manualshive.com logo in svg

ZyXEL Communications USG-300 - V2.20 ED 2, Manual

Download the free ZyXEL Communications USG-300 - V2.20 ED 2 manual from our website. This comprehensive user manual provides detailed instructions for efficiently setting up and maximizing the potential of your ZyXEL USG-300. Get all the information you need to make the most of your product!

Share
Download
background image

 Chapter 35 ADP

ZyWALL USG 300 User’s Guide

653

UDP Flood Attack

UDP is a connection-less protocol and it does not require any connection setup 
procedure to transfer data. A UDP flood attack is possible when an attacker sends 
a UDP packet to a random port on the victim system. When the victim system 
receives a UDP packet, it will determine what application is waiting on the 
destination port. When it realizes that there is no application that is waiting on the 
port, it will generate an ICMP packet of destination unreachable to the forged 
source address. If enough UDP packets are delivered to ports on victim, the 
system will go down.

Protocol Anomaly Background Information

The following sections may help you configure the protocol anomaly profile screen 
(see 

Section 35.3.5 on page 645

)

HTTP Inspection and TCP/UDP/ICMP Decoders

The following table gives some information on the HTTP inspection, TCP decoder, 
UDP decoder and ICMP decoder ZyWALL protocol anomaly rules. 

Table 176   

HTTP Inspection and TCP/UDP/ICMP Decoders

LABEL

DESCRIPTION

HTTP Inspection

APACHE-WHITESPACE 

ATTACK

This rule deals with non-RFC standard of tab for a space 
delimiter. Apache uses this, so if you have an Apache 
server, you need to enable this option.

ASCII-ENCODING 

ATTACK

This rule can detect attacks where malicious attackers use 
ASCII-encoding to encode attack strings. Attackers may 
use this method to bypass system parameter checks in 
order to get information or privileges from a web server.

BARE-BYTE-

UNICODING-ENCODING 

ATTACK

Bare byte encoding uses non-ASCII characters as valid 
values in decoding UTF-8 values. This is NOT in the HTTP 
standard, as all non-ASCII values have to be encoded with 
a %. Bare byte encoding allows the user to emulate an IIS 
server and interpret non-standard encodings correctly.

BASE36-ENCODING 

ATTACK

This is a rule to decode base36-encoded characters. This 
rule can detect attacks where malicious attackers use 
base36-encoding to encode attack strings. Attackers may 
use this method to bypass system parameter checks in 
order to get information or privileges from a web server.

DIRECTORY-TRAVERSAL 

ATTACK

This rule normalizes directory traversals and self-referential 
directories. So, “/abc/this_is_not_a_real_dir/../xyz” get 
normalized to “/abc/xyz”. Also, “/abc/./xyz” gets 
normalized to “/abc/xyz”. If a user wants to configure an 
alert, then specify “yes”, otherwise “no”. This alert may give 
false positives since some web sites refer to files using 
directory traversals.

Summary of Contents for USG-300 - V2.20 ED 2

Page 1: ... com ZyWALL USG 300 Unified Security Gateway Copyright 2010 ZyXEL Communications Corporation Firmware Version 2 20 Edition 2 9 2010 Default Login Details LAN Port P1 IP Address https 192 168 1 1 User Name admin Password 1234 ...

Page 2: ......

Page 3: ...ssential terms used in the ZyWALL what prerequisites are needed to configure a feature and how to use that feature It is highly recommended you read Chapter 7 on page 117 for ZyWALL application examples Subsequent chapters are arranged by menu item as defined in the Web Configurator Read each chapter carefully for detailed information on that menu item To find specific information in this guide us...

Page 4: ...tion from this link Read the Tech Doc Overview to find out how to efficiently use the User Guide Quick Start Guide and Command Line Interface Reference Guide in order to better understand how to use your product Knowledge Base If you have a specific question about your product the answer may be here This is a collection of answers to previously asked questions about ZyXEL products Forum This conta...

Page 5: ...l number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Disclaimer Graphics in this book may differ slightly from the product due to differences in operating systems operating system versions or if you installed updated firmware software for your device Every effort has been made to ensure that the information in this man...

Page 6: ... key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first click...

Page 7: ...User s Guide 7 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyWALL icon is not an exact representation of your device ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ...

Page 8: ...d and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the power adaptor or cord is damaged remove it from the device and the power source Do NOT attempt to repair the power adaptor or cord Contact your local vendor to order a new one Do not use the device outside and make su...

Page 9: ...ical Reference 223 Dashboard 225 Monitor 239 Registration 283 Signature Update 289 Interfaces 295 Trunks 369 Policy and Static Routes 379 Routing Protocols 395 Zones 409 DDNS 413 NAT 419 HTTP Redirect 429 ALG 435 IP MAC Binding 443 Authentication Policy 449 Firewall 457 IPSec VPN 475 SSL VPN 517 SSL User Screens 531 SSL User Application Screens 541 SSL User File Sharing 543 ZyWALL SecuExtender 551...

Page 10: ...ice HA 709 User Group 731 Addresses 747 Services 753 Schedules 759 AAA Server 765 Authentication Method 775 Certificates 781 ISP Accounts 803 SSL Application 807 Endpoint Security 815 System 825 Log and Report 877 File Manager 893 Diagnostics 905 Reboot 915 Shutdown 917 Troubleshooting 919 Product Specifications 939 ...

Page 11: ...ounted Installation Procedure 34 1 3 Front Panel 35 1 3 1 Front Panel LEDs 35 1 4 Management Overview 35 1 5 Starting and Stopping the ZyWALL 37 Chapter 2 Features and Applications 39 2 1 Features 39 2 2 Applications 41 2 2 1 VPN Connectivity 42 2 2 2 SSL VPN Network Access 42 2 2 3 User Aware Access Control 44 2 2 4 Multiple WAN Interfaces 44 2 2 5 Device HA 45 Chapter 3 Web Configurator 47 3 1 W...

Page 12: ...2 1 Choose an Ethernet Interface 76 5 2 2 Select WAN Type 76 5 2 3 Configure WAN Settings 77 5 2 4 WAN and ISP Connection Settings 78 5 2 5 Quick Setup Interface Wizard Summary 80 5 3 VPN Quick Setup 81 5 4 VPN Setup Wizard Wizard Type 82 5 5 VPN Express Wizard Scenario 83 5 5 1 VPN Express Wizard Configuration 84 5 5 2 VPN Express Wizard Summary 85 5 5 3 VPN Express Wizard Finish 86 5 5 4 VPN Adv...

Page 13: ... DDNS 105 6 5 10 NAT 105 6 5 11 HTTP Redirect 106 6 5 12 ALG 107 6 5 13 Auth Policy 107 6 5 14 Firewall 107 6 5 15 IPSec VPN 108 6 5 16 SSL VPN 108 6 5 17 L2TP VPN 109 6 5 18 Application Patrol 109 6 5 19 Anti Virus 110 6 5 20 IDP 110 6 5 21 ADP 110 6 5 22 Content Filter 110 6 5 23 Anti Spam 111 6 5 24 Device HA 111 6 6 Objects 112 6 6 1 User Group 112 6 7 System 113 6 7 1 DNS WWW SSH TELNET FTP S...

Page 14: ...cies With Bandwidth Restrictions 150 7 7 5 Set Up MSN Policies 153 7 7 6 Set Up Firewall Rules 154 7 8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups 155 7 9 How to Use Endpoint Security and Authentication Policies 157 7 9 1 Configure the Endpoint Security Objects 157 7 9 2 Configure the Authentication Policy 159 7 10 How to Configure Service Control 160 7 10 1 Allow HTTP...

Page 15: ... the L2TP VPN Settings Example 188 8 5 Configuring L2TP VPN in Windows Vista XP or 2000 189 8 5 1 Configuring L2TP in Windows Vista 189 8 5 2 Configuring L2TP in Windows XP 199 8 5 3 Configuring L2TP in Windows 2000 205 Part II Technical Reference 223 Chapter 9 Dashboard 225 9 1 Overview 225 9 1 1 What You Can Do in this Chapter 225 9 2 The Dashboard Screen 225 9 2 1 The CPU Usage Screen 232 9 2 2...

Page 16: ...10 13 1 Regular Expressions in Searching IPSec SAs 265 10 14 The SSL Connection Monitor Screen 266 10 15 L2TP over IPSec Session Monitor Screen 267 10 16 The Anti Virus Statistics Screen 268 10 17 The IDP Statistics Screen 270 10 18 The Content Filter Statistics Screen 272 10 19 Content Filter Cache Screen 273 10 20 The Anti Spam Statistics Screen 276 10 21 The Anti Spam Status Screen 278 10 22 Lo...

Page 17: ...2 WLAN Add Edit WEP Security 335 13 6 3 WLAN Add Edit WPA PSK WPA2 PSK Security 336 13 6 4 WLAN Add Edit WPA WPA2 Security 337 13 7 WLAN Interface MAC Filter 339 13 8 VLAN Interfaces 341 13 8 1 VLAN Summary Screen 343 13 8 2 VLAN Add Edit 344 13 9 Bridge Interfaces 351 13 9 1 Bridge Summary 353 13 9 2 Bridge Add Edit 354 13 10 Auxiliary Interface 360 13 10 1 Auxiliary Interface Overview 360 13 10 ...

Page 18: ... The RIP Screen 396 16 3 The OSPF Screen 397 16 3 1 Configuring the OSPF Screen 401 16 3 2 OSPF Area Add Edit Screen 404 16 3 3 Virtual Link Add Edit Screen 405 16 4 Routing Protocol Technical Reference 406 Chapter 17 Zones 409 17 1 Zones Overview 409 17 1 1 What You Can Do in this Chapter 409 17 1 2 What You Need to Know 410 17 2 The Zone Screen 411 17 3 Zone Edit 412 Chapter 18 DDNS 413 18 1 DDN...

Page 19: ...2 The ALG Screen 439 21 3 ALG Technical Reference 441 Chapter 22 IP MAC Binding 443 22 1 IP MAC Binding Overview 443 22 1 1 What You Can Do in this Chapter 443 22 1 2 What You Need to Know 444 22 2 IP MAC Binding Summary 444 22 2 1 IP MAC Binding Edit 445 22 2 2 Static DHCP Edit 446 22 3 IP MAC Binding Exempt List 447 Chapter 23 Authentication Policy 449 23 1 Overview 449 23 1 1 What You Can Do in...

Page 20: ...n 480 25 2 2 The VPN Connection Add Edit Manual Key Screen 487 25 3 The VPN Gateway Screen 490 25 3 1 The VPN Gateway Add Edit Screen 491 25 4 VPN Concentrator 499 25 4 1 IPSec VPN Concentrator Example 499 25 4 2 VPN Concentrator Screen 502 25 4 3 The VPN Concentrator Add Edit Screen 502 25 5 IPSec VPN Background Information 503 Chapter 26 SSL VPN 517 26 1 Overview 517 26 1 1 What You Can Do in th...

Page 21: ...ating a New Folder 547 29 5 Renaming a File or Folder 548 29 6 Deleting a File or Folder 548 29 7 Uploading a File 549 Chapter 30 ZyWALL SecuExtender 551 30 1 The ZyWALL SecuExtender Icon 551 30 2 Statistics 552 30 3 View Log 553 30 4 Suspend and Resume the Connection 553 30 5 Stop the Connection 554 30 6 Uninstalling the ZyWALL SecuExtender 554 Chapter 31 L2TP VPN 555 31 1 Overview 555 31 1 1 Wha...

Page 22: ...hite List Add Edit 594 33 5 Anti Virus White List 595 33 6 Signature Searching 596 33 7 Anti Virus Technical Reference 599 Chapter 34 IDP 601 34 1 Overview 601 34 1 1 What You Can Do in this Chapter 601 34 1 2 What You Need To Know 601 34 1 3 Before You Begin 602 34 2 The IDP General Screen 603 34 3 Introducing IDP Profiles 605 34 3 1 Base Profiles 606 34 4 The Profile Summary Screen 607 34 5 Crea...

Page 23: ...iles 642 35 3 4 Traffic Anomaly Profiles 642 35 3 5 Protocol Anomaly Profiles 645 35 3 6 Protocol Anomaly Configuration 645 35 4 ADP Technical Reference 649 Chapter 36 Content Filtering 659 36 1 Overview 659 36 1 1 What You Can Do in this Chapter 659 36 1 2 What You Need to Know 659 36 1 3 Before You Begin 661 36 2 Content Filter General Screen 661 36 3 Content Filter Policy Add or Edit Screen 664...

Page 24: ...er 709 39 1 2 What You Need to Know 709 39 1 3 Before You Begin 710 39 2 Device HA General 711 39 3 The Active Passive Mode Screen 712 39 3 1 Configuring Active Passive Mode Device HA 714 39 4 Configuring an Active Passive Mode Monitored Interface 717 39 5 The Legacy Mode Screen 719 39 6 Configuring the Legacy Mode Screen 720 39 7 Device HA Technical Reference 724 Chapter 40 User Group 731 40 1 Ov...

Page 25: ...56 42 3 1 The Service Group Add Edit Screen 758 Chapter 43 Schedules 759 43 1 Overview 759 43 1 1 What You Can Do in this Chapter 759 43 1 2 What You Need to Know 759 43 2 The Schedule Summary Screen 760 43 2 1 The One Time Schedule Add Edit Screen 761 43 2 2 The Recurring Schedule Add Edit Screen 762 Chapter 44 AAA Server 765 44 1 Overview 765 44 1 1 Directory Service AD LDAP 765 44 1 2 RADIUS Se...

Page 26: ...6 3 The Trusted Certificates Screen 795 46 3 1 The Trusted Certificates Edit Screen 796 46 3 2 The Trusted Certificates Import Screen 800 46 4 Certificates Technical Reference 801 Chapter 47 ISP Accounts 803 47 1 Overview 803 47 1 1 What You Can Do in this Chapter 803 47 2 ISP Account Summary 803 47 2 1 ISP Account Edit 804 Chapter 48 SSL Application 807 48 1 Overview 807 48 1 1 What You Can Do in...

Page 27: ...g an Address PTR Record 836 50 6 6 Domain Zone Forwarder 837 50 6 7 Adding a Domain Zone Forwarder 837 50 6 8 MX Record 838 50 6 9 Adding a MX Record 839 50 6 10 Adding a DNS Service Control Rule 839 50 7 WWW Overview 840 50 7 1 Service Access Limitations 841 50 7 2 System Timeout 841 50 7 3 HTTPS 841 50 7 4 Configuring WWW Service Control 842 50 7 5 Service Control Rules 846 50 7 6 Customizing th...

Page 28: ...USB Storage Setting 886 51 3 4 Edit Remote Server Log Settings 888 51 3 5 Active Log Summary Screen 890 Chapter 52 File Manager 893 52 1 Overview 893 52 1 1 What You Can Do in this Chapter 893 52 1 2 What you Need to Know 893 52 2 The Configuration File Screen 896 52 3 The Firmware Package Screen 900 52 4 The Shell Script Screen 902 Chapter 53 Diagnostics 905 53 1 Overview 905 53 1 1 What You Can ...

Page 29: ...er 56 Troubleshooting 919 56 1 Resetting the ZyWALL 936 56 2 Getting More Troubleshooting Help 937 Chapter 57 Product Specifications 939 57 1 3G PCMCIA Card Installation 945 Appendix A Log Descriptions 947 Appendix B Common Services 1009 Appendix C Displaying Anti Virus Alert Messages in Windows 1013 Appendix D Importing Certificates 1019 Appendix E Wireless LANs 1045 Appendix F Open Software Anno...

Page 30: ...Table of Contents ZyWALL USG 300 User s Guide 30 ...

Page 31: ...31 PART I User s Guide ...

Page 32: ...32 ...

Page 33: ...r P2P control NAT port forwarding policy routing DHCP server and many other powerful features Flexible configuration helps you set up the network and enforce security policies efficiently See Chapter 2 on page 39 for a more detailed overview of the ZyWALL s features The front panel physical Gigabit Ethernet ports labeled 1 2 3 and so on are mapped to Gigabit Ethernet ge interfaces By default 1 is ...

Page 34: ...holes on one side of the ZyWALL and secure it with the included bracket screws smaller than the rack mounting screws 2 Attach the other bracket in a similar fashion Figure 1 Attaching Mounting Brackets and Screws 3 After attaching both mounting brackets position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack Secure the ZyWALL to the rack with t...

Page 35: ...tes and then restart the device see Section 1 5 on page 37 If the LED turns red again then please contact your vendor SYS Green Off The ZyWALL is not ready or has failed On The ZyWALL is ready and running Flashing The ZyWALL is restarting AUX Green Off The AUX port is not connected Flashing The AUX port is sending or receiving packets On The AUX port is connected P1 P2 Green Off There is no traffi...

Page 36: ...se text based commands to configure the ZyWALL You can access it using remote management for example SSH or Telnet or via the console port See the Command Reference Guide for more information about the CLI Console Port You can use the console port to manage the ZyWALL using CLI commands See the Command Reference Guide for more information about the CLI The default settings for the console port are...

Page 37: ...ebooting the ZyWALL A warm start without powering down and powering up again occurs when you use the Reboot button in the Reboot screen or when you use the reboot command The ZyWALL writes all cached data to the local storage stops the system processes and then does a warm start Using the RESET button If you press the RESET button the ZyWALL sets the configuration to its default values and then re...

Page 38: ...Chapter 1 Introducing the ZyWALL ZyWALL USG 300 User s Guide 38 ...

Page 39: ...es reliable secure Internet access set up one or more of the following Multiple WAN ports and configure load balancing between these ports One or more 3G cellular connections An auxiliary backup Internet connection A backup ZyWALL in the event the master ZyWALL fails device HA Virtual Private Networks VPN Use IPSec SSL or L2TP VPN to provide secure communication between two sites over the Internet...

Page 40: ... violations of protocol standards RFCs Requests for Comments Abnormal flows such as port scans The ZyWALL s ADP protects against network based intrusions See Section 35 3 4 on page 642 and Section 35 3 5 on page 645 for more on the kinds of attacks that the ZyWALL can protect against You can also create your own custom ADP rules Bandwidth Management Bandwidth management allows you to allocate netw...

Page 41: ...ted of being used by spammers Application Patrol Application patrol App Patrol manages instant messenger IM peer to peer P2P applications like MSN and BitTorrent You can even control the use of a particular application s individual features like text messaging voice video conferencing and file transfers Application patrol has powerful bandwidth management including traffic prioritization to enhanc...

Page 42: ...gure the ZyWALL to provide SSL VPN network access to remote users There are two SSL VPN network access modes reverse proxy and full tunnel 2 2 2 1 Reverse Proxy Mode In reverse proxy mode the ZyWALL is a proxy that acts on behalf of the local network servers such as your web and mail servers As the final destination the ZyWALL appears to be the server to remote users This provides an added layer o...

Page 43: ...el mode a virtual connection is created for remote users with private IP addresses in the same subnet as the local network This allows them to access network resources in the same way as if they were part of the internal network Figure 7 Network Access Mode Full Tunnel Mode Web Mail File Share Web based Application LAN 192 168 1 X https Web Mail File Share Web based Application https Application S...

Page 44: ...ormation and shared resources based on the user who is trying to access it Figure 8 Applications User Aware Access Control 2 2 4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port or set up multiple connections on different ports In either case you can balance the loads between them Figure 9 Applications Multiple WAN Interfaces ...

Page 45: ...ures and Applications ZyWALL USG 300 User s Guide 45 2 2 5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network Figure 10 Applications Device HA ...

Page 46: ...Chapter 2 Features and Applications ZyWALL USG 300 User s Guide 46 ...

Page 47: ...eb Configurator you must Use Internet Explorer 7 or later or Firefox 1 5 or later Allow pop up windows blocked by default in Windows XP Service Pack 2 Enable JavaScript enabled by default Enable Java permissions enabled by default Enable cookies The recommended screen resolution is 1024 x 768 pixels 3 2 Web Configurator Access 1 Make sure your ZyWALL hardware is properly connected See the Quick St...

Page 48: ... password default 1234 If your account is configured to use an ASAS authentication server use the OTP One Time Password token to generate a number Enter it in the One Time Password field The number is only good for one login You must use the token to generate a new number the next time you log in 4 Click Login If you logged in using the default user name and password the Update Admin Info screen F...

Page 49: ...n If you change the default password the Login screen Figure 11 on page 48 appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the ZyWALL is using its default configuration see Chapter 4 on page 65 otherwise the dashboard appears as shown next Figure 13 Dashboard 3 3 Web Configurator Screens Overview The Web Configurator screen is divided into these parts as il...

Page 50: ...e Web Configurator Help Click this to open the help page for the current screen About Click this to display basic information about the ZyWALL Site Map Click this to see an overview of links to the Web Configurator screens Object Reference Click this to open a screen where you can check which configuration items reference an object Console Click this to open the console in which you can use the co...

Page 51: ...menus and their screens Figure 16 Navigation Panel 3 3 2 1 Dashboard The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs See Chapter 9 on page 225 for details on the dashboard Table 5 About LABEL DESCRIPTION Boot Module This shows the version number of the software t...

Page 52: ...clients Cellular Status Displays details about the ZyWALL s 3G connection status USB Storage Displays information about a connected USB storage device AppPatrol Statistics Displays bandwidth and protocol statistics VPN Monitor IPSec Displays and manages the active IPSec SAs SSL Lists users currently logged into the VPN SSL client portal You can also log out individual users and delete related sess...

Page 53: ...anage Ethernet interfaces and virtual Ethernet interfaces PPP Create and manage PPPoE and PPTP interfaces Cellular Configure a cellular Internet connection for an installed 3G card WLAN Configure settings for an installed wireless LAN card VLAN Create and manage VLAN interfaces and virtual VLAN interfaces Bridge Create and manage bridges and virtual bridge interfaces Auxiliary Manage the AUX port ...

Page 54: ...P VPN L2TP VPN Configure L2TP Over IPSec VPN settings AppPatrol General Enable or disable traffic management by application and see registration and signature information Common Manage traffic of the most commonly used web file transfer and e mail protocols IM Manage instant messenger traffic Peer to Peer Manage peer to peer traffic VoIP Manage VoIP traffic Streaming Manage streaming traffic Other...

Page 55: ... Group Create and manage groups of users Setting Manage default settings for all users general settings for user sessions and rules to force user authentication Address Address Create and manage host range and network subnet addresses Address Group Create and manage groups of addresses Service Service Create and manage TCP and UDP services Service Group Create and manage groups of services Schedul...

Page 56: ...HTTPS and general authentication Login Page Configure how the login and access user screens look SSH Configure SSH server and SSH service settings TELNET Configure telnet server settings for the ZyWALL FTP Configure FTP server settings SNMP Configure SNMP communities and services Dial in Mgmt Configure settings for an out of band management connection through a modem connected to the AUX port Vant...

Page 57: ...ages such as those resulting from misconfiguration display in a popup window Figure 17 Warning Message Table 8 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the ZyWALL Firmware Package View the current firmware version and to upload firmware Shell Script Manage and run shell script files for the ZyWALL Diagnos...

Page 58: ...en Figure 18 Site Map 3 3 3 3 Object Reference Click Object Reference to open the Object Reference screen Select the type of object and the individual object and click Refresh to show which configuration settings reference the object The following example shows which configuration settings reference the ldap users user object in this case the first firewall rule Figure 19 Object Reference ...

Page 59: ...L DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service s con...

Page 60: ... a Column s Criteria 2 Click the down arrow next to a column heading for more options about how to display the entries The options available vary depending on the type of fields in the column Here are some examples of what you can do Sort in ascending alphabetical order Sort in descending reverse alphabetical order Select which columns to display Group entries by field Show entries in groups Filte...

Page 61: ...mn heading and drag and drop it to change the column order A green check mark displays next to the column s title when you drag the column to a valid new location Figure 24 Changing the Column Order 5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time Figure 25 Navigating Pages of Table Entries ...

Page 62: ...ck Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an en...

Page 63: ...r 3 Web Configurator ZyWALL USG 300 User s Guide 63 you can also use the Shift or Ctrl key to select multiple entries and then use the arrow button to move them to the other list Figure 27 Working with Lists ...

Page 64: ...Chapter 3 Web Configurator ZyWALL USG 300 User s Guide 64 ...

Page 65: ...ure Internet connection settings and activate subscription services This chapter provides information on configuring the Web Configurator s installation setup wizard See the feature specific chapters in this User s Guide for background information Figure 28 Installation Setup Wizard Click the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the insta...

Page 66: ... Internet connections Leave it cleared to configure just one This option appears when you are configuring the first WAN interface Encapsulation Choose the Ethernet option when the WAN port is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection according to the information from your ISP WAN Interface This is the interface you are configuring for Internet access Zone S...

Page 67: ...een The following fields display if you selected static IP address assignment IP Subnet Mask Enter the subnet mask for this WAN connection s IP address Gateway IP Address Enter the IP address of the router through which this WAN connection will send traffic the default gateway First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS maps ...

Page 68: ... outgoing connection requests Options are CHAP PAP Your ZyWALL accepts either CHAP or PAP when requested by the remote node CHAP Your ZyWALL accepts CHAP only PAP Your ZyWALL accepts PAP only MSCHAP Your ZyWALL accepts MSCHAP only MSCHAP V2 Your ZyWALL accepts MSCHAP V2 only Type the User Name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long...

Page 69: ...in name to an IP address and vice versa Enter a DNS server s IP address es The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The ZyWALL uses these in the order you specify here to resolve domain names for VPN DDNS and the time server Leave the field as 0 0 0 0 if you do not want to configure DNS servers If you do not config...

Page 70: ...SP if given Server IP Type the IP address of the PPTP server Type a Connection ID or connection name It must follow the c id and n name format For example C 12 or N My ISP This field is optional and depends on the requirements of your broadband modem or router You can use alphanumeric and _ characters and it can be up to 31 characters long 4 1 5 2 WAN IP Address Assignments First WAN Interface Thi...

Page 71: ...cond WAN Interface The screens for configuring the second WAN interface are similar to the first see Section 4 1 1 on page 66 Figure 33 Internet Access Step 3 Second WAN Interface 4 1 7 Internet Access Finish You have set up your ZyWALL to access the Internet After configuring the WAN interface s a screen displays with your settings If they are not correct click Back Figure 34 Internet Access Ethe...

Page 72: ...n Use this screen to register your ZyWALL with myZXEL com and activate trial periods of subscription security features if you have not already done so If the ZyWALL is already registered this screen displays your user name and which trial services are activated if any You can still activate any un activated trial services Note You must be connected to the Internet to register Use the Registration ...

Page 73: ...rd Use six to 20 alphanumeric characters and the underscore Spaces are not allowed Type it again in the Confirm Password field E Mail Address Enter your e mail address Use up to 80 alphanumeric characters periods and the underscore are also allowed without spaces Country Code Select your country from the drop down box list Trial Service Activation You can try a trial service subscription The trial...

Page 74: ...Chapter 4 Installation Setup Wizard ZyWALL USG 300 User s Guide 74 ...

Page 75: ...his User s Guide for background information In the Web Configurator click Configuration Quick Setup to open the first Quick Setup screen Figure 37 Quick Setup WAN Interface Click this link to open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP See Section 5 2 on page 76 VPN SETUP Use VPN SETUP to configure a VPN...

Page 76: ... an interface to connect to the internet Click Next Figure 38 WAN Interface Quick Setup Wizard 5 2 1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and click Next Figure 39 Choose an Ethernet Interface 5 2 2 Select WAN Type WAN Type Selection Select the type of encapsulation this connection is to use Choose Ethernet when the WAN port is u...

Page 77: ...ion provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information Note Enter the Internet access information exactly as your ISP gave it to you 5 2 3 Configure WAN Settings Use this screen to select to which zone the interface belongs and whether the interface should use a fixed or dynamic IP address Figure 41 WAN Interface Setup Step 2 WAN Interfa...

Page 78: ...s This screen is read only if you set the IP Address Assignment to Static Note Enter the Internet access information exactly as your ISP gave it to you Figure 42 WAN and ISP Connection Settings PPTP Shown The following table describes the labels in this screen Table 11 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Interne...

Page 79: ...P Configuration This section only appears if the interface uses a PPPoE or PPTP Internet connection Base Interface This displays the identity of the Ethernet interface you configure to connect with a modem or router Base IP Address Type the static IP address assigned to you by your ISP IP Subnet Mask Type the subnet mask assigned to you by your ISP if given Server IP Type the IP address of the PPT...

Page 80: ...to access it DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The ZyWALL uses a system DNS server in the order you specify here to resolve domain names for VPN DDNS and the time server Back Click Back to return to the previou...

Page 81: ...ection will not time out Yes means the ZyWALL uses the idle timeout Idle Timeout This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server 0 means no timeout Connection ID If you specified a connection ID it displays here WAN Interface This identifies the interface you configure to connect with your ISP Zone This field displays to which s...

Page 82: ...lect which type of VPN connection you want to configure Figure 45 VPN Setup Wizard Wizard Type Express Use this wizard to create a VPN connection with another ZLD based ZyWALL using a pre shared key and default security settings Advanced Use this wizard to configure detailed VPN security settings such as using certificates The VPN connection can be to another ZLD based ZyWALL or other IPSec device...

Page 83: ...igure on the left of the screen changes to match the scenario you select Site to site Choose this if the remote IPSec device has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec device has a dynamic IP address Only the remote IPSec device can initiate the VPN tunnel Remote Access Server Role Choose this to a...

Page 84: ... use the same password Use 8 to 31 case sensitive ASCII characters or 8 to 31 pairs of hexadecimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network You can also specify a subnet This must match the remote IP addres...

Page 85: ...iation Local Policy Static IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel Remote Policy Static IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel If this field displays Any only the remote IPSec device can initiate the VPN connection Copy and paste the Configuration for Secure Gate...

Page 86: ...Express Wizard Finish Now you can use the VPN tunnel Figure 49 VPN Express Wizard Step 6 Note If you have not already done so use the myZyXEL com link and register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Close to exit the wizard ...

Page 87: ...elect the scenario that best describes your intended VPN connection The figure on the left of the screen changes to match the scenario you select Site to site Choose this if the remote IPSec device has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec device has a dynamic IP address Only the remote IPSec devi...

Page 88: ...e gateway to identify the remote IPSec device by its IP address or a domain name Use 0 0 0 0 if the remote IPSec device has a dynamic WAN IP address My Address interface Select an interface from the drop down list box to use on your ZyWALL Negotiation Mode Select Main for identity protection Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords No...

Page 89: ...an Group 2 a 1024 bit 1Kb random number DH5 refers to Diffie Hellman Group 5 a 1536 bit random number SA Life Time Set how often the ZyWALL renegotiates the IKE SA A short SA life time increases security but renegotiation temporarily disconnects the VPN tunnel NAT Traversal Select this if the VPN tunnel must pass through NAT there is a NAT router between the IPSec devices Note The remote IPSec dev...

Page 90: ...r SA Life Time Set how often the ZyWALL renegotiates the IKE SA A short SA life time increases security but renegotiation temporarily disconnects the VPN tunnel Perfect Forward Secrecy PFS Disabling PFS allows faster IPSec setup but is less secure Select DH1 DH2 or DH5 to enable PFS DH5 is more secure than DH1 or DH2 although it may affect throughput DH1 refers to Diffie Hellman Group 1 a 768 bit ...

Page 91: ...nd the VPN gateway Secure Gateway IP address or domain name of the remote IPSec device Pre Shared Key VPN tunnel password Certificate The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel Local Policy IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel Remote Policy IP address and subnet mask of the computers on the netw...

Page 92: ...5 5 8 VPN Advanced Wizard Finish Now you can use the VPN tunnel Figure 54 VPN Wizard Step 6 Advanced Note If you have not already done so you can register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Close to exit the wizard ...

Page 93: ...u configure the trunk you should configure a policy route for it as well You might also have to configure criteria for the policy route Section 6 6 on page 112 identifies the objects that store information used by other features Section 6 7 on page 113 introduces some of the tools available for system management 6 1 Object based Configuration The ZyWALL stores information or settings as objects Yo...

Page 94: ...Zones groups of interfaces and VPN tunnels simplify security settings Here is an overview of zones interfaces and physical ports in the ZyWALL Figure 55 Zones Interfaces and Physical Ethernet Ports Table 13 Zones Interfaces and Physical Ethernet Ports Zones WAN LAN DMZ A zone is a group of interfaces and VPN tunnels Use zones to apply security settings such as firewall IDP remote management anti v...

Page 95: ... tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer 2 data link MAC address level Then you can configure the IP address and subnet mask of the bridge It is also possible to configure zone level security between the membe...

Page 96: ...iguration The LAN zone contains the ge1 interface The LAN zone is a protected zone The ge1 interface uses 192 168 1 1 PORT INTERFACE ZONE IP ADDRESS AND DHCP SETTINGS SUGGESTED USE WITH DEFAULT SETTINGS 1 ge1 LAN 192 168 1 1 DHCP server enabled Protected LAN 2 3 ge2 ge3 WAN DHCP clients Connections to the Internet 4 5 ge4 ge5 DMZ 192 168 2 1 ge4 and 192 168 3 1 ge5 DHCP server disabled Public serv...

Page 97: ... This section highlights some differences in terminology or organization between the ZLD based ZyWALL and other routers particularly ZyNOS routers Table 15 ZLD ZyWALL Terminology That is Different Than ZyNOS ZYNOS FEATURE TERM ZLD ZYWALL FEATURE TERM IP alias Virtual interface Gateway policy VPN gateway Network policy IPSec SA VPN connection Hub and spoke VPN VPN concentrator Table 16 ZLD ZyWALL T...

Page 98: ... interfaces you don t need to configure anything to all LAN to WAN or WLAN to WAN traffic The ZyWALL automatically adds all of the external interfaces to the default WAN trunk External interfaces include ppp cellular and AUX interfaces as well as any Ethernet interfaces that are set as external interfaces Examples of internal interfaces are WLAN interfaces and any Ethernet interfaces that you conf...

Page 99: ...how to route them The following figure shows how the ZLD 2 20 firmware s routing table compares with the earlier 2 1x firmware s routing table The checking flow is from top to bottom As soon as the packets match an entry in one of the sections the ZyWALL stops checking the packets against the routing table and moves on to the other checks for example the firewall check Figure 58 Routing Table Chec...

Page 100: ...dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes see Section 25 2 on page 478 5 Static and Dynamic Routes This section contains the user configured static routes and the dynamic routing information learned from other routers through RIP and OSPF See Chapter 15 on page 379 for more information 6 Default WAN Trunk For any traffic coming in through an int...

Page 101: ...uding Many 1 to 1 is also included in the NAT table 3 NAT loopback is now included in the NAT table instead of requiring a separate policy route 4 SNAT is also now performed by default and included in the NAT table 6 5 Feature Configuration Overview This section provides information about configuring the main features in the ZyWALL The features are listed in the same sequence as the menu item s in...

Page 102: ...quence of menu items and tabs you should click to find the main screen s for this feature See the web help or the related User s Guide chapter for information about each screen PREREQUISITES These are other features you should configure before you configure the main screen s for this feature If you did not configure one of the prerequisites first you can often select an option to create a new obje...

Page 103: ...nks to set up load balancing using two or more interfaces Example See Chapter 7 on page 117 6 5 6 Policy Routes Use policy routes to override the ZyWALL s default routing behavior in order to send packets through the appropriate interface or VPN tunnel You can also use policy routes for bandwidth management out of the ZyWALL port triggering MENU ITEM S Configuration Licensing Update PREREQUISITES ...

Page 104: ...For the Next Hop fields select Interface as the Type if you have a single WAN connection or Trunk if you have multiple WAN connections 9 Select the interface that you are using for your WAN connection ge2 and ge3 are the default WAN interfaces If you have multiple WAN connections select the trunk 10 Specify the amount of bandwidth FTP traffic can use You may also want to set a low priority for FTP...

Page 105: ...ou create a zone the ZyWALL does not create any firewall rules assign an IDP profile or configure remote management for the new zone Example For example to create the DMZ 2 zone and add an interface click Network Zone and then the Add icon 6 5 9 DDNS Dynamic DNS maps a domain name to a dynamic IP address The ZyWALL helps maintain this mapping 6 5 10 NAT Use Network Address Translation NAT to make ...

Page 106: ...ets received for the original IP address 6 In Mapping Type select Port 7 Enter 21 in both the Original and the Mapped Port fields 6 5 11 HTTP Redirect Configure this feature to have the ZyWALL transparently forward HTTP web traffic to a proxy server This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next t...

Page 107: ...ss the network 6 5 14 Firewall The firewall controls the travel of traffic between or within zones You can also configure the firewall to control traffic for NAT DNAT and policy routes SNAT You can configure firewall rules based on schedules specific users or user groups source or destination addresses or address groups and services or service groups Each of these objects must be configured in a d...

Page 108: ...ss Leave the Access field set to Allow and the Log field set to No Note The ZyWALL checks the firewall rules in order Make sure each rule is in the correct place in the sequence 6 5 15 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP IP for communication The ZyWALL also offers hub and spoke VPN Example See Chapter 7 o...

Page 109: ... user account for Bob User Group 2 Click AppPatrol Peer to Peer to go to the application patrol configuration screen Click the BitTorrent application patrol entry s Edit icon Set the default policy s access to Drop Add another policy Select the user account that you created for Bob You can leave the source destination and log settings at the default WHERE USED Policy routes zones MENU ITEM S Confi...

Page 110: ... anomalies 6 5 22 Content Filter Use content filtering to block or allow access to specific categories of web site content individual web sites and web features such as cookies You can define which user accounts or groups can access what content and at what times You must have a subscription in order to use the category based content filtering You can subscribe using the menu item or one of the wi...

Page 111: ... the category based content filtering service is not available 7 Select the Arts Entertainment category you need to click Advanced to display it and click OK 8 Click General to go to the content filter general configuration screen 9 Enable the content filter 10 Add a policy that uses the schedule the filtering profile and the user that you created 6 5 23 Anti Spam Use anti spam to detect and take ...

Page 112: ... groups address VPN connections local remote network NAT policy routes criteria next hop HOST NAT authentication policies firewall application patrol source destination content filter NAT HOST user settings force user authentication address groups remote management System address group Policy routes criteria firewall application patrol source destination content filter user settings force user aut...

Page 113: ...management connection through an external serial modem connected to the AUX port Example Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN 1 Create an administrator account Configuration Object User Group guest Access network services ext user The same as a user or a guest except the ZyWALL looks for the specific type in an external authentication server If ...

Page 114: ...n manage Configuration files Use configuration files to back up and restore the complete configuration of the ZyWALL You can store multiple configuration files in the ZyWALL and switch between them without restarting Shell scripts Use shell scripts to run a series of CLI commands These are useful for large repetitive configuration changes for example creating a lot of VPN tunnels and for troublesh...

Page 115: ...yWALL USG 300 User s Guide 115 Always use Maintenance Shutdown Shutdown or the shutdown command before you turn off the ZyWALL or remove the power Not doing so can cause the firmware to become corrupt MENU ITEM S Maintenance Shutdown ...

Page 116: ...Chapter 6 Configuration Basics ZyWALL USG 300 User s Guide 116 ...

Page 117: ...ptions of individual screens see Technical Reference on page 223 7 1 How to Configure Interfaces Port Grouping and Zones This tutorial shows how to configure Ethernet interfaces port grouping and zones for the following example configuration see Section 6 2 2 on page 96 for the default configuration Interface ge2 uses a static IP address of 1 2 3 4 and is in the WAN zone DMZ servers are connected ...

Page 118: ... 1 1 Configure a WAN Ethernet Interface You need to assign the ZyWALL s ge2 interface a static IP address of 1 2 3 4 Click Configuration Network Interface Ethernet and double click the ge2 interface s entry Select Use Fixed IP Address and configure the IP address subnet mask and default gateway settings and click OK Figure 61 Configuration Network Interface Ethernet Edit ge2 7 1 2 Configure Zones ...

Page 119: ... Enter VPN as the name select Default_L2TP_VPN_Connection and move it to the Member box and click OK Figure 62 Configuration Network Zone WAN Edit 7 1 3 Configure Port Grouping Here is how to combine physical ports P4 and P5 into the ge4 interface port group 1 Click Configuration Network Interface Port Grouping ...

Page 120: ... Ethernet interfaces ge5 has a Status of Port Group Inactive Figure 64 Dashboard Interface Status Summary After Port Grouping 7 2 How to Configure a Cellular Interface Use 3G cards for cellular WAN Internet connections Table 272 on page 939 lists the compatible 3G devices In this example you install or connect the 3G card before you configure the cellular interfaces but is also possible to reverse...

Page 121: ...r 4 Enable the interface and add it to a zone It is highly recommended that you set the Zone to WAN to apply your WAN zone security settings to this 3G connection Leaving Zone set to none has the ZyWALL not apply any security settings to the 3G connection Enter the PIN Code provided by the cellular 3G service provider 0000 in this example Figure 66 Configuration Network Interface Cellular Edit ...

Page 122: ...work throughput Plus if a WAN connection goes down the ZyWALL still sends traffic through the remaining WAN connections For a simple test disconnect all of the ZyWALL s wired WAN connections If you can still access the Internet your cellular interface is properly configured and your cellular device is working To fine tune the load balancing configuration see Chapter 14 on page 369 See also Section...

Page 123: ... balancing settings 7 3 1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface 1 Click Configuration Network Interface Ethernet and double click the ge2 entry Enter the available bandwidth 1000 kbps in the Egress Bandwidth field Click OK Figure 69 Configuration Network Interface Ethernet Edit ge2 2 ...

Page 124: ...ick Configuration Network Interface Trunk Click the Add icon 2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin Add ge2 and enter 2 in the Weight column Add ge3 and enter 1 in the Weight column Click OK Figure 70 Configuration Network Interface Trunk Add ...

Page 125: ... have different wireless LAN networks using different SSIDs You can configure the WLAN interfaces before or after you install the wireless LAN card This example shows how to create a WLAN interface that uses WPA or WPA2 security and the ZyWALL s local user database for authentication 7 4 1 Set Up User Accounts The ZyWALL supports TTLS using PAP so you can use the ZyWALL s local user database with ...

Page 126: ...n_user Enter and re enter the user s password Click OK Figure 72 Configuration Object User Group User Add 3 Use the Add icon in the Configuration Object User Group User screen to set up the remaining user accounts in similar fashion 7 4 2 Create the WLAN Interface 1 Click Configuration Network Interface WLAN Add to open the WLAN Add screen ...

Page 127: ...s example This determines which security settings the ZyWALL applies to the WLAN interface Configure the SSID ZYXEL_WPA in this example If all of your wireless clients support WPA2 select WPA2 Enterprise as the Security Type otherwise select WPA WPA 2 Enterprise Set the Authentication Type to Auth Method The ZyWALL can use its default authentication method the local user database and its default c...

Page 128: ...Chapter 7 Tutorials ZyWALL USG 300 User s Guide 128 Figure 73 Configuration Network Interface WLAN Add ...

Page 129: ...s client not included with the ZyWALL use the wireless network 7 4 3 1 Configure the ZyXEL Wireless Client Utility This example covers how to configure ZyXEL s wireless client utility not included with the ZyWALL to use the WLAN interface See Section 7 4 3 2 on page 133 instead for how to use Funk Odyssey s wireless client software if you want the wireless client to validate the ZyWALL s certifica...

Page 130: ...he wireless client utility and click Profile Figure 75 ZyXEL Wireless Client 2 Add a new profile This example uses ZYXEL_WPA as the name It is also the SSID name of the wireless network Select Infrastructure and click Next Figure 76 ZyXEL Wireless Client Profile ...

Page 131: ...re 77 ZyXEL Wireless Client Profile Security Type 4 Set the encryption type to TKIP and the EAP type to TTLS Configure wlan_user as the Login Name and enter the account s password also wlan_user in this example In TTLS Protocol select PAP Click Next Figure 78 ZyXEL Wireless Client Profile Security Settings ...

Page 132: ...apter 7 Tutorials ZyWALL USG 300 User s Guide 132 5 Confirm your settings and click Save Figure 79 ZyXEL Wireless Client Profile Save 6 Click Activate Now Figure 80 ZyXEL Wireless Client Profile Activate ...

Page 133: ...less client validate the ZyWALL s certificate you can go to Section 7 4 3 4 on page 141 7 4 3 2 Configure the Funk Odyssey Wireless Client This example shows how to configure Funk s Odyssey Access Client Manager wireless client software not included with the ZyWALL to use the WLAN interface 1 Open the Odyssey wireless client software and click Profiles Add Figure 82 Odyssey Access Client Manager P...

Page 134: ...ser Info tab configure wlan_user as the Login name In the Password sub tab select Prompt for long name and password Figure 83 Odyssey Access Client Manager Profiles User Info 3 Click the Authentication tab and select Validate server certificate Figure 84 Odyssey Access Client Manager Profiles Authentication ...

Page 135: ...ls ZyWALL USG 300 User s Guide 135 4 Click the TTLS tab and select PAP Then click OK Figure 85 Odyssey Access Client Manager Profiles Authentication 5 Click Networks Add Figure 86 Odyssey Access Client Manager Networks ...

Page 136: ...Networks Add Use the next section to import the ZyWALL s certificate into the wireless client 7 4 3 3 Wireless Clients Import the ZyWALL s Certificate You must import the ZyWALL s certificate into the wireless clients if they are to validate the ZyWALL s certificate Use the Configuration Object Certificate Edit screen see Section 46 2 2 on page 791 to export the certificate the ZyWALL is using for...

Page 137: ...de 137 1 In Internet Explorer click Tools Internet Options Content and click the Certificates button Figure 88 Internet Explorer Tools Internet Options Content 2 Click Import Figure 89 Internet Explorer Tools Internet Options Content Certificates ...

Page 138: ...ting to All Files in order to see the certificate file Figure 90 Internet Explorer Certificate Import Wizard File Open Screen 4 When you get to the Certificate Store screen select the option to automatically select the certificate store based on the type of certificate Figure 91 Internet Explorer Certificate Import Wizard Certificate Store Screen ...

Page 139: ...Chapter 7 Tutorials ZyWALL USG 300 User s Guide 139 5 If you get a security warning screen click Yes to proceed Figure 92 Internet Explorer Certificate Import Certificate Warning Screen ...

Page 140: ...e ZyWALL s My Certificates screen s Subject and Issuer fields respectively Figure 93 Internet Explorer Trusted Root Certification Authorities The My Certificates screen indicates what type of information is being displayed such as Common Name CN Organizational Unit OU Organization O and Country C Figure 94 Configuration Object Certificate My Certificates Repeat the steps to import the certificate ...

Page 141: ... 5 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel see Section 5 4 on page 82 for details on the VPN quick setup wizard Figure 96 VPN Example In this example the ZyWALL is router X 1 2 3 4 and the remote IPSec router is router Y 2 2 2 2 Create the VPN tunnel between ZyWALL X s LAN subnet 192 168 1 0 24 and the L...

Page 142: ...nd then click the Add icon 2 Enable the VPN gateway and name it VPN_GW_EXAMPLE For My Address select Interface and ge2 For the Peer Gateway Address select Static Address and enter 2 2 2 2 in the Primary field For the Authentication Select Pre Shared Key and enter 12345678 Click OK Figure 97 Configuration VPN IPSec VPN VPN Gateway Add 7 5 2 Set Up the VPN Connection The VPN connection manages the I...

Page 143: ...ck the Add icon 4 Enable the VPN connection and name it VPN_CONN_EXAMPLE Under VPN Gateway select Site to site and the VPN gateway VPN_GW_EXAMPLE Under Policy select LAN_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote Click OK Figure 99 Configuration VPN IPSec VPN VPN Connection Add 5 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel To trig...

Page 144: ... Concentrator A hub and spoke IPSec VPN connects IPSec VPN tunnels to form one secure network This reduces the number of VPN connections that you have to set up and maintain in the network Here is an example of a hub and spoke VPN that does not use the ZyWALL s VPN concentrator feature Here branch office A has a ZyNOS based ZyWALL and headquarters HQ and branch office B have USG ZyWALLs or ZyWALL ...

Page 145: ... Local Policy 192 168 168 0 192 168 169 255 Remote Policy 192 168 167 0 255 255 255 0 Disable Policy Enforcement VPN Gateway VPN Tunnel2 My Address 10 0 0 1 Peer Gateway Address 10 0 0 3 VPN Connection VPN Tunnel 2 Local Policy 192 168 167 0 192 168 168 255 Remote Policy 192 168 169 0 255 255 255 0 Disable Policy Enforcement Branch Office B USG ZyWALL or ZyWALL 1050 VPN Gateway My Address 10 0 0 3...

Page 146: ...olicy routes so the only way to get traffic destined for another spoke router to go through the ZyNOS ZyWALL s VPN tunnel is to make the remote policy cover both tunnels Since the USG ZyWALLs or ZyWALL 1050s automatically handle the routing for VPN tunnels if a USG ZyWALL or ZyWALL 1050 is a hub router and the local policy covers both tunnels the automatic routing takes care of it without needing ...

Page 147: ...er names from the RADIUS server to a text file then you might create a script to create the user accounts instead This example uses the Web Configurator 1 Click Configuration Object User Group User Click the Add icon 2 Enter the same user name that is used in the RADIUS server and set the User Type to ext user because this user account is authenticated by an external server Click OK Figure 101 Con...

Page 148: ... Member list This example only has one member in this group so click OK Of course you could add more members later Figure 102 Configuration Object User Group Group Add 3 Repeat this process to set up the remaining user groups 7 7 3 Set Up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server First configure the settings for the RADIUS server Then...

Page 149: ...default entry Click the Add icon Select group radius because the ZyWALL should use the specified RADIUS server for authentication Click OK Figure 104 Configuration Object Auth method Add 3 Click Configuration Auth Policy In the Authentication Policy Summary section click the Add icon 4 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them ...

Page 150: ...ers try to browse the web or use any HTTP HTTPS application the Login screen appears They have to log in using the user name and password in the RADIUS server 7 7 4 Web Surfing Policies With Bandwidth Restrictions Use application patrol AppPatrol to enforce the web surfing and MSN policies You must have already subscribed for the application patrol service You can subscribe using the Configuration...

Page 151: ...ick Configuration AppPatrol If application patrol and bandwidth management are not enabled enable them and click Apply Figure 106 Configuration AppPatrol General 2 Click the Common tab and double click the http entry Figure 107 Configuration AppPatrol Common ...

Page 152: ... Double click the Default policy Figure 108 Configuration AppPatrol Common http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web Click OK Figure 109 Configuration AppPatrol Common http Edit Default ...

Page 153: ...n the Inbound and Outbound fields Click OK Repeat this process to add exceptions for all the other user groups that are allowed to browse the web Figure 110 Configuration AppPatrol Common http Edit Default 7 7 5 Set Up MSN Policies Set up a recurring schedule object first because Sales can only use MSN during specified times on specified days 1 Click Configuration Object Schedule Click the Add ico...

Page 154: ... the steps in Section 7 7 4 on page 150 to set up the appropriate policies for MSN in application patrol Make sure to specify the schedule when you configure the policy for the Sales group s MSN access 7 7 6 Set Up Firewall Rules Use the firewall to control access from LAN to the DMZ 1 Click Configuration Firewall Add Set the From field as LAN and the To field as DMZ Set the Access field to deny a...

Page 155: ...that are allowed to access the DMZ 7 8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups The previous example showed how to have a RADIUS server authenticate individual user accounts If the RADIUS server has different user groups distinguished by the value of a specific attribute you can configure the make a couple of slight changes in the configuration to have the RADIUS se...

Page 156: ...ication port and key set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs This example uses Class This attribute s value is called a group identifier it determines to which group a user belongs In this example the values are Finance Engineer Sales and Boss Figure 114 Configuration Object AAA Server RADIUS Add ...

Page 157: ...up User Add 3 Repeat this process to set up the remaining groups of user accounts 7 9 How to Use Endpoint Security and Authentication Policies Here is how to use endpoint security to make sure that users computers meet specific security requirements before they are allowed to access the network This example requires users to have Kaspersky Internet security or anti virus software on their computer...

Page 158: ...tries to the allowed list you can double click an entry to move it Select Endpoint must have Anti Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti Virus anti virus software entries to the allowed list The following figure shows the configuration screen example Figure 116 Configuration Object Endpoint Security Add ...

Page 159: ...an authentication policy to use endpoint security objects Enable the policy and name it Set the Source Address to LAN and the Destination Address to any the Schedule set to none and Authentication set to required to apply this policy to all users Select Force User Authentication to redirect the HTTP traffic of users who are not yet logged in to the ZyWALL s login screen Enable EPS checking and mov...

Page 160: ...ge example when a user s computer does not meet an endpoint security object s requirements Click Close to return to the login screen Figure 119 Example Endpoint Security Error Message 7 10 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access to the Web Configurator and separate rules that control HTTP and HTTPS ...

Page 161: ... configure service control to allow management or user HTTP or HTTPS access make sure the firewall is not configured to block that access 7 10 1 Allow HTTPS Administrator Access Only From the LAN This example configures service control to block administrator HTTPS access from all zones except the LAN 1 Click Configuration System WWW 2 In HTTPS Admin Service Control click the Add icon Figure 120 Co...

Page 162: ...4 Select the new rule and click the Add icon Figure 122 Configuration System WWW First Example Admin Service Rule Configured 5 In the Zone field select ALL and set the Action to Deny Click OK Figure 123 Configuration System WWW Service Control Rule Edit ...

Page 163: ...he LAN zone Non admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL s zones to use SSL VPN for example 7 11 How to Allow Incoming H 323 Peer to peer Calls Suppose you have a H 323 device on the LAN for VoIP calls and you want it to be able to receive peer to peer calls from the WAN Here is an example of how to configure NAT and the firewall to have the ZyWALL forward H 32...

Page 164: ...Calls Example 7 11 1 Turn On the ALG Click Configuration Network ALG Select Enable H 323 ALG and Enable H 323 transformations and click Apply Figure 126 Configuration Network ALG 7 11 2 Set Up a NAT Policy For H 323 In this example you need a NAT policy to forward H 323 TCP port 1720 traffic received on the ZyWALL s 10 0 0 8 WAN IP address to LAN IP address 192 168 1 56 10 0 0 8 192 168 1 56 ...

Page 165: ...figuration Object Address Add to create an address object for the public WAN IP address called WAN_IP for H323 here Then use it again to create an address object for the H 323 device s private LAN IP address called LAN_H323 here Figure 127 Create Address Objects ...

Page 166: ... Original IP to the WAN address object WAN_IP for H323 Set the Mapped IP to the H 323 device s LAN IP address object LAN_H323 Set the Port Mapping Type to Port the Protocol Type to TCP and the original and mapped ports to 1720 Click OK Figure 128 Configuration Network NAT Add 7 11 3 Set Up a Firewall Rule For H 323 The default firewall rule for WAN to LAN traffic drops all traffic Here is how to c...

Page 167: ...LL applies NAT to traffic before applying the firewall rule Set the Service to H 323 Click OK Figure 129 Configuration Firewall Add 7 12 How to Allow Public Access to a Web Server This is an example of making an HTTP web server in the DMZ zone accessible from the Internet the WAN zone In this example you have public IP address 1 1 1 1 that you will use on the ge3 interface and map to the HTTP serv...

Page 168: ...1 1 1 Figure 132 Creating the Address Object for the Public IP Address 7 12 2 Configure NAT You need a NAT rule to send HTTP traffic coming to IP address 1 1 1 1 on ge3 to the HTTP server s private IP address of 192 168 3 7 In the Configuration Network NAT screen click the Add icon and create a new NAT entry as follows Set the Incoming Interface to ge3 Set the Original IP to the Public_HTTP_Server...

Page 169: ...tails Figure 133 Creating the NAT Entry 7 12 3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1 1 1 1 in order to access the HTTP server If a domain name is registered for IP address 1 1 1 1 users can just go to the domain name to access the web server ...

Page 170: ... DMZ_HTTP DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule Set the Access field to allow and the Service to HTTP and click OK Figure 134 Configuration Firewall Add 7 13 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet the WAN zone In this example you have public I...

Page 171: ...ZyWALL USG 300 User s Guide 171 address 1 1 1 2 that you will use on the ge3 interface and map to the IPPBX s private IP address of 192 168 3 7 The local SIP clients are on the LAN Figure 135 IPPBX Example Network Topology ...

Page 172: ... Transformations and click Apply Figure 136 Configuration Network ALG 7 13 2 Create the Address Objects Use Configuration Object Address Add to create the address objects 1 Create a host address object named IPPBX DMZ for the IPPBX s private DMZ IP address of 192 168 3 9 Figure 137 Creating the Address Object for the IPPBX s Private IP Address ...

Page 173: ... and also be able to send calls to the WAN so you set the Classification to NAT 1 1 Set the Incoming Interface to ge2 Set the Original IP to the WAN address object IPPBX Public If a domain name is registered for IP address 1 1 1 2 users can use it to connect to for making SIP calls Set the Mapped IP to the IPPBX s DMZ IP address object IPPBX DMZ Set the Port Mapping Type to Port the Protocol Type ...

Page 174: ...Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX If a domain name is registered for IP address 1 1 1 2 users can use it to connect to for making SIP calls ...

Page 175: ..._DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule Set the Access field to allow and click OK Figure 140 Configuration Firewall Add 7 13 5 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients o...

Page 176: ...ultiple Static Public WAN IP Addresses for LAN to WAN Traffic If your ISP gave you a range of static public IP addresses here is how to configure a policy route to have the ZyWALL use them for traffic it sends out from the LAN 7 14 1 Create the Public IP Address Range Object Click Configuration Object Address Add to create the address object that represents the range of static public IP addresses ...

Page 177: ...tional it is recommended This example uses LAN to WAN Range Specifying a Source Address is also optional although recommended This example uses LAN_SUBNET Set the Source Network Address Translation to Public IPs and click OK Figure 143 Configuring the Policy Route 7 15 How to Use Active Passive Device HA Here is an example of using device HA High Availability to backup ZyWALL A the master with ZyW...

Page 178: ...Takes Over Each ZyWALL s ge1 interface also has a separate management IP address that stays the same whether the ZyWALL functions as the master or a backup ZyWALL A s management IP address is 192 168 1 3 and ZyWALL B s is 192 168 1 5 Figure 145 Device HA Management IP Addresses 7 15 1 Before You Start ZyWALL A should already be configured You will use device HA to copy ZyWALL A s settings to B lat...

Page 179: ...WALL 1 Log into ZyWALL A the master and click Configuration Device HA Active Passive Mode Double click ge1 s entry 2 Configure 192 168 1 3 as the Management IP and 255 255 255 0 as the Manage IP Subnet Mask Click OK Figure 146 Configuration Device HA Active Passive Mode Edit Master ZyWALL Example ...

Page 180: ...rough the ge2 interface so select the ge1 and ge2 interfaces and click Activate Enter a Synchronization Password mySyncPassword in this example and click Apply Figure 147 Configuration Device HA Active Passive Mode Master ZyWALL Example 4 Click the General tab Turn on device HA and click Apply Figure 148 Configuration Device HA General Master ZyWALL Example ...

Page 181: ...the same subscription services like content filtering and anti virus to which ZyWALL A is subscribed See Chapter 11 on page 283 for more on the subscription services 2 In ZyWALL B click Configuration Device HA Active Passive Mode Click ge1 s Edit icon 3 Configure 192 168 1 5 as the Management IP and 255 255 255 0 as the Subnet Mask Click OK Figure 149 Configuration Device HA Active Passive Mode Ed...

Page 182: ...nization Server Address to 192 168 1 1 the Port to 21 and the Password to mySyncPassword Select Auto Synchronize and set the Interval to 60 Click Apply Figure 150 Configuration Device HA Active Passive Mode Backup ZyWALL Example 5 Click the General tab Turn on device HA and click Apply Figure 151 Configuration Device HA General Master ZyWALL Example ...

Page 183: ...B s management IP address 192 168 1 5 and check the configuration You can use the Maintenance File Manager Configuration File screen to save copies of the ZyWALLs configuration files that you can compare 2 To test your device HA configuration disconnect ZyWALL A s ge1 or ge2 interface Computers on LAN should still be able to access the Internet If they cannot check your connections and device HA c...

Page 184: ...Chapter 7 Tutorials ZyWALL USG 300 User s Guide 184 ...

Page 185: ...nnects through the Internet You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192 168 10 10 to 192 168 10 20 for use in the L2TP VPN tunnel The VPN rule allows the remote user to access the LAN_SUBNET which covers the 192 168 1 x subnet 8 2 Configuring the Default L2TP VPN Gateway Example 1 Click Configuration VPN Network IPSec VPN VPN Gateway to ...

Page 186: ...bnet as the specified My Address click Configure Network Routing Policy Route Show Advanced Settings and select Use Policy Route to Override Direct Route Select Pre Shared Key and configure a password This example uses top secret Click OK Figure 153 Configuration VPN IPSec VPN VPN Gateway Edit 2 Select the Default_L2TP_VPN_GW entry and click Activate and click Apply to turn on the entry Figure 154...

Page 187: ...Advanced Settings button Configure and enforce the local and remote policies Create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW The address object in this example uses the ge2 interface s IP address 172 16 1 2 and is named L2TP_IFACE Set the Application Scenario to Remote Access Server Role Set the Local Policy to use ...

Page 188: ...ck Configuration VPN L2TP VPN and configure the following Configure an IP address pool for the range of 192 168 10 10 to 192 168 10 20 It is called L2TP_POOL here Enable the connection Set the VPN Connection to the Default_L2TP_VPN_Connection Set the IP Address Pool to L2TP_POOL This example uses the default authentication method the ZyWALL s local user data base Select a user or group of users th...

Page 189: ... sections go along with the L2TP VPN configuration example in Section 8 1 on page 185 Before you configure the client issue one of the following commands from the Windows command prompt to make sure the computer is running the Microsoft IPSec service Make sure you include the quotes For Windows XP use net start ipsec services For Windows 2000 use net start ipsec policy agent 8 5 1 Configuring L2TP...

Page 190: ...SG 300 User s Guide 190 2 Select Connect to a workplace and click Next Figure 158 Set up a connection or network Chose a connection type 3 Select Use my Internet connection VPN Figure 159 Connect to a workplace How do you want to connect ...

Page 191: ...PN 172 16 1 2 in this example For the Destination Name enter L2TP to ZyWALL Select Don t connect now just set it up so I can connect later and click Next Figure 160 Connect to a workplace Type the Internet address to connect to 5 Enter the user name and password of a user account that can use the L2TP VPN connection and click Next Figure 161 Connect to a workplace Type your user name and password ...

Page 192: ...Guide 192 6 Click Close Figure 162 Connect to a workplace The connection is ready to use 7 In the Network and Sharing Center screen click Connect to a network Right click the L2TP VPN connection and select Properties Figure 163 Connect L2TP to ZyWALL ...

Page 193: ...ncryption to Optional encryption connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Click OK Figure 165 Connect ZyWALL L2TP Security Advanced 10 Click Yes When you use L2TP VPN to connect to the ZyWALL the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel ...

Page 194: ...Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings Figure 167 L2TP to ZyWALL Properties Networking 12 Select Use preshared key for authentication and enter the pre shared key of the VPN gateway configuration that the ZyWALL is using for L2TP VPN top secret in this example Click OK to close the IPSec Settings window and then click OK again to close the Properties window Figure 168 L2TP ...

Page 195: ...USG 300 User s Guide 195 13 Select the L2TP VPN connection and click Connect Figure 169 L2TP to ZyWALL Properties Networking 14 Enter the user name and password of your ZyWALL user account Click Connect Figure 170 Connect L2TP to ZyWALL ...

Page 196: ...word are verified and notifies you when the connection is established Figure 171 Connecting to L2TP to ZyWALL 16 If a window appears asking you to select a location for the network you can select Work if you want your computer to be discoverable by computers behind the ZyWALL Figure 172 Set Network Location ...

Page 197: ...r the network location has been set click Close Figure 173 Set Network Location Successful 18 After the connection is up a connection icon displays in your system tray Click it and then the L2TP connection to open a status screen Figure 174 Connection System Tray Icon ...

Page 198: ... status screen Figure 175 Network and Sharing Center 20 Click Details to see the address that you received is from the L2TP range you specified on the ZyWALL 192 168 10 10 192 168 10 20 Figure 176 ZyWALL L2TP Status Details 21 Access a server or other network resource behind the ZyWALL to make sure your access works ...

Page 199: ...VPN connection 1 Click Start Control Panel Network Connections New Connection Wizard 2 Click Next in the Welcome screen 3 Select Connect to the network at my workplace and click Next Figure 177 New Connection Wizard Network Connection Type 4 Select Virtual Private Network connection and click Next Figure 178 New Connection Wizard Network Connection ...

Page 200: ...ZyWALL USG 300 User s Guide 200 5 Type L2TP to ZyWALL as the Company Name Figure 179 New Connection Wizard Connection Name 6 Select Do not dial the initial connection and click Next Figure 180 New Connection Wizard Public Network ...

Page 201: ...igured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN 172 16 1 2 in this example Figure 181 New Connection Wizard VPN Server Selection 8 Click Finish 9 The Connect L2TP to ZyWALL screen appears Click Properties Security Figure 182 Connect L2TP to ZyWALL 172 16 1 2 ...

Page 202: ...settings and click Settings Figure 183 Connect L2TP to ZyWALL Security 11 Select Optional encryption connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Click OK Figure 184 Connect ZyWALL L2TP Security Advanced ...

Page 203: ... Figure 185 L2TP to ZyWALL Properties Security 13 Select the Use pre shared key for authentication check box and enter the pre shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN Click OK Figure 186 L2TP to ZyWALL Properties Security IPSec Settings ...

Page 204: ... L2TP to ZyWALL Properties Networking 15 Enter the user name and password of your ZyWALL account Click Connect Figure 188 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified 17 A ZyWALL L2TP icon displays in your system tray Double click it to open a status screen Figure 189 ZyWALL L2TP System Tray Icon ...

Page 205: ...00 Windows 2000 does not support using pre shared keys by default Use the following procedures to edit the registry and then configure the computer to use the L2TP client 8 5 3 1 Editing the Windows 2000 Registry In Windows 2000 you need to create a registry entry and restart the computer to have it use pre shared keys 1 Click Start Run Type regedit and click OK Figure 191 Starting the Registry Ed...

Page 206: ...trolSet Services Rasman P arameters Figure 192 Registry Key 4 Right click Parameters and select New DWORD Value Figure 193 New DWORD Value 5 Enter ProhibitIpSec as the name And make sure the Data displays as 0 s Figure 194 ProhibitIpSec DWORD Value 6 Restart the computer and continue with the next section ...

Page 207: ...000 IPSec Policy After you have created the registry entry and restarted the computer use these directions to configure an IPSec policy for the computer to use 1 Click Start Run Type mmc and click OK Figure 195 Run mmc 2 Click Console Add Remove Snap in Figure 196 Console Add Remove Snap in ...

Page 208: ...Add IP Security Policy Management Add Finish Click Close OK Figure 197 Add IP Security Policy Management Finish 4 Right click IP Security Policies on Local Machine and click Create IP Security Policy Click Next in the welcome screen Figure 198 Create IP Security Policy ...

Page 209: ...ser s Guide 209 5 Name the IP security policy L2TP to ZyWALL and click Next Figure 199 IP Security Policy Name 6 Clear the Activate the default response rule check box and click Next Figure 200 IP Security Policy Request for Secure Communication ...

Page 210: ... User s Guide 210 7 Leave the Edit Properties check box selected and click Finish Figure 201 IP Security Policy Completing the IP Security Policy Wizard 8 In the properties dialog box click Add Next Figure 202 IP Security Policy Properties Add ...

Page 211: ...300 User s Guide 211 9 Select This rule does not specify a tunnel and click Next Figure 203 IP Security Policy Properties Tunnel Endpoint 10 Select All network connections and click Next Figure 204 IP Security Policy Properties Network Type ...

Page 212: ...ide 212 11 Select Use this string to protect the key exchange preshared key type password in the text box and click Next Figure 205 IP Security Policy Properties Authentication Method 12 Click Add Figure 206 IP Security Policy Properties IP Filter List ...

Page 213: ...in the Addressing tab Select My IP Address in the Source address drop down list box Select A specific IP Address in the Destination address drop down list box and type the ZyWALL s WAN IP address 172 16 1 2 in this example in the IP Address field Make certain the Mirrored Also match packets with the exact opposite source and destination addresses check box is selected and click Apply Figure 208 Fi...

Page 214: ...llowing in the Filter Properties window s Protocol tab Set the protocol type to UDP from port 1701 Select To any port Click Apply OK and then Close Figure 209 Filter Properties Protocol 16 Select ZyWALL WAN_IP and click Next Figure 210 IP Security Policy Properties IP Filter List ...

Page 215: ...d Close Figure 211 IP Security Policy Properties IP Filter List 18 In the Console window right click L2TP to ZyWALL and select Assign Figure 212 Console L2TP to ZyWALL Assign 8 5 3 3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy use these directions to create a network connection ...

Page 216: ...e 213 Start New Connection Wizard 2 Select Connect to a private network through the Internet and click Next Figure 214 New Connection Wizard Network Connection Type 3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN Click Next Figure 215 New Connection Wizard Destination Address 172 16 1 2 ...

Page 217: ...7 4 Select For all users and click Next Figure 216 New Connection Wizard Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish Figure 217 New Connection Wizard Naming the Connection 6 Click Properties Figure 218 Connect L2TP to ZyWALL ...

Page 218: ...Settings Figure 219 Connect L2TP to ZyWALL Security 8 Select Optional encryption allowed connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Click OK Click Yes if a screen pops up Figure 220 Connect L2TP to ZyWALL Security Advanced ...

Page 219: ...k OK Figure 221 Connect L2TP to ZyWALL Networking 10 Enter your user name and password and click Connect It may take up to one minute to establish the connection and register on the network Figure 222 Connect L2TP to ZyWALL 11 A ZyWALL L2TP icon displays in your system tray Double click it to open a status screen Figure 223 ZyWALL L2TP System Tray Icon ...

Page 220: ...tails and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL 192 168 10 10 192 168 10 20 Figure 224 L2TP to ZyWALL Status Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works ...

Page 221: ...Chapter 8 L2TP VPN Example ZyWALL USG 300 User s Guide 221 ...

Page 222: ...Chapter 8 L2TP VPN Example ZyWALL USG 300 User s Guide 222 ...

Page 223: ...223 PART II Technical Reference ...

Page 224: ...224 ...

Page 225: ...rmation Use the VPN status screen see Section 9 2 1 on page 232 to look at the VPN tunnels that are currently established Use the DHCP Table screen see Section 9 2 5 on page 235 to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses Use the Current Users screen see Section 9 2 6 on page 236 to look at a list of the users currently lo...

Page 226: ... widget Refresh Time Setting C Set the interval for refreshing the information displayed in the widget Refresh Now D Click this to update the widget s information immediately Close this Module E Click this to close the widget Use Widget Setting to re open it Virtual Device Rear Panel Click this to view details about the ZyWALL s rear panel Hover your cursor over a connected interface or slot to di...

Page 227: ...part of a port group and is not connected The status for an installed WLAN card is none For cellular 3G interfaces see Section 13 5 on page 317 for the status that can appear For the auxiliary interface Inactive The auxiliary interface is disabled Connected The auxiliary interface is enabled and connected Disconnected The auxiliary interface is not connected HA Status This field displays the statu...

Page 228: ... to display the Show CPU Usage icon that takes you to a chart of the ZyWALL s recent CPU usage Memory Usage This field displays what percentage of the ZyWALL s RAM is currently being used Hover your cursor over this field to display the Show Memory Usage icon that takes you to a chart of the ZyWALL s recent memory usage Flash Usage This field displays what percentage of the ZyWALL s onboard flash ...

Page 229: ...appear For the auxiliary interface Inactive The auxiliary interface is disabled Connected The auxiliary interface is enabled and connected Disconnected The auxiliary interface is not connected For PPP interfaces Connected The PPP interface is connected Disconnected The PPP interface is not connected If the PPP interface is disabled it does not appear in the list For WLAN interfaces Up The WLAN int...

Page 230: ...ndicates a connected USB storage device and the drive s storage capacity Status The status for an installed WLAN card is none For cellular 3G interfaces see Section 10 11 on page 258 for the status that can appear Ready A USB storage device connected to the ZyWALL is ready for the ZyWALL to use Unused The ZyWALL is unable to mount a USB storage device connected to the ZyWALL System Status System U...

Page 231: ...lying the system configuration Licensed Service Status This shows how many licensed services there are Status This is the current status of the license Name This identifies the licensed service Version This is the version number of the anti virus or IDP signatures anti virus and IDP Expiration If the service license is valid this shows when it will expire N A displays if the service license does n...

Page 232: ...y Signature Name It shows the categories of intrusions See Table 164 on page 612 for more information Severity This is the level of threat that the intrusions may pose Occurrence This is how many times the ZyWALL has detected the event described in the entry Table 22 Dashboard continued LABEL DESCRIPTION Table 23 Dashboard CPU Usage LABEL DESCRIPTION The y axis represents the percentage of CPU usa...

Page 233: ...ard Figure 227 Dashboard Memory Usage The following table describes the labels in this screen Table 24 Dashboard Memory Usage LABEL DESCRIPTION The y axis represents the percentage of RAM usage The x axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Click this to update the information in the windo...

Page 234: ...rd Figure 228 Dashboard Session Usage The following table describes the labels in this screen Table 25 Dashboard Session Usage LABEL DESCRIPTION Sessions The y axis represents the number of session The x axis shows the time period over which the session usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Click this to update the information in t...

Page 235: ...s reserved for specific MAC addresses To access this screen click the icon beside DHCP Table in the dashboard Figure 230 Dashboard DHCP Table Table 26 Dashboard VPN Status LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific SA Name This field displays the name of the IPSec SA Encapsulation This field displays how the IPSec SA is encapsulated Algorithm This f...

Page 236: ...sort order Host Name This field displays the name used to identify this device on the network the computer name The ZyWALL learns these from the DHCP client requests None shows here for a static DHCP entry MAC Address This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved Click the column s heading cell to sort the table entries by...

Page 237: ...ield displays the user name of each user who is currently logged in to the ZyWALL Reauth Lease T This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user See Chapter 40 on page 731 Type This field displays the way the user logged in to the ZyWALL IP address This field displays the IP address of the computer used to log in to the ZyWALL ...

Page 238: ...Chapter 9 Dashboard ZyWALL USG 300 User s Guide 238 ...

Page 239: ...age 250 to view sessions by user or service Use the System Status DDNS Status screen see Section 10 6 on page 252 to view the status of the ZyWALL s DDNS domain names The System Status IP MAC Binding screen Section 10 7 on page 253 lists the devices that have received an IP address from ZyWALL interfaces with IP MAC binding enabled Use the System Status Login Users screen Section 10 8 on page 254 ...

Page 240: ... Statistics Content Filter screen Section 10 18 on page 272 to start or stop data collection and view content filter statistics Use the Anti X Statistics Content Filter Cache screen Section 10 19 on page 273 to view and configure your ZyWALL s URL caching Use the Anti X Statistics Anti Spam screen Section 10 20 on page 276 to start or stop data collection and view spam statistics Use the Anti X St...

Page 241: ... is not connected Speed Duplex The physical port is connected This field displays the port speed and duplex setting Full or Half TxPkts This field displays the number of packets transmitted from the ZyWALL on the physical port since it was last connected RxPkts This field displays the number of packets received by the ZyWALL on the physical port since it was last connected Collisions This field di...

Page 242: ...TION Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the window right away Port Selection Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the port statistics as a table bps The y axis represents the speed of transmission or reception time The...

Page 243: ...atus Interface Status to access this screen Figure 234 Monitor System Status Interface Status Last Update This field displays the date and time the information in the window was last updated System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on Table 30 Monitor System Status Port Statistics Switch to Graphic View LABEL DESCRIPTION ...

Page 244: ...ical ports associated with it its entry is displayed in light gray text Expand Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces Name This field displays the name of each interface If there is a Expand icon plus sign next to the name click this to look at the status of virtual interfaces on top of this interface Port This field disp...

Page 245: ...interface is enabled and connected Disconnected The auxiliary interface is not connected For virtual interfaces this field always displays Up If the virtual interface is disabled it does not appear in the list For VLAN and bridge interfaces this field always displays Up If the VLAN or bridge interface is disabled it does not appear in the list For PPP interfaces Connected The PPP interface is conn...

Page 246: ...uxiliary interface or a PPPoE PPTP interface If the interface cannot use one of these ways to get or to update its IP address this field displays n a Interface Statistics This table provides packet statistics for each interface Refresh Click this button to update the information in the screen Expand Close Click this button to show or hide statistics for all the virtual interfaces on top of the Eth...

Page 247: ...e cases because the ZyWALL counts HTTP GET packets Please see Table 32 on page 248 for more information Most used protocols or service ports and the amount of traffic on each one LAN IP with heaviest traffic and how much traffic has been sent to and from each one You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports You can...

Page 248: ...ic for each one Web Site Hits displays the most visited Web sites and how many times each one has been visited Each type of report has different information in the report below Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display These fields are available when the Traffic Type is Host IP Address...

Page 249: ...ed The unit of measure is bytes Kbytes Mbytes Gbytes or Tbytes depending on the amount of traffic for the particular protocol or service port The count starts over at zero if the number of bytes passes the byte count limit See Table 33 on page 249 These fields are available when the Traffic Type is Web Site Hits This field is the rank of each record The domain names are sorted by the number of hit...

Page 250: ... Protocol or service port used Source address Destination address Number of bytes received so far Number of bytes transmitted so far Duration so far You can look at all the active sessions by user service source IP address or destination IP address You can also filter the information by user protocol service or service group source address and or destination address and view it by user Click Monit...

Page 251: ... part of the user name or use wildcards in this field you must enter the whole user name Service This field displays when View is set to all sessions Select the service or service group whose sessions you want to view The ZyWALL identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each services that is defined See Chapter 42 on page 753 f...

Page 252: ...s the destination IP address and port in each active session If you are looking at the sessions by destination IP report click or to display or hide details about a destination IP address s sessions Rx This field displays the amount of information received by the source in the active session Tx This field displays the amount of information transmitted by the source in the active session Duration T...

Page 253: ...s the ZyWALL is currently attempting to resolve the IP address for the domain name Last Update Time This shows when the last attempt to resolve the IP address for the domain name occurred in year month day hour minute second format Table 35 Monitor System Status DDNS Status continued LABEL DESCRIPTION Table 36 Monitor System Status IP MAC Binding LABEL DESCRIPTION Interface Select a ZyWALL interfa...

Page 254: ... Status IP MAC Binding continued LABEL DESCRIPTION Table 37 Monitor System Status Login Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry User ID This field displays the user name of each user who is currently logged in to the ZyWALL Reauth Lease T This field displays the amount of reauthentication time remaining and the amount of lease time remaining fo...

Page 255: ...the index number of the MAC address MAC Address This displays the MAC address in XX XX XX XX XX XX format of a connected wireless station Strength This displays the strength of the wireless client s radio signal The signal strength mainly depends on the antenna output power and the wireless client s distance from the ZyWALL Connect Rate This displays what data transfer rate of the wireless client ...

Page 256: ...ellular Status The following table describes the labels in this screen Table 39 Monitor System Status Cellular Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen This field is a sequential value and it is not associated with any interface Extension Slot This field displays where the entry s cellular card is located Connected Device This field displays the mo...

Page 257: ...e is searching for a network Get signal fail The 3G device cannot get a signal from a network Network found The 3G device found a network Apply config The ZyWALL is applying your configuration to the 3G device Inactive The 3G interface is disabled Active The 3G interface is enabled Incorrect device The connected 3G device is not compatible with the ZyWALL Correct device The ZyWALL detected a compa...

Page 258: ...en your ZyWALL and the service provider s base station More Info This field displays other details about the 3G connection Table 39 Monitor System Status Cellular Status continued LABEL DESCRIPTION Table 40 Monitor System Status USB Storage LABEL DESCRIPTION Device description This is a basic description of the type of USB device Usage This field displays how much of the USB storage device s capac...

Page 259: ...cted USB storage device was manually unmounted by using the Remove Now button or for some reason the ZyWALL cannot mount it Click Use It to have the ZyWALL mount a connected USB storage device none no USB storage device is connected Detail This field displays any other information the ZyWALL retrieves from the USB storage device Deactivated the use of a USB storage device is disabled turned off on...

Page 260: ...usage This is the protocol s traffic that the ZyWALL sends to the initiator of the connection A dotted line represents a protocol s outgoing bandwidth usage This is the protocol s traffic that the ZyWALL sends out from the initiator of the connection Different colors represent different protocols Table 41 Monitor AppPatrol Statistics General Settings LABEL DESCRIPTION Refresh Interval Select how o...

Page 261: ... application s traffic the ZyWALL has sent in kilobytes Dropped Data KB This is how much of the application s traffic the ZyWALL has discarded without notifying the client in kilobytes This traffic was dropped because it matched an application policy set to drop Rejected Data KB This is how much of the application s traffic the ZyWALL has discarded and notified the client that the traffic was reje...

Page 262: ...und traffic Outbound Kbps This is the outgoing bandwidth usage for traffic that matched this protocol rule in kilobits per second This is the protocol s traffic that the ZyWALL sends out from the initiator of the connection So for a connection initiated from the LAN to the WAN the traffic sent from the LAN to the WAN is the outbound traffic Forwarded Data KB This is how much of the application s t...

Page 263: ...tion initiated from the LAN to the WAN the traffic sent from the WAN to the LAN is the inbound traffic Outbound Kbps This is the outgoing bandwidth usage for traffic that matched this protocol rule in kilobits per second This is the protocol s traffic that the ZyWALL sends out from the initiator of the connection So for a connection initiated from the LAN to the WAN the traffic sent from the LAN t...

Page 264: ...licies for an IPSec SA and click Search to find it You can use a keyword or regular expression Use up to 30 alphanumeric and _ characters See Section 10 13 1 on page 265 for more details Search Click this button to search for an IPSec SA that matches the information you specified above Disconnect Select an IPSec SA and click this button to disconnect it Total Connection This field displays the tot...

Page 265: ...e VPN connection or policy name has to match if you do not use a question mark or asterisk Encapsulation This field displays how the IPSec SA is encapsulated Policy This field displays the content of the local and remote policies for this IPSec SA The IP addresses not the address objects are displayed Algorithm This field displays the encryption and authentication algorithms used in the SA Up Time...

Page 266: ...L LABEL DESCRIPTION Disconnect Select a connection and click this button to terminate the user s connection and delete corresponding session information from the ZyWALL This field displays the index number User This field displays the account user name used to establish this SSL VPN connection Access This field displays the name of the SSL VPN application the user is accessing Login Address This f...

Page 267: ...onitor L2TP over IPSec LABEL DESCRIPTION Disconnect Select a connection and click this button to disconnect it This is the index number of a current L2TP VPN session User Name This field displays the remote user s user name Hostname This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL Assigned IP This field displays the IP address that the ZyWALL assigned ...

Page 268: ... in this screen are for the time period starting at the time displayed here The format is year month day and hour minute second All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Refre...

Page 269: ... the most virus infected files Select Destination IP to list the most common destination IP addresses for virus infected files that ZyWALL has detected This field displays the entry s rank in the list of the top entries Virus name This column displays when you display the entries by Virus Name This displays the name of a detected virus Source IP This column displays when you display the entries by...

Page 270: ...ute second All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statist...

Page 271: ... top entries Signature Name This column displays when you display the entries by Signature Name The signature name identifies a specific intrusion pattern Click the hyperlink for more detailed information on the intrusion Type This column displays when you display the entries by Signature Name It shows the categories of intrusions See Table 164 on page 612 for more information Severity This column...

Page 272: ...isplays after you click Apply All of the statistics in this screen are for the time period starting at the time displayed here The format is year month day and hour minute second All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to...

Page 273: ...ation Restricted Web Features This is the number of web pages to which the ZyWALL did not allow access due to the content filtering custom service s restricted web features configuration Forbidden Web Sites This is the number of web pages to which the ZyWALL did not allow access because they matched the content filtering custom service s forbidden web sites list URL Keywords This is the number of ...

Page 274: ...s by that column s criteria Click the heading cell again to reverse the sort order Figure 257 Anti X Content Filter Cache The following table describes the labels in this screen Table 50 Anti X Content Filter Cache LABEL DESCRIPTION URL Cache Entry Refresh Click this button to reload the list of content filter cache entries Flush Click this button to clear all web site addresses from the cache man...

Page 275: ...tes left before the URL entry is discarded from the cache URL Cache Setup Maximum TTL Type the maximum time to live TTL 1 to 720 hours This sets how long the ZyWALL is to keep an entry in the URL cache before discarding it The external content filtering database frequently adds previously un categorized web sites and sometimes changes a web site s category Setting this limit higher will speed up t...

Page 276: ...his screen are for the time period starting at the time displayed here The format is year month day and hour minute second All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Refresh Cl...

Page 277: ...hreshold Mail Sessions Dropped This is how many e mail sessions the ZyWALL dropped because they exceeded the maximum number of e mail sessions that the anti spam feature can check at a time You can see the ZyWALL s threshold of concurrent e mail sessions in the Anti Spam Status screen Use the Anti Spam General screen to set whether the ZyWALL forwards or drops sessions that exceed this threshold T...

Page 278: ...he lighter shaded part of the bar and the pop up show the historical high The first number to the right of the bar is how many e mail sessions the ZyWALL is presently checking for spam The second number is the maximum number of e mail sessions that the ZyWALL can check at once An e mail session is when an e mail client and e mail server or two e mail servers connect through the ZyWALL DNSBL Statis...

Page 279: ...ss this screen click Monitor Log The log is displayed in the following screen Note When a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first For individual log descriptions see Appendix A on page 947 For the maximum number of log messages in the ZyWALL see Chapter 57 on page 939 Events th...

Page 280: ...Interface This displays when you show the filter Select the source interface of the packet that generated the log message Destination Interface This displays when you show the filter Select the destination interface of the packet that generated the log message Service This displays when you show the filter Select the service whose log messages you would like to see The Web Configurator uses the pr...

Page 281: ... displays the reason the log message was generated The text count x where x is a number appears at the end of the Message field if log consolidation is turned on see Log Consolidation in Table 256 on page 883 and multiple entries were aggregated to generate into this one Source This field displays the source IP address and the port number in the event that generated the log message Destination Thi...

Page 282: ...Chapter 10 Monitor ZyWALL USG 300 User s Guide 282 ...

Page 283: ...L com myZyXEL com is ZyXEL s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL To update signature files or use a subscription service you have to register the ZyWALL and activate the corresponding service at myZyXEL com through the ZyWALL Note You need to create a myZyXEL com account before you can register your device and activate...

Page 284: ...not a separate trial period for each anti virus engine After the trial expires you need to purchase an iCard for the anti virus engine you want to use and enter the PIN number license key in the Registration Service screen You must use the ZyXEL anti virus iCard for the ZyXEL anti virus engine and the Kaspersky anti virus iCard for the Kaspersky anti virus engine If you were already using an iCard...

Page 285: ...lds are available new myZyXEL com account If you haven t created an account at myZyXEL com select this option and configure the following fields to create an account and register your ZyWALL existing myZyXEL com account If you already have an account at myZyXEL com select this option and enter your user name and password in the fields below to register your ZyWALL UserName Enter a user name for yo...

Page 286: ... from the update server http myupdate zywall zyxel com IDP AppPatrol Signature Service The IDP and application patrol features use the IDP AppPatrol signature files on the ZyWALL IDP detects malicious or suspicious packets and responds immediately Application patrol conveniently manages the use of various applications on the network After the service is activated the ZyWALL can download the up to ...

Page 287: ... update your service subscription status Figure 262 Configuration Licensing Registration Registered Device 11 3 The Service Screen Use this screen to display the status of your service registrations and upgrade licenses To activate or extend a standard service subscription purchase an iCard and enter the iCard s PIN number license key in this screen Click Configuration Licensing Registration Servi...

Page 288: ...nti virus service subscription this field also displays the type of anti virus engine Expiration date This field displays the date your service expires You can continue to use IDP AppPatrol or Anti Virus after the registration expires you just won t receive updated signatures Count This field displays how many VPN tunnels you can use with your current license This field does not apply to the other...

Page 289: ...n page 601 for details on IDP See Chapter 32 on page 559 for details on application patrol Use the Configuration Licensing Update System Protect screen Section 12 4 on page 293 to update the system protection signatures 12 1 2 What you Need to Know You need a valid service registration to update the anti virus signatures and the IDP AppPatrol signatures You do not need a service registration to up...

Page 290: ...rsion 2 11 and updating the anti virus signatures automatically upgrades the ZyXEL anti virus engine to v2 0 v2 0 has more virus signatures and offers improved non executable file scan throughput Current Version This field displays the anti virus signatures version number currently used by the ZyWALL This number is defined by the ZyXEL Security Response Team ZSRT who maintain and update them This ...

Page 291: ...re found they are then downloaded to the ZyWALL Update Now Click this button to have the ZyWALL check for new signatures immediately If there are new ones the ZyWALL will then download them Auto Update Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and day specified You should select a time when your network is not busy for minimal interruptio...

Page 292: ...mber of IDP signatures in this set This number usually gets larger as the set is enhanced Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones Released Date This field displays the date and time the set was released Signature Update Use these fields to have the ZyWALL check for new IDP signatures at myZyXEL com If new signatures are found...

Page 293: ...ystem protection feature is enabled by default and can only be disabled via the commands You do not need an IDP subscription to use the system protection feature or to download updated system protection signatures Figure 266 Configuration Licensing Update System Protect Daily Select this option to have the ZyWALL check for new IDP signatures everyday at the specified time The time format is the 24...

Page 294: ... these fields to have the ZyWALL check for new signatures at myZyXEL com If new signatures are found they are then downloaded to the ZyWALL Update Now Click this button to have the ZyWALL check for new signatures immediately If there are new ones the ZyWALL will then download them Auto Update Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and ...

Page 295: ...gure the Ethernet interfaces Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces Use the PPP screens Section 13 4 on page 310 for PPPoE or PPTP Internet connections Use the Cellular screens Section 13 5 on page 317 to configure settings for interfaces for Internet connections through an installed 3G card Use...

Page 296: ...ysical ports at the layer 2 data link MAC address level Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces VLAN interfaces receive and send tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a softwa...

Page 297: ...e vlan2 are called vlan2 1 vlan2 2 and so on You cannot specify the number after the colon in the Web Configurator it is a sequential number You can specify the number after the colon if you use the CLI to set up a virtual interface Relationships Between Interfaces In the ZyWALL interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the ph...

Page 298: ... Section 7 1 on page 117 for an example of configuring Ethernet interfaces port grouping and zones See Section 7 2 on page 120 for an example of configuring a cellular 3G interface See Section 7 4 on page 125 for an example of setting up a wireless LAN See Chapter 14 on page 369 to configure load balancing using trunks VLAN interface Ethernet interface bridge interface Ethernet interface VLAN inte...

Page 299: ...rfaces If you assign more than one physical port to a representative interface you create a port group Port groups have the following characteristics There is a layer 2 Ethernet switch between physical ports in the port group This provides wire speed throughput but no security It can increase the bandwidth between the port group and other interfaces 13 2 2 Port Grouping Screen Define the relations...

Page 300: ...s exchange routing information with other routers and how much information is exchanged through each one The more routing information is exchanged the more efficient the routers should be However the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management The ZyWALL supports two routing protocols RIP and OSPF See Chapter 16...

Page 301: ...click Create Virtual Interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the...

Page 302: ... interfaces to do the following things Enable and disable RIP in the underlying physical port or port group Select which direction s routing information is exchanged The ZyWALL can receive routing information send routing information or do both Select which version of RIP to support in each direction The ZyWALL supports RIP 1 RIP 2 and both versions Select the broadcasting method used by RIP 2 pac...

Page 303: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 303 Figure 269 Configuration Network Interface Ethernet Edit ...

Page 304: ...ou must manually configure a policy route to add routing and SNAT settings for the interface Interface Name Specify a name for the interface It can use alphanumeric characters hyphens and underscores and it can be up to 11 characters long Port This is the name of the Ethernet interface s physical port Zone Select the zone to which this interface is to belong You use zones to apply security setting...

Page 305: ...lowed values are 0 1048576 Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the ZyWALL divides it into s...

Page 306: ...re is already a DHCP server on the network DHCP Relay the ZyWALL routes DHCP requests to one or more DHCP servers you specify The DHCP server s may be on another network DHCP Server the ZyWALL assigns IP addresses and provides subnet mask gateway and DNS server information to the network The ZyWALL is the DHCP server for the network These fields appear if the ZyWALL is a DHCP Relay Relay Server 1 ...

Page 307: ...the computer names on your network and the IP addresses that they are currently using Lease time Specify how long each computer can use the information especially the IP address before it has to request the information again Choices are infinite select this if IP addresses never expire days hours and minutes select this to enter how long IP addresses are valid Enable IP MAC Binding Select this opt...

Page 308: ...packets using subnet broadcasting otherwise the ZyWALL uses multicasting OSPF Setting See Section 16 3 on page 397 for more information about OSPF Area Select the area in which this interface belongs Select None to disable OSPF in this interface Priority Enter the priority between 0 and 255 of this interface when the area is looking for a Designated Router DR or Backup Designated Router BDR The hi...

Page 309: ...ry assigned default MAC address By default the ZyWALL uses the factory assigned MAC address to identify itself Overwrite Default MAC Address Select this option to have the interface use a different MAC address Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning Once it is successfully configured the address ...

Page 310: ...display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service s configuration screen in the main window Priority If it is applicable this field lists the referencing configuration item s position in its list ot...

Page 311: ...the protocol PPPoE or PPTP as well as your ISP account information If you change ISPs later you only have to create a new ISP account not a new PPPoE PPTP interface You should not have to change any network policies You do not set up the subnet mask or gateway PPPoE PPTP interfaces are interfaces between the ZyWALL and only one computer Therefore the subnet mask is always 255 255 255 255 In additi...

Page 312: ... a user configured PPP interface select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect You might use this in testing the interface or to manually establish the connection for a Dial on Dem...

Page 313: ...is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field displays the name of the interface Base Interface This field displays the interface on the top of which the PPPoE PPTP interface is Account Profile This field displays the ISP account used by this PPPoE PPTP interface Apply Click Apply to save y...

Page 314: ...Network Interface PPP Add Each field is explained in the following table Table 65 Configuration Network Interface PPP Add LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields General Settings ...

Page 315: ...ection available ISP Setting Account Profile Select the ISP account that this PPPoE PPTP interface uses The drop down box lists ISP accounts by name Use Create new Object if you need to configure a new ISP account see Chapter 47 on page 803 for details Protocol This field is read only It displays the protocol specified in the ISP account User Name This field is read only It displays the user name ...

Page 316: ...ct this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attemp...

Page 317: ...o users when they send data It allows fast transfer of voice and non voice data and provides broadband Internet access to mobile devices Note The actual data rate you obtain varies depending on the 3G card you use the signal strength to the service provider s base station and so on OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table 65 C...

Page 318: ...a hybrid 2 5G 3G protocol of mobile telecommunications standards that use CDMA a multiple access scheme for digital radio CDMA2000 1xRTT 1 times Radio Transmission Technology is the core CDMA2000 wireless air interface standard It is also known as 1x 1xRTT or IS 2000 and considered to be a 2 5G or 2 75G technology 2 75G Packet switched Enhanced Data rates for GSM Evolution EDGE Enhanced GPRS EGPRS...

Page 319: ...elect it and click Connect You might use this in testing the interface or to manually establish the connection Disconnect To disconnect an interface select it and click Disconnect You might use this in testing the interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field ...

Page 320: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 320 Figure 275 Configuration Network Interface Cellular Add ...

Page 321: ...y Nailed Up Select this if the connection should always be up Clear this to have the ZyWALL to establish the connection only when there is traffic You might not nail up the connection if there is little traffic through the interface or if it costs money to keep the connection available Idle timeout This value specifies the time in seconds 0 360 that elapses before the ZyWALL automatically disconne...

Page 322: ...s are not allowed Password This field displays when you select an authentication type other than None This field is read only if you selected Device in the profile selection and the password is included in the 3G card s profile If this field is configurable enter the password for this SIM card exactly as the service provider gave it to you You can use 0 63 alphanumeric and _ characters Spaces are ...

Page 323: ...n on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeo...

Page 324: ...fy the type of network to use if you are charged differently for different types of network or you only have one type of network available to you Select GPRS EDGE GSM only to have this interface only use a 2 5G or 2 75G network respectively If you only have a GSM network available to you you may want to select this so the ZyWALL does not spend time looking for a WCDMA network Select UMTS HSDPA WCD...

Page 325: ... time or data limit is exceeded Log Select None to not create a log Log to create a log or Log alert to create an alert log If you select Log or Log alert you can also select recurring every to have the ZyWALL send a log or alert for this event periodically Specify how often from 1 to 65535 minutes to send the log or alert New 3G connection Select Allow to permit new 3G connections or Disallow to ...

Page 326: ... the name of the wireless network It stands for Service Set IDentity Different wireless networks in the same area should use different channels Like radio stations or television channels each wireless network uses a specific channel or frequency to send and receive information Every wireless client in a wireless network must use security compatible with the AP Security stops unauthorized devices f...

Page 327: ...een Table 69 Configuration Network Interface WLAN LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields WLAN Device Settings Extension Slot Select the slot for which you want to configure wireless device settings Enable WLAN Device Select this to turn on the wireless LAN card It is recommended that you configur...

Page 328: ...e Set the RTS CTS equal to or higher than the fragmentation threshold to turn RTS CTS off Fragmentation Threshold This is the threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent Output Power Select the percentage of output power that this WLAN card is to use If there is a high density of APs in the area decrease the o...

Page 329: ... according to the security features you select It displays as shown next when you set the Security Type to none IP Address This field displays the current IP address of the WLAN interface If the IP address is 0 0 0 0 the interface does not have an IP address yet This screen also shows whether the IP address is a static IP address STATIC or dynamically assigned DHCP IP addresses are always static i...

Page 330: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 330 Figure 278 Configuration Network Interface WLAN Add No Security ...

Page 331: ...omething that is difficult to guess Hide SSID Broadcast Select to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning Block Intra BSS Traffic Select this to prevent wireless clients in this profile s BSS from communicating with one another Maximum Associations Specify the highest number of wireless clients that are allowed to connect to the wireless inte...

Page 332: ...500 DHCP Settings DHCP Select what type of DHCP service the ZyWALL provides to the wireless network Choices are None the ZyWALL does not provide any DHCP services There is already a DHCP server on the network DHCP Relay the ZyWALL routes DHCP requests to one or more DHCP servers you specify The DHCP server s may be on another network DHCP Server the ZyWALL assigns IP addresses and provides subnet ...

Page 333: ...P clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Lease time Specify how long each computer can use the information especially the IP address before it has to request the information again Choices are infinite select this if IP addresses never expire days hours and minutes select this to enter how long IP addres...

Page 334: ...ty to zero if the interface can not be the DR or BDR Link Cost Enter the cost between 1 and 65 535 to route packets through this interface Passive Interface Select this to stop forwarding OSPF routing information from the selected interface As a result this interface only receives routing information Authentication Select an authentication method or disable authentication To exchange OSPF routing ...

Page 335: ...echanism Use the strongest security mechanism that all the wireless devices in your network support For example use WPA PSK or WPA2 PSK or WPA or WPA2 if your wireless devices support it If your wireless devices support nothing stronger than WEP use the highest encryption level available To configure and enable WEP encryption click Configuration Network Interface WLAN Add or Edit to open the WLAN ...

Page 336: ...rface WLAN Add WPA PSK WPA2 PSK or WPA WPA2 PSK Security Table 72 Configuration Network Interface WLAN Add WEP Security LABEL DESCRIPTION WEP Encryption WEP Wired Equivalent Privacy provides data encryption to prevent unauthorized wireless stations from accessing data transmitted over the wireless network Select 64 bit WEP or 128 bit WEP to enable data encryption Key 1 to Key 4 If you chose 64 bit...

Page 337: ...ncryption mechanisms used for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected N...

Page 338: ...you set the Authentication Type field to Auth Method Select an authentication method object that defines how the ZyWALL authenticates a wireless user The ZyWALL s default configuration also includes an authentication method object named default that you can use You can configure the default authentication method object but it s default configuration uses the ZyWALL s local database for authenticat...

Page 339: ...US server s listening port number the default is 1812 Radius Server Secret Enter a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the ZyWALL The key is not sent over the network This key must be the same on the external authentication server and ZyWALL ReAuthentication Timer Specify how often wireless stations have to resend user na...

Page 340: ...listed will be denied access to the router Add Click this to add an entry to the table Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This is the index number of the MAC address MAC Address This displays the MAC address in XX XX XX XX XX X...

Page 341: ...onnected to hubs and the hubs are connected to the router Alternatively you can divide the physical networks into three VLANs Figure 284 Example After VLAN Each VLAN is a separate network with separate IP addresses subnet masks and gateways Each VLAN also has a unique identification number ID The ID is a 12 bit value that is stored in the MAC header The VLANs are connected to switches and the swit...

Page 342: ... example you can create different content filtering rules for each VLAN each department in the example above and you can set different bandwidth limits for each VLAN These rules are also independent of the physical network so you can change the physical network without changing policies In this example the new switch handles the following types of traffic Inside VLAN 2 Between the router and VLAN ...

Page 343: ...ace To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry ...

Page 344: ...s screen click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen The following screen appears Mask This field displays the interface s subnet mask in dot decimal notation Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 76 Configuration Network Interfac...

Page 345: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 345 Figure 286 Configuration Network Interface VLAN Edit ...

Page 346: ...095 are reserved Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment Get Automatically Select this if this interface is a DHCP client In this case the DHCP server configures the IP address subnet mask and gateway automatically You should not select this if the interface is ...

Page 347: ...a failure and how many consecutive failures are required before the ZyWALL stops routing to the gateway The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to...

Page 348: ...ress broadcast address and the interface s IP address Pool Size Enter the number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For example if the Subnet Mask is 255 255 255 0 and IP Pool Start Address is 10 10 10 10 the ZyWALL can allocate 10 10 10 10 to 10 10 10 254 or 245 IP addresses If this field is blank the IP Pool Start Address mu...

Page 349: ... able to modify it Remove Select an entry and click this to delete it This field is a sequential value and it is not associated with a specific entry IP Address Enter the IP address to assign to a device with this entry s MAC address MAC Address Enter the MAC address to which to assign this entry s IP address Description Enter a description to help identify this static DHCP entry You can use alpha...

Page 350: ...method in the area None disable authentication Text authenticate OSPF routing information using a plain text password MD5 authenticate OSPF routing information using MD5 encryption Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore and it can be up to eight charact...

Page 351: ...table It also looks up the destination MAC address in the table If the bridge knows on which port the destination MAC address is located it sends the packet to that port If the destination MAC address is not in the table the bridge broadcasts the packet on every port except the one on which it was received In the example above computer A sends a packet to computer B Bridge X records the source add...

Page 352: ...aces Any number of Ethernet interfaces and any associated virtual Ethernet interfaces When you create a bridge interface the ZyWALL removes the members entries from the routing table and adds the bridge interface s entries to the routing table For example this table shows the routing table before and after you create bridge interface br0 250 250 250 0 23 between ge1 and vlan1 In this example virtu...

Page 353: ...where you can create a virtual interface select an interface and click Create Virtual Interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed wh...

Page 354: ...nfigure IP address assignment interface bandwidth parameters DHCP settings and connectivity check for each bridge interface To access this screen click the Add icon at the top of the Add column in the Bridge Summary screen or click an Edit icon in the Bridge Summary screen The following screen appears ...

Page 355: ...Chapter 13 Interfaces ZyWALL USG 300 User s Guide 355 Figure 288 Configuration Network Interface Bridge Add ...

Page 356: ...f the bridge interface An interface is not available in the following situations There is a virtual interface on top of it It is already used in a different bridge interface Select one and click the arrow to add it to the bridge interface Each bridge interface can only have one VLAN interface Member This field displays the interfaces that are part of the bridge interface Select one and click the a...

Page 357: ... Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the ZyWALL divides it into smaller fragments Allowed v...

Page 358: ...that another interface received from its DHCP server ZyWALL the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay First WINS Server Second WINS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses tha...

Page 359: ...nnectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the nu...

Page 360: ... use the auxiliary interface Note You have to connect an external modem to the auxiliary port The ZyWALL uses the auxiliary interface to dial out in two situations 1 You click the Connect icon on the ZyWALL Status screen 2 The load auxiliary interface must connect to satisfy load balancing requirements You have to add the auxiliary interface to a trunk first When the ZyWALL hangs up the call it dr...

Page 361: ... is read only and displays the zone to which the auxiliary interface belongs Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Port Speed Select the speed of the connection between the ZyWALL and external computer Dialing Type Tone select this if the telephone uses tone based dialing Pulse sel...

Page 362: ... comma to pause during dialing Use a plus sign to tell the external modem to make an international call User Name Enter the user name required for authentication Password Enter the password required for authentication Retype to confirm Enter the password again to make sure you have not typed it incorrectly Authentication Type Select the authentication protocol to use for outgoing calls Choices are...

Page 363: ...ration Network Interface Add LABEL DESCRIPTION Interface Properties Interface Name This field is read only It displays the name of the virtual interface which is automatically derived from the underlying Ethernet interface VLAN interface or bridge interface Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 ch...

Page 364: ...ways have the same priority the ZyWALL uses the one that was configured first Interface Parameters Egress Bandwidth Enter the maximum amount of traffic in kilobits per second the ZyWALL can send through the interface to the network Allowed values are 0 1048576 Ingress Bandwidth This is reserved for future use Enter the maximum amount of traffic in kilobits per second the ZyWALL can receive from th...

Page 365: ...t with a destination address of 5 5 5 5 it might not find any entries in the routing table In this case the packet is dropped However if there is a default router to which the ZyWALL should send this packet you can specify it as a gateway in one of the interfaces For example if there is a default router at 200 200 200 100 you can create a gateway at 200 200 200 100 on ge2 In this case the ZyWALL c...

Page 366: ...ddresses subnet masks gateways and some network information such as the IP addresses of DNS servers on computers in the network This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently In DHCP every network has at least one DHCP server When a computer a DHCP client joins the network it submits a DHCP request The DHCP servers get the re...

Page 367: ...ce provides the same gateway you specify for the interface See IP Address Assignment on page 364 DNS servers The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients You can specify each IP address manually for example a company s own DNS server or you can refer to DNS servers that other interfaces received from DHCP servers for example a DNS serve...

Page 368: ... systems including RADIUS You can access one of several network services This makes it easier for the service provider to offer the service PPPoE does not usually require any special configuration of the modem PPTP is used to set up virtual private networks VPN in unsecure TCP IP environments It sets up two sessions 1 The first one runs on TCP port 1723 It is used to start and manage the second on...

Page 369: ...a You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B Or maybe one of the ZyWALL s interfaces is connected to an ISP that is also your Voice over IP VoIP service provider You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoIP...

Page 370: ...es through the best WAN interface for that type of traffic If that interface s connection goes down the ZyWALL can still send its traffic through another interface You can define multiple trunks for the same physical interfaces Link Sticking You can have the ZyWALL send each local computer s traffic that is going to the same destination through a single WAN interface for a specified period of time...

Page 371: ...d bandwidth refers to the bandwidth an interface is currently using Least Load First The least load first algorithm uses the current or recent outbound bandwidth utilization of each trunk member interface as the load balancing index es when making decisions about to which interface a new session is to be distributed The outbound bandwidth utilization is defined as the measured outbound throughput ...

Page 372: ...distribute the network traffic between the two interfaces by setting the weight of ge2 and ge3 to 2 and 1 respectively The ZyWALL assigns the traffic of two sessions to ge2 for every session s traffic assigned to ge3 Figure 294 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the inte...

Page 373: ...old of the first interface is set to 800K The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface Figure 295 Spillover Algorithm Example Finding Out More See Section 6 5 5 on page 103 for related information on the Trunk screens See Section 7 3 on page 122 for an example of how to configure load balancing See Section 14 4 on page 377 for more backgrou...

Page 374: ... this button to display a greater or lesser number of configuration fields Enable Link Sticking Enable link sticking to have the ZyWALL route sessions from one source to the same destination through the same link for a period of time This is useful for accessing servers that are incompatible with a user s sessions coming from different links For example this is useful when a server requires authen...

Page 375: ...dds all external interfaces into the pre configured system default SYSTEM_DEFAULT_WAN_TRUNK You cannot delete it You can create your own User Configuration trunks Add Click this to create a new user configured trunk Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove Th...

Page 376: ...lick Add to add a new member interface after the selected member interface Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a member interface select it and click Remove The ZyWALL confirms you want to remove it before doing so Move To move an interface to a different number in the list click the Move icon In the fie...

Page 377: ...e traffic the ZyWALL sends through that interface Ingress Bandwidth This field displays with the least load first load balancing algorithm It displays the maximum number of kilobits of data the ZyWALL is to allow to come in through the interface per second Egress Bandwidth This field displays with the least load first or spillover load balancing algorithm It displays the maximum number of kilobits...

Page 378: ...Chapter 14 Trunks ZyWALL USG 300 User s Guide 378 ...

Page 379: ... default gateway R1 You create one policy route to connect to services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 298 Example of Policy Routing Topology Note You can generally just use policy routes You only need to use static routes if you have a large network with multiple router...

Page 380: ... policy routes to manage other types of traffic like ICMP traffic and send traffic through VPN tunnels Note Bandwidth management in policy routes has priority over application patrol bandwidth management Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost paths while using low cost paths for batch traffic Load Sharing Network administrators can use ...

Page 381: ...ng the route based on the application types and traffic flow Packets are marked with DiffServ Code Points DSCPs indicating the level of service desired This allows the intermediary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to ...

Page 382: ...red policy routes and turn policy routing based bandwidth management on or off A policy route defines the matching criteria and the action to take when a packet meets the criteria The action is taken only when all the criteria are met The criteria can include the user name source address and incoming interface destination address schedule IP protocol ICMP UDP TCP etc and port The actions that can ...

Page 383: ...it Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change a rule s position in the numbered list se...

Page 384: ...SCP value of the outgoing packets that match this route If this field displays a DSCP value the ZyWALL applies that DSCP value to the route s outgoing packets preserve means the ZyWALL does not modify the DSCP value of the route s outgoing packets default means the ZyWALL sets the DSCP value of the route s outgoing packets to 0 The af choices stand for Assured Forwarding The number following the a...

Page 385: ...onfiguration Network Routing Policy Route Add The following table describes the labels in this screen Table 92 Configuration Network Routing Policy Route Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Configuration Enable Select this to activate the policy Description Enter a descriptive name of up to 31 printable ASCII c...

Page 386: ...e of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 391 for more details User Defined DSCP Code Use this field to specify a custom DSCP code point Schedule Select a schedule to control when the policy route is active none means the route is active at all times if enabled Service Select a service or service group to identify the type of traffic to which this policy route ...

Page 387: ...gh the specified interface Auto Disable This field displays when you select Interface or Trunk in the Type field Select this to have the ZyWALL automatically disable this policy route when the next hop s connection is down DSCP Marking DSCP Marking Set how the ZyWALL handles the DSCP value of the outgoing packets that match this route Select one of the pre defined DSCP values to apply or select Us...

Page 388: ...before using a port triggering rule Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it You can also just double click an entry to be able to modify it Remove Select an entry and click this to delete it Move The ordering of your rules is important as they are applied in order o...

Page 389: ...andwidth unbudgeted and do not enable Maximize Bandwidth Usage Bandwidth Priority Enter a number between 1 and 7 to set the priority for traffic The smaller the number the higher the priority If you set the maximum bandwidth to 0 the bandwidth priority will be changed to 0 after you click OK That means the route has the highest priority and will get all the bandwidth it needs up to the maximum ava...

Page 390: ...to remove it before doing so This is the number of an individual static route Destination This is the destination IP address Subnet Mask This is the IP subnet mask Next Hop This is the IP address of the next hop gateway or the interface through which the traffic is routed The gateway is a router or switch on the same segment as your ZyWALL s interface s The gateway helps forward packets to their d...

Page 391: ... If congestion occurs between classes the traffic in the higher class smaller numbered class is generally given priority Combining the classes and drop precedence produces the Gateway IP Select the radio button and enter the IP address of the next hop gateway The gateway is a router or switch on the same segment as your ZyWALL s interface s The gateway helps forward packets to their destinations I...

Page 392: ...computer Port triggering is used especially when the remote server responses using a different port from the port the client computer used to request a service The ZyWALL records the IP address of a client computer that sends traffic to a remote server to request a service incoming service When the ZyWALL receives a new connection trigger service from the remote server the ZyWALL forwards the traf...

Page 393: ...route is not using among the policy routes that require more bandwidth When you enable maximize bandwidth usage the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment Next the ZyWALL divides up an interface s available bandwidth bandwidth that is unbudgeted or unused by the policy routes depending on how many policy routes require more bandwidth and on their priority...

Page 394: ...Chapter 15 Policy and Static Routes ZyWALL USG 300 User s Guide 394 ...

Page 395: ... in this Chapter Use the RIP screen see Section 16 2 on page 396 to configure the ZyWALL to use RIP to receive and or send routing information Use the OSPF screen see Section 16 3 on page 397 to configure general OSPF settings and manage OSPF areas Use the OSPF Area Add Edit screen see Section 16 3 2 on page 404 to create or edit an OSPF area 16 1 2 What You Need to Know The ZyWALL supports two st...

Page 396: ...gs before you can use it in an interface First the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent This is discussed in more detail in Authentication Types on page 407 Second the ZyWALL can also redistribute routing information from non RIP networks specifically OSPF networks and static routes to the RIP networ...

Page 397: ...d 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The password can consist of alphanumeric characters and the underscore and it can be up to 16 characters long Redistribute Active OSPF Select this to use RIP to advertise routes that were learned through OSPF Metric Type the cost for routes provided by OSPF The metric represen...

Page 398: ...ents a group of adjacent networks and is identified by a 32 bit ID In OSPF this number may be expressed as an integer or as an IP address There are several types of areas The backbone is the transit area that routes packets between other areas All other areas are connected to the backbone A normal area is a group of adjacent networks A normal area has routing information about the OSPF AS any netw...

Page 399: ...o confirm which neighbor layer 3 devices exist and then they exchange database descriptions DDs to create a synchronized link state database The link state database contains records of router IDs their associated links and path costs The link state database is then constantly updated through Link State Advertisements LSA Each router uses the link state database and the Dijkstra algorithm to comput...

Page 400: ...DR All of the routers only exchange information with the DR and the BDR instead of exchanging information with all of the other routers in the group The DR and BDR are selected by priority if two routers have the same priority the highest router ID is used The DR and BDR are selected in each group of routers that are directly connected to each other If a router is directly connected to several gro...

Page 401: ...the backbone You cannot create a virtual link to a router in a different area OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL 1 Enable OSPF 2 Set up the OSPF areas 3 Configure the appropriate interfaces See Section 13 3 1 on page 302 4 Set up virtual links as needed 16 3 1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the ZyWALL uses i...

Page 402: ...istribute Active RIP Select this to advertise routes that were learned from RIP The ZyWALL advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas Type Select how OSPF calculates the cost associated with routing information from RIP Choices are Type 1 and Type 2 Type 1 cost OSPF AS cost external cost Metric Type 2 cost external cost Metric the OSPF AS cost is ignored Metr...

Page 403: ...eas in the ZyWALL Add Click this to create a new OSPF area Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This field is a sequential value and it is not associated with a specific area Area This field displays the 32 bit I...

Page 404: ... information about the OSPF AS and about networks outside the OSPF AS Stub This area is an stub area It has routing information about the OSPF AS but not about networks outside the OSPF AS It depends on a default route to send information outside the OSPF AS NSSA This area is a Not So Stubby Area NSSA per RFC 1587 It has routing information about the OSPF AS and networks that are outside the OSPF ...

Page 405: ...hould set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone Add Click this to create a new virtual link Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so This ...

Page 406: ...entication Text uses a plain text password that is sent over the network not very secure MD5 uses an MD5 password and authentication ID most secure Same as Area has the virtual link also use the Authentication settings above Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the ...

Page 407: ...ord and authentication ID MD5 is an authentication method that produces a 128 bit checksum called a message digest for each packet It also includes an authentication ID which can be set to any value between 1 and 255 The ZyWALL only accepts packets if these conditions are satisfied The packet s authentication ID is the same as the authentication ID of the interface that received it The packet s me...

Page 408: ...Chapter 16 Routing Protocols ZyWALL USG 300 User s Guide 408 ...

Page 409: ... settings such as firewall rules Anti X and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface auxiliary interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 311 Example Zones 17 1 1 What You Can Do in this Chapter Use the...

Page 410: ...ple DMZ to DMZ but many other types of zone based security and policy settings do not affect intra zone traffic Inter zone Traffic Inter zone traffic is traffic between interfaces or VPN tunnels in different zones For example in Figure 311 on page 409 traffic between VLAN 1 and the Internet is inter zone traffic This is the normal case when zone based security and policy settings apply Extra zone ...

Page 411: ...his to create a new user configured zone Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry ...

Page 412: ...ters underscores _ or dashes but the first character cannot be a number This value is case sensitive Block Intra zone Traffic Select this check box to block network traffic between members in the zone Member List Available lists the interfaces and VPN tunnels that do not belong to any zone Select the interfaces and VPN tunnels that you want to add to the zone you are editing and click the right ar...

Page 413: ...he domain name to contact you in NetMeeting CU SeeMe etc or to access your FTP server or Web site regardless of the current IP address Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the ZyWALL When registration is complete the DNS service provider gives you a pass...

Page 414: ... Figure 314 Configuration Network DDNS The following table describes the labels in this screen Table 105 Configuration Network DDNS LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it befo...

Page 415: ...ernate interface to use for updating the IP address mapped to the domain name followed by how the ZyWALL determines the IP address for the domain name The ZyWALL uses the backup interface and IP address when the primary interface is disabled its link is down or its connectivity check fails from interface The IP address comes from the specified interface auto detected The DDNS server checks the sou...

Page 416: ...able 106 Configuration Network DDNS Add LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields Enable DDNS Profile Select this check box to use this DDNS entry Profile Name When you are adding a DDNS entry type a descriptive name for this DDNS entry in the ZyWALL You may use 1 31 alphanumeric characters undersco...

Page 417: ...ace The ZyWALL uses the IP address of the specified interface This option appears when you select a specific interface in the Primary Binding Address Interface field Auto If the interface has a dynamic IP address the DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name You may want to use this if there are one or more NAT routers bet...

Page 418: ...feature to alias subdomains to be aliased to the same IP address as your dynamic domain name This feature is useful if you want to be able to use for example www yourhost dyndns org and still reach your hostname Mail Exchanger This option is only available with a DynDNS account DynDNS can route e mail for your domain name to a mail server called a mail exchanger For example DynDNS routes e mail fo...

Page 419: ... the private network available by using ports to forward packets to the appropriate private IP address Suppose you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network a...

Page 420: ...13 3 on page 173 for an example of how to configure NAT to allow SIP traffic from the WAN to an IPPBX or SIP server on the DMZ 19 2 The NAT Screen The NAT summary screen provides a summary of all NAT rules and their configuration In addition this screen allows you to create new NAT rules and edit and delete existing NAT rules To access this screen login to the Web Configurator and click Configurat...

Page 421: ...splays the original destination IP address or address object of traffic that matches this NAT entry It displays any if there is no restriction on the original destination IP address Mapped IP This field displays the new destination IP address for the packet Protocol This field displays the service used by the packets for this NAT entry It displays any if there is no restriction on the services Ori...

Page 422: ...iguration Network NAT Add The following table describes the labels in this screen Table 108 Configuration Network NAT Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen Enable Rule Use this option to turn the NAT rule on or off Rule Name Type in the name of the NAT rule The name is used to refer to the NAT rule You may use 1 31 alp...

Page 423: ...ing interface s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface User Defined Select this to manually enter an IP address in the User Defined field For example you could enter a static public IP assigned by the ISP without having to create a virtual interface for it Host address select a host address object to use the IP address...

Page 424: ...destination ports this NAT rule supports Original End Port This field is available if Mapping Type is Ports Enter the end of the range of original destination ports this NAT rule supports Mapped Start Port This field is available if Mapping Type is Ports Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet Mapped End Port This field is available if ...

Page 425: ...fter you configure your NAT rule settings click the Firewall link to configure a firewall rule to allow the NAT rule s traffic to come in The ZyWALL checks NAT rules before it applies To ZyWALL firewall rules so To ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules The ZyWALL still checks other firewall rules according to the source IP address and mapped IP address OK Cli...

Page 426: ... 1 NAT loopback uses the IP address of the ZyWALL s LAN interface 192 168 1 1 as the source address of the traffic going from the LAN users to the LAN SMTP server Figure 320 LAN to LAN Traffic The LAN SMTP server replies to the ZyWALL s LAN IP address and the ZyWALL changes the source address to 1 1 1 1 before sending it to the LAN user The return traffic s source matches the original destination ...

Page 427: ...N user without the traffic going through NAT the source would not match the original destination address which would cause the LAN user s computer to shut down the session Figure 321 LAN to LAN Return Traffic 192 168 1 21 LAN 192 168 1 89 Source 1 1 1 1 SMTP NAT Source 192 168 1 21 SMTP ...

Page 428: ...Chapter 19 NAT ZyWALL USG 300 User s Guide 428 ...

Page 429: ...t connected to the LAN zone wants to open a web page its HTTP request is redirected to proxy server A first If proxy server A cannot find the web page in its cache a policy route allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 322 HTTP Redirect Example 20 1 1 What You Can Do in this Chapter Use the HTTP Redirect screens see ...

Page 430: ... 1 Firewall 2 Application Patrol 3 HTTP Redirect 4 Policy Route Even if you set a policy route to the same incoming interface and service as a HTTP redirect rule the ZyWALL checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched You need to make sure there is no firewall rule s blocking the HTTP requests from the client to the proxy server You also need to manua...

Page 431: ...table describes the labels in this screen Table 109 Configuration Network HTTP Redirect LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry sel...

Page 432: ...d settings Table 109 Configuration Network HTTP Redirect continued LABEL DESCRIPTION Table 110 Network HTTP Redirect Edit LABEL DESCRIPTION Enable Use this option to turn the HTTP redirect rule on or off Name Enter a name to identify this rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select th...

Page 433: ...Chapter 20 HTTP Redirect ZyWALL USG 300 User s Guide 433 ...

Page 434: ...Chapter 20 HTTP Redirect ZyWALL USG 300 User s Guide 434 ...

Page 435: ...er Internet H 323 A teleconferencing protocol suite that provides audio data and video conferencing FTP File Transfer Protocol an Internet file transfer service The following example shows SIP signaling 1 and audio 2 sessions between SIP clients A and B and the SIP server Figure 325 SIP ALG Example The ALG feature is only needed for traffic that goes through the ZyWALL s NAT 21 1 1 What You Can Do...

Page 436: ...rver from the WAN H 323 ALG The H 323 ALG supports peer to peer H 323 calls The H 323 ALG handles H 323 calls that go through NAT or that the ZyWALL routes You can also make other H 323 calls that do not go through NAT or routing Examples would be calls between LAN IP addresses that are on the same subnet The H 323 ALG allows calls to go out through NAT For example you could make a call from a pri...

Page 437: ...es the application patrol see Chapter 32 on page 559 to use the same port numbers for SIP traffic Likewise configuring the application patrol to use custom port numbers for SIP traffic also configures SIP ALG to use the same port numbers for SIP traffic Peer to Peer Calls and the ZyWALL The ZyWALL ALG can allow peer to peer VoIP calls for both H 323 and SIP You must configure the firewall and NAT ...

Page 438: ...return traffic for the calls initiated from the LAN IP addresses For example you configure firewall and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1 You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2 You configure corresponding policy routes to have calls from LAN IP address A...

Page 439: ...to allow sessions initiated from the WAN 21 2 The ALG Screen Click Configuration Network ALG to open the ALG screen Use this screen to turn ALGs off or on configure the port numbers to which they apply and configure SIP ALG time outs Note If the ZyWALL provides an ALG for a service you must enable the ALG in order to use the application patrol on that service s traffic Figure 329 Configuration Net...

Page 440: ...out Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout the ZyWALL deletes the signaling session after the timeout period Enter the SIP signaling ses...

Page 441: ...could also have a trunk with one interface set to active and a second interface set to passive The ZyWALL does not automatically change ALG managed Enable FTP ALG Turn on the FTP ALG to detect FTP File Transfer Program traffic and help build FTP sessions through the ZyWALL s NAT Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic s ba...

Page 442: ...ard teleconferencing protocol suite that provides audio data and video conferencing It allows for real time point to point and multipoint communication between client computers over a packet based network that does not provide a guaranteed quality of service NetMeeting uses H 323 SIP The Session Initiation Protocol SIP is an application layer control signaling protocol that handles the setting up ...

Page 443: ...WALL Suppose you configure access privileges for IP address 192 168 1 27 and use static DHCP to assign it to Tim s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with another MAC address Figure 330 IP MAC Binding Example 22 1 1 What You Can Do in this Chapter Use the Summary and Edit screens Section 22 2 on page 444 ...

Page 444: ...MAC Binding Summary Click Configuration Network IP MAC Binding to open the IP MAC Binding Summary screen This screen lists the total number of IP to MAC address bindings for devices connected to each supported interface Figure 331 Configuration Network IP MAC Binding Summary The following table describes the labels in this screen Table 112 Configuration Network IP MAC Binding Summary LABEL DESCRIP...

Page 445: ...nding This field displays the interface s total number of IP MAC bindings and IP addresses that the interface has assigned by DHCP Apply Click Apply to save your changes back to the ZyWALL Table 112 Configuration Network IP MAC Binding Summary continued LABEL DESCRIPTION Table 113 Configuration Network IP MAC Binding Edit LABEL DESCRIPTION IP MAC Binding Settings Interface Name This field displays...

Page 446: ...mputer s MAC address is in the table the ZyWALL assigns the corresponding IP address You can also access this table from the interface s edit screen Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it befor...

Page 447: ...s to assign to a device with the entry s MAC address MAC Address Enter the MAC address of the device to which the ZyWALL assigns the entry s IP address Description Enter up to 64 printable ASCII characters to help identify the entry For example you may want to list the computer s owner OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table ...

Page 448: ...yWALL does not apply IP MAC binding Add icon Click the Add icon to add a new entry Click the Remove icon to delete an entry A window displays asking you to confirm that you want to delete it Apply Click Apply to save your changes back to the ZyWALL Table 115 Configuration Network IP MAC Binding Exempt List continued LABEL DESCRIPTION ...

Page 449: ...ystem OS option and security requirements to gain access See Chapter 49 on page 815 for how to configure endpoint security objects to use with authentication policies In the following figure the ZyWALL s authentication policy requires endpoint security checking on local user A A passes authentication and the endpoint security check and is given access Local user B passes authentication but fails t...

Page 450: ...tch one of the authentication policy s endpoint security objects in order to gain access Forced User Authentication Instead of making users for which user aware policies have been configured go to the ZyWALL Login screen manually you can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet Note This works with HTTP traf...

Page 451: ...ck Remove to delete it or them Authentication Policy Summary Use this table to manage the ZyWALL s list of authentication policies Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and c...

Page 452: ...he source address object to which this policy applies Destination This displays the destination address object to which this policy applies Schedule This field displays the schedule object that dictates when the policy applies none means the policy is active at all times if enabled Authentication This field displays the authentication requirement for users when their traffic matches this policy Th...

Page 453: ...e from the member list and click the left arrow button to remove them Figure 337 Configuration Auth Policy Add Exceptional Service 23 2 2 Creating Editing an Authentication Policy Click Configuration Auth Policy and then the Add or Edit icon to open the Endpoint Security Edit screen Use this screen to configure an authentication policy ...

Page 454: ... up to 60 printable ASCII characters for the policy Spaces are allowed This field is available for user configured policies User Authentication Policy Use this section of the screen to determine which traffic requires or does not require the senders to be authenticated in order to be routed Source Address Select a source address or address group for whom this policy applies Select any if the polic...

Page 455: ...ation Enable EPS Checking Select this to have the ZyWALL check that users computers meet the Operating System OS and security requirements of one of the policy s selected endpoint security objects before granting access Periodical checking time Select this and specify a number of minutes to have the ZyWALL repeat the endpoint security check at a regular interval Available EPS Object Selected EPS O...

Page 456: ...Chapter 23 Authentication Policy ZyWALL USG 300 User s Guide 456 ...

Page 457: ...n from within the LAN zone and responses to this request are allowed However other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN zone is blocked Communications between the WAN and the DMZ zones are allowed The firewall allows VPN traffic between any of the networks Figure 339 Default Firewall Action 24 1 1 What You Can Do in this Chapter Use the Firewall screens Sectio...

Page 458: ... allowed for certain default services described in To ZyWALL Rules on page 459 All other WAN to ZyWALL traffic is dropped From WAN to any other than the ZyWALL Traffic from the WAN to any of the networks behind the ZyWALL is dropped From DMZ to ZyWALL Traffic from the DMZ to the ZyWALL itself is allowed for certain default services described in To ZyWALL Rules on page 459 All other DMZ to ZyWALL t...

Page 459: ...ich is not in a zone Global Firewall Rules Firewall rules with from any and or to any as the packet direction are called global firewall rules The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface Firewall...

Page 460: ...s such as file sharing applications may use a large number of NAT sessions A single client could use all of the available NAT sessions and prevent others from connecting to or through the ZyWALL The ZyWALL lets you limit the number of concurrent NAT firewall sessions a client can use Finding Out More See Section 6 5 14 on page 107 for related information on the Firewall screens See Section 7 7 6 o...

Page 461: ...rules Any traffic that does not match the first firewall rule will match the second rule and the ZyWALL forwards it Now suppose that your company wants to let the CEO use IRC You can configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO s computer You can also configure a LAN to WAN rule that allows IRC traffic from any computer through which the CEO logs into...

Page 462: ...rvice on the WAN The second row blocks LAN access to the IRC service on the WAN The third row is the firewall s default policy of allowing all traffic from the LAN to go to the WAN Alternatively you configure a LAN to WAN rule with the CEO s user name say CEO to allow IRC traffic from any source IP address to go to any destination address Your firewall would have the following configuration Table ...

Page 463: ...e ZyWALL would drop it and not check any other firewall rules 24 1 4 Firewall Rule Configuration Example The following Internet firewall rule example allows Doom players from the WAN to IP addresses 192 168 1 10 through 192 168 1 15 Dest_1 on the LAN 1 Click Configuration Firewall In the summary of firewall rules click Add in the heading row to configure a new first entry Remember the sequence pri...

Page 464: ...gure 344 Firewall Example Create a Service Object 6 Select From WAN and To LAN1 7 Enter the name of the firewall rule 8 Select Dest_1 is selected for the Destination and Doom is selected as the Service Enter a description and configure the rest of the screen as follows Click OK when you are done Figure 345 Firewall Example Edit a Firewall Rule ...

Page 465: ...wever allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets Virtual interfaces allow you to partition your network into logical sections over the same interface See the chapter about interfaces for more information By putting LAN ...

Page 466: ...to the selected direction Note the following If you enable intra zone traffic blocking see the chapter about zones the firewall automatically creates implicit rules to deny packet passage between the interfaces in the specified zone Besides configuring the firewall you also need to configure NAT rules to allow computers on the WAN to access LAN devices See Chapter 19 on page 419 for more informati...

Page 467: ...If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL s LAN IP address return traffic may not go through the ZyWALL This is called an asymmetrical or triangle route This causes the ZyWALL to reset the connection as the connection has not been acknowledged Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network not reset ...

Page 468: ...nactivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering The following read only fields summarize the rules you have created that apply to t...

Page 469: ...e passage of packets allow Log This field shows you whether a log and alert is created when packets match this rule or not Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 122 Configuration Firewall continued LABEL DESCRIPTION Table 123 Configuration Firewall Add LABEL DESCRIPTION Create new Object Use to configure an...

Page 470: ... address should be within the IP address range Source Select a source address or address group for whom this rule applies Select any if the policy is effective for every source Destination Select a destination address or address group for whom this rule applies Select any if the policy is effective for every destination Service Select a service or service group from the drop down list box Access U...

Page 471: ... Create rules below to apply other limits for specific users or addresses Rule Summary This table lists the rules for limiting the number of concurrent sessions hosts can have Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s setti...

Page 472: ...to which this session limit rule applies Address This is the address object to which this session limit rule applies Limit This is how many concurrent sessions this user or address is allowed to have Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 124 Configuration Firewall Session Limit continued LABEL DESCRIPTION T...

Page 473: ...ddress range Address Select a source address or address group for whom this rule applies Select any if the policy is effective for every source address Session Limit per Host Use this field to set a limit to the number of concurrent NAT firewall sessions this rule s users or addresses can have For this rule s users and addresses this setting overrides the Default Session per Host setting in the ge...

Page 474: ...Chapter 24 Firewall ZyWALL USG 300 User s Guide 474 ...

Page 475: ...k like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The following figure is an example of an IPSec VPN tunnel Figure 352 IPSec VPN Example The VPN tunnel connects the ZyWALL X and the remote peer IPSec router Y These routers then connect the local network A and remote network B 25 1...

Page 476: ...meters the ZyWALL and the remote IPSec router will use The first phase establishes an Internet Key Exchange IKE SA between the ZyWALL and remote IPSec router The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network This is illustrated in the following figure Figure 353...

Page 477: ...e IPSec router s address but you specify the remote policy the addresses of the devices behind the remote IPSec router This ZyWALL must have a static IP address or a domain name Only the remote IPSec router can initiate the VPN tunnel Choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users You don t specify the addr...

Page 478: ...virtual Ethernet interface VLAN interface or virtual VLAN interface to specify what address the ZyWALL uses as its IP address when it establishes the IKE SA You should set up the interface first See Chapter 13 on page 295 In a VPN gateway you can enable extended authentication If the ZyWALL is in server mode you should set up the authentication method AAA server first The authentication method spe...

Page 479: ...his to have the ZyWALL automatically obtain source and destination addresses for all dynamic IPSec rules See Section 6 4 2 on page 99 for how this option affects the routing table Ignore Don t Fragment setting in packet header Select this to fragment packets larger than the MTU Maximum Transmission Unit that have the don t fragment bit in the IP header turned on When you clear this the ZyWALL drop...

Page 480: ... bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field displays the name of the IPSec SA VPN Gateway This field displays the associated VPN gateway s If there is no VPN gateway this field displays manual key Encapsulation This field displays what encapsulation the IP...

Page 481: ...Chapter 25 IPSec VPN ZyWALL USG 300 User s Guide 481 Figure 355 Configuration VPN IPSec VPN VPN Connection Edit IKE ...

Page 482: ...BIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa VPN Gateway Application Scenario Select the scenario that best describes your intended VPN connection Site to site Choose this if the remote IPSec router has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose...

Page 483: ...e Protocol Select which protocol you want to use in the IPSec SA Choices are AH RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not encryption If you select AH you must select an Authentication algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authentication is weaker If you select ESP you must select an E...

Page 484: ...SHA1 and MD5 SHA1 is generally considered stronger than MD5 but it is also slower The ZyWALL and the remote IPSec router must both have a proposal that uses the same authentication algorithm Perfect Forward Secrecy PFS Select whether or not you want to enable Perfect Forward Secrecy PFS and if you do which Diffie Hellman key group to use for encryption Choices are none disable PFS DH1 enable PFS a...

Page 485: ...t and Last IP Address in the Remote Policy Select this to have the ZyWALL check the connection to the first and last IP addresses in the connection s remote policy Make sure one of these is the peer gateway s LAN IP address Log Select this to have the ZyWALL generate a log every time it checks this VPN connection Inbound Outbound traffic NAT Outbound Traffic Source NAT This translation hides the s...

Page 486: ...click this to delete it Move To change an entry s position in the numbered list select it and click Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to the number that you typed This field is a sequential value and it is not associated with a specific NAT record However the order of records is the sequence in which conditions are check...

Page 487: ... either the Add icon or an existing manual key entry s Edit icon In the VPN Gateway section of the screen select Manual Key Note Only use manual key as a temporary solution because it is not as secure as a regular IPSec SA Figure 356 Configuration VPN IPSec VPN VPN Connection Add Manual Key This table describes labels specific to manual key configuration See Section 25 2 on page 478 for descriptio...

Page 488: ...ot encryption If you select AH you must select an Authentication Algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authentication is weaker If you select ESP you must select an Encryption Algorithm and Authentication Algorithm The ZyWALL and remote IPSec router must use the same protocol Encryption Algorithm This field is applicable when the Active Protocol is ...

Page 489: ...r 1234567890XYZ for a DES encryption key the ZyWALL only uses 12345678 The ZyWALL still stores the longer key Authentication Key Enter the authentication key which depends on the authentication algorithm MD5 type a unique key 16 20 characters long SHA1 type a unique key 20 characters long You can use any alphanumeric characters or _ If you want to enter the key in hexadecimal type 0x at the beginn...

Page 490: ... to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object References Select an entry and click Object References to open a screen that shows which settings use...

Page 491: ...olicy or edit an existing one To access this screen go to the VPN Gateway summary screen see Section 25 3 on page 490 and click either the Add icon or an Edit icon Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 130 Configuration VPN IPSec VPN VPN Gateway continued LABEL DESCRIPTION ...

Page 492: ...Chapter 25 IPSec VPN ZyWALL USG 300 User s Guide 492 Figure 358 Configuration VPN IPSec VPN VPN Gateway Edit ...

Page 493: ...ess or the IP address corresponding to the domain name 0 0 0 0 is invalid Peer Gateway Address Select how the IP address of the remote IPSec router in the IKE SA is defined Select Static Address to enter the domain name or the IP address of the remote IPSec router You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one Fall back ...

Page 494: ...KE SA Then select the certificate the ZyWALL uses to identify itself to the remote IPsec router This certificate is one of the certificates in My Certificates If this certificate is self signed import it into the remote IPsec router If this certificate is signed by a CA the remote IPsec router must trust that CA Note The IPSec routers must trust each other s certificates The ZyWALL uses one of its...

Page 495: ...rs including spaces although trailing spaces are truncated This value is only used for identification and can be any string E mail the ZyWALL is identified by an e mail address you can use up to 31 ASCII characters including spaces although trailing spaces are truncated This value is only used for identification and can be any string Peer ID Type Select which type of identification is used to iden...

Page 496: ...ct alternative name field see the note at the end of this description DNS subject alternative name field E mail subject alternative name field Subject Name subject name maximum 255 ASCII characters including spaces Note If Peer ID Type is IP please read the rest of this section If you type 0 0 0 0 the ZyWALL uses the IP address specified in the Secure Gateway Address field This is not recommended ...

Page 497: ...DES encryption algorithm AES128 a 128 bit key with the AES encryption algorithm AES192 a 192 bit key with the AES encryption algorithm AES256 a 256 bit key with the AES encryption algorithm The ZyWALL and the remote IPSec router must use the same key size and encryption algorithm Longer keys require more processing power resulting in increased latency and decreased throughput Authentication Select...

Page 498: ...unnel for example use extended authentication to enforce a user name and password check This way even though they all know the VPN tunnel s security settings each still has to provide a unique user name and password Enable Extended Authentication Select this if one of the routers the ZyWALL or the remote IPSec router verifies a user name and password from the other router using the local user data...

Page 499: ...lidate the policy routes in each spoke router depending on the IP addresses and subnets of each spoke However a VPN concentrator is not for every situation The hub router is a single failure point so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally maintenance for example There is also more burden on the hub router It receives VPN traffic...

Page 500: ...IPSec VPN Concentrator Example This IPSec VPN concentrator example uses the following settings Branch Office A ZyNOS based ZyWALL VPN Gateway VPN Tunnel 1 My Address 10 0 0 2 Peer Gateway Address 10 0 0 1 VPN Connection VPN Tunnel 1 Local Policy 192 168 11 0 255 255 255 0 Remote Policy 192 168 1 0 255 255 255 0 Disable Policy Enforcement Policy Route Source 192 168 11 0 Destination 192 168 12 0 Ne...

Page 501: ...orcement Concentrator Add VPN tunnel 1 and VPN tunnel 2 to an IPSec VPN concentrator Firewall Block traffic from VPN tunnel 2 from accessing the LAN Branch Office B USG ZyWALL or ZyWALL 1050 VPN Gateway VPN Tunnel 2 My Address 10 0 0 3 Peer Gateway Address 10 0 0 1 VPN Connection VPN Tunnel 2 Local Policy 192 168 12 0 255 255 255 0 Remote Policy 192 168 1 0 255 255 255 0 Disable Policy Enforcement...

Page 502: ...The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL To access this screen click Configuration VPN IPSec VPN Concentrator The following screen appears Figure 361 Configuration VPN IPSec VPN Concentrator Each field is discussed in the following table See Section 25 4 3 on page 502 for more information 25 4 3 The VPN Concentrator Add Edit Screen The VPN Concentrator Add E...

Page 503: ...the first character cannot be a number This value is case sensitive Member Select the concentrator s IPSec VPN connection policies Note You must disable policy enforcement in each member See Section 25 2 1 on page 480 IPSec VPN connection policies that do not belong to a VPN concentrator appear under Available Select any VPN connection policies that you want to add to the VPN concentrator and clic...

Page 504: ... IP address or a domain name for either or both IP addresses Sometimes your ZyWALL might offer another alternative such as using the IP address of a port or interface as well You can also specify the IP address of the remote IPSec router as 0 0 0 0 This means that the remote IPSec router can have any IP address In this case only the remote IPSec router can initiate an IKE SA because the ZyWALL doe...

Page 505: ...th of DES Advanced Encryption Standard AES is a newer method of data encryption that also uses a secret key AES applies a 128 bit key to 128 bit blocks of data It is faster than 3DES Some ZyWALLs also offer stronger forms of AES that apply 192 bit or 256 bit keys to 128 bit blocks of data In most ZyWALLs you can select one of the following authentication algorithms for each proposal The algorithms...

Page 506: ...her in steps 5 and 6 as illustrated below The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps Figure 365 IKE SA Main Negotiation Mode Steps 5 6 Authentication continued You have to create and distribute a pre shared key The ZyWALL and remote IPSec router use it in the authentication process though it is n...

Page 507: ...page 507 the ZyWALL and the remote IPSec router authenticate each other successfully In contrast in Table 135 on page 507 the ZyWALL and the remote IPSec router cannot authenticate each other and therefore cannot establish an IKE SA It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router In this case you usually set the peer ID type to Any This is less secure ...

Page 508: ...t aggressive mode only takes three steps to establish an IKE SA Aggressive mode does not provide as much security because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted It is usually used in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre shared keys for authentication For example t...

Page 509: ... same VPN tunnel to connect to a single IPSec router For example this might be used with telecommuters In extended authentication one of the routers the ZyWALL or the remote IPSec router provides a user name and password to the other router which uses a local user database and or an external server to verify the user name and password If the user name or password is wrong the routers do not establ...

Page 510: ... to the remote IPSec router may be called the remote policy Active Protocol The active protocol controls the format of each packet It also specifies how much of each packet is protected by the encryption and authentication algorithms IPSec VPN includes two active protocols AH Authentication Header RFC 2402 and ESP Encapsulating Security Payload RFC 2406 Note The ZyWALL and remote IPSec router must...

Page 511: ...nd Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal see IKE SA Proposal on page 504 except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established This is called Perfect Forward Secrecy PFS If you enable PFS the ZyWALL and remote IPSec router perform a DH key exchange every time...

Page 512: ...y several proposals There is no DH key exchange so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use Note The ZyWALL and remote IPSec router must use the same encryption key and authentication key Authentication and the Security Parameter Index SPI For authentication the ZyWALL and remote IPSec router use the SPI instead of pre shared keys ID ...

Page 513: ...twork B If you do not configure it the remote IPSec router may not route messages for computer M through the IPSec SA because computer M s IP address is not part of its local policy To set up this NAT you have to specify the following information Source the original source address most likely computer M s network Destination the original destination address the remote network B SNAT the translated...

Page 514: ... this kind of NAT The ZyWALL checks these rules similar to the way it checks rules for a firewall The first part of these rules define the conditions in which the rule apply Original IP the original destination address the remote network B Protocol the protocol TCP UDP or both used by the service requesting the connection Original Port the original destination port or range of destination ports in...

Page 515: ...Chapter 25 IPSec VPN ZyWALL USG 300 User s Guide 515 ...

Page 516: ...Chapter 25 IPSec VPN ZyWALL USG 300 User s Guide 516 ...

Page 517: ...vice on your network for full tunnel mode access enter access messages or upload a custom logo to be displayed on the remote user screen 26 1 2 What You Need to Know There are two SSL VPN network access modes reverse proxy and full tunnel Reverse Proxy Mode In reverse proxy mode the ZyWALL is a proxy that acts on behalf of the local network servers such as your web and mail servers As the final de...

Page 518: ...work Access Mode Full Tunnel Mode SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks apply Endpoint Security EPS checking to require users computers to comply with defined corporate policies before they can access the SSL VPN tunnel limit user access to specific applications or files on the network allow user access to specific networks assign private IP addres...

Page 519: ...Accounts User Account User Group Configure a user account or user group to which you want to apply this SSL access policy Endpoint Security Endpoint Security Endpoint Security EPS checking makes sure users computers comply with defined corporate policies before they can access the SSL VPN tunnel Application SSL Application Configure an SSL application object to specify the type of application and ...

Page 520: ...it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for ...

Page 521: ...Chapter 26 SSL VPN ZyWALL USG 300 User s Guide 521 Apply Click Apply to save the settings Reset Click Reset to discard all changes Table 137 VPN SSL VPN Access Privilege LABEL DESCRIPTION ...

Page 522: ...SG 300 User s Guide 522 26 2 1 The SSL Access Policy Add Edit Screen To create a new or edit an existing SSL access policy click the Add or Edit icon in the Access Privilege screen Figure 372 VPN SSL VPN Access Privilege Add Edit ...

Page 523: ...e fields to make sure users computers meet an endpoint security object s Operating System OS and security requirements before granting access Enable EPS Checking Select this to have the ZyWALL check that users computers meet the Operating System OS and security requirements of one of the SSL access policy s selected endpoint security objects before granting access Periodical checking time Select t...

Page 524: ...applications as defined by the selected SSL application settings and the remote user computers are not made to be a part of the local network Assign IP Pool Define a separate pool of IP addresses to assign to the SSL users Select it here The SSL VPN IP pool cannot overlap with IP addresses on the ZyWALL s local networks LAN and DMZ for example the SSL user s network or the networks you specify in ...

Page 525: ...PN Login Domain Name SSL VPN Login Domain Name 1 2 Specify a domain name for users to use for SSL VPN login The domain name must be registered to one of the ZyWALL s IP addresses or be one of the ZyWALL s DDNS entries You can specify up to two domain names so you could use one domain name for each of two WAN ports Do not include the host For example www zyxel com is a fully qualified domain name w...

Page 526: ...eb browser on the remote user computer The ZyXEL company logo is the default logo Specify the location and file name of the logo graphic or click Browse to locate it Note The logo graphic must be GIF JPG or PNG format The graphic should use a resolution of 127 x 57 pixels to avoid distortion when displayed The ZyWALL automatically resizes a graphic of a different resolution to 127 x 57 pixels The ...

Page 527: ... Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL use the ZyWALL login screen s SSL VPN button to establish an SSL VPN connection See Section 27 2 on page 532 for details 1 Display the ZyWALL s login screen and enter your user account information the user name and password Click SSL VPN Figure 375 Login Screen ...

Page 528: ...ould see the client portal screen The following shows an example Figure 376 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access an SSL VPN connection is not activated message displays in the Login screen Clear the Login to SSL VPN check box and try logging in again For more information on user portal screens refer to Chapter 27 on page 531 ...

Page 529: ...Chapter 26 SSL VPN ZyWALL USG 300 User s Guide 529 ...

Page 530: ...Chapter 26 SSL VPN ZyWALL USG 300 User s Guide 530 ...

Page 531: ...k Web Access OWA Network Resource Access Methods As a remote user you can access resources on the local network using one of the following methods Using a supported web browser Once you have successfully logged in through the ZyWALL you can access intranet sites web based applications or web based e mails using one of the supported web browsers Using the ZyWALL SecuExtender client Once you have su...

Page 532: ...nd access network resources the domain name or IP address of the ZyWALL the login account user name and password if also required the user name and or password to access the network resource Certificates The remote user s computer establishes an HTTPS connection to the ZyWALL to access the login screen If instructed by your network administrator you must install or import a certificate provided by...

Page 533: ...the Address in a Web Browser 2 Click OK or Yes if a security screen displays Figure 379 Login Security Screen 3 A login screen displays Enter the user name and password of your login account If a token password is also required enter it in the One Time Password field 4 Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources Figure 380 Login Screen ...

Page 534: ...et a message about needing Java download and install it and restart your browser and re login If a certificate warning screen displays click OK Yes or Continue Figure 381 Java Needed Message 6 The ZyWALL tries to install the SecuExtender client As shown next you may have to click some pop ups to get your browser to allow the installation Figure 382 ActiveX Object Installation Blocked by Browser ...

Page 535: ...nternet Explorer click Install Figure 383 SecuExtender Blocked by Internet Explorer 8 The ZyWALL tries to run the ssltun application You may need to click something to get your browser to allow this In Internet Explorer click Run Figure 384 SecuExtender Progress 9 Click Next to use the setup wizard to install the SecuExtender client on your computer Figure 385 SecuExtender Progress ...

Page 536: ... finish installing the SecuExtender client on your computer Figure 386 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you See Figure 387 on page 537 for a screen example Note Available resource links vary depending on the configuration your network administrator made ...

Page 537: ...o to the Application or File Sharing screen 2 Click this icon to create a bookmark to the SSL VPN user screen in your web browser 3 Click this icon to display the on line help window 4 Click this icon to log out and terminate the secure connection 5 Select your preferred language for the interface 6 This part of the screen displays a list of the resources available to you In the Application screen...

Page 538: ... user screen click the Add to Favorite icon 2 A screen displays Accept the default name in the Name field or enter a descriptive name to identify this link 3 Click OK to create a bookmark in your web browser Figure 388 Add Favorite 27 5 Logging Out of the SSL VPN User Screens To properly terminate a connection click on the Logout icon in any remote user screen 1 Click the Logout icon in any remote...

Page 539: ...hapter 27 SSL User Screens ZyWALL USG 300 User s Guide 539 3 An information screen displays to indicate that the SSL VPN connection is about to terminate Figure 390 Logout Connection Termination Progress ...

Page 540: ...Chapter 27 SSL User Screens ZyWALL USG 300 User s Guide 540 ...

Page 541: ...an access depends on the ZyWALL s configuration 28 2 The Application Screen Click the Application tab to display the screen The Name field displays the descriptive name for an application The Type field displays wether the application is a web site Web Server or web based e mail using Microsoft Outlook Web Access OWA To access a web based application simply click a link in the Application screen t...

Page 542: ...Chapter 28 SSL User Application Screens ZyWALL USG 300 User s Guide 542 ...

Page 543: ...play and access shared files folders on a file server You can also perform the following actions Access a folder Open a file if your web browser cannot open the file you are prompted to download it Save a file to your computer Create a new folder Rename a file or folder Delete a file or folder Upload a file Note Available actions you can perform in the File Sharing screen vary depending on the rig...

Page 544: ...hared folder s available The following figure shows an example with one file share Figure 392 File Sharing 29 3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer 1 Log in as a remote user and click the File Sharing tab 2 Click on a file share icon ...

Page 545: ...SG 300 User s Guide 545 3 If an access user name and password are required a screen displays as shown in the following figure Enter the account information and click Login to continue Figure 393 File Sharing Enter Access User Name and Password ...

Page 546: ...lick a folder to access it For this example click on a doc file to open the Word document Figure 394 File Sharing Open a Word File 29 3 1 Downloading a File You are prompted to download a file which cannot be opened using a web browser Follow the on screen instructions to download and save the file to your computer Then launch the associated application to open the file ...

Page 547: ... the on screen instructions Figure 395 File Sharing Save a Word File 29 4 Creating a New Folder To create a new folder in the file share location click the New Folder icon Specify a descriptive name for the folder You can enter up to 356 characters Then click Add Note Make sure the length of the folder name does not exceed the maximum allowed on the file server Figure 396 File Sharing Save a Word ...

Page 548: ...dow displays Specify the new name and or file extension in the field provided You can enter up to 356 characters Then click Apply Note Make sure the length of the name does not exceed the maximum allowed on the file server You may not be able to open a file if you change the file extension Figure 398 File Sharing Rename 29 6 Deleting a File or Folder Click the Delete icon next to a file or folder ...

Page 549: ...ify the location and or name of the file you want to upload Or click Browse to locate it 3 Click Upload to send the file to the file server 4 After the file is uploaded successfully you should see the name of the file and a message in the screen Figure 399 File Sharing File Upload Note Uploading a file with the same name and file extension replaces the existing file on the file server No warning m...

Page 550: ...Chapter 29 SSL User File Sharing ZyWALL USG 300 User s Guide 550 ...

Page 551: ...ications must be installed on your computer For example to use the VNC remote desktop program you must have the VNC client installed on your computer 30 1 The ZyWALL SecuExtender Icon The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel s connection status Figure 400 ZyWALL SecuExtender Icon Red the SSL VPN tunnel is not connected You cannot connect to the SSL application and network re...

Page 552: ...e SSL VPN connection DNS Domain Name System maps a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection WINS Server 1 2 These are the IP add...

Page 553: ...ESCRIPTION 2009 03 12 13 35 50 SecuExtender Agent DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExtender Agent DEBUG rasphone pbk C Documents and Settings 11746 rasphone pbk 2009 03 12 13 35 50 SecuExtender Agent DEBUG SecuExtender log C Documents and Settings 11746 SecuExtender log 2009 03 12 13 35 50 SecuExtender Agent DETAIL Check Parameters 2009 03 12 13 35 50 SecuExtender...

Page 554: ...d select Stop Connection to disconnect the SSL VPN tunnel 30 6 Uninstalling the ZyWALL SecuExtender Do the following if you need to remove the ZyWALL SecuExtender 1 Click start All Programs ZyXEL ZyWALL SecuExtender Uninstall 2 In the confirmation screen click Yes Figure 403 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender Figure 404 ZyWALL SecuExtende...

Page 555: ...reen see Section 31 2 on page 557 to configure the ZyWALL s L2TP VPN settings 31 1 2 What You Need to Know The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it See Chapter 25 on page 475 for informatio...

Page 556: ...address object in the local policy For the Remote Policy create an address object that uses host type and an IP address of 0 0 0 0 Use this address object in the remote policy You must also edit the Default_L2TP_VPN_GW gateway entry Configure the My Address setting according to your requirements Replace the default Pre Shared Key Policy Route You must configure a policy route to let remote users a...

Page 557: ...ettings Note Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings The remote users must make any needed matching configuration changes and re establish the sessions using the new settings Figure 407 Configuration VPN L2TP VPN The following table describes the fields in this screen Table 142 Configuration VPN IPSec VPN VPN Connection LABEL DESCRIPTION Create new Object Use t...

Page 558: ...r user group that can use the L2TP VPN tunnel Use Create new Object if you need to configure a new user account see Section 40 2 1 on page 734 for details Otherwise select any to allow any user with a valid account and password on the ZyWALL to log in Keep Alive Timer The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user The ZyWALL disconnects ...

Page 559: ...VoIP call sound quality 32 1 1 What You Can Do in this Chapter Use the General summary screen see Section 32 2 on page 569 to enable and disable application patrol Use the Common Instant Messenger Peer to Peer VoIP and Streaming see Section 32 3 on page 570 screens to look at the applications the ZyWALL can recognize and review the settings for each one You can also enable and disable the rules fo...

Page 560: ...hedule user source and destination information Your custom policies take priority over the policy s default settings Classification of Applications There are two ways the ZyWALL can identify the application The first is called auto The ZyWALL looks at the IP payload OSI level 7 inspection and attempts to match it with known patterns for specific applications Usually this occurs at the beginning of...

Page 561: ...for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going Use application patrol to set a DSCP value for an application s traffic that the ZyWALL sends out Bandwidth Management When you allow an application you can restrict the bandwidth it uses or even the bandwidth that particular features in the application like voi...

Page 562: ...ore sending the traffic out a LAN zone interface Figure 408 LAN to WAN Connection and Packet Directions Outbound and Inbound Bandwidth Limits You can limit an application s outbound or inbound bandwidth This limit keeps the traffic from using up too much of the out going interface s bandwidth This way you can make sure there is bandwidth for other applications When you apply a bandwidth limit to o...

Page 563: ...e lowest priority Maximize Bandwidth Usage Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to borrow any unused bandwidth on the out going interface After each application gets its configured bandwidth rate the ZyWALL uses the fairness based scheduler to divide any unused bandwidth on the out going interface amongst applications that need more bandwidth and have ...

Page 564: ... for server B Maximize Bandwidth Usage Effect With maximize bandwidth usage enabled after each server gets its configured rate the rest of the available bandwidth is divided equally between the two So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps Then the ZyWALL divides the remaining bandwidth 1000 500 500 equally between the two 500 2 250 kbps for...

Page 565: ...for a description of DSCP marking 32 1 3 Application Patrol Bandwidth Management Examples Bandwidth management is very useful when applications are competing for limited bandwidth For example say you have a WAN zone interface connected to an ADSL device with a 8 Mbps downstream and 1 Mbps upstream ADSL connection The following sections give some simplified examples of using application patrol poli...

Page 566: ...32 1 3 2 SIP Any to WAN Bandwidth Management Example Manage SIP traffic going to the WAN zone from a VIP user on the LAN or DMZ Outbound traffic to the WAN from the LAN and DMZ is limited to 200 kbps The ZyWALL applies this limit before sending the traffic to the WAN Inbound traffic to the LAN and DMZ from the WAN is also limited to 200 kbps The ZyWALL applies this limit before sending the traffic...

Page 567: ...WAN to Any instead of Any to WAN 32 1 3 4 HTTP Any to WAN Bandwidth Management Example Inbound traffic gets more bandwidth as the local users will probably download more than they upload and the ADSL connection supports this Second highest priority 2 Set policies for other applications except SIP to lower priorities so the local users HTTP traffic gets sent before non SIP traffic Enable maximize b...

Page 568: ... you do not want to give FTP more bandwidth Figure 414 FTP WAN to DMZ Bandwidth Management Example 32 1 3 6 FTP LAN to DMZ Bandwidth Management Example The LAN and DMZ zone interfaces are connected to Ethernet networks not an ADSL device so you limit both outbound and inbound traffic to 50 Mbps Fourth highest priority 4 Disable maximize bandwidth usage since you do not want to give FTP more bandwi...

Page 569: ... 416 Configuration App Patrol General The following table describes the labels in this screen See Section 32 3 1 on page 571 for more information as well Table 147 Configuration App Patrol General LABEL DESCRIPTION Enable Application Patrol Select this check box to turn on application patrol Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL You must e...

Page 570: ...ion Status This field displays whether a service is activated Licensed or not Not Licensed or expired Expired Registration Type This field displays whether you applied for a trial application Trial or registered a service with your iCard s PIN number Standard None displays when the service is not activated Apply new Registration This link appears if you have not registered for the service or only ...

Page 571: ...PTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific application Status The activate light bulb icon is lit when the entry is active and d...

Page 572: ...s field displays the name of the application Classification Specify how the ZyWALL should identify this application Choices are Auto the ZyWALL identifies this application by matching the IP payload with the application s pattern s Service Ports the ZyWALL identifies this application by looking at the destination port in the IP header Service Port This is available if the Classification is Service...

Page 573: ...Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive This field is a sequential value and it is not associated with a specific condition Note The ZyWALL checks conditions in the order they appear in the list While this sequence does not affect the functionality you might improve the performance of the ZyWALL by putting more common conditions at ...

Page 574: ...s show the amount of bandwidth the application s traffic that matches the policy can use These fields only apply when Access is set to forward In This is how much inbound bandwidth in kilobits per second this policy allows the application to use Inbound refers to the traffic the ZyWALL sends to a connection s initiator If no displays here this policy does not apply bandwidth management for the app...

Page 575: ...instant messenger service Figure 419 Application Policy Edit The following table describes the labels in this screen OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 149 Application Edit continued LABEL DESCRIPTION Table 150 Application Policy Edit LABEL DESCRIPTION Create new Object Use to configure any new settings obje...

Page 576: ...ffective for every destination Access This field controls what the ZyWALL does with packets for this application that match this policy Choices are forward the ZyWALL routes the packets for this application Drop the ZyWALL does not route the packets for this application and does not notify the client of its decision Reject the ZyWALL does not route the packets for this application and notifies the...

Page 577: ... the traffic the ZyWALL sends to a connection s initiator If you enter 0 here this policy does not apply bandwidth management for the application s traffic that the ZyWALL sends to the initiator Traffic with bandwidth management disabled inbound and outbound are both set to 0 is automatically treated as the lowest priority 7 If the sum of the bandwidths for routes using the same next hop is higher...

Page 578: ...gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority The ZyWALL uses a fairness based round robin scheduler to divide bandwidth between applications with the same priority The number in this field is ignored if the incoming and outgoing limits are both set to 0 In this case the traffic is automatically treated as being set to the lowes...

Page 579: ...entry to the number that you typed Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive This field is a sequential value and it is not associated with a specific condition Note The ZyWALL checks conditions in the order they appear in the list While this sequence does not affect the functionality you might improve the performance of the ZyWALL by...

Page 580: ...r Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 391 for more details BWM These fields show the amount of bandwidth the traffic can use These fields only apply when Access is set to forward In This is how much inbound bandwidth in kilobits per second this policy allows the matching t...

Page 581: ...e ZyWALL generate a log log log and alert log alert or neither no when traffic matches this policy See Chapter 51 on page 877 for more on logs Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 151 AppPatrol Other continued LABEL DESCRIPTION Table 152 AppPatrol Other Edit LABEL DESCRIPTION Create new Object Use to confi...

Page 582: ...CP and UDP Select any to apply the policy to both TCP and UDP traffic Access This field controls what the ZyWALL does with packets that match this policy Choices are forward the ZyWALL routes the packets Drop the ZyWALL does not route the packets and does not notify the client of its decision Reject the ZyWALL does not route the packets and notifies the client of its decision DSCP Marking Set how ...

Page 583: ...y traffic uses all of the actual bandwidth Priority This field displays when the inbound or outbound bandwidth management is not set to 0 Enter a number between 1 and 7 to set the priority for traffic that matches this policy The smaller the number the higher the priority Traffic with a higher priority is given bandwidth before traffic with a lower priority The ZyWALL uses a fairness based round r...

Page 584: ...ion Patrol ZyWALL USG 300 User s Guide 584 OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 152 AppPatrol Other Edit continued LABEL DESCRIPTION ...

Page 585: ...es two interfaces to the LAN zone Figure 422 ZyWALL Anti Virus Example 33 1 1 What You Can Do in this Chapter Use the General screens Section 33 2 on page 588 to turn anti virus on or off set up anti virus policies and check the anti virus engine type and the anti virus license and signature status Use the Black White List screen Section 33 3 on page 593 to set up anti virus black blocked and whit...

Page 586: ...elf The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected to wiping out the entire contents of a hard drive to rendering your computer inoperable ZyWALL Anti Virus Scanner The ZyWALL has a built in signature database Setting up the ZyWALL between your local network and the Internet allows the ZyWALL to scan files transmitting through the ena...

Page 587: ...an detect polymorphic viruses 2 When a virus is detected an alert message is displayed in Microsoft Windows computers Refer to Appendix C on page 1013 if your Windows computer does not display the alert messages 3 Changes to the ZyWALL s anti virus settings affect new sessions not the sessions that already existed before you applied the changed settings 4 The ZyWALL does not scan the following fil...

Page 588: ...age 283 for how to register for the anti virus service You may need to customize the zones in the Network Zone used for the anti virus scanning direction 33 2 Anti Virus Summary Screen Click Configuration Anti X Anti Virus to display the configuration screen as shown next Figure 423 Configuration Anti X Anti Virus General ...

Page 589: ...ble ASCII characters X5O P AP 4 PZX54 P 7CC 7 EICAR STANDARD ANTIVIRUS TEST FILE H H Policies Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off ...

Page 590: ...ick this link to go to the screen where you can register for the service Signature Information The following fields display information on the current signature set that the ZyWALL is using Anti Virus Engine Type This field displays whether the ZyWALL is set to use ZyXEL s anti virus engine or the one powered by Kaspersky Upgrading the ZyWALL to firmware version 2 11 and updating the anti virus si...

Page 591: ... Select this check box to have the ZyWALL apply this anti virus policy to check traffic for viruses From To Select source and destination zones for traffic to scan for viruses The anti virus policy has the ZyWALL scan traffic coming from the From zone and going to the To zone Protocols to Scan Select which protocols of traffic to scan for viruses HTTP applies to traffic using TCP ports 80 8080 and...

Page 592: ...ature s log Create a log on the ZyWALL when a packet matches a signature s log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the ZyWALL send an alert when a packet matches a signature s White List Black List Checking Check White List Select this check box to check files against the white list Check Black List Select this...

Page 593: ...ord encryption Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip Note The ZyWALL s firmware package cannot go through the ZyWALL with this option enabled The ZyWALL classifies the ...

Page 594: ...LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns Use the black list to log and delete files with names that match the black list patterns Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select...

Page 595: ... for viruses Use up to 80 characters Alphanumeric characters underscores _ dashes question marks and asterisks are allowed A question mark lets a single character in the file name vary For example use a zip without the quotation marks to specify aa zip ab zip and so on Wildcards let multiple files match the pattern For example use a zip without the quotation marks to specify any file that ends wit...

Page 596: ...irus check on files with names that match the white list patterns Use the white list to have the ZyWALL not perform the anti virus check on files with names that match the white list patterns Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate In...

Page 597: ...making Internet Explorer run slowly and the computer maybe becoming unresponsive just click No to continue Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure 428 Configuration Anti X Anti Virus Signature Search by Severity ...

Page 598: ...yWALL search the signatures based on your specified criteria Query all signatures and export Click Export to have the ZyWALL save all of the anti virus signatures to your computer in a txt file Query Result This is the entry s index number in the list Name This is the name of the anti virus signature Click the Name column heading to sort your search results in ascending or descending order accordi...

Page 599: ...TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program A file infector is able to copy and attach itself to other programs that are executed on an infected computer Boot Sector Virus This type of virus infects the area of a hard drive that a computer reads and executes during startup The virus causes computer crashes and to some extend renders the infecte...

Page 600: ... share the resources such as CPU time on the computer for file inspection You have to update the virus signatures and or perform virus scans on all computers in the network regularly A network based anti virus NAV scanner is often deployed as a dedicated security device such as your ZyWALL on the network edge NAV scanners inspect real time data traffic such as E mail messages or web that tends to ...

Page 601: ...ge 605 to add a new profile edit an existing profile or delete an existing profile Use the Anti X IDP Custom Signature screens Section 34 8 on page 620 to create a new signature edit an existing signature delete existing signatures or save signatures to your computer 34 1 2 What You Need To Know Packet Inspection Signatures A signature identifies a malicious or suspicious packet and specifies an a...

Page 602: ...uration Changes to the ZyWALL s IDP settings affect new sessions not the sessions that already existed before you applied the changed settings Finding Out More See Section 6 5 20 on page 110 for IDP prerequisite information See Chapter 35 on page 637 for anomaly detection and protection See Section 34 9 on page 632 for more information on network based intrusions See Section 34 6 2 on page 612 for...

Page 603: ...ys and IDP is not enabled Figure 429 Configuration Anti X IDP General The following table describes the screens in this screen Table 160 Configuration Anti X IDP General LABEL DESCRIPTION General Settings Enable Signature Detection You must register for IDP service in order to use packet inspection signatures If you don t have a standard license you can register for a once off trial one Policies U...

Page 604: ...her LAN subnet via the ZyWALL s LAN zone interfaces The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone IDP Profile This field shows which IDP profile is bound to which traffic direction Select an IDP profile to apply to the entry s...

Page 605: ...n anomaly detection Current Version This field displays the IDP signature set version number This number gets larger as the set is enhanced Signature Number This field displays the number of IDP signatures in this set This number usually gets larger as the set is enhanced Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones Released Date ...

Page 606: ...not log alerts and no action is taken on packets that trigger them wan Signatures for all services are enabled Signatures with a medium high or severe severity level greater than two generate logs not log alerts and no action is taken on packets that trigger them Signatures with a very low or low severity level less than or equal to two are disabled lan This profile is most suitable for common LAN...

Page 607: ...SMTP SNMP SQL TELNET Oracle MySQL are enabled Signatures with a high or severe severity level greater than three generate log alerts and cause packets that trigger them to be dropped Signatures with a low or medium severity level two or three generate logs not log alerts and no action is taken on packets that trigger them Signatures with a very low severity level one are disabled OK Click OK to sa...

Page 608: ...he false alarms When you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature 34 5 1 Procedure To Create a New Profile To create a new profile 1 Click the Add icon in the Configuration Anti X IDP Profile screen to display a pop up screen allowing you to choose ...

Page 609: ...figuration Anti X IDP Profile and then add a new or edit an existing profile select Packet inspection signatures examine the contents of a packet for malicious data It operates at layer 4 to layer 7 34 6 1 Profile Group View Screen Figure 432 Configuration Anti X IDP Profile Edit Group View ...

Page 610: ...by criteria such as name ID severity attack type vulnerable attack platforms service category log options or actions Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Log To edit an item s log option select it and use the Log icon These are the log options no Select this option on an individual signature or a complete service g...

Page 611: ... the ZyWALL send a reset to both the sender and receiver when a packet matches the signature If it is a TCP attack packet the ZyWALL will send a packet with a RST flag to the receiver and sender If it is an ICMP or UDP attack packet the ZyWALL will send an ICMP unreachable packet This is the entry s index number in the list Status The activate light bulb icon is lit when the entry is active and di...

Page 612: ...n the final profile screen to complete the profile Table 163 Configuration Anti X IDP Profile Group View continued LABEL DESCRIPTION Table 164 Policy Types POLICY TYPE DESCRIPTION P2P Peer to peer P2P is where computing devices link directly to each other and can directly initiate communication with each other they do not need an intermediary A device can be both the client and the server In the Z...

Page 613: ...e overflow buffer region to obtain control of the system install a backdoor or use the victim to launch attacks on other devices Virus Worm A computer virus is a small program designed to corrupt and or alter the operation of other legitimate programs A worm is a program that is designed to copy itself from one computer to another on a network A worm s uncontrolled replication consumes system reso...

Page 614: ...n that group If you select original setting for service group logs and or actions all signatures within that group are returned to their last saved settings Figure 433 Configuration Anti X IDP Profile Edit IDP Service Group 34 6 4 Profile Query View Screen Click Switch to query view in the screen as shown in Figure 432 on page 609 to go to a signature query screen In the query view screen you can ...

Page 615: ...up View screen Switch to group view Click this button to go to the IDP profile group view screen where IDP signatures are grouped by service and you can configure activation logs and or actions Query Signatures Select the criteria on which to perform the search Search all custom signatures Select this check box to search for signatures you created or imported in the Custom Signatures screen You ca...

Page 616: ...rl key if you want to make multiple selections Action Search for signatures by the response the ZyWALL takes when a packet matches a signature See Table 163 on page 610 for action details Hold down the Ctrl key if you want to make multiple selections Activation Search for activated and or inactivated signatures here Log Search for signatures by log option here See Table 163 on page 610 for option ...

Page 617: ... 34 IDP ZyWALL USG 300 User s Guide 617 34 6 5 Query Example This example shows a search with these criteria Severity severe and high Attack Type DDoS Platform Windows 2000 and Windows XP computers Service Any ...

Page 618: ...Chapter 34 IDP ZyWALL USG 300 User s Guide 618 Actions Any Figure 435 Query Example Search Criteria Figure 436 Query Example Search Results ...

Page 619: ...ates IP version 4 IHL IP Header Length is the number of 32 bit words forming the total length of the header usually five Type of Service The Type of Service also known as Differentiated Services Code Point DSCP is usually set to 0 but may indicate particular quality of service needs from the network Total Length This is the size of the datagram in bytes It is the combined length of the header and ...

Page 620: ... router or bridge where the packet is not protected by a link layer cyclic redundancy check Packets with an invalid checksum are discarded by all nodes in an IP network Source IP Address This is the IP address of the original sender of the packet Destination IP Address This is the IP address of the final destination of the packet Options IP options is a variable length list of IP options for a dat...

Page 621: ... entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Export To save an entry or entries as a file on your computer select them and click Export Click Save in the file download dialog box and then select a location and name for the file Custom signatures must end with the rules file name extension ...

Page 622: ...mport custom signatures previously saved to your computer to the ZyWALL Note The name of the complete custom signature file on the ZyWALL is custom rules If you import a file named custom rules then all custom signatures on the ZyWALL are overwritten with the new file If this is not your intention make sure that the files you import are not named custom rules File Path Type the file path and name ...

Page 623: ...0 User s Guide 623 Try to write signatures that target a vulnerability for example a certain type of traffic on certain operating systems instead of a specific exploit Figure 439 Configuration Anti X IDP Custom Signatures Add Edit ...

Page 624: ... that is the operating systems you want to protect from this intrusion SGI refers to Silicon Graphics Incorporated who manufactures multi user Unix workstations that run the IRIX operating system SGI s version of UNIX A router is an example of a network device Service Select the IDP service group that the intrusion exploits or targets See Table 165 on page 613 for a list of IDP service groups The ...

Page 625: ...ual Smaller or Greater and then type in a number IP Options IP options is a variable length list of IP options for a datagram that define IP Security Option IP Stream Identifier security and handling restrictions for the military Record Route have each router record its IP address Loose Source Routing specifies a list of IP addresses that must be traversed by the datagram Strict Source Routing spe...

Page 626: ...ence Number Use this field to check for a specific TCP sequence number Ack Number Use this field to check for a specific TCP acknowledgement number Window Size Use this field to check for a specific TCP window size Transport Protocol UDP Port Select the check box and then enter the source and destination UDP port numbers that will trigger this signature Transport Protocol ICMP Type Use this field ...

Page 627: ...r Decode as URI A Uniform Resource Identifier URI is a string of characters for identifying an abstract or physical resource RFC 2396 A resource can be anything that has identity for example an electronic document an image a service today s weather report for Taiwan a collection of other resources An identifier is an object that can act as a reference to something that has identity Example URIs ar...

Page 628: ...mation about the attack as you can The more specific your signature the less chance it will cause false positives As an example say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic OK Click this button to save your changes to the ZyWALL and return to the summary screen Cancel Click this button to return to the summary scree...

Page 629: ...yzer also known as a network or protocol analyzer such as Wireshark or Ethereal to investigate some more Figure 440 DNS Query Packet Details From the details about DNS query you see that the protocol is UDP and the port is 53 The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2 Therefore enter 010 as the first pattern ...

Page 630: ...own in the following figure Figure 441 Example Custom Signature 34 8 3 Applying Custom Signatures After you create your custom signature it becomes available in the IDP service group category in the Configuration Anti X IDP Profile Edit screen Custom signatures have an SID from 9000000 to 9999999 ...

Page 631: ... may also want to configure an alert if it is for a serious attack and needs immediate attention After you apply the signature to a zone you can see if it works by checking the logs Monitor Log The Priority column shows warn for signatures that are configured to generate a log only It shows critical for signatures that are configured to generate a log and alert All IDP signatures come under the ID...

Page 632: ...ver in with the goal of accessing confidential information or destroying information on a computer You must install a host IDP directly on the system being protected It works closely with the operating system monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them Disadvantages of host IDPs are that you have to install them on each device that...

Page 633: ...nort rules are divided into two logical sections the rule header and the rule options as shown in the following example alert tcp any any 192 168 1 0 24 111 content 00 01 a5 msg mountd access The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options The words before the colons in the rule options section are the option keywords The ru...

Page 634: ...dow Size window Transport Protocol UDP In Snort rule header Port In Snort rule header Transport Protocol ICMP Type itype Code icode ID icmp_id Sequence Number icmp_seq Payload Options Snort rule options Payload Size dsize Offset relative to start of payload offset Relative to end of last match distance Content content Case insensitive nocase Decode as URI uricontent Table 170 ZyWALL Snort Equivale...

Page 635: ...Chapter 34 IDP ZyWALL USG 300 User s Guide 635 ...

Page 636: ...Chapter 34 IDP ZyWALL USG 300 User s Guide 636 ...

Page 637: ...t inspection 2 ADP traffic and anomaly rules are updated when you upload new firmware This is different from the IDP packet inspection signatures and the system protect signatures you download from myZyXEL com 35 1 2 What You Can Do in this Chapter Use Anti X ADP General Section 35 2 on page 639 to turn anomaly detection on or off and apply anomaly profiles to traffic directions Use Anti X ADP Pro...

Page 638: ...apply ADP profiles to traffic flowing from one zone to another Base ADP Profiles Base ADP profiles are templates that you use to create new ADP profiles The ZyWALL comes with several base profiles See Table 172 on page 641 for details on ADP base profiles ADP Policy An ADP policy refers to application of an ADP profile to a traffic flow Finding Out More See Section 6 5 21 on page 110 for ADP prere...

Page 639: ...ctly in the table Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change an entry s position i...

Page 640: ... subnet to a computer on another LAN subnet via the ZyWALL s LAN zone interfaces The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone Note Depending on your network topology and traffic load applying every packet direction to an anom...

Page 641: ...on Anti X ADP Profile Table 172 Base Profiles BASE PROFILE DESCRIPTION none All traffic anomaly and protocol anomaly rules are disabled No logs are generated nor actions are taken all All traffic anomaly and protocol anomaly rules are enabled Rules with a high or severe severity level greater than three generate log alerts and cause packets that trigger them to be dropped Rules with a very low low...

Page 642: ... could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a rule ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles To create a new profile select a base profile see Table 172 on page 641 and then click OK to go to the profile details screen Type a new profile name enable or disable individual rules and then edit th...

Page 643: ...pter 35 ADP ZyWALL USG 300 User s Guide 643 belonging to this profile make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab Figure 447 Profiles Traffic Anomaly ...

Page 644: ...lds and sample times are set high so most traffic anomaly attacks will be detected however you will have more logs and false positives Block Period Specify for how many seconds the ZyWALL blocks all packets from being sent to the victim destination of a detected anomaly attack Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate L...

Page 645: ...ab Name This is the name of the traffic anomaly rule Click the Name column heading to sort in ascending or descending order according to the rule name Log These are the log options To edit this select an item and use the Log icon Action This is the action the ZyWALL should take when a packet matches a rule To edit this select an item and use the Action icon Threshold For flood detection you can se...

Page 646: ...Chapter 35 ADP ZyWALL USG 300 User s Guide 646 Figure 448 Profiles Protocol Anomaly ...

Page 647: ...id unique profile names MyProfile mYProfile Mymy12_3 4 These are invalid profile names 1mYProfile My Profile MyProfile Whatalongprofilename123456789012 HTTP Inspection TCP Decoder UDP Decoder ICMP Decoder Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Log To edit an item s log option select it and use the Log icon Select whe...

Page 648: ...t both Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to both the sender and receiver when a packet matches the rule If it is a TCP attack packet the ZyWALL will send a packet with a RST flag to the receiver and sender If it is an ICMP or UDP attack packet the ZyWALL will send an ICMP unreachable packet This is the entry s index number in ...

Page 649: ... Portscan IP Portscan An IP port scan searches not only for TCP UDP and ICMP protocols in use by the remote computer but also additional IP protocols such as EGP Exterior Gateway Protocol or IGP Interior Gateway Protocol Determining these additional protocols can help reveal if the destination device is a workstation a printer or a router OK Click OK to save your settings to the ZyWALL complete th...

Page 650: ...that is they are one to many port scans One host scans a single port on multiple hosts This may occur when a new exploit comes out and the attacker is looking for a specific service These are some port sweep types TCP Portsweep UDP Portsweep IP Portsweep ICMP Portsweep Filtered Port Scans A filtered port scan may indicate that there were no network errors ICMP unreachables or TCP RSTs or responses...

Page 651: ... address of the network The router will broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If an attacker A spoofs the source IP address of the ICMP echo request packet the resulting ICMP traffic will not only saturate the receiving network B but the network of the spoofed source I...

Page 652: ...all outstanding SYN ACK responses on a backlog queue SYN ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three way handshake Once the queue is full the system will ignore all incoming SYN requests making the system unavailable for other users Figure 451 SYN Flood LAND Attack In a LAND attack hackers flood SYN packets into a network with a spoofed source ...

Page 653: ...r a space delimiter Apache uses this so if you have an Apache server you need to enable this option ASCII ENCODING ATTACK This rule can detect attacks where malicious attackers use ASCII encoding to encode attack strings Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server BARE BYTE UNICODING ENCODING ATTACK Bare byte encoding ...

Page 654: ...ted by both Apache and IIS web servers OVERSIZE CHUNK ENCODING ATTACK This rule is an anomaly detector for abnormally large chunk sizes This picks up the apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding OVERSIZE REQUEST URI DIRECTORY ATTACK This rule takes a non zero positive integer as an argument The argument specifies the max character director...

Page 655: ...ean the packet was truncated TTCP DETECTED ATTACK T TCP provides a way of bypassing the standard three way handshake found in TCP thus speeding up transactions However this could lead to unauthorized access to the system by spoofing connections UNDERSIZE LEN ATTACK This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes This may cause some applications to crash UNDE...

Page 656: ...ess than the ICMP header length This may cause some applications to crash TRUNCATED TIMESTAMP HEADER ATTACK This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length This may cause some applications to crash Table 176 HTTP Inspection and TCP UDP ICMP Decoders continued LABEL DESCRIPTION ...

Page 657: ...Chapter 35 ADP ZyWALL USG 300 User s Guide 657 ...

Page 658: ...Chapter 35 ADP ZyWALL USG 300 User s Guide 658 ...

Page 659: ...n web features such as cookies and or block access to specific web sites It can also block access to specific categories of web site content You can create different content filter policies for different addresses schedules users or groups and content filter profiles For example you can configure one policy that blocks John Doe s access to arts and entertainment web pages during the workday and an...

Page 660: ...bers When a matching policy is found the content filter allows or blocks the request depending on the settings of the filtering profile specified by the policy Some requests may not match any policy The ZyWALL allows the request if the default policy is not set to block The ZyWALL blocks the request if the default policy is set to block External Web Filtering Service When you register for and enab...

Page 661: ...ding Out More See Section 6 5 22 on page 110 for related information on these screens See Section 36 7 on page 681 for content filtering background technical information 36 1 3 Before You Begin You must configure an address object a schedule object and a filtering profile before you can set up a content filter policy You must subscribe to use the external database content filtering see the Licensi...

Page 662: ... Filter Report Service Select this check box to have the ZyWALL collect category based content filtering statistics Policies This is a list of the configured content filter policies Block web access when no policy is applied Select this check box to stop users from accessing the Internet by default when their attempted access does not match a content filter policy Add Click this to create a new en...

Page 663: ...tent filter policy You can define different policies for different time periods none means the content filter policy applies all of the time User This column displays the individual or group to which this policy applies any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any user Filter Profile This column displays the name of the content fil...

Page 664: ...er is not active You can view content filter reports after you register the ZyWALL and activate the subscription service in the Registration screen see Chapter 37 on page 683 License Type This read only field displays what kind of service registration you have for the content filtering database None displays if you have not successfully registered and activated the service Standard displays if you...

Page 665: ... access to certain categories after the work day is over Select none to have the content filter policy apply all of the time Address Select the address or address group for which you want to use this policy Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any IP address Filter Profile Use the drop down list box to select the content...

Page 666: ... X Content Filter Filter Profile Add or Edit to open the Categories screen Use this screen to enable external database content filtering and select which web site categories to block and or log Note You must register for external content filtering before you can use it See Section 11 2 on page 285 for how to register Table 179 Configuration Anti X Content Filter Filter Profile LABEL DESCRIPTION Ad...

Page 667: ...Chapter 36 Content Filtering ZyWALL USG 300 User s Guide 667 See Chapter 37 on page 683 for how to view content filtering reports Figure 455 Configuration Anti X Content Filter Filter Profile Add ...

Page 668: ...after you register the ZyWALL and activate the subscription service in the Registration screen see Chapter 37 on page 683 License Type This read only field displays what kind of service registration you have for the content filtering database None displays if you have not successfully registered and activated the service Standard displays if you have successfully registered the ZyWALL and activate...

Page 669: ...at match the other categories that you select below When external database content filtering blocks access to a web page it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page Select Log to record attempts to access web pages that match the other categories that you select below Action for Unrated Web Pages Sel...

Page 670: ...tent filtering s license key is invalid Select Log to record attempts to access web pages that occur when the external content filtering database is unavailable Content Filter Category Service Timeout Specify a number of seconds 1 to 60 for the ZyWALL to wait for a response from the external content filtering server If there is still no response by the time this period expires the ZyWALL blocks or...

Page 671: ...onnect and send user info sites that make extensive use of tracking cookies without a posted privacy statement and sites to which browser hijackers redirect users Usually does not include sites that can be marked as Spyware Malware Note Sites rated as spyware effects typically have a second category assigned with them Managed Categories These are categories of web pages based on their content Sele...

Page 672: ... not include pages that sell gambling related products or machines It also does not include pages for offline casinos and hotels as long as those pages do not meet one of the above requirements Violence Hate Racism This category includes pages that depict extreme physical harm to people or property or that advocate or provide instructions on how to cause such harm It also includes pages that advoc...

Page 673: ...hat offer educational information distance learning and trade school information or programs It also includes pages that are sponsored by schools educational facilities faculty or alumni groups Cultural Charitable Organization This category includes pages that nurture cultural understanding and foster volunteerism such as 4H the Lions and Rotary Clubs Also encompasses non profit associations that ...

Page 674: ...at provide assistance in finding employment and tools for locating prospective employers News Media This category includes pages that primarily report information or comments on current events or contemporary issues of the day It also includes radio stations and magazines It does not include pages that can be rated in other categories Personals Dating This category includes pages that promote inte...

Page 675: ...ntially act as your personal hard drive on the Internet Remote Access Tools This category includes pages that primarily focus on providing information about and or methods that enables authorized access to and use of a desktop computer or private network remotely Shopping This category includes pages that provide or advertise the means to obtain goods or services It does not include pages that can...

Page 676: ... and sharing across a network without dependence on a central server Streaming Media MP3s This category includes pages that sell deliver or stream music or video content in any format including sites that provide downloads for such viewers Proxy Avoidance This category includes pages that provide information on how to bypass proxy server appliance features or gain access to URLs in any way that by...

Page 677: ...s sites that are part of the Web and email spam ecosystem Sites that are determined to be clearly malicious or benign will be placed in a different category Alternative Sexuality Lifestyles This category includes pages that provide information promote or cater to alternative sexual expressions in their myriad forms It includes but is not limited to the full range of non traditional sexual practice...

Page 678: ...st You can check which category a web page belongs to Enter a web site URL in the text box Test Against Local Cache Click this button to see the category recorded in the ZyWALL s content filtering database for the web page you specified if the database has an entry for it Test Against Content Filter Category Server Click this button to see the category recorded in the external content filter serve...

Page 679: ...keywords from the filter list Figure 457 Configuration Anti X Content Filter Filter Profile Customization The following table describes the labels in this screen Table 181 Configuration Anti X Content Filter Filter Profile Customization LABEL DESCRIPTION Name Enter a descriptive name for this content filtering profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the fi...

Page 680: ... pointing to this proxy server Allow Java ActiveX Cookies Web proxy to trusted web sites When this box is selected the ZyWALL will permit Java ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN In certain cases it may be desirable to allow Java ActiveX or Cookies from sites that are known and trusted Trusted Web Sites These are sites that you want to allow access to regardless...

Page 681: ...This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Blocked URL Keywords This list displays the keywords already added Enter a keyword or a numerical IP address to block You can also enter...

Page 682: ...onfiguration 3 Use the Content Filter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses see Section 10 19 on page 273 All of the web site address records are also cleared from the local cache when the ZyWALL restarts 4 If the ZyWALL has no record of the web site it queries the external content filter database and simultaneously send...

Page 683: ... register your device and activate the subscription services 37 2 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen You need to register your iCard before you can view content filtering reports Alternatively you can also view content filtering rep...

Page 684: ...Chapter 37 Content Filter Reports ZyWALL USG 300 User s Guide 684 2 Fill in your myZyXEL com account information and click Login Figure 459 myZyXEL com Login ...

Page 685: ...ys Click your ZyWALL s model name and or MAC address under Registered ZyXEL Products the ZyWALL 70 is shown as an example here You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen see Figure 461 on page 686 Figure 460 myZyXEL com Welcome ...

Page 686: ...4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens Figure 461 myZyXEL com Service Management 5 In the Web Filter Home screen click the Reports tab Figure 462 Content Filter Reports Main Screen ...

Page 687: ...orts Figure 463 Content Filter Reports Report Home 7 Select a time period in the Date Range field either Allowed or Blocked in the Action Taken field and a category or enter the user name if you want to view single user reports and click Run Report The screens vary according to the report type you selected in the Report Home screen ...

Page 688: ...Chapter 37 Content Filter Reports ZyWALL USG 300 User s Guide 688 8 A chart and or list of requested web site categories display in the lower half of the screen Figure 464 Global Report Screen Example ...

Page 689: ...ntent Filter Reports ZyWALL USG 300 User s Guide 689 9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested Figure 465 Requested URLs Example ...

Page 690: ...Chapter 37 Content Filter Reports ZyWALL USG 300 User s Guide 690 ...

Page 691: ... to have the ZyWALL check e mail against DNS Black Lists 38 1 2 What You Need to Know White list Configure white list entries to identify legitimate e mail The white list entries have the ZyWALL classify any e mail that is from a specified sender or uses a specified header field and header value as being legitimate see E mail Headers on page 692 for more on mail headers The anti spam feature check...

Page 692: ...use SMTP to send messages to a mail server The older POP2 requires SMTP for sending messages while the newer POP3 can be used with or without it This is why many e mail applications require you to specify both the SMTP server and the POP or IMAP server even though they may actually be the same server The ZyWALL s anti spam feature checks SMTP TCP port 25 and POP3 TCP port 110 e mails The anti spam...

Page 693: ...is also known as a DNS spam blocking list The ZyWALL can check the routing addresses of e mail against DNSBLs and classify an e mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL Finding Out More See Section 38 7 on page 704 for more background information on anti spam 38 2 Before You Begin Configure your zones before you configure anti spam 38 3 The Anti Spam G...

Page 694: ...e mail session is when an e mail client and e mail server or two e mail servers connect through the ZyWALL Select how to handle concurrent e mail sessions that exceed the maximum number of concurrent e mail sessions that the anti spam feature can handle See the chapter of product specifications for the threshold Select Forward Session to have the ZyWALL allow the excess e mail sessions without any...

Page 695: ...vate light bulb icon is lit when the entry is active and dimmed when the entry is inactive Priority This is the position of an anti spam policy in the list The ordering of your anti spam policies is important as the ZyWALL applies them in sequence Once traffic matches an anti spam policy the ZyWALL applies that policy and does not check the traffic against any more policies From The anti spam poli...

Page 696: ...elect how the ZyWALL is to log the event when the DNSBL times out or an e mail matches the white list black list or DNSBL no Do not create a log log Create a log on the ZyWALL log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the ZyWALL send an alert From To Select source and destination zones for traffic to scan for spa...

Page 697: ...k list entry as spam Check DNSBL Select this check box to check e mail against the ZyWALL s configured DNSBL domains The ZyWALL classifies e mail that matches a DNS black list as spam Actions for Spam Mail Use this section to set how the ZyWALL is to handle spam mail SMTP Select how the ZyWALL is to handle spam SMTP mail Select drop to discard spam SMTP mail Select forward to allow spam SMTP mail ...

Page 698: ...ails that match the ZyWALL s spam black list Rule Summary Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Status The activate light bulb icon is lit when the entry is active and d...

Page 699: ...ding list screen enable the anti spam feature in the anti spam general screen and configure an anti spam policy to use the list Type Use this field to base the entry on the e mail s subject source or relay IP address source e mail address or header Select Subject to have the ZyWALL check e mail for specific content in the subject line Select IP Address to have the ZyWALL check e mail for a specifi...

Page 700: ...notation Netmask This field displays when you select the IP type Enter the subnet mask here if applicable Sender E Mail Address This field displays when you select the E Mail type Enter a keyword up to 63 ASCII characters See Section 38 4 2 on page 700 for more details Mail Header Field Name This field displays when you select the Mail Header type Type the name part of an e mail header the part th...

Page 701: ...6 Configuration Anti X Anti Spam Black White List White List LABEL DESCRIPTION General Settings Enable White List Checking Select this check box to have the ZyWALL forward e mail that matches an active white list entry without doing any more anti spam checking on that individual e mail Rule Summary Add Click this to create a new entry See Section 38 4 1 on page 699 for details Edit Select an entry...

Page 702: ...BLs Figure 471 Configuration Anti X Anti Spam DNSBL Type This field displays whether the entry is based on the e mail s subject source or relay IP address source e mail address or a header Content This field displays the subject content source or relay IP address source e mail address or header value for which the entry checks OK Click OK to save your changes Cancel Click Cancel to exit this scree...

Page 703: ...ddress in the mail header This is the IP of the sender or the first server that forwarded the mail Select last N IPs to have the ZyWALL start checking from the last IP address in the mail header This is the IP of the last server that forwarded the mail Query Timeout Setting SMTP Select how the ZyWALL is to handle SMTP mail mail going to an e mail server if the queries to the DNSBL domains time out...

Page 704: ... one non spam reply for each of an e mail s routing IP addresses the ZyWALL immediately classifies the e mail as legitimate and forwards it Any further DNSBL replies that come after the ZyWALL classifies an e mail as spam or legitimate have no effect The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours The ZyWALL checks an e mail s sender and relay IP addresses against...

Page 705: ...te query to each of its DNSBL domains for IP address b b b b 2 DNSBL A replies that IP address a a a a does not match any entries in its list not spam 3 DNSBL C replies that IP address b b b b matches an entry in its list 4 The ZyWALL immediately classifies the e mail as spam and takes the action for spam that you defined in the anti spam policy In this example it was an SMTP mail and the defined ...

Page 706: ...er separate query to each of its DNSBL domains for IP address d d d d 2 DNSBL B replies that IP address d d d d does not match any entries in its list not spam 3 DNSBL C replies that IP address c c c c does not match any entries in its list not spam 4 Now that the ZyWALL has received at least one non spam reply for each of the e mail s routing IP addresses the ZyWALL immediately classifies the e m...

Page 707: ...rate query to each of its DNSBL domains for IP address w x y z 2 DNSBL A replies that IP address a b c d does not match any entries in its list not spam 3 While waiting for a DNSBL reply about IP address w x y z the ZyWALL receives a reply from DNSBL B saying IP address a b c d is in its list 4 The ZyWALL immediately classifies the e mail as spam and takes the action for spam that you defined in t...

Page 708: ...Chapter 38 Anti Spam ZyWALL USG 300 User s Guide 708 ...

Page 709: ...Active Passive Mode screens Section 39 3 on page 712 to use active passive mode device HA You can configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs Use the Legacy Mode screens Section 39 5 on page 719 to use legacy mode device HA You can configure general legacy mode HA settings including link monitoring configu...

Page 710: ...virus IDP application patrol and system protect and certificates Note Only ZyWALLs of the same model and firmware version can synchronize Otherwise you must manually configure the master ZyWALL s settings on the backup by editing copies of the configuration files in a text editor for example Finding Out More See Section 6 5 24 on page 111 for related information on these screens See Section 39 7 o...

Page 711: ...p between the master and backup ZyWALLs such as active active or using different ZyWALLs as the master for individual interfaces The master and its backups must all use the same device HA mode Click the link to go to the screen where you can configure the ZyWALL to use the device HA mode that it is not currently using Monitored Interface Summary This table shows the status of the interfaces that y...

Page 712: ...monitored interface s status in the virtual router Active This interface is up and using the virtual IP address and subnet mask Stand By This interface is a backup interface in the virtual router It is not using the virtual IP address and subnet mask Fault This interface is not functioning in the virtual router right now In active passive mode or in legacy mode with link monitoring enabled if one ...

Page 713: ...d backup ZyWALLs Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL Virtual Router and Management IP Addresses If a backup takes over for the master it uses the master s IP addresses These IP addresses are know as the virtual router IP addresses Each interface can also have a management IP address...

Page 714: ...es 39 3 1 Configuring Active Passive Mode Device HA The Device HA Active Passive Mode screen lets you configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs To access this screen click Configuration Device HA Active Passive Mode Figure 480 Configuration Device HA Active Passive Mode A 192 168 1 1 B 192 168 1 1 192 16...

Page 715: ...This field is available for a backup ZyWALL Select this if this ZyWALL should become the master ZyWALL if a lower priority ZyWALL is the master when this one is enabled If the role is master the ZyWALL preempts by default Cluster Settings Cluster ID Type the cluster ID number A virtual router consists of a master ZyWALL and all of its backup ZyWALLs If you have multiple ZyWALL virtual routers on y...

Page 716: ...ynchronization to have a backup ZyWALL copy the master ZyWALL s configuration certificates AV signatures IDP and application patrol signatures and system protect signatures Every interface s management IP address must be in the same subnet as the interface s IP address the virtual router IP address Server Address If this ZyWALL is set to backup role enter the IP address or Fully Qualified Domain N...

Page 717: ...e same password If you leave this field blank in the master ZyWALL no backup ZyWALLs can synchronize from it If you leave this field blank in a backup ZyWALL it cannot synchronize from the master ZyWALL Auto Synchronize Select this to get the updated configuration automatically from the specified ZyWALL according to the specified Interval The first synchronization begins after the specified Interv...

Page 718: ...interfaces or disable the bridge interfaces connect the bridge interfaces activate device HA and finally reactivate the bridge interfaces Virtual Router IP VRIP Subnet Mask This is the interface s static IP address and subnet mask in the virtual router Whichever ZyWALL is currently serving as the master uses this virtual router IP address and subnet mask These fields are blank if the interface is ...

Page 719: ...s that have static IP addresses You can only enable one VRRP group for each interface and you can only have one active VRRP group for each virtual router If you create a VRRP group for an Ethernet interface that has a VLAN interface configured on it make sure you create a separate VRRP group for the VLAN interface This will avoid an IP conflict if the backup ZyWALL takes over for the master When t...

Page 720: ...evice HA Legacy Mode LABEL DESCRIPTION General Settings Link Monitoring Enable link monitoring to have the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down This way the backup ZyWALL takes over all of the master ZyWALL s functions Stop Cellular WLAN interfaces while one of monitored interface is fault Select this to have the master ZyWALL shut down an...

Page 721: ...tual Router IP Netmask This is the interface s IP address and subnet mask in the virtual router Management IP Netmask This field displays the management IP address and subnet mask of an interface Synchronization Server Address Enter the IP address or Fully Qualified Domain Name FQDN of the ZyWALL from which to get configuration and subscription service updates for services to which the backup ZyWA...

Page 722: ...t configuration and subscription service updates automatically from the specified ZyWALL according to the specified Interval The first synchronization begins after the specified Interval the ZyWALL does not synchronize immediately Interval This field is only available if Auto Synchronize is checked Type the number of minutes to wait between synchronizations Apply switch to Legacy Mode This appears...

Page 723: ...ace s IP address for management access You can use this IP address to access the ZyWALL whether it is the master or a backup This management IP address should be in the same subnet as the interface IP address so the backup ZyWALL cannot synchronize with the master via this VRRP interface Manage IP Subnet Mask Enter the subnet mask of the interface s management IP address Role Select the role that ...

Page 724: ...thod and password Choices are None this virtual router does not use any authentication method Text this virtual router uses a plain text password for authentication Type the password in the field next to the radio button The password can consist of alphanumeric characters the underscore and some punctuation marks and it can be up to eight characters long IP AH MD5 this virtual router uses an encry...

Page 725: ...yWALL B are not connected 2 Configure the bridge interface on the master ZyWALL set the bridge interface as a monitored interface and activate device HA 3 Configure the bridge interface on the backup ZyWALL set the bridge interface as a monitored interface and activate device HA B A B A Br0 ge4 ge5 B A Br0 ge4 ge5 Br0 ge4 ge5 ...

Page 726: ...interfaces activate device HA and finally reactivate the bridge interfaces as shown in the following example 1 In this case the ZyWALLs are already connected but the bridge faces have not been configured yet Configure a disabled bridge interface on the master ZyWALL but disable it Then set the bridge interface as a monitored interface and activate device HA B A Br0 ge4 ge5 Br0 ge4 ge5 B A Br0 ge4 ...

Page 727: ...ce on the backup ZyWALL Then set the bridge interface as a monitored interface and activate device HA 3 Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL 4 Connect the ZyWALLs B A Br0 ge4 ge5 Br0 ge4 ge5 Disabled Disabled B A Br0 ge4 ge5 Br0 ge4 ge5 B A Br0 ge4 ge5 Br0 ge4 ge5 ...

Page 728: ... address as the default gateway and forwards traffic for the network ZyWALL B is a backup It is using its management IP address 192 168 10 112 ZyWALL A sends regular messages to ZyWALL B to let ZyWALL B know that ZyWALL A is available If ZyWALL A becomes unavailable it stops sending messages to ZyWALL B ZyWALL B detects this and assumes the role of the master This is illustrated below Figure 485 E...

Page 729: ...still recommended that the backup ZyWALL synchronize with a master ZyWALL on a secure network The backup ZyWALL gets the configuration from the master ZyWALL The backup ZyWALL cannot become the master or be managed while it applies the new configuration This usually takes two or three minutes or longer depending on the configuration complexity The following restrictions apply with active passive m...

Page 730: ...Chapter 39 Device HA ZyWALL USG 300 User s Guide 730 ...

Page 731: ... users and other user groups You cannot put admin users in user groups The Setting screen see Section 40 4 on page 739 controls default settings login settings lockout settings and other user settings for the ZyWALL You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them 40 1 2 What You Need To Know User Account A user account defines the priv...

Page 732: ...respectively Note If the ZyWALL tries to authenticate an ext user using the local database the attempt always fails Once an ext user user has been authenticated the ZyWALL tries to get the user type see Table 193 on page 731 from the external server If the external server does not have the information the ZyWALL sets the user type for this session to User For the rest of the user attributes such a...

Page 733: ...have to log into the ZyWALL to use the network services it provides The ZyWALL automatically routes packets for everyone If you want to restrict network services that certain users can use via the ZyWALL you can require them to log in to the ZyWALL first The ZyWALL is then aware of the user who is logged in and you can create user aware policies that define what services they can use See Section 4...

Page 734: ...ng characters Alphanumeric A z 0 9 there is no unicode support _ underscores Table 194 Configuration Object User Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so O...

Page 735: ...S or FTP it will use the account settings used for BOB not bob User names have to be different than user group names Here are the reserved user names To access this screen go to the User screen see Section 40 2 on page 734 and click either the Add icon or an Edit icon Figure 487 Configuration User Group User Add adm admin any bin daemon debug devicehaecived ftp games halt ldap users lp mail news n...

Page 736: ... alphanumeric characters Retype This field is not available if you select the ext user or ext group user type Group Identifier This field is available for a ext group user type user account Specify the value of the AD or LDAP server s Group Membership Attribute that identifies the group to which this user belongs Associated AAA Server Object This field is available for a ext group user type user a...

Page 737: ...umber of minutes unlimited Unlike Lease Time the user has no opportunity to renew the session without logging out Configuration Validation Use a user account from the group specified above to test if the configuration is correct Enter the account s user name in the User Name field and click Test OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without sav...

Page 738: ...is field displays the name of each user group Description This field displays the description for each user group Member This field lists the members in the user group Each member is separated by a comma Table 196 Configuration Object User Group Group continued LABEL DESCRIPTION Table 197 Configuration User Group Group Add LABEL DESCRIPTION Name Type the name for this user group You may use 1 31 a...

Page 739: ... been added to the user group The order of members is not important Select users and groups from the Available list that you want to be members of this group and move them to the Member list You can double click a single entry to move it or use the Shift or Ctrl key to select multiple entries and use the arrow button to move them Move any members you do not want included to the Available list OK C...

Page 740: ...entication Timeout Settings Default Authentication Timeout Settings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Ed...

Page 741: ...cally see Section 40 4 on page 739 the users can select this check box on their screen as well In this case the session is automatically renewed before the lease time expires Reauthentication Time This is the default reauthentication time in minutes for each type of user account It defines the number of minutes the user can be logged into the ZyWALL in one session before having to log in again Unl...

Page 742: ... on the number of simultaneous logins by non admin users If you do not select this access users can login as many times as they want as long as they use different IP addresses Maximum number per access account This field is effective when Limit for access account is checked Type the maximum number of simultaneous logins by each access user User Lockout Settings Enable logon retry limit Select this...

Page 743: ...tained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 733 for more information about this type Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Admin users renew the session every time the main screen...

Page 744: ...ically logs them out The ZyWALL sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 40 2 1 on page 734 Lease time field in the Setting screen see Section 40 4 on page 739 Updating lease time automatically This box appears if you checked the Allow renewing lease time automatically box in the Setting screen S...

Page 745: ...ge number of Ext User accounts you might use CLI commands instead of the Web Configurator to create the accounts Extract the user names from the LDAP or RADIUS server and create a shell script that creates the user accounts See Chapter 52 on page 893 for more information about shell scripts Table 201 LDAP RADIUS Keywords for User Attributes KEYWORD CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR type ...

Page 746: ...Chapter 40 User Group ZyWALL USG 300 User s Guide 746 ...

Page 747: ... dynamic routes firewall rules application patrol content filtering and VPN connection policies For example addresses are used to specify where content restrictions apply in content filtering Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of memb...

Page 748: ...ck this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an examp...

Page 749: ...s subnet or gateway if the interface s IP address settings change For example if you change ge1 s IP address the ZyWALL automatically updates the corresponding interface based LAN subnet address object IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only availab...

Page 750: ...presents OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 203 Configuration Object Address Address Edit continued LABEL DESCRIPTION Table 204 Configuration Object Address Address Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the ent...

Page 751: ...ashes but the first character cannot be a number This value is case sensitive Description This field displays the description of each address group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the address and address group objects that have been added to the address group The order of members is not important Select items fro...

Page 752: ...Chapter 41 Addresses ZyWALL USG 300 User s Guide 752 ...

Page 753: ...level protocol that is sent in this packet This section discusses three of the most common IP protocols Computers use Transmission Control Protocol TCP IP protocol 6 and User Datagram Protocol UDP IP protocol 17 to exchange data with each other TCP guarantees reliable delivery but is slower and more complex Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some ...

Page 754: ...P protocols TCP applications UDP applications ICMP messages user defined services for other types of IP protocols These objects are used in policy routes firewall rules and IDP profiles Use service groups when you want to create the same rule for several services instead of creating separate rules for each service Service groups may consist of services and other service groups The sequence of memb...

Page 755: ...uble click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value a...

Page 756: ...may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive IP Protocol Select the protocol the service uses Choices are TCP UDP ICMP and User Defined Starting Port Ending Port This field appears if the IP Protocol is TCP or UDP Specify the port number s used by this service If you fill in one of these fields the service uses...

Page 757: ...ck Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with a specific ...

Page 758: ...underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description of the service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not important Select items from the Availa...

Page 759: ...f all schedules in the ZyWALL Use the One Time Schedule Add Edit screen Section 43 2 1 on page 761 to create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 43 2 2 on page 762 to create or edit a recurring schedule 43 1 2 What You Need to Know One time Schedules One time schedules begin on a specific start date and time and end on a specific stop date and time One ti...

Page 760: ...figuration Object Schedule LABEL DESCRIPTION One Time Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which setti...

Page 761: ... confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Time This...

Page 762: ... dates such as February 31 Hour 0 23 Minute 0 59 StartTime Specify the hour and minute when the schedule begins Hour 0 23 Minute 0 59 StopDate Specify the year month and day when the schedule ends Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 Hour 0 23 Minute 0 59 StopTime Specify the hour and minute when the schedule ends Hour 0 23 Minute 0 59 ...

Page 763: ...ing LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule begins each day Hour 0 23 Minute 0 59 StopTime Specify the hour and minute when the schedule ends each...

Page 764: ...Chapter 43 Schedules ZyWALL USG 300 User s Guide 764 ...

Page 765: ...see Chapter 45 on page 775 44 1 1 Directory Service AD LDAP LDAP AD allows a client the ZyWALL to connect to a server to retrieve information from a directory A network example is shown next Figure 506 Example Directory Service Client and Server The following describes the user authentication procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The ZyWALL tries to ...

Page 766: ...feature Purchase a ZyWALL OTP package in order to use this feature The package contains server software and physical OTP tokens PIN generators Do the following to use OTP See the documentation included on the ASAS CD for details 1 Install the ASAS server software on a computer 2 Create user accounts on the ZyWALL and in the ASAS server 3 Import each token s database file located on the included CD...

Page 767: ...ticate VPN users Directory Service LDAP AD LDAP Lightweight Directory Access Protocol AD Active Directory is a directory service that is both a directory and a protocol for controlling access to a network The directory consists of a database specialized for fast information retrieval and filtering activities You create and store user profile and login information on the external server RADIUS RADI...

Page 768: ...any c JP Base DN A base DN specifies a directory A base DN usually contains information such as the name of an organization a domain name and or country For example o MyCompany c UK where o means organization and c means country Bind DN A bind DN is used to authenticate with an LDAP AD server For example a bind DN of cn zywallAdmin allows the ZyWALL to log into the LDAP AD server using the user na...

Page 769: ...erver Click Object AAA Server Active Directory or LDAP to display the Active Directory or LDAP screen Click the Add icon or an Edit icon to display the Table 213 Configuration Object AAA Server Active Directory or LDAP LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To re...

Page 770: ... Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the AD or LDAP server Backup Server Address If the AD or LDAP server has a backup server enter its address here Port Specify the port number on the AD or LDAP server ...

Page 771: ...gin Name Attribute Enter the type of identifier the users are to use to log in For example name or e mail address Alternative Login Name Attribute If there is a second type of identifier that the users can use to log in enter it here For example name or e mail address Group Membership Attribute An AD or LDAP server defines attributes for its accounts Enter the name of the attribute that the ZyWALL...

Page 772: ...e address of the AD or LDAP server Base DN This specifies a directory For example o ZyXEL c US Host Enter the IP address in dotted decimal notation or the domain name up to 63 alphanumeric characters of a RADIUS server Authentication Port The default port of the RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so with add...

Page 773: ... LABEL DESCRIPTION Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the RADIUS server Authentication Port Specify the port number on the RADIUS server to which the ZyWALL sends authentication requests Enter a number ...

Page 774: ...es attributes for its accounts Select the name and number of the attribute that the ZyWALL is to check to determine to which group a user belongs If it does not display select user defined and specify the attribute s number This attribute s value is called a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group ...

Page 775: ... Auth Method screens Section 45 2 on page 776 to create and manage authentication method objects Finding Out More See Section 7 7 3 on page 148 for an example of how to set up user authentication using a radius server 45 1 2 Before You Begin Configure AAA server objects see Chapter 44 on page 765 before you configure authentication method objects 45 1 3 Example Selecting a VPN Authentication Metho...

Page 776: ...create up to 16 authentication method objects Figure 514 Configuration Object Auth Method The following table describes the labels in this screen Table 217 Configuration Object Auth Method LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and cl...

Page 777: ...lumn is important The ZyWALL authenticates the users using the databases in the local user database or the external authentication server in the order they appear in this screen If two accounts with the same username exist on two authentication servers you specify the ZyWALL does not continue the search on the second authentication server when you enter the username and password that doesn t match...

Page 778: ...WALL confirms you want to remove it before doing so Move To change a method s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed The ordering of your methods is important as ZyWALL authenticates the users using the authentication methods in the order they appea...

Page 779: ...9 Add icon Click Add to add a new entry Click Edit to edit the settings of an entry Click Delete to delete an entry OK Click OK to save the changes Cancel Click Cancel to discard the changes Table 218 Configuration Object Auth Method Add continued LABEL DESCRIPTION ...

Page 780: ...Chapter 45 Authentication Method ZyWALL USG 300 User s Guide 780 ...

Page 781: ...d certificate It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate 46 1 2 What You Need to Know When using public key cryptology for authentication each host has two keys One key is public and can be made openly available The other key is private and must be kept secure These keys work like a handwritten signature in fact certificat...

Page 782: ...gorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the hierarchy of certification authority certificates that validate a certificate The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked Certification authorities mai...

Page 783: ...s and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 12 This is a format for transferring public key and private key certificates The private key in a PKCS 12 file is within a password encrypted envelope The file s password is not connected to your certificate s public or private passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt t...

Page 784: ...en the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields Figure 517 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields The secure method may very based on your situation Possible examples would be over the telephone or through an HTTPS conn...

Page 785: ...ate or a certification request Edit Double click an entry or select it and click Edit to open a screen with an in depth list of information about the certificate Remove The ZyWALL keeps all of your certificates unless you specifically delete them Uploading a new firmware or default configuration file does not delete your certificates To remove an entry select it and click Remove The ZyWALL confirm...

Page 786: ...uch as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates ...

Page 787: ... ZyWALL USG 300 User s Guide 787 ZyWALL create a self signed certificate enroll a certificate with a certification authority or generate a certification request Figure 519 Configuration Object Certificate My Certificates Add ...

Page 788: ...ich the certificate owner belongs You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore Organization Identify the company or group to which the certificate owner belongs You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore Town City Identify the town or city where the certificate owner is located You can use u...

Page 789: ...en you select Create a certification request and enroll for a certificate immediately online Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Publi...

Page 790: ...ou select Create a certification request and enroll for a certificate immediately online the certification authority may want you to include a reference number and key to identify you when you send a certification request Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol Just the Key field displays if your certification authority ...

Page 791: ... Screen Click Configuration Object Certificate My Certificates and then the Edit icon to open the My Certificate Edit screen You can use this screen to view in depth certificate information and change the certificate s name Figure 520 Configuration Object Certificate My Certificates Edit ...

Page 792: ...rtificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority or generate...

Page 793: ...icate into a printable form You can copy and paste a certification request into a certification authority s web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text edi...

Page 794: ...reen You must remove any spaces from the certificate s filename before you can import it Figure 521 Configuration Object Certificate My Certificates Import The following table describes the labels in this screen OK Click OK to save your changes back to the ZyWALL You can only change the name Cancel Click Cancel to quit and return to the My Certificates screen Table 221 Configuration Object Certifi...

Page 795: ...rtificate on the ZyWALL Cancel Click Cancel to quit and return to the My Certificates screen Table 222 Configuration Object Certificate My Certificates Import continued LABEL DESCRIPTION Table 223 Configuration Object Certificate Trusted Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL s PKI storage space that is currently in use When the stora...

Page 796: ...ying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or co...

Page 797: ...ficates ZyWALL USG 300 User s Guide 797 authority s list of revoked certificates before trusting a certificate issued by the certification authority Figure 523 Configuration Object Certificate Trusted Certificates Edit ...

Page 798: ...SCP or LDAP server details OCSP Server Select this check box if the directory server uses OCSP Online Certificate Status Protocol URL Type the protocol IP address and pathname of the OCSP server ID The ZyWALL may need to authenticate itself in order to assess the OCSP server Type the login name up to 31 ASCII characters from the entity maintaining the server usually a certification authority Passw...

Page 799: ...hash algorithm Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expir...

Page 800: ...ate Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses lowercase letters uppercase letters and numerals to convert a binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate int...

Page 801: ...network traffic since the ZyWALL only gets information on the certificates that it needs to verify not a huge list When the ZyWALL requests certificate status information the OCSP server returns a expired current or unknown response Table 225 Configuration Object Certificate Trusted Certificates Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or...

Page 802: ...Chapter 46 Certificates ZyWALL USG 300 User s Guide 802 ...

Page 803: ...Section 13 4 on page 310 for information about PPPoE PPTP interfaces See Section 6 6 on page 112 for related information on these screens 47 1 1 What You Can Do in this Chapter Use the Object ISP Account screens Section 47 2 on page 803 to create and manage ISP accounts in the ZyWALL 47 2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL To access this screen click C...

Page 804: ...to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 309 for an example This ...

Page 805: ...yWALL accepts MSCHAP V2 only Encryption Method This field is available if this ISP account uses the PPTP protocol Use the drop down list box to select the type of Microsoft Point to Point Encryption MPPE Options are nomppe This ISP account does not use MPPE mppe 40 This ISP account uses 40 bit MPPE mppe 128 This ISP account uses 128 bit MMPE User Name Type the user name given to you by your ISP Pa...

Page 806: ...disconnects from the PPPoE PPTP server This value must be an integer between 0 and 360 If this value is zero this timeout is disabled OK Click OK to save your changes back to the ZyWALL If there are no errors the program returns to the ISP Account screen If there are errors a message box explains the error and the program stays in the ISP Account Edit screen Cancel Click Cancel to return to the IS...

Page 807: ...mote users to access an application via standard web browsers Section 48 2 1 on page 810 You can also use the SSL Application Edit screen to specify the name of a folder on a Linux or Windows file server which remote users can access using a standard web browser Section 48 2 2 on page 812 48 1 2 What You Need to Know Application Types You can configure the following types of SSL applications on th...

Page 808: ...ter does not use VNC or RDP client software The ZyWALL works with the following remote desktop connection software RDP Windows Remote Desktop supported in Internet Explorer VNC RealVNC TightVNC UltraVNC For example user A uses an SSL VPN connection to log into the ZyWALL Then he manages LAN computer B which has RealVNC server software installed Figure 527 SSL protected Remote Management Weblinks Y...

Page 809: ...info Select Web Page Encryption to prevent users from saving the web content Click Apply to save the settings The configuration screen should look similar to the following figure Figure 528 Example SSL Application Specifying a Web Site for Access 48 2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects Click Configuration Object SSL ...

Page 810: ...LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object Reference s Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 ...

Page 811: ... Virtual Network Computing remote desktop server software installed Select RDP to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed Select Weblink to create a link to a web site that you expect the SSL VPN users to commonly use Name Enter a descriptive name to identify this object You can enter up to 31 characters 0 9 a z A Z and _ Space...

Page 812: ... set to RDP or VNC Specify the IP address or Fully Qualified Domain Name FQDN of the computer s that you want to allow the remote users to manage Starting Port Ending Port This field displays if the Server Type is set to RDP or VNC Specify the listening ports of the LAN computer s running remote desktop server software The ZyWALL uses a port number from this range to send traffic to the LAN comput...

Page 813: ... 31 characters 0 9 a z A Z and _ Spaces are not allowed Shared Path Specify the IP address domain name or NetBIOS name computer name of the file server and the name of the share to which you want to allow user access Enter the path in one of the following formats IP address share name domain name share name computer name share name For example if you enter my server Tmp this allows remote users to...

Page 814: ...Chapter 48 SSL Application ZyWALL USG 300 User s Guide 814 ...

Page 815: ...dpoint security objects to use with the authentication policy and SSL VPN features For example an authentication policy could use an endpoint security object that requires a LAN user s computer to pass all of the object s checking items in order to access the network LAN user A passes all of the checks and is given access An SSL VPN tunnel could use a different endpoint security profile that only ...

Page 816: ...tion Windows registry settings Processes that the endpoint must execute Processes that the endpoint cannot execute The size and version of specific files Multiple Endpoint Security Objects You can configure an authentication policy or SSL VPN policy to use multiple endpoint security objects This allows checking of computers with different OSs or security settings When a client attempts to log in t...

Page 817: ...y s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the object See Section 13 3 2 on page 309 for an example Object Name This field displays the descriptive name that identifies this object Description If the entry has ...

Page 818: ...LL USG 300 User s Guide 818 Apply Click this button to save your changes to the ZyWALL Reset Click this button to return the screen to its last saved settings Table 231 Configuration Object Endpoint Security continued LABEL DESCRIPTION ...

Page 819: ...ALL USG 300 User s Guide 819 49 3 Endpoint Security Add Edit Click Configuration Object Endpoint Security and then the Add or Edit icon to open the Endpoint Security Edit screen Use this screen to configure an endpoint security object ...

Page 820: ...Chapter 49 Endpoint Security ZyWALL USG 300 User s Guide 820 Figure 534 Configuration Object Endpoint Security Add ...

Page 821: ...rs allows access for computers not using Windows Linux or Mac OSX operating systems For example you create Windows Linux and Mac OSX endpoint security objects to apply to your LAN users An others object allows access for LAN computers using Solaris HP Android or other operating systems Windows Version If you selected Windows as the operating system select the version of Windows here Endpoint must ...

Page 822: ... Registry If you selected Windows as the operating system you can use the table to list Windows registry values to check on the user s computer Use the Operation field to set whether the value for the registry item in the user s computer has to be equal to greater than less than greater than or equal to less than or equal to or not equal to the value listed in the entry Click Add to create a new e...

Page 823: ...be equal to greater than less than greater than or equal to less than or equal to or not equal to the size or version of the file listed in the entry Click Add to create a new entry Select one or more entries and click Remove to delete it or them The user s computer must pass one of the listed file information checks to pass this checking item OK Click OK to save your changes back to the ZyWALL Ca...

Page 824: ...Chapter 49 Endpoint Security ZyWALL USG 300 User s Guide 824 ...

Page 825: ...omain name to its corresponding IP address and vice versa Use the System WWW screens see Section 50 7 on page 840 to configure settings for HTTP or HTTPS access to the ZyWALL and how the login and access user screens look Use the System SSH screen see Section 50 8 on page 857 to configure SSH Secure SHell used to securely access the ZyWALL s command line interface You can specify which zones allow...

Page 826: ...ge 872 to allow your ZyWALL to be managed by the Vantage CNM server Use the System Language screen see Section 50 14 on page 875 to set a language for the ZyWALL s Web Configurator screens Note See each section for related background information and term definitions 50 2 Host Name A host name is the unique name by which a device is known on a network Click Configuration System Host Name to open th...

Page 827: ... Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 233 Configuration System Host Name continued LABEL DESCRIPTION Table 234 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Turn USB storage on or off You need to enable USB storage both here and for a specific feature such as system logs or diagnostic...

Page 828: ...time based on your local time zone and date click Configuration System Date Time The screen displays as shown You can manually set the ZyWALL s time and date or have the ZyWALL get the date and time from a time server Figure 537 Configuration System Date and Time The following table describes the labels in this screen Table 235 Configuration System Date and Time LABEL DESCRIPTION Current Time and ...

Page 829: ...ck this button to have the ZyWALL get the time and date from a time server see the Time Server Address field This also saves your changes except the daylight saving settings Time Zone Setup Time Zone Choose the time zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Enable Daylight Saving Daylight saving is a period from late spring to early ...

Page 830: ...ng Time ends in the United States on the first Sunday of November Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So in the United States you would select First Sunday November and type 2 in the at field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight Saving Time a...

Page 831: ...nfiguring the Date Time screen To manually set the ZyWALL date and time 1 Click System Date Time 2 Select Manual under Time and Date Setup 3 Enter the ZyWALL s time in the New Time field 4 Enter the ZyWALL s date in the New Date field 5 Under Time Zone Setup select your Time Zone from the list 6 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for dayligh...

Page 832: ... Overview DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it Table 237 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the console port Your ZyWALL suppor...

Page 833: ...WAN IP address set the DNS server fields to get the DNS server address from the ISP You can manually enter the IP addresses of other DNS servers 50 6 2 Configuring the DNS Screen Click Configuration System DNS to change your ZyWALL s DNS settings Use the DNS screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN DDNS and the time server You c...

Page 834: ...e forwarder entries in the order that they appear in this list Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subse...

Page 835: ...lect an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbe...

Page 836: ...n The ZyWALL allows you to configure address records about the ZyWALL itself or another device This way you can keep a record of DNS names and addresses that people on your network may use frequently If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record the ZyWALL can send the IP address in a DNS response without having to query a DNS name server 50 6 4 PTR Reco...

Page 837: ...orwarder record Figure 542 Configuration System DNS Domain Zone Forwarder Add Table 239 Configuration System DNS Address PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully Qualified Domain Name FQDN of a server An FQDN starts with a host name and continues all the way up to the top level domain name For example www zyxel com tw is a fully qualified domain name where www is the host zyxel is the t...

Page 838: ...fied DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP address es that the ISP assigns N A displays for any DNS server IP address ...

Page 839: ...ice Control table to add a service control rule Figure 544 Configuration System DNS Service Control Rule Add Table 241 Configuration System DNS MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for IP Address FQDN Enter the IP address or Fully Qualified Domain Name FQDN of a mail server that handles the mail for the domain specified in the field above OK ...

Page 840: ...uration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL Zone...

Page 841: ...re is a lease timeout for administrators The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling Each user is also forced to log in the ZyWALL for authentication again when the reauthentication time expires You can change the timeout settings in the User Group scree...

Page 842: ...ificates is optional and if selected means the HTTPS client must send the ZyWALL a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL Please refer to the following figure 1 HTTPS connection requests from an SSL aware web browser go to port 443 by default on the ZyWALL s web server 2 HTTP connection requests from a web browser go to port 80 by ...

Page 843: ...PN for example Figure 547 Configuration System WWW Service Control The following table describes the labels in this screen Table 243 Configuration System WWW Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the ZyWALL Web Configurator using secure HTTPs con...

Page 844: ...HTTPS to log into the ZyWALL to log into SSL VPN for example You can also specify the IP addresses from which the users can access the ZyWALL Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click R...

Page 845: ...emove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control ru...

Page 846: ...Table 244 Configuration System Service Control Rule Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access...

Page 847: ... 847 also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet See Chapter 40 on page 731 for more on access user accounts Figure 549 Configuration System WWW Login Page ...

Page 848: ...he login and access pages Figure 550 Login Page Customization Figure 551 Access Page Customization You can specify colors in one of the following ways Logo Title Message Note Message Background last line of text color of all text Logo Title Message Note Message Window last line of text color of all text Background ...

Page 849: ...nd file name of the logo graphic or click Browse to locate it Note Use a GIF JPG or PNG of 100 kilobytes or less Click Upload to transfer the specified graphic file from your computer to the ZyWALL Customized Login Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Title...

Page 850: ...een in Internet Explorer Select Yes to proceed to the Web Configurator login screen if you select No then Web Configurator access is blocked Figure 552 Security Alert Dialog Box Internet Explorer Note Message Enter a note to display below the title Use up to 64 printable ASCII characters Spaces are allowed Window Background Set how the window s background looks To use a graphic select Picture and ...

Page 851: ...tificate is from the ZyWALL If Accept this certificate temporarily for this session is selected then click OK to continue in Netscape Select Accept this certificate permanently to import the ZyWALL s certificate into the SSL client Figure 553 Security Certificate 1 Netscape Figure 554 Security Certificate 2 Netscape 50 7 7 3 Avoiding Browser Warning Messages Here are the main reasons your browser ...

Page 852: ...es issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certificate Refer to Appendix D on page 1019 for details 50 7 7 4 Login Screen After you accept the certificate the ZyWALL login screen appears The lock displayed in the bottom of the browser status bar denotes a secure connection Figure 555 Login Screen Internet Explorer 50 ...

Page 853: ...d CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 50 7 7 5 1 Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next Figure 557 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier ...

Page 854: ...Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard Figure 558 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 559 Personal Certificate ...

Page 855: ... you by the CA Figure 560 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 561 Personal Certificate Import Wizard 4 ...

Page 856: ...u should see the following screen when the certificate is correctly installed on your computer Figure 563 Personal Certificate Import Wizard 6 50 7 7 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 564 Access the ZyWALL Via HTTPS ...

Page 857: ...yWALL This screen displays even if you only have a single certificate as in the example Figure 565 SSL Client Authentication 3 You next see the Web Configurator login screen Figure 566 Secure Web Configurator Login Screen 50 8 SSH You can use SSH Secure SHell to securely access the ZyWALL s command line interface Specify which zones allow SSH access and from which IP address the access can come ...

Page 858: ...N Example 50 8 1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1 Figure 568 How SSH v1 Works Example 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and s...

Page 859: ...50 8 2 SSH Implementation on the ZyWALL Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Archfour and Blowfish The SSH server is implemented on the ZyWALL for management using port 22 by default 50 8 3 Requirements for Using SSH You must install an SSH client program on a client computer Windows or Linux operating system that is used to connec...

Page 860: ... needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 46 on page 781 for details Service Control This specif...

Page 861: ...e the host key in you computer Click Yes to continue Figure 570 SSH Example 1 Store Host Key Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This the index number of the service control rule Zone This is the zone on the ZyWALL the u...

Page 862: ...L using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a message displays prompting you to save the host information of the ZyWALL Type yes and press ENTER Then enter the password to log in to the ZyWALL Figure 572 SSH Example 2 Log in 3 The CLI screen displays next 50 9 Telnet You can use Telnet to access the ZyWALL s command line interface Specify which zones ...

Page 863: ...rt number for a service if needed however you must use the same port number in order to use that service for remote management Service Control This specifies from which computers you can access which ZyWALL zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 244 on page 846 for details on the screen that opens Edit ...

Page 864: ...n configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of the IP address es with which the...

Page 865: ... if needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for FTP connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 46 on page 781 for details Service Control This spe...

Page 866: ...h a hyphen instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is th...

Page 867: ...work management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that define each piece of information to be collected about a device Examples of variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager a...

Page 868: ...al throughput The focus of the MIBs is to let administrators collect statistical data and monitor status and performance You can download the ZyWALL s MIBs from www zyxel com 50 11 2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs 50 11 3 Configuring SNMP To change your ZyWALL s SNMP settings click Configuration System SNMP tab The screen appea...

Page 869: ...mber for a service if needed however you must use the same port number in order to use that service for remote management Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is public and allows all requests Set Community Enter the Set community which is the password for incoming Set requests from the managem...

Page 870: ...select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This the index number of the ...

Page 871: ...t connections Figure 577 Configuration System Dial in Mgmt The following table describes the labels in this screen Table 251 Configuration System Dial in Mgmt LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields Dial in Server Properties Click Advanced to display more configuration fields and edit the details ...

Page 872: ...notifying the Vantage CNM administrator Port Speed Use the drop down list box to select the speed of the connection between the ZyWALL s auxiliary port and the external modem Available speeds are 9600 19200 38400 57600 or 115200 bps Initial String Type the AT command string that the ZyWALL returns to the external serial modem connected to the ZyWALL s auxiliary port during connection initializatio...

Page 873: ...ntage CNM Click Advanced to display more configuration fields or click Basic to display fewer fields Enable Select this check box to allow Vantage CNM to manage your ZyWALL Server IP Address FQDN Enter the IP address or fully qualified domain name of the Vantage server If the Vantage CNM server is on a different subnet to the ZyWALL and is behind a NAT router enter the WAN IP address of the NAT ro...

Page 874: ...ustom in the Device Management IP field Keepalive Interval Set how often the ZyWALL sends a keep alive packet to the Vantage CNM server if there is no other traffic The keep alive packets maintain the Vantage CNM server s control session Periodic Inform Interval Select this option to have the ZyWALL periodically send Inform messages to the Vantage CNM server HTTPS Authentication When you are using...

Page 875: ...onfiguration System Language The following table describes the labels in this screen Table 253 Configuration System Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL s Web Configurator screens You also need to open a new browser session to display the screens in the new language Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return...

Page 876: ...Chapter 50 System ZyWALL USG 300 User s Guide 876 ...

Page 877: ...re and how to send daily reports and what reports to send Use the Maintenance Log Setting screens Section 51 3 on page 879 to specify settings for recording log messages e mailing them and sending them to a remote server 51 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your ZyWALL Note Data collecti...

Page 878: ... 300 User s Guide 878 Click Configuration Log Report Email Daily Report to display the following screen Configure this screen to have the ZyWALL e mail you system statistics every day Figure 580 Configuration Log Report Email Daily Report ...

Page 879: ...WALL s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address or addresses to which the outgoing e mail is delivered SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you sel...

Page 880: ...ngs tab controls which events generate alerts and where alerts are e mailed The Log Settings Summary screen provides a summary of all the settings You can use the Log Settings Edit screen to maintain the detailed settings such as log categories e mail addresses server names etc for any log Alternatively if you want to edit what events is included in each log you can also use the Active Log Summary...

Page 881: ...ivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific log Name This field displays the type of log setting entry system log logs stored on a USB storage device connected to the ZyWALL or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log on the View Log...

Page 882: ...Chapter 51 Log and Report ZyWALL USG 300 User s Guide 882 Figure 582 Configuration Log Report Log Setting Edit System Log ...

Page 883: ... day of the week the log is e mailed Time for Sending Log This field is available if the log is e mailed weekly or daily Select the time of day hours and minutes when the log is e mailed Use 24 hour notation SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication chec...

Page 884: ...ory fields in the View Log tab The Default category includes debugging messages generated by open source software System log Select which events you want to log by Log Category There are three choices disable all logs red X do not log any information from this category enable normal logs green check mark create log messages and alerts from this category enable normal logs and debug logs yellow che...

Page 885: ...hen multiple log messages were aggregated Log Consolidation Interval Type how often in seconds to consolidate log information If the same log message appears multiple times it is aggregated into one log message with the text count x where x is the number of original log messages appended at the end of the Message field OK Click this to save your changes and return to the previous screen Cancel Cli...

Page 886: ...ng The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device Go to the Log Setting Summary screen see Section 51 3 1 on page 880 and click the USB storage Edit icon Figure 583 Configuration Log Report Log Setting Edit USB Storage ...

Page 887: ...e normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is not associated with a specific entry Log Category This field displays each category of messages The Default category includes debugging messages generated by open source software Selection Select what information you w...

Page 888: ...Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server syslog Go to the Log Settings Summary screen see Section 51 3 1 on page 880 and click a remote server Edit icon Figure 584 Configuration Log Report Log Setting Edit Remote Server ...

Page 889: ...or all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is...

Page 890: ...where and how often log information is e mailed or remote server names To access this screen go to the Log Settings Summary screen see Section 51 3 1 on page 880 and click the Active Log Summary button Figure 585 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 51 3 2 on page 881 whe...

Page 891: ...on for any category to a connected USB storage device enable normal logs green check mark create log messages and alerts for all categories and save them to a connected USB storage device enable normal logs and debug logs yellow check mark create log messages alerts and debugging information for all categories and save them to a connected USB storage device E mail Server 1 Use the E Mail Server 1 ...

Page 892: ... the ZyWALL does not e mail debugging information however even if this setting is selected E mail Server 1 E mail Select whether each category of events should be included in the log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The ZyWALL does not e mail debugging information even if it is recorded in the ...

Page 893: ...the Configuration File screen see Section 52 2 on page 896 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL Use the Firmware Package screen see Section 52 3 on page 900 to check your current firmware version and upload firmware to the ZyWALL Use the Shell Script screen se...

Page 894: ...Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure ge3 interface ge3 ip address 172 23 37 240 255 255 255 0 ip gateway 172 23 37 254 metric 1 exit create address objects for remote management to ZyWALL firewall rules use the address group in case we want to open up remote managemen...

Page 895: ...onfiguration file or run a shell script the ZyWALL processes the file line by line The ZyWALL checks the first line and applies the line if no errors are detected Then it continues with the next line If the ZyWALL finds an error it stops applying the configuration file or shell script and generates a log You can change the way a configuration file or shell script is applied Include setenv stop on ...

Page 896: ... and back on the ZyWALL uses the system default conf configuration file with the ZyWALL s default settings If there is a startup config conf the ZyWALL checks it for errors and applies it If there are no errors the ZyWALL uses it and copies it to the lastgood conf configuration file as a back up file If there is an error the ZyWALL generates a log and copies the startup config conf configuration f...

Page 897: ...ance File Manager Configuration File Rename Specify the new name for the configuration file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the ZyWALL You can only delete manually saved configur...

Page 898: ...Copy to open the Copy File screen Figure 589 Maintenance File Manager Configuration File Copy Specify a name for the duplicate configuration file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Table 261 Maintenance File Manager Configuration File continued LABEL DESCRIPTION ...

Page 899: ...his gets the ZyWALL started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the ZyWALL apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish applyi...

Page 900: ...t recently used valid configuration file that was saved when the device last restarted If you upload and apply a configuration file with an error you can apply lastgood conf to return to a valid configuration Size This column displays the size in KB of a configuration file Last Modified This column displays the date and time that the individual configuration files were last changed or saved Upload...

Page 901: ...not be decompressed option while you download the firmware package See Section 33 2 1 on page 591 for more on the anti virus Destroy compressed files that could not be decompressed option The firmware update can take up to five minutes Do not turn off or reset the ZyWALL while the firmware update is in progress Figure 591 Maintenance File Manager Firmware Package The following table describes the ...

Page 902: ... After five minutes log in again and check your new firmware version in the HOME screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Figure 594 Firmware Upload Error 52 4 The Shell Script Screen Use shell script files to have the ZyWALL use commands that you specify Use a text editor to create the shell script files They must use a zy...

Page 903: ...k a shell script s row to select it and click Rename to open the Rename File screen Figure 596 Maintenance File Manager Shell Script Rename Specify the new name for the shell script file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Remove Click a shell script file s row to selec...

Page 904: ...ed to wait awhile for the ZyWALL to finish applying the commands This column displays the number for each shell script file entry File Name This column displays the label that identifies a shell script file Size This column displays the size in KB of a shell script file Last Modified This column displays the date and time that the individual shell script files were last changed or saved Upload She...

Page 905: ...hrough the ZyWALL Use the Maintenance Diagnostics Core Dump screens see Section 53 4 on page 912 to have the ZyWALL save a process s core dump to an attached USB storage device if the process terminates abnormally crashes so you can send the file to customer support for troubleshooting Use the Maintenance Diagnostics System Log screens see Section 53 5 on page 913 to download files of system logs ...

Page 906: ...bleshooting Figure 599 Maintenance Diagnostics Files Table 264 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagnostic file Copy the diagnostic file to USB storage i...

Page 907: ...N Remove Select files and click Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the ava...

Page 908: ...row button to move them to the Capture Interfaces list Use the Shift and or Ctrl key to select multiple objects IP Type Select the protocol of traffic for which to capture packets Select any to capture packets for all types of traffic Host IP Select a host IP address object for which to capture packets Select any to capture packets for all hosts Select User Defined to be able to enter an IP addres...

Page 909: ... The ZyWALL stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires Split threshold Specify a maximum size limit in megabytes for individual packet capture files After a packet capture file reaches this size the ZyWALL starts another packet capture file Duration Set a time limit in seconds for the capture Th...

Page 910: ...LL s throughput or performance may be affected while a packet capture is in progress After the ZyWALL finishes the capture it saves a separate capture file for each selected interface The total number of packet capture files that you can save depends on the file sizes and the available flash storage space Once the flash storage space is full adding more packet captures will fail Stop Click this bu...

Page 911: ...s set to 1500 bytes Figure 602 Packet Capture File Example This column displays the number for each packet capture file entry The total number of packet capture files that you can save depends on the file sizes and the available flash storage space File Name This column displays the label that identifies the file The file name format is interface name file suffix cap Size This column displays the ...

Page 912: ... following table describes the labels in this screen 53 4 1 Core Dump Files Screen Click Maintenance Diagnostics Core Dump Files to open the core dump files screen This screen lists the core dump files stored on the ZyWALL or a Table 268 Maintenance Diagnostics Core Dump LABEL DESCRIPTION Save core dump to USB storage if ready Select this to have the ZyWALL save a process s core dump to an attache...

Page 913: ...es LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet capture files that y...

Page 914: ...k Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the available storage space File Name...

Page 915: ...command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 56 1 on page 936 reset returns the device to its default configuration 54 2 The Reboot Screen The Reboot screen is part of the Web configurator so that remote users can restart the device To access this screen click Maintenance Reboot Figure 606 Maintenance Re...

Page 916: ...Chapter 54 Reboot ZyWALL USG 300 User s Guide 916 ...

Page 917: ...ZyWALL or remove the power Not doing so can cause the firmware to become corrupt 55 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 55 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 607 Maintenance Shutdown Click the Shutdown button to shut down the ZyWALL Wait for the device to shut down before you manual...

Page 918: ...Chapter 55 Shutdown ZyWALL USG 300 User s Guide 918 ...

Page 919: ...ntact your local vendor Cannot access the ZyWALL from the LAN Check the cable connection between the ZyWALL and your computer or switch Ping the ZyWALL from a LAN computer Make sure your computer s Ethernet card is installed and functioning properly Also make sure that its IP address is in the same subnet as the ZyWALL s In the computer click Start All Programs Accessories and then Command Prompt ...

Page 920: ...more noticeable with a large browser window You can try shrinking the browser window if this is an issue I cannot access the Internet Check the ZyWALL s connection to the Ethernet jack with Internet access Make sure the Internet gateway device such as a DSL modem is working properly Check the WAN interface s status in the Dashboard Use the installation setup wizard again and make sure that you ent...

Page 921: ...em for certain interfaces Many security settings are usually applied to zones Make sure you assign the interfaces to the appropriate zones When you create an interface there is no security applied on it until you assign it to a zone The ZyWALL is not applying the custom policy route I configured The ZyWALL checks the policy routes in the order that they are listed So make sure that your custom pol...

Page 922: ...ace You cannot set up a PPP interface virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it My rules and settings that apply to a particular interface no longer work The interface s IP address may ha...

Page 923: ...nded that you use a more effective security mechanism Use the strongest security mechanism that all the wireless devices in your network support WPA2 or WPA2 PSK is recommended The wireless security is not following the re authentication timer setting I specified If a RADIUS server authenticates wireless stations the re authentication timer on the RADIUS server has priority Change the RADIUS serve...

Page 924: ...s not affect the functionality you might improve the performance of the ZyWALL by putting more commonly used ports at the top of the list The ZyWALL s anti virus scanner cleaned an infected file but now I cannot use the file The scanning engine checks the contents of the packets for virus If a virus pattern is matched the ZyWALL removes the infected portion of the file along with the rest of the f...

Page 925: ...tion should be taken The ZyWALL checks all signatures and continues searching even after a match is found If two or more rules have conflicting actions for the same packet then the ZyWALL applies the more restrictive action reject both reject receiver or reject sender drop none in this order If a packet matches a rule for reject receiver and it also matches a rule for reject sender then the ZyWALL...

Page 926: ...g and SNAT behavior for an interface with the Interface Type set to Internal or External The ZyWALL is not applying a policy route s port triggering settings You also need to create a firewall rule to allow an incoming service I cannot get Dynamic DNS to work You must have a public WAN IP address to use Dynamic DNS Make sure you recorded your DDNS account s user name password and domain name and h...

Page 927: ...ZyWALL s firewall to permit the use of asymmetrical route topology on the network so it does not reset the connection although this is not recommended since allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets See Asymmetrical Ro...

Page 928: ...ces from the network before testing your new VPN connection The old route may have been learnt by RIP and would take priority over the new VPN connection To test whether or not a tunnel is working ping from a computer at one site to a computer at the other Before doing so ensure that both computers have Internet access via the IPSec routers It is also helpful to have a way to look at the packets t...

Page 929: ...gured L2TP correctly on the remote user computers See Section 8 5 on page 189 for examples Make sure you configured an appropriate policy route on the ZyWALL Make sure there is not a firewall between the ZyWALL and the remote users If it is possible that the remote user s public IP address could be in the same subnet as the specified My Address click Configure Network Routing Policy Route Show Adv...

Page 930: ...ckground is recommended I logged into the SSL VPN but cannot see some of the resource links Available resource links vary depending on the SSL application object s configuration I logged into the SSL VPN but cannot perform some actions in the File Sharing screen The actions that you can perform in the File Sharing screen vary depending on the rights granted to you in the SSL application object s c...

Page 931: ...s for your LAN that are not based on the interface I configured application patrol to allow and manage access to a specific service but access is blocked If you want to use a service make sure both the firewall and application patrol allow the service s packets to go through the ZyWALL The ZyWALL checks firewall rules before it checks application patrol rules for traffic going through the ZyWALL I...

Page 932: ...iple ZyWALL virtual routers on your network use a different cluster ID to identify each virtual router There can only be one master ZyWALL in each virtual router same cluster ID A broadcast storm results when I turn on Device HA Do not connect the bridge interfaces on two ZyWALLs without device HA activated on both Either activate device HA before connecting the bridge interfaces or disable the br...

Page 933: ...o work Only ZyWALLs of the same model and firmware version can synchronize Device HA synchronization is not working for subscription services Subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL Synchronization includes updates for services to which the master and backup ZyWALLs are both subscribed For example a backup subscribed to IDP AppPatrol but not anti v...

Page 934: ... is not included The ZyWALL currently allows the importation of a PKS 7 file that contains a single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses lowercase letters uppercase letters and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 12 This is a format for transferring public key and private key certificates The private key in ...

Page 935: ... When a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first The commands in my configuration file or shell script are not working properly In a configuration file or shell script use or as the first character of a command line to have the ZyWALL treat the line as a comment Your configurati...

Page 936: ...L stops the capture and generates the capture file when either the capture files reach the File Size or the time period specified in the Duration field expires My earlier packet capture files are missing New capture files overwrite existing files of the same name Change the File Suffix field s setting to avoid this 56 1 Resetting the ZyWALL If you cannot access the ZyWALL by any method try restart...

Page 937: ...and not blinking 2 Press the RESET button and hold it until the SYS LED begins to blink This usually takes about five seconds 3 Release the RESET button and wait for the ZyWALL to restart You should be able to access the ZyWALL using the default settings 56 2 Getting More Troubleshooting Help Search for support information for your model at www zyxel com for more troubleshooting suggestions ...

Page 938: ...Chapter 56 Troubleshooting ZyWALL USG 300 User s Guide 938 ...

Page 939: ...f MAC addresses 7 Ethernet Interfaces Number of Ethernet interfaces 7 All Ethernet interfaces are Gigabit Ethernet full duplex RJ 45 connectors auto negotiation auto MDI MDIX auto crossover Management interface RS 232 DB9F connector AUX port RS 232 DB9M connector USB Slots 2 2 0 plug and play Compatible USB Cards 3G Huawei E220 E270 E160 E169 E800 and E180 Extension Card Slot Slot for optional har...

Page 940: ...l alias 4 per interface 4 per interface 4 per interface PPP system default NA NA 7 PPP user created 8 8 8 Bridge 8 8 8 ROUTING Static Routes 128 128 128 Policy Routes 1 000 1 000 1 000 Sessions 60 000 60 000 60 000 ARP Table Size 1024 1024 1024 MAC Table Size For Bridge Mode only 8K 8K 8K NAT NAT Entries Port Forwarding up to 1 024 up to 1 024 up to 1 024 Trigger Port Rules up to 8 per PR rule up ...

Page 941: ...rvice Groups 200 200 200 Maximum service object in one group 128 128 128 Schedule Objects 128 128 128 ISP Accounts 16 16 32 Maximum Number of LDAP Groups 8 8 8 Maximum Number of LDAP Servers for Each LDAP Group 2 2 2 Maximum Number of RADIUS Groups 8 8 8 Maximum Number of RADIUS Servers for Each RADIUS Group 2 2 2 Maximum AD server for each AD group 4 4 4 Maximum AD group number 16 16 16 Maximum N...

Page 942: ...ntries 1024 1024 1024 Admin E mail Addresses 2 2 2 Syslog Servers 4 4 4 IDP Maximum Number of IDP Profiles 8 8 8 Custom Signatures 128 128 128 Maximum Number of IDP Rules 32 32 32 CONTENT FILTER Maximum Number of Content Filter Policies 16 16 16 Maximum Number of Content Filter Profiles 16 16 16 Maximum Number of Forbidden Domain Entries 128 per profile 128 per profile 128 per profile Maximum Numb...

Page 943: ... or 1 RAR PPM 50 ZIP files 8 RAR LZSS or 1 RAR PPM 50 ZIP files 8 RAR LZSS or 1 RAR PPM Maximum Number of Anti Virus Rules 32 32 32 Maxi mum Number of Anti Virus White List Entries 256 256 256 Maximum Number of Anti Virus Black List Entries 256 256 256 Maximum Number of Anti Virus Statistics 500 500 500 Maximum Anti Virus Statistics Ranking 10 10 10 SSL VPN Maximum SSL VPN Connections 2 without a ...

Page 944: ...12 1750 1876 1982 1995 1996 2136 2163 2181 2230 2308 2535 2536 2537 2538 2539 2671 2672 2673 2782 3007 3090 Built in service DHCP server RFCs 1542 2131 2132 2485 2489 Built in service HTTP server RFCs 1945 2616 2965 2732 2295 Built in service SNMP agent RFCs 1067 1213 2576 2578 2579 2580 2741 2667 2981 3371 Login LDAP support RFCs 2251 2252 2253 2254 2255 2256 2589 2829 2830 Used by Apache RFCs 24...

Page 945: ... Product Specifications ZyWALL USG 300 User s Guide 945 57 1 3G PCMCIA Card Installation Only insert a compatible 3G card Slide the connector end of the card into the slot Note Do not force bend or twist the card ...

Page 946: ...Chapter 57 Product Specifications ZyWALL USG 300 User s Guide 946 ...

Page 947: ...ort to 80 The content filtering checking for unsafe web sites has been changed to use port 80 due to a configuration change Content filter has been changed zsb port to 23 The content filtering checking for unsafe web sites has been changed to use port 23 due to a configuration change Table 276 Forward Web Site Logs LOG MESSAGE DESCRIPTION s Trusted Web site The device allowed access to a web site ...

Page 948: ...lid service license 4 Rating service is restarting 5 Can t connect to rating server 6 Query failed 7 Query timeout 8 Too many queries 9 Unknown reason s website host s s cache hit The web site s category exists in the device s local cache and access was blocked according to a content filter profile 1st s website host 2nd s website category s Not in trusted web list The web site is not a trusted ho...

Page 949: ...icy with the specified index number d has been added to the end of the list Anti Spam policy d has been deleted The anti spam policy with the specified index number d has been removed Anti Spam policy d has been moved to d The anti spam policy with the specified index number first d was moved to the specified index number second d White List checking has been activated The anti spam white list has...

Page 950: ...een added DNSBL domain s has been modified to s The specified DNSBL domain name first s has been changed to the second s DNSBL domain s has been deleted The specified DNSBL domain name s has been removed DNSBL domain s has been activated The specified DNSBL domain name s has been turned on DNSBL domain s has been deactivated The specified DNSBL domain name s has been turned off Match White List d ...

Page 951: ...e IP address given to the SSL user The s address object is invalid IP in SSL Policy s The listed address object first s is not an allowed IP for the listed SSL policy second s The s address object does not has assignable IP in SSL Policy s There are no more assignable IP addresses in the listed address object first s The address object is used by the listed SSL policy second s The s address object...

Page 952: ...n SSL VPN policy s So s will not be injected to client side The IP pool is in the same subnet as the specified address object first s in the listed SSL VPN policy second s so the listed address third s will not be given to an SSL VPN client The s is same subnet with IP pool in SSL VPN policy s So s will not be injected to client side The specified address object first s is in the same subnet as th...

Page 953: ...er is using HTTP or HTTPS s s from s has been logged out SSLVPN idle timeout The specified user was signed out by the device due to an idle timeout The first s is the type of user account The second s is the user s user name The third s is the name of the service the user is using HTTP or HTTPS Failed login attempt to SSLVPN from s login on a lockout address An SSL VPN login attempt from the liste...

Page 954: ...ecause the user name does not exist User s has been denied from L2TP service Disallowed User A user with the specified user name s was denied access to the L2TP over IPSec service because the user name is not specified in the L2TP over IPSec configuration User s has been denied from L2TP service Incorrect Password A user with the specified user name s was denied access to the L2TP over IPSec servi...

Page 955: ...roup name cannot create too many groups d 1st max group num s cannot find entry s 1st zysh group name 2st zysh entry name s cannot remove entry s 1st zysh group name 2st zysh entry name List OPS can t alloc entry s 1st zysh entry name can t retrieve entry s 1st zysh entry name can t get entry s 1st zysh entry name can t print entry s 1st zysh entry name s cannot retrieve entries from list 1st zysh...

Page 956: ...zysh table name Unable to move entry d 1st zysh entry num s invalid index 1st zysh table name Unable to delete entry d 1st zysh entry num Unable to change entry d 1st zysh entry num s cannot retrieve entries from table 1st zysh table name s invalid old new index 1st zysh table name Unable to move entry d 1st zysh entry num s apply failed at initial stage 1st zysh table name s apply failed at main ...

Page 957: ...er first num was moved to the specified index number second num New ADP rule has been appended An ADP rule has been added to the end of the list ADP rule num has been inserted An ADP rule has been inserted num is the number of the new rule ADP rule num has been modified The ADP rule of the specified number has been changed ADP profile name has been deleted The ADP rule with the specified name has ...

Page 958: ... compressed file because there were too many compressed files at the same time 1st s The protocol of the packet 2nd s The filename of the related file s due to more than one layer compressed file s could not be decompressed The ZyWALL could not decompress a compressed file because it contained other compressed files 1st s The protocol of the packet 2nd s The filename of the related file s due to p...

Page 959: ...was too large AV signature update has failed An anti virus signatures update failed for unknown reasons Anti Virus signatures missing refer to your user documentation to recover the default database file When the ZyWALL started it could not find the anti virus signature file See the CLI reference guide for how to restore the default system database Update signature version has failed An attempt to...

Page 960: ...file pattern was deleted from the white or black list 1st s The file pattern 2nd s The white list or black list File pattern s has been added in s An anti virus file pattern was added to the white or black list 1st s The file pattern 2nd s The white list or black list s has been s An anti virus file pattern white list or black list was turned on or off 1st s The white list or black list 2nd s Acti...

Page 961: ...sing HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out ZyWALL lease timeout The ZyWALL is signing the specified user out due to a lease timeout 1st s The type of user account 2nd s The user s user name 3rd s The name of the service the user is using HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out ZyWALL idle timeout The ZyWALL is signing the specified user out...

Page 962: ...able 285 myZyXEL com Logs LOG MESSAGE DESCRIPTION Send registration message to MyZyXEL com server has failed The device was not able to send a registration message to MyZyXEL com Get server response has failed The device sent packets to the MyZyXEL com server but did not receive a response The root cause may be that the connection is abnormal Timeout for get server response zysh need to catch MyZy...

Page 963: ...ervice activation has failed Because of lack must fields The device received an incomplete response from the myZyXEL com server and it caused a parsing error for the device Service expiration check has failed s The service expiration day check failed this log will append an error message returned by the MyZyXEL com server s error message returned by myZyXEL com server Service expiration check has ...

Page 964: ...te has stopped because the device couldn t resolve the myZyXEL com server s FQDN to an IP address through gethostbyname Verify server s certificate has failed Update stop The device could not process an HTTPS connection because it could not verify the myZyXEL com server s certificate The update has stopped Send download request to update server has failed The device s attempt to send a download me...

Page 965: ...nti Virus signature download has succeeded The device successfully downloaded an anti virus signature file Anti Virus signature update has succeeded The device successfully downloaded and applied an anti virus signature file Anti Virus signature download has failed The device still cannot download the anti virus signature after 3 retries System protect signature download has succeeded The device s...

Page 966: ... check The device processes a service expiration day check immediately after it starts up After register Do expiration daily check immediately The device processes a service expiration day check immediately after device registration Time is up Do expiration daily check The processes a service expiration day check every 24 hrs Read MyZyXEL com storage has failed Read data from EEPROM has failed Ope...

Page 967: ... get server response After the device sent packets to a server the device did not receive any response from the server The root cause may be a network delay issue Download file size is wrong The file size downloaded for AS is not identical with content length Parse HTTP header has failed Device can t parse the HTTP header in a response returned by a server Maybe some HTTP headers are missing Table...

Page 968: ...tom IDP signature failed The error sid and message are displayed Custom signature import error line line sid sid error_message An attempt to import a custom IDP signature failed The errored line number in the file the error sid and error message are displayed Custom signature replace error line line sid sid error_message Custom IDP signature replacing failed Error line number of file sid and messa...

Page 969: ...ast signature file update failed IDP signature update failed Can not update synchronized file An attempt to update the IDP signatures failed Rebuilding of the IDP device HA synchronized file failed IDP signature update from version version to version version has succeeded An IDP signature update succeeded The previous and updated IDP signature versions are listed IDP system protect signature updat...

Page 970: ...update the IDP signatures failed due to an internal system error System internal error Create IDP traffic anomaly entry failed There was an internal system error Query signature version failed The device could not get the signature version from the new signature package it downloaded from the update server Can not get signature version The device could not get the signature version from the new si...

Page 971: ...ame has been modified IDP profile has been modified name is profile name IDP signatures missing please refer to your user documentation to recover the default database file When the ZyWALL started it could not find the IDP signature file See the CLI reference guide for how to restore the default system database IDP signature size is over system limitation The IDP signature set is too large exceeds...

Page 972: ... the listed protocol s traffic Default port s of protocol s has been added The listed default port first s has been added for the listed protocol second s Default port s of protocol s has been removed The listed default port first s has been deleted for the listed protocol second s Rule s s has been moved to index s An application patrol rule has been moved 1st s Protocol name 2nd s From rule inde...

Page 973: ...he tunnel name When negotiating Phase 1 and selecting matched proposal My IP Address could not be resolved ID Tunnel s Phase 1 ID mismatch s is the tunnel name When negotiating Phase 1 the peer ID did not match ID Tunnel s Phase 2 Local ID mismatch s is the tunnel name When negotiating Phase 2 and checking IPsec SAs or the ID is IPv6 ID ID Tunnel s Phase 2 Remote ID mismatch s is the tunnel name W...

Page 974: ...ch SA Tunnel s Phase 2 pfs unsupported d s is the tunnel name When negotiating Phase 2 this device does not support the PFS specified SA Tunnel s Phase 2 SA encapsulation mismatch s is the tunnel name When negotiating Phase 2 the SA encapsulation did not match SA Tunnel s Phase 2 SA protocol mismatch s is the tunnel name When negotiating Phase 2 the SA protocol did not match SA Tunnel s SA sequenc...

Page 975: ...mote name The device sent a request to enter Aggressive Mode Send SA KE ID CER T CR HASH SIG NON CE DEL VID ATTR N OTFY s This is a combined message for outgoing IKE packets Start Phase 2 Quick Mode Indicates the beginning of phase 2 using quick mode The cookie pair is 0x 08x 08x 0x 08x 08x Indicates the initiator responder cookie pair The IPSec tunnel s is already established s is the tunnel name...

Page 976: ...s 0x x 0x x s rekeyed successfully The variables represent the phase 1 name tunnel name old SPI new SPI and the xauth name optional The tunnel was rekeyed successfully Tunnel s s Phase 1 pre shared key mismatch The variables represent the phase 1 name and tunnel name When negotiating phase 1 the pre shared keys did not match Tunnel s s Recving IKE request The variables represent the phase 1 name a...

Page 977: ... SEQ 0x x Packet Anti Replay detected The variables represent the SPI and the sequence number The device received a packet again that it had already received VPN connection s was disabled s is the VPN connection name An administrator disabled the VPN connection VPN connection s was enabled s is the VPN connection name An administrator enabled the VPN connection Due to active connection allowed exc...

Page 978: ...disabled Asymmetrical Route has been turned off Table 291 Sessions Limit Logs LOG MESSAGE DESCRIPTION Maximum sessions per host d was exceeded d is maximum sessions per host Table 292 Policy Route Logs LOG MESSAGE DESCRIPTION Can t open bwm_entries Policy routing can t activate BWM feature Can t open link_down Policy routing can t detect link up down status Cannot get handle from UAM user aware PR...

Page 979: ...rule number Policy route rule d was moved to d Rule is moved 1st d the original policy route rule number 2nd d the new policy route rule number Policy route rule d was deleted Rule is deleted d the policy route rule number Policy route rules were flushed Policy routing rules are cleared BWM has been activated The global setting for bandwidth management on the ZyWALL has been turned on BWM has been...

Page 980: ...n administrator assigns a certificate for SSH the device needs to convert it to a key used for SSH s is certificate name assigned by user TELNET port has been changed to port s An administrator changed the port number for TELNET s is port number assigned by user TELNET port has been changed to default port An administrator changed the port number for TELNET back to the default 23 FTP certificate s...

Page 981: ...ieved from it Set timezone to s An administrator changed the time zone s is time zone value Set timezone to default An administrator changed the time zone back to the default 0 Enable daylight saving An administrator turned on daylight saving Disable daylight saving An administrator turned off daylight saving DNS access control rules have been reached the maximum number An administrator tried to a...

Page 982: ...led Wizard adds DNS server s failed because DNS zone setting has conflictd Wizard apply DNS server failed because DNS zone conflicted s is the IP address of the DNS server Wizard adds DNS server s failed because Zone Forwarder numbers have reached the maximum number of 32 Wizard apply DNS server fail because the device already has the maximum number of DNS records configured s is IP address of the...

Page 983: ...t d is down When LINK is down d is the port number s is dead at s A daemon process is gone was killed by the operating system 1st s Daemon Name 2nd s date and time s process count is incorrect at s The count of the listed process is incorrect 1st s Daemon Name 2nd s date and time s becomes Zombie at s A process is present but not functioning 1st s Daemon Name 2nd s date and time When memory usage ...

Page 984: ...sponse from an unknown client In total received d arp response packets for the requested IP address The device received the specified total number of ARP response packets for the requested IP address Clear arp cache successfully The ARP cache was cleared successfully Client MAC address is not an Ethernet address A client MAC address is not an Ethernet address DHCP request received via interface s ...

Page 985: ...formed for DynDNS server 1st s is the profile name 2nd s is the FQDN of the profile Update the profile s has failed because the FQDN s is not under your control The owner of this FQDN is not the user 1st s is the profile name 2nd s is the FQDN of the profile Update the profile s has failed because the FQDN s was blocked for abuse The FQDN is blocked by DynDNS 1st s is the profile name 2nd s is the...

Page 986: ...ame Update the profile s has failed because Custom IP was empty The DDNS profile s IP select type is custom and a custom IP was not defined s is the profile name Update the profile s has failed because WAN interface was empty If the DDNS profile s IP select type is iface it needs a WAN iface s is the profile name The profile s has been paused because the VRRP status of WAN interface was standby Th...

Page 987: ...S profile cannot be updated because the fail of ping check for HA iface s is the profile name DDNS has been disabled by Device HA DDNS is disabled by Device HA because all VRRP groups are standby DDNS has been enabled by Device HA DDNS is enabled by Device HA because one of VRRP groups is active Disable DDNS has succeeded Disable DDNS Enable DDNS has succeeded Enable DDNS DDNS profile s has been r...

Page 988: ...n t get memory from OS Can t load s module The connectivity check process can t load module for check link status s the connectivity module currently only ICMP available Can t handle isalive function of s module The connectivity check process can t execute isalive function from module for check link status s the connectivity module currently only ICMP available Create socket error The connectivity...

Page 989: ...s been created s the name of VRRP group Device HA VRRP group s has been modified An VRRP group has been modified s the name of VRRP group Device HA VRRP group s has been deleted An VRRP group has been deleted s the name of VRRP group Device HA VRRP interface s for VRRP Group s has changed Configuration of an interface that belonged to a VRRP group has been changed 1st s VRRP interface name 2ed s s...

Page 990: ... s Synchronization failed because the Backup could not connect to the Master The object to be synchronized 2ed s The feature name for the object to be synchronized Backup firmware version can not be recognized Stop syncing from Master The firmware version on the Backup cannot be resolved to check if it is the same as on the Master A Backup device only synchronizes from the Master if the Master and...

Page 991: ...ized d the retry count Recovring to Backup original state for s has failed An update failed The device will try to recover the failed update feature to the original state before Device HA synchronizes the specified object Recovering to Backup original state for s has succeeded Recovery succeeded when an update for the specified object failed One of VRRP groups has became avtive Device HA Sync has ...

Page 992: ... interface s has been changed to Out Only RIP direction on interface s has been changed to Out Only s Interface Name RIP authentication mode has been changed to s RIP authentication mode has been changed to text or md5 RIP text authentication key has been changed RIP text authentication key has been changed RIP md5 authentication id and key have been changed RIP md5 authentication id and key have ...

Page 993: ... s RIP Version RIP receive version on interface s has been reset to current global version s RIP receive version on interface s has been reset to current global version s 1st s Interface Name 2nd s RIP RIP v2 broadcast on interface s has been disabled RIP v2 broadcast on interface s has been disabled s Interface Name OSPF on interface s has been stopped because Device HA binds this interface Devic...

Page 994: ...erface Name Table 298 NAT Logs LOG MESSAGE DESCRIPTION The NAT range is full The NAT mapping table is full s FTP ALG has succeeded The FTP Application Layer Gateway ALG has been turned on or off s Enable or Disable Extra signal port of FTP ALG has been modified Extra FTP ALG port has been changed Signal port of FTP ALG has been modified Default FTP ALG port has been changed s H 323 ALG has succeed...

Page 995: ...cessfully The router created a certificate request with the specified name Generate certificate request s failed errno d The router was not able to create a certificate request with the specified name See Table 292 on page 997 for details about the error number Generate PKCS 12 certificate s successfully The router created a PKCS 12 format certificate with the specified name Generate PKCS 12 certi...

Page 996: ...request name Import PKCS 7 certificate s into Trusted Certificate successfully The device imported a PKCS 7 format certificate into Trusted Certificates s is the certificate request name Decode imported certificate s failed The device was not able to decode an imported certificate s is certificate the request name Export PKCS 12 certificate s from My Certificate successfully The device exported a ...

Page 997: ...cate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not used 5 Certificate is not valid 6 Certificate signature was not verified correctly 7 Certificate was revoked by a CRL 8 Certificate was not added to the cache 9 Certificate decoding failed 10 Certificate was not found anywhere 11 Certificate...

Page 998: ...t and a user tried to use the disconnect aux command Interface s will reapply because Device HA become active status Device ha became active and is using a PPP base interface the PPP interface must reapply s is the interface name Interface s will reapply because Device HA is not running Device ha was deleted and free PPP base interface PPP interface must reapply s is the interface name Interface s...

Page 999: ...tatus s TxP kts u RxPkts u Colli u T xB s u RxB s u UpTime s Port statistics log This log will be sent to the VRPT server 1st s physical port name 2nd s physical port status 1st u physical port Tx packets 2nd u physical port Rx packets 3rd u physical port packets collisions 4th u physical port Tx Bytes s 5th u physical port Rx Bytes s 3rd s physical port up time name s status s TxP kts u RxPkts u ...

Page 1000: ...ection timed out due to a lack of response from the PPPOE server s PPP interface name Interface s create failed because has no member A bridge interface has no member s bridge interface name Interface cellular Application Error Code d n The listed error code d was generated due to an internal cellular interface error An error d occurred while negotiating with the device in s Please try to remove t...

Page 1001: ... PIN code setting The listed cellular interface d does has the wrong PIN code configured Unable to query the signal quality from the device in s Please try to remove then insert the device The ZyWALL could not check the signal strength for the listed cellular interface d This could be due to an error or being out of range of the ISP s cellular station Interface cellular d cannot connect to the ser...

Page 1002: ...been configured The configuration of the specified WLAN interface s has been changed Interface s has been deleted The specified WLAN interface s has been removed Create interface s has failed Wlan device does not exist The wireless device failed to create the specified WLAN interface s Remove the wireless device and reinstall it System internal error No 802 1X or WPA enabled IEEE 802 1x or WPA is ...

Page 1003: ... wireless client is listed second s Incorrect username or password for WPA or WPA2 enterprise internal authentication Interface s MAC s A wireless client used an incorrect WPA or WPA2 user name or user password and failed authentication by the ZyWALL s local user database while trying to connect to the specified WLAN interface first s The MAC address of the wireless client is listed second s Syste...

Page 1004: ...nd this representative interface is set to DHCP client and has more than one member in its group In this case the DHCP client will renew s interface name Port Grouping s has been changed An administrator configured port grouping s interface name Table 304 Force Authentication Logs LOG MESSAGE DESCRIPTION Force User Authentication will be enabled due to http server is enabled Force user authenticat...

Page 1005: ...pool are already assigned to DHCP clients so there is no IP address to give to the listed DHCP client DHCP server offered s to s s The DHCP server feature gave the listed IP address to the computer with the listed hostname and MAC address Requested s from s s The ZyWALL received a DHCP request for the specified IP address from the computer with the listed hostname and MAC address No applicable lea...

Page 1006: ...rver are correct but the listed sender e mail address does not match the listed SMTP e mail account Failed to connect to mail server s The ZyWALL could not connect to the SMTP e mail server s The address configured for the server may be incorrect or there may be a problem with the ZyWALL s or the server s network connection Table 308 IP MAC Binding Logs LOG MESSAGE DESCRIPTION Drop packet s u u u ...

Page 1007: ...l in s The Windows automatic update setting on a user s computer did not match the specified EPS object Windows security patch check fail in s The Windows security patch on a user s computer did not match the specified EPS object Antivirus check fail in s A user s computer did not match the anti virus software check in the specified EPS object Personal firewall check fail in s A user s computer di...

Page 1008: ...User s Guide 1008 Windows version check fail in s A user s computer did not match the Windows version check in the specified EPS object EPS checking result is pass A user s computer passed the EPS check Table 310 EPS Logs LOG MESSAGE DESCRIPTION ...

Page 1009: ...ther information about port numbers If the Protocol is TCP UDP or TCP UDP this is the IP port number If the Protocol is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 311 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Aut...

Page 1010: ... Internet Group Management Protocol is used when sending packets to a specific group of hosts IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management IRC TCP UDP 6667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol NEW ICQ TCP 5190 An Internet chat program NEWS TCP 144 A protocol for ne...

Page 1011: ...is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes midrange systems UNIX systems an...

Page 1012: ... Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution Table 311 Commonly Used Services continued NAME PROTOCOL PORT S DESCRIPTION ...

Page 1013: ... message on Miscrosoft Windows based computers If the log shows that virus files are being detected but your Miscrosoft Windows based computer is not displaying an alert message use one of the following procedures to make sure your computer is set to display the messages Windows XP 1 Click Start Control Panel Administrative Tools Services Figure 608 Windows XP Opening the Services Window ...

Page 1014: ...s Guide 1014 2 Select the Messenger service and click Start Figure 609 Windows XP Starting the Messenger Service 3 Close the window when you are done Windows 2000 1 Click Start Settings Control Panel Administrative Tools Services Figure 610 Windows 2000 Opening the Services Window ...

Page 1015: ...the window when you are done Windows 98 SE Me For Windows 98 SE Me you must open the WinPopup window in order to view real time alert messages Click Start Run and enter winpopup in the field provided and click OK The WinPopup window displays as shown Figure 612 Windows 98 SE WinPopup If you want to display the WinPopup window at startup follow the steps below for Windows 98 SE steps are similar fo...

Page 1016: ...USG 300 User s Guide 1016 1 Right click on the program task bar and click Properties Figure 613 WIndows 98 SE Program Task Bar 2 Click the Start Menu Programs tab and click Advanced Figure 614 Windows 98 SE Task Bar Properties 3 Double click Programs and click StartUp ...

Page 1017: ...yWALL USG 300 User s Guide 1017 4 Right click in the StartUp pane and click New Shortcut Figure 615 Windows 98 SE StartUp 5 A Create Shortcut window displays Enter winpopup in the Command line field and click Next Figure 616 Windows 98 SE Startup Create Shortcut ...

Page 1018: ...accept the default and click Finish Figure 617 Windows 98 SE Startup Select a Title for the Program 7 A shortcut is created in the StartUp pane Restart the computer when prompted Figure 618 Windows 98 SE Startup Shortcut Note The WinPopup window displays after the computer finishes the startup process see Figure 612 on page 1015 ...

Page 1019: ...es These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it However because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers you will need to import the ZyXEL created certificate into your web browser and flag that certificate as a tr...

Page 1020: ... the first time you browse to it you are presented with a certification error Figure 619 Internet Explorer 7 Certification Error 2 Click Continue to this website not recommended Figure 620 Internet Explorer 7 Certification Error 3 In the Address Bar click Certificate Error View certificates Figure 621 Internet Explorer 7 Certificate Error ...

Page 1021: ...ZyWALL USG 300 User s Guide 1021 4 In the Certificate dialog box click Install Certificate Figure 622 Internet Explorer 7 Certificate 5 In the Certificate Import Wizard click Next Figure 623 Internet Explorer 7 Certificate Import Wizard ...

Page 1022: ...matically select certificate store based on the type of certificate click Next again and then go to step 9 Figure 624 Internet Explorer 7 Certificate Import Wizard 7 Otherwise select Place all certificates in the following store and then click Browse Figure 625 Internet Explorer 7 Certificate Import Wizard ...

Page 1023: ...t Certificate Store dialog box choose a location in which to save the certificate and then click OK Figure 626 Internet Explorer 7 Select Certificate Store 9 In the Completing the Certificate Import Wizard screen click Finish Figure 627 Internet Explorer 7 Certificate Import Wizard ...

Page 1024: ...lly click OK when presented with the successful certificate installation message Figure 629 Internet Explorer 7 Certificate Import Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page a sealed padlock icon appears in the address bar Click it to view the page s Website Identification information Figure 630 Internet Explorer 7 Website Identification ...

Page 1025: ...one has been issued to you 1 Double click the public key certificate file Figure 631 Internet Explorer 7 Public Key Certificate File 2 In the security warning dialog box click Open Figure 632 Internet Explorer 7 Open File Security Warning 3 Refer to steps 4 12 in the Internet Explorer procedure beginning on page 1019 to complete the installation process Removing a Certificate in Internet Explorer ...

Page 1026: ...LL USG 300 User s Guide 1026 1 Open Internet Explorer and click Tools Internet Options Figure 633 Internet Explorer 7 Tools Menu 2 In the Internet Options dialog box click Content Certificates Figure 634 Internet Explorer 7 Internet Options ...

Page 1027: ...icates Authorities tab select the certificate that you want to delete and then click Remove Figure 635 Internet Explorer 7 Certificates 4 In the Certificates confirmation click Yes Figure 636 Internet Explorer 7 Certificates 5 In the Root Certificate Store dialog box click Yes Figure 637 Internet Explorer 7 Root Certificate Store ...

Page 1028: ... following example uses Mozilla Firefox 2 on Windows XP Professional however the screens can also apply to Firefox 2 on all platforms 1 If your device s Web Configurator is set to use SSL certification then the first time you browse to it you are presented with a certification error 2 Select Accept this certificate permanently and click OK Figure 638 Firefox 2 Website Certified by an Unknown Autho...

Page 1029: ...the address bar which you can click to open the Page Info Security window to view the web page s security information Figure 639 Firefox 2 Page Info Installing a Stand Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you ...

Page 1030: ...ng Certificates ZyWALL USG 300 User s Guide 1030 1 Open Firefox and click Tools Options Figure 640 Firefox 2 Tools Menu 2 In the Options dialog box click Advanced Encryption View Certificates Figure 641 Firefox 2 Options ...

Page 1031: ...tes Import Figure 642 Firefox 2 Certificate Manager 4 Use the Select File dialog box to locate the certificate and then click Open Figure 643 Firefox 2 Select File 5 The next time you visit the web site click the padlock in the address bar to open the Page Info Security window to see the web page s security information ...

Page 1032: ...ng a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2 1 Open Firefox and click Tools Options Figure 644 Firefox 2 Tools Menu 2 In the Options dialog box click Advanced Encryption View Certificates Figure 645 Firefox 2 Options ...

Page 1033: ...e Figure 646 Firefox 2 Certificate Manager 4 In the Delete Web Site Certificates dialog box click OK Figure 647 Firefox 2 Delete Web Site Certificates 5 The next time you go to the web site that issued the public key certificate you just removed a certification error appears Opera The following example uses Opera 9 on Windows XP Professional however the screens can apply to Opera 9 on all platform...

Page 1034: ...time you browse to it you are presented with a certification error 2 Click Install to accept the certificate Figure 648 Opera 9 Certificate signer not found 3 The next time you visit the web site click the padlock in the address bar to open the Security information window to view the web page s security details Figure 649 Opera 9 Security information ...

Page 1035: ...nd Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you 1 Open Opera and click Tools Preferences Figure 650 Opera 9 Tools Menu ...

Page 1036: ...Appendix D Importing Certificates ZyWALL USG 300 User s Guide 1036 2 In Preferences click Advanced Security Manage certificates Figure 651 Opera 9 Preferences ...

Page 1037: ...USG 300 User s Guide 1037 3 In the Certificates Manager click Authorities Import Figure 652 Opera 9 Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open Figure 653 Opera 9 Import certificate ...

Page 1038: ...stall authority certificate 6 Next click OK Figure 655 Opera 9 Install authority certificate 7 The next time you visit the web site click the padlock in the address bar to open the Security information window to view the web page s security details Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9 ...

Page 1039: ...Importing Certificates ZyWALL USG 300 User s Guide 1039 1 Open Opera and click Tools Preferences Figure 656 Opera 9 Tools Menu 2 In Preferences Advanced Security Manage certificates Figure 657 Opera 9 Preferences ...

Page 1040: ...ificate you just removed a certification error appears Note There is no confirmation when you delete a certificate authority so be absolutely certain that you want to go through with it before clicking the button Konqueror The following example uses Konqueror 3 5 on openSUSE 10 3 however the screens apply to Konqueror 3 5 on all Linux KDE distributions 1 If your device s Web Configurator is set to...

Page 1041: ...queror 3 5 Server Authentication 3 Click Forever when prompted to accept the certificate Figure 660 Konqueror 3 5 Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page s security details Figure 661 Konqueror 3 5 KDE SSL Information ...

Page 1042: ...en prompted you can install a stand alone certificate file if one has been issued to you 1 Double click the public key certificate file Figure 662 Konqueror 3 5 Public Key Certificate File 2 In the Certificate Import Result Kleopatra dialog box click OK Figure 663 Konqueror 3 5 Certificate Import Result The public key certificate appears in the KDE certificate manager Kleopatra Figure 664 Konquero...

Page 1043: ... security details Removing a Certificate in Konqueror This section shows you how to remove a public key certificate in Konqueror 3 5 1 Open Konqueror and click Settings Configure Konqueror Figure 665 Konqueror 3 5 Settings Menu 2 In the Configure dialog box select Crypto 3 On the Peer SSL Certificates tab select the certificate you want to delete and then click Remove Figure 666 Konqueror 3 5 Conf...

Page 1044: ...e next time you go to the web site that issued the public key certificate you just removed a certification error appears Note There is no confirmation when you remove a certificate authority so be absolutely certain you want to go through with it before clicking the button ...

Page 1045: ...endent network which is commonly referred to as an ad hoc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 667 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and a wi...

Page 1046: ...xtended Service Set ESS consists of a series of overlapping BSSs each containing an access point with each access point connected together by a wired network This wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network...

Page 1047: ...djacent AP access point to reduce interference Interference occurs when radio signals from different access points overlap causing interference and degrading performance Adjacent channels partially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and...

Page 1048: ...u set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS Request To Send message to the AP for permission to send it The AP then responds with a CTS Clear to Send message to all other stations within its range to notify them to defer their transmission It also reserves and confirms with the requesting station the time frame for the requested transmission S...

Page 1049: ...Type Preamble is used to signal that data is coming to the receiver Short and long refer to the length of the synchronization field in a packet Short preamble increases performance as less time sending preamble means more time for sending data All IEEE 802 11 compliant wireless adapters support long preamble but not all support short preamble Use long preamble if you are unsure what preamble mode ...

Page 1050: ...reless security methods available on your ZyWALL Note You must enable the same wireless security settings on the ZyWALL and on all wireless clients that you want to associate with it IEEE 802 1x In June 2001 the IEEE 802 1x standard was designed to extend the features of IEEE 802 11 to support extended authentication as well as providing additional Table 312 IEEE 802 11g DATA RATE MBPS MODULATION ...

Page 1051: ...ADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to the network Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the ne...

Page 1052: ...with an EAP compatible RADIUS server an access point helps a wireless station and a RADIUS server perform authentication The type of authentication you use depends on the RADIUS server and an intermediary AP s that supports IEEE 802 1x For EAP TLS authentication type you must first have a wired connection to the network and obtain the certificate s from a certificate authority CA A certificate als...

Page 1053: ... authentication is then done by sending username and password through the secure connection thus client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 PEAP Protected EAP Like EAP TTLS server side certificate authentication is used to establish a secure connection then use simple username and pa...

Page 1054: ...ve an external RADIUS server you should use WPA2 PSK WPA2 Pre Shared Key that only requires a single identical password entered into each access point wireless gateway and wireless client As long as the passwords match a wireless client will be granted access to a WLAN If the AP or the wireless clients do not support WPA2 just use WPA or WPA PSK depending on whether you have an external RADIUS ser...

Page 1055: ...rovides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC If they do not match it is assumed that the data has been tampered with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt data on a Wi Fi n...

Page 1056: ...nt how to use WPA At the time of writing the most widely available supplicant is the WPA patch for Windows XP Funk Software s Odyssey client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client However you must run Windows XP to use it WPA 2 with RADIUS Application Example To set up WPA 2 you need the IP address of the RADIUS ...

Page 1057: ...ith RADIUS Application Example WPA 2 PSK Application Example A WPA 2 PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters including spaces and symbols 2 The AP checks each wireless client s password and allows it to join the network only if the pa...

Page 1058: ...r each authentication method or key management protocol type MAC address filters are not dependent on how you configure these security features Table 315 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynam...

Page 1059: ...tenna s coverage area Antenna Gain Antenna gain measured in dB decibel is the increase in coverage within the RF beam width Higher antenna gain improves the range of the signal for better communications For an indoor site each 1 dB increase in antenna gain results in a range increase of approximately 2 5 For an unobstructed outdoor site each 1dB increase in gain results in a range increase of appr...

Page 1060: ...grees very directional to 120 degrees less directional Directional antennas are ideal for hallways and outdoor point to point applications Positioning Antennas In general antennas should be mounted as high as practically possible and free of obstructions In point to point application position both antennas at the same height and in a direct line of sight to each other to attain the best performanc...

Page 1061: ...ISTED IN THE NOTICE OR APPENDIX BELOW ZYXEL MAY HAVE DISTRIBUTED TO YOU HARDWARE AND OR SOFTWARE OR MADE AVAILABLE FOR ELECTRONIC DOWNLOADS THESE FREE SOFTWARE PROGRAMS OF THRID PARTIES AND YOU ARE LICENSED TO FREELY COPY MODIFY AND REDISTIBUTE THAT SOFTWARE UNDER THE APPLICABLE LICENSE TERMS OF SUCH THIRD PARTY NONE OF THE STATEMENTS OR DOCUMENTATION FROM ZYXEL INCLUDING ANY RESTRICTIONS OR CONDI...

Page 1062: ...ntenance technical or other support for the resultant modified Software You may not copy reverse engineer decompile reverse compile translate adapt or disassemble the Software or any part thereof nor shall you attempt to create the source code from the object code for the Software Except as and only to the extent expressly permitted in this License you may not market co brand and private label or ...

Page 1063: ...EE OR IN AN UNINTERUPTED FASHION OR THAT ANY DEFECTS OR ERRORS IN THE SOFTWARE WILL BE CORRECTED OR THAT THE SOFTWARE IS COMPATIBLE WITH ANY PARTICULAR PLATFORM SOME JURISDICTIONS DO NOT ALLOW THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES SO THEY MAY NOT APPLY TO YOU IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE ...

Page 1064: ...ate this License Agreement for any reason including but not limited to if ZyXEL finds that you have violated any of the terms of this License Agreement Upon notification of termination you agree to destroy or return to ZyXEL all copies of the Software and Documentation and to certify in writing that all known copies including backup copies have been destroyed All provisions relating to confidentia...

Page 1065: ...ce Companies names and data used in examples herein are fictitious unless otherwise noted No part may be reproduced or transmitted in any form or by any means electronic or mechanical for any purpose except the express written permission of ZyXEL Communications Corporation This Product includes ppp software under the PPP License PPP License Copyright c 1993 The Australian National University All r...

Page 1066: ...ense Netkit Telnet License Copyright c 1989 Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary for...

Page 1067: ...ies and that both the copyright notice and this permission notice appear in supporting documentation and that the name University of Delaware not be used in advertising or publicity pertaining to distribution of the software without specific written prior permission The University of Delaware makes no representations about the suitability this software for any purpose It is provided as is without ...

Page 1068: ... under the an X11 style License an X11 style license This is a Free Software License This license is compatible with The GNU General Public License Version 1 This license is compatible with The GNU General Public License Version 2 This is just like a Simple Permissive license but it requires that a copyright notice be maintained ________________________________________ Permission is hereby granted...

Page 1069: ...urce licenses In case of any license issues related to OpenSSL please contact openssl core openssl org OpenSSL License Copyright c 1998 2008 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this li...

Page 1070: ...erived from this software without prior written permission For written permission please contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software develop...

Page 1071: ... USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by T...

Page 1072: ...s Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and ...

Page 1073: ...ctory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY ...

Page 1074: ...are under the a 3 clause BSD License a 3 clause BSD style license This is a Free Software License This license is compatible with The GNU General Public License Version 1 This license is compatible with The GNU General Public License Version 2 This is the BSD license without the obnoxious advertising clause It s also known as the modified BSD license Note that the University of California now pref...

Page 1075: ...erived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTA...

Page 1076: ...EQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Id COPYRIGHT v 1 6 2 2 2002 02 12 06 05 48 marka Exp Portions Copyright C 1996 2001 Nominum Inc Permission to use copy modify and distribute this software for any purp...

Page 1077: ... granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL DIRECT INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DAT...

Page 1078: ...anagement of such entity whether by contract or otherwise or ii ownership of fifty percent 50 or more of the outstanding shares or iii beneficial ownership of such entity You or Your shall mean an individual or Legal Entity exercising permissions granted by this License Source form shall mean the preferred form for making modifications including but not limited to software source code documentatio...

Page 1079: ... 2 Grant of Copyright License Subject to the terms and conditions of this License each Contributor hereby grants to You a perpetual worldwide non exclusive no charge royalty free irrevocable copyright license to reproduce prepare Derivative Works of publicly display publicly perform sublicense and distribute the Work and such Derivative Works in Source or Object form 3 Grant of Patent License Subj...

Page 1080: ...atement to Your modifications and may provide additional or different license terms and conditions for use reproduction or distribution of Your modifications or for any such Derivative Works as a whole provided Your use reproduction and distribution of the Work otherwise complies with the conditions stated in this License 5 Submission of Contributions Unless You explicitly state otherwise any Cont...

Page 1081: ...ntributor and only if You agree to indemnify defend and hold each Contributor harmless for any liability incurred by or claims asserted against such Contributor by reason of your accepting any such warranty or additional liability END OF TERMS AND CONDITIONS Version 1 1 Copyright c 1999 2003 The Apache Software Foundation All rights reserved Redistribution and use in source and binary forms with o...

Page 1082: ...PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation For more information o...

Page 1083: ... of use not price Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software and use pieces of it in new free programs and that you are informed that you can do these things To protect your rights we need to ma...

Page 1084: ...al Public License therefore permits such linking only if the entire combination fits its criteria of freedom The Lesser General Public License permits more lax criteria for linking other code with the library We call this license the Lesser General Public License because it does Less to protect the user s freedom than the ordinary General Public License It also provides other free software develop...

Page 1085: ...r any derivative work under copyright law that is to say a work containing the Library or a portion of it either verbatim or with modifications and or translated straightforwardly into another language Hereinafter translation is included without limitation in the term modification Source code for a work means the preferred form of the work for making modifications to it For a library complete sour...

Page 1086: ...ntifiable sections of that work are not derived from the Library and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Library the distribution of the whole must be on the terms of...

Page 1087: ...be a derivative work of the Library even though the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data structure layouts and accessors and small macros and small inline functions ...

Page 1088: ...ived a copy of these materials or that you have already sent this user a copy For an executable the required form of the work that uses the Library must include any data and utility programs needed for reproducing the executable from it However as a special exception the materials to be distributed need not include anything that is normally distributed in either source or binary form with the majo...

Page 1089: ... contradict the conditions of this License they do not excuse you from the conditions of this License If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not distribute the Library at all For example if a patent license would not permit royalty free redistribution of the Library by all those ...

Page 1090: ...Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED ...

Page 1091: ...designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This General Public License applies to most of the Free Software Foundation s software and to any other program whose authors commit to using it Some other Free Software Found...

Page 1092: ...ar that any patent must be licensed for everyone s free use or not licensed at all The precise terms and conditions for copying distribution and modification follow TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Publ...

Page 1093: ...uch an announcement your work based on the Program is not required to print an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate wo...

Page 1094: ...ent access to copy the source code from the same place counts as distribution of the source code even though third parties are not compelled to copy the source along with the object code 4 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will automatical...

Page 1095: ...n is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 8 If the distribution and or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries so that dis...

Page 1096: ... OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTH...

Page 1097: ...tified as the Initial Developer in the Source Code notice required by Exhibit A 1 7 Larger Work means a work which combines Covered Code or portions thereof with code not governed by the terms of this License 1 8 License means this document 1 8 1 Licensable means having the right to grant to the maximum extent possible whether at the time of the initial grant or subsequently acquired any and all o...

Page 1098: ... 12 You or Your means an individual or a legal entity exercising rights under and complying with all of the terms of this License or a future version of this License issued under Section 6 1 For legal entities You includes any entity which controls is controlled by or is under common control with You For purposes of this definition control means a the power direct or indirect to cause the directio...

Page 1099: ...herwise dispose of 1 Modifications made by that Contributor or portions thereof and 2 the combination of Modifications made by that Contributor with its Contributor Version or portions of such combination the licenses granted in Sections 2 2 a and 2 2 b are effective on the date Contributor first makes Commercial Use of the Covered Code Notwithstanding Section 2 2 b above no patent license is gran...

Page 1100: ...rived directly or indirectly from Original Code provided by the Initial Developer and including the name of the Initial Developer in a the Source Code and b in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code 3 4 Intellectual Property Matters a Third Party Claims If Contributor has knowledge that a license under a third ...

Page 1101: ...tor as a result of warranty support indemnity or liability terms You offer 3 6 Distribution of Executable Versions You may distribute Covered Code in Executable form only if the requirements of Sections 3 1 3 2 3 3 3 4 and 3 5 have been met for that Covered Code and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License includi...

Page 1102: ...etscape may publish revised and or new versions of the License from time to time Each version will be given a distinguishing version number 6 2 Effect of New Versions Once Covered Code has been published under a particular version of the License You may always continue to use it under the terms of that version You may also choose to use such Covered Code under the terms of any subsequent version o...

Page 1103: ...oper or a Contributor the Initial Developer or Contributor against whom You file such action is referred to as Participant alleging that such Participant s Contributor Version directly or indirectly infringes any patent then any and all rights granted by such Participant to You under Sections 2 1 and or 2 2 of this License shall upon 60 days notice from Participant terminate prospectively unless i...

Page 1104: ...s negligence to the extent applicable law prohibits such limitation Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages so this exclusion and limitation may not apply to you 10 U S government end users The Covered Code is a commercial item as that term is defined in 48 C F R 2 101 Oct 1995 consisting of commercial computer software and commercial comp...

Page 1105: ...vered Code under Your choice of the MPL or the alternative licenses if any specified by the Initial Developer in the file described in Exhibit A Exhibit A Mozilla Public License The contents of this file are subject to the Mozilla Public License Version 1 1 the License you may not use this file except in compliance with the License You may obtain a copy of the License at http www mozilla org MPL S...

Page 1106: ...ppropriate to package The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the a...

Page 1107: ...e Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of t...

Page 1108: ...n of the license THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR OWNER S OF THE SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCI...

Page 1109: ...g to PNG copyright 1999 2000 2001 2002 Greg Roelofs Portions relating to gdttf c copyright 1999 2000 2001 2002 John Ellson ellson lucent com Portions relating to gdft c copyright 2001 2002 John Ellson ellson lucent com Portions copyright 2000 2001 2002 2003 2004 2005 2006 2007Pierre Alain Joye pierre libgd org Portions relating to JPEG and to color quantization copyright 2000 2001 2002 Doug Becker...

Page 1110: ...oftwarehttp www millstream com au view code tablekit Version 1 2 1 2007 03 11 Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to p...

Page 1111: ... required 2 Altered source versions must be plainly marked as such and must not be misrepresented as being the original software 3 This notice may not be removed or altered from any source distribution L Peter Deutschghost aladdin com This Product includes libpng software under the below License Copyright c year copyright holders This software is provided as is without any express or implied warra...

Page 1112: ...gust 15 2004 through 1 2 12 June 27 2006 are Copyright c 2004 2006 Glenn Randers Pehrson and are distributed according to the same disclaimer and license as libpng 1 2 5 with the following individual added to the list of Contributing Authors Cosmin Truta libpng versions 1 0 7 July 1 2000 through 1 2 5 October 3 2002 are Copyright c 2000 2002 Glenn Randers Pehrson and are distributed according to t...

Page 1113: ...th the user libpng versions 0 97 January 1998 through 1 0 6 March 20 2000 are Copyright c 1998 1999 2000 Glenn Randers Pehrson and are distributed according to the same disclaimer and license as libpng 0 96 with the following individuals added to the list of Contributing Authors Tom Lane Glenn Randers Pehrson Willem van Schaik libpng versions 0 89 June 1996 through 0 96 May 1997 are Copyright c 19...

Page 1114: ...Eric Schalnat Paul Schmidt Tim Wegner The PNG Reference Library is supplied AS IS The Contributing Authors and Group 42 Inc disclaim all warranties expressed or implied including without limitation the warranties of merchantability and of fitness for any purpose The Contributing Authors and Group 42 Inc assume no liability for direct indirect incidental special exemplary or consequential damages w...

Page 1115: ...g Authors and Group 42 Inc specifically permit without fee and encourage the use of this source code as a component to supporting the PNG file format in commercial products If you use this source code in a product acknowledgment is not required but would be appreciated This Product includes ftp tls software under the below License Copyright C 1997 and 1998 WIDE Project All rights reserved Redistri...

Page 1116: ...WISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright c 1985 1989 1993 1994 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above cop...

Page 1117: ...copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed by the NetBSD Foundation Inc and its contributors 4 Neither the name of The NetBSD Foundation nor t...

Page 1118: ...Appendix F Open Software Announcements ZyWALL USG 300 User s Guide 1118 ...

Page 1119: ...on or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Your use of the ZyWALL is subject to the terms and conditions of any related service providers Trademark...

Page 1120: ...ll not occur in a particular installation If this device does cause harmful interference to radio television reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the e...

Page 1121: ...y Period of this product During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyXEL will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operating co...

Page 1122: ...s warranty contact your vendor You may also refer to the warranty policy for the region in which you bought the device at http www zyxel com web support_warranty_info php Registration Register your product online to receive e mail notices of firmware upgrades and information at www zyxel com ...

Page 1123: ...users 732 733 custom page 846 forcing login 450 idle timeout 741 logging in 450 multiple logins 742 see also users 732 Web Configurator 744 access users see also force user authentication policies account myZyXEL com 285 user 731 accounting server 765 Active Directory see AD active protocol 510 AH 510 and encapsulation 511 ESP 510 active sessions 228 234 250 ActiveX 680 AD 765 768 769 771 772 dire...

Page 1124: ...107 FTP 436 H 323 436 442 IPPBX on DMZ tutorial 170 peer to peer calls 437 RTP 442 see also VoIP pass through 436 SIP 436 tutorial 163 Anomaly Detection and Prevention see ADP answer rings 871 antenna directional 1060 gain 1059 omni directional 1060 anti spam 691 697 action for spam mails 697 alerts 696 black list 692 697 concurrent e mail sessions 277 694 configuration overview 111 DNSBL 693 697 ...

Page 1125: ...ty 565 priority effect 564 protocol statistics 261 262 registration status 570 service ports 560 statistics 259 trial service activation 286 troubleshooting 921 927 931 troubleshooting signatures update 920 unidentified applications 578 updating signatures 291 vs firewall 457 460 applications 41 AppPatrol see application patrol 291 ASAS Authenex Strong Authentication System 766 ASCII encoding 653 ...

Page 1126: ...765 auto VPN policy 100 AUX port 870 see also auxiliary interface 870 auxiliary interface 296 360 870 troubleshooting 923 when used 360 B backdoor attacks 613 backing up configuration files 896 backslashes 654 bad length options attack 655 bandwidth egress 323 ingress 323 usage statistics 260 bandwidth limit troubleshooting 924 bandwidth management 559 and policy routes 389 behavior 563 configured...

Page 1127: ...ocol CMP 789 Certificate Revocation List CRL 782 vs OCSP 801 certificates 781 advantages of 782 and CA 782 and FTP 865 and HTTPS 842 and IKE SA 509 and SSH 860 and synchronization device HA 729 and VPN gateways 478 and WWW 844 certification path 782 792 798 expired 782 factory default 783 file formats 783 fingerprints 793 799 importing 786 in IPSec 494 not used for encryption 782 revoked 782 self ...

Page 1128: ...ent filtering 659 660 and address groups 659 660 665 and address objects 659 660 665 and registration 664 666 668 and schedules 659 660 and user groups 659 and users 659 by category 660 670 by keyword in URL 660 681 by URL 660 680 by web feature 660 680 cache 273 682 categories 670 category service 668 configuration overview 110 default policy 660 662 external web filtering service 668 682 filter ...

Page 1129: ...e 709 719 link monitoring 719 management access 710 management IP address 710 modes 709 monitored interfaces 713 717 password 717 prerequisites 111 role 721 synchronization 710 729 synchronization password 717 721 synchronization port number 716 721 troubleshooting 932 933 tutorial 177 virtual router 712 virtual router and management IP addresses 713 VRID 721 device High Availability see device HA...

Page 1130: ...Dynamic Host Configuration Protocol see DHCP dynamic peers in IPSec 482 dynamic routes 100 dynamic WEP key exchange 1053 DynDNS 413 DynDNS see also DDNS 413 Dynu 413 E EAP Authentication 1052 e Donkey 612 EGP Exterior Gateway Protocol 649 egress bandwidth 323 EICAR 589 e mail 691 daily statistics report 878 header buffer 693 headers 692 virus 599 e Mule 612 Encapsulating Security Payload see ESP e...

Page 1131: ...0 934 file sharing SSL application 807 create 812 filter MAC address 339 filtered port scan 650 Firefox 47 firewall 457 458 actions 470 and address groups 454 470 and address objects 454 470 and ALG 435 438 and application patrol 560 and H 323 ALG 436 and HTTP redirect 430 and IPSec SA 460 and IPSec VPN 928 and logs 455 470 and NAT 466 and port triggering 388 926 and schedules 455 470 576 579 582 ...

Page 1132: ...tal logo 526 GRE 368 GSM 322 Guide CLI Reference 3 Quick Start 3 H H 323 163 442 additional signaling port 440 ALG 435 442 and firewall 436 and RTP 442 signaling port 440 troubleshooting 927 HA status see device HA 712 header checksum 620 hidden node 1047 host based intrusions 632 HSDPA 322 HTTP inspection 645 653 over SSL see HTTPS redirect to HTTPS 844 vs HTTPS 842 HTTP redirect 429 and applicat...

Page 1133: ...evice HA 729 Snort signatures 633 statistics 270 traffic directions 601 trial service activation 286 troubleshooting 921 925 troubleshooting signatures update 920 updating signatures 291 verifying custom signatures 631 IEEE 802 11g 1049 IEEE 802 1q VLAN IGP Interior Gateway Protocol 649 IHL IP Header Length 619 IIS backslash evasion attack 654 emulation 654 encoding 654 server 653 unicode 654 unic...

Page 1134: ...mask 365 port groups see also port groups PPPoE PPTP see also PPPoE PPTP interfaces prerequisites 103 297 relationships between 297 static DHCP 367 subnet mask 364 trunks see also trunks types 296 virtual see also virtual interfaces VLAN see also VLAN interfaces where used 103 internal interface 98 304 Internet access troubleshooting 920 931 Internet Control Message Protocol see ICMP Internet Expl...

Page 1135: ... firewall 460 928 and to device firewall 928 authentication algorithms 504 505 authentication key manual keys 512 destination NAT for inbound traffic 514 encapsulation 510 encryption algorithms 505 encryption key manual keys 512 local policy 510 manual keys 512 NAT for inbound traffic 512 NAT for outbound traffic 512 Perfect Forward Secrecy PFS 511 proposal 511 remote policy 510 search by name 264...

Page 1136: ...h time limit 771 SSL 771 user attributes 745 least load first load balancing 371 LED troubleshooting 919 LEDs 35 legitimate e mail 691 level 4 inspection 560 level 7 inspection 560 license key 288 upgrading 288 licensing 283 Lightweight Directory Access Protocol see LDAP link sticking 370 374 lists 59 load balancing 369 algorithms 371 376 least load first 371 round robin 377 see also trunks 369 se...

Page 1137: ... MSCHAP V2 362 805 Point to Point Encryption MPPE 805 model name 228 monitor 266 SA 263 monitor menu 52 monitor profile ADP 642 IDP 608 monitor screens 239 monitored interfaces 713 device HA 717 MPPE Microsoft Point to Point Encryption 805 MSCHAP Microsoft Challenge Handshake Authentication Protocol 362 805 MSCHAP V2 Microsoft Challenge Handshake Authentication Protocol Version 2 362 805 MTU 323 m...

Page 1138: ...figuration 93 objects 93 112 518 AAA server 765 addresses and address groups 747 authentication method 775 certificates 781 for configuration 93 introduction to 93 schedules 759 services and service groups 753 SSL application 807 users user groups 731 obsolete options attack 655 offset patterns 627 One Time Password OTP 766 Online Certificate Status Protocol OCSP 801 vs CRL 801 Open Shortest Path ...

Page 1139: ... 437 managing 559 Perfect Forward Secrecy PFS 484 Diffie Hellman key group 511 performance troubleshooting 924 925 926 Personal Identification Number code see PIN code PFS Perfect Forward Secrecy 484 511 phishing 670 physical ports 33 and interfaces 94 packet statistics 240 packet statistics graph 242 PIN code 322 PIN generator 766 pointer record 836 Point to Point Protocol over Ethernet see PPPoE...

Page 1140: ...subnet mask 311 PPTP 368 and GRE 368 as VPN 368 preamble mode 1049 privacy concerns 671 problems 919 product overview 33 registration 1122 profiles packet inspection 609 protocol usage statistics 261 262 protocol anomaly 638 653 detection 645 proxy servers 430 web see web proxy servers PSK 1055 PTR record 836 public server tutorial 167 Public Key Infrastructure PKI 782 public private key pairs 781...

Page 1141: ...us 268 collecting data 247 configuration overview 114 content filtering 272 daily 878 daily e mail 878 IDP 270 specifications 249 traffic statistics 247 reset 936 vs reboot 915 RESET button 37 936 response strings 871 reverse proxy mode 42 517 RFC 1058 RIP 396 1389 RIP 396 1587 OSPF areas 398 1631 NAT 391 1889 RTP 442 2131 DHCP 366 2132 DHCP 366 2328 OSPF 397 2338 VRRP 719 2402 AH 483 510 2406 ESP...

Page 1142: ...ups 754 and firewall 470 and port triggering 388 in IDP 613 where used 112 service objects 753 service set 331 Service Set IDentity See SSID 326 328 service subscription status 288 service trials 286 services 753 754 1009 and device HA 710 and firewall 470 754 and IDP 754 and policy routes 754 and port triggering 388 subscription 284 where used 112 Session Initiation Protocol see SIP session limit...

Page 1143: ...9 spillover for load balancing 372 spyware 671 SQL slammer 633 SSH 857 and address groups 861 and address objects 861 and certificates 860 and zones 861 client requirements 859 encryption methods 859 for secure Telnet 861 how connection is established 858 versions 859 with Linux 862 with Microsoft Windows 861 SSID 326 328 SSL 517 524 841 access policy 518 and AAA 771 and AD 771 and LDAP 771 certif...

Page 1144: ... virus 268 application patrol 259 bandwidth 260 content filtering 272 daily e mail report 878 IDP 270 protocol 261 262 traffic 247 status bar 57 warning message popup 57 stopping the device 37 streaming protocols management 559 strict source routing 620 stub area 398 STUN 437 and ALG 437 subscription services 284 and synchronization device HA 710 AppPatrol 286 content filtering 286 IDP 286 new IDP...

Page 1145: ...VRRP groups 719 global rules 459 token 766 trademarks 1119 traffic anomaly 638 642 traffic statistics 247 Transmission Control Protocol see TCP transport encapsulation 483 Transport Layer Security TLS 865 trapdoor attacks 613 trial subscription services 286 triangle routes 465 allowing through the firewall 467 vs virtual interfaces 465 Triple Data Encryption Standard see 3DES trojan attacks 613 tr...

Page 1146: ...used 103 Trusted Certificates see also certificates 795 TTCP detected attack 655 tunnel encapsulation 483 tutorials 117 U UDP 753 attack packet 611 648 decoder 645 653 decoy portscan 650 distributed portscan 650 flood attack 653 messages 753 port numbers 754 portscan 649 portsweep 650 u encoding attack 654 UltraVNC 808 undersize len attack 655 undersize offset attack 655 unreachables ICMP 650 unsa...

Page 1147: ...LDAP 745 attributes for RADIUS 745 attributes in AAA servers 745 configuration overview 112 currently logged in 230 236 default lease time 741 743 default reauthentication time 741 743 default type for Ext User 732 ext group user type 732 Ext User type 732 ext user type 732 groups see user groups Guest type 732 lease time 736 limited admin type 732 lockout 742 logged in 254 prerequisites for force...

Page 1148: ...s 478 and to device firewall 928 VRID 721 VRPT Vantage Report 881 889 VRRP 719 advertisement interval 728 backup router 728 management IP 728 master router 728 router priority 728 virtual router ID VR ID 728 VRRP groups 719 and interfaces 719 and to device firewall 719 authentication 719 role desired 723 see also VRRP W WAN multiple IP addresses 176 WAN trunk 100 WAN_TRUNK 33 warm start 37 warning...

Page 1149: ... vs WPA PSK 1055 wireless client supplicant 1056 with RADIUS application example 1056 WPA2 1054 user authentication 1055 vs WPA2 PSK 1055 wireless client supplicant 1056 with RADIUS application example 1056 WPA2 Pre Shared Key WPA2 PSK 1054 WPA2 PSK 1054 1055 application example 1057 WPA PSK 1054 1055 application example 1057 WWW 842 and address groups 846 and address objects 846 and authenticatio...

Reviews:

No comments

Related manuals for USG-300 - V2.20 ED 2

Ubisys G1 Assembly And Commissioning Instructions preview
G1
Brand: Ubisys Pages: 51
Banner SureCross DX80 Reference Manual preview
SureCross DX80
Brand: Banner Pages: 96
Yeastar Technology TB200 Installation Manual preview
TB200
Brand: Yeastar Technology Pages: 11
NBN Fibre to the Curb Setup Manual preview
Fibre to the Curb
Brand: NBN Pages: 9
WAGO 758-918 Manual preview
758-918
Brand: WAGO Pages: 76
Anybus AB7702 Installation Manual preview
AB7702
Brand: Anybus Pages: 2
Nitgen Fingkey Access User Manual preview
Fingkey Access
Brand: Nitgen Pages: 36
ProSoft ProLinx 104S Protocol Manual preview
ProLinx 104S
Brand: ProSoft Pages: 157
Ubee DVW32CB Installation Manual preview
DVW32CB
Brand: Ubee Pages: 7
Microhard Systems IPn3Gii Operating Manual preview
IPn3Gii
Brand: Microhard Systems Pages: 186
RTA 460ECETC-NNA1 Product User Manual preview
460ECETC-NNA1
Brand: RTA Pages: 74
Huawei HG635 Quick Start Manual preview
HG635
Brand: Huawei Pages: 28
Huawei HG633 Quick Start Manual preview
HG633
Brand: Huawei Pages: 12
Cooper Lighting Solutions EG-2 Installation Manual preview
EG-2
Brand: Cooper Lighting Solutions Pages: 8
Allied Telesis AT-iMG626MOD Datasheet preview
AT-iMG626MOD
Brand: Allied Telesis Pages: 3
4IPNET HSG326 Quick Installation Manual preview
HSG326
Brand: 4IPNET Pages: 24
Hitron CODA D3.1 Quick Start Manual preview
CODA D3.1
Brand: Hitron Pages: 2
Peripheral Electronics iSimple PGHNI2 Owner'S Manual preview
iSimple PGHNI2
Brand: Peripheral Electronics Pages: 34

Brands by name

Popular brands

Load more brands