ZyWALL USG 20/20W/50

 

ZLD 2.21 Support Notes

Revision 1.00
August, 2010

Written by CSO

Summary of Contents for ZYWALL USG 20

Page 1: ...ZyWALL USG 20 20W 50 ZLD 2 21 Support Notes Revision 1 00 August 2010 Written by CSO...

Page 2: ...5 2 4 Configuration Guide 16 Scenario 3 How to configure NAT if you have Internet facing public servers 22 3 1 Application Scenario 22 3 2 Configuration Guide 23 Scenario 4 Secure site to site connect...

Page 3: ...2 Scenario 9 Using ZyWALL to Control Popular P2P Applications USG 50 only 71 9 1 Application Scenario 71 9 2 Configuration Guide 72 Scenario 10 Deploying Content Filtering to Manage Employee Browsing...

Page 4: ...h enables you to link your network with up to two ISPs or other networks via Ethernet PPPoE or 3G connections User can either use trunks for WAN traffic load balancing to increase overall network thro...

Page 5: ...ZyWALL 5 UTM WAN1 PPP over Ethernet WAN2 3G Goal to achieve Use the PPPoE interface as device s primary WAN connection and switch to the 3G interface automatically when the PPPoE interface s connectio...

Page 6: ...PoE user name and password Step 3 Click CONFIGURATION Network Interface PPP to open the configuration page User can click the system default rule and edit it Step 2 Fill in the PPPoE parameters Select...

Page 7: ...figured ISP account to activate the PPPoE rule Step 5 When the configuration is done click the Connect button to enable the PPPoE link Once the connection is established the connected icon will be dis...

Page 8: ...and check the IP address part for the information Step 7 Click CONFIGURATION Network Interface Cellular to open the configuration page Step 6 Fill in the 3G connection parameters The card information...

Page 9: ...ode Step 9 After the configuration is done click Activate to enable the rule And then click Connect button to enable the 3G connection Step 7 Go to the dashboard and click the Dial button to trigger t...

Page 10: ...10 Step 10 User can check the 3G connection status on MONITOR System Status Cellular Status screen Step 11 Now both the PPPoE and 3G connection are UP Click on CONFIGURATION Network Interface Trunk t...

Page 11: ...munications Corporation 11 Step 13 Configure the trunk name and add the two interfaces PPPoE for Active and 3G for Passive mode Step 14 Select the User Configured Trunk rule as the default WAN trunk T...

Page 12: ...can get passed through the USG ZyWALL smoothly improving your service quality and ensuring the Internet connections get effectively utilized 2 1 1 Load Balancing Algorithm WRR Weighted Round Robin We...

Page 13: ...ble bandwidth Then it will use each interface s traffic utilization ratio as the index to decide via which WAN interface it will send the next new session The interface with the least outbound traffic...

Page 14: ...s load balancing algorithm to reduce Internet fees while avoiding congestion on the first WAN connection See the example below WAN1 free connection bandwidth 1M WAN2 billing connection bandwidth 800K...

Page 15: ...company s VoIP provider the network administrator wants VoIP traffic primarily sent out over WAN1 In case WAN1 is down the VoIP traffic can still go out over WAN2 PPPoE connection Network administrat...

Page 16: ...rily through WAN2 PPPoE connection In case WAN2 PPPoE is down it will go out via WAN1 3 All other traffic goes out via WAN trunk performing Load Balancing with Least Load Balancing algorithm ZLD confi...

Page 17: ...o CONFIGURATION Network Interface Trunk Add WAN Trunks a Add WAN trunk for VoIP traffic Set WAN1 as Active mode while setting WAN2_ppp as Passive mode Choose WAN interface WAN1 and enable Use another...

Page 18: ...affic Step 2 Go to Advanced Policy Route add a policy route to route HTTP traffic out primarily through WAN2 leaving WAN1 as backup Criteria IP Protocol TCP 6 Application Custom Source IP Choose inter...

Page 19: ...enable SIP ALG Go to Configuration Network ALG enable SIP ALG Step 3 For all other traffic we use the two WAN connections to perform load balancing Go to Network WAN General Choose Active Active Mode...

Page 20: ...ort Notes All contents copyright c 2010 ZyXEL Communications Corporation 20 b Add a policy route for HTTP traffic Source LAN1_subnet Destination Any Service HTTP Next Hop Select the newly created WAN...

Page 21: ...ommunications Corporation 21 c For all other traffic use SYSTEM_DEFAULT_WAN_TRUNK to do load balancing Go to Configuration Network Interface Trunk Click Show Advanced Settings Make sure Default SNAT i...

Page 22: ...rotection while at the same time letting WAN side clients servers access the intranet servers To give an example the company may have an internal FTP server which needs to be accessible from the Inter...

Page 23: ...erver IP 192 168 50 33 ZyWALL 5 UTM WAN IP 10 59 1 50 FTP server IP 192 168 5 33 Goal to achieve User Tom can access the internal FTP server by accessing the Internet facing WAN IP address ZLD configu...

Page 24: ...le User needs to select the WAN interface for the incoming access choosing the WAN IP for users to access Step 3 Then configure the incoming ports translation ports and the internal FTP server IP addr...

Page 25: ...WAN to LAN1 Step 6 User can create an address object for the internal FTP server for further configuration usage Click Create new Object for this function Step 5 Click Rule Summary to customize the s...

Page 26: ...7 Configure the rule to Allow access from WAN to LAN1 Source IP address is not specific Destination IP address is the FTP server s address Select FTP service with port 20 21 to be enabled Select the a...

Page 27: ...rios for secure data communications across a public network like the Internet An IPSec VPN tunnel is usually established in two phases Each phase establishes a security association SA a contract indic...

Page 28: ...et 192 168 5 0 24 IPSec VPN Conditions Phase 1 Authentication 1234567890 Local Peer ID type IP 0 0 0 0 Phase 2 Encapsulation Mode Tunnel Active Protocol ESP Negotiation Main mode Encryption Algorithm...

Page 29: ...GW Address Authentication setting Pre Shared Key ID Type setting Local and Peer side Phase 1 setting Negotiation mode Encryption algorithm Authentication algorithm Key Group Step 1 Click SECURITY VPN...

Page 30: ...ZyXEL ZyWALL USG Support Notes All contents copyright c 2010 ZyXEL Communications Corporation 30...

Page 31: ...cal network side Remote network side Phase 2 settings Active protocol Encapsulation mode Encryption algorithm Authentication algorithm Perfect Forward Secrecy Step 4 Go back to the previous page to se...

Page 32: ...ZyXEL ZyWALL USG Support Notes All contents copyright c 2010 ZyXEL Communications Corporation 32...

Page 33: ...unications Corporation 33 Step 6 After saving the network policy user can see the IPSec VPN configuration is complete Click the Connect button to enable the VPN tunnel Step 7 After the VPN tunnel is e...

Page 34: ...tep 7 After setting the rule user can select the rule and click the Connect button to establish the VPN link Once the tunnel is established a connected icon will be displayed in front of the rule Step...

Page 35: ...rporate resources through the Internet for organizations of any size Using IPSec VPN companies can secure connections to branch offices partners and headquarters Road warriors and telecommuters can us...

Page 36: ...24 IPSec VPN Conditions Phase 1 Authentication 1234567890 Local Peer ID type IP 0 0 0 0 Phase 2 Encapsulation Mode Tunnel Active Protocol ESP Negotiation Main mode Encryption Algorithm DES Encryption...

Page 37: ...ss Authentication setting Pre Shared Key ID Type setting Local and Peer side Phase 1 setting Negotiation mode Encryption algorithm Authentication algorithm Key Group Step 1 Click SECURITY VPN VPN RULE...

Page 38: ...ZyXEL ZyWALL USG Support Notes All contents copyright c 2010 ZyXEL Communications Corporation 38...

Page 39: ...side Phase 2 setting Active protocol Encapsulation mode Encryption algorithm Authentication algorithm Perfect Forward Secrecy Step 4 Go back to the previous page to see the newly created IKE rule with...

Page 40: ...ZyXEL ZyWALL USG Support Notes All contents copyright c 2010 ZyXEL Communications Corporation 40...

Page 41: ...ght c 2010 ZyXEL Communications Corporation 41 Step 6 After setting up the network policy user can see the IPSec VPN configuration is complete Note that the destination is Any Step 7 Start the ZyXEL I...

Page 42: ...Corporation 42 Step 7 Start the ZyXEL IPSec VPN Client Fill in the Phase 1 configuration Note that the USG series does not support the Config Mode in phase 1 advanced setting thus users must avoid se...

Page 43: ...ht c 2010 ZyXEL Communications Corporation 43 Step 8 Configure the phase 2 parameters Step 9 Because it is a dynamic rule user MUST enable it from the VPN client Click Open Tunnel to enable it The ico...

Page 44: ...orporation 44 Step 9 Because it is a dynamic rule user MUST enable it from the VPN client Click Open Tunnel to enable it The icon will change to green if established successfully Step 10 When the VPN...

Page 45: ...sources through a secured VPN tunnel with little effort All they need on their PC is a browser Besides in SSL VPN the network administrator can define different access rules to allow different users t...

Page 46: ...Guide Network Conditions WAN IP 172 25 27 62 LAN subnet 192 168 1 0 24 VNC server IP 192 168 1 5 Goals to achieve 1 Tom in tele admin group can VNC to the internal server 192 168 1 5 by SSL VPN appli...

Page 47: ...ZyXEL Communications Corporation 47 ZLD configuration ZyNOS configuration Step 1 Create two local user accounts for Tom and Chris on USG50 Go to Configuration Object User Group add two local user acco...

Page 48: ...ZyXEL Communications Corporation 48 Step 2 Go to Configuration Object Address Add an IP address pool for the SSL VPN full tunnel mode access Security Extender Step3 Go to Configuration Object SSL App...

Page 49: ...tes All contents copyright c 2010 ZyXEL Communications Corporation 49 Step4 Go to Configuration VPN SSL VPN Add an SSL VPN rule for Tom to access Allow the user Tom to access this rule Add the VNC app...

Page 50: ...ons Corporation 50 Step5 Go to Configuration VPN SSL VPN Add an SSL VPN rule for Chris to access Allow the user Chris to access this rule Enable Network Extension assign the address pool for SSL VPN c...

Page 51: ...cations Corporation 51 Check the created policies as below Scenario Verification a Log in with user Tom Open the USG login page Make sure Java is installed and enabled in your browser Use user Tom to...

Page 52: ...XEL Communications Corporation 52 SSL VPN is established You can see the VNC server on the VPN portal User can just click on the VNC application and access the VNC server Input the correct password fo...

Page 53: ...yright c 2010 ZyXEL Communications Corporation 53 b Log in with user Chris Open the USG login page Make sure Java is installed and enabled in your browser Use user Chris to log into SSL VPN Full tunne...

Page 54: ...oration 54 You can check the client s routing table after the full tunnel is established The client can access the LAN resources by their private IP s as if he were in the same local network with the...

Page 55: ...to use the limited bandwidth which may result in some important traffic for example VoIP traffic getting slow or even starved Therefore intelligent bandwidth management for improved productivity beco...

Page 56: ...dwidth 2M WAN upload bandwidth 1M Goal to achieve Make sure VoIP traffic has the highest priority over all other traffic ZLD configuration ZyNOS configuration ZyWALL USG50 configuration steps Step 1 G...

Page 57: ...led the system ignores the bandwidth management settings of all application patrol rules for SIP traffic and does not record SIP traffic bandwidth usage statistics NOTE You need to register IDP App Pa...

Page 58: ...ation 58 ZyWALL USG20 20W configuration steps Step 1 Go to Configuration Network ALG enable SIP ALG Step 2 Go to Configuration BWM enable BWM Upload bandwidth budget 300kbps Priority 7 Priority order...

Page 59: ...to WAN Select the UDP protocol Allocate 300kbps for both inbound outbound bandwidths Add Sub Class under interface LAN to manage download traffic To guarantee voice quality the bandwidth for VoIP tra...

Page 60: ...port Notes All contents copyright c 2010 ZyXEL Communications Corporation 60 Step4 Create a bandwidth management rule and configure Configure the rule as from WAN to LAN1 Configure the rest identicall...

Page 61: ...y to some superior users to keep their important work going on smoothly For example the general manager needs to surf Internet smoothly to conduct his daily important work Therefore the network admini...

Page 62: ...ers to prevent any user from using up too many sessions ZLD configuration ZyNOS configuration ZyWALL USG50 configuration steps Step 1 Go to Configuration Object Address add an address object for the m...

Page 63: ...ep 2 Go to ADVANCED BW MGMT Class Setup Choose WAN1 to configure upload bandwidth management Add a Sub Class Bandwidth Budget Allocate 100kbps for the manager s http upload traffic Priority Assign the...

Page 64: ...http Step3 Go to ADVANCED BW MGMT Class Setup Choose LAN to configure download bandwidth management Add a Sub Class Bandwidth Budget Allocate 300kbps for the manager s http download traffic Priority...

Page 65: ...traffic download and assign a bandwidth of 100kbps for outbound traffic upload For the definition of Inbound and Outbound please refer to the App Patrol BWM Direction NOTE below Set priority as the hi...

Page 66: ...OTE To use App Patrol to manage bandwidth correctly users must understand the direction Inbound and Outbound The direction Inbound and Outbound are determined with the traffic session initiation direc...

Page 67: ...er s session number To prevent any user from using up too many sessions we can limit each user s sessions to a specific number Go to Configuration Firewall Session Limit Enable Session Limit and set D...

Page 68: ...010 ZyXEL Communications Corporation 68 ZyWALL USG20 20W configuration steps Step 1 Go to Configuration Object Address Add an address object for the manager manager_IP 192 168 1 50 Step 2 Go to Config...

Page 69: ...ort Notes All contents copyright c 2010 ZyXEL Communications Corporation 69 Input Start Time and Stop Time and choose the weekdays Step3 Go to Configuration BWM Add a policy to manage the manager s ht...

Page 70: ...configured in step2 Direction from LAN1 to WAN Source manager_IP Destination any Protocol TCP Bandwidth Management To guarantee the manager can surf internet smoothly we can assign a bandwidth of 300k...

Page 71: ...mpany s limited bandwidth This will slow down other normal productive traffic speed and affect productivity lowering company productivity profit USG ZyWALL s Application Patrol function can examine pa...

Page 72: ...ndwidth to 100kbps ZLD configuration ZyNOS configuration Step 1 Go to Configuration Object Schedule add a Recurring schedule object for the office hours Step 1 IDP Common Setting a In IDP General chec...

Page 73: ...o to Configuration App Patrol General First of all please make sure you have activated your IDP App Patrol license Enable Application Patrol and enable BWM Step 2 Control Thunder application a In IDP...

Page 74: ...EL Communications Corporation 74 Step3 Switch to Configuration App Patrol Peer to Peer Edit the P2P services you need to control In this example we will edit the thunder application b Use the Thunder...

Page 75: ...imit its bandwidth to 100kbps for both inbound and outbound traffic Assign the lowest priority 7 for it c IT staff can log all Thunder traffic by checking the Log check box and blocking the Thunder pa...

Page 76: ...n from Any to Any Access Reject We can enable Log to check which user tries to violate the rule Check the created policies Make sure their order lists as below Step 3 IDP signature update To keep the...

Page 77: ...their jobs Browsing websites that are irrelevant to work is a waste of human resources as well as a waste of company network resources There re also some unsafe websites which may contain phishing or...

Page 78: ...es may contain malware intended to infect the visitor s PC with viruses or even to corrupt the visitor s PC Additionally some web pages may contain spyware sources ZSB has been added to ZyWALL to help...

Page 79: ...vant to their work 3 All employees may access any websites outside of office hours ZLD configuration ZyNOS configuration Step 1 Go to Configuration Object User Group Add an address object for the mana...

Page 80: ...EL Communications Corporation 80 Step 2 Go to Configuration Object Schedule Add a Recurring schedule for office hours Step 3 Go to Configuration Anti X Content Filter Filter Profile Add a profile Step...

Page 81: ...Pages to Warn and Log Set action When Category Server is Unavailable to Warn and Log Check all the unsafe categories and leave all the managed categories as unchecked Add a policy to meet the requirem...

Page 82: ...arn and Log Set action for Managed Web Pages to Block and Log Set action for Unrated Web Pages to Warn and Log Set action When Category Server is Unavailable to Warn and Log Check all the unsafe categ...

Page 83: ...t the Denied Access Message Make sure the Content Filter service is licensed Add an access policy for all the crew outside of office hours Schedule none Address select the address object LAN subnet Fi...

Page 84: ...hours Schedule select the office_hour object Address select the LAN subnet address object Filter Profile select the for_employee profile created in the Profile page User Group Any Add an access policy...

Page 85: ...ZyXEL ZyWALL USG Support Notes All contents copyright c 2010 ZyXEL Communications Corporation 85 Check the created policies Make sure their order lists as below...

Page 86: ...r to present the message However due to the security protection design WLAN users cannot access the server on LAN side by default To enable this the system administrator needs to configure the firewal...

Page 87: ...uration Guide Goal to achieve A quick setup to allow users connected by WLAN access the service in the LAN zone ZLD configuration ZyNOS configuration Step 1 Click CONFIGURATION Network Interface WLAN...

Page 88: ...by clicking the Edit button Step 3 Configure this SSID to belong to the LAN zone With both the WLAN users and the LAN server belonging to the same security zone the WLAN users will be able to access t...
