ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual Download Page 646

Page: 646 / 1156

Chapter 35 ADP

ZyWALL USG 300 User’s Guide

646

DOUBLE-ENCODING

ATTACK

This rule is IIS specific. IIS does two passes through the

request URI, doing decodes in each one. In the first pass,

IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is

done. In the second pass ASCII, bare byte, and %u

encodings are done.

IIS-BACKSLASH-

EVASION ATTACK

This is an IIS emulation rule that normalizes backslashes to

slashes. Therefore, a request-URI of “/abc\xyz” gets

normalized to “/abc/xyz”.

IIS-UNICODE-

CODEPOINT-ENCODING

ATTACK

This rule can detect attacks which send attack strings

containing non-ASCII characters encoded by IIS Unicode.

IIS Unicode encoding references the unicode.map file.

Attackers may use this method to bypass system

parameter checks in order to get information or privileges

from a web server.

MULTI-SLASH-

ENCODING ATTACK

This rule normalizes multiple slashes in a row, so something

like: “abc/////////xyz” get normalized to “abc/xyz”.

NON-RFC-DEFINED-

CHAR ATTACK

This rule lets you receive a log or alert if certain non-RFC

characters are used in a request URI. For instance, you may

want to know if there are NULL bytes in the request-URI.

NON-RFC-HTTP-

DELIMITER ATTACK

This is when a newline “\n” character is detected as a

delimiter. This is non-standard but is accepted by both

Apache and IIS web servers.

OVERSIZE-CHUNK-

ENCODING ATTACK

This rule is an anomaly detector for abnormally large chunk

sizes. This picks up the apache chunk encoding exploits and

may also be triggered on HTTP tunneling that uses chunk

encoding.

OVERSIZE-REQUEST-

URI-DIRECTORY ATTACK

This rule takes a non-zero positive integer as an argument.

The argument specifies the max character directory length

for URL directory. If a URL directory is larger than this

argument size, an alert is generated. A good argument

value is 300 characters. This should limit the alerts to IDS

evasion type attacks, like whisker.

SELF-DIRECTORY-

TRAVERSAL ATTACK

This rule normalizes self-referential directories. So, “/abc/./

xyz” gets normalized to “/abc/xyz”.

U-ENCODING ATTACK

This rule emulates the IIS %u encoding scheme. The %u

encoding scheme starts with a %u followed by 4

characters, like %uXXXX. The XXXX is a hex encoded value

that correlates to an IIS unicode codepoint. This is an ASCII

value. An ASCII character is encoded like, %u002f = /,

%u002e = ., etc.

UTF-8-ENCODING

ATTACK

The UTF-8 decode rule decodes standard UTF-8 unicode

sequences that are in the URI. This abides by the unicode

standard and only uses % encoding. Apache uses this

standard, so for any Apache servers, make sure you have

this option turned on. When this rule is enabled, ASCII

decoding is also enabled to enforce correct functioning.

Table 176

HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL

DESCRIPTION

Summary of Contents for Unified Security Gateway ZyWALL 300

Page 1: ... com ZyWALL USG 300 Unified Security Gateway Copyright 2011 ZyXEL Communications Corporation Firmware Version 2 20 Edition 4 4 2011 Default Login Details LAN Port P1 IP Address https 192 168 1 1 User Name admin Password 1234 ...

Page 2: ......

Page 3: ...ssential terms used in the ZyWALL what prerequisites are needed to configure a feature and how to use that feature It is highly recommended you read Chapter 7 on page 117 for ZyWALL application examples Subsequent chapters are arranged by menu item as defined in the Web Configurator Read each chapter carefully for detailed information on that menu item To find specific information in this guide us...

Page 4: ...tion from this link Read the Tech Doc Overview to find out how to efficiently use the User Guide Quick Start Guide and Command Line Interface Reference Guide in order to better understand how to use your product Knowledge Base If you have a specific question about your product the answer may be here This is a collection of answers to previously asked questions about ZyXEL products Forum This conta...

Page 5: ...l number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Disclaimer Graphics in this book may differ slightly from the product due to differences in operating systems operating system versions or if you installed updated firmware software for your device Every effort has been made to ensure that the information in this man...

Page 6: ... key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first click...

Page 7: ...User s Guide 7 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyWALL icon is not an exact representation of your device ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ...

Page 8: ...d and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the power adaptor or cord is damaged remove it from the device and the power source Do NOT attempt to repair the power adaptor or cord Contact your local vendor to order a new one Do not use the device outside and make su...

Page 9: ...ical Reference 221 Dashboard 223 Monitor 237 Registration 281 Signature Update 289 Interfaces 295 Trunks 369 Policy and Static Routes 379 Routing Protocols 395 Zones 409 DDNS 413 NAT 419 HTTP Redirect 429 ALG 433 IP MAC Binding 441 Authentication Policy 447 Firewall 455 IPSec VPN 473 SSL VPN 513 SSL User Screens 525 SSL User Application Screens 535 SSL User File Sharing 537 ZyWALL SecuExtender 545...

Page 10: ...ser Group 723 Addresses 739 Services 745 Schedules 751 AAA Server 757 Authentication Method 767 Certificates 773 ISP Accounts 795 SSL Application 799 Endpoint Security 807 System 815 Log and Report 867 File Manager 887 Diagnostics 899 Packet Flow Explore 909 Reboot 917 Shutdown 919 Troubleshooting 921 Product Specifications 941 ...

Page 11: ...ounted Installation Procedure 34 1 3 Front Panel 35 1 3 1 Front Panel LEDs 35 1 4 Management Overview 35 1 5 Starting and Stopping the ZyWALL 37 Chapter 2 Features and Applications 39 2 1 Features 39 2 2 Applications 41 2 2 1 VPN Connectivity 42 2 2 2 SSL VPN Network Access 42 2 2 3 User Aware Access Control 44 2 2 4 Multiple WAN Interfaces 44 2 2 5 Device HA 45 Chapter 3 Web Configurator 47 3 1 W...

Page 12: ...2 1 Choose an Ethernet Interface 76 5 2 2 Select WAN Type 76 5 2 3 Configure WAN Settings 77 5 2 4 WAN and ISP Connection Settings 78 5 2 5 Quick Setup Interface Wizard Summary 80 5 3 VPN Quick Setup 81 5 4 VPN Setup Wizard Wizard Type 82 5 5 VPN Express Wizard Scenario 83 5 5 1 VPN Express Wizard Configuration 84 5 5 2 VPN Express Wizard Summary 85 5 5 3 VPN Express Wizard Finish 86 5 5 4 VPN Adv...

Page 13: ... DDNS 105 6 5 10 NAT 105 6 5 11 HTTP Redirect 106 6 5 12 ALG 107 6 5 13 Auth Policy 107 6 5 14 Firewall 107 6 5 15 IPSec VPN 108 6 5 16 SSL VPN 108 6 5 17 L2TP VPN 109 6 5 18 Application Patrol 109 6 5 19 Anti Virus 110 6 5 20 IDP 110 6 5 21 ADP 110 6 5 22 Content Filter 110 6 5 23 Anti Spam 111 6 5 24 Device HA 111 6 6 Objects 112 6 6 1 User Group 112 6 7 System 113 6 7 1 DNS WWW SSH TELNET FTP S...

Page 14: ...cies With Bandwidth Restrictions 150 7 7 5 Set Up MSN Policies 153 7 7 6 Set Up Firewall Rules 154 7 8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups 155 7 9 How to Use Endpoint Security and Authentication Policies 157 7 9 1 Configure the Endpoint Security Objects 157 7 9 2 Configure the Authentication Policy 159 7 10 How to Configure Service Control 160 7 10 1 Allow HTTP...

Page 15: ... the L2TP VPN Settings Example 188 8 5 Configuring L2TP VPN in Windows Vista XP or 2000 189 8 5 1 Configuring L2TP in Windows Vista 189 8 5 2 Configuring L2TP in Windows XP 199 8 5 3 Configuring L2TP in Windows 2000 205 Part II Technical Reference 221 Chapter 9 Dashboard 223 9 1 Overview 223 9 1 1 What You Can Do in this Chapter 223 9 2 The Dashboard Screen 223 9 2 1 The CPU Usage Screen 231 9 2 2...

Page 16: ...10 13 1 Regular Expressions in Searching IPSec SAs 264 10 14 The SSL Connection Monitor Screen 265 10 15 L2TP over IPSec Session Monitor Screen 266 10 16 The Anti Virus Statistics Screen 267 10 17 The IDP Statistics Screen 269 10 18 The Content Filter Statistics Screen 271 10 19 Content Filter Cache Screen 272 10 20 The Anti Spam Statistics Screen 275 10 21 The Anti Spam Status Screen 277 10 22 Lo...

Page 17: ...2 WLAN Add Edit WEP Security 335 13 6 3 WLAN Add Edit WPA PSK WPA2 PSK Security 336 13 6 4 WLAN Add Edit WPA WPA2 Security 337 13 7 WLAN Interface MAC Filter 339 13 8 VLAN Interfaces 341 13 8 1 VLAN Summary Screen 343 13 8 2 VLAN Add Edit 344 13 9 Bridge Interfaces 351 13 9 1 Bridge Summary 353 13 9 2 Bridge Add Edit 354 13 10 Auxiliary Interface 360 13 10 1 Auxiliary Interface Overview 360 13 10 ...

Page 18: ... The RIP Screen 396 16 3 The OSPF Screen 397 16 3 1 Configuring the OSPF Screen 401 16 3 2 OSPF Area Add Edit Screen 404 16 3 3 Virtual Link Add Edit Screen 405 16 4 Routing Protocol Technical Reference 406 Chapter 17 Zones 409 17 1 Zones Overview 409 17 1 1 What You Can Do in this Chapter 409 17 1 2 What You Need to Know 410 17 2 The Zone Screen 411 17 3 Zone Edit 412 Chapter 18 DDNS 413 18 1 DDN...

Page 19: ...2 The ALG Screen 437 21 3 ALG Technical Reference 439 Chapter 22 IP MAC Binding 441 22 1 IP MAC Binding Overview 441 22 1 1 What You Can Do in this Chapter 441 22 1 2 What You Need to Know 442 22 2 IP MAC Binding Summary 442 22 2 1 IP MAC Binding Edit 443 22 2 2 Static DHCP Edit 444 22 3 IP MAC Binding Exempt List 445 Chapter 23 Authentication Policy 447 23 1 Overview 447 23 1 1 What You Can Do in...

Page 20: ...n 478 25 2 2 The VPN Connection Add Edit Manual Key Screen 485 25 3 The VPN Gateway Screen 488 25 3 1 The VPN Gateway Add Edit Screen 489 25 4 VPN Concentrator 497 25 4 1 IPSec VPN Concentrator Example 497 25 4 2 VPN Concentrator Screen 500 25 4 3 The VPN Concentrator Add Edit Screen 500 25 5 IPSec VPN Background Information 501 Chapter 26 SSL VPN 513 26 1 Overview 513 26 1 1 What You Can Do in th...

Page 21: ...ating a New Folder 541 29 5 Renaming a File or Folder 542 29 6 Deleting a File or Folder 542 29 7 Uploading a File 543 Chapter 30 ZyWALL SecuExtender 545 30 1 The ZyWALL SecuExtender Icon 545 30 2 Statistics 546 30 3 View Log 547 30 4 Suspend and Resume the Connection 547 30 5 Stop the Connection 548 30 6 Uninstalling the ZyWALL SecuExtender 548 Chapter 31 L2TP VPN 549 31 1 Overview 549 31 1 1 Wha...

Page 22: ...hite List Add Edit 588 33 5 Anti Virus White List 589 33 6 Signature Searching 590 33 7 Anti Virus Technical Reference 593 Chapter 34 IDP 595 34 1 Overview 595 34 1 1 What You Can Do in this Chapter 595 34 1 2 What You Need To Know 595 34 1 3 Before You Begin 596 34 2 The IDP General Screen 597 34 3 Introducing IDP Profiles 599 34 3 1 Base Profiles 600 34 4 The Profile Summary Screen 601 34 5 Crea...

Page 23: ...s 634 35 3 4 Traffic Anomaly Profiles 634 35 3 5 Protocol Anomaly Profiles 637 35 3 6 Protocol Anomaly Configuration 637 35 4 ADP Technical Reference 641 Chapter 36 Content Filtering 649 36 1 Overview 649 36 1 1 What You Can Do in this Chapter 649 36 1 2 What You Need to Know 649 36 1 3 Before You Begin 651 36 2 Content Filter General Screen 651 36 3 Content Filter Policy Add or Edit Screen 654 36...

Page 24: ...er 701 39 1 2 What You Need to Know 701 39 1 3 Before You Begin 702 39 2 Device HA General 703 39 3 The Active Passive Mode Screen 704 39 3 1 Configuring Active Passive Mode Device HA 706 39 4 Configuring an Active Passive Mode Monitored Interface 709 39 5 The Legacy Mode Screen 711 39 6 Configuring the Legacy Mode Screen 712 39 7 Device HA Technical Reference 716 Chapter 40 User Group 723 40 1 Ov...

Page 25: ...48 42 3 1 The Service Group Add Edit Screen 750 Chapter 43 Schedules 751 43 1 Overview 751 43 1 1 What You Can Do in this Chapter 751 43 1 2 What You Need to Know 751 43 2 The Schedule Summary Screen 752 43 2 1 The One Time Schedule Add Edit Screen 753 43 2 2 The Recurring Schedule Add Edit Screen 754 Chapter 44 AAA Server 757 44 1 Overview 757 44 1 1 Directory Service AD LDAP 757 44 1 2 RADIUS Se...

Page 26: ...6 3 The Trusted Certificates Screen 787 46 3 1 The Trusted Certificates Edit Screen 788 46 3 2 The Trusted Certificates Import Screen 792 46 4 Certificates Technical Reference 793 Chapter 47 ISP Accounts 795 47 1 Overview 795 47 1 1 What You Can Do in this Chapter 795 47 2 ISP Account Summary 795 47 2 1 ISP Account Edit 796 Chapter 48 SSL Application 799 48 1 Overview 799 48 1 1 What You Can Do in...

Page 27: ...g an Address PTR Record 826 50 6 6 Domain Zone Forwarder 827 50 6 7 Adding a Domain Zone Forwarder 827 50 6 8 MX Record 828 50 6 9 Adding a MX Record 829 50 6 10 Adding a DNS Service Control Rule 829 50 7 WWW Overview 830 50 7 1 Service Access Limitations 831 50 7 2 System Timeout 831 50 7 3 HTTPS 831 50 7 4 Configuring WWW Service Control 832 50 7 5 Service Control Rules 836 50 7 6 Customizing th...

Page 28: ...USB Storage Setting 877 51 3 4 Edit Remote Server Log Settings 881 51 3 5 Active Log Summary Screen 883 Chapter 52 File Manager 887 52 1 Overview 887 52 1 1 What You Can Do in this Chapter 887 52 1 2 What you Need to Know 887 52 2 The Configuration File Screen 890 52 3 The Firmware Package Screen 894 52 4 The Shell Script Screen 896 Chapter 53 Diagnostics 899 53 1 Overview 899 53 1 1 What You Can ...

Page 29: ...1 Overview 919 56 1 1 What You Need To Know 919 56 2 The Shutdown Screen 919 Chapter 57 Troubleshooting 921 57 1 Resetting the ZyWALL 939 57 2 Getting More Troubleshooting Help 940 Chapter 58 Product Specifications 941 58 1 3G PCMCIA Card Installation 947 Appendix A Log Descriptions 949 Appendix B Common Services 1015 Appendix C Displaying Anti Virus Alert Messages in Windows 1019 Appendix D Impor...

Page 30: ...Table of Contents ZyWALL USG 300 User s Guide 30 ...

Page 31: ...31 PART I User s Guide ...

Page 32: ...32 ...

Page 33: ...r P2P control NAT port forwarding policy routing DHCP server and many other powerful features Flexible configuration helps you set up the network and enforce security policies efficiently See Chapter 2 on page 39 for a more detailed overview of the ZyWALL s features The front panel physical Gigabit Ethernet ports labeled 1 2 3 and so on are mapped to Gigabit Ethernet ge interfaces By default 1 is ...

Page 34: ...holes on one side of the ZyWALL and secure it with the included bracket screws smaller than the rack mounting screws 2 Attach the other bracket in a similar fashion Figure 1 Attaching Mounting Brackets and Screws 3 After attaching both mounting brackets position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack Secure the ZyWALL to the rack with t...

Page 35: ...tes and then restart the device see Section 1 5 on page 37 If the LED turns red again then please contact your vendor SYS Green Off The ZyWALL is not ready or has failed On The ZyWALL is ready and running Flashing The ZyWALL is restarting AUX Green Off The AUX port is not connected Flashing The AUX port is sending or receiving packets On The AUX port is connected P1 P2 Green Off There is no traffi...

Page 36: ...se text based commands to configure the ZyWALL You can access it using remote management for example SSH or Telnet or via the console port See the Command Reference Guide for more information about the CLI Console Port You can use the console port to manage the ZyWALL using CLI commands See the Command Reference Guide for more information about the CLI The default settings for the console port are...

Page 37: ...ebooting the ZyWALL A warm start without powering down and powering up again occurs when you use the Reboot button in the Reboot screen or when you use the reboot command The ZyWALL writes all cached data to the local storage stops the system processes and then does a warm start Using the RESET button If you press the RESET button the ZyWALL sets the configuration to its default values and then re...

Page 38: ...Chapter 1 Introducing the ZyWALL ZyWALL USG 300 User s Guide 38 ...

Page 39: ...es reliable secure Internet access set up one or more of the following Multiple WAN ports and configure load balancing between these ports One or more 3G cellular connections An auxiliary backup Internet connection A backup ZyWALL in the event the master ZyWALL fails device HA Virtual Private Networks VPN Use IPSec SSL or L2TP VPN to provide secure communication between two sites over the Internet...

Page 40: ... violations of protocol standards RFCs Requests for Comments Abnormal flows such as port scans The ZyWALL s ADP protects against network based intrusions See Section 35 3 4 on page 634 and Section 35 3 5 on page 637 for more on the kinds of attacks that the ZyWALL can protect against You can also create your own custom ADP rules Bandwidth Management Bandwidth management allows you to allocate netw...

Page 41: ...ted of being used by spammers Application Patrol Application patrol App Patrol manages instant messenger IM peer to peer P2P applications like MSN and BitTorrent You can even control the use of a particular application s individual features like text messaging voice video conferencing and file transfers Application patrol has powerful bandwidth management including traffic prioritization to enhanc...

Page 42: ...gure the ZyWALL to provide SSL VPN network access to remote users There are two SSL VPN network access modes reverse proxy and full tunnel 2 2 2 1 Reverse Proxy Mode In reverse proxy mode the ZyWALL is a proxy that acts on behalf of the local network servers such as your web and mail servers As the final destination the ZyWALL appears to be the server to remote users This provides an added layer o...

Page 43: ...el mode a virtual connection is created for remote users with private IP addresses in the same subnet as the local network This allows them to access network resources in the same way as if they were part of the internal network Figure 7 Network Access Mode Full Tunnel Mode Web Mail File Share Web based Application LAN 192 168 1 X https Web Mail File Share Web based Application https Application S...

Page 44: ...ormation and shared resources based on the user who is trying to access it Figure 8 Applications User Aware Access Control 2 2 4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port or set up multiple connections on different ports In either case you can balance the loads between them Figure 9 Applications Multiple WAN Interfaces ...

Page 45: ...ures and Applications ZyWALL USG 300 User s Guide 45 2 2 5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network Figure 10 Applications Device HA ...

Page 46: ...Chapter 2 Features and Applications ZyWALL USG 300 User s Guide 46 ...

Page 47: ...eb Configurator you must Use Internet Explorer 7 or later or Firefox 1 5 or later Allow pop up windows blocked by default in Windows XP Service Pack 2 Enable JavaScript enabled by default Enable Java permissions enabled by default Enable cookies The recommended screen resolution is 1024 x 768 pixels 3 2 Web Configurator Access 1 Make sure your ZyWALL hardware is properly connected See the Quick St...

Page 48: ... password default 1234 If your account is configured to use an ASAS authentication server use the OTP One Time Password token to generate a number Enter it in the One Time Password field The number is only good for one login You must use the token to generate a new number the next time you log in 4 Click Login If you logged in using the default user name and password the Update Admin Info screen F...

Page 49: ...n If you change the default password the Login screen Figure 11 on page 48 appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the ZyWALL is using its default configuration see Chapter 4 on page 65 otherwise the dashboard appears as shown next Figure 13 Dashboard 3 3 Web Configurator Screens Overview The Web Configurator screen is divided into these parts as il...

Page 50: ...e Web Configurator Help Click this to open the help page for the current screen About Click this to display basic information about the ZyWALL Site Map Click this to see an overview of links to the Web Configurator screens Object Reference Click this to open a screen where you can check which configuration items reference an object Console Click this to open the console in which you can use the co...

Page 51: ...menus and their screens Figure 16 Navigation Panel 3 3 2 1 Dashboard The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs See Chapter 9 on page 223 for details on the dashboard Table 5 About LABEL DESCRIPTION Boot Module This shows the version number of the software t...

Page 52: ...clients Cellular Status Displays details about the ZyWALL s 3G connection status USB Storage Displays information about a connected USB storage device AppPatrol Statistics Displays bandwidth and protocol statistics VPN Monitor IPSec Displays and manages the active IPSec SAs SSL Lists users currently logged into the VPN SSL client portal You can also log out individual users and delete related sess...

Page 53: ...anage Ethernet interfaces and virtual Ethernet interfaces PPP Create and manage PPPoE and PPTP interfaces Cellular Configure a cellular Internet connection for an installed 3G card WLAN Configure settings for an installed wireless LAN card VLAN Create and manage VLAN interfaces and virtual VLAN interfaces Bridge Create and manage bridges and virtual bridge interfaces Auxiliary Manage the AUX port ...

Page 54: ...P VPN L2TP VPN Configure L2TP Over IPSec VPN settings AppPatrol General Enable or disable traffic management by application and see registration and signature information Common Manage traffic of the most commonly used web file transfer and e mail protocols IM Manage instant messenger traffic Peer to Peer Manage peer to peer traffic VoIP Manage VoIP traffic Streaming Manage streaming traffic Other...

Page 55: ... Group Create and manage groups of users Setting Manage default settings for all users general settings for user sessions and rules to force user authentication Address Address Create and manage host range and network subnet addresses Address Group Create and manage groups of addresses Service Service Create and manage TCP and UDP services Service Group Create and manage groups of services Schedul...

Page 56: ...HTTPS and general authentication Login Page Configure how the login and access user screens look SSH Configure SSH server and SSH service settings TELNET Configure telnet server settings for the ZyWALL FTP Configure FTP server settings SNMP Configure SNMP communities and services Dial in Mgmt Configure settings for an out of band management connection through a modem connected to the AUX port Vant...

Page 57: ...ages such as those resulting from misconfiguration display in a popup window Figure 17 Warning Message Table 8 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the ZyWALL Firmware Package View the current firmware version and to upload firmware Shell Script Manage and run shell script files for the ZyWALL Diagnos...

Page 58: ...en Figure 18 Site Map 3 3 3 3 Object Reference Click Object Reference to open the Object Reference screen Select the type of object and the individual object and click Refresh to show which configuration settings reference the object The following example shows which configuration settings reference the ldap users user object in this case the first firewall rule Figure 19 Object Reference ...

Page 59: ...L DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service s con...

Page 60: ... a Column s Criteria 2 Click the down arrow next to a column heading for more options about how to display the entries The options available vary depending on the type of fields in the column Here are some examples of what you can do Sort in ascending alphabetical order Sort in descending reverse alphabetical order Select which columns to display Group entries by field Show entries in groups Filte...

Page 61: ...mn heading and drag and drop it to change the column order A green check mark displays next to the column s title when you drag the column to a valid new location Figure 24 Changing the Column Order 5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time Figure 25 Navigating Pages of Table Entries ...

Page 62: ...ck Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an en...

Page 63: ...r 3 Web Configurator ZyWALL USG 300 User s Guide 63 you can also use the Shift or Ctrl key to select multiple entries and then use the arrow button to move them to the other list Figure 27 Working with Lists ...

Page 64: ...Chapter 3 Web Configurator ZyWALL USG 300 User s Guide 64 ...

Page 65: ...ure Internet connection settings and activate subscription services This chapter provides information on configuring the Web Configurator s installation setup wizard See the feature specific chapters in this User s Guide for background information Figure 28 Installation Setup Wizard Click the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the insta...

Page 66: ... Internet connections Leave it cleared to configure just one This option appears when you are configuring the first WAN interface Encapsulation Choose the Ethernet option when the WAN port is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection according to the information from your ISP WAN Interface This is the interface you are configuring for Internet access Zone S...

Page 67: ...een The following fields display if you selected static IP address assignment IP Subnet Mask Enter the subnet mask for this WAN connection s IP address Gateway IP Address Enter the IP address of the router through which this WAN connection will send traffic the default gateway First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS maps ...

Page 68: ... outgoing connection requests Options are CHAP PAP Your ZyWALL accepts either CHAP or PAP when requested by the remote node CHAP Your ZyWALL accepts CHAP only PAP Your ZyWALL accepts PAP only MSCHAP Your ZyWALL accepts MSCHAP only MSCHAP V2 Your ZyWALL accepts MSCHAP V2 only Type the User Name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long...

Page 69: ...in name to an IP address and vice versa Enter a DNS server s IP address es The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The ZyWALL uses these in the order you specify here to resolve domain names for VPN DDNS and the time server Leave the field as 0 0 0 0 if you do not want to configure DNS servers If you do not config...

Page 70: ...SP if given Server IP Type the IP address of the PPTP server Type a Connection ID or connection name It must follow the c id and n name format For example C 12 or N My ISP This field is optional and depends on the requirements of your broadband modem or router You can use alphanumeric and _ characters and it can be up to 31 characters long 4 1 5 2 WAN IP Address Assignments First WAN Interface Thi...

Page 71: ...cond WAN Interface The screens for configuring the second WAN interface are similar to the first see Section 4 1 1 on page 66 Figure 33 Internet Access Step 3 Second WAN Interface 4 1 7 Internet Access Finish You have set up your ZyWALL to access the Internet After configuring the WAN interface s a screen displays with your settings If they are not correct click Back Figure 34 Internet Access Ethe...

Page 72: ...n Use this screen to register your ZyWALL with myZXEL com and activate trial periods of subscription security features if you have not already done so If the ZyWALL is already registered this screen displays your user name and which trial services are activated if any You can still activate any un activated trial services Note You must be connected to the Internet to register Use the Registration ...

Page 73: ...rd Use six to 20 alphanumeric characters and the underscore Spaces are not allowed Type it again in the Confirm Password field E Mail Address Enter your e mail address Use up to 80 alphanumeric characters periods and the underscore are also allowed without spaces Country Code Select your country from the drop down box list Trial Service Activation You can try a trial service subscription The trial...

Page 74: ...Chapter 4 Installation Setup Wizard ZyWALL USG 300 User s Guide 74 ...

Page 75: ...his User s Guide for background information In the Web Configurator click Configuration Quick Setup to open the first Quick Setup screen Figure 37 Quick Setup WAN Interface Click this link to open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP See Section 5 2 on page 76 VPN SETUP Use VPN SETUP to configure a VPN...

Page 76: ... an interface to connect to the internet Click Next Figure 38 WAN Interface Quick Setup Wizard 5 2 1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and click Next Figure 39 Choose an Ethernet Interface 5 2 2 Select WAN Type WAN Type Selection Select the type of encapsulation this connection is to use Choose Ethernet when the WAN port is u...

Page 77: ...ion provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information Note Enter the Internet access information exactly as your ISP gave it to you 5 2 3 Configure WAN Settings Use this screen to select to which zone the interface belongs and whether the interface should use a fixed or dynamic IP address Figure 41 WAN Interface Setup Step 2 WAN Interfa...

Page 78: ...s This screen is read only if you set the IP Address Assignment to Static Note Enter the Internet access information exactly as your ISP gave it to you Figure 42 WAN and ISP Connection Settings PPTP Shown The following table describes the labels in this screen Table 11 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Interne...

Page 79: ...P Configuration This section only appears if the interface uses a PPPoE or PPTP Internet connection Base Interface This displays the identity of the Ethernet interface you configure to connect with a modem or router Base IP Address Type the static IP address assigned to you by your ISP IP Subnet Mask Type the subnet mask assigned to you by your ISP if given Server IP Type the IP address of the PPT...

Page 80: ...to access it DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice ve rsa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for VPN DDNS and the time server Back Click Back to return to the previo...

Page 81: ...ection will not time out Yes means the ZyWALL uses the idle timeout Idle Timeout This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server 0 means no timeout Connection ID If you specified a connection ID it displays here WAN Interface This identifies the interface you configure to connect with your ISP Zone This field displays to which s...

Page 82: ...lect which type of VPN connection you want to configure Figure 45 VPN Setup Wizard Wizard Type Express Use this wizard to create a VPN connection with another ZLD based ZyWALL using a pre shared key and default security settings Advanced Use this wizard to configure detailed VPN security settings such as using certificates The VPN connection can be to another ZLD based ZyWALL or other IPSec device...

Page 83: ...igure on the left of the screen changes to match the scenario you select Site to site Choose this if the remote IPSec device has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate the VPN tunnel Remote Access Server Role Choose this to a...

Page 84: ... use the same password Use 8 to 31 case sensitive ASCII characters or 8 to 31 pairs of hexadecimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network You can also specify a subnet This must match the remote IP addres...

Page 85: ...iation Local Policy Static IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel Remote Policy Static IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel If this field displays Any only the remote IPSec device can initiate the VPN connection Copy and paste the Configuration for Secure Gate...

Page 86: ...Express Wizard Finish Now you can use the VPN tunnel Figure 49 VPN Express Wizard Step 6 Note If you have not already done so use the myZyXEL com link and register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Close to exit the wizard ...

Page 87: ...elect the scenario that best describes your intended VPN connection The figure on the left of the screen changes to match the scenario you select Site to site Choose this if the remote IPSec device has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec device has a dynamic IP address Only the remote IPSec devi...

Page 88: ...e gateway to identify the remote IPSec device by its IP address or a domain name Use 0 0 0 0 if the remote IPSec device has a dynamic WAN IP address My Address interface Select an interface from the drop down list box to use on your ZyWALL Negotiation Mode Select Main for identity protection Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords No...

Page 89: ...an Group 2 a 1024 bit 1Kb random number DH5 refers to Diffie Hellman Group 5 a 1536 bit random number SA Life Time Set how often the ZyWALL renegotiates the IKE SA A short SA life time increases security but renegotiation temporarily disconnects the VPN tunnel NAT Traversal Select this if the VPN tunnel must pass through NAT there is a NAT router between the IPSec devices Note The remote IPSec dev...

Page 90: ...r SA Life Time Set how often the ZyWALL renegotiates the IKE SA A short SA life time increases security but renegotiation temporarily disconnects the VPN tunnel Perfect Forward Secrecy PFS Disabling PFS allows faster IPSec setup but is less secure Select DH1 DH2 or DH5 to enable PFS DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 refers to Diffie Hellman Group 1 a 768 bit ...

Page 91: ...nd the VPN gateway Secure Gateway IP address or domain name of the remote IPSec device Pre Shared Key VPN tunnel password Certificate The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel Local Policy IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel Remote Policy IP address and subnet mask of the computers on the netw...

Page 92: ...5 5 8 VPN Advanced Wizard Finish Now you can use the VPN tunnel Figure 54 VPN Wizard Step 6 Advanced Note If you have not already done so you can register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Close to exit the wizard ...

Page 93: ...u configure the trunk you should configure a policy route for it as well You might also have to configure criteria for the policy route Section 6 6 on page 112 identifies the objects that store information used by other features Section 6 7 on page 113 introduces some of the tools available for system management 6 1 Object based Configuration The ZyWALL stores information or settings as objects Yo...

Page 94: ...Zones groups of interfaces and VPN tunnels simplify security settings Here is an overview of zones interfaces and physical ports in the ZyWALL Figure 55 Zones Interfaces and Physical Ethernet Ports Table 13 Zones Interfaces and Physical Ethernet Ports Zones WAN LAN DMZ A zone is a group of interfaces and VPN tunnels Use zones to apply security settings such as firewall IDP remote management anti v...

Page 95: ... tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer 2 data link MAC address level Then you can configure the IP address and subnet mask of the bridge It is also possible to configure zone level security between the membe...

Page 96: ...iguration The LAN zone contains the ge1 interface The LAN zone is a protected zone The ge1 interface uses 192 168 1 1 PORT INTERFACE ZONE IP ADDRESS AND DHCP SETTINGS SUGGESTED USE WITH DEFAULT SETTINGS 1 ge1 LAN 192 168 1 1 DHCP server enabled Protected LAN 2 3 ge2 ge3 WAN DHCP clients Connections to the Internet 4 5 ge4 ge5 DMZ 192 168 2 1 ge4 and 192 168 3 1 ge5 DHCP server disabled Public serv...

Page 97: ... This section highlights some differences in terminology or organization between the ZLD based ZyWALL and other routers particularly ZyNOS routers Table 15 ZLD ZyWALL Terminology That is Different Than ZyNOS ZYNOS FEATURE TERM ZLD ZYWALL FEATURE TERM IP alias Virtual interface Gateway policy VPN gateway Network policy IPSec SA VPN connection Hub and spoke VPN VPN concentrator Table 16 ZLD ZyWALL T...

Page 98: ... interfaces you don t need to configure anything to all LAN to WAN or WLAN to WAN traffic The ZyWALL automatically adds all of the external interfaces to the default WAN trunk External interfaces include ppp cellular and AUX interfaces as well as any Ethernet interfaces that are set as external interfaces Examples of internal interfaces are WLAN interfaces and any Ethernet interfaces that you conf...

Page 99: ...how to route them The following figure shows how the ZLD 2 20 firmware s routing table compares with the earlier 2 1x firmware s routing table The checking flow is from top to bottom As soon as the packets match an entry in one of the sections the ZyWALL stops checking the packets against the routing table and moves on to the other checks for example the firewall check Figure 58 Routing Table Chec...

Page 100: ...dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes see Section 25 2 on page 476 5 Static and Dynamic Routes This section contains the user configured static routes and the dynamic routing information learned from other routers through RIP and OSPF See Chapter 15 on page 379 for more information 6 Default WAN Trunk For any traffic coming in through an int...

Page 101: ...uding Many 1 to 1 is also included in the NAT table 3 NAT loopback is now included in the NAT table instead of requiring a separate policy route 4 SNAT is also now performed by default and included in the NAT table 6 5 Feature Configuration Overview This section provides information about configuring the main features in the ZyWALL The features are listed in the same sequence as the menu item s in...

Page 102: ...quence of menu items and tabs you should click to find the main screen s for this feature See the web help or the related User s Guide chapter for information about each screen PREREQUISITES These are other features you should configure before you configure the main screen s for this feature If you did not configure one of the prerequisites first you can often select an option to create a new obje...

Page 103: ...nks to set up load balancing using two or more interfaces Example See Chapter 7 on page 117 6 5 6 Policy Routes Use policy routes to override the ZyWALL s default routing behavior in order to send packets through the appropriate interface or VPN tunnel You can also use policy routes for bandwidth management out of the ZyWALL port triggering MENU ITEM S Configuration Licensing Update PREREQUISITES ...

Page 104: ...For the Next Hop fields select Interface as the Type if you have a single WAN connection or Trunk if you have multiple WAN connections 9 Select the interface that you are using for your WAN connection ge2 and ge3 are the default WAN interfaces If you have multiple WAN connections select the trunk 10 Specify the amount of bandwidth FTP traffic can use You may also want to set a low priority for FTP...

Page 105: ...ou create a zone the ZyWALL does not create any firewall rules assign an IDP profile or configure remote management for the new zone Example For example to create the DMZ 2 zone and add an interface click Network Zone and then the Add icon 6 5 9 DDNS Dynamic DNS maps a domain name to a dynamic IP address The ZyWALL helps maintain this mapping 6 5 10 NAT Use Network Address Translation NAT to make ...

Page 106: ...ets received for the original IP address 6 In Mapping Type select Port 7 Enter 21 in both the Original and the Mapped Port fields 6 5 11 HTTP Redirect Configure this feature to have the ZyWALL transparently forward HTTP web traffic to a proxy server This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next t...

Page 107: ...ss the network 6 5 14 Firewall The firewall controls the travel of traffic between or within zones You can also configure the firewall to control traffic for NAT DNAT and policy routes SNAT You can configure firewall rules based on schedules specific users or user groups source or destination addresses or address groups and services or service groups Each of these objects must be configured in a d...

Page 108: ...ss Leave the Access field set to Allow and the Log field set to No Note The ZyWALL checks the firewall rules in order Make sure each rule is in the correct place in the sequence 6 5 15 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP IP for communication The ZyWALL also offers hub and spoke VPN Example See Chapter 7 o...

Page 109: ... user account for Bob User Group 2 Click AppPatrol Peer to Peer to go to the application patrol configuration screen Click the BitTorrent application patrol entry s Edit icon Set the default policy s access to Drop Add another policy Select the user account that you created for Bob You can leave the source destination and log settings at the default WHERE USED Policy routes zones MENU ITEM S Confi...

Page 110: ... anomalies 6 5 22 Content Filter Use content filtering to block or allow access to specific categories of web site content individual web sites and web features such as cookies You can define which user accounts or groups can access what content and at what times You must have a subscription in order to use the category based content filtering You can subscribe using the menu item or one of the wi...

Page 111: ... the category based content filtering service is not available 7 Select the Arts Entertainment category you need to click Advanced to display it and click OK 8 Click General to go to the content filter general configuration screen 9 Enable the content filter 10 Add a policy that uses the schedule the filtering profile and the user that you created 6 5 23 Anti Spam Use anti spam to detect and take ...

Page 112: ... groups address VPN connections local remote network NAT policy routes criteria next hop HOST NAT authentication policies firewall application patrol source destination content filter NAT HOST user settings force user authentication address groups remote management System address group Policy routes criteria firewall application patrol source destination content filter user settings force user aut...

Page 113: ...management connection through an external serial modem connected to the AUX port Example Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN 1 Create an administrator account Configuration Object User Group guest Access network services ext user The same as a user or a guest except the ZyWALL looks for the specific type in an external authentication server If ...

Page 114: ... manage Configuration files Use configuration files to back up and restore the complete configuration of the ZyWALL You can store multiple configuration files in the ZyWALL and switch between them without restarting Shell scripts Use shell scripts to run a series of CL I commands These are useful for large repetitive configuration changes for example creating a lot of VPN tunnels and for troublesh...

Page 115: ...yWALL USG 300 User s Guide 115 Always use Maintenance Shutdown Shutdown or the shutdown command before you turn off the ZyWALL or remove the power Not doing so can cause the firmware to become corrupt MENU ITEM S Maintenance Shutdown ...

Page 116: ...Chapter 6 Configuration Basics ZyWALL USG 300 User s Guide 116 ...

Page 117: ...ptions of individual screens see Technical Reference on page 221 7 1 How to Configure Interfaces Port Grouping and Zones This tutorial shows how to configure Ethernet interfaces port grouping and zones for the following example configuration see Section 6 2 2 on page 96 for the default configuration Interface ge2 uses a static IP address of 1 2 3 4 and is in the WAN zone DMZ servers are connected ...

Page 118: ... 1 1 Configure a WAN Ethernet Interface You need to assign the ZyWALL s ge2 interface a static IP address of 1 2 3 4 Click Configuration Network Interface Ethernet and double click the ge2 interface s entry Select Use Fixed IP Address and configure the IP addr ess subnet mask and default gateway settings and click OK Figure 61 Configuration Network Interface Ethernet Edit ge2 7 1 2 Configure Zones...

Page 119: ... Enter VPN as the name select Default_L2TP_VPN_Connection and move it to the Member box and click OK Figure 62 Configuration Network Zone WAN Edit 7 1 3 Configure Port Grouping Here is how to combine physical ports P4 and P5 into the ge4 interface port group 1 Click Configuration Network Interface Port Grouping ...

Page 120: ... Ethernet interfaces ge5 has a Status of Port Group Inactive Figure 64 Dashboard Interface Status Summary After Port Grouping 7 2 How to Configure a Cellular Interface Use 3G cards for cellular WAN Internet connections Table 275 on page 941 lists the compatible 3G devices In this example you install or connect the 3G card before you configure the cellular interfaces but is also possible to reverse...

Page 121: ...r 4 Enable the interface and add it to a zone It is highly recommended that you set the Zone to WAN to apply your WAN zone security settings to this 3G connection Leaving Zone set to none has the ZyWALL not apply any security settings to the 3G connection Enter the PIN Code provided by the cellular 3G service provider 0000 in this example Figure 66 Configuration Network Interface Cellular Edit ...

Page 122: ...work throughput Plus if a WAN connection goes down the ZyWALL still sends traffic through the remaining WAN connections For a simple test disconnect all of the ZyWALL s wired WAN connections If you can still access the Internet your cellular interface is properly configured and your cellular device is working To fine tune the load balancing configuration see Chapter 14 on page 369 See also Section...

Page 123: ... balancing settings 7 3 1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface 1 Click Configuration Network Interface Ethernet and double click the ge2 entry Enter the available bandwidth 1000 kbps in the Egress Bandwidth field Click OK Figure 69 Configuration Network Interface Ethernet Edit ge2 2 ...

Page 124: ...ick Configuration Network Interface Trunk Click the Add icon 2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin Add ge2 and enter 2 in the Weight column Add ge3 and enter 1 in the Weight column Click OK Figure 70 Configuration Network Interface Trunk Add ...

Page 125: ... have different wireless LAN networks using different SSIDs You can configure the WLAN interfaces before or after you install the wireless LAN card This example shows how to create a WLAN interface that uses WPA or WPA2 security and the ZyWALL s local user database for authentication 7 4 1 Set Up User Accounts The ZyWALL supports TTLS using PAP so you can use the ZyWALL s local user database with ...

Page 126: ...n_user Enter and re enter the user s password Click OK Figure 72 Configuration Object User Group User Add 3 Use the Add icon in the Configuration Object User Group User screen to set up the remaining user accounts in similar fashion 7 4 2 Create the WLAN Interface 1 Click Configuration Network Interface WLAN Add to open the WLAN Add screen ...

Page 127: ...s example This determines which security settings the ZyWALL applies to the WLAN interface Configure the SSID ZYXEL_WPA in this example If all of your wireless clients support WPA2 select WPA2 Enterprise as the Security Type otherwise select WPA WPA 2 Enterprise Set the Authentication Type to Auth Method The ZyWALL can use its default authentication method the local user database and its default c...

Page 128: ...Chapter 7 Tutorials ZyWALL USG 300 User s Guide 128 Figure 73 Configuration Network Interface WLAN Add ...

Page 129: ...s client not included with the ZyWALL use the wireless network 7 4 3 1 Configure the ZyXEL Wireless Client Utility This example covers how to configure ZyXEL s wireless client utility not included with the ZyWALL to use the WLAN interface See Section 7 4 3 2 on page 133 instead for how to use Funk Odyssey s wireless client software if you want the wireless client to validate the ZyWALL s certifica...

Page 130: ...he wireless client utility and click Profile Figure 75 ZyXEL Wireless Client 2 Add a new profile This example uses ZYXEL_WPA as the name It is also the SSID name of the wireless network Select Infrastructure and click Next Figure 76 ZyXEL Wireless Client Profile ...

Page 131: ...re 77 ZyXEL Wireless Client Profile Security Type 4 Set the encryption type to TKIP and the EAP type to TTLS Configure wlan_user as the Login Name and enter the account s password also wlan_user in this example In TTLS Protocol select PAP Click Next Figure 78 ZyXEL Wireless Client Profile Security Settings ...

Page 132: ...apter 7 Tutorials ZyWALL USG 300 User s Guide 132 5 Confirm your settings and click Save Figure 79 ZyXEL Wireless Client Profile Save 6 Click Activate Now Figure 80 ZyXEL Wireless Client Profile Activate ...

Page 133: ...less client validate the ZyWALL s certificate you can go to Section 7 4 3 4 on page 141 7 4 3 2 Configure the Funk Odyssey Wireless Client This example shows how to configure Funk s Odyssey Access Client Manager wireless client software not included with the ZyWALL to use the WLAN interface 1 Open the Odyssey wireless client software and click Profiles Add Figure 82 Odyssey Access Client Manager P...

Page 134: ...ser Info tab configure wlan_user as the Login name In the Password sub tab select Prompt for long name and password Figure 83 Odyssey Access Client Manager Profiles User Info 3 Click the Authentication tab and select Validate server certificate Figure 84 Odyssey Access Client Manager Profiles Authentication ...

Page 135: ...ls ZyWALL USG 300 User s Guide 135 4 Click the TTLS tab and select PAP Then click OK Figure 85 Odyssey Access Client Manager Profiles Authentication 5 Click Networks Add Figure 86 Odyssey Access Client Manager Networks ...

Page 136: ...Networks Add Use the next section to import the ZyWALL s certificate into the wireless client 7 4 3 3 Wireless Clients Import the ZyWALL s Certificate You must import the ZyWALL s certificate into the wireless clients if they are to validate the ZyWALL s certificate Use the Configuration Object Certificate Edit screen see Section 46 2 2 on page 783 to export the certificate the ZyWALL is using for...

Page 137: ...de 137 1 In Internet Explorer click Tools Internet Options Content and click the Certificates button Figure 88 Internet Explorer Tools Internet Options Content 2 Click Import Figure 89 Internet Explorer Tools Internet Options Content Certificates ...

Page 138: ...ting to All Files in order to see the certificate file Figure 90 Internet Explorer Certificate Import Wizard File Open Screen 4 When you get to the Certificate Store screen select the option to automatically select the certificate store based on the type of certificate Figure 91 Internet Explorer Certificate Import Wizard Certificate Store Screen ...

Page 139: ...Chapter 7 Tutorials ZyWALL USG 300 User s Guide 139 5 If you get a security warning screen click Yes to proceed Figure 92 Internet Explorer Certificate Import Certificate Warning Screen ...

Page 140: ...e ZyWALL s My Certificates screen s Subject and Issuer fields respectively Figure 93 Internet Explorer Trusted Root Certification Authorities The My Certificates screen indicates what type of information is being displayed such as Common Name CN Organizational Unit OU Organization O and Country C Figure 94 Configuration Object Certificate My Certificates Repeat the steps to import the certificate ...

Page 141: ... 5 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel see Section 5 4 on page 82 for details on the VPN quick setup wizard Figure 96 VPN Example In this example the ZyWALL is router X 1 2 3 4 and the remote IPSec router is router Y 2 2 2 2 Create the VPN tunnel between ZyWALL X s LAN subnet 192 168 1 0 24 and the L...

Page 142: ...nd then click the Add icon 2 Enable the VPN gateway and name it VPN_GW_EXAMPLE For My Address select Interface and ge2 For the Peer Gateway Address select Static Address and enter 2 2 2 2 in the Primary field For the Authentication Select Pre Shared Key and enter 12345678 Click OK Figure 97 Configuration VPN IPSec VPN VPN Gateway Add 7 5 2 Set Up the VPN Connection The VPN connection manages the I...

Page 143: ...ck the Add icon 4 Enable the VPN connection and name it VPN_CONN_EXAMPLE Under VPN Gateway select Site to site and the VPN gateway VPN_GW_EXAMPLE Under Policy select LAN_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote Click OK Figure 99 Configuration VPN IPSec VPN VPN Connection Add 5 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel To trig...

Page 144: ... Concentrator A hub and spoke IPSec VPN connects IPSec VPN tunnels to form one secure network This reduces the number of VPN connections that you have to set up and maintain in the network Here is an example of a hub and spoke VPN that does not use the ZyWALL s VPN concentrator feature Here branch office A has a ZyNOS based ZyWALL and headquarters HQ and branch office B have USG ZyWALLs or ZyWALL ...

Page 145: ... Local Policy 192 168 168 0 192 168 169 255 Remote Policy 192 168 167 0 255 255 255 0 Disable Policy Enforcement VPN Gateway VPN Tunnel2 My Address 10 0 0 1 Peer Gateway Address 10 0 0 3 VPN Connection VPN Tunnel 2 Local Policy 192 168 167 0 192 168 168 255 Remote Policy 192 168 169 0 255 255 255 0 Disable Policy Enforcement Branch Office B USG ZyWALL or ZyWALL 1050 VPN Gateway My Address 10 0 0 3...

Page 146: ...olicy routes so the only way to get traffic destined for another spoke router to go through the ZyNOS ZyWALL s VPN tunnel is to make the remote policy cover both tunnels Since the USG ZyWALLs or ZyWALL 1050s automatically handle the routing for VPN tunnels if a USG ZyWALL or ZyWALL 1050 is a hub router and the local policy covers both tunnels the automatic routing takes care of it without needing ...

Page 147: ...er names from the RADIUS server to a text file then you might create a script to create the user accounts instead This example uses the Web Configurator 1 Click Configuration Object User Group User Click the Add icon 2 Enter the same user name that is used in the RADIUS server and set the User Type to ext user because this user account is authenticated by an external server Click OK Figure 101 Con...

Page 148: ... Member list This example only has one member in this group so click OK Of course you could add more members later Figure 102 Configuration Object User Group Group Add 3 Repeat this process to set up the remaining user groups 7 7 3 Set Up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server First configure the settings for the RADIUS server Then...

Page 149: ...default entry Click the Add icon Select group radius because the ZyWALL should use the specified RADIUS server for authentication Click OK Figure 104 Configuration Object Auth method Add 3 Click Configuration Auth Policy In the Authentication Policy Summary section click the Add icon 4 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them ...

Page 150: ...ers try to browse the web or use any HTTP HTTPS application the Login screen appears They have to log in using the user name and password in the RADIUS server 7 7 4 Web Surfing Policies With Bandwidth Restrictions Use application patrol AppPatrol to enforce the web surfing and MSN policies You must have already subscribed for the application patrol service You can subscribe using the Configuration...

Page 151: ...ick Configuration AppPatrol If application patrol and bandwidth management are not enabled enable them and click Apply Figure 106 Configuration AppPatrol General 2 Click the Common tab and double click the http entry Figure 107 Configuration AppPatrol Common ...

Page 152: ... Double click the Default policy Figure 108 Configuration AppPatrol Common http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web Click OK Figure 109 Configuration AppPatrol Common http Edit Default ...

Page 153: ...n the Inbound and Outbound fields Click OK Repeat this process to add exceptions for all the other user groups that are allowed to browse the web Figure 110 Configuration AppPatrol Common http Edit Default 7 7 5 Set Up MSN Policies Set up a recurring schedule object first because Sales can only use MSN during specified times on specified days 1 Click Configuration Object Schedule Click the Add ico...

Page 154: ... the steps in Section 7 7 4 on page 150 to set up the appropriate policies for MSN in application patrol Make sure to specify the schedule when you configure the policy for the Sales group s MSN access 7 7 6 Set Up Firewall Rules Use the firewall to control access from LAN to the DMZ 1 Click Configuration Firewall Add Set the From field as LAN and the To field as DMZ Set the Access field to deny a...

Page 155: ...that are allowed to access the DMZ 7 8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups The previous example showed how to have a RADIUS server authenticate individual user accounts If the RADIUS server has different user groups distinguished by the value of a specific attribute you can configure the make a couple of slight changes in the configuration to have the RADIUS se...

Page 156: ...ication port and key set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs This example uses Class This attribute s value is called a group identifier it determines to which group a user belongs In this example the values are Finance Engineer Sales and Boss Figure 114 Configuration Object AAA Server RADIUS Add ...

Page 157: ...up User Add 3 Repeat this process to set up the remaining groups of user accounts 7 9 How to Use Endpoint Security and Authentication Policies Here is how to use endpoint security to make sure that users computers meet specific security requirements before they are allowed to access the network This example requires users to have Kaspersky Internet security or anti virus software on their computer...

Page 158: ...tries to the allowed list you can double click an entry to move it Select Endpoint must have Anti Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti Virus anti virus software entries to the allowed list The following figure shows the configuration screen example Figure 116 Configuration Object Endpoint Security Add ...

Page 159: ...an authentication policy to use endpoint security objects Enable the policy and name it Set the Source Address to LAN and the Destination Address to any the Schedule set to none and Authentication set to required to apply this policy to all users Select Force User Authentication to redirect the HTTP traffic of users who are not yet logged in to the ZyWALL s login screen Enable EPS checking and mov...

Page 160: ...ge example when a user s computer does not meet an endpoint security object s requirements Click Close to return to the login screen Figure 119 Example Endpoint Security Error Message 7 10 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access to the Web Configurator and separate rules that control HTTP and HTTPS ...

Page 161: ... configure service control to allow management or user HTTP or HTTPS access make sure the firewall is not configured to block that access 7 10 1 Allow HTTPS Administrator Access Only From the LAN This example configures service control to block administrator HTTPS access from all zones except the LAN 1 Click Configuration System WWW 2 In HTTPS Admin Service Control click the Add icon Figure 120 Co...

Page 162: ...4 Select the new rule and click the Add icon Figure 122 Configuration System WWW First Example Admin Service Rule Configured 5 In the Zone field select ALL and set the Action to Deny Click OK Figure 123 Configuration System WWW Service Control Rule Edit ...

Page 163: ...he LAN zone Non admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL s zones to use SSL VPN for example 7 11 How to Allow Incoming H 323 Peer to peer Calls Suppose you have a H 323 device on the LAN for VoIP calls and you want it to be able to receive peer to peer calls from the WAN Here is an example of how to configure NAT and the firewall to have the ZyWALL forward H 32...

Page 164: ...Calls Example 7 11 1 Turn On the ALG Click Configuration Network ALG Select Enable H 323 ALG and Enable H 323 transformations and click Apply Figure 126 Configuration Network ALG 7 11 2 Set Up a NAT Policy For H 323 In this example you need a NAT policy to forward H 323 TCP port 1720 traffic received on the ZyWALL s 10 0 0 8 WAN IP address to LAN IP address 192 168 1 56 10 0 0 8 192 168 1 56 ...

Page 165: ...figuration Object Address Add to create an address object for the public WAN IP address called WAN_IP for H323 here Then use it again to create an address object for the H 323 device s private LAN IP address called LAN_H323 here Figure 127 Create Address Objects ...

Page 166: ... Original IP to the WAN address object WAN_IP for H323 Set the Mapped IP to the H 323 device s LAN IP address object LAN_H323 Set the Port Mapping Type to Port the Protocol Type to TCP and the original and mapped ports to 1720 Click OK Figure 128 Configuration Network NAT Add 7 11 3 Set Up a Firewall Rule For H 323 The default firewall rule for WAN to LAN traffic drops all traffic Here is how to c...

Page 167: ...LL applies NAT to traffic before applying the firewall rule Set the Service to H 323 Click OK Figure 129 Configuration Firewall Add 7 12 How to Allow Public Access to a Web Server This is an example of making an HTTP web server in the DMZ zone accessible from the Internet the WAN zone In this example you have public IP address 1 1 1 1 that you will use on the ge3 interface and map to the HTTP serv...

Page 168: ...1 1 1 Figure 132 Creating the Address Object for the Public IP Address 7 12 2 Configure NAT You need a NAT rule to send HTTP traffic coming to IP address 1 1 1 1 on ge3 to the HTTP server s private IP address of 192 168 3 7 In the Configuration Network NAT screen click the Add icon and create a new NAT entry as follows Set the Incoming Interface to ge3 Set the Original IP to the Public_HTTP_Server...

Page 169: ...tails Figure 133 Creating the NAT Entry 7 12 3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1 1 1 1 in order to access the HTTP server If a domain name is registered for IP address 1 1 1 1 users can just go to the domain name to access the web server ...

Page 170: ... DMZ_HTTP DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule Set the Access field to allow and the Service to HTTP and click OK Figure 134 Configuration Firewall Add 7 13 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet the WAN zone In this example you have public I...

Page 171: ...ZyWALL USG 300 User s Guide 171 address 1 1 1 2 that you will use on the ge3 interface and map to the IPPBX s private IP address of 192 168 3 7 The local SIP clients are on the LAN Figure 135 IPPBX Example Network Topology ...

Page 172: ... Transformations and click Apply Figure 136 Configuration Network ALG 7 13 2 Create the Address Objects Use Configuration Object Address Add to create the address objects 1 Create a host address object named IPPBX DMZ for the IPPBX s private DMZ IP address of 192 168 3 9 Figure 137 Creating the Address Object for the IPPBX s Private IP Address ...

Page 173: ... and also be able to send calls to the WAN so you set the Classification to NAT 1 1 Set the Incoming Interface to ge2 Set the Original IP to the WAN address object IPPBX Public If a domain name is registered for IP address 1 1 1 2 users can use it to connect to for making SIP calls Set the Mapped IP to the IPPBX s DMZ IP address object IPPBX DMZ Set the Port Mapping Type to Port the Protocol Type ...

Page 174: ...Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX If a domain name is registered for IP address 1 1 1 2 users can use it to connect to for making SIP calls ...

Page 175: ..._DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule Set the Access field to allow and click OK Figure 140 Configuration Firewall Add 7 13 5 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients o...

Page 176: ...ultiple Static Public WAN IP Addresses for LAN to WAN Traffic If your ISP gave you a range of static public IP addresses here is how to configure a policy route to have the ZyWALL use them for traffic it sends out from the LAN 7 14 1 Create the Public IP Address Range Object Click Configuration Object Address Add to create the address object that represents the range of static public IP addresses ...

Page 177: ...tional it is recommended This example uses LAN to WAN Range Specifying a Source Address is also optional although recommended This example uses LAN_SUBNET Set the Source Network Address Translation to Public IPs and click OK Figure 143 Configuring the Policy Route 7 15 How to Use Active Passive Device HA Here is an example of using device HA High Availability to backup ZyWALL A the master with ZyW...

Page 178: ...Takes Over Each ZyWALL s ge1 interface also has a separate management IP address that stays the same whether the ZyWALL functions as the master or a backup ZyWALL A s management IP address is 192 168 1 3 and ZyWALL B s is 192 168 1 5 Figure 145 Device HA Management IP Addresses 7 15 1 Before You Start ZyWALL A should already be configured You will use device HA to copy ZyWALL A s settings to B lat...

Page 179: ...WALL 1 Log into ZyWALL A the master and click Configuration Device HA Active Passive Mode Double click ge1 s entry 2 Configure 192 168 1 3 as the Management IP and 255 255 255 0 as the Manage IP Subnet Mask Click OK Figure 146 Configuration Device HA Active Passive Mode Edit Master ZyWALL Example ...

Page 180: ...rough the ge2 interface so select the ge1 and ge2 interfaces and click Activate Enter a Synchronization Password mySyncPassword in this example and click Apply Figure 147 Configuration Device HA Active Passive Mode Master ZyWALL Example 4 Click the General tab Turn on device HA and click Apply Figure 148 Configuration Device HA General Master ZyWALL Example ...

Page 181: ...the same subscription services like content filtering and anti virus to which ZyWALL A is subscribed See Chapter 11 on page 281 for more on the subscription services 2 In ZyWALL B click Configuration Device HA Active Passive Mode Click ge1 s Edit icon 3 Configure 192 168 1 5 as the Management IP and 255 255 255 0 as the Subnet Mask Click OK Figure 149 Configuration Device HA Active Passive Mode Ed...

Page 182: ...nization Server Address to 192 168 1 1 the Port to 21 and the Password to mySyncPassword Select Auto Synchronize and set the Interval to 60 Click Apply Figure 150 Configuration Device HA Active Passive Mode Backup ZyWALL Example 5 Click the General tab Turn on device HA and click Apply Figure 151 Configuration Device HA General Master ZyWALL Example ...

Page 183: ...B s management IP address 192 168 1 5 and check the configuration You can use the Maintenance File Manager Configuration File screen to save copies of the ZyWALLs configuration files that you can compare 2 To test your device HA configuration disconnect ZyWALL A s ge1 or ge2 interface Computers on LAN should still be able to access the Internet If they cannot check your connections and device HA c...

Page 184: ...Chapter 7 Tutorials ZyWALL USG 300 User s Guide 184 ...

Page 185: ...nnects through the Internet You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192 168 10 10 to 192 168 10 20 for use in the L2TP VPN tunnel The VPN rule allows the remote user to access the LAN_SUBNET which covers the 192 168 1 x subnet 8 2 Configuring the Default L2TP VPN Gateway Example 1 Click Configuration VPN Network IPSec VPN VPN Gateway to ...

Page 186: ...bnet as the specified My Address click Configure Network Routing Policy Route Show Advanced Settings and select Use Policy Route to Override Direct Route Select Pre Shared Key and configure a password This example uses top secret Click OK Figure 153 Configuration VPN IPSec VPN VPN Gateway Edit 2 Select the Default_L2TP_VPN_GW entry and click Activate and click Apply to turn on the entry Figure 154...

Page 187: ...Advanced Settings button Configure and enforce the local and remote policies Create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW The address object in this example uses the ge2 interface s IP address 172 16 1 2 and is named L2TP_IFACE Set the Application Scenario to Remote Access Server Role Set the Local Policy to use ...

Page 188: ...ck Configuration VPN L2TP VPN and configure the following Configure an IP address pool for the range of 192 168 10 10 to 192 168 10 20 It is called L2TP_POOL here Enable the connection Set the VPN Connection to the Default_L2TP_VPN_Connection Set the IP Address Pool to L2TP_POOL This example uses the default authentication method the ZyWALL s local user data base Select a user or group of users th...

Page 189: ... sections go along with the L2TP VPN configuration example in Section 8 1 on page 185 Before you configure the client issue one of the following commands from the Windows command prompt to make sure the computer is running the Microsoft IPSec service Make sure you include the quotes For Windows XP use net start ipsec services For Windows 2000 use net start ipsec policy agent 8 5 1 Configuring L2TP...

Page 190: ...SG 300 User s Guide 190 2 Select Connect to a workplace and click Next Figure 158 Set up a connection or network Chose a connection type 3 Select Use my Internet connection VPN Figure 159 Connect to a workplace How do you want to connect ...

Page 191: ...PN 172 16 1 2 in this example For the Destination Name enter L2TP to ZyWALL Select Don t connect now just set it up so I can connect later and click Next Figure 160 Connect to a workplace Type the Internet address to connect to 5 Enter the user name and password of a user account that can use the L2TP VPN connection and click Next Figure 161 Connect to a workplace Type your user name and password ...

Page 192: ...Guide 192 6 Click Close Figure 162 Connect to a workplace The connection is ready to use 7 In the Network and Sharing Center screen click Connect to a network Right click the L2TP VPN connection and select Properties Figure 163 Connect L2TP to ZyWALL ...

Page 193: ...ncryption to Optional encryption connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Click OK Figure 165 Connect ZyWALL L2TP Security Advanced 10 Click Yes When you use L2TP VPN to connect to the ZyWALL the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel ...

Page 194: ...Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings Figure 167 L2TP to ZyWALL Properties Networking 12 Select Use preshared key for authentication and enter the pre shared key of the VPN gateway configuration that the ZyWALL is using for L2TP VPN top secret in this example Click OK to close the IPSec Settings window and then click OK again to close the Properties window Figure 168 L2TP ...

Page 195: ...USG 300 User s Guide 195 13 Select the L2TP VPN connection and click Connect Figure 169 L2TP to ZyWALL Properties Networking 14 Enter the user name and password of your ZyWALL user account Click Connect Figure 170 Connect L2TP to ZyWALL ...

Page 196: ...word are verified and notifies you when the connection is established Figure 171 Connecting to L2TP to ZyWALL 16 If a window appears asking you to select a location for the network you can select Work if you want your computer to be discoverable by computers behind the ZyWALL Figure 172 Set Network Location ...

Page 197: ...r the network location has been set click Close Figure 173 Set Network Location Successful 18 After the connection is up a connection icon displays in your system tray Click it and then the L2TP connection to open a status screen Figure 174 Connection System Tray Icon ...

Page 198: ... status screen Figure 175 Network and Sharing Center 20 Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL 192 168 10 10 192 168 10 20 Figure 176 ZyWALL L2TP Status Details 21 Access a server or other network resource behind the ZyWALL to make sure your access works ...

Page 199: ...VPN connection 1 Click Start Control Panel Network Connections New Connection Wizard 2 Click Next in the Welcome screen 3 Select Connect to the network at my workplace and click Next Figure 177 New Connection Wizard Network Connection Type 4 Select Virtual Private Network connection and click Next Figure 178 New Connection Wizard Network Connection ...

Page 200: ...ZyWALL USG 300 User s Guide 200 5 Type L2TP to ZyWALL as the Company Name Figure 179 New Connection Wizard Connection Name 6 Select Do not dial the initial connection and click Next Figure 180 New Connection Wizard Public Network ...

Page 201: ...igured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN 172 16 1 2 in this example Figure 181 New Connection Wizard VPN Server Selection 8 Click Finish 9 The Connect L2TP to ZyWALL screen appears Click Properties Security Figure 182 Connect L2TP to ZyWALL 172 16 1 2 ...

Page 202: ...settings and click Settings Figure 183 Connect L2TP to ZyWALL Security 11 Select Optional encryption connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Click OK Figure 184 Connect ZyWALL L2TP Security Advanced ...

Page 203: ... Figure 185 L2TP to ZyWALL Properties Security 13 Select the Use pre shared key for authentication check box and enter the pre shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN Click OK Figure 186 L2TP to ZyWALL Properties Security IPSec Settings ...

Page 204: ... L2TP to ZyWALL Properties Networking 15 Enter the user name and password of your ZyWALL account Click Connect Figure 188 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified 17 A ZyWALL L2TP icon displays in your system tray Double click it to open a status screen Figure 189 ZyWALL L2TP System Tray Icon ...

Page 205: ...00 Windows 2000 does not support using pre shared keys by default Use the following procedures to edit the registry and then configure the computer to use the L2TP client 8 5 3 1 Editing the Windows 2000 Registry In Windows 2000 you need to create a registry entry and restart the computer to have it use pre shared keys 1 Click Start Run Type regedit and click OK Figure 191 Starting the Registry Ed...

Page 206: ...trolSet Services Rasman P arameters Figure 192 Registry Key 4 Right click Parameters and select New DWORD Value Figure 193 New DWORD Value 5 Enter ProhibitIpSec as the name And make sure the Data displays as 0 s Figure 194 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section ...

Page 207: ...000 IPSec Policy After you have created the registry entry and restarted the computer use these directions to configure an IPSec policy for the computer to use 1 Click Start Run Type mmc and click OK Figure 195 Run mmc 2 Click Console Add Remove Snap in Figure 196 Console Add Remove Snap in ...

Page 208: ...Add IP Security Policy Management Add Finish Click Close OK Figure 197 Add IP Security Policy Management Finish 4 Right click IP Security Policies on Local Machine and click Create IP Security Policy Click Next in the welcome screen Figure 198 Create IP Security Policy ...

Page 209: ...ser s Guide 209 5 Name the IP security policy L2TP to ZyWALL and click Next Figure 199 IP Security Policy Name 6 Clear the Activate the default response rule check box and click Next Figure 200 IP Security Policy Request for Secure Communication ...

Page 210: ... User s Guide 210 7 Leave the Edit Properties check box selected and click Finish Figure 201 IP Security Policy Completing the IP Security Policy Wizard 8 In the properties dialog box click Add Next Figure 202 IP Security Policy Properties Add ...

Page 211: ...300 User s Guide 211 9 Select This rule does not specify a tunnel and click Next Figure 203 IP Security Policy Properties Tunnel Endpoint 10 Select All network connections and click Next Figure 204 IP Security Policy Properties Network Type ...

Page 212: ...ide 212 11 Select Use this string to protect the key exchange preshared key type password in the text box and click Next Figure 205 IP Security Policy Properties Authentication Method 12 Click Add Figure 206 IP Security Policy Properties IP Filter List ...

Page 213: ...in the Addressing tab Select My IP Address in the Source address drop down list box Select A specific IP Address in the Destination address drop down list box and type the ZyWALL s WAN IP address 172 16 1 2 in this example in the IP Address field Make certain the Mirrored Also match packets with the exact opposite source and destination addresses check box is selected and click Apply Figure 208 Fi...

Page 214: ...llowing in the Filter Properties window s Protocol tab Set the protocol type to UDP from port 1701 Select To any port Click Apply OK and then Close Figure 209 Filter Properties Protocol 16 Select ZyWALL WAN_IP and click Next Figure 210 IP Security Policy Properties IP Filter List ...

Page 215: ...d Close Figure 211 IP Security Policy Properties IP Filter List 18 In the Console window right click L2TP to ZyWALL and select Assign Figure 212 Console L2TP to ZyWALL Assign 8 5 3 3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy use these directions to create a network connection ...

Page 216: ...e 213 Start New Connection Wizard 2 Select Connect to a private network through the Internet and click Next Figure 214 New Connection Wizard Network Connection Type 3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN Click Next Figure 215 New Connection Wizard Destination Address 172 16 1 2 ...

Page 217: ...7 4 Select For all users and click Next Figure 216 New Connection Wizard Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish Figure 217 New Connection Wizard Naming the Connection 6 Click Properties Figure 218 Connect L2TP to ZyWALL ...

Page 218: ...Settings Figure 219 Connect L2TP to ZyWALL Security 8 Select Optional encryption allowed connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Click OK Click Yes if a screen pops up Figure 220 Connect L2TP to ZyWALL Security Advanced ...

Page 219: ...k OK Figure 221 Connect L2TP to ZyWALL Networking 10 Enter your user name and password and click Connect It may take up to one minute to establish the connection and register on the network Figure 222 Connect L2TP to ZyWALL 11 A ZyWALL L2TP icon displays in your system tray Double click it to open a status screen Figure 223 ZyWALL L2TP System Tray Icon ...

Page 220: ...tails and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL 192 168 10 10 192 168 10 20 Figure 224 L2TP to ZyWALL Status Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works ...

Page 221: ...221 PART II Technical Reference ...

Page 222: ...222 ...

Page 223: ...rmation Use the VPN status screen see Section 9 2 1 on page 231 to look at the VPN tunnels that are currently established Use the DHCP Table screen see Section 9 2 5 on page 234 to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses Use the Current Users screen see Section 9 2 6 on page 235 to look at a list of the users currently lo...

Page 224: ... widget Refresh Time Setting C Set the interval for refreshing the information displayed in the widget Refresh Now D Click this to update the widget s information immediately Close this Module E Click this to close the widget Use Widget Setting to re open it Virtual Device Rear Panel Click this to view details about the ZyWALL s rear panel Hover your cursor over a connected interface or slot to di...

Page 225: ...part of a port group and is not connected The status for an installed WLAN card is none For cellular 3G interfaces see Section 13 5 on page 317 for the status that can appear For the auxiliary interface Inactive The auxiliary interface is disabled Connected The auxiliary interface is enabled and connected Disconnected The auxiliary interface is not connected HA Status This field displays the statu...

Page 226: ...you can upload firmware See Section 52 3 on page 894 System Status System Uptime This field displays how long the ZyWALL has been running since it last restarted or was turned on Current Date Time This field displays the current date and time in the ZyWALL The format is yyyy mm dd hh mm ss VPN Status Click this to look at the VPN tunnels that are currently established See Section 9 2 1 on page 231...

Page 227: ... Hover your cursor over this field to display the Show CPU Usage icon that takes you to a chart of the ZyWALL s recent CPU usage Memory Usage This field displays what percentage of the ZyWALL s RAM is currently being used Hover your cursor over this field to display the Show Memory Usage icon that takes you to a chart of the ZyWALL s recent memory usage Flash Usage This field displays what percent...

Page 228: ...appear For the auxiliary interface Inactive The auxiliary interface is disabled Connected The auxiliary interface is enabled and connected Disconnected The auxiliary interface is not connected For PPP interfaces Connected The PPP interface is connected Disconnected The PPP interface is not connected If the PPP interface is disabled it does not appear in the list For WLAN interfaces Up The WLAN int...

Page 229: ... device is detected USB Flash Drive Indicates a connected USB storage device and the drive s storage capacity Status The status for an installed WLAN card is none For cellular 3G interfaces see Section 10 11 on page 256 for the status that can appear Ready A USB storage device connected to the ZyWALL is ready for the ZyWALL to use Unused The ZyWALL is unable to mount a USB storage device connected...

Page 230: ...P address of virus infected files that the ZyWALL has detected Destination IP This is the destination IP address of virus infected files that the ZyWALL has detected Occurrence This is how many times the ZyWALL has detected the event described in the entry Top 5 Intrusions This is the entry s rank in the list of the most commonly detected intrusions Signature ID This is the IDentification number o...

Page 231: ... Figure 226 Dashboard CPU Usage The following table describes the labels in this screen Table 23 Dashboard CPU Usage LABEL DESCRIPTION The y axis represents the percentage of CPU usage The x axis shows the time period over which the CPU usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Click this to update the information in the window right a...

Page 232: ...ard Figure 227 Dashboard Memory Usage The following table describes the labels in this screen Table 24 Dashboard Memory Usage LABEL DESCRIPTION The y axis represents the percentage of RAM usage The x axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Click this to update the information in the windo...

Page 233: ...rd Figure 228 Dashboard Session Usage The following table describes the labels in this screen Table 25 Dashboard Session Usage LABEL DESCRIPTION Sessions The y axis represents the number of session The x axis shows the time period over which the session usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Click this to update the information in t...

Page 234: ...s reserved for specific MAC addresses To access this screen click the icon beside DHCP Table in the dashboard Figure 230 Dashboard DHCP Table Table 26 Dashboard VPN Status LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific SA Name This field displays the name of the IPSec SA Encapsulation This field displays how the IPSec SA is encapsulated Algorithm This f...

Page 235: ...sort order Host Name This field displays the name used to identify this device on the network the computer name The ZyWALL learns these from the DHCP client requests None shows here for a static DHCP entry MAC Address This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved Click the column s heading cell to sort the table entries by...

Page 236: ...ield displays the user name of each user who is currently logged in to the ZyWALL Reauth Lease T This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user See Chapter 40 on page 723 Type This field displays the way the user logged in to the ZyWALL IP address This field displays the IP address of the computer used to log in to the ZyWALL ...

Page 237: ...age 248 to view sessions by user or service Use the System Status DDNS Status screen see Section 10 6 on page 250 to view the status of the ZyWALL s DDNS domain names The System Status IP MAC Binding screen Section 10 7 on page 251 lists the devices that have received an IP address from ZyWALL interfaces with IP MAC binding enabled Use the System Status Login Users screen Section 10 8 on page 252 ...

Page 238: ... Statistics Content Filter screen Section 10 18 on page 271 to start or stop data collection and view content filter statistics Use the Anti X Statistics Content Filter Cache screen Section 10 19 on page 272 to view and configure your ZyWALL s URL caching Use the Anti X Statistics Anti Spam screen Section 10 20 on page 275 to start or stop data collection and view spam statistics Use the Anti X St...

Page 239: ... is not connected Speed Duplex The physical port is connected This field displays the port speed and duplex setting Full or Half TxPkts This field displays the number of packets transmitted from the ZyWALL on the physical port since it was last connected RxPkts This field displays the number of packets received by the ZyWALL on the physical port since it was last connected Collisions This field di...

Page 240: ...TION Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the window right away Port Selection Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the port statistics as a table bps The y axis represents the speed of transmission or reception time The...

Page 241: ...atus Interface Status to access this screen Figure 234 Monitor System Status Interface Status Last Update This field displays the date and time the information in the window was last updated System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on Table 30 Monitor System Status Port Statistics Switch to Graphic View LABEL DESCRIPTION ...

Page 242: ...ical ports associated with it its entry is displayed in light gray text Expand Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces Name This field displays the name of each interface If there is a Expand icon plus sign next to the name click this to look at the status of virtual interfaces on top of this interface Port This field disp...

Page 243: ...interface is enabled and connected Disconnected The auxiliary interface is not connected For virtual interfaces this field always displays Up If the virtual interface is disabled it does not appear in the list For VLAN and bridge interfaces this field always displays Up If the VLAN or bridge interface is disabled it does not appear in the list For PPP interfaces Connected The PPP interface is conn...

Page 244: ...rface cannot use one of these ways to get or to update its IP address this field displays n a Interface Statistics This table provides packet statistics for each interface Refresh Click this button to update the information in the screen Expand Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces Name This field displays the name of ea...

Page 245: ...e cases because the ZyWALL counts HTTP GET packets Please see Table 32 on page 246 for more information Most used protocols or service ports and the amount of traffic on each one LAN IP with heaviest traffic and how much traffic has been sent to and from each one You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports You can...

Page 246: ...ic for each one Web Site Hits displays the most visited Web sites and how many times each one has been visited Each type of report has different information in the report below Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display These fields are available when the Traffic Type is Host IP Address...

Page 247: ...yed The unit of measure is bytes Kbytes Mbytes Gbytes or Tbytes depending on the amount of traffic for the particular protocol or service port The count starts over at zero if the number of bytes passes the byte count limit See Table 33 on page 247 These fields are available when the Traffic Type is Web Site Hits This field is the rank of each record The domain names are sorted by the number of hi...

Page 248: ... Protocol or service port used Source address Destination address Number of bytes received so far Number of bytes transmitted so far Duration so far You can look at all the active sessions by user service source IP address or destination IP address You can also filter the information by user protocol service or service group source address and or destination address and view it by user Click Monit...

Page 249: ... part of the user name or use wildcards in this field you must enter the whole user name Service This field displays when View is set to all sessions Select the service or service group whose sessions you want to view The ZyWALL identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each services that is defined See Chapter 42 on page 745 f...

Page 250: ...s the destination IP address and port in each active session If you are looking at the sessions by destination IP report click or to display or hide details about a destination IP address s sessions Rx This field displays the amount of information received by the source in the active session Tx This field displays the amount of information transmitted by the source in the active session Duration T...

Page 251: ...s the ZyWALL is currently attempting to resolve the IP address for the domain name Last Update Time This shows when the last attempt to resolve the IP address for the domain name occurred in year month day hour minute second format Table 35 Monitor System Status DDNS Status continued LABEL DESCRIPTION Table 36 Monitor System Status IP MAC Binding LABEL DESCRIPTION Interface Select a ZyWALL interfa...

Page 252: ... Status IP MAC Binding continued LABEL DESCRIPTION Table 37 Monitor System Status Login Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry User ID This field displays the user name of each user who is currently logged in to the ZyWALL Reauth Lease T This field displays the amount of reauthentication time remaining and the amount of lease time remaining fo...

Page 253: ...the index number of the MAC address MAC Address This displays the MAC address in XX XX XX XX XX XX format of a connected wireless station Strength This displays the strength of the wireless client s radio signal The signal strength mainly depends on the antenna output power and the wireless client s distance from the ZyWALL Connect Rate This displays what data transfer rate of the wireless client ...

Page 254: ...ellular Status The following table describes the labels in this screen Table 39 Monitor System Status Cellular Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen This field is a sequential value and it is not associated with any interface Extension Slot This field displays where the entry s cellular card is located Connected Device This field displays the mo...

Page 255: ...e is searching for a network Get signal fail The 3G device cannot get a signal from a network Network found The 3G device found a network Apply config The ZyWALL is applying your configuration to the 3G device Inactive The 3G interface is disabled Active The 3G interface is enabled Incorrect device The connected 3G device is not compatible with the ZyWALL Correct device The ZyWALL detected a compa...

Page 256: ...e Info This field displays other details about the 3G connection Table 39 Monitor System Status Cellular Status continued LABEL DESCRIPTION Table 40 Monitor System Status USB Storage LABEL DESCRIPTION Device description This is a basic description of the type of USB device Usage This field displays how much of the USB storage device s capacity is currently being used out of its total capacity and ...

Page 257: ...to have the ZyWALL mount a connected USB storage device This button is grayed out if the file system is not supported unknown by the ZyWALL none no USB storage device is connected Detail This field displays any other information the ZyWALL retrieves from the USB storage device Deactivated the use of a USB storage device is disabled turned off on the ZyWALL OutofSpace the available disk space is le...

Page 258: ...scribes the labels in this screen Table 41 Monitor AppPatrol Statistics General Settings LABEL DESCRIPTION Refresh Interval Select how often you want the statistics display to update Display Protocols Select the protocols for which to display statistics Select All selects all of the protocols Clear All clears all of the protocols Click Expand to display individual protocols Collapse hides them Sta...

Page 259: ...istics The y axis represents the amount of bandwidth used The x axis shows the time period over which the bandwidth usage occurred A solid line represents a protocol s incoming bandwidth usage This is the protocol s traffic that the ZyWALL sends to the initiator of the connection A dotted line represents a protocol s outgoing bandwidth usage This is the protocol s traffic that the ZyWALL sends out...

Page 260: ... application s traffic the ZyWALL has sent in kilobytes Dropped Data KB This is how much of the application s traffic the ZyWALL has discarded without notifying the client in kilobytes This traffic was dropped because it matched an application policy set to drop Rejected Data KB This is how much of the application s traffic the ZyWALL has discarded and notified the client that the traffic was reje...

Page 261: ...und traffic Outbound Kbps This is the outgoing bandwidth usage for traffic that matched this protocol rule in kilobits per second This is the protocol s traffic that the ZyWALL sends out from the initiator of the connection So for a connection initiated from the LAN to the WAN the traffic sent from the LAN to the WAN is the outbound traffic Forwarded Data KB This is how much of the application s t...

Page 262: ...tion initiated from the LAN to the WAN the traffic sent from the WAN to the LAN is the inbound traffic Outbound Kbps This is the outgoing bandwidth usage for traffic that matched this protocol rule in kilobits per second This is the protocol s traffic that the ZyWALL sends out from the initiator of the connection So for a connection initiated from the LAN to the WAN the traffic sent from the LAN t...

Page 263: ...licies for an IPSec SA and click Search to find it You can use a keyword or regular expression Use up to 30 alphanumeric and _ characters See Section 10 13 1 on page 264 for more details Search Click this button to search for an IPSec SA that matches the information you specified above Disconnect Select an IPSec SA and click this button to disconnect it Total Connection This field displays the tot...

Page 264: ...e VPN connection or policy name has to match if you do not use a question mark or asterisk Encapsulation This field displays how the IPSec SA is encapsulated Policy This field displays the content of the local and remote policies for this IPSec SA The IP addresses not the address objects are displayed Algorithm This field displays the encryption and authentication algorithms used in the SA Up Time...

Page 265: ...L LABEL DESCRIPTION Disconnect Select a connection and click this button to terminate the user s connection and delete corresponding session information from the ZyWALL This field displays the index number User This field displays the account user name used to establish thisSSL VPN connection Access This field displays the name of the SSL VPN application the user is accessing Login Address This fi...

Page 266: ...onitor L2TP over IPSec LABEL DESCRIPTION Disconnect Select a connection and click this button to disconnect it This is the index number of a current L2TP VPN session User Name This field displays the remote user s user name Hostname This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL Assigned IP This field displays the IP address that the ZyWALL assigned ...

Page 267: ... in this screen are for the time period starting at the time displayed here The format is year month day and hour minute second All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Refre...

Page 268: ... the most virus infected files Select Destination IP to list the most common destination IP addresses for virus infected files that ZyWALL has detected This field displays the entry s rank in the list of the top entries Virus name This column displays when you display the entries by Virus Name This displays the name of a detected virus Source IP This column displays when you display the entries by...

Page 269: ...ute second All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statist...

Page 270: ... top entries Signature Name This column displays when you display the entries by Signature Name The signature name identifies a specific intrusion pattern Click the hyperlink for more detailed information on the intrusion Type This column displays when you display the entries by Signature Name It shows the categories of intrusions See Table 164 on page 606 for more information Severity This column...

Page 271: ...isplays after you click Apply All of the statistics in this screen are for the time period starting at the time displayed here The format is year month day and hour minute second All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to...

Page 272: ...ation Restricted Web Features This is the number of web pages to which the ZyWALL did not allow access due to the content filtering custom service s restricted web features configuration Forbidden Web Sites This is the number of web pages to which the ZyWALL did not allow access because they matched the content filtering custom service s forbidden web sites list URL Keywords This is the number of ...

Page 273: ...s by that column s criteria Click the heading cell again to reverse the sort order Figure 257 Anti X Content Filter Cache The following table describes the labels in this screen Table 50 Anti X Content Filter Cache LABEL DESCRIPTION URL Cache Entry Refresh Click this button to reload the list of content filter cache entries Flush Click this button to clear all web site addresses from the cache man...

Page 274: ...tes left before the URL entry is discarded from the cache URL Cache Setup Maximum TTL Type the maximum time to live TTL 1 to 720 hours This sets how long the ZyWALL is to keep an entry in the URL cache before discarding it The external content filtering database frequently adds previously un categorized web sites and sometimes changes a web site s category Setting this limit higher will speed up t...

Page 275: ...his screen are for the time period starting at the time displayed here The format is year month day and hour minute second All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Refresh Cl...

Page 276: ...hreshold Mail Sessions Dropped This is how many e mail sessions the ZyWALL dropped because they exceeded the maximum number of e mail sessions that the anti spam feature can check at a time You can see the ZyWALL s threshold of concurrent e mail sessions in the Anti Spam Status screen Use the Anti Spam General screen to set whether the ZyWALL forwards or drops sessions that exceed this threshold T...

Page 277: ...he lighter shaded part of the bar and the pop up show the historical high The first number to the right of the bar is how many e mail sessions the ZyWALL is presently checking for spam Th e second number is the maximum number of e mail sessions that the ZyWALL can check at once An e mail session is when an e mail client and e mail server or two e mail servers connect through the ZyWALL DNSBL Stati...

Page 278: ...ss this screen click Monitor Log The log is displayed in the following screen Note When a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first For individual log descriptions see Appendix A on page 949 For the maximum number of log messages in the ZyWALL see Chapter 58 on page 941 Events th...

Page 279: ...Interface This displays when you show the filter Select the source interface of the packet that generated the log message Destination Interface This displays when you show the filter Select the destination interface of the packet that generated the log message Service This displays when you show the filter Select the service whose log messages you would like to see The W eb Configurator uses the p...

Page 280: ... displays the reason the log message was generated The text count x where x is a number appears at the end of the Message field if log consolidation is turned on see Log Consolidation in Table 257 on page 874 and multiple entries were aggregated to generate into this one Source This field displays the source IP address and the port number in the event that generated the log message Destination Thi...

Page 281: ...L com myZyXEL com is ZyXEL s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL To update signature files or use a subscription service you have to register the ZyWALL and activate the corresponding service at myZyXEL com through the ZyWALL Note You need to create a myZyXEL com account before you can register your device and activate...

Page 282: ...not a separate trial period for each anti virus engine After the trial expires you need to purchase an iCard for the anti virus engine you want to use and enter the PIN number license key in the Registration Service screen You must use the ZyXEL anti virus iCard for the ZyXEL anti virus engine and the Kaspersky anti virus iCard for the Kaspersky anti virus engine If you were already using an iCard...

Page 283: ...istration Screen Use this screen to register your ZyWALL with myZyXEL com and activate a service such as content filtering Click Configuration Licensing Registration in the navigation panel to open the screen as shown next Figure 261 Configuration Licensing Registration ...

Page 284: ...You can use up to 80 alphanumeric characters periods and the underscore are also allowed without spaces Country Select your country from the drop down box list Seller Details Use this section to enter your seller information Seller s Name Enter your seller s name Seller s E mail Enter your seller s e mail address Seller s Contact Number Enter your seller s phone number VAT Number Enter your seller...

Page 285: ... network After the service is activated the ZyWALL can download the up to date signature files from the update server http myupdate zywall zyxel com You will get automatic e mail notification of new signature releases from mySecurityZone after you activate the IDP AppPatrol service You can also check for new signatures at http mysecurity zyxel com Content Filter Category Service The content filter...

Page 286: ...in the list Service This lists the services that available on the ZyWALL Status This field displays whether a service is activated Licensed or not Not Licensed or expired Expired Registration Type This field displays whether you applied for a trial application Trial or registered a service with your iCard s PIN number Standard This field is blank when a service is not activated For an anti virus s...

Page 287: ...ription If a standard service subscription runs out you need to buy a new iCard specific to your ZyWALL and enter the new PIN number to extend the service Service License Refresh Click this button to renew service license information such as the registration status and expiration day Table 55 Configuration Licensing Registration Service continued LABEL DESCRIPTION ...

Page 288: ...Chapter 11 Registration ZyWALL USG 300 User s Guide 288 ...

Page 289: ...n page 595 for details on IDP See Chapter 32 on page 553 for details on application patrol Use the Configuration Licensing Update System Protect screen Section 12 4 on page 293 to update the system protection signatures 12 1 2 What you Need to Know You need a valid service registration to update the anti virus signatures and the IDP AppPatrol signatures You do not need a service registration to up...

Page 290: ...rsion 2 11 and updating the anti virus signatures automatically upgrades the ZyXEL anti virus engine to v2 0 v2 0 has more virus signatures and offers improved non executable file scan throughput Current Version This field displays the anti virus signatures version number currently used by the ZyWALL This number is defined by the ZyXEL Security Response Team ZSRT who maintain and update them This ...

Page 291: ...re found they are then downloaded to the ZyWALL Update Now Click this button to have the ZyWALL check for new signatures immediately If there are new ones the ZyWALL will then download them Auto Update Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and day specified You should select a time when your network is not busy for minimal interruptio...

Page 292: ...mber of IDP signatures in this set This number usually gets larger as the set is enhanced Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones Released Date This field displays the date and time the set was released Signature Update Use these fields to have the ZyWALL check for new IDP signatures at myZyXEL com If new signatures are found...

Page 293: ...ystem protection feature is enabled by default and can only be disabled via the commands You do not need an IDP subscription to use the system protection feature or to download updated system protection signatures Figure 266 Configuration Licensing Update System Protect Daily Select this option to have the ZyWALL check for new IDP signatures everyday at the specified time The time format is the 24...

Page 294: ... these fields to have the ZyWALL check for new signatures at myZyXEL com If new signatures are found they are then downloaded to the ZyWALL Update Now Click this button to have the ZyWALL check for new signatures immediately If there are new ones the ZyWALL will then download them Auto Update Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and ...

Page 295: ...gure the Ethernet interfaces Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces Use the PPP screens Section 13 4 on page 310 for PPPoE or PPTP Internet connections Use the Cellular screens Section 13 5 on page 317 to configure settings for interfaces for Internet connections through an installed 3G card Use...

Page 296: ...ysical ports at the layer 2 data link MAC address level Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces VLAN interfaces receive and send tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a softwa...

Page 297: ...e vlan2 are called vlan2 1 vlan2 2 and so on You cannot specify the number after the colon in the Web Configurator it is a sequential number You can specify the number after the colon if you use the CLI to set up a virtual interface Relationships Between Interfaces In the ZyWALL interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the ph...

Page 298: ... Section 7 1 on page 117 for an example of configuring Ethernet interfaces port grouping and zones See Section 7 2 on page 120 for an example of configuring a cellular 3G interface See Section 7 4 on page 125 for an example of setting up a wireless LAN See Chapter 14 on page 369 to configure load balancing using trunks VLAN interface Ethernet interface bridge interface Ethernet interface VLAN inte...

Page 299: ...rfaces If you assign more than one physical port to a representative interface you create a port group Port groups have the following characteristics There is a layer 2 Ethernet switch between physical ports in the port group This provides wire speed throughput but no security It can increase the bandwidth between the port group and other interfaces 13 2 2 Port Grouping Screen Define the relations...

Page 300: ...s exchange routing information with other routers and how much information is exchanged through each one The more routing information is exchanged the more efficient the routers should be However the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management The ZyWALL supports two routing protocols RIP and OSPF See Chapter 16...

Page 301: ...click Create Virtual Interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the...

Page 302: ... interfaces to do the following things Enable and disable RIP in the underlying physical port or port group Select which direction s routing information is exchanged The ZyWALL can receive routing information send routing information or do both Select which version of RIP to support in each direction The ZyWALL supports RIP 1 RIP 2 and both versions Select the broadcasting method used by RIP 2 pac...

Page 303: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 303 Figure 269 Configuration Network Interface Ethernet Edit ...

Page 304: ...ou must manually configure a policy route to add routing and SNAT settings for the interface Interface Name Specify a name for the interface It can use alphanumeric characters hyphens and underscores and it can be up to 11 characters long Port This is the name of the Ethernet interface s physical port Zone Select the zone to which this interface is to belong You use zones to apply security setting...

Page 305: ...lowed values are 0 1048576 Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the ZyWALL divides it into s...

Page 306: ...re is already a DHCP server on the network DHCP Relay the ZyWALL routes DHCP requests to one or more DHCP servers you specify The DHCP server s may be on another network DHCP Server the ZyWALL assigns IP addresses and provides subnet mask gateway and DNS server information to the network The ZyWALL is the DHCP server for the network These fields appear if the ZyWALL is a DHCP Relay Relay Server 1 ...

Page 307: ...the computer names on your network and the IP addresses that they are currently using Lease time Specify how long each computer can use the information especially the IP address before it has to request the information again Choices are infinite select this if IP addresses never expire days hours and minutes select this to enter how long IP addresses are valid Enable IP MAC Binding Select this opt...

Page 308: ...ackets using subnet broadcasting otherwise the ZyWALL uses multicasting OSPF Setting See Section 16 3 on page 397 for more information about OSPF Area Select the area in which this inte rface belongs Select None to disable OSPF in this interface Priority Enter the priority between 0 and 255 of this interface when the area is looking for a Designated Router DR or Backup Designated Router BDR The hi...

Page 309: ... assigned default MAC address By default the ZyWALL uses the factory assigned MAC address to identify itself Overwrite Default MAC Address Select this option to have the interface use a different MAC address Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning Once it is successfully configured the address wi...

Page 310: ...display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service s configuration screen in the main window Priority If it is applicable this field lists the referencing configuration item s position in its list ot...

Page 311: ...the protocol PPPoE or PPTP as well as your ISP account information If you change ISPs later you only have to create a new ISP account not a new PPPoE PPTP interface You should not have to change any network policies You do not set up the subnet mask or gateway PPPoE PPTP interfaces are interfaces between the ZyWALL and only one computer Therefore the subnet mask is always 255 255 255 255 In additi...

Page 312: ... a user configured PPP interface select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect You might use this in testing the interface orto manually establish the connection for a Dial on Dema...

Page 313: ...is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field displays the name of the interface Base Interface This field displays the interface on the top of which the PPPoE PPTP interface is Account Profile This field displays the ISP account used by this PPPoE PPTP interface Apply Click Apply to save y...

Page 314: ...Network Interface PPP Add Each field is explained in the following table Table 65 Configuration Network Interface PPP Add LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields General Settings ...

Page 315: ...ection available ISP Setting Account Profile Select the ISP account that this PPPoE PPTP interface uses The drop down box lists ISP accounts by name Use Create new Object if you need to configure a new ISP account see Chapter 47 on page 795 for details Protocol This field is read only It displays the protocol specified in the ISP account User Name This field is read only It displays the user name ...

Page 316: ...ct this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attemp...

Page 317: ...o users when they send data It allows fast transfer of voice and non voice data and provides broadband Internet access to mobile devices Note The actual data rate you obtain varies depending on the 3G card you use the signal strength to the service provider s base station and so on OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table 65 C...

Page 318: ...a hybrid 2 5G 3G protocol of mobile telecommunications standards that use CDMA a multiple access scheme for digital radio CDMA2000 1xRTT 1 times Radio Transmission Technology is the core CDMA2000 wireless air interface standard It is also known as 1x 1xRTT or IS 2000 and considered to be a 2 5G or 2 75G technology 2 75G Packet switched Enhanced Data rates for GSM Evolution EDGE Enhanced GPRS EGPRS...

Page 319: ...elect it and click Connect You might use this in testing the interface or to manually establish the connection Disconnect To disconnect an interface select it and click Disconnect You might use this in testing the interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field ...

Page 320: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 320 Figure 275 Configuration Network Interface Cellular Add ...

Page 321: ...y Nailed Up Select this if the connection should always be up Clear this to have the ZyWALL to establish the connection only when there is traffic You might not nail up the connection if there is little traffic through the interface or if it costs money to keep the connection available Idle timeout This value specifies the time in seconds 0 360 that elapses before the ZyWALL automatically disconne...

Page 322: ...s are not allowed Password This field displays when you select an authentication type other than None This field is read only if you selected Device in the profile selection and the password is included in the 3G card s profile If this field is configurable enter the password for this SIM card exactly as the service provider gave it to you You can use 0 63 alphanumeric and _ characters Spaces are ...

Page 323: ...n on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeo...

Page 324: ...fy the type of network to use if you are charged differently for different types of network or you only have one type of network available to you Select GPRS EDGE GSM only to have this interface only use a 2 5G or 2 75G network respectively If you only have a GSM network available to you you may want to select this so the ZyWALL does not spend time looking for a WCDMA network Select UMTS HSDPA WCD...

Page 325: ... time or data limit is exceeded Log Select None to not create a log Log to create a log or Log alert to create an alert log If you select Log or Log alert you can also select recurring every to have the ZyWALL send a log or alert for this event periodically Specify how often from 1 to 65535 minutes to send the log or alert New 3G connection Select Allow to permit new 3G connections or Disallow to ...

Page 326: ... the name of the wireless network It stands for Service Set IDentity Different wireless networks in the same area should use different channels Like radio stations or television channels each wireless network uses a specific channel or frequency to send and receive information Every wireless client in a wireless network must use security compatible with the AP Security stops unauthorized devices f...

Page 327: ...een Table 69 Configuration Network Interface WLAN LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields WLAN Device Settings Extension Slot Select the slot for which you want to configure wireless device settings Enable WLAN Device Select this to turn on the wireless LAN card It is recommended that you configur...

Page 328: ...e Set the RTS CTS equal to or higher than the fragmentation threshold to turn RTS CTS off Fragmentation Threshold This is the threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Output Power Select the percentage of output power that this WLAN card is to use If there is a high density of APs in the area decrease the o...

Page 329: ... according to the security features you select It displays as shown next when you set the Security Type to none IP Address This field displays the current IP address of the WLAN interface If the IP address is 0 0 0 0 the interface does not have an IP address yet This screen also shows whether the IP address is a static IP address STATIC or dynamically assigned DHCP IP addresses are always static i...

Page 330: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 330 Figure 278 Configuration Network Interface WLAN Add No Security ...

Page 331: ...omething that is difficult to guess Hide SSID Broadcast Select to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning Block Intra BSS Traffic Select this to prevent wireless clients in this profile s BSS from communicating with one another Maximum Associations Specify the highest number of wireless clients that are allowed to connect to the wireless inte...

Page 332: ...500 DHCP Settings DHCP Select what type of DHCP service the ZyWALL provides to the wireless network Choices are None the ZyWALL does not provide any DHCP services There is already a DHCP server on the network DHCP Relay the ZyWALL routes DHCP requests to one or more DHCP servers you specify The DHCP server s may be on another network DHCP Server the ZyWALL assigns IP addresses and provides subnet ...

Page 333: ...P clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Lease time Specify how long each computer can use the information especially the IP address before it has to request the information again Choices are infinite select this if IP addresses never expire days hours and minutes select this to enter how long IP addres...

Page 334: ...rity to zero if the interface can not be the DR or BDR Link Cost Enter the cost between 1 and 65 535 to route packets through this interface Passive Interface Select this to stop forwarding OSPF routing information from the selected interface As a result this interface only receives routing information Authentication Select an authentication method or disable authentication To exchange OSPF routin...

Page 335: ...echanism Use the strongest security mechanism that all the wireless devices in your network support For example use WPA PSK or WPA2 PSK or WPA or WPA2 if your wireless devices support it If your wireless devices support nothing stronger than WEP use the highest encryption level available To configure and enable WEP encryption click Configuration Network Interface WLAN Add or Edit to open the WLAN ...

Page 336: ...rface WLAN Add WPA PSK WPA2 PSK or WPA WPA2 PSK Security Table 72 Configuration Network Interface WLAN Add WEP Security LABEL DESCRIPTION WEP Encryption WEP Wired Equivalent Privacy provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network Select 64 bit WEP or 128 bit WEP to enable data encryption Key 1 to Key 4 If you chose 64 bit...

Page 337: ...ncryption mechanisms used for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected N...

Page 338: ...you set the Authentication Type field to Auth Method Select an authentication method object that defines how the ZyWALL authenticates a wireless user The ZyWALL s default configuration also includes an authentication method object named default that you can use You can configure the default authentication method object but it s default configuration uses the ZyWALL s local database for authenticat...

Page 339: ...US server s listening port number the default is 1812 Radius Server Secret Enter a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the ZyWALL The key is not sent over the network This key must be the same on the external authentication server and ZyWALL ReAuthentication Timer Specify how often wireless stations have to resend user na...

Page 340: ...listed will be denied access to the router Add Click this to add an entry to the table Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This is the index number of the MAC address MAC Address This displays the MAC address in XX XX XX XX XX X...

Page 341: ...onnected to hubs and the hubs are connected to the router Alternatively you can divide the physical networks into three VLANs Figure 284 Example After VLAN Each VLAN is a separate network with separate IP addresses subnet masks and gateways Each VLAN also has a unique identification number ID The ID is a 12 bit value that is stored in the MAC header The VLANs are connected to switches and the swit...

Page 342: ... example you can create different content filtering rules for each VLAN each department in the example above and you can set different bandwidth limits for each VLAN These rules are also independent of the physical network so you can change the physical network without changing policies In this example the new switch handles the following types of traffic Inside VLAN 2 Between the router and VLAN ...

Page 343: ...ace To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry ...

Page 344: ...s screen click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen The following screen appears Mask This field displays the interface s subnet mask in dot decimal notation Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 76 Configuration Network Interfac...

Page 345: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 345 Figure 286 Configuration Network Interface VLAN Edit ...

Page 346: ...095 are reserved Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment Get Automatically Select this if this interface is a DHCP client In this case the DHCP server configures the IP address subnet mask and gateway automatically You should not select this if the interface is ...

Page 347: ...a failure and how many consecutive failures are required before the ZyWALL stops routing to the gateway The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to...

Page 348: ...ress broadcast address and the interface s IP address Pool Size Enter the number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For example if the Subnet Mask is 255 255 255 0 and IP Pool Start Address is 10 10 10 10 the ZyWALL can allocate 10 10 10 10 to 10 10 10 254 or 245 IP addresses If this field is blank the IP Pool Start Address mu...

Page 349: ... able to modify it Remove Select an entry and click this to delete it This field is a sequential value and it is not associated with a specific entry IP Address Enter the IP address to assign to a device with this entry s MAC address MAC Address Enter the MAC address to which to assign this entry s IP address Description Enter a description to help identify this static DHCP entry You can use alpha...

Page 350: ...n method in the area None disable authentication Text authenticate OSPF routing information using a plain text password MD5 authenticate OSPF routing information using MD5 encryption Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore and it can be up to 16 characte...

Page 351: ...table It also looks up the destination MAC address in the table If the bridge knows on which port the destination MAC address is located it sends the packet to that port If the destination MAC address is not in the table the bridge broadcasts the packet on every port except the one on which it was received In the example above computer A sends a packet to computer B Bridge X records the source add...

Page 352: ...aces Any number of Ethernet interfaces and any associated virtual Ethernet interfaces When you create a bridge interface the ZyWALL removes the members entries from the routing table and adds the bridge interface s entries to the routing table For example this table shows the routing table before and after you create bridge interface br0 250 250 250 0 23 between ge1 and vlan1 In this example virtu...

Page 353: ...where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed wh...

Page 354: ...nfigure IP address assignment interface bandwidth parameters DHCP settings and connectivity check for each bridge interface To access this screen click the Add icon at the top of the Add column in the Bridge Summary screen or click an Edit icon in the Bridge Summary screen The following screen appears ...

Page 355: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 355 Figure 288 Configuration Network Interface Bridge Add ...

Page 356: ...f the bridge interface An interface is not available in the following situations There is a virtual interface on top of it It is already used in a different bridge interface Select one and click the arrow to add it to the bridge interface Each bridge interface can only have one VLAN interface Member This field displays the interfaces that are part of the bridge interface Select one and click the a...

Page 357: ... Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the ZyWALL divides it into smaller fragments Allowed v...

Page 358: ...that another interface received from its DHCP server ZyWALL the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay First WINS Server Second WINS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses tha...

Page 359: ...nnectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the nu...

Page 360: ... use the auxiliary interface Note You have to connect an external modem to the auxiliary port The ZyWALL uses the auxiliary interface to dial out in two situations 1 You click the Connect icon on the ZyWALL Status screen 2 The load auxiliary interface must connect to satisfy load balancing requirements You have to add the auxiliary interface to a trunk first When the ZyWALL hangs up the call it dr...

Page 361: ... is read only and displays the zone to which the auxiliary interface belongs Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Port Speed Select the speed of the connection between the ZyWALL and external computer Dialing Type Tone select this if the telephone uses tone based dialing Pulse sel...

Page 362: ... comma to pause during dialing Use a plus sign to tell the external modem to make an international call User Name Enter the user name required for authentication Password Enter the password required for authentication Retype to confirm Enter the password again to make sure you have not typed it incorrectly Authentication Type Select the authentication protocol to use for outgoing calls Choices are...

Page 363: ...ration Network Interface Add LABEL DESCRIPTION Interface Properties Interface Name This field is read only It displays the name of the virtual interface which is automatically derived from the underlying Ethernet interface VLAN interface or bridge interface Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 ch...

Page 364: ...ways have the same priority the ZyWALL uses the one that was configured first Interface Parameters Egress Bandwidth Enter the maximum amount of traffic in kilobits per second the ZyWALL can send through the interface to the network Allowed values are 0 1048576 Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from th...

Page 365: ...t with a destination address of 5 5 5 5 it might not find any entries in the routing table In this case the packet is dropped However if there is a default router to which the ZyWALL should send this packet you can specify it as a gateway in one of the interfaces For example if there is a default router at 200 200 200 100 you can create a gateway at 200 200 200 100 on ge2 In this case the ZyWALL c...

Page 366: ...ddresses subnet masks gateways and some network information such as the IP addresses of DNS servers on computers in the network This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently In DHCP every network has at least one DHCP server When a computer a DHCP client joins the network it submits a DHCP request The DHCP servers get the re...

Page 367: ...ce provides the same gateway you specify for the interface See IP Address Assignment on page 364 DNS servers The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients You can specify each IP address manually for example a company s own DNS server or you can refer to DNS servers that other interfaces received from DHCP servers for example a DNS serve...

Page 368: ... systems including RADIUS You can access one of several network services This makes it easier for the service provider to offer the service PPPoE does not usually require any special configuration of the modem PPTP is used to set up virtual private networks VPN in unsecure TCP IP environments It sets up two sessions 1 The first one runs on TCP port 1723 It is used to start and manage the second on...

Page 369: ...a You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B Or maybe one of the ZyWALL s interfaces is connected to an ISP that is also your Voice over IP VoIP service provider You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoIP...

Page 370: ...es through the best WAN interface for that type of traffic If that interface s connection goes down the ZyWALL can still send its traffic through another interface You can define multiple trunks for the same physical interfaces Link Sticking You can have the ZyWALL send each local computer s traffic that is going to the same destination through a single WAN interface for a specified period of time...

Page 371: ...d bandwidth refers to the bandwidth an interface is currently using Least Load First The least load first algorithm uses the current or recent outbound bandwidth utilization of each trunk member interface as the load balancing index es when making decisions about to which interface a new session is to be distributed The outbound bandwidth utilization is defined as the measured outbound throughput ...

Page 372: ...distribute the network traffic between the two interfaces by setting the weight of ge2 and ge3 to 2 and 1 respectively The ZyWALL assigns the traffic of two sessions to ge2 for every session s traffic assigned to ge3 Figure 294 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the inte...

Page 373: ...old of the first interface is set to 800K The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface Figure 295 Spillover Algorithm Example Finding Out More See Section 6 5 5 on page 103 for related information on the Trunk screens See Section 7 3 on page 122 for an example of how to configure load balancing See Section 14 4 on page 377 for more backgrou...

Page 374: ... this button to display a greater or lesser number of configuration fields Enable Link Sticking Enable link sticking to have the ZyWALL route sessions from one source to the same destination through the same link for a period of time This is useful for accessing servers that are incompatible with a user s sessions coming from different links For example this is useful when a server requires authen...

Page 375: ...dds all external interfaces into the pre configured system default SYSTEM_DEFAULT_WAN_TRUNK You cannot delete it You can create your own User Configuration trunks Add Click this to create a new user configured trunk Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove Th...

Page 376: ...traffic traveling from an internal interface ex LAN to an external interface ex WAN Inbound means the opposite The table lists the trunk s member interfaces You can add edit remove or move entries for user configured trunks Add Click this to add a member interface to the trunk Select an interface and click Add to add a new member interface after the selected member interface Edit Double click an e...

Page 377: ...L sends through each member interface The higher an interface s weight is relative to the weights of the interfaces the more traffic the ZyWALL sends through that interface Ingress Bandwidth This field displays with the least load first load balancing algorithm It displays the maximum number of kilobits of data the ZyWALL is to allow to come in through the interface per second Egress Bandwidth Thi...

Page 378: ...Chapter 14 Trunks ZyWALL USG 300 User s Guide 378 ...

Page 379: ... default gateway R1 You create one policy route to connect to services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 298 Example of Policy Routing Topology Note You can generally just use policy routes You only need to use static routes if you have a large network with multiple router...

Page 380: ... policy routes to manage other types of traffic like ICMP traffic and send traffic through VPN tunnels Note Bandwidth management in policy routes has priority over application patrol bandwidth management Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost paths while using low cost paths for batch traffic Load Sharing Network administrators can use ...

Page 381: ...ng the route based on the application types and traffic flow Packets are marked with DiffServ Code Points DSCPs indicating the level of service desired This allows the intermediary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to ...

Page 382: ...red policy routes and turn policy routing based bandwidth management on or off A policy route defines the matching criteria and the action to take when a packet meets the criteria The action is taken only when all the criteria are met The criteria can include the user name source address and incoming interface destination address schedule IP protocol ICMP UDP TCP etc and port The actions that can ...

Page 383: ...it Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change a rule s position in the numbered list se...

Page 384: ...SCP value of the outgoing packets that match this route If this field displays a DSCP value the ZyWALL applies that DSCP value to the route s outgoing packets preserve means the ZyWALL does not modify the DSCP value of the route s outgoing packets default means the ZyWALL sets the DSCP value of the route s outgoing packets to 0 The af choices stand for Assured Forwarding The number following the a...

Page 385: ...onfiguration Network Routing Policy Route Add The following table describes the labels in this screen Table 92 Configuration Network Routing Policy Route Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Configuration Enable Select this to activate the policy Description Enter a descriptive name of up to 31 printable ASCII c...

Page 386: ...e of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 391 for more details User Defined DSCP Code Use this field to specify a custom DSCP code point Schedule Select a schedule to control when the policy route is active none means the route is active at all times if enabled Service Select a service or service group to identify the type of traffic to which this policy route ...

Page 387: ...h the specified interface Auto Disable This field displays when you select Interface or Trunk in the Type field Select this to have the ZyWALL automatically disable this policy route when the next hop s connection is down DSCP Marking DSCP Marking Set how the ZyWALL handles the DSCP value of the outgoing packets that match this route Select one of the pre defined DSCP values to apply or select Use...

Page 388: ...before using a port triggering rule Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it You can also just double click an entry to be able to modify it Remove Select an entry and click this to delete it Move The ordering of your rules is important as they are applied in order o...

Page 389: ...andwidth unbudgeted and do not enable Maximize Bandwidth Usage Bandwidth Priority Enter a number between 1 and 7 to set the priority for traffic The smaller the number the higher the priority If you set the maximum bandwidth to 0 the bandwidth priority will be changed to 0 after you click OK That means the route has the highest priority and will get all the bandwidth it needs up to the maximum ava...

Page 390: ...to remove it before doing so This is the number of an individual static route Destination This is the destination IP address Subnet Mask This is the IP subnet mask Next Hop This is the IP address of the next hop gateway or the interface through which the traffic is routed The gateway is a router or switch on the same segment as your ZyWALL s interface s The gateway helps forward packets to their d...

Page 391: ...s If congestion occurs between classes the traffic in the higher class smaller numbered class is generally given priority Combining the classes and drop precedence produces the Gateway IP Select the radio button and enter the IP address of the next hop gateway The gateway is a router or switch on the same segment as your ZyWALL s interface s The gateway helps forward packets to their destinations ...

Page 392: ...computer Port triggering is used especially when the remote server responses using a different port from the port the client computer used to request a service The ZyWALL records the IP address of a client computer that sends traffic to a remote server to request a service incoming service When the ZyWALL receives a new connection trigger service from the remote server the ZyWALL forwards the traf...

Page 393: ...route is not using among the policy routes that require more bandwidth When you enable maximize bandwidth usage the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment Next the ZyWALL divides up an interface s available bandwidth bandwidth that is unbudgeted or unused by the policy routes depending on how many policy routes require more bandwidth and on their priority...

Page 394: ...Chapter 15 Policy and Static Routes ZyWALL USG 300 User s Guide 394 ...

Page 395: ... in this Chapter Use the RIP screen see Section 16 2 on page 396 to configure the ZyWALL to use RIP to receive and or send routing information Use the OSPF screen see Section 16 3 on page 397 to configure general OSPF settings and manage OSPF areas Use the OSPF Area Add Edit screen see Section 16 3 2 on page 404 to create or edit an OSPF area 16 1 2 What You Need to Know The ZyWALL supports two st...

Page 396: ...gs before you can use it in an interface First the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent This is discussed in more detail in Authentication Types on page 407 Second the ZyWALL can also redistribute routing information from non RIP networks specifically OSPF networks and static routes to the RIP networ...

Page 397: ...nd 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The password can consist of alphanumeric characters and the underscore and it can be up to 16 characters long Redistribute Active OSPF Select this to use RIP to advertise routes that were learned through OSPF Metric Type the cost for routes provided by OSPF The metric represe...

Page 398: ...ents a group of adjacent networks and is identified by a 32 bit ID In OSPF this number may be expressed as an integer or as an IP address There are several types of areas The backbone is the transit area that routes packets between other areas All other areas are connected to the backbone A normal area is a group of adjacent networks A normal area has routing information about the OSPF AS any netw...

Page 399: ...o confirm which neighbor layer 3 devices exist and then they exchange database descriptions DDs to create a synchronized link state database The link state database contains records of router IDs their associated links and path costs The link state database is then constantly updated through Link State Advertisements LSA Each router uses the link state database and the Dijkstra algorithm to comput...

Page 400: ...DR All of the routers only exchange information with the DR and the BDR instead of exchanging information with all of the other routers in the group The DR and BDR are selected by priority if two routers have the same priority the highest router ID is used The DR and BDR are selected in each group of routers that are directly connected to each other If a router is directly connected to several gro...

Page 401: ...the backbone You cannot create a virtual link to a router in a different area OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL 1 Enable OSPF 2 Set up the OSPF areas 3 Configure the appropriate interfaces See Section 13 3 1 on page 302 4 Set up virtual links as needed 16 3 1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the ZyWALL uses i...

Page 402: ...istribute Active RIP Select this to advertise routes that were learned from RIP The ZyWALL advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas Type Select how OSPF calculates the cost associated with routing information from RIP Choices are Type 1 and Type 2 Type 1 cost OSPF AS cost external cost Metric Type 2 cost external cost Metric the OSPF AS cost is ignored Metr...

Page 403: ...eas in the ZyWALL Add Click this to create a new OSPF area Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This field is a sequential value and it is not associated with a specific area Area This field displays the 32 bit I...

Page 404: ... information about the OSPF AS and about networks outside the OSPF AS Stub This area is an stub area It has routing information about the OSPF AS but not about networks outside the OSPF AS It depends on a default route to send information outside the OSPF AS NSSA This area is a Not So Stubby Area NSSA per RFC 1587 It has routing information about the OSPF AS and networks that are outside the OSPF ...

Page 405: ...hould set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone Add Click this to create a new virtual link Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This ...

Page 406: ...entication Text uses a plain text password that is sent over the network not very secure MD5 uses an MD5 password and authentication ID most secure Same as Area has the virtual link also use the Authentication settings above Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the ...

Page 407: ...ord and authentication ID MD5 is an authentication method that produces a 128 bit checksum called a message digest for each packet It also includes an authentication ID which can be set to any value between 1 and 255 The ZyWALL only accepts packets if these conditions are satisfied The packet s authentication ID is the same as the authentication ID of the interface that received it The packet s me...

Page 408: ...Chapter 16 Routing Protocols ZyWALL USG 300 User s Guide 408 ...

Page 409: ... settings such as firewall rules Anti X and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface auxiliary interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 311 Example Zones 17 1 1 What You Can Do in this Chapter Use the...

Page 410: ...ple DMZ to DMZ but many other types of zone based security and policy settings do not affect intra zone traffic Inter zone Traffic Inter zone traffic is traffic between interfaces or VPN tunnels in different zones For example in Figure 311 on page 409 traffic between VLAN 1 and the Internet is inter zone traffic This is the normal case when zone based security and policy settings apply Extra zone ...

Page 411: ...his to create a new user configured zone Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry ...

Page 412: ...ters underscores _ or dashes but the first character cannot be a number This value is case sensitive Block Intra zone Traffic Select this check box to block network traffic between members in the zone Member List Available lists the interfaces and VPN tunnels that do not belong to any zone Select the interfaces and VPN tunnels that you want to add to the zone you are editing and click the right ar...

Page 413: ...he domain name to contact you in NetMeeting CU SeeMe etc or to access your FTP server or Web site regardless of the current IP address Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the ZyWALL When registration is complete the DNS service provider gives you a pass...

Page 414: ... Figure 314 Configuration Network DDNS The following table describes the labels in this screen Table 105 Configuration Network DDNS LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it befo...

Page 415: ...ernate interface to use for updating the IP address mapped to the domain name followed by how the ZyWALL determines the IP address for the domain name The ZyWALL uses the backup interface and IP address when the primary interface is disabled its link is down or its connectivity check fails from interface The IP address comes from the specified interface auto detected The DDNS server checks the sou...

Page 416: ...able 106 Configuration Network DDNS Add LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields Enable DDNS Profile Select this check box to use this DDNS entry Profile Name When you are adding a DDNS entry type a descriptive name for this DDNS entry in the ZyWALL You may use 1 31 alphanumeric characters undersco...

Page 417: ...ce The ZyWALL uses the IP address of the specified interface This option appears when you select a specific interface in the Primary Binding Address Interface field Auto If the interface has a dynamic IP address the DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name You may want to use this if there are one or more NAT routers betw...

Page 418: ...feature to alias subdomains to be aliased to the same IP address as your dynamic domain name This feature is useful if you want to be able to use for example www yourhost dyndns org and still reach your hostname Mail Exchanger This option is only available with a DynDNS account DynDNS can route e mail for your domain name to a mail server called a mail exchanger For example DynDNS routes e mail fo...

Page 419: ...n the private network available by using ports to forward packets to the appropriate private IP address Suppose you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network ...

Page 420: ...13 3 on page 173 for an example of how to configure NAT to allow SIP traffic from the WAN to an IPPBX or SIP server on the DMZ 19 2 The NAT Screen The NAT summary screen provides a summary of all NAT rules and their configuration In addition this screen allows you to create new NAT rules and edit and delete existing NAT rules To access this screen login to the Web Configurator and click Configurat...

Page 421: ...splays the original destination IP address or address object of traffic that matches this NAT entry It displays any if there is no restriction on the original destination IP address Mapped IP This field displays the new destination IP address for the packet Protocol This field displays the service used by the packets for this NAT entry It displays any if there is no restriction on the services Ori...

Page 422: ...iguration Network NAT Add The following table describes the labels in this screen Table 108 Configuration Network NAT Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen Enable Rule Use this option to turn the NAT rule on or off Rule Name Type in the name of the NAT rule The name is used to refer to the NAT rule You may use 1 31 alp...

Page 423: ...ing interface s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface User Defined Select this to manually enter an IP address in the User Defined field For example you could enter a static public IP assigned by the ISP without having to create a virtual interface for it Host address select a host address object to use the IP address...

Page 424: ...destination ports this NAT rule supports Original End Port This field is available if Mapping Type is Ports Enter the end of the range of original destination ports this NAT rule supports Mapped Start Port This field is available if Mapping Type is Ports Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet Mapped End Port This field is available if ...

Page 425: ...fter you configure your NAT rule settings click the Firewall link to configure a firewall rule to allow the NAT rule s traffic to come in The ZyWALL checks NAT rules before it applies To ZyWALL firewall rules so To ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules The ZyWALL still checks other firewall rules according to the source IP address and mapped IP address OK Cli...

Page 426: ... 1 NAT loopback uses the IP address of the ZyWALL s LAN interface 192 168 1 1 as the source address of the traffic going from the LAN users to the LAN SMTP server Figure 320 LAN to LAN Traffic The LAN SMTP server replies to the ZyWALL s LAN IP address and the ZyWALL changes the source address to 1 1 1 1 before sending it to the LAN user The return traffic s source matches the original destination ...

Page 427: ...N user without the traffic going through NAT the source would not match the original destination address which would cause the LAN user s computer to shut down the session Figure 321 LAN to LAN Return Traffic 192 168 1 21 LAN 192 168 1 89 Source 1 1 1 1 SMTP NAT Source 192 168 1 21 SMTP ...

Page 428: ...Chapter 19 NAT ZyWALL USG 300 User s Guide 428 ...

Page 429: ...t connected to the LAN zone wants to open a web page its HTTP request is redirected to proxy server A first If proxy server A cannot find the web page in its cache a policy route allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 322 HTTP Redirect Example 20 1 1 What You Can Do in this Chapter Use the HTTP Redirect screens see ...

Page 430: ... 1 Firewall 2 Application Patrol 3 HTTP Redirect 4 Policy Route Even if you set a policy route to the same incoming interface and service as a HTTP redirect rule the ZyWALL checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched You need to make sure there is no firewall rule s blocking the HTTP requests from the client to the proxy server You also need to manua...

Page 431: ...table describes the labels in this screen Table 109 Configuration Network HTTP Redirect LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry sel...

Page 432: ...d settings Table 109 Configuration Network HTTP Redirect continued LABEL DESCRIPTION Table 110 Network HTTP Redirect Edit LABEL DESCRIPTION Enable Use this option to turn the HTTP redirect rule on or off Name Enter a name to identify this rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select th...

Page 433: ...er Internet H 323 A teleconferencing protocol suite that provides audio data and video conferencing FTP File Transfer Protocol an Internet file transfer service The following example shows SIP signaling 1 and audio 2 sessions between SIP clients A and B and the SIP server Figure 325 SIP ALG Example The ALG feature is only needed for traffic that goes through the ZyWALL s NAT 21 1 1 What You Can Do...

Page 434: ...rver from the WAN H 323 ALG The H 323 ALG supports peer to peer H 323 calls The H 323 ALG handles H 323 calls that go through NAT or that the ZyWALL routes You can also make other H 323 calls that do not go through NAT or routing Examples would be calls between LAN IP addresses that are on the same subnet The H 323 ALG allows calls to go out through NAT For example you could make a call from a pri...

Page 435: ...es the application patrol see Chapter 32 on page 553 to use the same port numbers for SIP traffic Likewise configuring the application patrol to use custom port numbers for SIP traffic also configures SIP ALG to use the same port numbers for SIP traffic Peer to Peer Calls and the ZyWALL The ZyWALL ALG can allow peer to peer VoIP calls for both H 323 and SIP You must configure the firewall and NAT ...

Page 436: ...return traffic for the calls initiated from the LAN IP addresses For example you configure firewall and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1 You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2 You configure corresponding policy routes to have calls from LAN IP address A...

Page 437: ...to allow sessions initiated from the WAN 21 2 The ALG Screen Click Configuration Network ALG to open the ALG screen Use this screen to turn ALGs off or on configure the port numbers to which they apply and configure SIP ALG time outs Note If the ZyWALL provides an ALG for a service you must enable the ALG in order to use the application patrol on that service s traffic Figure 329 Configuration Net...

Page 438: ...out Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout the ZyWALL deletes the signaling session after the timeout period Enter the SIP signaling ses...

Page 439: ...could also have a trunk with one interface set to active and a second interface set to passive The ZyWALL does not automatically change ALG managed Enable FTP ALG Turn on the FTP ALG to detect FTP File Transfer Program traffic and help build FTP sessions through the ZyWALL s NAT Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic s ba...

Page 440: ...ard teleconferencing protocol suite that provides audio data and video conferencing It allows for real time point to point and multipoint communication between client computers over a packet based network that does not provide a guaranteed quality of service NetMeeting uses H 323 SIP The Session Initiation Protocol SIP is an application layer control signaling protocol that handles the setting up ...

Page 441: ...WALL Suppose you configure access privileges for IP address 192 168 1 27 and use static DHCP to assign it to Tim s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with another MAC address Figure 330 IP MAC Binding Example 22 1 1 What You Can Do in this Chapter Use the Summary and Edit screens Section 22 2 on page 442 ...

Page 442: ...MAC Binding Summary Click Configuration Network IP MAC Binding to open the IP MAC Binding Summary screen This screen lists the total number of IP to MAC address bindings for devices connected to each supported interface Figure 331 Configuration Network IP MAC Binding Summary The following table describes the labels in this screen Table 112 Configuration Network IP MAC Binding Summary LABEL DESCRIP...

Page 443: ...nding This field displays the interface s total number of IP MAC bindings and IP addresses that the interface has assigned by DHCP Apply Click Apply to save your changes back to the ZyWALL Table 112 Configuration Network IP MAC Binding Summary continued LABEL DESCRIPTION Table 113 Configuration Network IP MAC Binding Edit LABEL DESCRIPTION IP MAC Binding Settings Interface Name This field displays...

Page 444: ...mputer s MAC address is in the table the ZyWALL assigns the corresponding IP address You can also access this table from the interface s edit screen Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it befor...

Page 445: ...s to assign to a device with the entry s MAC address MAC Address Enter the MAC address of the device to which the ZyWALL assigns the entry s IP address Description Enter up to 64 printable ASCII characters to help identify the entry For example you may want to list the computer s owner OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table ...

Page 446: ...yWALL does not apply IP MAC binding Add icon Click the Add icon to add a new entry Click the Remove icon to delete an entry A window displays asking you to confirm that you want to delete it Apply Click Apply to save your changes back to the ZyWALL Table 115 Configuration Network IP MAC Binding Exempt List continued LABEL DESCRIPTION ...

Page 447: ...ystem OS option and security requirements to gain access See Chapter 49 on page 807 for how to configure endpoint security objects to use with authentication policies In the following figure the ZyWALL s authentication policy requires endpoint security checking on local user A A passes authentication and the endpoint security check and is given access Local user B passes authentication but fails t...

Page 448: ...tch one of the authentication policy s endpoint security objects in order to gain access Forced User Authentication Instead of making users for which user aware policies have been configured go to the ZyWALL Login screen manually you can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet Note This works with HTTP traf...

Page 449: ...ck Remove to delete it or them Authentication Policy Summary Use this table to manage the ZyWALL s list of authentication policies Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and c...

Page 450: ...he source address object to which this policy applies Destination This displays the destination address object to which this policy applies Schedule This field displays the schedule object that dictates when the policy applies none means the policy is active at all times if enabled Authentication This field displays the authentication requirement for users when their traffic matches this policy Th...

Page 451: ...e from the member list and click the left arrow button to remove them Figure 337 Configuration Auth Policy Add Exceptional Service 23 2 2 Creating Editing an Authentication Policy Click Configuration Auth Policy and then the Add or Edit icon to open the Endpoint Security Edit screen Use this screen to configure an authentication policy ...

Page 452: ... up to 60 printable ASCII characters for the policy Spaces are allowed This field is available for user configured policies User Authentication Policy Use this section of the screen to determine which traffic requires or does not require the senders to be authenticated in order to be routed Source Address Select a source address or address group for whom this policy applies Select any if the polic...

Page 453: ...ation Enable EPS Checking Select this to have the ZyWALL check that users computers meet the Operating System OS and security requirements of one of the policy s selected endpoint security objects before granting access Periodical checking time Select this and specify a number of minutes to have the ZyWALL repeat the endpoint security check at a regular interval Available EPS Object Selected EPS O...

Page 454: ...Chapter 23 Authentication Policy ZyWALL USG 300 User s Guide 454 ...

Page 455: ...n from within the LAN zone and responses to this request are allowed However other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN zone is blocked Communications between the WAN and the DMZ zones are allowed The firewall allows VPN traffic between any of the networks Figure 339 Default Firewall Action 24 1 1 What You Can Do in this Chapter Use the Firewall screens Sectio...

Page 456: ... allowed for certain default services described in To ZyWALL Rules on page 457 All other WAN to ZyWALL traffic is dropped From WAN to any other than the ZyWALL Traffic from the WAN to any of the networks behind the ZyWALL is dropped From DMZ to ZyWALL Traffic from the DMZ to the ZyWALL itself is allowed for certain default services described in To ZyWALL Rules on page 457 All other DMZ to ZyWALL t...

Page 457: ...ich is not in a zone Global Firewall Rules Firewall rules with from any and or to any as the packet direction are called global firewall rules The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface Firewall...

Page 458: ...s such as file sharing applications may use a large number of NAT sessions A single client could use all of the available NAT sessions and prevent others from connecting to or through the ZyWALL The ZyWALL lets you limit the number of concurrent NAT firewall sessions a client can use Finding Out More See Section 6 5 14 on page 107 for related information on the Firewall screens See Section 7 7 6 o...

Page 459: ...rules Any traffic that does not match the first firewall rule will match the second rule and the ZyWALL forwards it Now suppose that your company wants to let the CEO use IRC You can configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO s computer You can also configure a LAN to WAN rule that allows IRC traffic from any computer through which the CEO logs into...

Page 460: ...rvice on the WAN The second row blocks LAN access to the IRC service on the WAN The third row is the firewall s default policy of allowing all traffic from the LAN to go to the WAN Alternatively you configure a LAN to WAN rule with the CEO s user name say CEO to allow IRC traffic from any source IP address to go to any destination address Your firewall would have the following configuration Table ...

Page 461: ...e ZyWALL would drop it and not check any other firewall rules 24 1 4 Firewall Rule Configuration Example The following Internet firewall rule example allows Doom players from the WAN to IP addresses 192 168 1 10 through 192 168 1 15 Dest_1 on the LAN 1 Click Configuration Firewall In the summary of firewall rules click Add in the heading row to configure a new first entry Remember the sequence pri...

Page 462: ...gure 344 Firewall Example Create a Service Object 6 Select From WAN and To LAN1 7 Enter the name of the firewall rule 8 Select Dest_1 is selected for the Destination and Doom is selected as the Service Enter a description and configure the rest of the screen as follows Click OK when you are done Figure 345 Firewall Example Edit a Firewall Rule ...

Page 463: ...wever allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets Virtual interfaces allow you to partition your network into logical sections over the same interface See the chapter about interfaces for more information By putting LAN ...

Page 464: ...to the selected direction Note the following If you enable intra zone traffic blocking see the chapter about zones the firewall automatically creates implicit rules to deny packet passage between the interfaces in the specified zone Besides configuring the firewall you also need to configure NAT rules to allow computers on the WAN to access LAN devices See Chapter 19 on page 419 for more informati...

Page 465: ...If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL s LAN IP address return traffic may not go through the ZyWALL This is called an asymmetrical or triangle route This causes the ZyWALL to reset the connection as the connection has not been acknowledged Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network not reset ...

Page 466: ...nactivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering The following read only fields summarize the rules you have created that apply to t...

Page 467: ...e passage of packets allow Log This field shows you whether a log and alert is created when packets match this rule or not Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 122 Configuration Firewall continued LABEL DESCRIPTION Table 123 Configuration Firewall Add LABEL DESCRIPTION Create new Object Use to configure an...

Page 468: ... address should be within the IP address range Source Select a source address or address group for whom this rule applies Select any if the policy is effective for every source Destination Select a destination address or address group for whom this rule applies Select any if the policy is effective for every destination Service Select a service or service group from the drop down list box Access U...

Page 469: ... Create rules below to apply other limits for specific users or addresses Rule Summary This table lists the rules for limiting the number of concurrent sessions hosts can have Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s setti...

Page 470: ...to which this session limit r ule applies Address This is the address object to which this session limit rule applies Limit This is how many concurrent sessions this user or address is allowed to have Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 124 Configuration Firewall Session Limit continued LABEL DESCRIPTION ...

Page 471: ...ddress range Address Select a source address or address group for whom this rule applies Select any if the policy is effective for every source address Session Limit per Host Use this field to set a limit to the number of concurrent NAT firewall sessions this rule s users or addresses can have For this rule s users and addresses this setting overrides the Default Session per Host setting in the ge...

Page 472: ...Chapter 24 Firewall ZyWALL USG 300 User s Guide 472 ...

Page 473: ...k like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The following figure is an example of an IPSec VPN tunnel Figure 352 IPSec VPN Example The VPN tunnel connects the ZyWALL X and the remote peer IPSec router Y These routers then connect the local network A and remote network B 25 1...

Page 474: ...meters the ZyWALL and the remote IPSec router will use The first phase establishes an Internet Key Exchange IKE SA between the ZyWALL and remote IPSec router The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network This is illustrated in the following figure Figure 353...

Page 475: ... IPSec router s address but you specify the remote policy the addresses of the devices behind the remote IPSec router This ZyWALL must have a static IP address or a domain name Only the remote IPSec router can initiate the VPN tunnel Choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users You don t specify the addre...

Page 476: ...virtual Ethernet interface VLAN interface or virtual VLAN interface to specify what address the ZyWALL uses as its IP address when it establishes the IKE SA You should set up the interface first See Chapter 13 on page 295 In a VPN gateway you can enable extended authentication If the ZyWALL is in server mode you should set up the authentication method AAA server first The authentication method spe...

Page 477: ...his to have the ZyWALL automatically obtain source and destination addresses for all dynamic IPSec rules See Section 6 4 2 on page 99 for how this option affects the routing table Ignore Don t Fragment setting in packet header Select this to fragment packets larger than the MTU Maximum Transmission Unit that have the don t fragment bit in the IP header turned on When you clear this the ZyWALL drop...

Page 478: ... bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field displays the name of the IPSec SA VPN Gateway This field displays the associated VPN gateway s If there is no VPN gateway this field displays manual key Encapsulation This field displays what encapsulation the IP...

Page 479: ...Chapter 25 IPSec VPN ZyWALL USG 300 User s Guide 479 Figure 355 Configuration VPN IPSec VPN VPN Connection Edit IKE ...

Page 480: ...BIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa VPN Gateway Application Scenario Select the scenario that best describes your intended VPN connection Site to site Choose this if the remote IPSec router has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose...

Page 481: ...e Protocol Select which protocol you want to use in the IPSec SA Choices are AH RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not encryption If you select AH you must select an Authentication algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authentication is weaker If you select ESP you must select an E...

Page 482: ...SHA1 and MD5 SHA1 is generally considered stronger than MD5 but it is also slower The ZyWALL and the remote IPSec router must both have a proposal that uses the same authentication algorithm Perfect Forward Secrecy PFS Select whether or not you want to enable Perfect Forward Secrecy PFS and if you do which Diffie Hellman key group to use for encryption Choices are none disable PFS DH1 enable PFS a...

Page 483: ...t and Last IP Address in the Remote Policy Select this to have the ZyWALL check the connection to the first and last IP addresses in the connection s remote policy Make sure one of these is the peer gateway s LAN IP address Log Select this to have the ZyWALL generate a log every time it checks this VPN connection Inbound Outbound traffic NAT Outbound Traffic Source NAT This translation hides the s...

Page 484: ...click this to delete it Move To change an entry s position in the numbered list select it and click Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to the number that you typed This field is a sequential value and it is not associated with a specific NAT record However the order of records is the sequence in which conditions are check...

Page 485: ... either the Add icon or an existing manual key entry s Edit icon In the VPN Gateway section of the screen select Manual Key Note Only use manual key as a temporary solution because it is not as secure as a regular IPSec SA Figure 356 Configuration VPN IPSec VPN VPN Connection Add Manual Key This table describes labels specific to manual key configuration See Section 25 2 on page 476 for descriptio...

Page 486: ...ot encryption If you select AH you must select an Authentication Algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authentication is weaker If you select ESP you must select an Encryption Algorithm and Authentication Algorithm The ZyWALL and remote IPSec router must use the same protocol Encryption Algorithm This field is applicable when the Active Protocol is ...

Page 487: ...r 1234567890XYZ for a DES encryption key the ZyWALL only uses 12345678 The ZyWALL still stores the longer key Authentication Key Enter the authentication key which depends on the authentication algorithm MD5 type a unique key 16 20 characters long SHA1 type a unique key 20 characters long You can use any alphanumeric characters or _ If you want to enter the key in hexadecimal type 0x at the beginn...

Page 488: ... to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object References Select an entry and click Object References to open a screen that shows which settings use...

Page 489: ...olicy or edit an existing one To access this screen go to the VPN Gateway summary screen see Section 25 3 on page 488 and click either the Add icon or an Edit icon Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 130 Configuration VPN IPSec VPN VPN Gateway continued LABEL DESCRIPTION ...

Page 490: ...Chapter 25 IPSec VPN ZyWALL USG 300 User s Guide 490 Figure 358 Configuration VPN IPSec VPN VPN Gateway Edit ...

Page 491: ...ss or the IP address corresponding to the domain name 0 0 0 0 is invalid Peer Gateway Address Select how the IP address of the remote IPSec router in the IKE S A is defined Select Static Address to enter the domain name or the IP address of the remote IPSec router You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one Fall back ...

Page 492: ...KE SA Then select the certificate the ZyWALL uses to identify itself to the remote IPsec router This certificate is one of the certificates in My Certificates If this certificate is self signed import it into the remote IPsec router If this certificate is signed by a CA the remote IPsec router must trust that CA Note The IPSec routers must trust each other s certificates The ZyWALL uses one of its...

Page 493: ...rs including spaces although trailing spaces are truncated This value is only used for identification and can be any string E mail the ZyWALL is identified by an e mail address you can use up to 31 ASCII characters including spaces although trailing spaces are truncated This value is only used for identification and can be any string Peer ID Type Select which type of identification is used to iden...

Page 494: ...ct alternative name field see the note at the end of this description DNS subject alternative name field E mail subject alternative name field Subject Name subject name maximum 255 ASCII characters including spaces Note If Peer ID Type is IP please read the rest of this section If you type 0 0 0 0 the ZyWALL uses the IP address specified in the Secure Gateway Address field This is not recommended ...

Page 495: ...DES encryption algorithm AES128 a 128 bit key with the AES encryption algorithm AES192 a 192 bit key with the AES encryption algorithm AES256 a 256 bit key with the AES encryption algorithm The ZyWALL and the remote IPSec router must use the same key size and encryption algorithm Longer keys require more processing power resulting in increased latency and decreased throughput Authentication Select...

Page 496: ...unnel for example use extended authentication to enforce a user name and password check This way even though they all know the VPN tunnel s security settings each still has to provide a unique user name and password Enable Extended Authentication Select this if one of the routers the ZyWALL or the remote IPSec router verifies a user name and password from the other router using the local user data...

Page 497: ...lidate the policy routes in each spoke router depending on the IP addresses and subnets of each spoke However a VPN concentrator is not for every situation The hub router is a single failure point so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally maintenance for example There is also more burden on the hub router It receives VPN traffic...

Page 498: ...IPSec VPN Concentrator Example This IPSec VPN concentrator example uses the following settings Branch Office A ZyNOS based ZyWALL VPN Gateway VPN Tunnel 1 My Address 10 0 0 2 Peer Gateway Address 10 0 0 1 VPN Connection VPN Tunnel 1 Local Policy 192 168 11 0 255 255 255 0 Remote Policy 192 168 1 0 255 255 255 0 Disable Policy Enforcement Policy Route Source 192 168 11 0 Destination 192 168 12 0 Ne...

Page 499: ...orcement Concentrator Add VPN tunnel 1 and VPN tunnel 2 to an IPSec VPN concentrator Firewall Block traffic from VPN tunnel 2 from accessing the LAN Branch Office B USG ZyWALL or ZyWALL 1050 VPN Gateway VPN Tunnel 2 My Address 10 0 0 3 Peer Gateway Address 10 0 0 1 VPN Connection VPN Tunnel 2 Local Policy 192 168 12 0 255 255 255 0 Remote Policy 192 168 1 0 255 255 255 0 Disable Policy Enforcement...

Page 500: ...The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL To access this screen click Configuration VPN IPSec VPN Concentrator The following screen appears Figure 361 Configuration VPN IPSec VPN Concentrator Each field is discussed in the following table See Section 25 4 3 on page 500 for more information 25 4 3 The VPN Concentrator Add Edit Screen The VPN Concentrator Add E...

Page 501: ...the first character cannot be a number This value is case sensitive Member Select the concentrator s IPSec VPN connection policies Note You must disable policy enforcement in each member See Section 25 2 1 on page 478 IPSec VPN connection policies that do not belong to a VPN concentrator appear under Available Select any VPN connection policies that you want to add to the VPN concentrator and clic...

Page 502: ... IP address or a domain name for either or both IP addresses Sometimes your ZyWALL might offer another alternative such as using the IP address of a port or interface as well You can also specify the IP address of the remote IPSec router as 0 0 0 0 This means that the remote IPSec router can have any IP address In this case only the remote IPSec router can initiate an IKE SA because the ZyWALL doe...

Page 503: ...th of DES Advanced Encryption Standard AES is a newer method of data encryption that also uses a secret key AES applies a 128 bit key to 128 bit blocks of data It is faster than 3DES Some ZyWALLs also offer stronger forms of AES that apply 192 bit or 256 bit keys to 128 bit blocks of data In most ZyWALLs you can select one of the following authentication algorithms for each proposal The algorithms...

Page 504: ...her in steps 5 and 6 as illustrated below The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps Figure 365 IKE SA Main Negotiation Mode Steps 5 6 Authentication continued You have to create and distribute a pre shared key The ZyWALL and remote IPSec router use it in the authentication process though it is n...

Page 505: ...page 505 the ZyWALL and the remote IPSec router authenticate each other successfully In contrast in Table 135 on page 505 the ZyWALL and the remote IPSec router cannot authenticate each other and therefore cannot establish an IKE SA It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router In this case you usually set the peer ID type to Any This is less secure ...

Page 506: ...t aggressive mode only takes three steps to establish an IKE SA Aggressive mode does not provide as much security because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted It is usually used in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre shared keys for authentication For example t...

Page 507: ... same VPN tunnel to connect to a single IPSec router For example this might be used with telecommuters In extended authentication one of the routers the ZyWALL or the remote IPSec router provides a user name and password to the other router which uses a local user database and or an external server to verify the user name and password If the user name or password is wrong the routers do not establ...

Page 508: ... to the remote IPSec router may be called the remote policy Active Protocol The active protocol controls the format of each packet It also specifies how much of each packet is protected by the encryption and authentication algorithms IPSec VPN includes two active protocols AH Authentication Header RFC 2402 and ESP Encapsulating Security Payload RFC 2406 Note The ZyWALL and remote IPSec router must...

Page 509: ...nd Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal see IKE SA Proposal on page 502 except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established This is called Perfect Forward Secrecy PFS If you enable PFS the ZyWALL and remote IPSec router perform a DH key exchange every time...

Page 510: ...y several proposals There is no DH key exchange so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use Note The ZyWALL and remote IPSec router must use the same encryption key and authentication key Authentication and the Security Parameter Index SPI For authentication the ZyWALL and remote IPSec router use the SPI instead of pre shared keys ID ...

Page 511: ...twork B If you do not configure it the remote IPSec router may not route messages for computer M through the IPSec SA because computer M s IP address is not part of its local policy To set up this NAT you have to specify the following information Source the original source address most likely computer M s network Destination the original destination address the remote network B SNAT the translated...

Page 512: ... this kind of NAT The ZyWALL checks these rules similar to the way it checks rules for a firewall The first part of these rules define the conditions in which the rule apply Original IP the original destination address the remote network B Protocol the protocol TCP UDP or both used by the service requesting the connection Original Port the original destination port or range of destination ports in...

Page 513: ...vice on your network for full tunnel mode access enter access messages or upload a custom logo to be displayed on the remote user screen 26 1 2 What You Need to Know There are two SSL VPN network access modes reverse proxy and full tunnel Reverse Proxy Mode In reverse proxy mode the ZyWALL is a proxy that acts on behalf of the local network servers such as your web and mail servers As the final de...

Page 514: ...work Access Mode Full Tunnel Mode SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks apply Endpoint Security EPS checking to require users computers to comply with defined corporate policies before they can access the SSL VPN tunnel limit user access to specific applications or files on the network allow user access to specific networks assign private IP addres...

Page 515: ...Accounts User Account User Group Configure a user account or user group to which you want to apply this SSL access policy Endpoint Security Endpoint Security Endpoint Security EPS checking makes sure users computers comply with defined corporate policies before they can access the SSL VPN tunnel Application SSL Application Configure an SSL application object to specify the type of application and ...

Page 516: ...it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for ...

Page 517: ...Chapter 26 SSL VPN ZyWALL USG 300 User s Guide 517 Apply Click Apply to save the settings Reset Click Reset to discard all changes Table 137 VPN SSL VPN Access Privilege LABEL DESCRIPTION ...

Page 518: ...SG 300 User s Guide 518 26 2 1 The SSL Access Policy Add Edit Screen To create a new or edit an existing SSL access policy click the Add or Edit icon in the Access Privilege screen Figure 372 VPN SSL VPN Access Privilege Add Edit ...

Page 519: ...s of the user account and or user group s to which y ou have not applied an SSL access policy yet To associate a user or user group to this SSL access policy select a user account or user group and click to add to the Selected User Group Objects list You can select more than one name To remove a user or user group select the name s in the Selected User Group Objects list and click Note Although yo...

Page 520: ...ted Application Objects list You can select more than one application To remove an SSL application select the name s in the Selected Application Objects list and click Network Extension Optional Enable Network Extension Select this option to create a VPN tunnel between the authenticated users and the internal network This allows the users to access the resources on the network as if they were on t...

Page 521: ...tting The following table describes the labels in this screen OK Click Ok to save the changes and return to the main Access Privilege screen Cancel Click Cancel to discard all changes and return to the main Access Privilege screen Table 138 VPN SSL VPN Access Privilege Add Edit continued LABEL DESCRIPTION Table 139 VPN SSL VPN Global Setting LABEL DESCRIPTION Global Setting Network Extension Local...

Page 522: ...fy a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully You can enter up to 60 characters a z A Z 0 9 with spaces allowed Update Client Virtual Desktop Logo You can upload a graphic logo to be displayed on the web browser on the remote user computer The ZyXEL company logo is the default logo Specify the location and file nameof the logo grap...

Page 523: ... 4 Log in as a user to verify that the new logo displays properly The following shows an example logo on the remote user screen Figure 374 Example Logo Graphic Display 26 4 Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL use the ZyWALL login screen s SSL VPN button to establish an SSL VPN connection See Section 27 2 on page 526 for details ...

Page 524: ...s depending on your network connection Once the connection is up you should see the client portal screen The following shows an example Figure 376 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access an SSL VPN connection is not activated message displays in the Login screen Clear the Login to SSL VPN check box and try logging in again For more information on u...

Page 525: ...k Web Access OWA Network Resource Access Methods As a remote user you can access resources on the local network using one of the following methods Using a supported web browser Once you have successfully logged in through the ZyWALL you can access intranet sites web based applications or web based e mails using one of the supported web browsers Using the ZyWALL SecuExtender client Once you have su...

Page 526: ...nd access network resources the domain name or IP address of the ZyWALL the login account user name and password if also required the user name and or password to access the network resource Certificates The remote user s computer establishes an HTTPS connection to the ZyWALL to access the login screen If instructed by your network administrator you must install or import a certificate provided by...

Page 527: ...the Address in a Web Browser 2 Click OK or Yes if a security screen displays Figure 379 Login Security Screen 3 A login screen displays Enter the user name and password of your login account If a token password is also required enter it in the One Time Password field 4 Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources Figure 380 Login Screen ...

Page 528: ...et a message about needing Java download and install it and restart your browser and re login If a certificate warning screen displays click OK Yes or Continue Figure 381 Java Needed Message 6 The ZyWALL tries to install the SecuExtender client As shown next you may have to click some pop ups to get your browser to allow the installation Figure 382 ActiveX Object Installation Blocked by Browser ...

Page 529: ...nternet Explorer click Install Figure 383 SecuExtender Blocked by Internet Explorer 8 The ZyWALL tries to run the ssltun application You may need to click something to get your browser to allow this In Internet Explorer click Run Figure 384 SecuExtender Progress 9 Click Next to use the setup wizard to install the SecuExtender client on your computer Figure 385 SecuExtender Progress ...

Page 530: ... finish installing the SecuExtender client on your computer Figure 386 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you See Figure 387 on page 531 for a screen example Note Available resource links vary depending on the configuration your network administrator made ...

Page 531: ...o to the Application or File Sharing screen 2 Click this icon to create a bookmark to the SSL VPN user screen in your web browser 3 Click this icon to display the on line help window 4 Click this icon to log out and terminate the secure connection 5 Select your preferred language for the interface 6 This part of the screen displays a list of the resources available to you In the Application screen...

Page 532: ... user screen click the Add to Favorite icon 2 A screen displays Accept the default name in the Name field or enter a descriptive name to identify this link 3 Click OK to create a bookmark in your web browser Figure 388 Add Favorite 27 5 Logging Out of the SSL VPN User Screens To properly terminate a connection click on the Logout icon in any remote user screen 1 Click the Logout icon in any remote...

Page 533: ...hapter 27 SSL User Screens ZyWALL USG 300 User s Guide 533 3 An information screen displays to indicate that the SSL VPN connection is about to terminate Figure 390 Logout Connection Termination Progress ...

Page 534: ...Chapter 27 SSL User Screens ZyWALL USG 300 User s Guide 534 ...

Page 535: ...an access depends on the ZyWALL s configuration 28 2 The Application Screen Click the Application tab to display the screen The Name field displays the descriptive name for an application The Type field displays wether the application is a web site Web Server or web based e mail using Microsoft Outlook Web Access OWA To access a web based application simply click a link in the Application screen t...

Page 536: ...Chapter 28 SSL User Application Screens ZyWALL USG 300 User s Guide 536 ...

Page 537: ...play and access shared files folders on a file server You can also perform the following actions Access a folder Open a file if your web browser cannot open the file you are prompted to download it Save a file to your computer Create a new folder Rename a file or folder Delete a file or folder Upload a file Note Available actions you can perform in the File Sharing screen vary depending on the rig...

Page 538: ...hared folder s available The following figure shows an example with one file share Figure 392 File Sharing 29 3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer 1 Log in as a remote user and click the File Sharing tab 2 Click on a file share icon ...

Page 539: ...SG 300 User s Guide 539 3 If an access user name and password are required a screen displays as shown in the following figure Enter the account information and click Login to continue Figure 393 File Sharing Enter Access User Name and Password ...

Page 540: ...ick a folder to access it For this example click on a doc file to open the Word document Figure 394 File Sharing Open a Word File 29 3 1 Downloading a File You are prompted to download a fil e which cannot be opened using a web browser Follow the on screen instructions to download and save the file to your computer Then launch the associated application to open the file ...

Page 541: ... the on screen instructions Figure 395 File Sharing Save a Word File 29 4 Creating a New Folder To create a new folder in the file share location click the New Folder icon Specify a descriptive name for the folder You can enter up to 356 characters Then click Add Note Make sure the length of the folder name does not exceed the maximum allowed on the file server Figure 396 File Sharing Save a Word ...

Page 542: ...dow displays Specify the new name and or file extension in the field provided You can enter up to 356 characters Then click Apply Note Make sure the length of the name does not exceed the maximum allowed on the file server You may not be able to open a file if you change the file extension Figure 398 File Sharing Rename 29 6 Deleting a File or Folder Click the Delete icon next to a file or folder ...

Page 543: ...ify the location and or name of the file you want to upload Or click Browse to locate it 3 Click Upload to send the file to the file server 4 After the file is uploaded successfully you should see the name of the file and a message in the screen Figure 399 File Sharing File Upload Note Uploading a file with the same name and file extension replaces the existing file on the file server No warning m...

Page 544: ...Chapter 29 SSL User File Sharing ZyWALL USG 300 User s Guide 544 ...

Page 545: ...ications must be installed on your computer For example to use the VNC remote desktop program you must have the VNC client installed on your computer 30 1 The ZyWALL SecuExtender Icon The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel s connection status Figure 400 ZyWALL SecuExtender Icon Red the SSL VPN tunnel is not connected You cannot connect to the SSL application and network re...

Page 546: ... SSL VPN connection DNS Domain Name System maps a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a compu ter before you can access it Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection WINS Server 1 2 These are the IP add...

Page 547: ...ESCRIPTION 2009 03 12 13 35 50 SecuExtender Agent DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExtender Agent DEBUG rasphone pbk C Documents and Settings 11746 rasphone pbk 2009 03 12 13 35 50 SecuExtender Agent DEBUG SecuExtender log C Documents and Settings 11746 SecuExtender log 2009 03 12 13 35 50 SecuExtender Agent DETAIL Check Parameters 2009 03 12 13 35 50 SecuExtender...

Page 548: ...d select Stop Connection to disconnect the SSL VPN tunnel 30 6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender 1 Click start All Programs ZyXEL ZyWALL SecuExtender Uninstall 2 In the confirmation screen click Yes Figure 403 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender Figure 404 ZyWALL SecuExtende...

Page 549: ...reen see Section 31 2 on page 551 to configure the ZyWALL s L2TP VPN settings 31 1 2 What You Need to Know The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it See Chapter 25 on page 473 for informatio...

Page 550: ...address object in the local policy For the Remote Policy create an address object that uses host type and an IP address of 0 0 0 0 Use this address object in the remote policy You must also edit the Default_L2TP_VPN_GW gateway entry Configure the My Address setting according to your requirements Replace the default Pre Shared Key Policy Route You must configure a policy route to let remote users a...

Page 551: ...ettings Note Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings The remote users must make any needed matching configuration changes and re establish the sessions using the new settings Figure 407 Configuration VPN L2TP VPN The following table describes the fields in this screen Table 142 Configuration VPN IPSec VPN VPN Connection LABEL DESCRIPTION Create new Object Use t...

Page 552: ...r user group that can use the L2TP VPN tunnel Use Create new Object if you need to configure a new user account see Section 40 2 1 on page 726 for details Otherwise select any to allow any user with a valid account and password on the ZyWALL to log in Keep Alive Timer The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user The ZyWALL disconnects ...

Page 553: ...VoIP call sound quality 32 1 1 What You Can Do in this Chapter Use the General summary screen see Section 32 2 on page 563 to enable and disable application patrol Use the Common Instant Messenger Peer to Peer VoIP and Streaming see Section 32 3 on page 564 screens to look at the applications the ZyWALL can recognize and review the settings for each one You can also enable and disable the rules fo...

Page 554: ...hedule user source and destination information Your custom policies take priority over the policy s default settings Classification of Applications There are two ways the ZyWALL can identify the application The first is called auto The ZyWALL looks at the IP payload OSI level 7 inspection and attempts to match it with known patterns for specific applications Usually this occurs at the beginning of...

Page 555: ...for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going Use application patrol to set a DSCP value for an application s traffic that the ZyWALL sends out Bandwidth Management When you allow an application you can restrict the bandwidth it uses or even the bandwidth that particular features in the application like voi...

Page 556: ...ore sending the traffic out a LAN zone interface Figure 408 LAN to WAN Connection and Packet Directions Outbound and Inbound Bandwidth Limits You can limit an application s outbound or inbound bandwidth This limit keeps the traffic from using up too much of the out going interface s bandwidth This way you can make sure there is bandwidth for other applications When you apply a bandwidth limit to o...

Page 557: ...e lowest priority Maximize Bandwidth Usage Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to borrow any unused bandwidth on the out going interface After each application gets its configured bandwidth rate the ZyWALL uses the fairness based scheduler to divide any unused bandwidth on the out going interface amongst applications that need more bandwidth and have ...

Page 558: ... for server B Maximize Bandwidth Usage Effect With maximize bandwidth usage enabled after each server gets its configured rate the rest of the available bandwidth is divided equally between the two So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps Then the ZyWALL divides the remaining bandwidth 1000 500 500 equally between the two 500 2 250 kbps for...

Page 559: ...for a description of DSCP marking 32 1 3 Application Patrol Bandwidth Management Examples Bandwidth management is very useful when applications are competing for limited bandwidth For example say you have a WAN zone interface connected to an ADSL device with a 8 Mbps downstream and 1 Mbps upstream ADSL connection The following sections give some simplified examples of using application patrol poli...

Page 560: ...32 1 3 2 SIP Any to WAN Bandwidth Management Example Manage SIP traffic going to the WAN zone from a VIP user on the LAN or DMZ Outbound traffic to the WAN from the LAN and DMZ is limited to 200 kbps The ZyWALL applies this limit before sending the traffic to the WAN Inbound traffic to the LAN and DMZ from the WAN is also limited to 200 kbps The ZyWALL applies this limit before sending the traffic...

Page 561: ...WAN to Any instead of Any to WAN 32 1 3 4 HTTP Any to WAN Bandwidth Management Example Inbound traffic gets more bandwidth as the local users will probably download more than they upload and the ADSL connection supports this Second highest priority 2 Set policies for other applications except SIP to lower priorities so the local users HTTP traffic gets sent before non SIP traffic Enable maximize b...

Page 562: ... you do not want to give FTP more bandwidth Figure 414 FTP WAN to DMZ Bandwidth Management Example 32 1 3 6 FTP LAN to DMZ Bandwidth Management Example The LAN and DMZ zone interfaces are connected to Ethernet networks not an ADSL device so you limit both outbound and inbound traffic to 50 Mbps Fourth highest priority 4 Disable maximize bandwidth usage since you do not want to give FTP more bandwi...

Page 563: ... 416 Configuration App Patrol General The following table describes the labels in this screen See Section 32 3 1 on page 565 for more information as well Table 147 Configuration App Patrol General LABEL DESCRIPTION Enable Application Patrol Select this check box to turn on application patrol Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL You must e...

Page 564: ...ion Status This field displays whether a service is activated Licensed or not Not Licensed or expired Expired Registration Type This field displays whether you applied for a trial application Trial or registered a service with your iCard s PIN number Standard None displays when the service is not activated Apply new Registration This link appears if you have not registered for the service or only ...

Page 565: ...PTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific application Status The activate light bulb icon is lit when the entry is active and d...

Page 566: ...s field displays the name of the application Classification Specify how the ZyWALL should identify this application Choices are Auto the ZyWALL identifies this application by matching the IP payload with the application s pattern s Service Ports the ZyWALL identifies this application by looking at the destination port in the IP header Service Port This is available if the Classification is Service...

Page 567: ...Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive This field is a sequential value and it is not associated with a specific condition Note The ZyWALL checks conditions in the order they appear in the list While this sequence does not affect the functionality you might improve the performance of the ZyWALL by putting more common conditions at ...

Page 568: ...s show the amount of bandwidth the application s traffic that matches the policy can use These fields only apply when Access is set to forward In This is how much inbound bandwidth in kilobits per second this policy allows the application to use Inbound refers to the traffic the ZyWALL sends to a connection s initiator If no displays here this policy does not apply bandwidth management for the app...

Page 569: ...instant messenger service Figure 419 Application Policy Edit The following table describes the labels in this screen OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 149 Application Edit continued LABEL DESCRIPTION Table 150 Application Policy Edit LABEL DESCRIPTION Create new Object Use to configure any new settings obje...

Page 570: ...ffective for every destination Access This field controls what the ZyWALL does with packets for this application that match this policy Choices are forward the ZyWALL routes the packets for this application Drop the ZyWALL does not route the packets for this application and does not notify the client of its decision Reject the ZyWALL does not route the packets for this application and notifies the...

Page 571: ... the traffic the ZyWALL sends to a connection s initiator If you enter 0 here this policy does not apply bandwidth management for the application s traffic that the ZyWALL sends to the initiator Traffic with bandwidth management disabled inbound and outbound are both set to 0 is automatically treated as the lowest priority 7 If the sum of the bandwidths for routes using the same next hop is higher...

Page 572: ... gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority The ZyWALL uses a fairness based round robin scheduler to divide bandwidth between applications with the same priority The number in this field is ignored if the incoming and outgoing limits are both set to 0 In thiscase the traffic is automatically treated as being set to the lowes...

Page 573: ...entry to the number that you typed Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive This field is a sequential value and it is not associated with a specific condition Note The ZyWALL checks conditions in the order they appear in the list While this sequence does not affect the functionality you might improve the performance of the ZyWALL by...

Page 574: ...r Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 391 for more details BWM These fields show the amount of bandwidth the traffic can use These fields only apply when Access is set to forward In This is how much inbound bandwidth in kilobits per second this policy allows the matching t...

Page 575: ...e ZyWALL generate a log log log and alert log alert or neither no when traffic matches this policy See Chapter 51 on page 867 for more on logs Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 151 AppPatrol Other continued LABEL DESCRIPTION Table 152 AppPatrol Other Edit LABEL DESCRIPTION Create new Object Use to confi...

Page 576: ...CP and UDP Select any to apply the policy to both TCP and UDP traffic Access This field controls what the ZyWALL does with packets that match this policy Choices are forward the ZyWALL routes the packets Drop the ZyWALL does not route the packets and does not notify the client of its decision Reject the ZyWALL does not route the packets and notifies the client of its decision DSCP Marking Set how ...

Page 577: ...y traffic uses all of the actual bandwidth Priority This field displays when the inbound or outbound bandwidth management is not set to 0 Enter a number between 1 and 7 to set the priority for traffic that matches this policy The smaller the number the higher the priority Traffic with a higher priority is given bandwidth before traffic with a lower priority The ZyWALL uses a fairness based round r...

Page 578: ...ion Patrol ZyWALL USG 300 User s Guide 578 OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 152 AppPatrol Other Edit continued LABEL DESCRIPTION ...

Page 579: ...es two interfaces to the LAN zone Figure 422 ZyWALL Anti Virus Example 33 1 1 What You Can Do in this Chapter Use the General screens Section 33 2 on page 582 to turn anti virus on or off set up anti virus policies and check the anti virus engine type and the anti virus license and signature status Use the Black White List screen Section 33 3 on page 587 to set up anti virus black blocked and whit...

Page 580: ...elf The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected to wiping out the entire contents of a hard drive to rendering your computer inoperable ZyWALL Anti Virus Scanner The ZyWALL has a built in signature database Setting up the ZyWALL between your local network and the Internet allows the ZyWALL to scan files transmitting through the ena...

Page 581: ...an detect polymorphic viruses 2 When a virus is detected an alert message is displayed in Microsoft Windows computers Refer to Appendix C on page 1019 if your Windows computer does not display the alert messages 3 Changes to the ZyWALL s anti virus settings affect new sessions not the sessions that already existed before you applied the changed settings 4 The ZyWALL does not scan the following fil...

Page 582: ...age 281 for how to register for the anti virus service You may need to customize the zones in the Network Zone used for the anti virus scanning direction 33 2 Anti Virus Summary Screen Click Configuration Anti X Anti Virus to display the configuration screen as shown next Figure 423 Configuration Anti X Anti Virus General ...

Page 583: ...ble ASCII characters X5O P AP 4 PZX54 P 7CC 7 EICAR STANDARD ANTIVIRUS TEST FILE H H Policies Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off ...

Page 584: ...ick this link to go to the screen where you can register for the service Signature Information The following fields display information on the current signature set that the ZyWALL is using Anti Virus Engine Type This field displays whether the ZyWALL is set to use ZyXEL s anti virus engine or the one powered by Kaspersky Upgrading the ZyWALL to firmware version 2 11 and updating the anti virus si...

Page 585: ... Select this check box to have the ZyWALL apply this anti virus policy to check traffic for viruses From To Select source and destination zones for traffic to scan for viruses The anti virus policy has the ZyWALL scan traffic coming from the From zone and going to the To zone Protocols to Scan Select which protocols of traffic to scan for viruses HTTP applies to traffic using TCP ports 80 8080 and...

Page 586: ...ature s log Create a log on the ZyWALL when a packet matches a signature s log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the ZyWALL send an alert when a packet matches a signature s White List Black List Checking Check White List Select this check box to check files against the white list Check Black List Select this...

Page 587: ...ord encryption Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip Note The ZyWALL s firmware package cannot go through the ZyWALL with this option enabled The ZyWALL classifies the ...

Page 588: ...LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns Use the black list to log and delete files with names that match the black list patterns Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select...

Page 589: ... for viruses Use up to 80 characters Alphanumeric characters underscores _ dashes question marks and asterisks are allowed A question mark lets a single character in the file name vary For example use a zip without the quotation marks to specify aa zip ab zip and so on Wildcards let multiple files match the pattern For example use a zip without the quotation marks to specify any file that ends wit...

Page 590: ...irus check on files with names that match the white list patterns Use the white list to have the ZyWALL not perform the anti virus check on files with names that match the white list patterns Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate In...

Page 591: ...making Internet Explorer run slowly and the computer maybe becoming unresponsive just click No to continue Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure 428 Configuration Anti X Anti Virus Signature Search by Severity ...

Page 592: ...yWALL search the signatures based on your specified criteria Query all signatures and export Click Export to have the ZyWALL save all of the anti virus signatures to your computer in a txt file Query Result This is the entry s index number in the list Name This is the name of the anti virus signature Click the Name column heading to sort your search results in ascending or descending order accordi...

Page 593: ...TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program A file infector is able to copy and attach itself to other programs that are executed on an infected computer Boot Sector Virus This type of virus infects the area of a hard drive that a computer reads and executes during startup The virus causes computer crashes and to some extend renders the infecte...

Page 594: ... share the resources such as CPU time on the computer for file inspection You have to update the virus signatures and or perform virus scans on all computers in the network regularly A network based anti virus NAV scanner is often deployed as a dedicated security device such as your ZyWALL on the network edge NAV scanners inspect real time data traffic such as E mail messages or web that tends to ...

Page 595: ...ge 599 to add a new profile edit an existing profile or delete an existing profile Use the Anti X IDP Custom Signature screens Section 34 8 on page 614 to create a new signature edit an existing signature delete existing signatures or save signatures to your computer 34 1 2 What You Need To Know Packet Inspection Signatures A signature identifies a malicious or suspicious packet and specifies an a...

Page 596: ...uration Changes to the ZyWALL s IDP settings affect new sessions not the sessions that already existed before you applied the changed settings Finding Out More See Section 6 5 20 on page 110 for IDP prerequisite information See Chapter 35 on page 629 for anomaly detection and protection See Section 34 9 on page 626 for more information on network based intrusions See Section 34 6 2 on page 606 for...

Page 597: ...ys and IDP is not enabled Figure 429 Configuration Anti X IDP General The following table describes the screens in this screen Table 160 Configuration Anti X IDP General LABEL DESCRIPTION General Settings Enable Signature Detection You must register for IDP service in order to use packet inspection signatures If you don t have a standard license you can register for a once off trial one Policies U...

Page 598: ...her LAN subnet via the ZyWALL s LAN zone interfaces The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone IDP Profile This field shows which IDP profile is bound to which traffic direction Select an IDP profile to apply to the entry s...

Page 599: ...n anomaly detection Current Version This field displays the IDP signature set version number This number gets larger as the set is enhanced Signature Number This field displays the number of IDP signatures in this set This number usually gets larger as the set is enhanced Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones Released Date ...

Page 600: ...ot log alerts and no action is taken on packets that trigger them wan Signatures for all services are enabled Signatures with a medium high or severe severity level greater than two generate logs not log alerts and no action is taken on packets that trigger them Signatures with a very low or low severity level less than or equal to two are disabled lan This profile is most suitable for common LAN ...

Page 601: ...SMTP SNMP SQL TELNET Oracle MySQL are enabled Signatures with a high or severe severity level greater than three generate log alerts and cause packets that trigger them to be dropped Signatures with a low or medium severity level two or three generate logs not log alerts and no action is taken on packets that trigger them Signatures with a very low severity level one are disabled OK Click OK to sa...

Page 602: ...he false alarms When you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature 34 5 1 Procedure To Create a New Profile To create a new profile 1 Click the Add icon in the Configuration Anti X IDP Profile screen to display a pop up screen allowing you to choose ...

Page 603: ...figuration Anti X IDP Profile and then add a new or edit an existing profile select Packet inspection signatures examine the contents of a packet for malicious data It operates at layer 4 to layer 7 34 6 1 Profile Group View Screen Figure 432 Configuration Anti X IDP Profile Edit Group View ...

Page 604: ...by criteria such as name ID severity attack type vulnerable attack platforms service category log options or actions Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Log To edit an item s log option select it and use the Log icon These are the log options no Select this option on an individual signature or a complete service g...

Page 605: ... the ZyWALL send a reset to both the sender and receiver when a packet matches the signature If it is a TCP attack packet the ZyWALL will send a packet with a RST flag to the receiver and sender If it is an ICMP or UDP attack packet the ZyWALL will send an ICMP unreachable packet This is the entry s index number in the list Status The activate light bulb icon is lit when the entry is active and di...

Page 606: ...n the final profile screen to complete the profile Table 163 Configuration Anti X IDP Profile Group View continued LABEL DESCRIPTION Table 164 Policy Types POLICY TYPE DESCRIPTION P2P Peer to peer P2P is where computing devices link directly to each other and can directly initiate communication with each other they do not need an intermediary A device can be both the client and the server In the Z...

Page 607: ...e overflow buffer region to obtain control of the system install a backdoor or use the victim to launch attacks on other devices Virus Worm A computer virus is a small program designed to corrupt and or alter the operation of other legitimate programs A worm is a program that is designed to copy itself from one computer to another on a network A worm s uncontrolled replication consumes system reso...

Page 608: ...n that group If you select original setting for service group logs and or actions all signatures within that group are returned to their last saved settings Figure 433 Configuration Anti X IDP Profile Edit IDP Service Group 34 6 4 Profile Query View Screen Click Switch to query view in the screen as shown in Figure 432 on page 603 to go to a signature query screen In the query view screen you can ...

Page 609: ...oup View screen Switch to group view Click this button to go to the IDP profile group view screen where IDP signatures are grouped by service and you can configure activation logs and or actions Query Signatures Select the criteria on which to perform the search Search all custom signatures Select this check box to search for signatures you created or imported in the Custom Signatures screen You c...

Page 610: ...rl key if you want to make multiple selections Action Search for signatures by the response the ZyWALL takes when a packet matches a signature See Table 163 on page 604 for action details Hold down the Ctrl key if you want to make multiple selections Activation Search for activated and or inactivated signatures here Log Search for signatures by log option here See Table 163 on page 604 for option ...

Page 611: ... 34 IDP ZyWALL USG 300 User s Guide 611 34 6 5 Query Example This example shows a search with these criteria Severity severe and high Attack Type DDoS Platform Windows 2000 and Windows XP computers Service Any ...

Page 612: ...Chapter 34 IDP ZyWALL USG 300 User s Guide 612 Actions Any Figure 435 Query Example Search Criteria Figure 436 Query Example Search Results ...

Page 613: ...ates IP version 4 IHL IP Header Length is the number of 32 bit words forming the total length of the header usually five Type of Service The Type of Service also known as Differentiated Services Code Point DSCP is usually set to 0 but may indicate particular quality of service needs from the network Total Length This is the size of the datagram in bytes It is the combined length of the header and ...

Page 614: ... router or bridge where the packet is not protected by a link layer cyclic redundancy check Packets with an invalid checksum are discarded by all nodes in an IP network Source IP Address This is the IP address of the original sender of the packet Destination IP Address This is the IP address of the final destination of the packet Options IP options is a variable length list of IP options for a dat...

Page 615: ... entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Export To save an entry or entries as a file on your computer select them and click Export Click Save in the file download dialog box and then select a location and name for the file Custom signatures must end with the rules file name extension ...

Page 616: ...mport custom signatures previously saved to your computer to the ZyWALL Note The name of the complete custom signature file on the ZyWALL is custom rules If you import a file named custom rules then all custom signatures on the ZyWALL are overwritten with the new file If this is not your intention make sure that the files you import are not named custom rules File Path Type the file path and name ...

Page 617: ...0 User s Guide 617 Try to write signatures that target a vulnerability for example a certain type of traffic on certain operating systems instead of a specific exploit Figure 439 Configuration Anti X IDP Custom Signatures Add Edit ...

Page 618: ... that is the operating systems you want to protect from this intrusion SGI refers to Silicon Graphics Incorporated who manufactures multi user Unix workstations that run the IRIX operating system SGI s version of UNIX A router is an example of a network device Service Select the IDP service group that the intrusion exploits or targets See Table 165 on page 607 for a list of IDP service groups The ...

Page 619: ...al Smaller or Greater and then type in a number IP Options IP options is a variable length list of IP options for a datagram that define IP Security Option IP Stream Identifier security and handling restrictions for the military Record Route have each router record its IP address Loose Source Routing specifies a list of IP addresses that must be traversed by the datagram Strict Source Routing spec...

Page 620: ...ence Number Use this field to check for a specific TCP sequence number Ack Number Use this field to check for a specific TCP acknowledgement number Window Size Use this field to check for a specific TCP window size Transport Protocol UDP Port Select the check box and then enter the source and destination UDP port numbers that will trigger this signature Transport Protocol ICMP Type Use this field ...

Page 621: ...r Decode as URI A Uniform Resource Identifier URI is a string of characters for identifying an abstract or physical resource RFC 2396 A resource can be anything that has identity for example an electronic document an image a service today s weather report for Taiwan a collection of other resources An identifier is an object that can act as a reference to something that has identity Example URIs ar...

Page 622: ...mation about the attack as you can The more specific your signature the less chance it will cause false positives As an example say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic OK Click this button to save your changes to the ZyWALL and return to the summary screen Cancel Click this button to return to the summary scree...

Page 623: ...yzer also known as a network or protocol analyzer such as Wireshark or Ethereal to investigate some more Figure 440 DNS Query Packet Details From the details about DNS query you see that the protocol is UDP and the port is 53 The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2 Therefore enter 010 as the first pattern ...

Page 624: ...own in the following figure Figure 441 Example Custom Signature 34 8 3 Applying Custom Signatures After you create your custom signature it becomes available in the IDP service group category in the Configuration Anti X IDP Profile Edit screen Custom signatures have an SID from 9000000 to 9999999 ...

Page 625: ... may also want to configure an alert if it is for a serious attack and needs immediate attention After you apply the signature to a zone you can see if it works by checking the logs Monitor Log The Priority column shows warn for signatures that are configured to generate a log only It shows critical for signatures that are configured to generate a log and alert All IDP signatures come under the ID...

Page 626: ...ver in with the goal of accessing confidential information or destroying information on a computer You must install a host IDP directly on the system being protected It works closely with the operating system monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them Disadvantages of host IDPs are that you have to install them on each device that...

Page 627: ...nort rules are divided into two logical sections the rule header and the rule options as shown in the following example alert tcp any any 192 168 1 0 24 111 content 00 01 a5 msg mountd access The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options The words before the colons in the rule options section are the option keywords The ru...

Page 628: ...dow Size window Transport Protocol UDP In Snort rule header Port In Snort rule header Transport Protocol ICMP Type itype Code icode ID icmp_id Sequence Number icmp_seq Payload Options Snort rule options Payload Size dsize Offset relative to start of payload offset Relative to end of last match distance Content content Case insensitive nocase Decode as URI uricontent Table 170 ZyWALL Snort Equivale...

Page 629: ...t inspection 2 ADP traffic and anomaly rules are updated when you upload new firmware This is different from the IDP packet inspection signatures and the system protect signatures you download from myZyXEL com 35 1 2 What You Can Do in this Chapter Use Anti X ADP General Section 35 2 on page 631 to turn anomaly detection on or off and apply anomaly profiles to traffic directions Use Anti X ADP Pro...

Page 630: ... apply ADP profiles to traffic flowing from one zone to another Base ADP Profiles Base ADP profiles are templates that you use to create new ADP profiles The ZyWALL comes with several base profiles See Table 172 on page 633 for details on ADP base profiles ADP Policy An ADP policy refers to application of an ADP profile to a traffic flow Finding Out More See Section 6 5 21 on page 110 for ADP prer...

Page 631: ...ctly in the table Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change an entry s position i...

Page 632: ... subnet to a computer on another LAN subnet via the ZyWALL s LAN zone interfaces The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone Note Depending on your network topology and traffic load applying every packet direction to an anom...

Page 633: ...on Anti X ADP Profile Table 172 Base Profiles BASE PROFILE DESCRIPTION none All traffic anomaly and protocol anomaly rules are disabled No logs are generated nor actions are taken all All traffic anomaly and protocol anomaly rules are enabled Rules with a high or severe severity level greater than three generate log alerts and cause packets that trigger them to be dropped Rules with a very low low...

Page 634: ... could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a rule ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles To create a new profile select a base profile see Table 172 on page 633 and then click OK to go to the profile details screen Type a new profile name enable or disable individual rules and then edit th...

Page 635: ...pter 35 ADP ZyWALL USG 300 User s Guide 635 belonging to this profile make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab Figure 447 Profiles Traffic Anomaly ...

Page 636: ...lds and sample times are set high so most traffic anomaly attacks will be detected however you will have more logs and false positives Block Period Specify for how many seconds the ZyWALL blocks all packets from being sent to the victim destination of a detected anomaly attack Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate L...

Page 637: ...ab Name This is the name of the traffic anomaly rule Click the Name column heading to sort in ascending or descending order according to the rule name Log These are the log options To edit this select an item and use the Log icon Action This is the action the ZyWALL should take when a packet matches a rule To edit this select an item and use the Action icon Threshold For flood detection you can se...

Page 638: ...Chapter 35 ADP ZyWALL USG 300 User s Guide 638 Figure 448 Profiles Protocol Anomaly ...

Page 639: ...id unique profile names MyProfile mYProfile Mymy12_3 4 These are invalid profile names 1mYProfile My Profile MyProfile Whatalongprofilename123456789012 HTTP Inspection TCP Decoder UDP Decoder ICMP Decoder Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Log To edit an item s log option select it and use the Log icon Select whe...

Page 640: ...t both Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to both the sender and receiver when a packet matches the rule If it is a TCP attack packet the ZyWALL will send a packet with a RST flag to the receiver and sender If it is an ICMP or UDP attack packet the ZyWALL will send an ICMP unreachable packet This is the entry s index number in ...

Page 641: ... Portscan IP Portscan An IP port scan searches not only for TCP UDP and ICMP protocols in use by the remote computer but also additional IP protocols such as EGP Exterior Gateway Protocol or IGP Interior Gateway Protocol Determining these additional protocols can help reveal if the destination device is a workstation a printer or a router OK Click OK to save your settings to the ZyWALL complete th...

Page 642: ...that is they are one to many port scans One host scans a single port on multiple hosts This may occur when a new exploit comes out and the attacker is looking for a specific service These are some port sweep types TCP Portsweep UDP Portsweep IP Portsweep ICMP Portsweep Filtered Port Scans A filtered port scan may indicate that there were no network errors ICMP unreachables or TCP RSTs or responses...

Page 643: ... address of the network The router will broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If an attacker A spoofs the source IP address of the ICMP echo request packet the resulting ICMP traffic will not only saturate the receiving network B but the network of the spoofed source I...

Page 644: ...all outstanding SYN ACK responses on a backlog queue SYN ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three way handshake Once the queue is full the system will ignore all incoming SYN requests making the system unavailable for other users Figure 451 SYN Flood LAND Attack In a LAND attack hackers flood SYN packets into a network with a spoofed source ...

Page 645: ...r a space delimiter Apache uses this so if you have an Apache server you need to enable this option ASCII ENCODING ATTACK This rule can detect attacks where malicious attackers use ASCII encoding to encode attack strings Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server BARE BYTE UNICODING ENCODING ATTACK Bare byte encoding ...

Page 646: ...ted by both Apache and IIS web servers OVERSIZE CHUNK ENCODING ATTACK This rule is an anomaly detector for abnormally large chunk sizes This picks up the apache chunkencoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding OVERSIZE REQUEST URI DIRECTORY ATTACK This rule takes a non zero positive integer as an argument The argument specifies the max character directory...

Page 647: ...ean the packet was truncated TTCP DETECTED ATTACK T TCP provides a way of bypassing the standard three way handshake found in TCP thus speeding up transactions However this could lead to unauthorized access to the system by spoofing connections UNDERSIZE LEN ATTACK This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes This may cause some applications to crash UNDE...

Page 648: ...ess than the ICMP header length This may cause some applications to crash TRUNCATED TIMESTAMP HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length This may cause some applications to crash Table 176 HTTP Inspection and TCP UDP ICMP Decoders continued LABEL DESCRIPTION ...

Page 649: ...n web features such as cookies and or block access to specific web sites It can also block access to specific categories of web site content You can create different content filter policies for different addresses schedules users or groups and content filter profiles For example you can configure one policy that blocks John Doe s access to arts and entertainment web pages during the workday and an...

Page 650: ...bers When a matching policy is found the content filter allows or blocks the request depending on the settings of the filtering profile specified by the policy Some requests may not match any policy The ZyWALL allows the request if the default policy is not set to block The ZyWALL blocks the request if the default policy is set to block External Web Filtering Service When you register for and enab...

Page 651: ...ding Out More See Section 6 5 22 on page 110 for related information on these screens See Section 36 7 on page 673 for content filtering background technical information 36 1 3 Before You Begin You must configure an address object a schedule object and a filtering profile before you can set up a content filter policy You must subscribe to use the external database content filtering see the Licensi...

Page 652: ... Filter Report Service Select this check box to have the ZyWALL collect category based content filtering statistics Policies This is a list of the configured content filter policies Block web access when no policy is applied Select this check box to stop users from accessing the Internet by default when their attempted access does not match a content filter policy Add Click this to create a new en...

Page 653: ...tent filter policy You can define different policies for different time periods none means the content filter policy applies all of the time User This column displays the individual or group to which this policy applies any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any user Filter Profile This column displays the name of the content fil...

Page 654: ...er is not active You can view content filter reports after you register the ZyWALL and activate the subscription service in the Registration screen see Chapter 37 on page 675 License Type This read only field displays what kind of service registration you have for the content filtering database None displays if you have not successfully registered and activated the service Standard displays if you...

Page 655: ... access to certain categories after the work day is over Select none to have the content filter policy apply all of the time Address Select the address or address group for which you want to use this policy Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any IP address Filter Profile Use the drop down list box to select the content...

Page 656: ... X Content Filter Filter Profile Add or Edit to open the Category Service screen Use this screen to enable external database content filtering and select which web site categories to block and or log Note You must register for external content filtering before you can use it See Section 11 2 on page 283 for how to register Table 179 Configuration Anti X Content Filter Filter Profile LABEL DESCRIPT...

Page 657: ...Chapter 36 Content Filtering ZyWALL USG 300 User s Guide 657 See Chapter 37 on page 675 for how to view content filtering reports Figure 455 Configuration Anti X Content Filter Filter Profile Add ...

Page 658: ...Chapter 36 Content Filtering ZyWALL USG 300 User s Guide 658 Figure 456 Configuration Anti X Content Filter Filter Profile Add Continue ...

Page 659: ...after you register the ZyWALL and activate the subscription service in the Registration screen see Chapter 37 on page 675 License Type This read only field displays what kind of service registration you have for the content filtering database None displays if you have not successfully registered and activated the service Standard displays if you have successfully registered the ZyWALL and activate...

Page 660: ...at match the other categories that you select below When external database content filtering blocks access to a web page it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page Select Log to record attempts to access web pages that match the other categories that you select below Action for Unrated Web Pages Sel...

Page 661: ...eck box to clear the selected categories below Security Threat unsafe These are categories of web pages that are known to pose a threat to users or their computers Phishing This category includes pages that are designed to appear as a legitimate bank or retailer with the intent to fraudulently capture sensitive data i e credit card numbers pin numbers Spyware Malware Sources This category includes...

Page 662: ...ot necessarily contain excessive violence sexual content or nudity These pages include very profane or vulgar content and pages that are not appropriate for children Alternative Sexuality Lifestyles This category includes pages that provide information promote or cater to alternative sexual expressions in their myriad forms It includes but is not limited to the full range of non traditional sexual...

Page 663: ...advice on performing illegal acts such as service theft evading law enforcement fraud burglary techniques and plagiarism It also includes pages that provide or sell questionable educational materials such as term papers Note This category includes sites identified as being malicious in any way such as having viruses spyware and etc Gambling This category includes pages where a user can place a bet...

Page 664: ...nd use of a desktop computer or private network remotely Suspicious This category includes pages considered to have suspicious content and or intent that poses an elevated security or privacy risk This is determined by analysis of web reputation factors It also includes sites that are part of the Web and email spam ecosystem Sites that are determined to be clearly malicious or benign will be place...

Page 665: ...gender identity including but not limited to lesbian gay bi sexual and transgender sites It does not include sites that are sexually gratuitous in nature which would typically fall under the Pornography category Military This category includes pages that promote or provide information on military branches or armed services Political Activist Groups This category includes pages sponsored by or whic...

Page 666: ...ers and players for audio and video clips Media Sharing This category includes pages that allow sharing of media e g photo sharing and have a low risk of including objectionable content such as adult or pornographic material Radio Audio Streams This category includes pages that provide streams or downloads of radio music or other audio content typically more than 15 minutes in length TV Video Stre...

Page 667: ...metry general psychiatry self help and support organizations dedicated to a disease or condition Leisure Art Culture This category includes pages that nurture and promote cultural understanding of fine art including but not limited to sculpture paintings and other visual art forms literature music dance ballet and performance art and the venues or foundations that support foster or house them such...

Page 668: ...ges that offer market information brokerage or trading services Job Search Careers This category includes pages that provide assistance in finding employment and tools for locating prospective employers Real Estate This category includes pages that provide information on renting buying or selling real estate or properties Auctions This category includes pages that support the offering and purchasi...

Page 669: ...ncludes pages that primarily report information or comments on current events or contemporary issues of the day It also includes radio stations and magazines It does not include pages that can be rated in other categories Reference This category includes pages containing personal professional or educational reference including online dictionaries maps census almanacs library catalogues genealogy r...

Page 670: ...ove specific sites or keywords from the filter list Table 181 Content Filter Warning Messages CASE WARNING MESSAGE Safe category The website access is restricted Pleaase contact with admministrator matched category If you feel this site is improperly categorized click here to double check the rating and see more details Spyware Malware This site contains malicious code or harmful content that coul...

Page 671: ...e You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Enable Custom Service Select this check box to allow trusted web sites and block forbidden web sites Content filter list customization may be enabled and disabled without re entering these site names Allow Web traffic for trusted web sites only When this box is...

Page 672: ...mit Java ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN In certain cases it may be desirable to allow Java ActiveX or Cookies from sites that are known and trusted Trusted Web Sites These are sites that you want to allow access to regardless of their content rating can be allowed by adding them to this list Add Click this to create a new entry Edit Select an entry and clic...

Page 673: ...n allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Blocked URL Keywords This list displays the keywords already added Enter a keyword or a numerical IP address to block You can also enter a numerica...

Page 674: ...onfiguration 3 Use the Content Filter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses see Section 10 19 on page 272 All of the web site address records are also cleared from the local cache when the ZyWALL restarts 4 If the ZyWALL has no record of the web site it queries the external content filter database and simultaneously send...

Page 675: ... register your device and activate the subscription services 37 2 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen You need to register your iCard before you can view content filtering reports Alternatively you can also view content filtering rep...

Page 676: ...Chapter 37 Content Filter Reports ZyWALL USG 300 User s Guide 676 2 Fill in your myZyXEL com account information and click Login Figure 459 myZyXEL com Login ...

Page 677: ...ys Click your ZyWALL s model name and or MAC address under Registered ZyXEL Products the ZyWALL 70 is shown as an example here You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen see Figure 461 on page 678 Figure 460 myZyXEL com Welcome ...

Page 678: ...4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens Figure 461 myZyXEL com Service Management 5 In the Web Filter Home screen click the Reports tab Figure 462 Content Filter Reports Main Screen ...

Page 679: ...orts Figure 463 Content Filter Reports Report Home 7 Select a time period in the Date Range field either Allowed or Blocked in the Action Taken field and a category or enter the user name if you want to view single user reports and click Run Report The screens vary according to the report type you selected in the Report Home screen ...

Page 680: ...Chapter 37 Content Filter Reports ZyWALL USG 300 User s Guide 680 8 A chart and or list of requested web site categories display in the lower half of the screen Figure 464 Global Report Screen Example ...

Page 681: ...ntent Filter Reports ZyWALL USG 300 User s Guide 681 9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested Figure 465 Requested URLs Example ...

Page 682: ...Chapter 37 Content Filter Reports ZyWALL USG 300 User s Guide 682 ...

Page 683: ... to have the ZyWALL check e mail against DNS Black Lists 38 1 2 What You Need to Know White list Configure white list entries to identify legitimate e mail The white list entries have the ZyWALL classify any e mail that is from a specified sender or uses a specified header field and header value as being legitimate see E mail Headers on page 684 for more on mail headers The anti spam feature check...

Page 684: ...use SMTP to send messages to a mail server The older POP2 requires SMTP for sending messages while the newer POP3 can be used with or without it This is why many e mail applications require you to specify both the SMTP server and the POP or IMAP server even though they may actually be the same server The ZyWALL s anti spam feature checks SMTP TCP port 25 and POP3 TCP port 110 e mails The anti spam...

Page 685: ...is also known as a DNS spam blocking list The ZyWALL can check the routing addresses of e mail against DNSBLs and classify an e mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL Finding Out More See Section 38 7 on page 696 for more background information on anti spam 38 2 Before You Begin Configure your zones before you configure anti spam 38 3 The Anti Spam G...

Page 686: ...e mail session is when an e mail client and e mail server or two e mail servers connect through the ZyWALL Select how to handle concurrent e mail sessions that exceed the maximum number of concurrent e mail sessions that the anti spam feature can handle See the chapter of product specifications for the threshold Select Forward Session to have the ZyWALL allow the excess e mail sessions without any...

Page 687: ...ivate light bulb icon is lit when the entry is active and dimmed when the entry is inactive Priority This is the position of an anti spam policy in the list Theordering of your anti spam policies is important as the ZyWALL applies them in sequence Once traffic matches an anti spam policy the ZyWALL applies that policy and does not check the traffic against any more policies From The anti spam poli...

Page 688: ...elect how the ZyWALL is to log the event when the DNSBL times out or an e mail matches the white list black list or DNSBL no Do not create a log log Create a log on the ZyWALL log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the ZyWALL send an alert From To Select source and destination zones for traffic to scan for spa...

Page 689: ...k list entry as spam Check DNSBL Select this check box to check e mail against the ZyWALL s configured DNSBL domains The ZyWALL classifies e mail that matches a DNS black list as spam Actions for Spam Mail Use this section to set how the ZyWALL is to handle spam mail SMTP Select how the ZyWALL is to handle spam SMTP mail Select drop to discard spam SMTP mail Select forward to allow spam SMTP mail ...

Page 690: ...ails that match the ZyWALL s spam black list Rule Summary Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Status The activate light bulb icon is lit when the entry is active and d...

Page 691: ...ding list screen enable the anti spam feature in the anti spam general screen and configure an anti spam policy to use the list Type Use this field to base the entry on the e mail s subject source or relay IP address source e mail address or header Select Subject to have the ZyWALL check e mail for specific content in the subject line Select IP Address to have the ZyWALL check e mail for a specifi...

Page 692: ...otation Netmask This field displays when you select the IP type Enter the subnet mask here if applicable Sender E Mail Address This field displays when you select the E Mail type Enter a keyword up to 63 ASCII characters See Section 38 4 2 on page 692 for more details Mail Header Field Name This field displays when you select the Mail Header type Type the name part of an e mail header the part tha...

Page 693: ...7 Configuration Anti X Anti Spam Black White List White List LABEL DESCRIPTION General Settings Enable White List Checking Select this check box to have the ZyWALL forward e mail that matches an active white list entry without doing any more anti spam checking on that individual e mail Rule Summary Add Click this to create a new entry See Section 38 4 1 on page 691 for details Edit Select an entry...

Page 694: ...BLs Figure 471 Configuration Anti X Anti Spam DNSBL Type This field displays whether the entry is based on the e mail s subject source or relay IP address source e mail address or a header Content This field displays the subject content source or relay IP address source e mail address or header value for which the entry checks OK Click OK to save your changes Cancel Click Cancel to exit this scree...

Page 695: ...ddress in the mail header This is the IP of the sender or the first server that forwarded the mail Select last N IPs to have the ZyWALL start checking from the last IP address in the mail header This is the IP of the last server that forwarded the mail Query Timeout Setting SMTP Select how the ZyWALL is to handle SMTP mail mail going to an e mail server if the queries to the DNSBL domains time out...

Page 696: ... one non spam reply for each of an e mail s routing IP addresses the ZyWALL immediately classifies the e mail as legitimate and forwards it Any further DNSBL replies that come after the ZyWALL classifies an e mail as spam or legitimate have no effect The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours The ZyWALL checks an e mail s sender and relay IP addresses against...

Page 697: ...te query to each of its DNSBL domains for IP address b b b b 2 DNSBL A replies that IP address a a a a does not match any entries in its list not spam 3 DNSBL C replies that IP address b b b b matches an entry in its list 4 The ZyWALL immediately classifies the e mail as spam and takes the action for spam that you defined in the anti spam policy In this example it was an SMTP mail and the defined ...

Page 698: ...er separate query to each of its DNSBL domains for IP address d d d d 2 DNSBL B replies that IP address d d d d does not match any entries in its list not spam 3 DNSBL C replies that IP address c c c c does not match any entries in its list not spam 4 Now that the ZyWALL has received at least one non spam reply for each of the e mail s routing IP addresses the ZyWALL immediately classifies the e m...

Page 699: ...rate query to each of its DNSBL domains for IP address w x y z 2 DNSBL A replies that IP address a b c d does not match any entries in its list not spam 3 While waiting for a DNSBL reply about IP address w x y z the ZyWALL receives a reply from DNSBL B saying IP address a b c d is in its list 4 The ZyWALL immediately classifies the e mail as spam and takes the action for spam that you defined in t...

Page 700: ...Chapter 38 Anti Spam ZyWALL USG 300 User s Guide 700 ...

Page 701: ...Active Passive Mode screens Section 39 3 on page 704 to use active passive mode device HA You can configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs Use the Legacy Mode screens Section 39 5 on page 711 to use legacy mode device HA You can configure general legacy mode HA settings including link monitoring configu...

Page 702: ...virus IDP application patrol and system protect and certificates Note Only ZyWALLs of the same model and firmware version can synchronize Otherwise you must manually configure the master ZyWALL s settings on the backup by editing copies of the configuration files in a text editor for example Finding Out More See Section 6 5 24 on page 111 for related information on these screens See Section 39 7 o...

Page 703: ...p between the master and backup ZyWALLs such as active active or using different ZyWALLs as the master for individual interfaces The master and its backups must all use the same device HA mode Click the link to go to the screen where you can configure the ZyWALL to use the device HA mode that it is not currently using Monitored Interface Summary This table shows the status of the interfaces that y...

Page 704: ...monitored interface s status in the virtual router Active This interface is up and using the virtual IP address and subnet mask Stand By This interface is a backup interface in the virtual router It is not using the virtual IP address and subnet mask Fault This interface is not functioning in the virtual router right now In active passive mode or in legacy mode with link monitoring enabled if one ...

Page 705: ...d backup ZyWALLs Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL Virtual Router and Management IP Addresses If a backup takes over for the master it uses the master s IP addresses These IP addresses are know as the virtual router IP addresses Each interface can also have a management IP address...

Page 706: ...es 39 3 1 Configuring Active Passive Mode Device HA The Device HA Active Passive Mode screen lets you configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs To access this screen click Configuration Device HA Active Passive Mode Figure 480 Configuration Device HA Active Passive Mode A 192 168 1 1 B 192 168 1 1 192 16...

Page 707: ...This field is available for a backup ZyWALL Select this if this ZyWALL should become the master ZyWALL if a lower priority ZyWALL is the master when this one is enabled If the role is master the ZyWALL preempts by default Cluster Settings Cluster ID Type the cluster ID number A virtual router consists of a master ZyWALL and all of its backup ZyWALLs If you have multiple ZyWALL virtual routers on y...

Page 708: ...ynchronization to have a backup ZyWALL copy the master ZyWALL s configuration certificates AV signatures IDP and application patrol signatures and system protect signatures Every interface s management IP address must be in the same subnet as the interface s IP address the virtual router IP address Server Address If this ZyWALL is set to backup role enter the IP address or Fully Qualified Domain N...

Page 709: ...yWALL no backup ZyWALLs can synchronize from it If you leave this field blank in a backup ZyWALL it cannot synchronize from the master ZyWALL Auto Synchronize Select this to get the updated configuration automatically from the specified ZyWALL according to the specified Interval The first synchronization begins after the specified Interval the ZyWALL does not synchronize immediately Interval When ...

Page 710: ...interfaces or disable the bridge interfaces connect the bridge interfaces activate device HA and finally reactivate the bridge interfaces Virtual Router IP VRIP Subnet Mask This is the interface s static IP address and subnet mask in the virtual router Whichever ZyWALL is currently serving as the master uses this virtual router IP address and subnet mask These fields are blank if the interface is ...

Page 711: ...es that have static IP addresses You can only enable one VRRP group for each interface and you can only have one active VRRP group for each virtual router If you create a VRRP group for an Ethernet interface that has a VLAN interface configured on it make sure you create a separate VRRP group for the VLAN interface This will avoid an IP conflict if the backup ZyWALL takes over for the master When ...

Page 712: ...L DESCRIPTION General Settings Link Monitoring Enable link monitoring to have the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down This way the backup ZyWALL takes over all of the master ZyWALL s functions Stop Cellular WLAN interfaces while one of monitored interface is fault Select this to have the master ZyWALL shut down any 3G or wireless LAN inte...

Page 713: ...dress and subnet mask of an interface Synchronization Server Address Enter the IP address or Fully Qualified Domain Name FQDN of the ZyWALL from which to get configuration and subscription service updates for services to which the backup ZyWALL is subscribed Usually you should enter the IP address or FQDN of a virtual router on a secure network Sync Now This displays if the ZyWALL is set to use le...

Page 714: ...nfiguration Device HA Legacy Mode Add Interval This field is only available if Auto Synchronize is checked Type the number of minutes to wait between synchronizations Next Sync Time This appears the next time and date in hh mm yyyy mm dd format the ZyWALL will synchronize with the master Apply switch to Legacy Mode This appears when the ZyWALL is currently using active passive mode device HA Click...

Page 715: ...ace s IP address for management access You can use this IP address to access the ZyWALL whether it is the master or a backup This management IP address should be in the same subnet as the interface IP address so the backup ZyWALL cannot synchronize with the master via this VRRP interface Manage IP Subnet Mask Enter the subnet mask of the interface s management IP address Role Select the role that ...

Page 716: ...thod and password Choices are None this virtual router does not use any authentication method Text this virtual router uses a plain text password for authentication Type the password in the field next to the radio button The password can consist of alphanumeric characters the underscore and some punctuation marks and it can be up to eight characters long IP AH MD5 this virtual router uses an encry...

Page 717: ...yWALL B are not connected 2 Configure the bridge interface on the master ZyWALL set the bridge interface as a monitored interface and activate device HA 3 Configure the bridge interface on the backup ZyWALL set the bridge interface as a monitored interface and activate device HA B A B A Br0 ge4 ge5 B A Br0 ge4 ge5 Br0 ge4 ge5 ...

Page 718: ...interfaces activate device HA and finally reactivate the bridge interfaces as shown in the following example 1 In this case the ZyWALLs are already connected but the bridge faces have not been configured yet Configure a disabled bridge interface on the master ZyWALL but disable it Then set the bridge interface as a monitored interface and activate device HA B A Br0 ge4 ge5 Br0 ge4 ge5 B A Br0 ge4 ...

Page 719: ...ce on the backup ZyWALL Then set the bridge interface as a monitored interface and activate device HA 3 Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL 4 Connect the ZyWALLs B A Br0 ge4 ge5 Br0 ge4 ge5 Disabled Disabled B A Br0 ge4 ge5 Br0 ge4 ge5 B A Br0 ge4 ge5 Br0 ge4 ge5 ...

Page 720: ... address as the default gateway and forwards traffic for the network ZyWALL B is a backup It is using its management IP address 192 168 10 112 ZyWALL A sends regular messages to ZyWALL B to let ZyWALL B know that ZyWALL A is available If ZyWALL A becomes unavailable it stops sending messages to ZyWALL B ZyWALL B detects this and assumes the role of the master This is illustrated below Figure 485 E...

Page 721: ...still recommended that the backup ZyWALL synchronize with a master ZyWALL on a secure network The backup ZyWALL gets the configuration from the master ZyWALL The backup ZyWALL cannot become the master or be managed while it applies the new configuration This usually takes two or three minutes or longer depending on the configuration complexity The following restrictions apply with active passive m...

Page 722: ...Chapter 39 Device HA ZyWALL USG 300 User s Guide 722 ...

Page 723: ... users and other user groups You cannot put admin users in user groups The Setting screen see Section 40 4 on page 731 controls default settings login settings lockout settings and other user settings for the ZyWALL You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them 40 1 2 What You Need To Know User Account A user account defines the priv...

Page 724: ...respectively Note If the ZyWALL tries to authenticate an ext user using the local database the attempt always fails Once an ext user user has been authenticated the ZyWALL tries to get the user type see Table 194 on page 723 from the external server If the external server does not have the information the ZyWALL sets the user type for this session to User For the rest of the user attributes such a...

Page 725: ...ave to log into the Z yWALL to use the network services it provides The ZyWALL automatically routes packets for everyone If you want to restrict network services that certain users can use via the ZyWALL you can require them to log in to the ZyWALL first The ZyWALL is then aware of the user who is logged in and you can create user aware policies that define what services they can use See Section 4...

Page 726: ...ng characters Alphanumeric A z 0 9 there is no unicode support _ underscores Table 195 Configuration Object User Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so O...

Page 727: ...S or FTP it will use the account settings used for BOB not bob User names have to be different than user group names Here are the reserved user names To access this screen go to the User screen see Section 40 2 on page 726 and click either the Add icon or an Edit icon Figure 487 Configuration User Group User Add adm admin any bin daemon debug devicehaecived ftp games halt ldap users lp mail news n...

Page 728: ... alphanumeric characters Retype This field is not available if you select the ext user or ext group user type Group Identifier This field is available for a ext group user type user account Specify the value of the AD or LDAP server s Group Membership Attribute that identifies the group to which this user belongs Associated AAA Server Object This field is available for a ext group user type user a...

Page 729: ...umber of minutes unlimited Unlike Lease Time the user has no opportunity to renew the session without logging out Configuration Validation Use a user account from the group specified above to test if the configuration is correct Enter the account s user name in the User Name field and click Test OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without sav...

Page 730: ...is field displays the name of each user group Description This field displays the description for each user group Member This field lists the members in the user group Each member is separated by a comma Table 197 Configuration Object User Group Group continued LABEL DESCRIPTION Table 198 Configuration User Group Group Add LABEL DESCRIPTION Name Type the name for this user group You may use 1 31 a...

Page 731: ... been added to the user group The order of members is not important Select users and groups from the Available list that you want to be members of this group and move them to the Member list You can double click a single entry to move it or use the Shift or Ctrl key to select multiple entries and use the arrow button to move them Move any members you do not want included to the Available list OK C...

Page 732: ...entication Timeout Settings Default Authentication Timeout Settings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Ed...

Page 733: ...cally see Section 40 4 on page 731 the users can select this checkbox on their screen as well In this case the session is automatically renewed before the lease time expires Reauthentication Time This is the default reauthentication time in minutes for each type of user account It defines the number of minutes the user can be logged into the ZyWALL in one session before having to log in again Unli...

Page 734: ... on the number of simultaneous logins by non admin users If you do not select this access users can login as many times as they want as long as they use different IP addresses Maximum number per access account This field is effective when Limit for access account is checked Type the maximum number of simultaneous logins by each access user User Lockout Settings Enable logon retry limit Select this...

Page 735: ...ntained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 725 for more information about this type Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Admin users renew the session every time the main scree...

Page 736: ...ically logs them out The ZyWALL sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 40 2 1 on page 726 Lease time field in the Setting screen see Section 40 4 on page 731 Updating lease time automatically This box appears if you checked the Allow renewing lease time automatically box in the Setting screen S...

Page 737: ...ge number of Ext User accounts you might use CLI commands instead of the Web Configurator to create the accounts Extract the user names from the LDAP or RADIUS server and create a shell script that creates the user accounts See Chapter 52 on page 887 for more information about shell scripts Table 202 LDAP RADIUS Keywords for User Attributes KEYWORD CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR type ...

Page 738: ...Chapter 40 User Group ZyWALL USG 300 User s Guide 738 ...

Page 739: ... dynamic routes firewall rules application patrol content filtering and VPN connection policies For example addresses are used to specify where content restrictions apply in content filtering Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of memb...

Page 740: ...ck this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an examp...

Page 741: ...s subnet or gateway if the interface s IP address settings change For example if you change ge1 s IP address the ZyWALL automatically updates the corresponding interface based LAN subnet address object IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only availab...

Page 742: ...presents OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 204 Configuration Object Address Address Edit continued LABEL DESCRIPTION Table 205 Configuration Object Address Address Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the ent...

Page 743: ...ashes but the first character cannot be a number This value is case sensitive Description This field displays the description of each address group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the address and address group objects that have been added to the address group The order of members is not important Select items fro...

Page 744: ...Chapter 41 Addresses ZyWALL USG 300 User s Guide 744 ...

Page 745: ...level protocol that is sent in this packet This section discusses three of the most common IP protocols Computers use Transmission Control Protocol TCP IP protocol 6 and User Datagram Protocol UDP IP protocol 17 to exchange data with each other TCP guarantees reliable delivery but is slower and more complex Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some ...

Page 746: ...P protocols TCP applications UDP applications ICMP messages user defined services for other types of IP protocols These objects are used in policy routes firewall rules and IDP profiles Use service groups when you want to create the same rule for several services instead of creating separate rules for each service Service groups may consist of services and other service groups The sequence of memb...

Page 747: ...uble click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value a...

Page 748: ... may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive IP Protocol Select the protocol the service uses Choices are TCP UDP ICMP and User Defined Starting Port Ending Port This field appears if the IP Protocol is TCP or UDP Specify the port number s used by this service If you fill in one of these fields the service use...

Page 749: ...ck Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with a specific ...

Page 750: ...underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description of the service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not important Select items from the Availa...

Page 751: ...f all schedules in the ZyWALL Use the One Time Schedule Add Edit screen Section 43 2 1 on page 753 to create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 43 2 2 on page 754 to create or edit a recurring schedule 43 1 2 What You Need to Know One time Schedules One time schedules begin on a specific start date and time and end on a specific stop date and time One ti...

Page 752: ...nfiguration Object Schedule LABEL DESCRIPTION One Time Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which sett...

Page 753: ... confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of theschedule which is used to refer to the schedule Start Time This ...

Page 754: ... dates such as February 31 Hour 0 23 Minute 0 59 StartTime Specify the hour and minute when the schedule begins Hour 0 23 Minute 0 59 StopDate Specify the year month and day when the schedule ends Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 Hour 0 23 Minute 0 59 StopTime Specify the hour and minute when the schedule ends Hour 0 23 Minute 0 59 ...

Page 755: ...ing LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule begins each day Hour 0 23 Minute 0 59 StopTime Specify the hour and minute when the schedule ends each...

Page 756: ...Chapter 43 Schedules ZyWALL USG 300 User s Guide 756 ...

Page 757: ...see Chapter 45 on page 767 44 1 1 Directory Service AD LDAP LDAP AD allows a client the ZyWALL to connect to a server to retrieve information from a directory A network example is shown next Figure 506 Example Directory Service Client and Server The following describes the user authentication procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The ZyWALL tries to ...

Page 758: ...feature Purchase a ZyWALL OTP package in order to use this feature The package contains server software and physical OTP tokens PIN generators Do the following to use OTP See the documentation included on the ASAS CD for details 1 Install the ASAS server software on a computer 2 Create user accounts on the ZyWALL and in the ASAS server 3 Import each token s database file located on the included CD...

Page 759: ...ticate VPN users Directory Service LDAP AD LDAP Lightweight Directory Access Protocol AD Active Directory is a directory service that is both a directory and a protocol for controlling access to a network The directory consists of a database specialized for fast information retrieval and filtering activities You create and store user profile and login information on the external server RADIUS RADI...

Page 760: ...any c JP Base DN A base DN specifies a directory A base DN usually contains information such as the name of an organization a domain name and or country For example o MyCompany c UK where o means organization and c means country Bind DN A bind DN is used to authenticate with an LDAP AD server For example a bind DN of cn zywallAdmin allows the ZyWALL to log into the LDAP AD server using the user na...

Page 761: ...erver Click Object AAA Server Active Directory or LDAP to display the Active Directory or LDAP screen Click the Add icon or an Edit icon to display the Table 214 Configuration Object AAA Server Active Directory or LDAP LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To re...

Page 762: ... Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the AD or LDAP server Backup Server Address If the AD or LDAP server has a backup server enter its address here Port Specify the port number on the AD or LDAP server ...

Page 763: ...gin Name Attribute Enter the type of identifier the users are to use to log in For example name or e mail address Alternative Login Name Attribute If there is a second type of identifier that the users can use to log in enter it here For example name or e mail address Group Membership Attribute An AD or LDAP server defines attributes for its accounts Enter the name of the attribute that the ZyWALL...

Page 764: ...e address of the AD or LDAP server Base DN This specifies a directory For example o ZyXEL c US Host Enter the IP address in dotted decimal notation or the domain name up to 63 alphanumeric characters of a RADIUS server Authentication Port The default port of the RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so with add...

Page 765: ... LABEL DESCRIPTION Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the RADIUS server Authentication Port Specify the port number on the RADIUS server to which the ZyWALL sends authentication requests Enter a number ...

Page 766: ...es attributes for its accounts Select the name and number of the attribute that the ZyWALL is to check to determine to which group a user belongs If it does not display select user defined and specify the attribute s number This attribute s value is called a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group ...

Page 767: ... Auth Method screens Section 45 2 on page 768 to create and manage authentication method objects Finding Out More See Section 7 7 3 on page 148 for an example of how to set up user authentication using a radius server 45 1 2 Before You Begin Configure AAA server objects see Chapter 44 on page 757 before you configure authentication method objects 45 1 3 Example Selecting a VPN Authentication Metho...

Page 768: ...create up to 16 authentication method objects Figure 514 Configuration Object Auth Method The following table describes the labels in this screen Table 218 Configuration Object Auth Method LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and cl...

Page 769: ...lumn is important The ZyWALL authenticates the users using the databases in the local user database or the external authentication server in the order they appear in this screen If two accounts with the same username exist on two authentication servers you specify the ZyWALL does not continue the search on the second authentication server when you enter the username and password that doesn t match...

Page 770: ...WALL confirms you want to remove it before doing so Move To change a method s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed The ordering of your methods is important as ZyWALL authenticates the users using the authentication methods in the order they appea...

Page 771: ...1 Add icon Click Add to add a new entry Click Edit to edit the settings of an entry Click Delete to delete an entry OK Click OK to save the changes Cancel Click Cancel to discard the changes Table 219 Configuration Object Auth Method Add continued LABEL DESCRIPTION ...

Page 772: ...Chapter 45 Authentication Method ZyWALL USG 300 User s Guide 772 ...

Page 773: ...ed certificate It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate 46 1 2 What You Need to Know When using public key cryptology for authentication each host has two keys One key is public and can be made openly available The other key is private and must be kept secure These keys work like a handwritten signature in fact certifica...

Page 774: ...gorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the hierarchy of certification authority certificates that validate a certificate The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked Certification authorities mai...

Page 775: ...s and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 12 This is a format for transferring public key and private key certificates The private key in a PKCS 12 file is within a password encrypted envelope The file s password is not connected to your certificate s public or private passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt t...

Page 776: ...en the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields Figure 517 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields The secure method may very based on your situation Possible examples would be over the telephone or through an HTTPS conn...

Page 777: ...ate or a certification request Edit Double click an entry or select it and click Edit to open a screen with an in depth list of information about the certificate Remove The ZyWALL keeps all of your certificates unless you specifically delete them Uploading a new firmware or default configuration file does not delete your certificates To remove an entry select it and click Remove The ZyWALL confirm...

Page 778: ...uch as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates ...

Page 779: ... ZyWALL USG 300 User s Guide 779 ZyWALL create a self signed certificate enroll a certificate with a certification authority or generate a certification request Figure 519 Configuration Object Certificate My Certificates Add ...

Page 780: ...ich the certificate owner belongs You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore Organization Identify the company or group to which the certificate owner belongs You can use up to 31 char acters You can use alphanumeric characters the hyphen and the underscore Town City Identify the town or city where the certificate owner is located You can use ...

Page 781: ...en you select Create a certification request and enroll for a certificate immediately online Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Publi...

Page 782: ...ou select Create a certification request and enroll for a certificate immediately online the certification authority may want you to include a reference number and key to identify you when you send a certification request Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol Just the Key field displays if your certification authority ...

Page 783: ... Screen Click Configuration Object Certificate My Certificates and then the Edit icon to open the My Certificate Edit screen You can use this screen to view in depth certificate information and change the certificate s name Figure 520 Configuration Object Certificate My Certificates Edit ...

Page 784: ...rtificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority or generate...

Page 785: ...icate into a printable form You can copy and paste a certification request into a certification authority s web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text edi...

Page 786: ...reen You must remove any spaces from the certificate s filename before you can import it Figure 521 Configuration Object Certificate My Certificates Import The following table describes the labels in this screen OK Click OK to save your changes back to the ZyWALL You can only change the name Cancel Click Cancel to quit and return to the My Certificates screen Table 222 Configuration Object Certifi...

Page 787: ...rtificate on the ZyWALL Cancel Click Cancel to quit and return to the My Certificates screen Table 223 Configuration Object Certificate My Certificates Import continued LABEL DESCRIPTION Table 224 Configuration Object Certificate Trusted Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL s PKI storage space that is currently in use When the stora...

Page 788: ...ying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or co...

Page 789: ...ficates ZyWALL USG 300 User s Guide 789 authority s list of revoked certificates before trusting a certificate issued by the certification authority Figure 523 Configuration Object Certificate Trusted Certificates Edit ...

Page 790: ...SCP or LDAP server details OCSP Server Select this check box if the directory server uses OCSP Online Certificate Status Protocol URL Type the protocol IP address and pathname of the OCSP server ID The ZyWALL may need to authenticate itself in order to assess the OCSP server Type the login name up to 31 ASCII characters from the entity maintaining the server usually a certification authority Passw...

Page 791: ...hash algorithm Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expir...

Page 792: ...ate Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses lowercase letters uppercase letters and numerals to convert a binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate int...

Page 793: ...network traffic since the ZyWALL only gets information on the certificates that it needs to verify not a huge list When the ZyWALL requests certificate status information the OCSP server returns a expired current or unknown response Table 226 Configuration Object Certificate Trusted Certificates Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or...

Page 794: ...Chapter 46 Certificates ZyWALL USG 300 User s Guide 794 ...

Page 795: ...Section 13 4 on page 310 for information about PPPoE PPTP interfaces See Section 6 6 on page 112 for related information on these screens 47 1 1 What You Can Do in this Chapter Use the Object ISP Account screens Section 47 2 on page 795 to create and manage ISP accounts in the ZyWALL 47 2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL To access this screen click C...

Page 796: ...to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This ...

Page 797: ...yWALL accepts MSCHAP V2 only Encryption Method This field is available if this ISP account uses the PPTP protocol Use the drop down list box to select the type of Microsoft Point to Point Encryption MPPE Options are nomppe This ISP account does not use MPPE mppe 40 This ISP account uses 40 bit MPPE mppe 128 This ISP account uses 128 bit MMPE User Name Type the user name given to you by your ISP Pa...

Page 798: ...disconnects from the PPPoE PPTP server This value must be an integer between 0 and 360 If this value is zero this timeout is disabled OK Click OK to save your changes back to the ZyWALL If there are no errors the program returns to the ISP Account screen If there are errors a message box explains the error and the program stays in the ISP Account Edit screen Cancel Click Cancel to return to the IS...

Page 799: ...mote users to access an application via standard web browsers Section 48 2 1 on page 802 You can also use the SSL Application Edit screen to specify the name of a folder on a Linux or Windows file server which remote users can access using a standard web browser Section 48 2 2 on page 804 48 1 2 What You Need to Know Application Types You can configure the following types of SSL applications on th...

Page 800: ...ter does not use VNC or RDP client software The ZyWALL works with the following remote desktop connection software RDP Windows Remote Desktop supported in Internet Explorer VNC RealVNC TightVNC UltraVNC For example user A uses an SSL VPN connection to log into the ZyWALL Then he manages LAN computer B which has RealVNC server software installed Figure 527 SSL protected Remote Management Weblinks Y...

Page 801: ...info Select Web Page Encryption to prevent users from saving the web content Click Apply to save the settings The configuration screen should look similar to the following figure Figure 528 Example SSL Application Specifying a Web Site for Access 48 2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects Click Configuration Object SSL ...

Page 802: ...LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object Reference s Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 ...

Page 803: ...terface using supported web browsers The ZyWALL supports one OWA object Select VNC to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed Select RDP to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed Select Weblink to create a link to a web site that you expect the SSL VPN us...

Page 804: ... displays if the Server Type is set to RDP or VNC Specify the IP address or Fully Qualified Domain Name FQDN of the computer s that you want to allow the remote users to manage Starting Port Ending Port This field displays if the Server Type is set to RDP or VNC Specify the listening ports of the LAN computer s running remote desktop server software The ZyWALL uses a port number from this range to...

Page 805: ...nter a descriptive name to identify this object You can enter up to 31 characters 0 9 a z A Z and _ Spaces are not allowed Shared Path Specify the IP address domain name or NetBIOS name computer name of the file server and the name of the share to which you want to allow user access Enter the path in one of the following formats IP address share name domain name share name computer name share name...

Page 806: ...Chapter 48 SSL Application ZyWALL USG 300 User s Guide 806 ...

Page 807: ...dpoint security objects to use with the authentication policy and SSL VPN features For example an authentication policy could use an endpoint security object that requires a LAN user s computer to pass all of the object s checking items in order to access the network LAN user A passes all of the checks and is given access An SSL VPN tunnel could use a different endpoint security profile that only ...

Page 808: ...he endpoint must execute Processes that the endpoint cannot execute The size and version of specific files Multiple Endpoint Security Objects You can configure an authentication policy or SSL VPN policy to use multiple endpoint security objects This allows checking of computers with different OSs or security settings When a client attempts to log in the ZyWALL checks the client s computer against ...

Page 809: ...y s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the object See Section 13 3 2 on page 309 for an example Object Name This field displays the descriptive name that identifies this object Description If the entry has ...

Page 810: ...icon to open the Endpoint Security Edit screen Use this screen to configure an endpoint security object Figure 534 Configuration Object Endpoint Security Add Apply Click this button to save your changes to the ZyWALL Reset Click this button to return the screen to its last saved settings Table 232 Configuration Object Endpoint Security continued LABEL DESCRIPTION ...

Page 811: ...Chapter 49 Endpoint Security ZyWALL USG 300 User s Guide 811 ...

Page 812: ...cted Windows as the operating system you can enter the minimum Windows service pack number the user s computer must have installed The user s computer must have this service pack or higher For example 2 means service pack 2 Leave the field blank to have the ZyWALL ignore the Windows service pack number Passing Criterion Select whether the user s computer has to match just one of the endpoint secur...

Page 813: ...lick Remove to delete it or them The user s computer must pass all of the listed Windows registry value checks to pass this checking item Checking Item Required Processes If you selected Windows or Linux as the operating system you can use this section to list applications that a user s computer must be running Use the Processes Endpoints Must Have Running table to list processes that the user s c...

Page 814: ...be equal to greater than less than greater than or equal to less than or equal to or not equal to the size or version of the file listed in the entry Click Add to create a new entry Select one or more entries and click Remove to delete it or them The user s computer must pass one of the listed file information checks to pass this checking item OK Click OK to save your changes back to the ZyWALL Ca...

Page 815: ...omain name to its corresponding IP address and vice versa Use the System WWW screens see Section 50 7 on page 830 to configure settings for HTTP or HTTPS access to the ZyWALL and how the login and access user screens look Use the System SSH screen see Section 50 8 on page 847 to configure SSH Secure SHell used to securely access the ZyWALL s command line interface You can specify which zones allow...

Page 816: ...ge 862 to allow your ZyWALL to be managed by the Vantage CNM server Use the System Language screen see Section 50 14 on page 865 to set a language for the ZyWALL s Web Configurator screens Note See each section for related background information and term definitions 50 2 Host Name A host name is the unique name by which a device is known on a network Click Configuration System Host Name to open th...

Page 817: ... Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 234 Configuration System Host Name continued LABEL DESCRIPTION Table 235 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Turn USB storage on or off You need to enable USB storage both here and for a specific feature such as system logs or diagnostic...

Page 818: ...time based on your local time zone and date click Configuration System Date Time The screen displays as shown You can manually set the ZyWALL s time and date or have the ZyWALL get the date and time from a time server Figure 537 Configuration System Date and Time The following table describes the labels in this screen Table 236 Configuration System Date and Time LABEL DESCRIPTION Current Time and ...

Page 819: ...ck this button to have the ZyWALL get the time and date from a time server see the Time Server Address field This also saves your changes except the daylight saving settings Time Zone Setup Time Zone Choose the time zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Enable Daylight Saving Daylight saving is a period from late spring to early ...

Page 820: ...ng Time ends in the United States on the first Sunday of November Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So in the United States you would select First Sunday November and type 2 in the at field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight Saving Time a...

Page 821: ...nfiguring the Date Time screen To manually set the ZyWALL date and time 1 Click System Date Time 2 Select Manual under Time and Date Setup 3 Enter the ZyWALL s time in the New Time field 4 Enter the ZyWALL s date in the New Date field 5 Under Time Zone Setup select your Time Zone from the list 6 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for dayligh...

Page 822: ... Overview DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it Table 238 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the console port Your ZyWALL suppor...

Page 823: ...WAN IP address set the DNS server fields to get the DNS server address from the ISP You can manually enter the IP addresses of other DNS servers 50 6 2 Configuring the DNS Screen Click Configuration System DNS to change your ZyWALL s DNS settings Use the DNS screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN DDNS and the time server You c...

Page 824: ...e forwarder entries in the order that they appear in this list Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subse...

Page 825: ...lect an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbe...

Page 826: ...n The ZyWALL allows you to configure address records about the ZyWALL itself or another device This way you can keep a record of DNS names and addresses that people on your network may use frequently If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record the ZyWALL can send the IP address in a DNS response without having to query a DNS name server 50 6 4 PTR Reco...

Page 827: ...orwarder record Figure 542 Configuration System DNS Domain Zone Forwarder Add Table 240 Configuration System DNS Address PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully Qualified Domain Name FQDN of a server An FQDN starts with a host name and continues all the way up to the top level domain name For example www zyxel com tw is a fully qualified domain name where www is the host zyxel is the t...

Page 828: ...fied DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP address es that the ISP assigns N A displays for any DNS server IP address ...

Page 829: ...ice Control table to add a service control rule Figure 544 Configuration System DNS Service Control Rule Add Table 242 Configuration System DNS MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for IP Address FQDN Enter the IP address or Fully Qualified Domain Name FQDN of a mail server that handles the mail for the domain specified in the field above OK ...

Page 830: ...uration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL Zone...

Page 831: ...re is a lease timeout for administrators The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling Each user is also forced to log in the ZyWALL for authentication again when the reauthentication time expires You can change the timeout settings in the User Group scree...

Page 832: ...ificates is optional and if selected means the HTTPS client must send the ZyWALL a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL Please refer to the following figure 1 HTTPS connection requests from an SSL aware web browser go to port 443 by default on the ZyWALL s web server 2 HTTP connection requests from a web browser go to port 80 by ...

Page 833: ...PN for example Figure 547 Configuration System WWW Service Control The following table describes the labels in this screen Table 244 Configuration System WWW Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the ZyWALL Web Configurator using secure HTTPs con...

Page 834: ...HTTPS to log into the ZyWALL to log into SSL VPN for example You can also specify the IP addresses from which the users can access the ZyWALL Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click R...

Page 835: ...emove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control ru...

Page 836: ...Table 245 Configuration System Service Control Rule Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access...

Page 837: ... 837 also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet See Chapter 40 on page 723 for more on access user accounts Figure 549 Configuration System WWW Login Page ...

Page 838: ...he login and access pages Figure 550 Login Page Customization Figure 551 Access Page Customization You can specify colors in one of the following ways Logo Title Message Note Message Background last line of text color of all text Logo Title Message Note Message Window last line of text color of all text Background ...

Page 839: ...nd file name of the logo graphic or click Browse to locate it Note Use a GIF JPG or PNG of 100 kilobytes or less Click Upload to transfer the specified graphic file from your computer to the ZyWALL Customized Login Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Title...

Page 840: ...een in Internet Explorer Select Yes to proceed to the Web Configurator login screen if you select No then Web Configurator access is blocked Figure 552 Security Alert Dialog Box Internet Explorer Note Message Enter a note to display below the title Use up to 64 printable ASCII characters Spaces are allowed Window Background Set how the window s background looks To use a graphic select Picture and ...

Page 841: ...tificate is from the ZyWALL If Accept this certificate temporarily for this session is selected then click OK to continue in Netscape Select Accept this certificate permanently to import the ZyWALL s certificate into the SSL client Figure 553 Security Certificate 1 Netscape Figure 554 Security Certificate 2 Netscape 50 7 7 3 Avoiding Browser Warning Messages Here are the main reasons your browser ...

Page 842: ...es issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certificate Refer to Appendix D on page 1025 for details 50 7 7 4 Login Screen After you accept the certificate the ZyWALL login screen appears The lock displayed in the bottom of the browser status bar denotes a secure connection Figure 555 Login Screen Internet Explorer 50 ...

Page 843: ...d CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 50 7 7 5 1 Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next Figure 557 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier ...

Page 844: ...Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard Figure 558 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 559 Personal Certificate ...

Page 845: ... you by the CA Figure 560 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 561 Personal Certificate Import Wizard 4 ...

Page 846: ...u should see the following screen when the certificate is correctly installed on your computer Figure 563 Personal Certificate Import Wizard 6 50 7 7 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 564 Access the ZyWALL Via HTTPS ...

Page 847: ...yWALL This screen displays even if you only have a single certificate as in the example Figure 565 SSL Client Authentication 3 You next see the Web Configurator login screen Figure 566 Secure Web Configurator Login Screen 50 8 SSH You can use SSH Secure SHell to securely access the ZyWALL s command line interface Specify which zones allow SSH access and from which IP address the access can come ...

Page 848: ...N Example 50 8 1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1 Figure 568 How SSH v1 Works Example 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and s...

Page 849: ...50 8 2 SSH Implementation on the ZyWALL Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Archfour and Blowfish The SSH server is implemented on the ZyWALL for management using port 22 by default 50 8 3 Requirements for Using SSH You must install an SSH client program on a client computer Windows or Linux operating system that is used to connec...

Page 850: ... needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 46 on page 773 for details Service Control This specif...

Page 851: ...e the host key in you computer Click Yes to continue Figure 570 SSH Example 1 Store Host Key Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This the index number of the service control rule Zone This is the zone on the ZyWALL the u...

Page 852: ...L using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a message displays prompting you to save the host information of the ZyWALL Type yes and press ENTER Then enter the password to log in to the ZyWALL Figure 572 SSH Example 2 Log in 3 The CLI screen displays next 50 9 Telnet You can use Telnet to access the ZyWALL s command line interface Specify which zones ...

Page 853: ...rt number for a service if needed however you must use the same port number in order to use that service for remote management Service Control This specifies from which computers you can access which ZyWALL zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 245 on page 836 for details on the screen that opens Edit ...

Page 854: ...n configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of the IP address es with which the...

Page 855: ... if needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for FTP connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 46 on page 773 for details Service Control This spe...

Page 856: ...h a hyphen instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is th...

Page 857: ...work management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that define each piece of information to be collected about a device Examples of variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager a...

Page 858: ...al throughput The focus of the MIBs is to let administrators collect statistical data and monitor status and performance You can download the ZyWALL s MIBs from www zyxel com 50 11 2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs 50 11 3 Configuring SNMP To change your ZyWALL s SNMP settings click Configuration System SNMP tab The screen appea...

Page 859: ...mber for a service if needed however you must use the same port number in order to use that service for remote management Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is public and allows all requests Set Community Enter the Set community which is the password for incoming Set requests from the managem...

Page 860: ...select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This the index number of the ...

Page 861: ...t connections Figure 577 Configuration System Dial in Mgmt The following table describes the labels in this screen Table 252 Configuration System Dial in Mgmt LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields Dial in Server Properties Click Advanced to display more configuration fields and edit the details ...

Page 862: ...notifying the Vantage CNM administrator Port Speed Use the drop down list box to select the speed of the connection between the ZyWALL s auxiliary port and the external modem Available speeds are 9600 19200 38400 57600 or 115200 bps Initial String Type the AT command string that the ZyWALL returns to the external serial modem connected to the ZyWALL s auxiliary port during connection initializatio...

Page 863: ...ntage CNM Click Advanced to display more configuration fields or click Basic to display fewer fields Enable Select this check box to allow Vantage CNM to manage your ZyWALL Server IP Address FQDN Enter the IP address or fully qualified domain name of the Vantage server If the Vantage CNM server is on a different subnet to the ZyWALL and is behind a NAT router enter the WAN IP address of the NAT ro...

Page 864: ...ustom in the Device Management IP field Keepalive Interval Set how often the ZyWALL sends a keep alive packet to the Vantage CNM server if there is no other traffic The keep alive packets maintain the Vantage CNM server s control session Periodic Inform Interval Select this option to have the ZyWALL periodically send Inform messages to the Vantage CNM server HTTPS Authentication When you are using...

Page 865: ...onfiguration System Language The following table describes the labels in this screen Table 254 Configuration System Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL s Web Configurator screens You also need to open a new browsersession to display the screens in the new language Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return ...

Page 866: ...Chapter 50 System ZyWALL USG 300 User s Guide 866 ...

Page 867: ...re and how to send daily reports and what reports to send Use the Maintenance Log Setting screens Section 51 3 on page 869 to specify settings for recording log messages e mailing them and sending them to a remote server 51 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your ZyWALL Note Data collecti...

Page 868: ... 300 User s Guide 868 Click Configuration Log Report Email Daily Report to display the following screen Configure this screen to have the ZyWALL e mail you system statistics every day Figure 580 Configuration Log Report Email Daily Report ...

Page 869: ...WALL s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address or addresses to which the outgoing e mail is delivered SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you sel...

Page 870: ...ngs tab controls which events generate alerts and where alerts are e mailed The Log Settings Summary screen provides a summary of all the settings You can use the Log Settings Edit screen to maintain the detailed settings such as log categories e mail addresses server names etc for any log Alternatively if you want to edit what events is included in each log you can also use the Active Log Summary...

Page 871: ...ivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific log Name This field displays the type of log setting entry system log logs stored on a USB storage device connected to the ZyWALL or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log on the View Log...

Page 872: ...Chapter 51 Log and Report ZyWALL USG 300 User s Guide 872 Figure 582 Configuration Log Report Log Setting Edit System Log ...

Page 873: ...Chapter 51 Log and Report ZyWALL USG 300 User s Guide 873 ...

Page 874: ... day of the week the log is e mailed Time for Sending Log This field is available if the log is e mailed weekly or daily Select the time of day hours and minutes when the log is e mailed Use 24 hour notation SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication chec...

Page 875: ...ory fields in the View Log tab The Default category includes debugging messages generated by open source software System log Select which events you want to log by Log Category There are three choices disable all logs red X do not log any information from this category enable normal logs green check mark create log messages and alerts from this category enable normal logs and debug logs yellow che...

Page 876: ...hen multiple log messages were aggregated Log Consolidation Interval Type how often in seconds to consolidate log information If the same log message appears multiple times it is aggregated into one log message with the text count x where x is the number of original log messages appended at the end of the Message field OK Click this to save your changes and return to the previous screen Cancel Cli...

Page 877: ...3 3 Edit Log on USB Storage Setting The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device Go to the Log Setting Summary screen see Section 51 3 1 on page 870 and click the USB storage Edit icon ...

Page 878: ...Chapter 51 Log and Report ZyWALL USG 300 User s Guide 878 Figure 583 Configuration Log Report Log Setting Edit USB Storage s ...

Page 879: ... screen Table 258 Configuration Log Report Log Setting Edit USB Storage LABEL DESCRIPTION Duplicate logs to USB storage if ready Select this to have the ZyWALL save a copy of its system logs to a connected USB storage device Use the Active Log section to specify what kinds of messages to include Active Log ...

Page 880: ...Log Category This field displays each category of messages The Default category includes debugging messages generated by open source software Selection Select what information you want to log from each Log Category except All Logs see below Choices are disable all logs red X do not log any information from this category enable normal logs green check mark log regular information and alerts from th...

Page 881: ...Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server syslog Go to the Log Settings Summary screen see Section 51 3 1 on page 870 and click a remote server Edit icon Figure 584 Configuration Log Report Log Setting Edit Remote Server ...

Page 882: ...or all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is...

Page 883: ...where and how often log information is e mailed or remote server names To access this screen go to the Log Settings Summary screen see Section 51 3 1 on page 870 and click the Active Log Summary button Figure 585 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 51 3 2 on page 871 whe...

Page 884: ...on for any category to a connected USB storage device enable normal logs green check mark create log messages and alerts for all categories and save them to a connected USB storage device enable normal logs and debug logs yellow check mark create log messages alerts and debugging information for all categories and save them to a connected USB storage device E mail Server 1 Use the E Mail Server 1 ...

Page 885: ... the ZyWALL does not e mail debugging information however even if this setting is selected E mail Server 1 E mail Select whether each category of events should be included in the log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The ZyWALL does not e mail debugging information even if it is recorded in the ...

Page 886: ...Chapter 51 Log and Report ZyWALL USG 300 User s Guide 886 ...

Page 887: ...the Configuration File screen see Section 52 2 on page 890 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL Use the Firmware Package screen see Section 52 3 on page 894 to check your current firmware version and upload firmware to the ZyWALL Use the Shell Script screen se...

Page 888: ...Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure ge3 interface ge3 ip address 172 23 37 240 255 255 255 0 ip gateway 172 23 37 254 metric 1 exit create address objects for remote management to ZyWALL firewall rules use the address group in case we want to open up remote managemen...

Page 889: ...onfiguration file or run a shell script the ZyWALL processes the file line by line The ZyWALL checks the first line and applies the line if no errors are detected Then it continues with the next line If the ZyWALL finds an error it stops applying the configuration file or shell script and generates a log You can change the way a configuration file or shell script is applied Include setenv stop on ...

Page 890: ... and back on the ZyWALL uses the system default conf configuration file with the ZyWALL s default settings If there is a startup config conf the ZyWALL checks it for errors and applies it If there are no errors the ZyWALL uses it and copies it to the lastgood conf configuration file as a back up file If there is an error the ZyWALL generates a log and copies the startup config conf configuration f...

Page 891: ...ance File Manager Configuration File Rename Specify the new name for the configuration file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the ZyWALL You can only delete manually saved configur...

Page 892: ...Copy to open the Copy File screen Figure 589 Maintenance File Manager Configuration File Copy Specify a name for the duplicate configuration file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Table 262 Maintenance File Manager Configuration File continued LABEL DESCRIPTION ...

Page 893: ...his gets the ZyWALL started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the ZyWALL apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish applyi...

Page 894: ...t recently used valid configuration file that was saved when the device last restarted If you upload and apply a configuration file with an error you can apply lastgood conf to return to a valid configuration Size This column displays the size in KB of a configuration file Last Modified This column displays the date and time that the individual configuration files were last changed or saved Upload...

Page 895: ...not be decompressed option while you download the firmware package See Section 33 2 1 on page 585 for more on the anti virus Destroy compressed files that could not be decompressed option The firmware update can take up to five minutes Do not turn off or reset the ZyWALL while the firmware update is in progress Figure 591 Maintenance File Manager Firmware Package The following table describes the ...

Page 896: ... After five minutes log in again and check your new firmware version in the HOME screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Figure 594 Firmware Upload Error 52 4 The Shell Script Screen Use shell script files to have the ZyWALL use commands that you specify Use a text editor to create the shell script files They must use a zy...

Page 897: ...k a shell script s row to select it and click Rename to open the Rename File screen Figure 596 Maintenance File Manager Shell Script Rename Specify the new name for the shell script file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Remove Click a shell script file s row to selec...

Page 898: ...ed to wait awhile for the ZyWALL to finish applying the commands This column displays the number for each shell script file entry File Name This column displays the label that identifies a shell script file Size This column displays the size in KB of a shell script file Last Modified This column displays the date and time that the individual shell script files were last changed or saved Upload She...

Page 899: ...hrough the ZyWALL Use the Maintenance Diagnostics Core Dump screens see Section 53 4 on page 906 to have the ZyWALL save a process s core dump to an attached USB storage device if the process terminates abnormally crashes so you can send the file to customer support for troubleshooting Use the Maintenance Diagnostics System Log screens see Section 53 5 on page 907 to download files of system logs ...

Page 900: ...bleshooting Figure 599 Maintenance Diagnostics Files Table 265 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagnostic file Copy the diagnostic file to USB storage i...

Page 901: ...N Remove Select files and click Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the ava...

Page 902: ...row button to move them to the Capture Interfaces list Use the Shift and or Ctrl key to select multiple objects IP Type Select the protocol of traffic for which to capture packets Select any to capture packets for all types of traffic Host IP Select a host IP address object for which to capture packets Select any to capture packets for all hosts Select User Defined to be able to enter an IP addres...

Page 903: ... The valid range is 1 to 10000 The ZyWALL stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires Split threshold Specify a maximum size limit in megabytes for individual packet capture files After a packet capture file reaches this size the ZyWALL starts another packet capture file Duration Set a time limit...

Page 904: ...LL s throughput or performance may be affected while a packet capture is in progress After the ZyWALL finishes the capture it saves a separate capture file for each selected interface The total number of packet capture files that you can save depends on the file sizes and the available flash storage space Once the flash storage space is full adding more packet captures will fail Stop Click this bu...

Page 905: ...s set to 1500 bytes Figure 602 Packet Capture File Example This column displays the number for each packet capture file entry The total number of packet capture files that you can save depends on the file sizes and the available flash storage space File Name This column displays the label that identifies the file The file name format is interface name file suffix cap Size This column displays the ...

Page 906: ... following table describes the labels in this screen 53 4 1 Core Dump Files Screen Click Maintenance Diagnostics Core Dump Files to open the core dump files screen This screen lists the core dump files stored on the ZyWALL or a Table 269 Maintenance Diagnostics Core Dump LABEL DESCRIPTION Save core dump to USB storage if ready Select this to have the ZyWALL save a process s core dump to an attache...

Page 907: ...es LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet capture files that y...

Page 908: ...k Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the available storage space File Name...

Page 909: ...iew the overall source IP address conversion SNAT flow and each SNAT function s settings 54 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Routing Flow section the related routes activated will display in the Routing Table section To access this screen click Maintenance Pack...

Page 910: ...responding action and does not perform any further flow checking Figure 606 Maintenance Packet Flow Explore Routing Status Direct Route Figure 607 Maintenance Packet Flow Explore Routing Status Policy Route Figure 608 Maintenance Packet Flow Explore Routing Status 1 1 SNAT Figure 609 Maintenance Packet Flow Explore Routing Status SitetoSite VPN ...

Page 911: ...ntenance Packet Flow Explore Routing Status Dynamic VPN Figure 611 Maintenance Packet Flow Explore Routing Status Static Dynamic Route Figure 612 Maintenance Packet Flow Explore Routing Status Default WAN Trunk Figure 613 Maintenance Packet Flow Explore Routing Status Main Route ...

Page 912: ...ctivated S this is a static route C this is a direct connected route O this is a dynamic route learned through OSPF R this is a dynamic route learned through RIP G the route is to a gateway router in the same network this is a route which forces a route lookup to fail B this is a route which discards packets L this is a recursive route Persist This is the remaining time of a dynamically learned ro...

Page 913: ...e This is the original source IP address es any means any IP address Destination This is the original destination IP address es any means any IP address Outgoing This is the name of an interface which transmits packets out of the ZyWALL Gateway This is the IP address of the gateway in the same network of the outgoing interface The following fields are available if you click SiteToSite VPN or Dynam...

Page 914: ...s the criteria of an SNAT rule the ZyWALL takes the corresponding action and does not perform any further flow checking Figure 614 Maintenance Packet Flow Explore SNAT Status Policy Route SNAT Figure 615 Maintenance Packet Flow Explore SNAT Status 1 1 SNAT Figure 616 Maintenance Packet Flow Explore SNAT Status Loopback SNAT Figure 617 Maintenance Packet Flow Explore SNAT Status Default SNAT ...

Page 915: ...iginal destination IP address es Outgoing This is the outgoing interface that the SNAT rule uses to transmit packets SNAT This is the source IP address es that the SNAT rule uses finally The following fields are available if you click Loopback SNAT in the SNAT Flow section This field is a sequential value and it is not associated with any entry NAT Rule This is the name of an activated NAT rule wh...

Page 916: ...Chapter 54 Packet Flow Explore ZyWALL USG 300 User s Guide 916 ...

Page 917: ...command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 57 1 on page 939 reset returns the device to its default configuration 55 2 The Reboot Screen The Reboot screen is part of the Web configurator so that remote users can restart the device To access this screen click Maintenance Reboot Figure 618 Maintenance Re...

Page 918: ...Chapter 55 Reboot ZyWALL USG 300 User s Guide 918 ...

Page 919: ...ZyWALL or remove the power Not doing so can cause the firmware to become corrupt 56 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 56 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 619 Maintenance Shutdown Click the Shutdown button to shut down the ZyWALL Wait for the device to shut down before you manual...

Page 920: ...Chapter 56 Shutdown ZyWALL USG 300 User s Guide 920 ...

Page 921: ...d contact your local vendor Cannot access the ZyWALL from the LAN Check the cable connection between the ZyWALL and your computer or switch Ping the ZyWALL from a LAN computer Make sure your computer s Ethernet card is installed and functioning properly Also make sure that its IP address is in the same subnet as the ZyWALL s In the computer click Start All Programs Accessories and then Command Pro...

Page 922: ...more noticeable with a large browser window You can try shrinking the browser window if this is an issue I cannot access the Internet Check the ZyWALL s connection to the Ethernet jack with Internet access Make sure the Internet gateway device such as a DSL modem is working properly Check the WAN interface s status in the Dashboard Use the installation setup wizard again and make sure that you ent...

Page 923: ...em for certain interfaces Many security settings are usually applied to zones Make sure you assign the interfaces to the appropriate zones When you create an interface there is no security applied on it until you assign it to a zone The ZyWALL is not applying the custom policy route I configured The ZyWALL checks the policy routes in the order that they are listed So make sure that your custom pol...

Page 924: ...ace You cannot set up a PPP interface virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it My rules and settings that apply to a particular interface no longer work The interface s IP address may ha...

Page 925: ...nded that you use a more effective security mechanism Use the strongest security mechanism that all the wireless devices in your network support WPA2 or WPA2 PSK is recommended The wireless security is not following the re authentication timer setting I specified If a RADIUS server authenticates wireless stations the re authentication timer on the RADIUS server has priority Change the RADIUS serve...

Page 926: ...s not affect the functionality you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list The ZyWALL s anti virus scanner cleaned an infected file but now I cannot use the file The scanning engine checks the contents of the packets for virus If a virus pattern is matched the ZyWALL removes the infected portion of the file along with the rest of the f...

Page 927: ...tion should be taken The ZyWALL checks all signatures and continues searching even after a match is found If two or more rules have conflicting actions for the same packet then the ZyWALL applies the more restrictive action reject both reject receiver or reject sender drop none in this order If a packet matches a rule for reject receiver and it also matches a rule for reject sender then the ZyWALL...

Page 928: ...g and SNAT behavior for an interface with the Interface Type set to Internal or External The ZyWALL is not applying a policy route s port triggering settings You also need to create a firewall rule to allow an incoming service I cannot get Dynamic DNS to work You must have a public WAN IP address to use Dynamic DNS Make sure you recorded your DDNS account s user name password and domain name and h...

Page 929: ...ZyWALL s firewall to permit the use of asymmetrical route topology on the network so it does not reset the connection although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets See Asymmetrical Ro...

Page 930: ...ces from the network before testing your new VPN connection The old route may have been learnt by RIP and would take priority over the new VPN connection To test whether or not a tunnel is working ping from a computer at one site to a computer at the other Before doing so ensure that both computers have Internet access via the IPSec routers It is also helpful to have a way to look at the packets t...

Page 931: ...gured L2TP correctly on the remote user computers See Section 8 5 on page 189 for examples Make sure you configured an appropriate policy route on the ZyWALL Make sure there is not a firewall between the ZyWALL and the remote users If it is possible that the remote user s public IP address could be in the same subnet as the specified My Address click Configure Network Routing Policy Route Show Adv...

Page 932: ...ckground is recommended I logged into the SSL VPN but cannot see some of the resource links Available resource links vary depending on the SSL application object s configuration I logged into the SSL VPN but cannot perform some actions in the File Sharing screen The actions that you can perform in the File Sharing screen vary depending on the rights granted to you in the SSL application object s c...

Page 933: ...s for your LAN that are not based on the interface I configured application patrol to allow and manage access to a specific service but access is blocked If you want to use a service make sure both the firewall and application patrol allow the service s packets to go through the ZyWALL The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL I...

Page 934: ...iple ZyWALL virtual routers on your network use a different cluster ID to identify each virtual router There can only be one master ZyWALL in each virtual router same cluster ID A broadcast storm results when I turn on Device HA Do not connect the bridge interfaces on two ZyWALLs without device HA activated on both Either activate device HA before connecting the bridge interfaces or disable the br...

Page 935: ...o work Only ZyWALLs of the same model and firmware version can synchronize Device HA synchronization is not working for subscription services Subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL Synchronization includes updates for services to which the master and backup ZyWALLs are both subscribed For example a backup subscribed to IDP AppPatrol but not anti v...

Page 936: ... is not included The ZyWALL currently allows the importation of a PKS 7 file that contains a single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses lowercase letters uppercase letters and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 12 This is a format for transferring public key and private key certificates The private key in ...

Page 937: ... When a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first The commands in my configuration file or shell script are not working properly In a configuration file or shell script use or as the first character of a command line to have the ZyWALL treat the line as a comment Your configurati...

Page 938: ... any new capture files you generate If you have existing capture files you may need to set this size larger or delete existing capture files The ZyWALL stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires My earlier packet capture files are missing New capture files overwrite existing files of ...

Page 939: ...If you cannot access the ZyWALL by any method try restarting it by turning the power off and then on again If you still cannot access the ZyWALL by any method or you forget the administrator password s you can reset the ZyWALL to its factory default settings Any configuration files or shell scripts that you saved on the ZyWALL should still be available afterwards Use the following procedure to res...

Page 940: ...and not blinking 2 Press the RESET button and hold it until the SYS LED begins to blink This usually takes about five seconds 3 Release the RESET button and wait for the ZyWALL to restart You should be able to access the ZyWALL using the default settings 57 2 Getting More Troubleshooting Help Search for support information for your model at www zyxel com for more troubleshooting suggestions ...

Page 941: ...MAC addresses 7 Ethernet Interfaces Number of Ethernet interfaces 7 All Ethernet interfaces are Gigabit Ethernet full duplex RJ 45 connectors auto negotiation auto MDI MDIX auto crossover Management interface RS 232 DB9F connector AUX port RS 232 DB9M connector USB Slots 2 2 0 plug and play Compatible USB Cards 3G See www zyxel com for the supported 3G cards Extension Card Slot Slot for optional h...

Page 942: ...l alias 4 per interface 4 per interface 4 per interface PPP system default NA NA 7 PPP user created 8 8 8 Bridge 8 8 8 ROUTING Static Routes 128 128 128 Policy Routes 1 000 1 000 1 000 Sessions 60 000 60 000 60 000 ARP Table Size 1024 1024 1024 MAC Table Size For Bridge Mode only 8K 8K 8K NAT NAT Entries Port Forwarding up to 1 024 up to 1 024 up to 1 024 Trigger Port Rules up to 8 per PR rule up ...

Page 943: ...rvice Groups 200 200 200 Maximum service object in one group 128 128 128 Schedule Objects 128 128 128 ISP Accounts 16 16 32 Maximum Number of LDAP Groups 8 8 8 Maximum Number of LDAP Servers for Each LDAP Group 2 2 2 Maximum Number of RADIUS Groups 8 8 8 Maximum Number of RADIUSServers for Each RADIUS Group 2 2 2 Maximum AD server for each AD group 4 4 4 Maximum AD group number 16 16 16 Maximum Nu...

Page 944: ...ntries 1024 1024 1024 Admin E mail Addresses 2 2 2 Syslog Servers 4 4 4 IDP Maximum Number of IDP Profiles 8 8 8 Custom Signatures 128 128 128 Maximum Number of IDP Rules 32 32 32 CONTENT FILTER Maximum Number of Content Filter Policies 16 16 16 Maximum Number of Content Filter Profiles 16 16 16 Maximum Number of Forbidden Domain Entries 128 per profile 128 per profile 128 per profile Maximum Numb...

Page 945: ... or 1 RAR PPM 50 ZIP files 8 RAR LZSS or 1 RAR PPM 50 ZIP files 8 RAR LZSS or 1 RAR PPM Maximum Number of Anti Virus Rules 32 32 32 Maxi mum Number of Anti Virus White List Entries 256 256 256 Maximum Number of Anti Virus Black List Entries 256 256 256 Maximum Number of Anti Virus Statistics 500 500 500 Maximum Anti Virus Statistics Ranking 10 10 10 SSL VPN Maximum SSL VPN Connections 2 without a ...

Page 946: ...12 1750 1876 1982 1995 1996 2136 2163 2181 2230 2308 2535 2536 2537 2538 2539 2671 2672 2673 2782 3007 3090 Built in service DHCP server RFCs 1542 2131 2132 2485 2489 Built in service HTTP server RFCs 1945 2616 2965 2732 2295 Built in service SNMP agent RFCs 1067 1213 2576 2578 2579 2580 2741 2667 2981 3371 Login LDAP support RFCs 2251 2252 2253 2254 2255 2256 2589 2829 2830 Used by Apache RFCs 24...

Page 947: ... Product Specifications ZyWALL USG 300 User s Guide 947 58 1 3G PCMCIA Card Installation Only insert a compatible 3G card Slide the connector end of the card into the slot Note Do not force bend or twist the card ...

Page 948: ...Chapter 58 Product Specifications ZyWALL USG 300 User s Guide 948 ...

Page 949: ...ort to 80 The content filtering checking for unsafe web sites has been changed to use port 80 due to a configuration change Content filter has been changed zsb port to 23 The content filtering checking for unsafe web sites has been changed to use port 23 due to a configuration change Table 279 Forward Web Site Logs LOG MESSAGE DESCRIPTION s Trusted Web site The device allowed access to a web site ...

Page 950: ...lid service license 4 Rating service is restarting 5 Can t connect to rating server 6 Query failed 7 Query timeout 8 Too many queries 9 Unknown reason s website host s s cache hit The web site s category exists in the device s local cache and access was blocked according to a content filter profile 1st s website host 2nd s website category s Not in trusted web list The web site is not a trusted ho...

Page 951: ...policy with the specified index number d has been added to the end of the list Anti Spam policy d has been deleted The anti spam policy with the specified index number d has been removed Anti Spam policy d has been moved to d The anti spam policy with the specified index number first d was moved to the specified index number second d White List checking has been activated The anti spam white list ...

Page 952: ...een added DNSBL domain s has been modified to s The specified DNSBL domain name first s has been changed to the second s DNSBL domain s has been deleted The specified DNSBL domain name s has been removed DNSBL domain s has been activated The specified DNSBL domain name s has been turned on DNSBL domain s has been deactivated The specified DNSBL domain name s has been turned off Match White List d ...

Page 953: ...e IP address given to the SSL user The s address object is invalid IP in SSL Policy s The listed address object first s is not an allowed IP for the listed SSL policy second s The s address object does not has assignable IP in SSL Policy s There are no more assignable IP addresses in the listed address object first s The address object is used by the listed SSL policy second s The s address object...

Page 954: ...n SSL VPN policy s So s will not be injected to client side The IP pool is in the same subnet as the specified address object first s in the listed SSL VPN policy second s so the listed address third s will not be given to an SSL VPN client The s is same subnet with IP pool in SSL VPN policy s So s will not be injected to client side The specified address object first s is in the same subnet as th...

Page 955: ... logged out SSLVPN idle timeout The specified user was signed out by the device due to an idle timeout The first s is the type of user account The second s is the user s user name The third s is the name of the service the user is using HTTP or HTTPS Failed login attempt to SSLVPN from s login on a lockout address An SSL VPN login attempt from the listed user s was blocked due to too many failed l...

Page 956: ...ecause the user name does not exist User s has been denied from L2TP service Disallowed User A user with the specified user name s was denied access to the L2TP over IPSec service because the user name is not specified in the L2TP over IPSec configuration User s has been denied from L2TP service Incorrect Password A user with the specified user name s was denied access to the L2TP over IPSec servi...

Page 957: ...roup name cannot create too many groups d 1st max group num s cannot find entry s 1st zysh group name 2st zysh entry name s cannot remove entry s 1st zysh group name 2st zysh entry name List OPS can t alloc entry s 1st zysh entry name can t retrieve entry s 1st zysh entry name can t get entry s 1st zysh entry name can t print entry s 1st zysh entry name s cannot retrieve entries from list 1st zysh...

Page 958: ...zysh table name Unable to move entry d 1st zysh entry num s invalid index 1st zysh table name Unable to delete entry d 1st zysh entry num Unable to change entry d 1st zysh entry num s cannot retrieve entries from table 1st zysh table name s invalid old new index 1st zysh table name Unable to move entry d 1st zysh entry num s apply failed at initial stage 1st zysh table name s apply failed at main ...

Page 959: ...er first num was moved to the specified index number second num New ADP rule has been appended An ADP rule has been added to the end of the list ADP rule num has been inserted An ADP rule has been inserted num is the number of the new rule ADP rule num has been modified The ADP rule of the specified number has been changed ADP profile name has been deleted The ADP rule with the specified name has ...

Page 960: ... compressed file because there were too many compressed files at the same time 1st s The protocol of the packet 2nd s The filename of the related file s due to more than one layer compressed file s could not be decompressed The ZyWALL could not decompress a compressed file because it contained other compressed files 1st s The protocol of the packet 2nd s The filename of the related file s due to p...

Page 961: ...was too large AV signature update has failed An anti virus signatures update failed for unknown reasons Anti Virus signatures missing refer to your user documentation to recover the default database file When the ZyWALL started it could not find the anti virus signature file See the CLI reference guide for how to restore the default system database Update signature version has failed An attempt to...

Page 962: ...file pattern was deleted from the white or black list 1st s The file pattern 2nd s The white list or black list File pattern s has been added in s An anti virus file pattern was added to the white or black list 1st s The file pattern 2nd s The white list or black list s has been s An anti virus file pattern white list or black list was turned on or off 1st s The white list or black list 2nd s Acti...

Page 963: ...sing HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out ZyWALL lease timeout The ZyWALL is signing the specified user out due to a lease timeout 1st s The type of user account 2nd s The user s user name 3rd s The name of the service the user is using HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out ZyWALL idle timeout The ZyWALL is signing the specified user out...

Page 964: ...able 288 myZyXEL com Logs LOG MESSAGE DESCRIPTION Send registration message to MyZyXEL com server has failed The device was not able to send a registration message to MyZyXEL com Get server response has failed The device sent packets to the MyZyXEL com server but did not receive a response The root cause may be that the connection is abnormal Timeout for get server response zysh need to catch MyZy...

Page 965: ...ervice activation has failed Because of lack must fields The device received an incomplete response from the myZyXEL com server and it caused a parsing error for the device Service expiration check has failed s The service expiration day check failed this log will append an error message returned by the MyZyXEL com server s error message returned by myZyXEL com server Service expiration check has ...

Page 966: ...te has stopped because the device couldn t resolve the myZyXEL com server s FQDN to an IP address through gethostbyname Verify server s certificate has failed Update stop The device could not process an HTTPS connection because it could not verify the myZyXEL com server s certificate The update has stopped Send download request to update server has failed The device s attempt to send a download me...

Page 967: ...ti Virus signature download has succeeded The device successfully downloaded an anti virus signature file Anti Virus signature update has succeeded The device successfully downloaded and applied an anti virus signature file Anti Virus signature download has failed The device still cannot download the anti virus signature after 3 retries System protect signature download has succeeded The device su...

Page 968: ... check The device processes a service expiration day check immediately after it starts up After register Do expiration daily check immediately The device processes a service expiration day check immediately after device registration Time is up Do expiration daily check The processes a service expiration day check every 24 hrs Read MyZyXEL com storage has failed Read data from EEPROM has failed Ope...

Page 969: ... get server response After the device sent packets to a server the device did not receive any response from the server The root cause may be a network delay issue Download file size is wrong The file size downloaded for AS is not identical with content length Parse HTTP header has failed Device can t parse the HTTP header in a response returned by a server Maybe some HTTP headers are missing Table...

Page 970: ...tom IDP signature failed The error sid and message are displayed Custom signature import error line line sid sid error_message An attempt to import a custom IDP signature failed The errored line number in the file the error sid and error message are displayed Custom signature replace error line line sid sid error_message Custom IDP signature replacing failed Error line number of file sid and messa...

Page 971: ...ast signature file update failed IDP signature update failed Can not update synchronized file An attempt to update the IDP signatures failed Rebuilding of the IDP device HA synchronized file failed IDP signature update from version version to version version has succeeded An IDP signature update succeeded The previous and updated IDP signature versions are listed IDP system protect signature updat...

Page 972: ...update the IDP signatures failed due to an internal system error System internal error Create IDP traffic anomaly entry failed There was an internal system error Query signature version failed The device could not get the signature version from the new signature package it downloaded from the update server Can not get signature version The device could not get the signature version from the new si...

Page 973: ...ame has been modified IDP profile has been modified name is profile name IDP signatures missing please refer to your user documentation to recover the default database file When the ZyWALL started it could not find the IDP signature file See the CLI reference guide for how to restore the default system database IDP signature size is over system limitation The IDP signature set is too large exceeds...

Page 974: ... port s of protocol s has been added The listed default port first s has been added for the listed protocol second s Default port s of protocol s has been removed The listed default port first s has been deleted for the listed protocol second s Rule s s has been moved to index s An application patrol rule has been moved 1st s Protocol name 2nd s From rule index number 3rd s To rule index number Ru...

Page 975: ...he tunnel name When negotiating Phase 1 and selecting matched proposal My IP Address could not be resolved ID Tunnel s Phase 1 ID mismatch s is the tunnel name When negotiating Phase 1 the peer ID did not match ID Tunnel s Phase 2 Local ID mismatch s is the tunnel name When negotiating Phase 2 and checking IPsec SAs or the ID is IPv6 ID ID Tunnel s Phase 2 Remote ID mismatch s is the tunnel name W...

Page 976: ...ch SA Tunnel s Phase 2 pfs unsupported d s is the tunnel name When negotiating Phase 2 this device does not support the PFS specified SA Tunnel s Phase 2 SA encapsulation mismatch s is the tunnel name When negotiating Phase 2 the SA encapsulation did not match SA Tunnel s Phase 2 SA protocol mismatch s is the tunnel name When negotiating Phase 2 the SA protocol did not match SA Tunnel s SA sequenc...

Page 977: ...mote name The device sent a request to enter Aggressive Mode Send SA KE ID CER T CR HASH SIG NON CE DEL VID ATTR N OTFY s This is a combined message for outgoing IKE packets Start Phase 2 Quick Mode Indicates the beginning of phase 2 using quick mode The cookie pair is 0x 08x 08x 0x 08x 08x Indicates the initiator responder cookie pair The IPSec tunnel s is already established s is the tunnel name...

Page 978: ...variables represent the phase 1 name tunnel name old SPI new SPI and the xauth name optional The tunnel was rekeyed successfully Tunnel s s Phase 1 pre shared key mismatch The variables represent the phase 1 name and tunnel name When negotiating phase 1 the pre shared keys did not match Tunnel s s Recving IKE request The variables represent the phase 1 name and tunnel name The device received an I...

Page 979: ...a packet resource shortage corrupt packet invalid MAC and so on Outbound transform operation fail After encryption or hardware accelerated processing the hardware accelerator dropped a packet e g resource overflow corrupt packet and so on Packet too big with Fragment Off An outgoing packet needed to be transformed but the fragment flag was off and the packet was too big SPI 0x x SEQ 0x x Execute t...

Page 980: ...x of rule s is appended inserted modified Firewall s s rule d was s 1st s is from zone 2nd s is to zone d is the index of the rule 3rd s is appended inserted modified Firewall s s rule d has been moved to d 1st s is from zone 2nd s is to zone 1st d is the old index of the rule 2nd d is the new index of the rule Firewall s s rule d has been deleted 1st s is from zone 2nd s is to zone d is the index...

Page 981: ...y object group d the policy route rule number The policy route d uses empty source address group Use an empty object group d the policy route rule number The policy route d uses empty destination address group Use an empty object group d the policy route rule number The policy route d uses empty service group Use an empty object group d the policy route rule number Policy route rule d was inserted...

Page 982: ...IP address s is HTTP HTTPS SSH SNMP FTP TELNET HTTPS certificate s does not exist HTTPS service will not work An administrator assigned a nonexistent certificate to HTTPS s is certificate name assigned by user HTTPS port has been changed to port s An administrator changed the port number for HTTPS s is port number HTTPS port has been changed to default port An administrator changed the port number...

Page 983: ...ber assigned by user SNMP port has been changed to default port An administrator changed the port number for SNMP back to the default 161 Console baud has been changed to s An administrator changed the console port baud rate s is baud rate assigned by user Console baud has been reset to d An administrator changed the console port baud rate back to the default 115200 d is default baud rate DHCP Ser...

Page 984: ...rol rule u has been modified An administrator modified the rule u u is rule number DNS access control rule u has been deleted An administrator removed the rule u u is rule number DNS access control rule u has been moved to d An administrator moved the rule u to index d u is previous index d variable is current index The default record of Zone Forwarder have reached the maximum number of 128 DNS se...

Page 985: ...cess control rule s is HTTP HTTPS SSH SNMP FTP TELNET Access control rule u of s was inserted An access control rule was inserted successfully u is the index of the access control rule s is HTTP HTTPS SSH SNMP FTP TELNET Access control rule u of s was modified An access control rule was modified successfully u is the index of the access control rule s is HTTP HTTPS SSH SNMP FTP TELNET Access contr...

Page 986: ...low the threshold of d disk threshold min DHCP Server executed with cautious mode enabled DHCP Server executed with cautious mode enabled DHCP Server executed with cautious mode disabled DHCP Server executed with cautious mode disabled Received packet is not an ARP response packet A packet was received but it is not an ARP response packet Receive an ARP response The device received an ARP response...

Page 987: ...iled The device was not able to synchronize with the NTP time server successfully Device is rebooted by administrator An administrator restarted the device Insufficient memory Cannot allocate system memory Connect to dyndns server has failed Cannot connect to members dyndns org to update DDNS Update the profile s has failed because of strange server response Update profile failed because the respo...

Page 988: ...ed because of dyndns internal error Update profile failed because of a dynsdns internal error s is the profile name Update the profile s has failed because the feature requested is only available to donators Update profile failed because the feature requested is only available to donators s is the profile name Update the profile s has failed because of error response Update profile failed because ...

Page 989: ... s is the profile name Update the profile s has failed because ping check of WAN interface has failed DDNS profile cannot be updated because the ping check for WAN iface failed s is the profile name The profile s has been paused because the HA interface of VRRP status was standby The profile is paused by Device HA because the VRRP status of that HA iface is standby s is the profile name Update the...

Page 990: ...ics scripts were executed successfully Port d is up The specified port has it s link up Port d is down The specified port has it s link down Release interface s failed for packet capture Releasing of the specified interface s usage count failed while exiting the packet capture function Release address object s failed for packet capture Releasing of the specified address object s usage count failed...

Page 991: ...n t get memory from OS Can t load s module The connectivity check process can t load module for check link status s the connectivity module currently only ICMP available Can t handle isalive function of s module The connectivity check process can t execute isalive function from module for check link status s the connectivity module currently only ICMP available Create socket error The connectivity...

Page 992: ...s been created s the name of VRRP group Device HA VRRP group s has been modified An VRRP group has been modified s the name of VRRP group Device HA VRRP group s has been deleted An VRRP group has been deleted s the name of VRRP group Device HA VRRP interface s for VRRP Group s has changed Configuration of an interface that belonged to a VRRP group has been changed 1st s VRRP interface name 2ed s s...

Page 993: ... s Synchronization failed because the Backup could not connect to the Master The object to be synchronized 2ed s The feature name for the object to be synchronized Backup firmware version can not be recognized Stop syncing from Master The firmware version on the Backup cannot be resolved to check if it is the same as on the Master A Backup device only synchronizes from the Master if the Master and...

Page 994: ...ized d the retry count Recovring to Backup original state for s has failed An update failed The device will try to recover the failed update feature to the original state before Device HA synchronizes the specified object Recovering to Backup original state for s has succeeded Recovery succeeded when an update for the specified object failed One of VRRP groups has became avtive Device HA Sync has ...

Page 995: ...authentication id and key first Invalid RIP text authentication RIP text authentication has been set without setting authentication key first RIP on interface s has been activated RIP on interface s has been activated s Interface Name RIP direction on interface s has been changed to In Only RIP direction on interface s has been changed to In Only s Interface Name RIP direction on interface s has b...

Page 996: ...s has been changed to s RIP send version on interface s has been changed to version 1 or 2 or both 1 2 s Interface Name RIP receive version on interface s has been changed to s RIP receive version on interface s has been changed to version 1 or 2 or both 1 2 2nd s Interface Name RIP send version on interface s has been reset to current global version s RIP send version on interface s has been rese...

Page 997: ...valid OSPF text authentication is set on interface s s Interface Name Interface s does not belong to any OSPF area Interface s has been set OSPF authentication same as area however the interface does not belong to any OSPF area s Interface Name Invalid OSPF authentication of area s on interface s Interface s has been set OSPF authentication same as area however the area has invalid text authentica...

Page 998: ...ort failed d Port number Table 302 PKI Logs LOG MESSAGE DESCRIPTION Generate X509certifiate s successfully The router created an X509 format certificate with the specified name Generate X509 certificate s failed errno d The router was not able to create an X509 format certificate with the specified name See Table 311 on page 1000 for details about the error number Generate certificate request s su...

Page 999: ...port X509 certificate s into Trusted Certificate successfully The device imported a x509 format certificate into Trusted Certificates s is the certificate request name Import PKCS 12 certificate s into My Certificate successfully The device imported a PKCS 12 format certificate into My Certificates s is the certificate request name Import PKCS 7 certificate s into My Certificate successfully The d...

Page 1000: ...om My Certificates s is the certificate request name Import PKCS 12 certificate s with incorrect password An administrator used the wrong password when trying to import a PKCS 12 format certificate s is the certificate name Cert trusted s s is the subject Due to d cert not trusted s d is an error number see Table 311 on page 1000 s is the certificate subject CODE DESCRIPTION 1 Algorithm mismatch b...

Page 1001: ...d A user tried to dial the AUX interface but the AUX interface is not enabled AUX Interface disconnecting failed This AUX interface is not enabled The AUX interface is not enabled and a user tried to use the disconnect aux command Please type phone number of interface AUX first then dial again A user tried to dial the AUX interface but the AUX interface does not have a phone number set Please type...

Page 1002: ... configured ethernet vlan or bridge and this interface is base interface of PPP interface PPP interface MTU base interface MTU 8 PPP interface may not run correctly because PPP packets will be fragmented by base interface and peer will not receive correct PPP packets 1st s Ethernet interface name 2nd s PPP interface name Interface s links down Default route will not apply until interface s links u...

Page 1003: ...HAP interface name Interface s is connected A PPP or AUX interface connected successfully s interface name Interface s is disconnected A PPP or AUX interface disconnected successfully s interface name Interface s connect failed Peer not responding The interface s connection will be terminated because the server did not send any LCP packets s interface name Interface s connect failed PAP authentica...

Page 1004: ...damaged or not inserted Please remove the device then check the SIM card The SIM card for the cellular device associated with the listed cellular interface d cannot be detected The SIM card may be missing not inserted properly or damaged Remove the device and check its SIM card If it does not appear to be damaged try re inserting the SIM card SIM card of interface cellular d in s is locked Please ...

Page 1005: ...rface d with the listed SIM card IMSI number or IMEI ESN number went over the listed time budget threshold value second d Cellular d IMSI s or ESN s over time budget d budget d seconds The listed cellular interface d with the listed SIM card IMSI number or IMEI ESN number went over the listed percentage of the time budget threshold value second d Cellular d IMSI s or ESN s over time budget budget ...

Page 1006: ...rtual interface is not supported on this type of interface A virtual interface was not created on an interface because the type of interface does not support virtual interfaces Virtual interface need to be removed before changing the interface property An interface property cannot be changed because the interface has a virtual interface on it Virtual interface can not configured at external interf...

Page 1007: ... interface internal system name has been renamed from one name to another Table 304 WLAN Logs LOG MESSAGE DESCRIPTION Wlan s is enabled The WLAN IEEE 802 11 b and or g feature has been turned on s is the slot number where the WLAN card is or can be installed Wlan s is disabled The WLAN IEEE 802 11 b and or g feature has been turned off s is the slot number where the WLAN card is or can be installe...

Page 1008: ... Interface s MAC s A wireless client used an incorrect WPA or WPA2 user password and failed authentication by the ZyWALL s local user database while trying to connect to the specified WLAN interface first s The MAC address of the wireless client is listed second s Incorrect username or password for WPA or WPA2 enterprise internal authentication Interface s MAC s A wireless client used an incorrect...

Page 1009: ...nd this representative interface is set to DHCP client and has more than one member in its group In this case the DHCP client will renew s interface name Port Grouping s has been changed An administrator configured port grouping s interface name Table 307 Force Authentication Logs LOG MESSAGE DESCRIPTION Force User Authentication will be enabled due to http server is enabled Force user authenticat...

Page 1010: ...ease for this client s DHCP pool full All of the IP addresses in the DHCP pool are already assigned to DHCP clients so there is no IP address to give to the listed DHCP client DHCP server offered s to s s The DHCP server feature gave the listed IP address to the computer with the listed hostname and MAC address Requested s from s s The ZyWALL received a DHCP request for the specified IP address fr...

Page 1011: ...rver are correct but the listed sender e mail address does not match the listed SMTP e mail account Failed to connect to mail server s The ZyWALL could not connect to the SMTP e mail server s The address configured for the server may be incorrect or there may be a problem with the ZyWALL s or the server s network connection Table 311 IP MAC Binding Logs LOG MESSAGE DESCRIPTION Drop packet s u u u ...

Page 1012: ...l in s The Windows automatic update setting on a user s computer did not match the specified EPS object Windows security patch check fail in s The Windows security patch on a user s computer did not match the specified EPS object Antivirus check fail in s A user s computer did not match the anti virus software check in the specified EPS object Personal firewall check fail in s A user s computer di...

Page 1013: ...User s Guide 1013 Windows version check fail in s A user s computer did not match the Windows version check in the specified EPS object EPS checking result is pass A user s computer passed the EPS check Table 313 EPS Logs LOG MESSAGE DESCRIPTION ...

Page 1014: ...Appendix A Log Descriptions ZyWALL USG 300 User s Guide 1014 ...

Page 1015: ...ther information about port numbers If the Protocol is TCP UDP or TCP UDP this is the IP port number If the Protocol is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 314 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Aut...

Page 1016: ...Internet Group Management Protocol is used when sending packets to a specific group of hosts IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management IRC TCP UDP 6667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol NEW ICQ TCP 5190 An Internet chat program NEWS TCP 144 A protocol for new...

Page 1017: ...s the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes midrange systems UNIX systems and...

Page 1018: ... Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution Table 314 Commonly Used Services continued NAME PROTOCOL PORT S DESCRIPTION ...

Page 1019: ... message on Miscrosoft Windows based computers If the log shows that virus files are being detected but your Miscrosoft Windows based computer is not displaying an alert message use one of the following procedures to make sure your computer is set to display the messages Windows XP 1 Click Start Control Panel Administrative Tools Services Figure 620 Windows XP Opening the Services Window ...

Page 1020: ...s Guide 1020 2 Select the Messenger service and click Start Figure 621 Windows XP Starting the Messenger Service 3 Close the window when you are done Windows 2000 1 Click Start Settings Control Panel Administrative Tools Services Figure 622 Windows 2000 Opening the Services Window ...

Page 1021: ...the window when you are done Windows 98 SE Me For Windows 98 SE Me you must open the WinPopup window in order to view real time alert messages Click Start Run and enter winpopup in the field provided and click OK The WinPopup window displays as shown Figure 624 Windows 98 SE WinPopup If you want to display the WinPopup window at startup follow the steps below for Windows 98 SE steps are similar fo...

Page 1022: ...USG 300 User s Guide 1022 1 Right click on the program task bar and click Properties Figure 625 WIndows 98 SE Program Task Bar 2 Click the Start Menu Programs tab and click Advanced Figure 626 Windows 98 SE Task Bar Properties 3 Double click Programs and click StartUp ...

Page 1023: ...yWALL USG 300 User s Guide 1023 4 Right click in the StartUp pane and click New Shortcut Figure 627 Windows 98 SE StartUp 5 A Create Shortcut window displays Enter winpopup in the Command line field and click Next Figure 628 Windows 98 SE Startup Create Shortcut ...

Page 1024: ...accept the default and click Finish Figure 629 Windows 98 SE Startup Select a Title for the Program 7 A shortcut is created in the StartUp pane Restart the computer when prompted Figure 630 Windows 98 SE Startup Shortcut Note The WinPopup window displays after the computer finishes the startup process see Figure 624 on page 1021 ...

Page 1025: ...es These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it However because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers you will need to import the ZyXEL created certificate into your web browser and flag that certificate as a tr...

Page 1026: ... the first time you browse to it you are presented with a certification error Figure 631 Internet Explorer 7 Certification Error 2 Click Continue to this website not recommended Figure 632 Internet Explorer 7 Certification Error 3 In the Address Bar click Certificate Error View certificates Figure 633 Internet Explorer 7 Certificate Error ...

Page 1027: ...ZyWALL USG 300 User s Guide 1027 4 In the Certificate dialog box click Install Certificate Figure 634 Internet Explorer 7 Certificate 5 In the Certificate Import Wizard click Next Figure 635 Internet Explorer 7 Certificate Import Wizard ...

Page 1028: ...matically select certificate store based on the type of certificate click Next again and then go to step 9 Figure 636 Internet Explorer 7 Certificate Import Wizard 7 Otherwise select Place all certificates in the following store and then click Browse Figure 637 Internet Explorer 7 Certificate Import Wizard ...

Page 1029: ...t Certificate Store dialog box choose a location in which to save the certificate and then click OK Figure 638 Internet Explorer 7 Select Certificate Store 9 In the Completing the Certificate Import Wizard screen click Finish Figure 639 Internet Explorer 7 Certificate Import Wizard ...

Page 1030: ...lly click OK when presented with the successful certificate installation message Figure 641 Internet Explorer 7 Certificate Import Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page a sealed padlock icon appears in the address bar Click it to view the page s Website Identification information Figure 642 Internet Explorer 7 Website Identification ...

Page 1031: ...one has been issued to you 1 Double click the public key certificate file Figure 643 Internet Explorer 7 Public Key Certificate File 2 In the security warning dialog box click Open Figure 644 Internet Explorer 7 Open File Security Warning 3 Refer to steps 4 12 in the Internet Explorer procedure beginning on page 1025 to complete the installation process Removing a Certificate in Internet Explorer ...

Page 1032: ...LL USG 300 User s Guide 1032 1 Open Internet Explorer and click Tools Internet Options Figure 645 Internet Explorer 7 Tools Menu 2 In the Internet Options dialog box click Content Certificates Figure 646 Internet Explorer 7 Internet Options ...

Page 1033: ...icates Authorities tab select the certificate that you want to delete and then click Remove Figure 647 Internet Explorer 7 Certificates 4 In the Certificates confirmation click Yes Figure 648 Internet Explorer 7 Certificates 5 In the Root Certificate Store dialog box click Yes Figure 649 Internet Explorer 7 Root Certificate Store ...

Page 1034: ... following example uses Mozilla Firefox 2 on Windows XP Professional however the screens can also apply to Firefox 2 on all platforms 1 If your device s Web Configurator is set to use SSL certification then the first time you browse to it you are presented with a certification error 2 Select Accept this certificate permanently and click OK Figure 650 Firefox 2 Website Certified by an Unknown Autho...

Page 1035: ...the address bar which you can click to open the Page Info Security window to view the web page s security information Figure 651 Firefox 2 Page Info Installing a Stand Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you ...

Page 1036: ...ng Certificates ZyWALL USG 300 User s Guide 1036 1 Open Firefox and click Tools Options Figure 652 Firefox 2 Tools Menu 2 In the Options dialog box click Advanced Encryption View Certificates Figure 653 Firefox 2 Options ...

Page 1037: ...tes Import Figure 654 Firefox 2 Certificate Manager 4 Use the Select File dialog box to locate the certificate and then click Open Figure 655 Firefox 2 Select File 5 The next time you visit the web site click the padlock in the address bar to open the Page Info Security window to see the web page s security information ...

Page 1038: ...ng a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2 1 Open Firefox and click Tools Options Figure 656 Firefox 2 Tools Menu 2 In the Options dialog box click Advanced Encryption View Certificates Figure 657 Firefox 2 Options ...

Page 1039: ...e Figure 658 Firefox 2 Certificate Manager 4 In the Delete Web Site Certificates dialog box click OK Figure 659 Firefox 2 Delete Web Site Certificates 5 The next time you go to the web site that issued the public key certificate you just removed a certification error appears Opera The following example uses Opera 9 on Windows XP Professional however the screens can apply to Opera 9 on all platform...

Page 1040: ...time you browse to it you are presented with a certification error 2 Click Install to accept the certificate Figure 660 Opera 9 Certificate signer not found 3 The next time you visit the web site click the padlock in the address bar to open the Security information window to view the web page s security details Figure 661 Opera 9 Security information ...

Page 1041: ...nd Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you 1 Open Opera and click Tools Preferences Figure 662 Opera 9 Tools Menu ...

Page 1042: ...Appendix D Importing Certificates ZyWALL USG 300 User s Guide 1042 2 In Preferences click Advanced Security Manage certificates Figure 663 Opera 9 Preferences ...

Page 1043: ...USG 300 User s Guide 1043 3 In the Certificates Manager click Authorities Import Figure 664 Opera 9 Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open Figure 665 Opera 9 Import certificate ...

Page 1044: ...stall authority certificate 6 Next click OK Figure 667 Opera 9 Install authority certificate 7 The next time you visit the web site click the padlock in the address bar to open the Security information window to view the web page s security details Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9 ...

Page 1045: ...Importing Certificates ZyWALL USG 300 User s Guide 1045 1 Open Opera and click Tools Preferences Figure 668 Opera 9 Tools Menu 2 In Preferences Advanced Security Manage certificates Figure 669 Opera 9 Preferences ...

Page 1046: ...ificate you just removed a certification error appears Note There is no confirmation when you delete a certificate authority so be absolutely certain that you want to go through with it before clicking the button Konqueror The following example uses Konqueror 3 5 on openSUSE 10 3 however the screens apply to Konqueror 3 5 on all Linux KDE distributions 1 If your device s Web Configurator is set to...

Page 1047: ...queror 3 5 Server Authentication 3 Click Forever when prompted to accept the certificate Figure 672 Konqueror 3 5 Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page s security details Figure 673 Konqueror 3 5 KDE SSL Information ...

Page 1048: ...en prompted you can install a stand alone certificate file if one has been issued to you 1 Double click the public key certificate file Figure 674 Konqueror 3 5 Public Key Certificate File 2 In the Certificate Import Result Kleopatra dialog box click OK Figure 675 Konqueror 3 5 Certificate Import Result The public key certificate appears in the KDE certificate manager Kleopatra Figure 676 Konquero...

Page 1049: ... security details Removing a Certificate in Konqueror This section shows you how to remove a public key certificate in Konqueror 3 5 1 Open Konqueror and click Settings Configure Konqueror Figure 677 Konqueror 3 5 Settings Menu 2 In the Configure dialog box select Crypto 3 On the Peer SSL Certificates tab select the certificate you want to delete and then click Remove Figure 678 Konqueror 3 5 Conf...

Page 1050: ...e next time you go to the web site that issued the public key certificate you just removed a certification error appears Note There is no confirmation when you remove a certificate authority so be absolutely certain you want to go through with it before clicking the button ...

Page 1051: ...endent network which is commonly referred to as an ad hoc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 679 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and a wi...

Page 1052: ...xtended Service Set ESS consists of a series of overlapping BSSs each containing an access point with each access point connected together by a wired network This wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network...

Page 1053: ...djacent AP access point to reduce interference Interference occurs when radio signals from different access points overlap causing interference and degrading performance Adjacent channels partially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and...

Page 1054: ...u set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS Request To Send message to the AP for permission to send it The AP then responds with a CTS Clear to Send message to all other stations within its range to notify them to defer their transmission It also reserves and confirms with the requesting station the time frame for the requested transmission S...

Page 1055: ...Type Preamble is used to signal that data is coming to the receiver Short and long refer to the length of the synchronization field in a packet Short preamble increases performance as less time sending preamble means more time for sending data All IEEE 802 11 compliant wireless adapters support long preamble but not all support short preamble Use long preamble if you are unsure what preamble mode ...

Page 1056: ...reless security methods available on your ZyWALL Note You must enable the same wireless security settings on the ZyWALL and on all wireless clients that you want to associate with it IEEE 802 1x In June 2001 the IEEE 802 1x standard was designed to extend the features of IEEE 802 11 to support extended authentication as well as providing additional Table 315 IEEE 802 11g DATA RATE MBPS MODULATION ...

Page 1057: ...RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to the network Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the n...

Page 1058: ...with an EAP compatible RADIUS server an access point helps a wireless station and a RADIUS server perform authentication The type of authentication you use depends on the RADIUS server and an intermediary AP s that supports IEEE 802 1x For EAP TLS authentication type you must first have a wired connection to the network and obtain the certificate s from a certificate authority CA A certificate als...

Page 1059: ... authentication is then done by sending username and password through the secure connection thus client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 PEAP Protected EAP Like EAP TTLS server side certificate authentication is used to establish a secure connection then use simple username and pa...

Page 1060: ...ve an external RADIUS server you should use WPA2 PSK WPA2 Pre Shared Key that only requires a single identical password entered into each access point wireless gateway and wireless client As long as the passwords match a wireless client will be granted access to a WLAN If the AP or the wireless clients do not support WPA2 just use WPA or WPA PSK depending on whether you have an external RADIUS ser...

Page 1061: ...rovides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC If they do not match it is assumed that the data has been tampered with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt data on a Wi Fi n...

Page 1062: ...nt how to use WPA At the time of writing the most widely available supplicant is the WPA patch for Windows XP Funk Software s Odyssey client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client However you must run Windows XP to use it WPA 2 with RADIUS Application Example To set up WPA 2 you need the IP address of the RADIUS ...

Page 1063: ...ith RADIUS Application Example WPA 2 PSK Application Example A WPA 2 PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters including spaces and symbols 2 The AP checks each wireless client s password and allows it to join the network only if the pa...

Page 1064: ...r each authentication method or key management protocol type MAC address filters are not dependent on how you configure these security features Table 318 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynam...

Page 1065: ...tenna s coverage area Antenna Gain Antenna gain measured in dB decibel is the increase in coverage within the RF beam width Higher antenna gain improves the range of the signal for better communications For an indoor site each 1 dB increase in antenna gain results in a range increase of approximately 2 5 For an unobstructed outdoor site each 1dB increase in gain results in a range increase of appr...

Page 1066: ...grees very directional to 120 degrees less directional Directional antennas are ideal for hallways and outdoor point to point applications Positioning Antennas In general antennas should be mounted as high as practically possible and free of obstructions In point to point application position both antennas at the same height and in a direct line of sight to each other to attain the best performanc...

Page 1067: ...ISTED IN THE NOTICE OR APPENDIX BELOW ZYXEL MAY HAVE DISTRIBUTED TO YOU HARDWARE AND OR SOFTWARE OR MADE AVAILABLE FOR ELECTRONIC DOWNLOADS THESE FREE SOFTWARE PROGRAMS OF THRID PARTIES AND YOU ARE LICENSED TO FREELY COPY MODIFY AND REDISTIBUTE THAT SOFTWARE UNDER THE APPLICABLE LICENSE TERMS OF SUCH THIRD PARTY NONE OF THE STATEMENTS OR DOCUMENTATION FROM ZYXEL INCLUDING ANY RESTRICTIONS OR CONDI...

Page 1068: ...ntenance technical or other support for the resultant modified Software You may not copy reverse engineer decompile reverse compile translate adapt or disassemble the Software or any part thereof nor shall you attempt to create the source code from the object code for the Software Except as and only to the extent expressly permitted in this License you may not market co brand and private label or ...

Page 1069: ...EE OR IN AN UNINTERUPTED FASHION OR THAT ANY DEFECTS OR ERRORS IN THE SOFTWARE WILL BE CORRECTED OR THAT THE SOFTWARE IS COMPATIBLE WITH ANY PARTICULAR PLATFORM SOME JURISDICTIONS DO NOT ALLOW THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES SO THEY MAY NOT APPLY TO YOU IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE ...

Page 1070: ...ate this License Agreement for any reason including but not limited to if ZyXEL finds that you have violated any of the terms of this License Agreement Upon notification of termination you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies including backup copies have been destroyed All provisions relating to confidentia...

Page 1071: ...ce Companies names and data used in examples herein are fictitious unless otherwise noted No part may be reproduced or transmitted in any form or by any means electronic or mechanical for any purpose except the express written permission of ZyXEL Communications Corporation This Product includes ppp software under the PPP License PPP License Copyright c 1993 The Australian National University All r...

Page 1072: ...ense Netkit Telnet License Copyright c 1989 Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary for...

Page 1073: ...ies and that both the copyright notice and this permission notice appear in supporting documentation and that the name University of Delaware not be used in advertising or publicity pertaining to distribution of the software without specific written prior permission The University of Delaware makes no representations about the suitability this software for any purpose It is provided as is without ...

Page 1074: ... under the an X11 style License an X11 style license This is a Free Software License This license is compatible with The GNU General Public License Version 1 This license is compatible with The GNU General Public License Version 2 This is just like a Simple Permissive license but it requires that a copyright notice be maintained ________________________________________ Permission is hereby granted...

Page 1075: ...urce licenses In case of any license issues related to OpenSSL please contact openssl core openssl org OpenSSL License Copyright c 1998 2008 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this li...

Page 1076: ...erived from this software without prior written permission For written permission please contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software develop...

Page 1077: ... USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by T...

Page 1078: ...s Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and ...

Page 1079: ...ctory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY ...

Page 1080: ...are under the a 3 clause BSD License a 3 clause BSD style license This is a Free Software License This license is compatible with The GNU General Public License Version 1 This license is compatible with The GNU General Public License Version 2 This is the BSD license without the obnoxious advertising clause It s also known as the modified BSD license Note that the University of California now pref...

Page 1081: ...erived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTA...

Page 1082: ...EQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Id COPYRIGHT v 1 6 2 2 2002 02 12 06 05 48 marka Exp Portions Copyright C 1996 2001 Nominum Inc Permission to use copy modify and distribute this software for any purp...

Page 1083: ... granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL DIRECT INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DAT...

Page 1084: ...anagement of such entity whether by contract or otherwise or ii ownership of fifty percent 50 or more of the outstanding shares or iii beneficial ownership of such entity You or Your shall mean an individual or Legal Entity exercising permissions granted by this License Source form shall mean the preferred form for making modifications including but not limited to software source code documentatio...

Page 1085: ... 2 Grant of Copyright License Subject to the terms and conditions of this License each Contributor hereby grants to You a perpetual worldwide non exclusive no charge royalty free irrevocable copyright license to reproduce prepare Derivative Works of publicly display publicly perform sublicense and distribute the Work and such Derivative Works in Source or Object form 3 Grant of Patent License Subj...

Page 1086: ...atement to Your modifications and may provide additional or different license terms and conditions for use reproduction or distribution of Your modifications or for any such Derivative Works as a whole provided Your use reproduction and distribution of the Work otherwise complies with the conditions stated in this License 5 Submission of Contributions Unless You explicitly state otherwise any Cont...

Page 1087: ...ntributor and only if You agree to indemnify defend and hold each Contributor harmless for any liability incurred by or claims asserted against such Contributor by reason of your accepting any such warranty or additional liability END OF TERMS AND CONDITIONS Version 1 1 Copyright c 1999 2003 The Apache Software Foundation All rights reserved Redistribution and use in source and binary forms with o...

Page 1088: ...PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation For more information o...

Page 1089: ... of use not price Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software and use pieces of it in new free programs and that you are informed that you can do these things To protect your rights we need to ma...

Page 1090: ...al Public License therefore permits such linking only if the entire combination fits its criteria of freedom The Lesser General Public License permits more lax criteria for linking other code with the library We call this license the Lesser General Public License because it does Less to protect the user s freedom than the ordinary General Public License It also provides other free software develop...

Page 1091: ...r any derivative work under copyright law that is to say a work containing the Library or a portion of it either verbatim or with modifications and or translated straightforwardly into another language Hereinafter translation is included without limitation in the term modification Source code for a work means the preferred form of the work for making modifications to it For a library complete sour...

Page 1092: ...tifiable sections of that work are not derived from the Library and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Library the distribution of the whole must be on the terms of ...

Page 1093: ...be a derivative work of the Library even though the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data structure layouts and accessors and small macros and small inline functions ...

Page 1094: ...ived a copy of these materials or that you have already sent this user a copy For an executable the required form of the work that uses the Library must include any data and utility programs needed for reproducing the executable from it However as a special exception the materials to be distributed need not include anything that is normally distributed in either source or binary form with the majo...

Page 1095: ... contradict the conditions of this License they do not excuse you from the conditions of this License If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not distribute the Library at all For example if a patent license would not permit royalty free redistribution of the Library by all those ...

Page 1096: ...Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED ...

Page 1097: ...designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This General Public License applies to most of the Free Software Foundation s software and to any other program whose authors commit to using it Some other Free Software Found...

Page 1098: ...ar that any patent must be licensed for everyone s free use or not licensed at all The precise terms and conditions for copying distribution and modification follow TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Publ...

Page 1099: ...uch an announcement your work based on the Program is not required to print an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate wo...

Page 1100: ...ent access to copy the source code from the same place counts as distribution of the source code even though third parties are not compelled to copy the source along with the object code 4 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will automatical...

Page 1101: ...n is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 8 If the distribution and or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries so that dis...

Page 1102: ... OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTH...

Page 1103: ...tified as the Initial Developer in the Source Code notice required by Exhibit A 1 7 Larger Work means a work which combines Covered Code or portions thereof with code not governed by the terms of this License 1 8 License means this document 1 8 1 Licensable means having the right to grant to the maximum extent possible whether at the time of the initial grant or subsequently acquired any and all o...

Page 1104: ... 12 You or Your means an individual or a legal entity exercising rights under and complying with all of the terms of this License or a future version of this License issued under Section 6 1 For legal entities You includes any entity which controls is controlled by or is under common control with You For purposes of this definition control means a the power direct or indirect to cause the directio...

Page 1105: ...herwise dispose of 1 Modifications made by that Contributor or portions thereof and 2 the combination of Modifications made by that Contributor with its Contributor Version or portions of such combination the licenses granted in Sections 2 2 a and 2 2 b are effective on the date Contributor first makes Commercial Use of the Covered Code Notwithstanding Section 2 2 b above no patent license is gran...

Page 1106: ...rived directly or indirectly from Original Code provided by the Initial Developer and including the name of the Initial Developer in a the Source Code and b in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code 3 4 Intellectual Property Matters a Third Party Claims If Contributor has knowledge that a license under a third ...

Page 1107: ...tor as a result of warranty support indemnity or liability terms You offer 3 6 Distribution of Executable Versions You may distribute Covered Code in Executable form only if the requirements of Sections 3 1 3 2 3 3 3 4 and 3 5 have been met for that Covered Code and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License includi...

Page 1108: ...etscape may publish revised and or new versions of the License from time to time Each version will be given a distinguishing version number 6 2 Effect of New Versions Once Covered Code has been published under a particular version of the License You may always continue to use it under the terms of that version You may also choose to use such Covered Code under the terms of any subsequent version o...

Page 1109: ...oper or a Contributor the Initial Developer or Contributor against whom You file such action is referred to as Participant alleging that such Participant s Contributor Version directly or indirectly infringes any patent then any and all rights granted by such Participant to You under Sections 2 1 and or 2 2 of this License shall upon 60 days notice from Participant terminate prospectively unless i...

Page 1110: ...s negligence to the extent applicable law prohibits such limitation Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages so this exclusion and limitation may not apply to you 10 U S government end users The Covered Code is a commercial item as that term is defined in 48 C F R 2 101 Oct 1995 consisting of commercial computer software and commercial comp...

Page 1111: ...vered Code under Your choice of the MPL or the alternative licenses if any specified by the Initial Developer in the file described in Exhibit A Exhibit A Mozilla Public License The contents of this file are subject to the Mozilla Public License Version 1 1 the License you may not use this file except in compliance with the License You may obtain a copy of the License at http www mozilla org MPL S...

Page 1112: ...ppropriate to package The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the a...

Page 1113: ...e Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of t...

Page 1114: ...n of the license THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR OWNER S OF THE SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCI...

Page 1115: ...g to PNG copyright 1999 2000 2001 2002 Greg Roelofs Portions relating to gdttf c copyright 1999 2000 2001 2002 John Ellson ellson lucent com Portions relating to gdft c copyright 2001 2002 John Ellson ellson lucent com Portions copyright 2000 2001 2002 2003 2004 2005 2006 2007Pierre Alain Joye pierre libgd org Portions relating to JPEG and to color quantization copyright 2000 2001 2002 Doug Becker...

Page 1116: ...oftwarehttp www millstream com au view code tablekit Version 1 2 1 2007 03 11 Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to p...

Page 1117: ... required 2 Altered source versions must be plainly marked as such and must not be misrepresented as being the original software 3 This notice may not be removed or altered from any source distribution L Peter Deutschghost aladdin com This Product includes libpng software under the below License Copyright c year copyright holders This software is provided as is without any express or implied warra...

Page 1118: ...gust 15 2004 through 1 2 12 June 27 2006 are Copyright c 2004 2006 Glenn Randers Pehrson and are distributed according to the same disclaimer and license as libpng 1 2 5 with the following individual added to the list of Contributing Authors Cosmin Truta libpng versions 1 0 7 July 1 2000 through 1 2 5 October 3 2002 are Copyright c 2000 2002 Glenn Randers Pehrson and are distributed according to t...

Page 1119: ...th the user libpng versions 0 97 January 1998 through 1 0 6 March 20 2000 are Copyright c 1998 1999 2000 Glenn Randers Pehrson and are distributed according to the same disclaimer and license as libpng 0 96 with the following individuals added to the list of Contributing Authors Tom Lane Glenn Randers Pehrson Willem van Schaik libpng versions 0 89 June 1996 through 0 96 May 1997 are Copyright c 19...

Page 1120: ...Eric Schalnat Paul Schmidt Tim Wegner The PNG Reference Library is supplied AS IS The Contributing Authors and Group 42 Inc disclaim all warranties expressed or implied including without limitation the warranties of merchantability and of fitness for any purpose The Contributing Authors and Group 42 Inc assume no liability for direct indirect incidental special exemplary or consequential damages w...

Page 1121: ...g Authors and Group 42 Inc specifically permit without fee and encourage the use of this source code as a component to supporting the PNG file format in commercial products If you use this source code in a product acknowledgment is not required but would be appreciated This Product includes ftp tls software under the below License Copyright C 1997 and 1998 WIDE Project All rights reserved Redistri...

Page 1122: ...WISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright c 1985 1989 1993 1994 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above cop...

Page 1123: ...copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed by the NetBSD Foundation Inc and its contributors 4 Neither the name of The NetBSD Foundation nor t...

Page 1124: ...Appendix F Open Software Announcements ZyWALL USG 300 User s Guide 1124 ...

Page 1125: ...on or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Your use of the ZyWALL is subject to the terms and conditions of any related service providers Trademark...

Page 1126: ...ll not occur in a particular installation If this device does cause harmful interference to radio television reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the e...

Page 1127: ...y Period of this product During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyXEL will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operating co...

Page 1128: ...s warranty contact your vendor You may also refer to the warranty policy for the region in which you bought the device at http www zyxel com web support_warranty_info php Registration Register your product online to receive e mail notices of firmware upgrades and information at www zyxel com ...

Page 1129: ...users 724 725 custom page 836 forcing login 448 idle timeout 733 logging in 448 multiple logins 734 see also users 724 Web Configurator 736 access users see also force user authentication policies account myZyXEL com 284 user 723 accounting server 757 Active Directory see AD active protocol 508 AH 508 and encapsulation 509 ESP 508 active sessions 227 233 248 ActiveX 672 AD 757 760 761 763 764 dire...

Page 1130: ...107 FTP 434 H 323 434 440 IPPBX on DMZ tutorial 170 peer to peer calls 435 RTP 440 see also VoIP pass through 434 SIP 434 tutorial 163 Anomaly Detection and Prevention see ADP answer rings 861 antenna directional 1066 gain 1065 omni directional 1066 anti spam 683 689 action for spam mails 689 alerts 688 black list 684 689 concurrent e mail sessions 276 686 configuration overview 111 DNSBL 685 689 ...

Page 1131: ...riority 559 priority effect 558 protocol statistics 260 261 registration status 564 service ports 554 statistics 258 trial service activation 285 troubleshooting 923 929 933 troubleshooting signatures update 922 unidentified applications 572 updating signatures 291 vs firewall 455 458 applications 41 AppPatrol see application patrol 291 ASAS Authenex Strong Authentication System 758 ASCII encoding...

Page 1132: ... VPN policy 100 AUX port 860 see also auxiliary interface 860 auxiliary interface 296 360 860 troubleshooting 925 when used 360 B backdoor attacks 607 backing up configuration files 890 backslashes 646 bad length options attack 647 bandwidth egress 323 ingress 323 usage statistics 259 bandwidth limit troubleshooting 926 bandwidth management 553 and policy routes 389 behavior 557 configured rate ef...

Page 1133: ...ocol CMP 781 Certificate Revocation List CRL 774 vs OCSP 793 certificates 773 advantages of 774 and CA 774 and FTP 855 and HTTPS 832 and IKE SA 507 and SSH 850 and synchronization device HA 721 and VPN gateways 476 and WWW 834 certification path 774 784 790 expired 774 factory default 775 file formats 775 fingerprints 785 791 importing 778 in IPSec 492 not used for encryption 774 revoked 774 self ...

Page 1134: ...ent filtering 649 650 and address groups 649 650 655 and address objects 649 650 655 and registration 654 656 659 and schedules 649 650 and user groups 649 and users 649 by category 650 661 by keyword in URL 650 673 by URL 650 672 by web feature 650 672 cache 272 674 categories 661 category service 659 configuration overview 110 default policy 650 652 external web filtering service 659 674 filter ...

Page 1135: ...ccess 702 management IP address 702 modes 701 monitored interfaces 705 709 password 709 prerequisites 111 role 713 synchronization 702 721 synchronization password 709 713 synchronization port number 708 713 troubleshooting 934 935 tutorial 177 virtual router 704 virtual router and management IP addresses 705 VRID 713 device High Availability see device HA 701 device introduction 33 DHCP 366 816 a...

Page 1136: ... in IPSec 480 dynamic routes 100 dynamic WEP key exchange 1059 DynDNS 413 DynDNS see also DDNS 413 Dynu 413 E EAP Authentication 1058 e Donkey 606 EGP Exterior Gateway Protocol 641 egress bandwidth 323 EICAR 583 e mail 683 daily statistics report 868 header buffer 685 headers 684 virus 593 e Mule 606 Encapsulating Security Payload see ESP encapsulation and active protocol 509 IPSec 481 transport m...

Page 1137: ...ltered port scan 642 Firefox 47 firewall 455 456 actions 468 and address groups 452 468 and address objects 452 468 and ALG 433 436 and application patrol 554 and H 323 ALG 434 and HTTP redirect 430 and IPSec SA 458 and IPSec VPN 930 and logs 453 468 and NAT 464 and port triggering 388 928 and schedules 453 468 570 573 576 and service groups 468 and services 468 746 and SIP ALG 435 and user groups...

Page 1138: ...ditional signaling port 438 ALG 433 440 and firewall 434 and RTP 440 signaling port 438 troubleshooting 929 HA status see device HA 704 header checksum 614 hidden node 1053 host based intrusions 626 HSDPA 322 HTTP inspection 637 645 over SSL see HTTPS redirect to HTTPS 834 vs HTTPS 832 HTTP redirect 429 and application patrol 430 and firewall 430 and interfaces 432 and policy routes 430 configurat...

Page 1139: ...ubleshooting 923 927 troubleshooting signatures update 922 updating signatures 291 verifying custom signatures 625 IEEE 802 11g 1055 IEEE 802 1q VLAN IGP Interior Gateway Protocol 641 IHL IP Header Length 613 IIS backslash evasion attack 646 emulation 646 encoding 646 server 645 unicode 646 unicode codepoint encoding attack 646 IKE SA aggressive mode 502 506 and certificates 507 and RADIUS 507 and...

Page 1140: ... between 297 static DHCP 367 subnet mask 364 trunks see also trunks types 296 virtual see also virtual interfaces VLAN see also VLAN interfaces where used 103 internal interface 98 304 Internet access troubleshooting 922 933 Internet Control Message Protocol see ICMP Internet Explorer 47 Internet Message Access Protocol see IMAP 684 Internet Protocol IP 613 Internet Protocol Security see IPSec Int...

Page 1141: ...on algorithms 502 503 authentication key manual keys 510 destination NAT for inbound traffic 512 encapsulation 508 encryption algorithms 503 encryption key manual keys 510 local policy 508 manual keys 510 NAT for inbound traffic 510 NAT for outbound traffic 510 Perfect Forward Secrecy PFS 509 proposal 509 remote policy 508 search by name 263 search by policy 263 Security Parameter Index SPI manual...

Page 1142: ...h time limit 763 SSL 763 user attributes 737 least load first load balancing 371 LED troubleshooting 921 LEDs 35 legitimate e mail 683 level 4 inspection 554 level 7 inspection 554 license key 287 upgrading 286 licensing 281 Lightweight Directory Access Protocol see LDAP link sticking 370 374 lists 59 load balancing 369 algorithms 371 376 least load first 371 round robin 377 see also trunks 369 se...

Page 1143: ... MSCHAP V2 362 797 Point to Point Encryption MPPE 797 model name 226 monitor 265 SA 262 monitor menu 52 monitor profile ADP 634 IDP 602 monitor screens 237 monitored interfaces 705 device HA 709 MPPE Microsoft Point to Point Encryption 797 MSCHAP Microsoft Challenge Handshake Authentication Protocol 362 797 MSCHAP V2 Microsoft Challenge Handshake Authentication Protocol Version 2 362 797 MTU 323 m...

Page 1144: ...figuration 93 objects 93 112 514 AAA server 757 addresses and address groups 739 authentication method 767 certificates 773 for configuration 93 introduction to 93 schedules 751 services and service groups 745 SSL application 799 users user groups 723 obsolete options attack 647 offset patterns 621 One Time Password OTP 758 Online Certificate Status Protocol OCSP 793 vs CRL 793 Open Shortest Path ...

Page 1145: ... 435 managing 553 Perfect Forward Secrecy PFS 482 Diffie Hellman key group 509 performance troubleshooting 926 927 928 Personal Identification Number code see PIN code PFS Perfect Forward Secrecy 482 509 phishing 661 physical ports 33 and interfaces 94 packet statistics 238 packet statistics graph 240 PIN code 322 PIN generator 758 pointer record 826 Point to Point Protocol over Ethernet see PPPoE...

Page 1146: ...subnet mask 311 PPTP 368 and GRE 368 as VPN 368 preamble mode 1055 privacy concerns 662 problems 921 product overview 33 registration 1128 profiles packet inspection 603 protocol usage statistics 260 261 protocol anomaly 630 645 detection 637 proxy servers 430 web see web proxy servers PSK 1061 PTR record 826 public server tutorial 167 Public Key Infrastructure PKI 774 public private key pairs 773...

Page 1147: ...us 267 collecting data 245 configuration overview 114 content filtering 271 daily 868 daily e mail 868 IDP 269 specifications 247 traffic statistics 245 reset 939 vs reboot 917 RESET button 37 939 response strings 861 reverse proxy mode 42 513 RFC 1058 RIP 396 1389 RIP 396 1587 OSPF areas 398 1631 NAT 391 1889 RTP 440 2131 DHCP 366 2132 DHCP 366 2328 OSPF 397 2338 VRRP 711 2402 AH 481 508 2406 ESP...

Page 1148: ...ups 746 and firewall 468 and port triggering 388 in IDP 607 where used 112 service objects 745 service set 331 Service Set IDentity See SSID 326 328 service subscription status 286 service trials 284 services 745 746 1015 and device HA 702 and firewall 468 746 and IDP 746 and policy routes 746 and port triggering 388 subscription 282 where used 112 Session Initiation Protocol see SIP session limit...

Page 1149: ...1 spillover for load balancing 372 spyware 661 SQL slammer 627 SSH 847 and address groups 851 and address objects 851 and certificates 850 and zones 851 client requirements 849 encryption methods 849 for secure Telnet 851 how connection is established 848 versions 849 with Linux 852 with Microsoft Windows 851 SSID 326 328 SSL 513 520 831 access policy 514 and AAA 763 and AD 763 and LDAP 763 certif...

Page 1150: ...irus 267 application patrol 258 bandwidth 259 content filtering 271 daily e mail report 868 IDP 269 protocol 260 261 traffic 245 status bar 57 warning message popup 57 stopping the device 37 streaming protocols management 553 strict source routing 614 stub area 398 STUN 435 and ALG 435 subscription services 282 and synchronization device HA 702 AppPatrol 285 content filtering 285 IDP 285 new IDP A...

Page 1151: ...VRRP groups 711 global rules 457 token 758 trademarks 1125 traffic anomaly 630 634 traffic statistics 245 Transmission Control Protocol see TCP transport encapsulation 481 Transport Layer Security TLS 855 trapdoor attacks 607 trial subscription services 284 triangle routes 463 allowing through the firewall 465 vs virtual interfaces 463 Triple Data Encryption Standard see 3DES trojan attacks 607 tr...

Page 1152: ...used 103 Trusted Certificates see also certificates 787 TTCP detected attack 647 tunnel encapsulation 481 tutorials 117 U UDP 745 attack packet 605 640 decoder 637 645 decoy portscan 642 distributed portscan 642 flood attack 645 messages 745 port numbers 746 portscan 641 portsweep 642 u encoding attack 646 UltraVNC 800 undersize len attack 647 undersize offset attack 647 unreachables ICMP 642 unsa...

Page 1153: ...LDAP 737 attributes for RADIUS 737 attributes in AAA servers 737 configuration overview 112 currently logged in 226 235 default lease time 733 735 default reauthentication time 733 735 default type for Ext User 724 ext group user type 724 Ext User type 724 ext user type 724 groups see user groups Guest type 724 lease time 728 limited admin type 724 lockout 734 logged in 252 prerequisites for force...

Page 1154: ...s 476 and to device firewall 930 VRID 713 VRPT Vantage Report 871 882 VRRP 711 advertisement interval 720 backup router 720 management IP 720 master router 720 router priority 720 virtual router ID VR ID 720 VRRP groups 711 and interfaces 711 and to device firewall 711 authentication 711 role desired 715 see also VRRP W WAN multiple IP addresses 176 WAN trunk 100 WAN_TRUNK 33 warm start 37 warning...

Page 1155: ... vs WPA PSK 1061 wireless client supplicant 1062 with RADIUS application example 1062 WPA2 1060 user authentication 1061 vs WPA2 PSK 1061 wireless client supplicant 1062 with RADIUS application example 1062 WPA2 Pre Shared Key WPA2 PSK 1060 WPA2 PSK 1060 1061 application example 1063 WPA PSK 1060 1061 application example 1063 WWW 832 and address groups 836 and address objects 836 and authenticatio...

Page 1156: ...Index ZyWALL USG 300 User s Guide 1156 ...

Search results

Summary of Contents for Unified Security Gateway ZyWALL 300

Reviews:

Related manuals for Unified Security Gateway ZyWALL 300

Brands by name

Popular brands

ZyXEL Communications Unified Security Gateway ZyWALL 300, User Manual

Search results

Summary of Contents for Unified Security Gateway ZyWALL 300

Reviews:

Related manuals for Unified Security Gateway ZyWALL 300

Brands by name

Popular brands