversal 315

Upnp and nat pmp overview 315

What you need to know 315

Cautions with upnp and nat pmp 316

Upnp screen 316

Chapter 15 upnp 317

Click the start icon control panel and then the network and sharing center 317

Label description 317

Make sure the computer is connected to a lan port of the zywall usg turn on your computer and the zywall usg 317

Technical reference 317

The following table describes the fields in this screen 317

The sections show examples of using upnp 317

This section shows you how to use the upnp feature in windows 7 upnp server is installed in windows 7 activate upnp on the zywall usg 317

Turning on upnp in windows 7 example 317

Zywall usg series user s guide 317

Auto discover your upnp enabled network device 319

Using upnp in windows xp example 319

Note when the upnp enabled device is disconnected from your computer all port mappings will be deleted automatically 320

Web configurator easy access 321

Ip mac binding 324

Ip mac binding overview 324

What you can do in this chapter 324

What you need to know 324

Chapter 16 ip mac binding 325

Edit to open the ip mac binding edit screen use this screen to configure an interface s ip to mac address binding settings 325

Interfaces used with ip mac binding 325

Ip mac address bindings are grouped by interface you can use ip mac binding with ethernet bridge vlan and wlan interfaces you can also enable or disable ip mac binding and logging in an interface s configuration screen 325

Ip mac binding edit 325

Ip mac binding summary 325

Ip mac binding to open the ip mac binding summary screen this screen lists the total number of ip to mac address bindings for devices connected to each supported interface 325

Label description 325

Summary 325

The following table describes the labels in this screen 325

Zywall usg series user s guide 325

Chapter 16 ip mac binding 326

Edit to open the ip mac binding edit screen click the add or edit icon to open the following screen use this screen to configure an interface s ip to mac address binding settings 326

Label description 326

Static dhcp edit 326

The following table describes the labels in this screen 326

Zywall usg series user s guide 326

Chapter 16 ip mac binding 327

Exempt list 327

Exempt list to open the ip mac binding exempt list screen use this screen to configure ranges of ip addresses to which the zywall usg does not apply ip mac binding 327

Ip mac binding exempt list 327

Label description 327

The following table describes the labels in this screen 327

Zywall usg series user s guide 327

Chapter 16 ip mac binding 328

Exempt list continued 328

Label description 328

Zywall usg series user s guide 328

Layer 2 isolation 329

Overview 329

What you can do in this chapter 329

Chapter 17 layer 2 isolation 330

Ip addresses that are not listed in the white list are blocked from communicating with other devices in the layer 2 isolation enabled internal interface s except for broadcast packets 330

Label description 330

Layer 2 isolation 330

Layer 2 isolation general screen 330

Note you can enable this feature only when the security policy is enabled 330

The following table describes the labels in this screen 330

White list 330

White list screen 330

Zywall usg series user s guide 330

Add edit white list rule 331

Chapter 17 layer 2 isolation 331

Label description 331

Note you can configure up to 100 white list rules on the zywall usg 331

Note you can enable this feature only when the security policy is enabled 331

Note you need to know the ip address of each connected device that you want to allow to be accessed by other devices when layer 2 isolation is enabled 331

The following table describes the labels in this screen 331

This screen allows you to create a new rule in the white list or edit an existing one to access this screen click the add button or select an entry from the list and click the edit button 331

White list 331

Zywall usg series user s guide 331

Add edit 332

Chapter 17 layer 2 isolation 332

Label description 332

The following table describes the labels in this screen 332

Zywall usg series user s guide 332

Inbound load balancing 333

Inbound load balancing overview 333

What you can do in this chapter 333

Chapter 18 inbound load balancing 334

Dns inbound lb 334

Inbound lb 334

Inbound lb to open the following screen 334

Label description 334

Note after you finish the inbound load balancing settings go to security policy and nat screens to configure the corresponding rule and virtual server to allow the internet users to access your internal servers 334

The following table describes the labels in this screen 334

The inbound lb screen 334

Use the inbound lb add edit screen see section 18 on page 335 to add or edit a dns load balancing rule 334

Zywall usg series user s guide 334

Chapter 18 inbound load balancing 335

Inbound lb and then the add or edit icon to open this screen 335

Inbound lb continued 335

Label description 335

The inbound lb add edit screen 335

Zywall usg series user s guide 335

Add edit 336

Chapter 18 inbound load balancing 336

Label description 336

The following table describes the labels in this screen 336

Zywall usg series user s guide 336

Add edit continued 337

Add or edit and then an add or edit icon to open this screen 337

Chapter 18 inbound load balancing 337

Label description 337

Select a load balancing method to use from the drop down list box 337

Select weighted round robin to balance the traffic load between interfaces based on their respective weights an interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight for example if the weight ratio of wan1 and wan2 interfaces is 2 1 the zywall usg chooses wan1 for 2 sessions traffic and wan2 for every session s traffic in each round of 3 new sessions 337

The inbound lb member add edit screen 337

Zywall usg series user s guide 337

Add edit 338

Chapter 18 inbound load balancing 338

Label description 338

The following table describes the labels in this screen 338

Zywall usg series user s guide 338

Web auth overview 339

Web authentication 339

What you can do in this chapter 339

Forced user authentication 340

Note this works with http traffic only the zywall usg does not display the login screen when users attempt to send other kinds of traffic 340

Single sign on 340

Web authentication screen 340

What you need to know 340

Chapter 19 web authentication 341

Label description 341

The following table gives an overview of the objects you can configure 341

Web authentication 341

Web authentication web portal 341

Zywall usg series user s guide 341

Chapter 19 web authentication 342

Label description 342

Web authentication continued 342

Zywall usg series user s guide 342

Creating editing an authentication policy 343

Creating exceptional services 343

Add authentication policy 344

Chapter 19 web authentication 344

In the following figure u user logs into a domain controller dc which passes the user s login credentials to the sso agent the sso agent checks that these credentials are correct with the ad server and if the ad server confirms so the sso then notifies the zywall usg to allow access for the user to the permitted resource internet access for example 344

Label description 344

Sso overview 344

The following table gives an overview of the objects you can configure 344

The sso single sign on function integrates domain controller and zywall usg authentication mechanisms so that users just need to log in once single login to get access to permitted resources 344

Zywall usg series user s guide 344

Note the zywall usg the dc the sso agent and the ad server must all be in the same domain and be able to communicate with each other 345

Sso does not support ipv6 ldap or radius you must use it in an ipv4 network environment with windows ad active directory authentication database 345

Web authentication screen 345

Configuration overview 346

Configure the zywall usg to communicate with sso 346

Screen field screen field 346

Sso zywall usg configuration 346

Zywall usg sso 346

Chapter 19 web authentication 347

Enable web authentication 347

Enable web authentication and add a web authentication policy 347

Label description 347

The following table gives an overview of the objects you can configure 347

Zywall usg series user s guide 347

Create a security policy 348

Configure user information 349

Configure an authentication method 350

Configure active directory 351

Sso agent configuration 352

Overview 357

What you can do in this chapter 357

A dedicated rtls ssid is recommended 358

At least three aps managed by the zywall usg the more aps the better since it increases the amount of information the ekahau rtls controller has for calculating the location of the tags 358

Before you begin 358

Chapter 20 rtls 358

Configuring rtls 358

Ekahau rtls controller in blink mode with tzsp updater enabled 358

For example if the ekahau rtls controller is behind a firewall open ports 8550 8553 and 8569 to allow traffic the aps send to reach the ekahau rtls controller 358

Ip addresses for the ekahau wi fi tags 358

Port number type description 358

Rtls to open this screen use this screen to turn rtls real time location system on or off and specify the ip address and server port of the ekahau rtls controller 358

Security policies to allow rtls traffic if the zywall usg security policy control is enabled or the ekahau rtls controller is behind a firewall 358

Table 148 rtls traffic port numbers 358

The following table lists default port numbers and types of packets rtls uses 358

You need 358

Zywall usg series user s guide 358

Chapter 20 rtls 359

Label description 359

The following table describes the labels in this screen 359

Zywall usg series user s guide 359

Overview 360

Security policy 360

One security 361

Chapter 21 security policy 363

Figure 245 example of l2tp over ipsec troubleshooting 2 363

For example at the time of writing these are the onesecurity icons you can see 363

In the zywall usg you will see icons that link to onesecurity walkthroughs troubleshooting and so on in certain screens 363

Onesecurity icon screen 363

Table 150 onesecurity icons 363

Zywall usg series user s guide 363

Onesecurity icon screen 364

Table 150 onesecurity icons continued 364

What you can do in this chapter 364

Default directional security policy behavior 365

Stateful inspection 365

To device policies 365

What you need to know 365

Asymmetrical routes 366

Global security policies 366

Security policy rule criteria 366

Session limits 366

The security policy screen 366

User specific security policies 366

Configuring the security policy control screen 367

Chapter 21 security policy 368

Label description 368

Policy control 368

The following table describes the labels in this screen 368

Zywall usg series user s guide 368

Chapter 21 security policy 369

Label description 369

Note allowing asymmetrical routes may let traffic from the wan go directly to the lan without passing through the zywall usg a better solution is to use virtual interfaces to put the zywall usg and the backup gateway on separate subnets 369

Policy control continued 369

Zywall usg series user s guide 369

Chapter 21 security policy 370

In the security policy control screen click the edit or add icon to display the security policy edit or add screen 370

Label description 370

Policy control continued 370

The security policy control add edit screen 370

Zywall usg series user s guide 370

Chapter 21 security policy 371

Label description 371

The following table describes the labels in this screen 371

Zywall usg series user s guide 371

Add continued 372

Anomaly detection and prevention adp protects against anomalies based on violations of protocol standards rfcs requests for comments and abnormal flows such as port scans this section introduces adp anomaly profiles and applying an adp profile to a traffic direction 372

Anomaly detection and prevention overview 372

Chapter 21 security policy 372

Label description 372

Note if you specified a source ip address group instead of any in the field below the user s ip address should be within the ip address range 372

Zywall usg series user s guide 372

General screen 373

Label description 373

Profile screen 373

Protocol anomalies 373

The anomaly detection and prevention general screen 373

Traffic anomalies 373

Adp profiles consist of traffic anomaly profiles and protocol anomaly profiles to create a new profile select a base profile and then click ok to go to the profile details screen type a new profile name enable or disable individual policies and then edit the default log options and actions 374

Chapter 21 security policy 374

Creating new adp profiles 374

General 374

Label description 374

Note depending on your network topology and traffic load applying every packet direction to an anomaly profile may affect the zywall usg s performance 374

Profile screens 374

Profile to view the following screen 374

To counter this you could create a monitor profile that creates logs but all actions are disabled observe the logs over time and try to eliminate the causes of the false alarms when you re satisfied that they have been reduced to an acceptable level you could then create an in line profile whereby you configure appropriate actions to be taken when a packet matches a policy 374

When creating adp profiles you may find that certain policies are triggering too many false positives or false negatives a false positive is when valid traffic is flagged as an attack a false negative is when invalid traffic is wrongly allowed to pass through the zywall usg as each network is different false positives and false negatives are common on initial adp deployment 374

Zywall usg series user s guide 374

Chapter 21 security policy 375

Label description 375

Profile 375

Profile screen click the edit or add icon and choose a base profile traffic anomaly is the first tab in the profile 375

The following table describes the labels in this screen 375

Traffic anomaly profiles 375

Zywall usg series user s guide 375

Add traffic anomaly 376

Chapter 21 security policy 376

Labels description 376

The following table describes the labels in this screen 376

Zywall usg series user s guide 376

Add traffic anomaly continued 377

Chapter 21 security policy 377

Labels description 377

Zywall usg series user s guide 377

Protocol anomalies 378

Add protocol anomaly 379

Chapter 21 security policy 379

Label description 379

The following table describes the labels in this screen 379

Zywall usg series user s guide 379

Add protocol anomaly 380

Chapter 21 security policy 380

Label description 380

Session control 380

Session control to display the security policy session control screen use this screen to limit the number of concurrent nat security policy sessions a client can use you can apply a default limit for all users and individual limits for specific users addresses or both the individual limit takes priority if you apply both 380

The session control screen 380

Zywall usg series user s guide 380

Chapter 21 security policy 381

Label description 381

Session control 381

Session control and the add or edit icon to display the add or edit screen use this screen to configure rules that define a session limit for specific users or addresses 381

The following table describes the labels in this screen 381

The session control add edit screen 381

Zywall usg series user s guide 381

Add edit 382

Chapter 21 security policy 382

Label description 382

Note if you specified an ip address or address group instead of any in the field below the user s ip address should be within the ip address range 382

Security policy example applications 382

Suppose you decide to block lan users from using irc internet relay chat through the internet to do this you would configure a lan to wan security policy that blocks irc traffic from any source ip address from going to any destination address you do not need to specify a schedule since you need the security policy to always be in effect the following figure shows the results of this policy 382

The following table describes the labels in this screen 382

Zywall usg series user s guide 382

Alternatively you configure a lan1 to wan policy with the ceo s user name say ceo to allow irc traffic from any source ip address to go to any destination address 384

Chapter 21 security policy 384

Figure 256 limited lan to wan irc traffic example 384

Table 161 limited lan1 to wan irc traffic example 1 384

Table 162 limited lan1 to wan irc traffic example 2 384

The first row allows any lan1 computer to access the irc service on the wan by logging into the zywall usg with the ceo s user name 384

The first row allows the lan1 computer at ip address 172 6 to access the irc service on the wan 384

The policy for the ceo must come before the policy that blocks all lan1 to wan irc traffic if the policy that blocks all lan1 to wan irc traffic came first the ceo s irc traffic would match that policy and the zywall usg would drop it and not check any other security policies 384

The second row blocks lan1 access to the irc service on the wan 384

The third row is the default policy of allowing all traffic from the lan1 to go to the wan 384

The third row is the default policy of allowing allows all traffic from the lan1 to go to the wan 384

User source destination schedule utm profile action 384

Your security policy would have the following configuration 384

Your security policy would have the following settings 384

Zywall usg series user s guide 384

Ipsec vpn 385

Virtual private networks vpn overview 385

Ssl vpn 386

L2tp vpn 387

What you can do in this chapter 387

What you need to know 388

Application scenarios 389

Chapter 22 ipsec vpn 389

Finding out more 389

Remote access client role 389

Remote access server role 389

See section 22 on page 410 for ipsec vpn background information 389

See the help in the ipsec vpn quick setup wizard screens 389

Site to site site to site with dynamic peer 389

Table 163 ipsec vpn application scenarios 389

The zywall usg s application scenarios make it easier to configure your vpn connection settings 389

Zywall usg series user s guide 389

Before you begin 390

The vpn connection screen 390

Chapter 22 ipsec vpn 391

Each field is discussed in the following table 391

Label description 391

The vpn connection add edit ike screen 391

Vpn connection 391

Vpn connection screen see section 22 on page 390 and click either the add icon or an edit icon 391

Zywall usg series user s guide 391

Chapter 22 ipsec vpn 393

Each field is described in the following table 393

Label description 393

Zywall usg series user s guide 393

Chapter 22 ipsec vpn 394

Edit continued 394

Label description 394

Zywall usg series user s guide 394

Chapter 22 ipsec vpn 395

Edit continued 395

Label description 395

Zywall usg series user s guide 395

Chapter 22 ipsec vpn 396

Edit continued 396

Label description 396

Zywall usg series user s guide 396

Chapter 22 ipsec vpn 397

Edit continued 397

Label description 397

Zywall usg series user s guide 397

Chapter 22 ipsec vpn 398

Each field is discussed in the following table see section 22 on page 399 for more information 398

Label description 398

The vpn gateway screen 398

Vpn gateway 398

Vpn gateway the following screen appears 398

Zywall usg series user s guide 398

Chapter 22 ipsec vpn 399

Label description 399

The vpn gateway add edit screen 399

The vpn gateway add edit screen allows you to create a new vpn gateway policy or edit an existing one to access this screen go to the vpn gateway summary screen see section 22 on page 398 and click either the add icon or an edit icon 399

Vpn gateway continued 399

Zywall usg series user s guide 399

Add edit 401

Chapter 22 ipsec vpn 401

Each field is described in the following table 401

Label description 401

Note the zywall usg and remote ipsec router must use the same authentication method to establish the ike sa 401

Zywall usg series user s guide 401

Add edit continued 402

Chapter 22 ipsec vpn 402

Label description 402

Note the ipsec routers must trust each other s certificates 402

Zywall usg series user s guide 402

Add edit continued 403

Chapter 22 ipsec vpn 403

Label description 403

Note if peer id type is ip please read the rest of this section 403

Zywall usg series user s guide 403

Add edit continued 404

Chapter 22 ipsec vpn 404

Label description 404

Zywall usg series user s guide 404

Add edit continued 405

Chapter 22 ipsec vpn 405

Label description 405

Zywall usg series user s guide 405

Vpn concentrator 406

Vpn concentrator requirements and suggestions 406

The vpn concentrator add edit screen 407

Vpn concentrator screen 407

Zywall usg ipsec vpn client configuration provisioning 408

A subnet or range remote policy 409

Chapter 22 ipsec vpn 409

Configuration provisioning 409

Each field is discussed in the following table 409

In the zywall usg quick setup wizard you can use the vpn settings for configuration provisioning wizard to create a vpn rule that will not violate these restrictions 409

Ipv4 rules with ikev2 version 409

Ipv4 rules with user based psk authentication 409

Ipv6 rules 409

Label description 409

The following vpn gateway rules configured on the zywall usg cannot be provisioned to the ipsec vpn client 409

Zywall usg series user s guide 409

Ike sa overview 410

Ipsec vpn background information 410

Note both routers must use the same negotiation mode 410

Ike sa proposal 411

Ip addresses of the zywall usg and remote ipsec router 411

Note both routers must use the same encryption algorithm authentication algorithm and dh key group 411

Authentication 412

Diffie hellman dh key exchange 412

Note the zywall usg and the remote ipsec router must use the same pre shared key 413

Note the zywall usg s local and peer id type and content must match the remote ipsec router s peer and local id type and content respectively 413

Additional topics for ike sa 414

Negotiation mode 414

Vpn nat and nat traversal 414

Certificates 415

X auth extended authentication 415

Active protocol 416

Encapsulation 416

Ipsec sa overview 416

Local network and remote network 416

Note the ipsec sa stays connected even if the underlying ike sa is not available anymore 416

Note the zywall usg and remote ipsec router must use the same active protocol 416

Note the zywall usg and remote ipsec router must use the same encapsulation 416

Note you must set up the certificates for the zywall usg and remote ipsec router first 416

Additional topics for ipsec sa 417

Authentication and the security parameter index spi 417

Ipsec sa proposal and perfect forward secrecy 417

Nat for inbound and outbound traffic 417

Note the zywall usg and remote ipsec router must use the same spi 417

Source address in inbound packets inbound traffic source nat 418

Source address in outbound packets outbound traffic source nat 418

68 24 172 6 24 419

Destination address in inbound packets inbound traffic destination nat 419

Ipsec vpn example scenario 419

Lan lan 419

Overview 420

Ssl vpn 420

What you can do in this chapter 420

What you need to know 420

Ssl access policy objects 421

The ssl access privilege screen 421

Access privilege 422

Chapter 23 ssl vpn 422

Label description 422

The following table describes the labels in this screen 422

The ssl access privilege policy add edit screen 422

To create a new or edit an existing ssl access policy click the add or edit icon in the access privilege screen 422

Zywall usg series user s guide 422

Add edit continued 424

Chapter 23 ssl vpn 424

Label description 424

Note although you can select admin and limited admin accounts in this screen they are reserved for device configuration only you cannot use them to access the ssl vpn portal 424

Note to allow access to shared files on a windows 7 computer within windows 7 you must enable sharing on the folder and also go to the network and sharing center s advanced sharing settings and turn on the current network profile s file and printer sharing 424

Zywall usg series user s guide 424

Add edit continued 425

Chapter 23 ssl vpn 425

Global setting 425

Label description 425

Ssl vpn and click the global setting tab to display the following screen use this screen to set the ip address of the zywall usg or a gateway device on your network for full tunnel mode access enter access messages or upload a custom logo to be displayed on the remote user screen 425

The ssl global setting screen 425

Zywall usg series user s guide 425

Chapter 23 ssl vpn 426

Click apply to start the file transfer process 426

Click browse to locate the logo graphic make sure the file is in gif jpg or png format 426

Follow the steps below to upload a custom logo to display on the remote user ssl vpn screens 426

Global setting 426

How to upload a custom logo 426

Label description 426

Log in as a user to verify that the new logo displays properly 426

Note the logo graphic must be gif jpg or png format the graphic should use a resolution of 103 x 29 pixels to avoid distortion when displayed the zywall usg automatically resizes a graphic of a different resolution to 103 x 29 pixels the file size must be 100 kilobytes or less transparent background is recommended 426

Ssl vpn and click the global setting tab to display the configuration screen 426

The following table describes the labels in this screen 426

Zywall usg series user s guide 426

Zywall usg secuextender 427

Example configure zywall usg for secuextender 428

Label description 428

Overview 431

Ssl user screens 431

What you need to know 431

Certificates 432

Finding out more 432

Remote ssl user login 432

Required information 432

System requirements 432

Note available resource links vary depending on the configuration your network administrator made 435

The ssl vpn user screens 435

Bookmarking the zywall usg 436

Chapter 24 ssl user screens 436

Description 436

Figure 295 remote user screen 436

In any remote user screen click the add to favorite icon 436

Table 178 remote user screen overview 436

The following table describes the various parts of a remote user screen 436

You can create a bookmark of the zywall usg by clicking the add to favorite icon this allows you to access the zywall usg using the bookmark without having to enter the address every time 436

Zywall usg series user s guide 436

Logging out of the ssl vpn user screens 437

Ssl user application screen 437

Note available actions you can perform in the file sharing screen vary depending on the rights granted to you on the file server 438

Ssl user file sharing 438

The main file sharing screen 438

Opening a file or folder 439

Downloading a file 440

Saving a file 440

Creating a new folder 441

Note make sure the length of the folder name does not exceed the maximum allowed on the file server 441

Renaming a file or folder 441

Deleting a file or folder 442

Note make sure the length of the name does not exceed the maximum allowed on the file server you may not be able to open a file if you change the file extension 442

Uploading a file 442

Note uploading a file with the same name and file extension replaces the existing file on the file server no warning message is displayed 443

Status 444

The zywall usg secuextender icon 444

Zywall usg secuextender windows 444

Chapter 25 zywall usg secuextender windows 445

Figure 308 zywall usg secuextender status 445

If you have problems with the zywall usg secuextender customer support may request you to provide information from the log right click the zywall usg secuextender icon in the system tray and select log to open a notepad file of the zywall usg secuextender s log 445

Label description 445

Table 179 zywall usg secuextender status 445

The following table describes the labels in this screen 445

View log 445

Zywall usg series user s guide 445

Stop the connection 446

Suspend and resume the connection 446

Uninstalling the zywall usg secuextender 446

L2tp vpn 448

Overview 448

What you can do in this chapter 448

What you need to know 448

L2tp vpn screen 449

L2tp_pool 449

Lan_subnet 449

Policy route 449

Using the quick setup vpn setup wizard 449

Chapter 26 l2tp vpn 450

L2tp vpn 450

Label description 450

Note modifying this vpn connection or the vpn gateway that it uses disconnects any existing l2tp vpn sessions 450

The following table describes the fields in this screen 450

Zywall usg series user s guide 450

Address for the wan ip address of the nat router 451

Chapter 26 l2tp vpn 451

Example l2tp and zywall usg behind a nat router 451

If the zywall usg z is behind a nat router n then do the following for remote clients c to access the network behind the zywall usg z using l2tp over ipv4 451

L2tp vpn continued 451

Label description 451

Select remote access server role as the vpn scenario for the remote client 451

Vpn connection and click add for ipv4 configuration to create a new vpn connection 451

Zywall usg series user s guide 451

Bwm bandwidth management 453

Overview 453

What you can do in this chapter 453

What you need to know 453

Connection and packet directions 454

Diffserv and dscp marking 454

Bandwidth management priority 455

Connection 455

Inbound 455

Outbound 455

Outbound and inbound bandwidth limits 455

Bandwidth management behavior 456

Bwm 1000 kbps 456

Configured rate effect 456

Maximize bandwidth usage 456

Priority effect 456

Maximize bandwidth usage effect 457

Priority and over allotment of bandwidth effect 457

The bandwidth management screen 457

Bandwidth management 458

Chapter 27 bwm bandwidth management 458

Label description 458

The following table describes the labels in this screen see section 27 on page 460 for more information as well 458

Zywall usg series user s guide 458

Bandwidth management 459

Chapter 27 bwm bandwidth management 459

Label description 459

Zywall usg series user s guide 459

Bandwidth management add edit screen allows you to create a new condition or edit an existing one 460

Bandwidth management screen see section 27 on page 457 and click either the add icon or an edit icon 460

Chapter 27 bwm bandwidth management 460

Edit for the default policy 460

P marking 460

Table 186 single tagged 802 q frame format 460

Table 187 802 q frame 460

Table 188 priority code and types of traffic priority traffic types 460

The bandwidth management add edit screen 460

The following table is a guide to types of traffic for the priority code 460

Use 802 p to prioritize outgoing traffic from a vlan interface the priority code is a 3 bit field within a 802 q vlan tag that s used to prioritize associated outgoing vlan traffic 0 is the lowest priority level and 7 is the highest 460

Zywall usg series user s guide 460

Add edit 461

Chapter 27 bwm bandwidth management 461

Label description 461

The following table describes the labels in this screen 461

Zywall usg series user s guide 461

Add edit 462

Chapter 27 bwm bandwidth management 462

Label description 462

Zywall usg series user s guide 462

Add edit 463

Chapter 27 bwm bandwidth management 463

Label description 463

Zywall usg series user s guide 463

Adding objects for the bwm policy 464

Label description 464

Add user 465

Chapter 27 bwm bandwidth management 465

Label description 465

Zywall usg series user s guide 465

Add schedule 466

Chapter 27 bwm bandwidth management 466

Label description 466

The following table describes the fields in the above screen 466

Zywall usg series user s guide 466

Add address 467

Chapter 27 bwm bandwidth management 467

Label description 467

The following table describes the fields in the above screen 467

Zywall usg series user s guide 467

Application patrol 468

Overview 468

What you can do in this chapter 468

What you need to know 468

Application patrol profile 469

Classification of applications 469

Custom ports for sip and the sip alg 469

Finding out more 469

Note the zywall usg allows the first eight packets to go through the security policy regardless of the application patrol policy for the application the zywall usg examines these first eight packets to identify the application 469

Note you must register for the idp apppatrol signature service at least the trial before you can use it 469

Chapter 28 application patrol 470

Label description 470

Profile 470

The following table describes the labels in this screen 470

Zywall usg series user s guide 470

Add edit 471

Chapter 28 application patrol 471

Label description 471

Profile 471

Profile then click add to create a new profile rule or click an existing profile and click edit or double click it to open the following screen 471

The application patrol profile add edit screen 471

The following table describes the labels in this screen 471

Zywall usg series user s guide 471

Add edit 472

Add edit continued 472

Chapter 28 application patrol 472

Click add or edit under profile management in the previous screen to display the following screen 472

Label description 472

The application patrol profile rule add application screen 472

The following table describes the labels in this screen 472

Zywall usg series user s guide 472

Add edit 473

Chapter 28 application patrol 473

Label description 473

Zywall usg series user s guide 473

Content filtering 474

Overview 474

What you can do in this chapter 474

What you need to know 474

Before you begin 475

Content filtering configuration guidelines 475

External web filtering service 475

Finding out more 475

Keyword blocking url checking 475

Content filter profile screen 476

Chapter 29 content filtering 477

Label description 477

Profile continued 477

Zywall usg series user s guide 477

Content filter add profile category service 478

Content filter profile add or edit screen 478

Category service 480

Chapter 29 content filtering 480

Label description 480

The following table describes the labels in this screen 480

Zywall usg series user s guide 480

Category service 481

Chapter 29 content filtering 481

Label description 481

Sites that use bots zombies including command and control site 481

Zywall usg series user s guide 481

Category description 482

Category service 482

Chapter 29 content filtering 482

Label description 482

Table 198 managed category descriptions 482

The following table describes the managed categories 482

Zywall usg series user s guide 482

Chapter 29 content filtering 483

Table 198 managed category descriptions continued 483

Zywall usg series user s guide 483

Chapter 29 content filtering 484

Table 198 managed category descriptions continued 484

Zywall usg series user s guide 484

Chapter 29 content filtering 485

Table 198 managed category descriptions continued 485

Zywall usg series user s guide 485

Chapter 29 content filtering 486

Content filter add filter profile custom service 486

Custom service to open the custom service screen you can create a list of good allowed web site addresses and a list of bad blocked web site addresses you can also block web sites based on whether the web site s address contains a keyword use this screen to add or remove specific sites or keywords from the filter list 486

Table 198 managed category descriptions continued 486

Zywall usg series user s guide 486

Chapter 29 content filtering 487

Custom service 487

Label description 487

The following table describes the labels in this screen 487

Zywall usg series user s guide 487

Chapter 29 content filtering 488

Custom service continued 488

Label description 488

Zywall usg series user s guide 488

Chapter 29 content filtering 489

Content filter trusted web sites screen 489

Custom service continued 489

Label description 489

Trusted web sites to open the trusted web sites screen you can create a common list of good allowed web site addresses when you configure filter profiles you can select the option to check the common trusted web sites list use this screen to add or remove specific sites from the filter list 489

Zywall usg series user s guide 489

Chapter 29 content filtering 490

Content filter forbidden web sites screen 490

Forbidden web sites to open the forbidden web sites screen you can create a common list of bad blocked web site addresses when you configure filter profiles you can select the option to check the common forbidden web sites list use this screen to add or remove specific sites from the filter list 490

Label description 490

The following table describes the labels in this screen 490

Trusted web sites 490

Zywall usg series user s guide 490

Chapter 29 content filtering 491

Content filter technical reference 491

External content filter server lookup procedure 491

Forbidden web sites 491

Label description 491

The content filter lookup process is described below 491

The following table describes the labels in this screen 491

This section provides content filtering background information 491

Zywall usg series user s guide 491

Before you begin 493

Overview 493

What you can do in this chapter 493

What you need to know 493

Note you must register in order to use packet inspection signatures see the registration screens 494

The idp profile screen 494

Base profiles 495

Chapter 30 idp 495

Figure 334 base profiles 495

Label description 495

Profile continued 495

Profile screen click add to display the following screen 495

Zywall usg series user s guide 495

Adding editing profiles 496

Base profile description 496

Chapter 30 idp 496

Packet inspection signatures examine the contents of a packet for malicious data it operates at layer 4 to layer 7 an idp profile is a group of idp signatures that have the same log and action settings in group view you can configure the same log and action settings for all idp signatures by severity level in the add profile screen you may also configure signature exceptions in the sameview 496

Table 203 base profiles 496

The following table describes this screen 496

You could create a new monitor profile that creates logs but all actions are disabled observe the logs over time and try to eliminate the causes of the false alarms when you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature 496

You may also find that certain signatures are triggering too many false positives or false negatives a false positive is when valid traffic is flagged as an attack a false negative is when invalid traffic is wrongly allowed to pass through the zywall usg as each network is different false positives and false negatives are common on initial idp deployment 496

You may want to create a new profile if not all signatures in a base profile are applicable to your network in this case you should disable non applicable signatures so as to improve zywall usg idp processing efficiency 496

Zywall usg series user s guide 496

Group view screen 497

Profile group view screen 497

Chapter 30 idp 498

Group view continued 498

Label description 498

Zywall usg series user s guide 498

Chapter 30 idp 499

Group view continued 499

Label description 499

Zywall usg series user s guide 499

Add profile query view 500

Chapter 30 idp 500

Group view continued 500

In the group view screen click switch to query view to search for signatures by criteria such as name id severity policy type platform service platforms or actions 500

Label description 500

Query view 500

Zywall usg series user s guide 500

Chapter 30 idp 501

Policy type description 501

Policy types 501

Table 205 policy types 501

This table describes policy types as categorized in the zywall usg 501

Zywall usg series user s guide 501

An idp service group is a set of related packet inspection signatures 502

Chapter 30 idp 502

Idp service groups 502

Policy type description 502

Table 205 policy types continued 502

Table 206 idp service groups 502

The n a service group is for signatures that are not for a specific service 502

Zywall usg series user s guide 502

Chapter 30 idp 503

Label description 503

Profile query view 503

The following table describes the fields specific to this screen s query view 503

Zywall usg series user s guide 503

Actions any 504

Chapter 30 idp 504

Label description 504

Platform windows 504

Policy type dos 504

Profile query view continued 504

Query example 504

Service any 504

Severity high 504

This example shows a search with these criteria 504

Zywall usg series user s guide 504

Idp custom signatures 505

Ip packet header 505

Chapter 30 idp 506

Figure 338 ip v4 packet headers 506

Header description 506

Table 208 ip v4 packet headers 506

The header fields are discussed in the following table 506

Zywall usg series user s guide 506

Chapter 30 idp 507

Custom signature s the first screen shows a summary of all custom signatures created click the sid or name heading to sort click the add icon to create a new signature or click the edit icon to edit an existing signature you can also delete custom signatures here or save them to your computer 507

Custom signatures 507

Label description 507

Note the zywall usg checks all signatures and continues searching even after a match is found if two or more rules have conflicting actions for the same packet then the zywall usg applies the more restrictive action reject both reject receiver or reject sender drop none in this order if a packet matches a rule for reject receiver and it also matches a rule for reject sender then the zywall usg will reject both 507

The following table describes the fields in this screen 507

Zywall usg series user s guide 507

Add edit custom signatures 508

Add edit 510

Chapter 30 idp 510

Label description 510

The following table describes the fields in this screen 510

Zywall usg series user s guide 510

Add edit continued 511

Chapter 30 idp 511

Label description 511

Zywall usg series user s guide 511

Add edit continued 512

Before creating a custom signature you must first clearly understand the vulnerability 512

Chapter 30 idp 512

Custom signature example 512

Label description 512

Zywall usg series user s guide 512

Analyze packets 513

Understand the vulnerability 513

Applying custom signatures 514

Host intrusions 515

Idp technical reference 515

Network intrusions 515

Verifying custom signatures 515

68 24 111 content 00 01 a5 msg mountd access 516

Action 516

Chapter 30 idp 516

Protocol 516

Snort signatures 516

Source and destination ip addresses and netmasks 516

Source and destination ports information 516

Table 211 zywall usg snort equivalent terms 516

The rule header contains the rule s 516

The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken 516

The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options the words before the colons in the rule options section are the option keywords 516

The whole lan is compromised host based intrusions may be used to cause network based intrusions when the goal of the host virus is to propagate attacks on the network or attack computer server operating system vulnerabilities with the goal of bringing down the computer server typical network based intrusions are sql slammer blaster nimda mydoom etc 516

These are some equivalent snort terms in the zywall usg 516

You may want to refer to open source snort signatures when creating custom zywall usg ones most snort rules are written in a single line snort rules are divided into two logical sections the rule header and the rule options as shown in the following example 516

Zywall usg series user s guide 516

Zywall usg term snort equivalent term 516

Chapter 30 idp 517

Note not all snort functionality is supported in the zywall usg 517

Table 211 zywall usg snort equivalent terms continued 517

Zywall usg series user s guide 517

Zywall usg term snort equivalent term 517

Anti virus 518

Overview 518

What you can do in this chapter 518

Anti virus engines 519

How the zywall usg anti virus scanner works 519

Since the zywall usg erases the infected portion of the file before sending it you may not be able to open the file 519

Virus and worm 519

What you need to know 519

Zywall usg anti virus scanner 519

Anti virus profile screen 520

Finding out more 520

Notes about the zywall usg anti virus 520

Chapter 31 anti virus 521

Label description 521

Profile 521

The following table describes the labels in this screen 521

Zywall usg series user s guide 521

Anti virus profile add or edit 522

Chapter 31 anti virus 522

Label description 522

Profile continued 522

Profile screen to display the configuration screen as shown next 522

Zywall usg series user s guide 522

Chapter 31 anti virus 523

Label description 523

The following table describes the labels in this screen 523

Zywall usg series user s guide 523

Anti virus black list 524

Anti virus black list or white list add edit 525

Black list 525

Black list or white list screen click the add icon or an edit icon to display the following screen 525

Chapter 31 anti virus 525

For a black list entry enter a file pattern that should cause the zywall usg to log and delete a file 525

For a white list entry enter a file pattern that should cause the zywall usg to allow a file 525

Label description 525

The following table describes the labels in this screen 525

Zywall usg series user s guide 525

Anti virus white list 526

Chapter 31 anti virus 526

Label description 526

The following table describes the labels in this screen 526

White list to display the screen shown next use the black white list screen to set up anti virus black blocked and white allowed lists of virus file patterns click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 526

Zywall usg series user s guide 526

Av signature searching 527

Chapter 31 anti virus 527

If internet explorer opens a warning screen about a script making internet explorer run slowly and the computer maybe becoming unresponsive just click no to continue click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 527

Label description 527

Signature to display this screen use this screen to locate signatures and display details about them 527

The following table describes the labels in this screen 527

White list 527

Zywall usg series user s guide 527

Anti virus technical reference 528

Chapter 31 anti virus 528

Label description 528

Signature 528

Table 218 common computer virus types 528

The following table describes some of the common computer viruses 528

The following table describes the labels in this screen 528

Type description 528

Types of computer viruses 528

Zywall usg series user s guide 528

Computer virus infection and prevention 529

Types of anti virus scanner 529

Anti spam 530

Overview 530

What you can do in this chapter 530

What you need to know 530

Before you begin 531

E mail header buffer size 531

E mail headers 531

Finding out more 531

Smtp and pop3 531

Anti spam to open the anti spam profile screen use this screen to turn the anti spam feature on or off and manage anti spam policies you can also select the action the zywall usg takes when the mail sessions threshold is reached 532

Chapter 32 anti spam 532

Click on the icons to go to the onesecurity com website where there is guidance on configuration walkthroughs troubleshooting and other information 532

Configure your zones before you configure anti spam 532

Label description 532

Profile 532

Profilel 532

The anti spam profile screen 532

The following table describes the labels in this screen 532

Zywall usg series user s guide 532

Chapter 32 anti spam 533

Label description 533

Profile 533

Profile screen to display the configuration screen as shown next use this screen to configure an anti spam policy that controls what traffic direction of e mail to check which e mail protocols to scan the scanning options and the action to take on spam traffic 533

The anti spam profile add or edit screen 533

Zywall usg series user s guide 533

Chapter 32 anti spam 534

Label description 534

The following table describes the labels in this screen 534

Zywall usg series user s guide 534

Add continued 535

Add edit screen 535

Chapter 32 anti spam 535

Label description 535

The mail scan screen 535

Zywall usg series user s guide 535

Chapter 32 anti spam 536

Label description 536

Mail scan 536

The following table describes the labels in this screen 536

Zywall usg series user s guide 536

Black white list to display the anti spam black list screen 537

Chapter 32 anti spam 537

Configure the black list to identify spam e mail you can create black list entries based on the sender s or relay server s ip address or e mail address you can also create entries that check for particular e mail header fields with specific values or specific subject text click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 537

Label description 537

Mail scan 537

The anti spam black list screen 537

Zywall usg series user s guide 537

Black list 538

Chapter 32 anti spam 538

Label description 538

The following table describes the labels in this screen 538

Zywall usg series user s guide 538

Chapter 32 anti spam 539

In the anti spam black list or white list screen click the add icon or an edit icon to display the following screen 539

Label description 539

The anti spam black or white list add edit screen 539

The following table describes the labels in this screen 539

Use this screen to configure an anti spam black list entry to identify spam e mail you can create entries based on specific subject text or the sender s or relay s ip address or e mail address you can also create entries that check for particular header fields and values 539

Zywall usg series user s guide 539

Black white list and then the white list tab to display the anti spam white list screen 540

Chapter 32 anti spam 540

Configure the white list to identify legitimate e mail you can create white list entries based on the sender s or relay s ip address or e mail address you can also create entries that check for particular header fields and values or specific subject text 540

Label description 540

Regular expressions in black or white list entries 540

The anti spam white list screen 540

The following applies for a black or white list entry based on an e mail subject e mail address or e mail header value 540

The wildcard can be anywhere in the text string and you can use more than one wildcard you cannot use two wildcards side by side there must be other characters between them 540

The zywall usg checks the first header with the name you specified in the entry so if the e mail has more than one received header the zywall usg checks the first one 540

Use a question mark to let a single character vary for example use a c without the quotation marks to specify abc acc and so on 540

You can also use a wildcard for example if you configure def com any e mail address that ends in def com matches so mail def com matches 540

Zywall usg series user s guide 540

Chapter 32 anti spam 541

Label description 541

The following table describes the labels in this screen 541

White list 541

Zywall usg series user s guide 541

The dnsbl screen 542

Chapter 32 anti spam 543

Label description 543

The following table describes the labels in this screen 543

Zywall usg series user s guide 543

Anti spam technical reference 544

A a a a b b b b 545

A a a a not spam 545

Dnsbl a 545

Dnsbl b 545

Dnsbl c 545

Ips a a a a b b b b 545

C c c c d d d d 546

C c c c not spam 546

D d d d not spam 546

Dnsbl a 546

Dnsbl b 546

Dnsbl c 546

Ips c c c c d d d d 546

A b c d not spam 547

A b c d spam 547

A b c d w x y z 547

Dnsbl a 547

Dnsbl b 547

Dnsbl c 547

Ips a b c d w x y z 547

Overview 548

Ssl inspection 548

What you can do in this chapter 548

What you need to know 548

Before you begin 549

The ssl inspection profile screen 549

1myprofile 550

Add edit 550

Add edit ssl inspection profiles 550

Add to create a new profile or select an existing profile and click edit to change its settings 550

Chapter 33 ssl inspection 550

Label description 550

My profile 550

Mymy12_3 4 550

Myprofile 550

Profile continued 550

The following table describes the fields in this screen 550

Whatalongprofilename123456789012 550

Zywall usg series user s guide 550

Add edit continued 551

Chapter 33 ssl inspection 551

Label description 551

Zywall usg series user s guide 551

Add edit continued 552

Chapter 33 ssl inspection 552

Exclude list screen 552

Exclude list to display the following screen use add to put a new item in the list or edit to change an existing one or remove to delete an existing entry 552

Label description 552

There may be privacy and legality issues regarding inspecting a user s encrypted session the legal issues may vary by locale so it s important to check with your legal department to make sure that it s ok to intercept ssl traffic from your zywall usg users 552

To ensure individual privacy and meet legal requirements you can configure an exclusion list to exclude matching sessions to destination servers this traffic is not intercepted and is passed through uninspected 552

Zywall usg series user s guide 552

Add edit 553

Chapter 33 ssl inspection 553

Exclude list 553

Label description 553

The following table describes the fields in this screen 553

Zywall usg series user s guide 553

Certificate update screen 554

Install a ca certificate in a browser 555

Firefox browser 556

Device ha 557

Overview 557

What you can do in this chapter 557

What you need to know 557

Before you begin 558

Device ha general 558

Finding out more 558

Note only zywall usgs of the same model and firmware version can synchronize 558

Note subscribe to services on the backup zywall usg before synchronizing it with the master zywall usg 558

Synchronization 558

Chapter 34 device ha 559

General 559

Label description 559

Note it is not recommended to use stp spanning tree protocol with device ha 559

The active passive mode screen 559

The following table describes the labels in this screen 559

The master and backup zywall usg form a single virtual router in the following example master zywall usg a and backup zywall usg b form a virtual router 559

Virtual router 559

Zywall usg series user s guide 559

Cluster id 560

Monitored interfaces in active passive mode device ha 560

Virtual router and management ip addresses 560

Configuring active passive mode device ha 561

Active passive mode continued 563

Chapter 34 device ha 563

Label description 563

Zywall usg series user s guide 563

A bridge interface s device ha settings are not retained if you delete the bridge interface 564

Active passive mode continued 564

Active passive mode edit monitored interface 564

Chapter 34 device ha 564

If you configure device ha settings for an ethernet interface and later add the ethernet interface to a bridge the zywall usg retains the interface s device ha settings and uses them again if you later remove the interface from the bridge if the bridge is later deleted or the interface is removed from it device ha will recover the interface s setting 564

Label description 564

Zywall usg series user s guide 564

Chapter 34 device ha 565

Label description 565

Note do not connect the bridge interfaces on two zywall usgs without device ha activated on both doing so could cause a broadcast storm 565

The following table describes the labels in this screen 565

Zywall usg series user s guide 565

Active passive mode device ha with bridge interfaces 566

Br0 ge4 ge5 566

Device ha technical reference 566

First option for connecting the bridge interfaces on two zywall usgs 566

Second option for connecting the bridge interfaces on two zywall usgs 567

Synchronization 568

Object 570

What you need to know 570

Zones overview 570

Chapter 35 object 571

Extra zone traffic 571

Extra zone traffic is traffic to or from any interface or vpn tunnel that is not assigned to a zone for example in figure 375 on page 570 traffic to or from computer c is extra zone traffic 571

Inter zone traffic 571

Inter zone traffic is traffic between interfaces or vpn tunnels in different zones for example in figure 375 on page 570 traffic between vlan 1 and the internet is inter zone traffic this is the normal case when zone based security and policy settings apply 571

Label description 571

Some zone based security and policy settings may apply to extra zone traffic especially if you can set the zone attribute in them to any or all see the specific feature for more information 571

The following table describes the labels in this screen 571

The zone screen 571

Zywall usg series user s guide 571

User group overview 572

Zone edit 572

Ext user accounts 573

Note the default admin account is always authenticated locally regardless of the authentication method setting see chapter 35 on page 637 for more information about authentication methods 573

User account 573

User types 573

What you need to know 573

Ext group user accounts 574

Finding out more 574

Note if the zywall usg tries to authenticate an ext user using the local database the attempt always fails 574

Note you cannot put access users and admin users in the same user group 574

Note you cannot put the default admin account into any user group 574

User awareness 574

User groups 574

Chapter 35 object 575

Label description 575

The following table describes the labels in this screen 575

The user add edit screen allows you to create a new user account or edit an existing one 575

The zywall usg supports ttls using pap so you can use the zywall usg s local user database to authenticate users with wpa or wpa2 instead of needing an external radius server 575

User add edit screen 575

User group 575

User group user summary screen 575

Zywall us 575

Zywall usg series user s guide 575

Alphanumeric a z 0 9 there is no unicode support 576

Chapter 35 object 576

Dashes 576

Enter a user name from 1 to 31 characters 576

Here are the reserved user names 576

Rules for user names 576

The first character must be alphabetical a z a z an underscore _ or a dash other limitations on user names are 576

The user name can only contain the following characters 576

To access this screen go to the user screen see section 35 4 on page 664 and click either the add icon or an edit icon 576

User names are case sensitive if you enter a user bob but use bob when connecting via cifs or ftp it will use the account settings used for bob not bob 576

User names have to be different than user group names 576

Zywall usg series user s guide 576

_ underscores 576

Chapter 35 object 577

Label description 577

The following table describes the labels in this screen 577

Zywall us 577

Zywall usg series user s guide 577

Add continued 578

Chapter 35 object 578

Group add edit screen 578

Label description 578

The following table describes the labels in this screen see section 35 on page 578 for more information as well 578

The group add edit screen allows you to create a new user group or edit an existing one to access this screen go to the group screen see section 35 on page 578 and click either the add icon or an edit icon 578

User group group summary screen 578

Zywall usg series user s guide 578

Chapter 35 object 579

Label description 579

Setting 579

The following table describes the labels in this screen 579

The setting screen controls default settings login settings lockout settings and other user settings for the zywall usg you can also use this screen to specify when users must log in to the zywall usg before it routes traffic for them 579

User group setting screen 579

Zywall usg series user s guide 579

Chapter 35 object 580

Label description 580

Setting 580

The following table describes the labels in this screen 580

Zywall usg series user s guide 580

Chapter 35 object 581

Label description 581

Setting continued 581

Zywall us 581

Zywall usg series user s guide 581

Chapter 35 object 582

Default user authentication timeout settings edit screens 582

Label description 582

Setting continued 582

Setting screen see section 35 on page 579 and click one of the default authentication timeout settings section s edit icons 582

The default authentication timeout settings edit screen allows you to set the default authentication timeout settings for the selected type of user account these default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings you can still manually configure any user account s authentication timeout settings 582

Zywall usg series user s guide 582

Access users cannot use the web configurator to browse the configuration of the zywall usg instead after access users log into the zywall usg the following screen appears 583

Chapter 35 object 583

Figure 384 web configurator for non admin users 583

Label description 583

The following table describes the labels in this screen 583

User aware login example 583

Zywall us 583

Zywall usg series user s guide 583

Chapter 35 object 584

Label description 584

Mac address 584

Mac address to open this screen 584

Note you need to configure an ssid security profile s mac authentication settings to have the ap use the zywall usg s local database to authenticate wireless clients by their mac addresses 584

Table 242 web configurator for non admin users 584

The following table describes the labels in this screen 584

User group mac address summary screen 584

Zywall usg series user s guide 584

Chapter 35 object 585

Label description 585

Mac address add edit screen 585

Mac address continued 585

The following table describes the labels in this screen 585

This screen allows you to create a new allowed device or edit an existing one to access this screen go to the mac address screen see section 35 on page 584 and click either the add icon or an edit icon 585

This section provides some information on users who use an external authentication server in order to log in 585

User group technical reference 585

Zywall usg series user s guide 585

Ap profile overview 586

Creating a large number of ext user accounts 586

Setting up user attributes in an external server 586

What you need to know 586

Wireless profiles 586

Ieee 802 x 587

Radio screen 587

Wpa and wpa2 587

Chapter 35 object 588

Label description 588

Note you can have a maximum of 32 radio profiles on the zywall usg 588

The following table describes the labels in this screen 588

Zywall usg series user s guide 588

Add edit radio profile 589

Add edit radio profile continued 590

Chapter 35 object 590

Label description 590

Note if you change the country code later channel selection is set to manual automatically 590

Zywall usg series user s guide 590

Add edit radio profile continued 591

Chapter 35 object 591

Label description 591

Zywall usg series user s guide 591

Add edit radio profile continued 592

Chapter 35 object 592

Label description 592

Zywall usg series user s guide 592

Note you can have a maximum of 32 ssid profiles on the zywall usg 593

Ssid list 593

Ssid screen 593

Add edit ssid profile 594

Chapter 35 object 594

Label description 594

Ssid list continued 594

The following table describes the labels in this screen 594

This screen allows you to create a new ssid profile or edit an existing one to access this screen click the add button or select an ssid profile from the list and click the edit button 594

Zywall usg series user s guide 594

Add edit ssid profile continued 595

Chapter 35 object 595

Label description 595

Note it is highly recommended that you create security profiles for all of your ssids to enhance your network security 595

Zywall usg series user s guide 595

Add edit ssid profile continued 596

Chapter 35 object 596

Label description 596

Note you can have a maximum of 32 security profiles on the zywall usg 596

Security list 596

The following table describes the labels in this screen 596

This screen allows you to manage wireless security configurations that can be used by your ssids wireless security is implemented strictly between the ap broadcasting the ssid and the stations that are connected to it 596

Zywall usg series user s guide 596

Add edit security profile 597

Note this screen s options change based on the security mode selected only the default screen is displayed here 597

Add edit security profile 598

Chapter 35 object 598

Label description 598

The following table describes the labels in this screen 598

Zywall usg series user s guide 598

Add edit security profile 599

Chapter 35 object 599

Label description 599

Zywall usg series user s guide 599

Chapter 35 object 600

Label description 600

Mac filter list 600

Note you can have a maximum of 32 mac filtering profiles on the zywall usg 600

The following table describes the labels in this screen 600

Zywall usg series user s guide 600

Add edit mac filter profile 601

Chapter 35 object 601

Label description 601

The following table describes the labels in this screen 601

This screen allows you to create a new mac filtering profile or edit an existing one to access this screen click the add button or select a mac filter profile from the list and click the edit button 601

Zywall usg series user s guide 601

Active scan 602

Mon profile 602

Overview 602

Passive scan 602

What you can do in this chapter 602

What you need to know 602

Add edit mon profile 603

Chapter 35 object 603

Label description 603

Mon profile 603

The following table describes the labels in this screen 603

This screen allows you to create a new monitor mode profile or edit an existing one to access this screen click the add button or select and existing monitor mode profile and click the edit button 603

Zywall usg series user s guide 603

Add edit mon profile 604

Chapter 35 object 604

Label description 604

The following table describes the labels in this screen 604

Zywall usg series user s guide 604

Rogue aps 605

Technical reference 605

Application 606

Application categories of applications include at the time of writing 606

Chapter 35 object 606

Figure 400 application categories and associated signatures 606

Friendly aps 606

If you have more than one ap in your wireless network you should also configure a list of friendly aps friendly aps are other wireless access points that are detected in your network as well as any others that you know are not a threat those from recognized networks for example it is recommended that you export save your list of friendly aps often especially if you have a network with a large number of access points 606

Table 256 categories of applications 606

The following table shows the types of categories currently supported a and the associated signatures for each category b 606

Zywall usg series user s guide 606

Application 607

Chapter 35 object 607

Label description 607

The following table describes the labels in this screen 607

Use the application group screen section 35 on page 611 to group application objects as an individual object that can be used in app patrol profiles 607

Use the application screen section on page 607 to create application objects that can be used in app patrol profiles 607

Zywall usg series user s guide 607

Add application rule 608

Application continued 608

Application to create a new application rule in the first screen you type a name to identify this application object and write an optional brief description of it 608

Chapter 35 object 608

Label description 608

The following table describes the labels in this screen 608

You then click add again to choose the signatures that should go into this object 608

Zywall usg series user s guide 608

Add application object by category or service 609

Add application object 610

Add by service 610

Chapter 35 object 610

Label description 610

The following table describes the labels in this screen 610

Zywall usg series user s guide 610

Application group 611

Application group screen 611

Chapter 35 object 611

Label description 611

The following table describes the labels in this screen 611

Zywall usg series user s guide 611

Add application group rule 612

Address overview 612

Address summary screen 613

What you need to know 613

Add edit 614

Address continued 614

Chapter 35 object 614

Ipv4 address add edit screen 614

Ipv4 address add edit screen allows you to create a new address or edit an existing one to access this screen go to the address screen see section 35 on page 613 and click either the add icon or an edit icon in the ipv4 address configuration section 614

Label description 614

Zywall usg series user s guide 614

Add edit 615

Chapter 35 object 615

Ipv6 address add edit screen 615

Ipv6 address add edit screen allows you to create a new address or edit an existing one to access this screen go to the address screen see section 35 on page 613 and click either the add icon or an edit icon in the ipv6 address configuration section 615

Label description 615

Note the zywall usg automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change 1 s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object 615

The following table describes the labels in this screen 615

Zywall usg series user s guide 615

Add edit 616

Address group 616

Address group click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 616

Address group summary screen 616

Chapter 35 object 616

Label description 616

Note the zywall usg automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change 1 s ip address the zywall usg automatically updates the corresponding interface based lan subnet address object 616

The following table describes the labels in this screen 616

Zywall usg series user s guide 616

Address group 617

Address group add edit screen 617

Chapter 35 object 617

Label description 617

The address group add edit screen allows you to create a new address group or edit an existing one to access this screen go to the address group screen see section 35 on page 616 and click either the add icon or an edit icon in the ipv4 address group configuration or ipv6 address group configuration section 617

The following table describes the labels in this screen see section 35 on page 617 for more information as well 617

Zywall usg series user s guide 617

Chapter 35 object 618

Label description 618

Service overview 618

The following table describes the labels in this screen 618

Use service objects to define tcp applications udp applications and icmp messages you can also create service groups to refer to multiple service objects in other features 618

Use the service group screens section 35 on page 619 to view and configure the zywall usg s list of service groups 618

Use the service screens section 35 on page 619 to view and configure the zywall usg s list of services and their definitions 618

Zywall usg series user s guide 618

Ip protocols 619

Service objects and service groups 619

The service summary screen 619

What you need to know 619

The service add edit screen 620

Chapter 35 object 621

Label description 621

Service group 621

The following table describes the labels in this screen 621

The service group summary screen 621

The service group summary screen provides a summary of all service groups in addition this screen allows you to add edit and remove service groups 621

Zywall usg series user s guide 621

Chapter 35 object 622

Label description 622

Service group 622

The following table describes the labels in this screen see section 35 on page 622 for more information as well 622

The service group add edit screen 622

The service group add edit screen allows you to create a new service group or edit an existing one to access this screen go to the service group screen see section 35 on page 621 and click either the add icon or an edit icon 622

Zywall usg series user s guide 622

Note schedules are based on the zywall usg s current date and time 623

One time schedules 623

Recurring schedules 623

Schedule overview 623

What you need to know 623

Chapter 35 object 624

Label description 624

Schedule 624

Schedules always begin and end in the same day recurring schedules are useful for defining the workday and off work hours 624

The following table describes the labels in this screen see section 35 on page 625 and section 35 on page 626 for more information as well 624

The schedule summary screen 624

Zywall usg series user s guide 624

Chapter 35 object 625

Edit one time 625

Label description 625

Schedule continued 625

The following table describes the labels in this screen 625

The one time schedule add edit screen 625

The one time schedule add edit screen allows you to define a one time schedule or edit an existing one to access this screen go to the schedule screen see section 35 on page 624 and click either the add icon or an edit icon in the one time section 625

Zywall usg series user s guide 625

Chapter 35 object 626

Edit one time continued 626

Edit recurring 626

Label description 626

The recurring schedule add edit screen 626

The recurring schedule add edit screen allows you to define a recurring schedule or edit an existing one to access this screen go to the schedule screen see section 35 on page 624 and click either the add icon or an edit icon in the recurring section 626

The year month and day columns are not used in recurring schedules and are disabled in this screen the following table describes the remaining labels in this screen 626

Zywall usg series user s guide 626

Chapter 35 object 627

Configuration 627

Label description 627

Schedule group 627

The following table describes the fields in the above screen 627

The schedule group add edit screen 627

The schedule group add edit screen allows you to define a schedule group or edit an existing one to access this screen go to the schedule screen see and click either the add icon or an edit icon in the schedule group section 627

The schedule group screen 627

Zywall usg series user s guide 627

Aaa server overview 628

Cancel 628

Chapter 35 object 628

Group members 628

Label description 628

Member list 628

The following table describes the fields in the above screen 628

You can use a aaa authentication authorization accounting server to provide access control to your network the aaa server can be a active directory ldap or radius server use the aaa server screens to create and manage objects that contain settings for using aaa servers you use 628

Zywall usg series user s guide 628

Directory service ad ldap 629

Radius server 629

Aaa servers supported by the zywall usg 630

Directory structure 630

What you need to know 630

Active directory or ldap server summary 631

Base dn 631

Bind dn 631

Distinguished name dn 631

Adding an active directory or ldap server 632

O zyxel c u 632

Chapter 35 object 634

Cn zywalladmi 634

Label description 634

O zyxel c u 634

The following table describes the labels in this screen 634

Zywall usg series user s guide 634

Zywalladmi 634

Add continued 635

Chapter 35 object 635

Label description 635

Radius 635

Radius server summary 635

Radius to display the radius screen 635

The following table describes the labels in this screen 635

Use the radius screen to manage the list of radius servers the zywall usg can use in authenticating users 635

Zywall usg series user s guide 635

Adding a radius server 636

Add continued 637

After you set up an authentication method object in the auth method screens you can use it in the vpn gateway screen to authenticate vpn users for establishing a vpn connection refer to the chapter on vpn for more information 637

Auth method overview 637

Auth method screens section 35 0 on page 638 to create and manage authentication method objects 637

Authentication method objects set how the zywall usg authenticates wireless http https clients and peer ipsec routers extended authentication clients configure authentication method objects to have the zywall usg use the local user database and or the authentication servers and authentication server groups specified by aaa server objects by default user accounts created and stored on the zywall usg are authenticated locally 637

Before you begin 637

Chapter 35 object 637

Configure aaa server objects before you configure authentication method objects 637

Example selecting a vpn authentication method 637

Follow the steps below to specify the authentication method for a vpn connection 637

Label description 637

Zywall usg series user s guide 637

Authentication method objects 638

Note you can create up to 16 authentication method objects 638

Creating an authentication method object 639

Note you can not select two server objects of the same type 639

Certificate overview 640

What you need to know 640

Advantages of certificates 641

Factory default certificate 641

Self signed certificates 641

Certificate file formats 642

Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 642

Verifying a certificate 642

The my certificates screen 643

Chapter 35 object 644

Label description 644

My certificates 644

My certificates and then the add icon to open the my certificates add screen use this screen to have the zywall usg create a self signed certificate enroll a certificate with a certification authority or generate a certification request 644

The following table describes the labels in this screen 644

The my certificates add screen 644

Zywall usg series user s guide 644

Chapter 35 object 645

Label description 645

The following table describes the labels in this screen 645

Zywall usg series user s guide 645

Add continued 646

Chapter 35 object 646

If you configured the my certificate create screen to have the zywall usg enroll a certificate and the certificate enrollment is not successful you see a screen with a return button that takes you back to the my certificate create screen click return and check your information in the my certificate create screen make sure that the certification authority information is correct and that your internet connection is working properly if you want the zywall usg to enroll a certificate online 646

Label description 646

Zywall usg series user s guide 646

The my certificates edit screen 647

Chapter 35 object 648

Label description 648

The following table describes the labels in this screen 648

Zywall usg series user s guide 648

Chapter 35 object 649

Edit continued 649

Import to open the my certificate import screen follow the instructions in this screen to save an existing certificate to the zywall usg 649

Label description 649

Note you can import a certificate that matches a corresponding certification request that was generated by the zywall usg you can also import a certificate in pkcs 12 format including the certificate s public and private keys 649

The certificate you import replaces the corresponding request in the my certificates screen 649

The my certificates import screen 649

You must remove any spaces from the certificate s filename before you can import it 649

Zywall usg series user s guide 649

Chapter 35 object 650

Import 650

Label description 650

The following table describes the labels in this screen 650

The trusted certificates screen 650

Trusted certificates 650

Trusted certificates to open the trusted certificates screen this screen displays a summary list of certificates that you have set the zywall usg to accept as trusted the zywall usg also accepts any valid certificate signed by a certificate on this list as being trustworthy thus you do not need to import any certificate that is signed by one of these certificates 650

Zywall usg series user s guide 650

Chapter 35 object 651

Label description 651

The following table describes the labels in this screen 651

The trusted certificates edit screen 651

Trusted certificates 651

Trusted certificates and then a certificate s edit icon to open the trusted certificates edit screen use this screen to view in depth information about the certificate change the certificate s name and set whether or not you want the zywall usg to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority 651

Zywall usg series user s guide 651

Chapter 35 object 653

Label description 653

The following table describes the labels in this screen 653

Zywall usg series user s guide 653

Chapter 35 object 654

Edit continued 654

Import to open the trusted certificates import screen follow the instructions in this screen to save a trusted certificate to the zywall usg 654

Label description 654

Note you must remove any spaces from the certificate s filename before you can import the certificate 654

The trusted certificates import screen 654

Zywall usg series user s guide 654

Certificates technical reference 655

Isp account overview 655

Isp account edit 656

Isp account summary 656

Chapter 35 object 657

Label description 657

The following table describes the labels in this screen 657

Zywall usg series user s guide 657

A web based application allows remote users to access an intranet site using standard web browsers 658

Application types 658

Chapter 35 object 658

Edit continued 658

Label description 658

Ssl application overview 658

Ssl vpn screen for a user account user group 658

Use the ssl application edit screen to create or edit web based application objects to allow remote users to access an application via standard web browsers section 35 3 on page 661 658

Use the ssl application screen section 35 3 on page 660 to view the zywall usg s configured ssl application objects 658

Web based 658

What you need to know 658

You can also use the ssl application edit screen to specify the name of a folder on a linux or windows file server which remote users can access using a standard web browser section 35 3 on page 661 658

You can configure the following ssl application on the zywall usg 658

Zywall usg series user s guide 658

Example specifying a web site for access 659

Remote desktop connections 659

Remote user screen links 659

Weblinks 659

The ssl application screen 660

Creating editing an ssl application object 661

Note if you are creating a file sharing ssl application you must also configure the shared folder on the file server for remote access refer to the document that comes with your file server 661

Add edit file sharing 662

Add edit web application file sharing 662

Chapter 35 object 662

Label description 662

Note you must enter the http or https prefix 662

The following table describes the labels in this screen 662

Zywall usg series user s guide 662

Add edit web application file sharing 663

Chapter 35 object 663

Dhcpv6 overview 663

Label description 663

The lease screen see section 35 on page 578 allows you to configure dhcpv6 lease type objects 663

The request screen see section 35 4 on page 664 allows you to configure dhcpv6 request type objects 663

This section describes how to configure dhcpv6 request type and lease type objects 663

Zywall usg series user s guide 663

Dhcpv6 request add edit screen 664

The dhcpv6 request screen 664

Chapter 35 object 665

Dhcpv6 lease add edit screen 665

Label description 665

The dhcpv6 lease screen 665

The following table describes the labels in this screen 665

The lease add edit screen allows you to create a new lease object or edit an existing one 665

To access this screen go to the lease screen see section 35 4 on page 665 and click either the add icon or an edit icon 665

Zywall usg series user s guide 665

Chapter 35 object 666

Label description 666

The following table describes the labels in this screen 666

Zywall usg series user s guide 666

Overview 667

System 667

What you can do in this chapter 667

Host name 668

Note only connect one usb device it must allow writing it cannot be read only and use the fat16 fat32 ext2 or ext3 file system 668

Note see each section for related background information and term definitions 668

Usb storage 668

Chapter 36 system 669

Date and time 669

Date time the screen displays as shown you can manually set the zywall usg s time and date or have the zywall usg get the date and time from a time server 669

For effective scheduling and logging the zywall usg system time must be accurate the zywall usg s real time chip rtc keeps track of the time and date there is also a software mechanism to set the time manually or get the current time and date from an external server 669

Label description 669

The following table describes the labels in this screen 669

Usb storage 669

Zywall usg series user s guide 669

Chapter 36 system 670

Date and time 670

Label description 670

The following table describes the labels in this screen 670

Zywall usg series user s guide 670

Chapter 36 system 671

Date and time continued 671

Label description 671

Zywall usg series user s guide 671

Pre defined ntp time servers list 672

Time server synchronization 672

Console port speed 673

Configuring the dns screen 674

Dns overview 674

Dns server address assignment 674

Chapter 36 system 675

Label description 675

The following table describes the labels in this screen 675

Zywall usg series user s guide 675

Chapter 36 system 676

Dns continued 676

Label description 676

Zywall usg series user s guide 676

Chapter 36 system 677

Dns continued 677

Label description 677

Zywall usg series user s guide 677

Adding an address ptr record 678

Address record 678

Ptr record 678

Adding a cname record 679

Cname record 679

Domain zone forwarder 679

Label description 679

Adding a domain zone forwarder 680

Chapter 36 system 680

Click the add icon in the domain zone forwarder table to add a domain zone forwarder record 680

Domain zone forwarder add 680

Fully qualified domain name without the host for example zyxel com tw is the domain zone for the www zyxel com tw fully qualified domain name 680

Label description 680

The following table describes the labels in this screen 680

Zywall usg series user s guide 680

0 mx record 681

1 adding a mx record 681

2 security option control 681

3 editing a security option control 681

4 adding a dns service control rule 682

Chapter 36 system 682

Click the add icon in the service control table to add a service control rule 682

Label description 682

Security option control edit customize 682

The following table describes the labels in this screen 682

Zywall usg series user s guide 682

A service cannot be used to access the zywall usg when 683

Chapter 36 system 683

Label description 683

Note to allow the zywall usg to be accessed from a specified computer using a service make sure you do not have a service control rule or to zywall usg security policy rule to block that traffic 683

Service access limitations 683

Service control rule add 683

The allowed ip address address object in the service control table does not match the client ip address the zywall usg disallows the session 683

The following figure shows secure and insecure management of the zywall usg coming in from the wan https and ssh access are secure http and telnet access are not secure 683

The following table describes the labels in this screen 683

To stop a service from accessing the zywall usg clear enable in the corresponding service screen 683

Www overview 683

You have disabled that service in the corresponding screen 683

Zywall usg series user s guide 683

System timeout 684

Configuring www service control 685

Chapter 36 system 686

Label description 686

Service control 686

The following table describes the labels in this screen 686

Zywall usg series user s guide 686

Chapter 36 system 687

Label description 687

Service control continued 687

Zywall usg series user s guide 687

Chapter 36 system 688

Click add or edit in the service control table in a www ssh telnet ftp or snmp screen to add a service control rule 688

Label description 688

Service control continued 688

Service control rules 688

Zywall usg series user s guide 688

Chapter 36 system 689

Customizing the www login page 689

Label description 689

Login page to open the login page screen use this screen to customize the web configurator login screen you can also customize the page that displays after an access user logs into the web configurator to access network services like the internet 689

The following table describes the labels in this screen 689

Zywall usg series user s guide 689

Chapter 36 system 692

Enter a pound sign followed by the six digit hexadecimal number that represents the desired color for example use 000000 for black 692

Enter rgb followed by red green and blue values in parenthesis and separate by commas for example use rgb 0 0 0 for black 692

Label description 692

Login page 692

Note use a gif jpg or png of 100 kilobytes or less 692

The following table describes the labels in the screen 692

Your desired color should display in the preview screen on the right after you click in another field click apply or press enter if your desired color does not display your browser may not support it try selecting another color 692

Zywall usg series user s guide 692

Https example 693

Internet explorer warning messages 693

Mozilla firefox warning messages 693

Avoiding browser warning messages 694

Login screen 694

Enrolling and importing ssl client certificates 695

Installing the ca s certificate 695

Installing your personal certificate s 696

Using a certificate when accessing the zywall usg example 699

How ssh works 701

Chapter 36 system 702

Configuring ssh 702

Label description 702

Requirements for using ssh 702

Ssh implementation on the zywall usg 702

Ssh to change your zywall usg s secure shell settings use this screen to specify from which zones ssh can be used to manage the zywall usg you can also specify from which ip addresses the access can come 702

The following table describes the labels in this screen 702

You must install an ssh client program on a client computer windows or linux operating system that is used to connect to the zywall usg over ssh 702

Your zywall usg supports ssh versions 1 and 2 using rsa authentication and four encryption methods aes 3des archfour and blowfish the ssh server is implemented on the zywall usg for management using port 22 by default 702

Zywall usg series user s guide 702

A window displays prompting you to store the host key in you computer click yes to continue 703

Chapter 36 system 703

Configure the ssh client to accept connection using ssh version 1 703

Enter the password to log in to the zywall usg the cli screen displays next 703

Example 1 microsoft windows 703

Figure 487 ssh example 1 store host key 703

Label description 703

Launch the ssh client and specify the connection information ip address port number for the zywall usg 703

Secure telnet using ssh examples 703

Ssh continued 703

This section describes how to access the zywall usg using the secure shell client program 703

This section shows two examples using a command interface and a graphical interface ssh client program to remotely access the zywall usg the configuration and connection steps are similar for most ssh client programs refer to your ssh client program user s guide 703

Zywall usg series user s guide 703

Configuring telnet 704

Example 2 linux 704

Telnet 704

Chapter 36 system 705

Label description 705

Telnet 705

The following table describes the labels in this screen 705

Zywall usg series user s guide 705

Chapter 36 system 706

Configuring ftp 706

Ftp tab the screen appears as shown use this screen to specify from which zones ftp can be used to access the zywall usg you can also specify from which ip addresses the access can come 706

Label description 706

The following table describes the labels in this screen 706

You can upload and download the zywall usg s firmware and configuration files using ftp to use this feature your computer must have an ftp client 706

Zywall usg series user s guide 706

Chapter 36 system 707

Ftp continued 707

Label description 707

Simple network management protocol is a protocol used for exchanging management information between network devices your zywall usg supports snmp agent functionality which allows a manager station to manage and monitor the zywall usg through the network the zywall usg supports snmp version one snmpv1 version two snmpv2c and version 3 snmpv3 the next figure illustrates an snmp management operation 707

Zywall usg series user s guide 707

Snmpv3 and security 708

Chapter 36 system 709

Configuring snmp 709

Object label object id description 709

Security can be further enhanced by encrypting the snmp messages sent from the managers encryption protects the contents of the snmp messages when the contents of the snmp messages are encrypted only the intended recipients can read them 709

Snmp tab the screen appears as shown use this screen to configure your snmp settings including from which zones snmp can be used to access the zywall usg you can also specify from which ip addresses the access can come 709

Snmp traps 709

Supported mibs 709

Table 315 snmp traps 709

The zywall usg supports mib ii that is defined in rfc 1213 and rfc 1215 the zywall usg also supports private mibs zywall mib and zyxel zywall zld common mib to collect information about cpu and memory usage and vpn total throughput the focus of the mibs is to let administrators collect statistical data and monitor status and performance you can download the zywall usg s mibs from www zyxel com 709

The zywall usg will send traps to the snmp manager when any one of the following events occurs 709

Zywall usg series user s guide 709

Chapter 36 system 710

Label description 710

Note your login password must consist of at least 8 printable characters for snmpv3 an error message will display if your login password has fewer characters 710

The following table describes the labels in this screen 710

Zywall usg series user s guide 710

Chapter 36 system 711

Label description 711

Snmp continued 711

Zywall usg series user s guide 711

Auth server 712

Auth server tab the screen appears as shown use this screen to enable the authentication server feature of the zywall usg and specify the radius client s ip address 712

Authentication server 712

Chapter 36 system 712

Label description 712

The following table describes the labels in this screen 712

Zywall usg series user s guide 712

Add edit 713

Add edit trusted radius client 713

Auth server continued 713

Auth server to display the auth server screen click the add icon or an edit icon to display the following screen use this screen to create a new entry or edit an existing one 713

Chapter 36 system 713

Label description 713

The following table describes the labels in this screen 713

Zywall usg series user s guide 713

Cloudcnm screen 714

Chapter 36 system 715

Cloudcnm 715

Cloudcnm to allow the zywall usg to find the cloudcnm server 715

Label description 715

Perform site to site hub spoke fully meshed and remote access vpn provisioning 715

The following table describes the labels in this screen 715

The zywall usg must be able to communicate with the cloudcnm server 715

To allow cloudcnm management of your zywall usg 715

You must have a cloudcnm license with cnm id number or a cloudcnm url identifying the server 715

Zywall usg series user s guide 715

Chapter 36 system 716

Cloudcnm continued 716

Ipv6 screen 716

Ipv6 to open the following screen use this screen to enable ipv6 support for the zywall usg s web configurator screens 716

Label description 716

Language 716

Language screen 716

Language to open the following screen use this screen to select a display language for the zywall usg s web configurator screens 716

Note see the cloudcnm user guide for more information on cloudcnm 716

The following table describes the labels in this screen 716

Zywall usg series user s guide 716

Chapter 36 system 717

Figure 500 zon utility screen 717

Icon description 717

In the zon utility select a device and then use the icons to perform actions the following table describes the icons numbered from left to right in the zon utility screen 717

Label description 717

Table 322 zon utility icons 717

The following figure shows the zon utility screen 717

The following table describes the labels in this screen 717

The zon utility issues requests via zdp and in response to the query the zyxel device responds with basic information including ip address firmware version location system and model name the information is then displayed in the zon utility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it you can download the zon utility at www zyxel com and install it on a computer 717

The zyxel one network zon utility uses the zyxel discovery protocol zdp for discovering and configuring zdp aware zyxel devices in the same broadcast domain as the computer on which zon is installed 717

Zywall usg series user s guide 717

Zyxel one network zon utility 717

Chapter 36 system 718

Ethernet neighbor for information on using smart connect link layer discovery protocol lldp for discovering and configuring lldp aware devices in the same broadcast domain as the zywall usg that you re logged into using the web configurator 718

Icon description 718

Label description 718

Table 322 zon utility icons 718

Table 323 zon utility fields 718

The following table describes the fields in the zon utility main screen 718

Zon screen 718

Zywall usg series user s guide 718

Zyxel one network zon system screen 718

Chapter 36 system 719

Label description 719

The following table describes the labels in this screen 719

Zywall usg series user s guide 719

Email daily report 720

Log and report 720

Overview 720

What you can do in this chapter 720

Chapter 37 log and report 722

Email daily report 722

Label description 722

Log screen use the e mail profiles to mail log messages 722

Log setting screens 722

The following table describes the labels in this screen 722

The log setting screens control log messages and alerts a log message stores the information for viewing or regular e mailing later and an alert is e mailed immediately usually alerts are used for events that require more serious attention such as system errors and attacks 722

Zywall usg series user s guide 722

Log setting summary 723

Chapter 37 log and report 724

Edit system log settings 724

Label description 724

Log setting continued 724

The log settings edit screen controls the detailed settings for each log in the system log which includes the e mail profiles go to the log settings summary screen see section 37 on page 723 and click the system log edit icon 724

Zywall usg series user s guide 724

Chapter 37 log and report 727

Edit system log 727

Edit system log ap 727

Label description 727

The following table describes the labels in this screen 727

Zywall usg series user s guide 727

Chapter 37 log and report 728

Edit system log continued 728

Label description 728

Zywall usg series user s guide 728

Chapter 37 log and report 729

Edit log on usb storage setting 729

Edit system log continued 729

Label description 729

The edit log on usb storage setting screen controls the detailed settings for saving logs to a connected usb storage device go to the log setting summary screen see section 37 on page 723 and click the usb storage edit icon 729

Zywall usg series user s guide 729

Chapter 37 log and report 731

Edit remote server log settings 731

Edit usb storage 731

Label description 731

The following table describes the labels in this screen 731

The log settings edit screen controls the detailed settings for each log in the remote server syslog go to the log settings summary screen see section 37 on page 723 and click a remote server edit icon 731

Zywall usg series user s guide 731

Chapter 37 log and report 733

Edit remote server 733

Edit remote server ap 733

Label description 733

The following table describes the labels in this screen 733

Zywall usg series user s guide 733

Chapter 37 log and report 734

Edit remote server continued 734

Label description 734

Log category settings screen 734

The log category settings screen allows you to view and to edit what information is included in the system log usb storage e mail profiles and remote servers at the same time it does not let you change other log settings for example where and how often log information is e mailed or remote server names to access this screen go to the log settings summary screen see section 37 on page 723 and click the log category settings button 734

Zywall usg series user s guide 734

Chapter 37 log and report 737

Label description 737

Log category settings 737

The following table describes the fields in this screen 737

Zywall usg series user s guide 737

Chapter 37 log and report 738

Label description 738

Log category settings continued 738

Zywall usg series user s guide 738

File manager 739

Overview 739

What you can do in this chapter 739

What you need to know 739

Comments in configuration files or shell scripts 740

Note exit or must follow sub commands if it is to make the zywall usg exit sub command mode 740

Errors in configuration files or shell scripts 741

The configuration file screen 741

Configuration file flow at restart 742

Do not turn off the zywall usg while configuration file upload is in progress 742

Chapter 38 file manager 743

Configuration file 743

Label description 743

Rename 743

The following table describes the labels in this screen 743

Zywall usg series user s guide 743

Chapter 38 file manager 744

Configuration file continued 744

Label description 744

Zywall usg series user s guide 744

Chapter 38 file manager 745

Configuration file continued 745

Find the firmware package at www zyxel com in a file that usually uses the system model name with a bin extension for example zywall bin 745

Firmware package to open the firmware package screen use the firmware package screen to check your current firmware version and upload firmware to the zywall usg you can upload firmware to be the running firmware or standby firmware 745

Label description 745

Note the web configurator is the recommended method for uploading firmware you only need to use the command line interface if you need to recover the firmware see the cli reference guide for how to determine if you need to recover the firmware and how to recover it 745

The firmware package screen 745

The zywall usg s firmware package cannot go through the zywall usg when you enable the anti virus destroy compressed files that could not be decompressed option the zywall usg classifies the firmware package as not being able to be decompressed and deletes it you can upload the firmware package to the zywall usg with the option enabled so you only need to clear 745

Zywall usg series user s guide 745

Chapter 38 file manager 746

Firmware package 746

Label description 746

The destroy compressed files that could not be decompressed option while you download the firmware package see section 31 on page 522 for more on the anti virus destroy compressed files that could not be decompressed option 746

The firmware update can take up to five minutes do not turn off or reset the zywall usg while the firmware update is in progress 746

The following table describes the labels in this screen 746

Zywall usg series user s guide 746

After five minutes log in again and check your new firmware version in the dashboard screen 747

After you see the firmware upload in process screen wait a few minutes before logging into the zywall usg again 747

Chapter 38 file manager 747

Figure 517 firmware upload in process 747

Figure 518 network 747

Figure 519 firmware upload error 747

Firmware package continued 747

If the upload was not successful the following message appears in the status bar at the bottom of the screen 747

Label description 747

Note the zywall usg automatically reboots after a successful upload 747

The zywall usg automatically restarts causing a temporary network disconnect in some operating systems you may see the following icon on your desktop 747

Zywall usg series user s guide 747

Chapter 38 file manager 748

Each field is described in the following table 748

Label description 748

Note you should include write commands in your scripts if you do not use the write command the changes will be lost when the zywall usg restarts you could use multiple write commands in a long script 748

Rename 748

Shell script 748

Shell script to open the shell script screen use the shell script screen to store name download upload and run shell script files you can store multiple shell script files on the zywall usg at the same time 748

The shell script screen 748

Use shell script files to have the zywall usg use commands that you specify use a text editor to create the shell script files they must use a zysh filename extension 748

Zywall usg series user s guide 748

Chapter 38 file manager 749

Label description 749

Shell script continued 749

Zywall usg series user s guide 749

Diagnostics 750

Overview 750

The diagnostic screen 750

What you can do in this chapter 750

Chapter 39 diagnostics 751

Diagnostics 751

Files to open the diagnostic files screen this screen lists the files of diagnostic information the zywall usg has collected and stored in a connected usb storage device you may need to send these files to customer support for troubleshooting 751

Label description 751

The diagnostics files screen 751

The following table describes the labels in this screen 751

Zywall usg series user s guide 751

Note new capture files overwrite existing files of the same name change the file suffix field s setting to avoid this 752

The packet capture screen 752

Chapter 39 diagnostics 753

Label description 753

Note if you have existing capture files and have not selected the continuously capture and overwrite old ones option you may need to set this size larger or delete existing capture files 753

Note the zywall usg reserves some onboard storage space as a buffer 753

Note the zywall usg reserves some usb storage space as a buffer 753

Packet capture 753

The following table describes the labels in this screen 753

Zywall usg series user s guide 753

Chapter 39 diagnostics 754

Files to open the packet capture files screen this screen lists the files of packet captures stored on the zywall usg or a connected usb storage device you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 754

Label description 754

Packet capture continued 754

The packet capture files screen 754

Zywall usg series user s guide 754

Chapter 39 diagnostics 755

Label description 755

System log 755

System log to open the system log files screen this screen lists the files of system logs stored on a connected usb storage device the files are in comma separated value csv format you can download them to your computer and open them in a tool like microsoft s excel 755

The following table describes the labels in this screen 755

The system log screen 755

Zywall usg series user s guide 755

Chapter 39 diagnostics 756

Label description 756

Network tool 756

Network tool to display this screen 756

The following table describes the labels in this screen 756

The network tool screen 756

Use this screen to ping or traceroute an ip address 756

Zywall usg series user s guide 756

Capture 757

Chapter 39 diagnostics 757

Label description 757

Note new capture files overwrite existing files of the same name change the file prefix field s setting to avoid this 757

The following table describes the labels in this screen 757

The wireless frame capture screen 757

Use this screen to capture wireless network traffic going through the ap interfaces connected to your zywall usg studying these frame captures may help you identify network problems 757

Wireless frame capture to display this screen 757

Zywall usg series user s guide 757

Capture continued 758

Chapter 39 diagnostics 758

Files to open this screen this screen lists the files of wireless frame captures the zywall usg has performed you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 758

Label description 758

Note if you have existing capture files you may need to set this size larger or delete existing capture files 758

The wireless frame capture files screen 758

Zywall usg series user s guide 758

Chapter 39 diagnostics 759

Label description 759

The following table describes the labels in this screen 759

Zywall usg series user s guide 759

Overview 760

Packet flow explore 760

The routing status screen 760

What you can do in this chapter 760

Chapter 40 packet flow explore 764

Label description 764

Routing status 764

The following table describes the labels in this screen 764

Zywall usg series user s guide 764

Chapter 40 packet flow explore 765

Label description 765

Note once a packet matches the criteria of an snat rule the zywall usg takes the corresponding action and does not perform any further flow checking 765

Routing status continued 765

Snat status 765

Snat status policy route snat 765

The order of the snat flow may vary depending on whether you 765

The snat status screen 765

Trunk screen 765

Use policy routes to control 1 1 nat by using the policy control virtual server rules activate command 765

Zywall usg series user s guide 765

Chapter 40 packet flow explore 766

Label description 766

Snat status 766

Snat status 1 1 snat 766

Snat status default snat 766

Snat status loopback snat 766

The following table describes the labels in this screen 766

Zywall usg series user s guide 766

Chapter 40 packet flow explore 767

Label description 767

Snat status continued 767

Zywall usg series user s guide 767

Overview 768

Shutdown 768

The shutdown screen 768

What you need to know 768

Troubleshooting 769

I cannot update the anti virus signatures 770

I cannot update the idp application patrol signatures 770

I configured security settings but the zywall usg is not applying them for certain interfaces 770

I downloaded updated anti virus or idp application patrol signatures why has the zywall usg not re booted yet 770

The content filter category service is not working 770

The zywall usg is not applying the custom policy route i configured 770

I cannot enter the interface name i want 771

I cannot set up a ppp interface 771

I cannot set up a ppp interface virtual ethernet interface or virtual vlan interface on an ethernet interface 771

My rules and settings that apply to a particular interface no longer work 771

The zywall usg is not applying the custom security policy i configured 771

Hackers have accessed my wep encrypted wireless lan 772

I cannot configure a particular vlan interface on top of an ethernet interface even though i have it configured it on top of another ethernet interface 772

I created a cellular interface but cannot connect through it 772

The data rates through my cellular connection are no where near the rates i expected 772

The wireless security is not following the re authentication timer setting i specified 772

The zywall usg is not applying an interface s configured ingress bandwidth limit 772

The zywall usg is deleting some zipped files 773

The zywall usg is not applying my application patrol bandwidth management settings 773

The zywall usg is not scanning some zipped files 773

The zywall usg s anti virus scanner cleaned an infected file but now i cannot use the file 773

The zywall usg s performance seems slower after configuring idp 773

The zywall usg s performance slowed down after i configured many new application patrol entries 773

I cannot configure some items in idp that i can configure in snort 774

I uploaded a custom signature file and now all of my earlier custom signatures are gone 774

Idp is dropping traffic that matches a rule that says no action should be taken 774

The zywall usg routes and applies snat for traffic from some interfaces but not from others 774

The zywall usg s performance seems slower after configuring adp 774

I cannot create a second http redirect rule for an incoming interface 775

I cannot get dynamic dns to work 775

I cannot get the application patrol to manage ftp traffic 775

I cannot get the application patrol to manage h 23 traffic 775

I cannot get the application patrol to manage sip traffic 775

The zywall usg keeps resetting the connection 775

I cannot set up an ipsec vpn tunnel to another device 776

I cannot download the zywall usg s firmware package 777

I logged into the ssl vpn but cannot see some of the resource links 777

I uploaded a logo to show in the ssl vpn user screens but it does not display properly 777

The vpn connection is up but vpn traffic cannot be transmitted through the vpn tunnel 777

I cannot add the admin users to a user group with access users 778

I cannot get the radius server to authenticate the zywall usg s default admin account 778

I changed the lan ip address and can no longer access the internet 778

I configured application patrol to allow and manage access to a specific service but access is blocked 778

I configured policy routes to manage the bandwidth of tcp and udp traffic but the bandwidth management is not being applied properly 778

The zywall usg fails to authentication the ext user user accounts i configured 778

I cannot access the zywall usg from a computer connected to the internet 779

I cannot add the default admin account to a user group 779

I cannot get a certificate to import into the zywall usg 779

Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 779

The schedule i configured is not being applied at the configured times 779

I can only see newer logs older logs are missing 780

I cannot get the firmware uploaded using the commands 780

I uploaded a logo to display on the upper left corner of the web configurator login screen and access page but it does not display properly 780

I uploaded a logo to use as the screen or window background but it does not display properly 780

Note exit or must follow sub commands if it is to make the zywall usg exit sub command mode 780

The commands in my configuration file or shell script are not working properly 780

The zywall usg s traffic throughput rate decreased after i started collecting traffic statistics 780

My earlier packet capture files are missing 781

My packet capture captured less than i wanted or failed 781

Note this procedure removes the current configuration 781

Resetting the zywall usg 781

Getting more troubleshooting help 782

Customer support 783

Ppendi 783

Austria 784

Europe 784

Malaysia 784

Pakistan 784

Philipines 784

Singapore 784

Taiwan 784

Thailand 784

Vietnam 784

Belarus 785

Belgium 785

Bulgaria 785

Denmark 785

Estonia 785

Finland 785

France 785

Germany 785

Hungary 785

Latvia 785

Lithuania 786

Netherlands 786

Norway 786

Poland 786

Romania 786

Russia 786

Slovakia 786

Sweden 786

Switzerland 786

Argentina 787

Ecuador 787

Latin america 787

Middle east 787

North america 787

Turkey 787

Ukraine 787

Africa 788

Australia 788

Oceania 788

South africa 788

Legal information 789

Ppendi 789

Appendix b legal information 790

Ce emc statement 790

List of national codes 790

Safety warnings 790

Zywall usg series user s guide 790

Appendix b legal information 791

Environment statment 791

European union disposal and recycling information 791

Zywall usg series user s guide 791

Environmental product declaration 792

Appendix b legal information 793

Open source licenses 793

Registration 793

Trademarks 793

Viewing certifications 793

Zywall usg series user s guide 793

Zyxel limited warranty 793

台灣 793

警告使用者這是甲類的資訊產品在居住的環境中使用時可能會造成射頻干擾在這種情況下使用者會被要求採取某些適當的對策 793

Antenna information 794

Appendix b legal information 794

Canada 794

Fcc emc statement 794

Fcc radiation exposure statement 794

Industry canada ices statement 794

Industry canada rss gen rss 247 statement 794

Model list usg40 usg40w usg60 usg60w 794

Regulatory notice and statement class b 794

United states of america 794

Zywall usg series user s guide 794

Appendix b legal information 795

Declaration of conformity with regard to eu directive 1999 5 ec r tte directive 795

Déclaration d exposition aux radiations 795

European union 795

Industry canada radiation exposure statement 795

Informations antenne for external antenna 795

Zywall usg series user s guide 795

Appendix b legal information 796

National restrictions 796

Zywall usg series user s guide 796

Appendix b legal information 797

List of national codes 797

Safety warnings 797

Zywall usg series user s guide 797

Appendix b legal information 798

Environment statement 798

Erp energy related products 798

European union disposal and recycling information 798

Zywall usg series user s guide 798

Appendix b legal information 800

Viewing certifications 800

Zywall usg series user s guide 800

Zyxel limited warranty 800

台灣 800

Appendix b legal information 801

Open source licenses 801

Registration 801

Zywall usg series user s guide 801

Ppendi 802

Product features 802

Appendix c product features 803

Model name 803

Table 345 product features 803

Zywall usg series user s guide 803

Appendix c product features 804

Model name 804

Table 345 product features 804

Zywall usg series user s guide 804

Appendix c product features 805

Model name 805

Table 345 product features 805

Zywall usg series user s guide 805

Appendix c product features 806

Model name 806

Table 345 product features 806

Zywall usg series user s guide 806

Appendix c product features 807

Model name 807

Table 345 product features 807

Zywall usg series user s guide 807

Appendix c product features 808

Model name 808

Table 345 product features 808

Zywall usg series user s guide 808

Numbers 809

Symbols 809

Zyxel ZyWALL 1100 [382/829] Security policy example applications

Содержание

Похожие устройства