manualshive.com logo in svg

ZyXEL Communications ZyWall USG 50-H Series, User Manual

The ZyXEL Communications ZyWall USG 50-H Series is a high-performance firewall appliance designed to provide robust network security for small businesses. For comprehensive setup and configuration guidance, be sure to download the User Manual for free from our website. Get all the information you need to maximize the capabilities of your device.

Share
Download
background image

Chapter 27 ADP

ZyWALL USG 50-H User’s Guide

438

OVERSIZE-CHUNK-
ENCODING ATTACK

This rule is an anomaly detector for abnormally large chunk sizes. 
This picks up the apache chunk encoding exploits and may also be 
triggered on HTTP tunneling that uses chunk encoding.

OVERSIZE-REQUEST-URI-
DIRECTORY ATTACK

This rule takes a non-zero positive integer as an argument. The 
argument specifies the max character directory length for URL 
directory. If a URL directory is larger than this argument size, an 
alert is generated. A good argument value is 300 characters. This 
should limit the alerts to IDS evasion type attacks, like whisker.

SELF-DIRECTORY-
TRAVERSAL ATTACK

This rule normalizes self-referential directories. So, “/abc/./xyz” gets 
normalized to “/abc/xyz”.

U-ENCODING ATTACK

This rule emulates the IIS %u encoding scheme. The %u encoding 
scheme starts with a %u followed by 4 characters, like %uXXXX. 
The XXXX is a hex encoded value that correlates to an IIS unicode 
codepoint. This is an ASCII value. An ASCII character is encoded 
like, %u002f = /, %u002e = ., etc.

UTF-8-ENCODING 
ATTACK

The UTF-8 decode rule decodes standard UTF-8 unicode 
sequences that are in the URI. This abides by the unicode standard 
and only uses % encoding. Apache uses this standard, so for any 
Apache servers, make sure you have this option turned on. When 
this rule is enabled, ASCII decoding is also enabled to enforce 
correct functioning.

WEBROOT-DIRECTORY-
TRAVERSAL ATTACK

This is when a directory traversal traverses past the web server root 
directory. This generates much fewer false positives than the 
directory option, because it doesn’t alert on directory traversals that 
stay within the web server directory structure. It only alerts when the 
directory traversals go past the web server root directory, which is 
associated with certain web attacks.

TCP Decoder

BAD-LENGTH-OPTIONS 
ATTACK

This is when a TCP packet is sent where the TCP option length field 
is not the same as what it actually is or is 0. This may cause some 
applications to crash.

EXPERIMENTAL-OPTIONS 
ATTACK

This is when a TCP packet is sent which contains non-RFC-
complaint options. This may cause some applications to crash.

OBSOLETE-OPTIONS 
ATTACK

This is when a TCP packet is sent which contains obsolete RFC 
options.

OVERSIZE-OFFSET 
ATTACK

This is when a TCP packet is sent where the TCP data offset is 
larger than the payload. 

TRUNCATED-OPTIONS 
ATTACK

This is when a TCP packet is sent which doesn’t have enough data 
to read. This could mean the packet was truncated.

TTCP-DETECTED ATTACK

T/TCP provides a way of bypassing the standard three-way 
handshake found in TCP, thus speeding up transactions. However, 
this could lead to unauthorized access to the system by spoofing 
connections.

UNDERSIZE-LEN ATTACK

This is when a TCP packet is sent which has a TCP datagram length 
of less than 20 bytes. This may cause some applications to crash.

UNDERSIZE-OFFSET 
ATTACK

This is when a TCP packet is sent which has a TCP header length of 
less than 20 bytes.This may cause some applications to crash.

UDP Decoder

OVERSIZE-LEN ATTACK

This is when a UDP packet is sent which has a UDP length field of 
greater than the actual packet length. This may cause some 
applications to crash.

Table 153   

HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL

DESCRIPTION

Summary of Contents for ZyWall USG 50-H Series

Page 1: ...www zyxel com ZyWALL USG 50 H Series Unified Security Gateway User s Guide Version 2 16 6 2009 Edition 1 DEFAULT LOGIN Port LAN DMZ 1 IP Address https 192 168 1 1 User Name admin Password 1234...

Page 2: ......

Page 3: ...are arranged by menu item as defined in the web configurator Read each chapter carefully for detailed information on that menu item To find specific information in this guide use the Contents Overview...

Page 4: ...ons Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan E mail techwriters zyxel com tw Need More Help More help is available at www zyxel com Download Library Search for the la...

Page 5: ...contact your vendor then contact a ZyXEL office for the region in which you bought the device See http www zyxel com web contact_us php for contact information Please have the following information r...

Page 6: ...A key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the EN...

Page 7: ...s Guide 7 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyWALL icon is not an exact representation of your device ZyWALL Computer Notebook computer Server...

Page 8: ...plug and connect it to a power outlet by itself always attach the plug to the power adaptor first before connecting it to a power outlet Do NOT allow anything to rest on the power adaptor or cord and...

Page 9: ...with this symbol which is known as the WEEE mark WEEE stands for Waste Electronics and Electrical Equipment It means that used electrical and electronic products should not be mixed with general waste...

Page 10: ...Safety Warnings ZyWALL USG 50 H User s Guide 10...

Page 11: ...s 93 Status 131 Network 145 Interface 147 Trunks 217 Policy and Static Routes 225 Routing Protocols 237 Zones 247 DDNS 251 Virtual Servers 257 HTTP Redirect 269 ALG 273 IP MAC Binding 281 Firewall 287...

Page 12: ...Services 463 Schedules 469 AAA Server 475 Authentication Method 485 Certificates 489 SSL Application 507 System 511 System 513 Maintenance Troubleshooting Specifications 551 File Manager 553 Logs 563...

Page 13: ...the ZyWALL 33 Chapter 2 Features and Applications 35 2 1 Features 35 2 2 Packet Flow 36 2 2 1 Interface to Interface Through ZyWALL 37 2 2 2 Interface to Interface To From ZyWALL 37 2 2 3 Interface t...

Page 14: ...ignment 60 4 3 9 Step 2 Internet Access PPTP 61 4 3 10 Step 4 Internet Access Finish 63 4 4 Installation Setup Two Internet Service Providers 63 4 4 1 Internet Access Wizard Setup Complete 65 4 5 Wire...

Page 15: ...Accounts 98 6 4 2 How to Create the WLAN Interface 98 6 4 3 How to Set Up the Wireless Clients to Use the WLAN Interface 100 6 5 How to Set Up an IPSec VPN 110 6 5 1 How to Set Up the VPN Gateway 110...

Page 16: ...4 7 2 2 The Memory Usage Screen 135 7 2 3 The Session Usage Screen 136 7 2 4 The VPN Status Screen 137 7 2 5 The DHCP Table Screen 138 7 2 6 The Port Statistics Screen 139 7 2 7 The Port Statistics Gr...

Page 17: ...6 8 13 VLAN Interface Screen 197 8 13 1 Configuring the VLAN Summary Screen 199 8 13 2 Configuring the VLAN Add Edit Screen 200 8 14 Bridge Interface Screen 205 8 14 1 Configuring the Bridge Summary S...

Page 18: ...12 1 1 What You Can Do in the Zones Screens 247 12 1 2 What You Need to Know About Zones 247 12 2 The Zone Screen 248 12 2 1 The Zone Edit Screen 249 Chapter 13 DDNS 251 13 1 DDNS Overview 251 13 1 1...

Page 19: ...7 1 1 What You Can Do in the IP MAC Binding Screens 281 17 1 2 What You Need to Know About IP MAC Binding 282 17 2 IP MAC Binding Summary 282 17 2 1 IP MAC Binding Edit 282 17 2 2 Static DHCP Edit 283...

Page 20: ...en 328 19 6 IPSec VPN Background Information 330 Chapter 20 SSL VPN 341 20 1 Overview 341 20 1 1 What You Can Do in the SSL VPN Screens 341 20 1 2 What You Need to Know About SSL VPN 341 20 2 The SSL...

Page 21: ...25 3 Configuring the Default L2TP VPN Connection Example 370 25 4 Configuring the L2TP VPN Settings Example 372 25 5 Configuring the Policy Route for L2TP Example 372 25 6 Configuring L2TP VPN in Win...

Page 22: ...file Summary Screen 426 27 3 1 Base Profiles 426 27 3 2 Configuring The ADP Profile Summary Screen 427 27 3 3 Creating New ADP Profiles 427 27 3 4 Traffic Anomaly Profiles 428 27 3 5 Protocol Anomaly...

Page 23: ...reen 466 30 3 1 The Service Group Add Edit Screen 467 Chapter 31 Schedules 469 31 1 Overview 469 31 1 1 What You Can Do in the Schedule Screens 469 31 1 2 What You Need to Know About Schedules 469 31...

Page 24: ...icates 489 34 1 3 Verifying a Certificate 491 34 2 The My Certificates Screen 492 34 2 1 The My Certificates Add Screen 493 34 2 2 The My Certificates Edit Screen 496 34 2 3 The My Certificates Import...

Page 25: ...Record 523 36 5 10 Adding a DNS Service Control Rule 524 36 6 WWW Overview 524 36 6 1 Service Access Limitations 525 36 6 2 System Timeout 525 36 6 3 HTTPS 526 36 6 4 Configuring WWW Service Control...

Page 26: ...Screens 565 38 4 1 Log Setting Summary 566 38 4 2 Edit System Log Settings 567 38 4 3 Edit Remote Server Log Settings 570 38 4 4 Active Log Summary Screen 572 Chapter 39 Reports 575 39 1 Overview 575...

Page 27: ...ecifications 591 43 2 Power Adaptor Specifications 595 Part X Appendices and Index 597 Appendix A Log Descriptions 599 Appendix B Common Services 637 Appendix C Importing Certificates 641 Appendix D W...

Page 28: ...Table of Contents ZyWALL USG 50 H User s Guide 28...

Page 29: ...29 PART I Getting Started Introducing the ZyWALL 31 Features and Applications 35 Web Configurator 41 Configuration Basics 79 Tutorials 93 Status 131...

Page 30: ...30...

Page 31: ...r powerful features Flexible configuration helps you set up the network and enforce security policies efficiently See Chapter 2 on page 35 for a more detailed overview of the ZyWALL s features The ZyW...

Page 32: ...information about the CLI Table 1 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off Green On The ZyWALL is turned on Red On There is a hardware component failure Shut dow...

Page 33: ...ETHOD DESCRIPTION Connecting the power A cold start occurs when you turn on the power to the ZyWALL The ZyWALL powers up checks the hardware and starts the system processes Rebooting the ZyWALL A warm...

Page 34: ...Chapter 1 Introducing the ZyWALL ZyWALL USG 50 H User s Guide 34...

Page 35: ...vide secure communication between two sites over the Internet or any insecure network that uses TCP IP for communication The ZyWALL also offers hub and spoke IPSec VPN Security Zones Many security set...

Page 36: ...s individual features like text messaging voice video conferencing and file transfers Application patrol has powerful bandwidth management including traffic prioritization to enhance the performance...

Page 37: ...LG DNAT Routing zFW IPSec D ALG AC DNAT Routing FW AP SNAT BWM Encap VLAN Ethernet 2 2 4 Interface to Interface To VPN Tunnel This example shows the flow to a VPN tunnel from a source other than the Z...

Page 38: ...what is known as full tunnel mode SSL VPN network access In full tunnel mode a virtual connection is created for remote users with private IP addresses in the same subnet as the local network This all...

Page 39: ...rmation and shared resources based on the user who is trying to access it Figure 5 Applications User Aware Access Control 2 3 4 Multiple WAN Interfaces Set up multiple connections to the Internet on t...

Page 40: ...Chapter 2 Features and Applications ZyWALL USG 50 H User s Guide 40...

Page 41: ...Allow pop up windows blocked by default in Windows XP Service Pack 2 Enable JavaScripts enabled by default Enable Java permissions enabled by default Enable cookies The recommended screen resolution...

Page 42: ...ears Otherwise the main screen Figure 9 on page 43 appears Figure 8 Update Admin Info Screen 5 The screen above appears every time you log in using the default user name and default password If you ch...

Page 43: ...Main Screen 3 3 Web Configurator Main Screen As illustrated in Figure 9 on page 43 the main screen is divided into these parts A title bar B navigation panel C main window D status bar 3 3 1 Title Bar...

Page 44: ...tus system resource usage and interface status Network Interface Status Use this screen to see information about all of the ZyWALL s interfaces and their connection status Port Role Use this screen to...

Page 45: ...is screen to monitor current SSL VPN connection Global Setting Use this screen to configure the ZyWALL s SSL VPN settings that apply to all connections L2TP VPN L2TPVPN Use this screen to configure L2...

Page 46: ...ADIUS Group Use this screen to create and manage groups of RADIUS servers Auth Method Use these screens to create and manage ways of authenticating users Certificate My Certificates Use this screen to...

Page 47: ...manage and upload configuration files for the ZyWALL Firmware Package Use this screen to look at the current firmware version and to upload firmware Shell Script Use this screen to manage and run shel...

Page 48: ...configurator These commands appear in a popup window such as the following Figure 12 CLI Messages Click Change Display Style to show or hide the index numbers for the commands the commands are more co...

Page 49: ...TALLATION SETUP ONE ISP Click this link to open a wizard to set up a single Internet connection for Gigabit Ethernet interface wan1 This wizard creates matching ISP account settings in the ZyWALL if y...

Page 50: ...e 13 Wizard Setup Welcome 4 2 Installation Setup One ISP The wizard screens vary depending on what encapsulation type you use Refer to information provided by your ISP to know what to enter in each fi...

Page 51: ...Assignment Select Auto If your ISP did not assign you a fixed IP address Select Static If the ISP assigned a fixed IP address Table 7 Internet Access Step 1 LABEL DESCRIPTION ISP Parameters Encapsulat...

Page 52: ...the following screen displays Click Next to apply the configuration settings Figure 15 Ethernet Encapsulation Auto Finish You have set up your ZyWALL to access the Internet Click Close to exit the wiz...

Page 53: ...ify here to resolve domain names for VPN DDNS and the time server Table 8 Ethernet Encapsulation Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you...

Page 54: ...PPoE Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen the following screen displays after you click Next Figure 18 PPPoE Encapsulation Auto The followi...

Page 55: ...characters and it can be up to 31 characters long Password Type the password associated with the user name above Use up to 64 ASCII characters except the and This field can be blank Retype to Confirm...

Page 56: ...cept the and This field can be blank Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in...

Page 57: ...n the previous screen WAN Interface This is the number of the interface that will connect with your ISP Zone This is the security zone to which this interface and Internet connection will belong IP Ad...

Page 58: ...ulation Static Finish You have set up your ZyWALL to access the Internet Click Close to exit the wizard 4 3 7 PPTP Auto IP Address Assignment If you select Auto as the IP Address Assignment in the pre...

Page 59: ...ur ISP if given Server IP Type the IP address of the PPTP server Connection ID Enter the connection ID or connection name in this field It must follow the c id and n name format For example C 12 or N...

Page 60: ...TP Encapsulation Auto Finish You have set up your ZyWALL to access the Internet Click Close to exit the wizard 4 3 8 PPTP Static IP Address Assignment If you select Static as the IP Address Assignment...

Page 61: ...ou by your ISP if given Server IP Type the IP address of the PPTP server Connection ID Enter the connection ID or connection name in this field It must follow the c id and n name format For example C...

Page 62: ...pe a Connection ID or connection name It must follow the c id and n name format For example C 12 or N My ISP This field is optional and depends on the requirements of your broadband modem or router 4...

Page 63: ...etup Two Internet Service Providers This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers ISPs or two different accounts with t...

Page 64: ...you can configure the Second WAN Interface Click Next to continue Figure 27 Internet Access Step 3 Second WAN Interface After you configure the Second WAN Interface a summary of configuration setting...

Page 65: ...ters for the wireless LAN Channel The ZyWALL automatically scans for and selects an available wireless frequency Security Select the type of wireless security to use for this wireless LAN interface WE...

Page 66: ...DNS server information to the wireless clients The ZyWALL is the DHCP server for the wireless network None has the ZyWALL not be the DHCP server for the wireless network There must be another DHCP se...

Page 67: ...nnection and VPN gateway settings a policy route and address objects that you can use later in configuring more VPN connections or other features Click VPN SETUP in the Wizard Setup Welcome screen Fig...

Page 68: ...ey and default security settings Advanced Use this wizard to configure detailed VPN security settings such as using certificates The VPN connection can be to another ZLD based ZyWALL or other IPSec de...

Page 69: ...zard Step 3 LABEL DESCRIPTION Secure Gateway If Any displays in this field it is not configurable for the chosen scenario If this field is configurable enter the WAN IP address or domain name of the r...

Page 70: ...ses on a network by their subnet mask type the subnet mask of the LAN behind the remote gateway Back Click Back to return to the previous screen Next Click Next to continue Table 16 VPN Express Wizard...

Page 71: ...the matching VPN connection settings for the remote gateway If the remote gateway is a ZLD based ZyWALL you can copy and paste this list into its command line interface in order to configure it for t...

Page 72: ...be a number This value is case sensitive Site to site Choose this if the remote IPSec router has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic...

Page 73: ...tion mode Encryption Algorithm When DES is used for data communications both sender and receiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and v...

Page 74: ...message to the remote IPSec server If the remote IPSec server responds the ZyWALL transmits the data If the remote IPSec server does not respond the ZyWALL shuts down the IKE SA Authentication Method...

Page 75: ...ey which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES tha...

Page 76: ...ts encrypted by the remote IPSec router to enter the ZyWALL via this interface Remote Policy IP Mask If Any displays in this field it is not configurable for the chosen scenario If this field is confi...

Page 77: ...ur ZyWALL Remote Policy This is a static IP address and Subnet Mask on the network behind the remote IPSec router If this field displays Any only the remote IPSec router can initiate the VPN connectio...

Page 78: ...p ZyWALL USG 50 H User s Guide 78 Figure 41 VPN Wizard Step 6 Advanced If you have not already done so you can register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Clos...

Page 79: ...available for system management 5 1 Object based Configuration The ZyWALL stores information or settings as objects You use these objects to configure many of the ZyWALL s features and settings Once y...

Page 80: ...ons via a connected 3G device WLAN interfaces are for wireless LAN IEEE 802 11b g n connections VLAN interfaces recognize tagged frames The ZyWALL automatically adds or removes the tags as needed Each...

Page 81: ...d Zone Configuration This section explains the ZyWALL s factory default zone and interface configuration The following figure uses letters to denote public IP addresses or part of a private IP address...

Page 82: ...8 3 254 range The WLAN zone contains the wlan1 1 interface and uses the built in wireless LAN interface This is a second protected zone for connecting wireless access points The wlan interface uses pr...

Page 83: ...OSI level 7 bandwidth management Application patrol General bandwidth management Policy route MENU ITEM S This shows you the sequence of menu items and tabs you should click to find the main screen s...

Page 84: ...on page 93 5 4 5 SSL VPN Use SSL VPN to provide secure network access to remote users MENU ITEM S Network Interface except Network Interface Trunk PREREQUISITES Port groups configured in the Interface...

Page 85: ...Edit icon and add the DMZ interface and click Apply 5 4 8 DDNS Dynamic DNS maps a domain name to a dynamic IP address The ZyWALL helps maintain this mapping 5 4 9 Policy Routes Use policy routes to c...

Page 86: ...width FTP traffic can use You may also want to set a low priority for FTP traffic The ZyWALL checks the policy routes in the order that they are listed So make sure that your custom policy route comes...

Page 87: ...d to specify the destination address Leave the Access field set to Allow and the Log field set to No The ZyWALL checks the firewall rules in order Make sure each rule is in the correct place in the se...

Page 88: ...the virtual server Add an entry 2 Name the entry 3 Select the WAN interface that the FTP traffic is to come in through in this example wan1 or wan2 4 Specify the public WAN IP address where the ZyWALL...

Page 89: ...this table when you want to delete an object because you have to delete references to the object first PREREQUISITES Interfaces MENU ITEM S Network ALG Table 27 Objects Overview OBJECT WHERE USED user...

Page 90: ...se HTTPS to manage the ZyWALL from the WAN 1 Create an administrator account User Group 2 Create an address object for the administrator s computer Object Address 3 Click System WWW to configure the H...

Page 91: ...or large repetitive configuration changes for example creating a lot of VPN tunnels and for troubleshooting You can edit configuration files and shell scripts in any text editor 5 6 3 Logs and Reports...

Page 92: ...Chapter 5 Configuration Basics ZyWALL USG 50 H User s Guide 92...

Page 93: ...ZyWALL See also Chapter 25 on page 369 for an example of configuring L2TP 6 1 How to Configure an Ethernet Interface You need to assign the ZyWALL s WAN1 a static IP address of 1 2 3 4 Click Network...

Page 94: ...an1 6 2 How to Configure Port Roles You can configure to which interface a physical port belongs Here is how to remove the LAN1 DMZ port 4 P6 from the dmz interface and add it to the lan2 interface 1...

Page 95: ...connected to each of the ZyWALL s two USB ports Table 227 on page 591 lists the compatible 3G devices In this example you install or connect the 3G card before you configure the cellular interfaces bu...

Page 96: ...security settings Leaving Zone blank has the ZyWALL not apply any security settings to the 3G connection Enter the PIN Code provided by the cellular 3G service provider 0000 in this example In Relate...

Page 97: ...le test disconnect all of the ZyWALL s wired WAN connections If you can still access the Internet your cellular interface is properly configured and your cellular device is working To fine tune the lo...

Page 98: ...d Click OK Figure 49 Object User Group User Add 3 Use the Add icon in the Object User Group User screen to set up the remaining user accounts in similar fashion 6 4 2 How to Create the WLAN Interface...

Page 99: ...pe otherwise select WPA Enterprise Set the Authentication Type to Auth Method The ZyWALL can use its default authentication method the local user database and its default certificate to authenticate t...

Page 100: ...to configure ZyXEL s wireless client utility not included with the ZyWALL to use the WLAN interface See Section 6 4 3 2 on page 103 instead for how to use Funk Odyssey s wireless client software if y...

Page 101: ...ect WPA2 as the security type and click Next Figure 55 ZyXEL Wireless Client Profile Security Type 4 Set the encryption type to TKIP and the EAP type to TTLS Configure wlan_user as the Login Name and...

Page 102: ...6 ZyXEL Wireless Client Profile Security Settings 5 Confirm your settings and click Save Figure 57 ZyXEL Wireless Client Profile Save 6 Click Activate Now Figure 58 ZyXEL Wireless Client Profile Activ...

Page 103: ...nk Odyssey Wireless Client This example shows how to configure Funk s Odyssey Access Client Manager wireless client software not included with the ZyWALL to use the WLAN interface 1 Open the Odyssey w...

Page 104: ...104 Figure 61 Odyssey Access Client Manager Profiles User Info 3 Click the Authentication tab and select Validate server certificate Figure 62 Odyssey Access Client Manager Profiles Authentication 4...

Page 105: ...iles Authentication 5 Click Networks Add Figure 64 Odyssey Access Client Manager Networks 6 Enter the name of the wireless network ZYXEL_WPA in this example or click Scan to look for it Then select Au...

Page 106: ...4 3 3 How the Wireless Clients Import the ZyWALL s Certificate You must import the ZyWALL s certificate into the wireless clients if they are to validate the ZyWALL s certificate Use the My Certifica...

Page 107: ...k the Certificates button Figure 66 Internet Explorer Tools Internet Options Content 2 Click Import Figure 67 Internet Explorer Tools Internet Options Content Certificates 3 Use the wizard screens to...

Page 108: ...default setting Figure 69 Internet Explorer Certificate Import Wizard Certificate Store Screen 5 If you get a security warning screen click Yes to proceed Figure 70 Internet Explorer Certificate Impo...

Page 109: ...followed by a hyphen to indicate what type of information is being displayed such as Common Name CN Organizational Unit OU Organization O and Country C Figure 72 Object Certificate My Certificates Re...

Page 110: ...peer IPSec router Y 172 16 1 0 24 6 5 1 How to Set Up the VPN Gateway The VPN gateway manages the IKE SA You do not have to set up any other objects before you configure the VPN gateway because this V...

Page 111: ...dress Click the Add icon 2 Give the new address object a name VPN_REMOTE_SUBNET change the Address Type to SUBNET Set up the Network field to 172 16 1 0 and the Netmask to 255 255 255 0 Click OK Figur...

Page 112: ...unnel 1 Click Network Routing Policy Route You want this policy route to have higher priority than the default policy route for the trunk so click the Add icon at the top of the column not the one nex...

Page 113: ...the VPN connection screen s Connect icon 6 5 4 How to Configure Security Policies for the VPN Tunnel You configure security policies based on zones The new VPN connection was assigned to the IPSec_VP...

Page 114: ...unt for each user account in the RADIUS server If it is possible to export user names from the RADIUS server to a text file then you might create a script to create the user accounts instead This exam...

Page 115: ...the RADIUS Server This step sets up user authentication using the RADIUS server First configure the settings for the RADIUS server Then set up the authentication method and configure the ZyWALL to us...

Page 116: ...en select force in the Authentication field Keep the rest of the default settings and click OK The users will have to log in using the web configurator login screen before they can use HTTP or MSN Fig...

Page 117: ...the Common tab and then the Edit icon next to the default http service Figure 87 AppPatrol BWM Common 3 Click the Default policy s Edit icon Figure 88 AppPatrol BWM Common http 4 Change the access to...

Page 118: ...OK Repeat this process to add exceptions for all the other user groups that are allowed to browse the web Figure 90 AppPatrol BWM Common http Edit Default 6 6 5 How to Set Up MSN Policies Set up a re...

Page 119: ...you configure the policy for the Sales group s MSN access 6 6 6 How to Set Up Firewall Rules Use the firewall to control access from LAN1 to the DMZ 1 Click Firewall In From Zone select LAN1 in To Zo...

Page 120: ...e 94 Firewall Add 5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ 6 7 How to Configure Load Balancing The following example shows how to set...

Page 121: ...available bandwidth 1000 kbps in the Egress Bandwidth field Click OK Figure 96 Network Interface Ethernet Edit wan1 2 Click the Edit icon for wan2 and enter the available bandwidth 512 kbps in the Eg...

Page 122: ...to any kind of HTTP or HTTPS connection to the ZyWALL They do not distinguish between administrator management access and user access If you configure service control to allow management or user HTTP...

Page 123: ...99 System WWW Service Control Rule Edit 4 Click the new rule s Add icon Figure 100 System WWW First Example Admin Service Rule Configured 5 Set the Zone to ALL and set the Action to Deny Click OK Fig...

Page 124: ...PN for example 6 9 How to Allow Incoming H 323 Peer to peer Calls Suppose you have a H 323 device on LAN1 for VoIP calls and you want it to be able to receive peer to peer calls from the WAN Here is a...

Page 125: ...323 In this example you need a virtual server policy to forward H 323 TCP port 1720 traffic received on the ZyWALL s 10 0 0 8 WAN IP address to LAN1 IP address 192 168 1 56 1 Use Object Address Add t...

Page 126: ...ss 192 168 1 56 1 Click Firewall In From Zone select WAN in To Zone select LAN1 2 The default rule for WAN to LAN1 traffic drops all traffic You want to allow H 323 access through IP address 10 0 0 8...

Page 127: ...e the screen as follows and click OK Figure 110 Firewall WAN to LAN Add Now people can call the H 323 device through the Internet 6 10 How to Allow Public Access to a Server This is an example of maki...

Page 128: ...ddress 6 10 2 How to Configure a Virtual Server You need a virtual server to send HTTP traffic coming to IP address 1 1 1 2 on wan2 to the HTTP server s private IP address of 192 168 3 7 In the Networ...

Page 129: ...e NAT 1 1 Example on page 261 for details Select Add corresponding Policy Route rule for NAT Loopback to allow local users to use a domain name to access the HTTP server See NAT Loopback Example on pa...

Page 130: ...Chapter 6 Tutorials ZyWALL USG 50 H User s Guide 130...

Page 131: ...7 2 5 on page 138 to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses Use the Port Statistics screen see Section 7 2 6 on page 139 t...

Page 132: ...where you can change it See Section 36 2 on page 514 Model Name This field displays the model name of this ZyWALL Serial Number This field displays the serial number of this ZyWALL MAC Address Range T...

Page 133: ...firmware upgrade System default configuration The ZyWALL applied the system default configuration Fallback to lastgood configuration The ZyWALL was unable to apply the startup config conf configuratio...

Page 134: ...Table 55 on page 177 for the status that can appear For wireless LAN WLAN interfaces Down The wireless LAN feature or the interface is disabled Up The wireless LAN feature is enabled and the interfac...

Page 135: ...s recent memory RAM usage To access this screen click Memory Usage in the Status screen Table 31 Status CPU Usage LABEL DESCRIPTION 100 The y axis represents the percentage of CPU usage time The x axi...

Page 136: ...ecent traffic session usage To access this screen click Session Usage in the Status screen Table 32 Status Memory Usage LABEL DESCRIPTION 100 The y axis represents the percentage of RAM usage time The...

Page 137: ...e currently established To access this screen click VPN Status in the Status screen Table 33 Status Session Usage LABEL DESCRIPTION Sessions The y axis represents the number of session time The x axis...

Page 138: ...Status LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific SA Name This field displays the name of the IPSec SA Encapsulation This field displays how the IPSec...

Page 139: ...ntify this device on the network the computer name The ZyWALL learns these from the DHCP client requests You can use CLI commands to set this value for static DHCP entries MAC Address This field displ...

Page 140: ...ets transmitted from the ZyWALL on the physical port since it was last connected RxPkts This field displays the number of packets received by the ZyWALL on the physical port since it was last connecte...

Page 141: ...this to stop the window from updating automatically You can start it again by setting the Poll Interval and clicking Set Interval Table 36 Status Port Statistics continued LABEL DESCRIPTION Table 37...

Page 142: ...d System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on Refresh Interval Enter how often you want this window to be automatically updated Ref...

Page 143: ...of the signal The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider s base station You can see a signal strength indication even...

Page 144: ...SN Electronic Serial Number of the inserted CDMA 3G card The ESN is the serial number of a CDMA 3G card and is similar to the IMEI on a GSM or UMTS 3G card SIM Card IMSI This displays the Internationa...

Page 145: ...145 PART II Network Interface 147 Trunks 217 Policy and Static Routes 225 Routing Protocols 237 Zones 247 DDNS 251 Virtual Servers 257 HTTP Redirect 269 ALG 273...

Page 146: ...146...

Page 147: ...es RIP and OSPF are also configured in these interfaces Use the PPP screens Section 8 6 on page 166 for PPPoE or PPTP Internet connections Use the Cellular screens Section 8 7 on page 171 to configure...

Page 148: ...N interfaces are for wireless LAN IEEE 802 11b g n connections VLAN interfaces receive and send tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associat...

Page 149: ...ing the same port role The relationships between interfaces are explained in the following table You cannot set up a PPPoE PPTP interface virtual Ethernet interface or virtual VLAN interface if the St...

Page 150: ...rface screens See Section 8 16 on page 213 for background information on interfaces See Section 6 1 on page 93 for an example of configuring Ethernet interfaces See Section 6 2 on page 94 for an examp...

Page 151: ...rface is disabled Zone This field displays the zone to which the interface is currently assigned IP Addr Netmask This field displays the current IP address and subnet mask assigned to the interface If...

Page 152: ...e 126 Network Interface Port Role Status This field displays the current status of the interface Down The interface is not connected Speed Duplex The interface is connected This field displays the por...

Page 153: ...icient the routers should be However the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management The ZyWALL supports two rout...

Page 154: ...the current IP address of the interface If the IP address is 0 0 0 0 the interface does not have an IP address yet This screen also shows whether the IP address is a static IP address STATIC or dynami...

Page 155: ...on is exchanged The ZyWALL can receive routing information send routing information or do both Select which version of RIP to support in each direction The ZyWALL supports RIP 1 RIP 2 and both version...

Page 156: ...Chapter 8 Interface ZyWALL USG 50 H User s Guide 156 Figure 128 Network Interface Ethernet Edit wan2...

Page 157: ...Chapter 8 Interface ZyWALL USG 50 H User s Guide 157 Figure 129 Network Interface Ethernet Edit lan1...

Page 158: ...on is available for the WAN interfaces The LAN and DMZ interfaces always use static IP addresses Select this if you want to specify the IP address subnet mask and gateway manually Enter the IP address...

Page 159: ...last address broadcast address and the interface s IP address Pool Size Enter the number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For...

Page 160: ...AN interfaces The interface can regularly check the connection to the gateway you specified to make sure it is still available You specify how often the interface checks the connection how long to wai...

Page 161: ...face Direction This field is effective when RIP is enabled Select the RIP direction from the drop down list box BiDir This interface sends and receives routing information In Only This interface recei...

Page 162: ...ters and the underscore and it can be up to eight characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1...

Page 163: ...rt as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection according to the information from your ISP Back Click Back to return to the previous screen Next Click Next to continue...

Page 164: ...be blank Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before...

Page 165: ...order to access it DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP add...

Page 166: ...the static IP address assigned to you by your ISP IP Subnet Mask This field only appears for a PPTP interface It displays the subnet mask assigned to you by your ISP if you entered one Server IP This...

Page 167: ...screen The PPP interface Edit Configuration screen is shown here as an example You can click the Wizard tab instead to configure just the key settings See Section 8 5 on page 162 for details Table 50...

Page 168: ...to enable this interface Clear this to disable this interface Interface Properties Interface Name This field is read only and displays the name of the PPP interface The format is the name of the phys...

Page 169: ...ISP account Password Retype to Confirm Type your password Then re to make sure that you have entered is correctly Service Name This field is optional It displays the PPPoE service name specified in th...

Page 170: ...the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have...

Page 171: ...EIA 95 Slow Fast 2 5G Packet switched GPRS General Packet Radio Services High Speed Circuit Switched Data HSCSD etc CDMA2000 is a hybrid 2 5G 3G protocol of mobile telecommunications standards that u...

Page 172: ...ys the profile of ISP settings that this cellular interface is set to use Add icon This column lets you create edit remove activate and deactivate cellular interfaces To create an interface click the...

Page 173: ...173 8 7 1 Cellular Add Edit Screen To change your 3G settings click Network Interface Cellular Add or Edit In the pop up window that displays select the slot that you want to configure The following s...

Page 174: ...server Zero disables the idle timeout ISP Settings Profile Selection Select Device to use one of the 3G device s profiles of device settings Then select the profile use Profile 1 unless your ISP instr...

Page 175: ...d before the ZyWALL stops routing to the gateway The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the...

Page 176: ...lect auto to have the ZyWALL automatically detect the type of card Band Selection This field appears if you selected a 3G device that allows you to select the type of network to use Select the type of...

Page 177: ...Table 55 Interface Cellular Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen This field is a sequential value and it is not associated with any interface Exte...

Page 178: ...Get signal fail The 3G device cannot get a signal from a network Network found The 3G device found a network Apply config The ZyWALL is applying your configuration to the 3G device Inactive The 3G int...

Page 179: ...IPTV server Figure 141 GRE Tunnel Example You can use tunnel interfaces in configuring Static Routes Policy Routes Zones Trunks Connectivity Checking 8 9 1 Configuring the Tunnel Screen This screen li...

Page 180: ...omain name of the remote gateway to which this interface tunnels traffic Add icon This column lets you create edit remove activate and deactivate interfaces To create a tunnel interface click the Add...

Page 181: ...Clear this to disable this interface Interface Properties Interface Name This field is read only and displays the name used to identify the interface within the ZyWALL Zone Use this field to select t...

Page 182: ...ALL divides it into smaller fragments Allowed values are 576 1500 Usually this value is 1500 Connectivity Check The interface can regularly check the connection to the gateway you specified to make su...

Page 183: ...networks in the same area should use different channels Related Setting Add this interface to TRUNK for WAN load balance Select this option to use the interface as part of a WAN trunk for load balanci...

Page 184: ...option to turn on the wireless LAN It is recommended that you configure the wireless security settings before you use this option to turn on the wireless LAN 802 11 Band Select how wireless clients ca...

Page 185: ...units of MSDUs called Aggregate MSDUs A MSDU The resulting larger MAC frames mean fewer frame headers and gaps between frames to deal with This can improve the efficiency of traffic types that send m...

Page 186: ...the Security Type to none Add icon This column lets you create edit remove activate and deactivate WLAN interfaces To create an interface click the Add icon at the top of the column To activate or de...

Page 187: ...ork Interface WLAN Add No Security The following table describes the general wireless LAN labels in this screen Table 60 Network Interface WLAN Add No Security LABEL DESCRIPTION General Settings Enabl...

Page 188: ...ity types 802 1x Authentication server IEEE 802 1x settings are available when you use no security or WEP security and click Advanced Select the check box to enable wireless user authentication throug...

Page 189: ...number of IP addresses to allocate This number must be at least one and is limited by the interface s Subnet Mask For example if the Subnet Mask is 255 255 255 0 and IP Pool Start Address is 10 10 10...

Page 190: ...e RIP Select this to enable RIP in this interface Direction This field is effective when RIP is enabled Select the RIP direction from the drop down list box BiDir This interface sends and receives rou...

Page 191: ...to stop forwarding OSPF routing information from the selected interface As a result this interface only receives routing information Authentication Select an authentication method or disable authentic...

Page 192: ...WPA PSK WPA2 PSK Security Table 61 Network Interface WLAN Add WEP Security LABEL DESCRIPTION WEP Encryption WEP Wired Equivalent Privacy provides data encryption to prevent unauthorized wireless stat...

Page 193: ...are the same The only difference between the two is that WPA PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters i...

Page 194: ...n the My Certificates screen EAP TTLS Tunneled Transport Layer Service is an extension of the EAP TLS authentication that uses certificates for only the server side authentications to establish a secu...

Page 195: ...ing to have the router allow or deny access to wireless stations based on MAC addresses Disable MAC address filtering to have the router not perform MAC filtering on the wireless stations Association...

Page 196: ...the wireless clients connected to or trying to connect to a IEEE 802 11b g card installed in the ZyWALL To open the station monitor click Network Interface WLAN Station Monitor The screen appears as...

Page 197: ...in XX XX XX XX XX XX format of a connected wireless station Strength This displays the strength of the wireless client s radio signal The signal strength mainly depends on the antenna output power an...

Page 198: ...inside the sales department faster than the router does In addition broadcasts are limited to smaller more logical groups of users Higher security If each computer has a separate physical connection t...

Page 199: ...work Interface VLAN Each field is explained in the following table Table 67 Network Interface VLAN LABEL DESCRIPTION This field is a sequential value and it is not associated with any interface Name T...

Page 200: ...umn The VLAN Add Edit screen appears To create a virtual VLAN interface click the Add icon next to the corresponding VLAN interface The Virtual Interface Add Edit screen appears See Section 8 15 on pa...

Page 201: ...1 Figure 157 Network Interface VLAN Edit Each field is explained in the following table Table 68 Network Interface VLAN Edit LABEL DESCRIPTION General Settings Enable Interface Select this to enable t...

Page 202: ...his interface Subnet Mask This field is enabled if you select Use Fixed IP Address Enter the subnet mask of this interface in dot decimal notation The subnet mask indicates what part of the IP address...

Page 203: ...ddress for the connectivity check Enter that domain name or IP address in the field next to it Check Port This field only displays when you set the Check Method to tcp Specify the port number to use f...

Page 204: ...ify these IP addresses Custom Defined enter a static IP address From ISP select the DNS server that another interface received from its DHCP server ZyWALL the ZyWALL uses the IP address of this interf...

Page 205: ...he destination MAC address in the table If the bridge knows on which port the destination MAC address is located it sends the packet to that port If the destination MAC address is not in the table the...

Page 206: ...routing table when lan1 is added to br0 Virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed 8 14 1 Configuring the Bridge...

Page 207: ...d WLAN interfaces in the bridge interface It is blank for virtual interfaces Add icon This column lets you create edit remove activate and deactivate interfaces To create a bridge interface click the...

Page 208: ...Chapter 8 Interface ZyWALL USG 50 H User s Guide 208 Figure 161 Network Interface Bridge Add...

Page 209: ...this interface is a DHCP client In this case the DHCP server configures the IP address subnet mask and gateway automatically Use Fixed IP Address Select this if you want to specify the IP address sub...

Page 210: ...elds appear if the ZyWALL is a DHCP Server IP Pool Start Address Enter the IP address from which the ZyWALL begins allocating IP addresses If you want to assign a static IP address to a specific compu...

Page 211: ...igns the corresponding IP address Otherwise the ZyWALL assigns the IP address dynamically using the IP Pool Start Address and Pool Size Note You must click OK in the Static DHCP screen and then click...

Page 212: ...t change the MTU The virtual interface uses the same MTU that the underlying interface uses Unlike other interfaces virtual interfaces do not provide DHCP services and they do not verify that the gate...

Page 213: ...55 255 255 because it is a point to point interface For these interfaces you can only enter the IP address IP Address Assignment IP Address Enter the IP address for this interface Subnet Mask Enter th...

Page 214: ...irst entry in the routing table In PPPoE PPTP interfaces the other computer is the gateway for the interface by default In this case you should specify the metric If the interface gets its IP address...

Page 215: ...e DHCP client s MAC address is in the ZyWALL s static DHCP table the interface assigns the corresponding IP address If not the interface assigns IP addresses from a pool defined by the starting addres...

Page 216: ...this way WINS is similar to DNS although WINS does not use a hierarchy unlike DNS A network can have more than one WINS server Samba can also serve as a WINS server PPPoE PPTP Overview Point to Point...

Page 217: ...end the VoIP traffic through a trunk with the interface connected to the VoIP service provider set to active and another interface connected to another ISP set to passive This way VoIP traffic goes th...

Page 218: ...now that the desired file is actually on file server C At the same time register server B informs file server C that a computer located at the WAN1 s IP address will download a file 3 The ZyWALL is us...

Page 219: ...ng index meaning that it is less utilized than WAN 1 the ZyWALL will send the subsequent new session traffic through WAN 2 Weighted Round Robin The Weighted Round Robin WRR algorithm is best suited fo...

Page 220: ...ace when the traffic load exceeds the threshold on the first interface This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface In thi...

Page 221: ...me from a different WAN IP address the file server would deny the request See Link Sticking on page 218 for an example This setting applies when you use load balancing and have multiple WAN interfaces...

Page 222: ...of the connections set to active are down You can only set one of a group s interfaces to passive mode Weight This field displays with the weighted round robin load balancing algorithm Specify the we...

Page 223: ...looping fashion until a queue is empty Add icon This column lets you add remove and move trunk members To add an interface to the trunk click an Add icon The Trunk Member Select screen appears To remo...

Page 224: ...Chapter 9 Trunks ZyWALL USG 50 H User s Guide 224...

Page 225: ...nnect to services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 171 Example of Policy...

Page 226: ...d recommended for TCP and UDP traffic Use policy routes to manage other types of traffic like ICMP traffic and send traffic through VPN tunnels Bandwidth management in policy routes has priority over...

Page 227: ...service desired This allows the intermediary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state in...

Page 228: ...k Routing Policy Route LABEL DESCRIPTION Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL You must enable this setting to have individual policy routes...

Page 229: ...ns the ZyWALL sets the DSCP value of the route s outgoing packets to 0 SNAT This is the source IP address that the route uses It displays none if the ZyWALL does not perform NAT for this route BWM Thi...

Page 230: ...for details Incoming Interface Click Change to select an interface or VPN tunnel through which the incoming packets are received Source Address Select a source IP address object or select Create Objec...

Page 231: ...n the same segment as your ZyWALL s interface s VPN Tunnel This field displays when you select VPN Tunnel in the Type field Select a VPN tunnel through which the packets are sent to the remote network...

Page 232: ...ng rule from the ZyWALL A window displays asking you to confirm that you want to delete the rule In a numbered list click the Move to N icon to display a field to type a number for where you want to p...

Page 233: ...olicy routes OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table 82 Network Routing Policy Route Edit continued LABEL DESCRIPTION Table 83...

Page 234: ...he host ID Subnet Mask Enter the IP subnet mask here Gateway IP Select the radio button and enter the IP address of the next hop gateway The gateway is a router or switch on the same segment as your Z...

Page 235: ...rule for each client computer Port triggering is used especially when the remote server responses using a different port from the port the client computer used to request a service The ZyWALL records...

Page 236: ...maximize bandwidth usage the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment Next the ZyWALL divides up an interface s available bandwidth bandwidth that is unbudgete...

Page 237: ...F Screens Use the RIP screen see Section 11 2 on page 238 to configure the ZyWALL to use RIP to receive and or send routing information Use the OSPF screen see Section 11 3 on page 239 to configure ge...

Page 238: ...nd static routes to the RIP network Costs might be calculated differently however so you use the Metric field to specify the cost in RIP terms RIP uses UDP port 520 Use the RIP screen to specify the a...

Page 239: ...essed as an integer or as an IP address There are several types of areas The backbone is the transit area that routes packets between other areas All other areas are connected to the backbone MD5 Auth...

Page 240: ...l connected to it Area 1 is a normal area It has routing information about the OSPF AS and networks X and Y Area 2 is a stub area It has routing information about the OSPF AS but it depends on a defau...

Page 241: ...ed router DR and a backup designated router BDR All of the routers only exchange information with the DR and the BDR instead of exchanging information with all of the other routers in the group The DR...

Page 242: ...OSPF on the ZyWALL 1 Enable OSPF 2 Set up the OSPF areas 3 Configure the appropriate interfaces See Section 8 4 1 on page 154 4 Set up virtual links as needed 11 3 1 Configuring the OSPF Screen Use t...

Page 243: ...culates the cost associated with routing information from the indicated source Choices are Type 1 and Type 2 Type 1 cost OSPF AS cost external cost Metric Type 2 cost external cost Metric the OSPF AS...

Page 244: ...ext uses a plain text password that is sent over the network not very secure MD5 uses an MD5 password and authentication ID most secure Text Authentication Key This field is available if the Authentic...

Page 245: ...thentication ID of the interface that received it Authentication Select which authentication method to use in the virtual link This authentication protects the integrity but not the confidentiality of...

Page 246: ...ports a default authentication type by area If you want to use this default in an interface or virtual link you set the associated Authentication Type field to Same as Area As a result you only have t...

Page 247: ...oE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 183 Example Zones 12 1 1 W...

Page 248: ...e Internet is inter zone traffic This is the normal case when zone based security and policy settings apply Extra zone Traffic Extra zone traffic is traffic to or from any interface or VPN tunnel that...

Page 249: ...edit zones To edit a zone click the Edit icon next to the zone The Zone Add Edit screen appears Table 92 Network Zone Edit LABEL DESCRIPTION Name This is the name of the zone Block Intra zone Traffic...

Page 250: ...Chapter 12 Zones ZyWALL USG 50 H User s Guide 250...

Page 251: ...nd vice versa Similarly dynamic DNS maps a domain name to a dynamic IP address As a result anyone can use the domain name to contact you in NetMeeting CU SeeMe etc or to access your FTP server or Web...

Page 252: ...configuration for existing domain names and delete domain names To access this screen login to the web configurator When the main screen appears click Network DDNS The following screen appears provid...

Page 253: ...name The ZyWALL uses the backup interface and IP address when the primary interface is disabled its link is down or its ping check fails from interface The IP address comes from the specified interfa...

Page 254: ...the underscore Spaces are not allowed For a Dynu DDNS entry this user name is the one you use for logging into the service not the name recorded in your personal information in the Dynu website Passwo...

Page 255: ...ovider Interface The ZyWALL uses the IP address of the specified interface This option appears when you select a specific interface in the Backup Binding Address Interface field Auto The DDNS server c...

Page 256: ...r changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table 95 Network DDNS Add continued LABEL DESCRIPTION Table 96 Network DDNS Status LABEL DESCRIPTION Profile Name Th...

Page 257: ...lt server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure...

Page 258: ...configured in the ZyWALL entries per page Select how many virtual server entries to display per page in the screen Page x of x This is the number of the page of entries currently displayed and the to...

Page 259: ...al server To edit a virtual server click the Edit icon next to the virtual server The Virtual Server Add Edit screen appears To delete a virtual server click on the Remove icon next to the virtual ser...

Page 260: ...tual server supports a range of destination ports You might use a range of destination ports for unknown services or when one server supports more than one service See Appendix B on page 637 for some...

Page 261: ...o use a domain name to access this virtual server By default this virtual server entry only applies this address mapping to packets coming in from the WAN Or you can click Policy Route to go to the sc...

Page 262: ...AN_EG in the Object Address screen as shown next Figure 193 Create Address Objects Figure 194 Address Objects NAT 1 1 Virtual Server This section sets up a virtual server rule that changes the destina...

Page 263: ...1 21 defined in the LAN_SMTP object In this example the SMTP server also uses port 25 so the Mapped Port is set to 25 The following sections describe how to manually configure corresponding policy rou...

Page 264: ...ful of where you create the route as routes are ordered in descending priority Figure 198 Create a Policy Route NAT 1 1 Firewall Rule Create a firewall rule to allow access from the WAN zone to the ma...

Page 265: ...address to the private IP address of a LAN1 SMTP mail server to allow users to access the SMTP mail server from the WAN LAN1 users can also use an IP address to access the mail server However you nee...

Page 266: ...ack Virtual Server Click Network Virtual Server and the symbol and create the virtual server rule as shown next This virtual server rule is the same as in NAT 1 1 Virtual Server on page 262 except you...

Page 267: ...nfigure a policy route to use the IP address of the ZyWALL s LAN1 interface 192 168 1 1 as the source address of the traffic going to the LAN1 SMTP server from the LAN1 users This way the LAN1 SMTP se...

Page 268: ...P address and the ZyWALL changes the source address to 1 1 1 1 before sending it to the LAN1 user s computer The source in the return traffic matches the original destination address 1 1 1 1 and the L...

Page 269: ...nected to the lan1 zone wants to open a web page its HTTP request is redirected to proxy server A first If proxy server A cannot find the web page in its cache a policy route allows it to access the I...

Page 270: ...rules first and forwards HTTP traffic to a proxy server if matched You need to make sure there is no firewall rule s blocking the HTTP requests from the client to the proxy server You also need to man...

Page 271: ...of a rule Interface This is the interface on which the request must be received Proxy Server This is the IP address of the proxy server Port This is the service port number used by the proxy server A...

Page 272: ...y use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select the interface on which the HTTP request must be rece...

Page 273: ...rnet H 323 A teleconferencing protocol suite that provides audio data and video conferencing FTP File Transfer Protocol an Internet file transfer service The following example shows SIP signaling 1 an...

Page 274: ...through NAT or routing Examples would be calls between LAN IP addresses that are on the same subnet The H 323 ALG allows calls to go out through NAT For example you could make a call from a private IP...

Page 275: ...orward the return traffic for the calls initiated from the LAN IP addresses For example you configure the firewall and virtual server to allow LAN IP address A to receive calls from the Internet throu...

Page 276: ...IP Addresses Finding Out More See Section 5 4 16 on page 89 for related information on these screens See Section 6 9 on page 124 for a tutorial showing how to use the ALG for peer to peer H 323 traffi...

Page 277: ...ffic before dropping it If no voice packets go through the SIP ALG before the timeout period expires the ZyWALL deletes the audio session You cannot hear anything and you will need to make a new call...

Page 278: ...a H 323 device or server that will modify IP addresses and port numbers embedded in the H 323 data payload H 323 Signaling Port If you are using a custom TCP port number not 1720 for H 323 traffic ent...

Page 279: ...ds to the server for uploading and downloading files H 323 H 323 is a standard teleconferencing protocol suite that provides audio data and video conferencing It allows for real time point to point an...

Page 280: ...Chapter 16 ALG ZyWALL USG 50 H User s Guide 280...

Page 281: ...s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with another MAC address Figure 215 IP MAC Binding Example 17 1 1 Wha...

Page 282: ...owing table describes the labels in this screen 17 2 1 IP MAC Binding Edit Click Network IP MAC Binding Edit to open the IP MAC Binding Edit screen Use this screen to configure an interface s IP to MA...

Page 283: ...resses Enable Logs for IP MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the ZyWALL St...

Page 284: ...erface within the ZyWALL and the interface s IP address and subnet mask IP Address Enter the IP address that the ZyWALL is to assign to a device with the entry s MAC address MAC Address Enter the MAC...

Page 285: ...window displays asking you to confirm that you want to delete it Apply Click Apply to save your changes back to the ZyWALL Table 105 Network IP MAC Binding Exempt List continued LABEL DESCRIPTION Tab...

Page 286: ...Chapter 17 IP MAC Binding ZyWALL USG 50 H User s Guide 286...

Page 287: ...287 PART III Firewall Firewall 289...

Page 288: ...288...

Page 289: ...nitiated from the WAN or DMZ zone and destined for the LAN1 zone is blocked Communications between the WAN and the DMZ zones are allowed The firewall allows VPN traffic between any of the networks Fig...

Page 290: ...ewall rule is allowed This includes traffic to or from interfaces or VPN tunnels that are not assigned to any zone extra zone traffic From WAN to LAN Traffic from the WAN to the LAN is denied From WAN...

Page 291: ...ZyWALL source IP address destination IP address and IP protocol type of network traffic against the firewall rules in the order you list them When the traffic matches a rule the ZyWALL takes the actio...

Page 292: ...fy a schedule since you need the firewall rule to always be in effect The following figure shows the results of this rule Figure 222 Blocking All LAN to WAN IRC Traffic Example Your firewall would hav...

Page 293: ...omputer 192 168 1 7 for example to go to any destination address You do not need to specify a schedule since you want the firewall rule to always be in effect The following figure shows the results of...

Page 294: ...eck any other firewall rules 18 1 4 Firewall Rule Configuration Example The following Internet firewall rule example allows a hypothetical MyService from the WAN to IP addresses 192 168 1 10 through 1...

Page 295: ...ress Object 4 Select Create Object in the Service drop down list box 5 The screen for configuring a service object opens Configure it as follows and click OK Figure 227 Firewall Example Create a Servi...

Page 296: ...ll Example MyService Example Rule in Summary 18 2 The Firewall Screen Asymmetrical Routes If an alternate gateway on LAN1 has an IP address in the same subnet as the ZyWALL s LAN1 IP address return tr...

Page 297: ...s the packet to gateway A which is in Subnet 2 3 The reply from the WAN goes to the ZyWALL 4 The ZyWALL then sends it to the computer on LAN1 in Subnet 1 Figure 230 Using Virtual Interfaces to Avoid A...

Page 298: ...e LAN without passing through the ZyWALL A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets From Zone To Zone This is the direction of travel o...

Page 299: ...or user group name to which this firewall rule applies Source This displays the source address object to which this firewall rule applies Destination This displays the destination address object to wh...

Page 300: ...rule Select a user name or user group to which to apply the rule Select Create Object to configure a new user account see Section 28 2 1 on page 446 for details The firewall rule is activated only whe...

Page 301: ...ether to have the ZyWALL generate a log log log and alert log alert or not no when the rule is matched See Chapter 38 on page 563 for more on logs OK Click OK to save your customized settings and exit...

Page 302: ...rule on the ZyWALL Click the Add icon in an entry to add a rule below the current entry Click the Remove icon to delete an existing rule from the ZyWALL A window displays asking you to confirm that y...

Page 303: ...address should be within the IP address range Address Select a source address or address group for whom this rule applies Select Create Object to configure a new one Select any if the policy is effect...

Page 304: ...Chapter 18 Firewall ZyWALL USG 50 H User s Guide 304...

Page 305: ...305 PART IV VPN IPSec VPN 307 SSL VPN 341 SSL User Screens 349 SSL User Application Screens 357 L2TP VPN 363 L2TP VPN Example 369...

Page 306: ...306...

Page 307: ...d authentication at the IP layer The following figure is an example of an IPSec VPN tunnel Figure 235 IPSec VPN Example The VPN tunnel connects the ZyWALL X and the remote peer IPSec router Y These ro...

Page 308: ...ablishes an Internet Key Exchange IKE SA between the ZyWALL and remote IPSec router The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router...

Page 309: ...outer can also initiate the VPN tunnel if this ZyWALL has a static IP address or a domain name Choose this if the remote IPSec router has a dynamic IP address You don t specify the remote IPSec router...

Page 310: ...nticate each other Make sure the ZyWALL and the remote IPSec router will trust each other s certificates See Chapter 34 on page 489 19 2 The VPN Connection Screen Click VPN IPSec VPN to open the VPN C...

Page 311: ...number to go to or use the arrows to navigate the pages of entries This field is a sequential value and it is not associated with a specific connection Name This field displays the name of the IPSec...

Page 312: ...creen allows you to create a new VPN connection policy or edit an existing one To access this screen go to the VPN Connection screen see Section 19 2 on page 310 and click either the Add icon or an Ed...

Page 313: ...Chapter 19 IPSec VPN ZyWALL USG 50 H User s Guide 313 Figure 238 VPN IPSec VPN VPN Connection Edit IKE...

Page 314: ...er can initiate the VPN tunnel Remote Access Server Role Choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users Only...

Page 315: ...bit key with the DES encryption algorithm 3DES a 168 bit key with the DES encryption algorithm AES128 a 128 bit key with the AES encryption algorithm AES192 a 192 bit key with the AES encryption algor...

Page 316: ...ures allowed before the ZyWALL disconnects the VPN tunnel The ZyWALL resumes using the first peer gateway address when the VPN connection passes the connectivity check Check this Address Select this t...

Page 317: ...tial value and it is not associated with a specific NAT record However the order of records is the sequence in which conditions are checked and executed Original IP Select the address object that repr...

Page 318: ...y This is useful if you have problems with IKE key management To access this screen go to the VPN Connection summary screen see Section 19 2 on page 310 and click either the Add icon or an existing ma...

Page 319: ...tion Active Protocol Select which protocol you want to use in the IPSec SA Choices are AH RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not en...

Page 320: ...as listed above The remote IPSec router must have the same encryption key The ZyWALL ignores any characters above the minimum number of characters required by the algorithm For example if you enter 12...

Page 321: ...alue and it is not associated with a specific VPN gateway Name This field displays the name of the VPN gateway My address This field displays the interface or a domain name the ZyWALL uses for the VPN...

Page 322: ...er This value is case sensitive Gateway Settings My Address Select how the IP address of the ZyWALL in the IKE SA is defined If you select Interface select the Ethernet interface VLAN interface virtua...

Page 323: ...remote IPsec router If this certificate is signed by a CA the remote IPsec router must trust that CA Note The IPSec routers must trust each other s certificates The ZyWALL uses one of its Trusted Cert...

Page 324: ...rnative name field see the note at the end of this description DNS subject alternative name field E mail subject alternative name field Subject Name subject name maximum 255 ASCII characters including...

Page 325: ...are one or more NAT routers between the ZyWALL and remote IPSec router and these routers do not support IPSec pass thru or a similar feature The remote IPSec router must also enable NAT traversal and...

Page 326: ...n occasionally maintenance for example There is also more burden on the hub router It receives VPN traffic from one spoke decrypts it inspects it to find out to which spoke to route it encrypts it and...

Page 327: ...ble Table 121 VPN IPSec VPN Concentrator LABEL DESCRIPTION Name This field displays the name of the VPN concentrator Add icon This column provides icons to add edit and remove VPN concentrators To add...

Page 328: ...entrator and click the right arrow button to add them The VPN concentrator s member VPN connections appear on the right Select any VPN connections that you want to remove from the VPN concentrator and...

Page 329: ...he arrows to navigate the pages of entries This field is a sequential value and it is not associated with a specific SA Name This field displays the name of the IPSec SA Encapsulation This field displ...

Page 330: ...remote IPSec router You can usually enter a static IP address or a domain name for either or both IP addresses Sometimes your ZyWALL might offer another alternative such as using the IP address of a p...

Page 331: ...tes three times with three separate keys effectively tripling the strength of DES Advanced Encryption Standard AES is a newer method of data encryption that also uses a secret key AES applies a 128 bi...

Page 332: ...r identities In main mode the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6 as illustrated below The identities are also encrypted using the encryption algorithm and encrypti...

Page 333: ...essfully In contrast in Table 125 on page 333 the ZyWALL and the remote IPSec router cannot authenticate each other and therefore cannot establish an IKE SA It is also possible to configure the ZyWALL...

Page 334: ...ng example there is another router A between router X and router Y Figure 250 VPN NAT Example If router A does NAT it might change the IP addresses port numbers or both If router X and router Y try to...

Page 335: ...certificates provide this information instead Instead of using the pre shared key the ZyWALL and remote IPSec router check the signatures on each other s certificates Unlike pre shared keys the signa...

Page 336: ...ol The active protocol controls the format of each packet It also specifies how much of each packet is protected by the encryption and authentication algorithms IPSec VPN includes two active protocols...

Page 337: ...similar to an IKE SA proposal see IKE SA Proposal on page 330 except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec...

Page 338: ...he authentication key the ZyWALL and remote IPSec router use The ZyWALL and remote IPSec router must use the same encryption key and authentication key Authentication and the Security Parameter Index...

Page 339: ...M s network Destination the original destination address the remote network B SNAT the translated source address the local network A Source Address in Inbound Packets Inbound Traffic Source NAT You ca...

Page 340: ...rotocol TCP UDP or both used by the service requesting the connection Original Port the original destination port or range of destination ports in Figure 252 on page 339 it might be port 25 for SMTP T...

Page 341: ...e SSL VPN connections and delete an active connection Use the Click VPN SSL VPN Global Setting screen see Section 20 4 on page 346 to set the IP address of the ZyWALL or a gateway device on your netwo...

Page 342: ...cy To delete the object you must first unassociate the object from the SSL access policy Web Mail File Share Web based Application https Application Server Non Web LAN 192 168 1 X 192 168 1 100 Table...

Page 343: ...N Access Privilege LABEL DESCRIPTION This field displays the index number of the entry Name This field displays the descriptive name of the SSL access policy for identification purposes User Group Thi...

Page 344: ...this SSL access policy Name Enter a descriptive name to identify this policy You can enter up to 15 characters a z A Z 0 9 with no spaces allowed Join SSL_VPN Zone Select this check box to add the SS...

Page 345: ...ion Select this option to create a VPN tunnel between the authenticated users and the internal network This allows the users to access the resources on the network as if they were on the same local ne...

Page 346: ...e remote user screen Table 129 VPN SSL VPN Connection Monitor LABEL DESCRIPTION This field displays the index number User This field displays the account user name used to establish this SSL VPN conne...

Page 347: ...0 9 with spaces allowed Update Client Virtual Desktop Logo You can upload a graphic logo to be displayed on the web browser on the remote user computer The ZyXEL company logo is the default logo Speci...

Page 348: ...graphic Make sure the file is in GIF JPG or PNG format 3 Click Apply to start the file transfer process 4 Log in as a user to verify that the new logo displays properly The following shows an example...

Page 349: ...Methods As a remote user you can access resources on the local network using a supported web browser Once you have successfully logged in through the ZyWALL you can access any intranet site web based...

Page 350: ...LL or your network administrator Refer to Appendix C on page 641 for more information Finding Out More See Chapter 20 on page 341 for how to configure SSL VPN on the ZyWALL 21 2 Remote User Login This...

Page 351: ...ts establishing a secure connection to the ZyWALL after a successful login This may take up to two minutes If you get a message about needing Java download and install it and restart your browser and...

Page 352: ...have to click some pop ups to get your browser to allow the installation Figure 264 ActiveX Object Installation Blocked by Browser 6 The ZyWALL tries to install the SecuExtender client You may need to...

Page 353: ...allow this In Internet Explorer click Run Figure 266 SecuExtender Progress 8 Click Next to use the setup wizard to install the SecuExtender client on your computer Figure 267 SecuExtender Progress 9...

Page 354: ...r screens Figure 269 Remote User Screen The following table describes the various parts of a remote user screen 2 3 4 5 1 6 Table 131 Remote User Screen Overview DESCRIPTION 1 This menu identifies the...

Page 355: ...e default name in the Name field or enter a descriptive name to identify this link 3 Click OK to create a bookmark in your web browser Figure 270 Add Favorite 21 5 Logging Out of the SSL VPN User Scre...

Page 356: ...Chapter 21 SSL User Screens ZyWALL USG 50 H User s Guide 356...

Page 357: ...me field displays the descriptive name for an application The Type field shows that the application is for accessing a web site a Weblink To access a web site represented by a weblink simply click a l...

Page 358: ...Chapter 22 SSL User Application Screens ZyWALL USG 50 H User s Guide 358...

Page 359: ...SecuExtender Icon The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel s connection status Figure 274 ZyWALL SecuExtender Icon Red the SSL VPN tunnel is not connected You cannot connect to...

Page 360: ...ess of a computer before you can access it Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection WINS Server 1 2 These are th...

Page 361: ...All Programs ZyXEL ZyWALL SecuExtender Uninstall 2 In the confirmation screen click Yes 2009 03 12 13 35 50 SecuExtender Agent DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExten...

Page 362: ...23 ZyWALL SecuExtender ZyWALL USG 50 H User s Guide 362 Figure 277 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender Figure 278 ZyWALL SecuExtender Uninsta...

Page 363: ...e Section 24 3 on page 366 to display and manage the ZyWALL s connected L2TP VPN sessions 24 1 2 What You Need to Know About L2TP VPN The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link...

Page 364: ...t type and an IP address of 0 0 0 0 Use this address object in the remote policy You must also edit the Default_L2TP_VPN_GW gateway entry Configure the My Address setting according to your requirement...

Page 365: ...on the ZyWALL uses for L2TP VPN All of the configured VPN connections display here but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN on page 363 Note M...

Page 366: ...these IP addresses two ways Custom Defined enter a static IP address From ISP use the IP address of a DNS server that another interface received from its DHCP server First WINS Server Second WINS Ser...

Page 367: ...H User s Guide 367 Disconnect Click the Disconnect icon next to an L2TP VPN connection to disconnect it Refresh Click Refresh to update the information in the display Table 134 VPN L2TP VPN Session Mo...

Page 368: ...Chapter 24 L2TP VPN ZyWALL USG 50 H User s Guide 368...

Page 369: ...ternet You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192 168 10 10 to 192 168 10 20 for use in the L2TP VPN tunnel The VPN rule allows the remote...

Page 370: ...elect Pre Shared Key and configure a password This example uses top secret Click OK 2 Click the Default_L2TP_VPN_GW entry s Enable icon and click Apply to turn on the entry Figure 285 VPN IPSec VPN VP...

Page 371: ...ntains the My Address IP address that you configured in the Default_L2TP_VPN_GW The address object in this example uses the wan1 interface s IP address 172 16 1 2 and is named L2TP_IFACE For the Remot...

Page 372: ...VPN connection Configure an IP address pool for the range of 192 168 10 10 to 192 168 10 20 It is called L2TP_POOL here This example uses the default authentication method the ZyWALL s local user data...

Page 373: ...Windows XP and 2000 The following sections cover how to configure L2TP in remote user computers using Windows XP and Windows 2000 The example settings in these sections go along with the L2TP VPN con...

Page 374: ...come screen 3 Select Connect to the network at my workplace and click Next Figure 290 New Connection Wizard Network Connection Type 4 Select Virtual Private Network connection and click Next Figure 29...

Page 375: ...Connection Name 6 Select Do not dial the initial connection and click Next Figure 293 New Connection Wizard Public Network 7 Enter the domain name or WAN IP address configured as the My Address in th...

Page 376: ...376 Figure 294 New Connection Wizard VPN Server Selection 8 Click Finish 9 The Connect L2TP to ZyWALL screen appears Click Properties Security Figure 295 Connect L2TP to ZyWALL 10 Click Security selec...

Page 377: ...L2TP to ZyWALL Security 11 Select Optional encryption connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Cl...

Page 378: ...x and enter the pre shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN Click OK Figure 299 L2TP to ZyWALL Properties Security IPSec Settings 14 Click Networking Sel...

Page 379: ...L2TP range you specified on the ZyWALL 192 168 10 10 192 168 10 20 Figure 303 ZyWALL L2TP Status Details 19 Access a server or other network resource behind the ZyWALL to make sure your access works 2...

Page 380: ...ile and save a backup copy of your registry You can go back to using this backup if you misconfigure the registry settings 3 Select HKEY_LOCAL_MACHINE System CurrentControlSet Services Rasman Parame t...

Page 381: ...the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer use these directions to configure an IPSec policy for the computer to use 1 Click Start Run Type mmc...

Page 382: ...re 310 Add IP Security Policy Management Finish 4 Right click IP Security Policies on Local Machine and click Create IP Security Policy Click Next in the welcome screen Figure 311 Create IP Security P...

Page 383: ...Policy Name 6 Clear the Activate the default response rule check box and click Next Figure 313 IP Security Policy Request for Secure Communication 7 Leave the Edit Properties check box selected and c...

Page 384: ...4 8 In the properties dialog box click Add Next Figure 315 IP Security Policy Properties Add 9 Select This rule does not specify a tunnel and click Next Figure 316 IP Security Policy Properties Tunnel...

Page 385: ...uide 385 Figure 317 IP Security Policy Properties Network Type 11 Select Use this string to protect the key exchange preshared key type password in the text box and click Next Figure 318 IP Security P...

Page 386: ...erties IP Filter List Add 14 Configure the following in the Addressing tab Select My IP Address in the Source address drop down list box Select A specific IP Address in the Destination address drop do...

Page 387: ...Properties Addressing 15 Configure the following in the Filter Properties window s Protocol tab Set the protocol type to UDP from port 1701 Select To any port Click Apply OK and then Close Figure 322...

Page 388: ...curity Policy Properties IP Filter List 17 Select Require Security and click Next Then click Finish and Close Figure 324 IP Security Policy Properties IP Filter List 18 In the Console window right cli...

Page 389: ...Settings Network and Dial up connections Make New Connection In the wizard welcome screen click Next Figure 326 Start New Connection Wizard 2 Select Connect to a private network through the Internet...

Page 390: ...ure 328 New Connection Wizard Destination Address 4 Select For all users and click Next Figure 329 New Connection Wizard Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish F...

Page 391: ...curity and select Advanced custom settings and click Settings Figure 332 Connect L2TP to ZyWALL Security 8 Select Optional encryption allowed connect even if no encryption and the Allow these protocol...

Page 392: ...urity Advanced 9 Click Networking and select Layer 2 Tunneling Protocol L2TP from the drop down list box Click OK Figure 334 Connect L2TP to ZyWALL Networking 10 Enter your user name and password and...

Page 393: ...ick it to open a status screen Figure 336 ZyWALL L2TP System Tray Icon 12 Click Details and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL 192 168...

Page 394: ...Chapter 25 L2TP VPN Example ZyWALL USG 50 H User s Guide 394...

Page 395: ...395 PART V Application Patrol Application Patrol BWM 397...

Page 396: ...396...

Page 397: ...s Use the General summary screen see Section 26 2 on page 405 to enable and disable application patrol and bandwidth management Use the Common Instant Messenger Peer to Peer VoIP and Streaming see Sec...

Page 398: ...on information Your custom policies take priority over the policy s default settings Classification of Applications There are two ways the ZyWALL can identify the application The first is called auto...

Page 399: ...tion responder to the connection initiator For example a LAN1 to WAN connection is initiated from LAN1 and goes to the WAN Outbound traffic goes from a LAN1 zone device to a WAN zone device Bandwidth...

Page 400: ...ndwidth usage allows applications with maximize bandwidth usage enabled to borrow any unused bandwidth on the out going interface After each application gets its configured bandwidth rate the ZyWALL u...

Page 401: ...ts its configured rate of 300 kbps and server B gets its configured rate of 200 kbps Then the ZyWALL divides the remaining bandwidth 1000 500 500 equally between the two 500 2 250 kbps for each The pr...

Page 402: ...an ADSL device with a 8 Mbps downstream and 1 Mbps upstream ADSL connection The following sections give some simplified examples of using application patrol policies to manage applications competing f...

Page 403: ...limit before sending the traffic to the WAN Inbound traffic to the LAN and DMZ from the WAN is also limited to 200 kbps The ZyWALL applies this limit before sending the traffic to LAN or DMZ Highest...

Page 404: ...connection supports this Second highest priority 2 Set policies for other applications except SIP to lower priorities so the local users HTTP traffic gets sent before non SIP traffic Enable maximize...

Page 405: ...tbound and inbound traffic to 50 Mbps Fourth highest priority 4 Disable maximize bandwidth usage since you do not want to give FTP more bandwidth Figure 345 FTP LAN to DMZ Bandwidth Management Example...

Page 406: ...l policies apply bandwidth management This same setting also appears in the Network Routing Policy Route screen Enabling or disabling it in one screen also enables or disables it in the other screen E...

Page 407: ...DESCRIPTION This field is a sequential value and it is not associated with a specific application Service This field displays the name of the application Default Access This field displays what the Zy...

Page 408: ...it is not associated with a specific condition Note The ZyWALL checks conditions in the order they appear in the list While this sequence does not affect the functionality you might improve the perfor...

Page 409: ...und bandwidth in kilobits per second this policy allows the application to use Outbound refers to the traffic the ZyWALL sends out from a connection s initiator If no displays here this policy does no...

Page 410: ...n page 446 for details Select any to apply the policy for every user From Select the source zone of the traffic to which this policy applies To Select the destination zone of the traffic to which this...

Page 411: ...gement Configure these fields to set the amount of bandwidth the application can use These fields only apply when Access is set to forward You must also enable bandwidth management in the main applica...

Page 412: ...er the number the higher the priority The ZyWALL gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority The ZyWALL uses a fairness based ro...

Page 413: ...displays the policy is effective for every source Destination This is the destination address or address group for whom this policy applies If any displays the policy is effective for every destinatio...

Page 414: ...traffic with a lower priority The ZyWALL ignores this number if the incoming and outgoing limits are both set to 0 In this case the traffic is automatically treated as being set to the lowest priority...

Page 415: ...the policy for every user From Select the source zone of the traffic to which this policy applies To Select the destination zone of the traffic to which this policy applies Access This field controls...

Page 416: ...d this policy allows the traffic to use Outbound refers to the traffic the ZyWALL sends out from a connection s initiator If you enter 0 here this policy does not apply bandwidth management for the ma...

Page 417: ...atistics The middle of the AppPatrol BWM Statistics screen displays a bandwidth usage line graph for the selected protocols OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to e...

Page 418: ...s incoming bandwidth usage This is the protocol s traffic that the ZyWALL sends to the initiator of the connection A dotted line represents a protocol s outgoing bandwidth usage This is the protocol...

Page 419: ...s is how much of the application s traffic the ZyWALL has discarded without notifying the client in kilobytes This traffic was dropped because it matched an application policy set to drop Rejected Dat...

Page 420: ...s out from the initiator of the connection So for a connection initiated from the LAN to the WAN the traffic sent from the LAN to the WAN is the outbound traffic Forwarded Data KB This is how much of...

Page 421: ...421 PART VI Anti X ADP 423...

Page 422: ...422...

Page 423: ...ly rules look for abnormal behavior or events such as port scanning sweeping or network flooding It operates at OSI layer 2 and layer 3 Traffic anomaly rules may be updated when you upload new firmwar...

Page 424: ...ections Figure 355 Anti X ADP General The following table describes the screens in this screen Table 147 Anti X ADP General LABEL DESCRIPTION General Settings Enable Anomaly Detection Select this chec...

Page 425: ...ing entry from the ZyWALL A window displays asking you to confirm that you want to delete the entry Note that subsequent entries move up by one when you take this action In a numbered list click the M...

Page 426: ...from a computer on one LAN subnet to a computer on another LAN subnet via the ZyWALL s LAN zone interfaces The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on th...

Page 427: ...tisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a rule Table 149 Base Pro...

Page 428: ...rules and then edit the default log options and actions 27 3 4 Traffic Anomaly Profiles The traffic anomaly screen is the second screen in an ADP profile Traffic anomaly detection looks for abnormal...

Page 429: ...Chapter 27 ADP ZyWALL USG 50 H User s Guide 429 Figure 359 Profiles Traffic Anomaly...

Page 430: ...t traffic anomaly attacks will be detected however you will have more logs and false positives Block Period Specify for how many seconds the ZyWALL blocks all packets from being sent to the victim des...

Page 431: ...col Anomaly Configuration In the Anti X ADP Profile screen click the Edit icon or click the Add icon and choose a base profile then select the Protocol Anomaly tab If you made changes to other screens...

Page 432: ...Chapter 27 ADP ZyWALL USG 50 H User s Guide 432 Figure 360 Profiles Protocol Anomaly...

Page 433: ...ame123456789012 HTTP Inspection TCP Decoder UDP Decoder ICMP Decoder Name This is the name of the protocol anomaly rule Click the Name column heading to sort in ascending or descending order according...

Page 434: ...n services This may be used to evade intrusion detection These are distributed port scan types TCP Distributed Portscan UDP Distributed Portscan IP Distributed Portscan Port Sweeps Many different conn...

Page 435: ...l hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If an attacker A spoofs the source IP address of the ICMP echo request pack...

Page 436: ...rs flood SYN packets into a network with a spoofed source IP address of the network itself This makes it appear as if the computers in the network sent the packets to themselves so the network is unav...

Page 437: ...t information or privileges from a web server DIRECTORY TRAVERSAL ATTACK This rule normalizes directory traversals and self referential directories So abc this_is_not_a_real_dir xyz get normalized to...

Page 438: ...sitives than the directory option because it doesn t alert on directory traversals that stay within the web server directory structure It only alerts when the directory traversals go past the web serv...

Page 439: ...This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP address header length This may cause some applications to crash TRUNCATED HEADER ATTACK This is when an ICM...

Page 440: ...Chapter 27 ADP ZyWALL USG 50 H User s Guide 440...

Page 441: ...441 PART VII Objects User Group 443 Addresses 457 Services 463 Schedules 469 AAA Server 475 Authentication Method 485 Certificates 489 SSL Application 507...

Page 442: ...442...

Page 443: ...28 4 on page 449 controls default settings login settings lockout settings and other user settings for the ZyWALL You can also use this screen to specify when users must log in to the ZyWALL before it...

Page 444: ...xt User using the local database the attempt always fails Once an Ext User user has been authenticated the ZyWALL tries to get the user type see Table 154 on page 443 from the external server If the e...

Page 445: ...ware login example Forced User Authentication Instead of making users for which user aware policies have been configured go to the ZyWALL Login screen manually you can configure the ZyWALL to display...

Page 446: ...unt settings used for BOB not bob User names have to be different than user group names Reserved user names are listed in the following table Table 155 Object User Group LABEL DESCRIPTION This field i...

Page 447: ...ser this user has access to the ZyWALL s services but cannot look at the configuration Guest this user has access to the ZyWALL s services but cannot look at the configuration Ext User this user accou...

Page 448: ...ires Reauthentication Time Type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again You can specify 1 to 1440 minutes You can enter 0 to ma...

Page 449: ...Group Group Add LABEL DESCRIPTION Name Type the name for this user group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case...

Page 450: ...default settings You can still manually configure any user account s authentication timeout settings User Type These are the kinds of user account the ZyWALL supports admin this user can look at and c...

Page 451: ...once the User idle timeout has been reached User idle timeout This is applicable for access users This field is effective when Enable user idle detection is checked Type the number of minutes each acc...

Page 452: ...plies Source This field displays the source address object of traffic to which this condition applies It displays any if this condition applies to traffic from all source addresses Destination This fi...

Page 453: ...User this user has access to the ZyWALL s services but cannot look at the configuration Guest this user has access to the ZyWALL s services but cannot look at the configuration Ext User this user acco...

Page 454: ...to be active Description Enter a description for this condition It can be up to 60 printable ASCII characters long Authentication Select whether users must log in force or whether users do not have to...

Page 455: ...yWALL sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 28 2 1 on page 446 Lease time field in the Setting...

Page 456: ...web configurator to create the accounts Extract the user names from the LDAP or RADIUS server and create a shell script that creates the user accounts See Chapter 37 on page 553 for more information a...

Page 457: ...used in dynamic routes firewall rules application patrol and VPN connection policies Please see the respective sections for more information about how address objects and address groups are used in ea...

Page 458: ...plays the configured name of each address object Type This field displays the type of each address object INTERFACE means the object uses the settings of one of the ZyWALL s interfaces Address This fi...

Page 459: ...is field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only available if the Addre...

Page 460: ...ach address group Description This field displays the description of each address group if any Add icon This column provides icons to add edit and remove address groups To add an address group click t...

Page 461: ...d click the right arrow to add them to the member list Member This field displays the names of the address and address group objects that have been added to the address group The order of members is n...

Page 462: ...Chapter 29 Addresses ZyWALL USG 50 H User s Guide 462...

Page 463: ...and more complex Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some uses are DHCP DNS RIP and SNMP TCP creates connections between computers to exchange data O...

Page 464: ...ules for each service Service groups may consist of services and other service groups The sequence of members in the service group is not important Finding Out More See Section 5 5 on page 89 for rela...

Page 465: ...ith a specific service Name This field displays the name of each service Content This field displays a description of each service Add icon This column provides icons to add edit and remove services T...

Page 466: ...This field appears if the IP Protocol is ICMP Type Select the ICMP message used by this service This field displays the message text not the message number IP Protocol Number This field appears if the...

Page 467: ...roup click on the Remove icon next to the service group The web configurator confirms that you want to delete the service group Table 171 Object Service Service Group continued LABEL DESCRIPTION Table...

Page 468: ...WALL USG 50 H User s Guide 468 OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 172 Object Service Service Group Edit conti...

Page 469: ...create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 31 2 2 on page 472 to create or edit a recurring schedule 31 1 2 What You Need to Know About Schedules One time S...

Page 470: ...click the Add icon at the top of the column The Schedule Add Edit screen appears To edit a schedule click the Edit icon next to the schedule The Schedule Add Edit screen appears To delete a schedule...

Page 471: ...refer to the one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time Start Type the year mo...

Page 472: ...175 Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the f...

Page 473: ...Days Select each day of the week the recurring schedule is effective OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 175...

Page 474: ...Chapter 31 Schedules ZyWALL USG 50 H User s Guide 474...

Page 475: ...Figure 385 Example Directory Service Client and Server The following describes the user authentication procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The ZyWALL...

Page 476: ...ZyWALL s web configurator or network access users logging into the network through the ZyWALL You can also use the local user database to authenticate VPN users Directory Service LDAP AD LDAP Lightwei...

Page 477: ...s that have the same parent DN cn domain1 com ou Sales o MyCompany in the following examples cn domain1 com ou Sales o MyCompany c US cn domain1 com ou Sales o MyCompany c JP Base DN A base DN specifi...

Page 478: ...pecify the bind DN for logging into the LDAP server Enter up to 63 alphanumerical characters For example cn zywallAdmin specifies zywallAdmin as the user name Password If required enter the password u...

Page 479: ...tive Directory or LDAP Group to display the Active Directory or LDAP Group screen Figure 389 Object AAA Server Active Directory or LDAP Group The following table describes the labels in this screen 32...

Page 480: ...es to log into the AD or LDAP server s Base DN Specify the top level directory in the directory For example o ZyXEL c US CN Identifier Specify the unique common name that uniquely identifies a record...

Page 481: ...IP address in dotted decimal notation or the domain name up to 63 alphanumeric characters of a RADIUS server Authentication Port The default port of the RADIUS server for authentication is 1812 You ne...

Page 482: ...Group The following table describes the labels in this screen 32 5 1 Adding a RADIUS Server Member Click Object AAA Server RADIUS Group to display the RADIUS Group screen Click the Add icon or an Edit...

Page 483: ...the RADIUS server In this case user authentication fails Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down Host Members The ordering of th...

Page 484: ...Chapter 32 AAA Server ZyWALL USG 50 H User s Guide 484...

Page 485: ...ction 33 3 on page 487 to create a new authentication method object Finding Out More See Section 6 6 3 on page 115 for an example of how to set up user authentication using a radius server 33 1 2 Befo...

Page 486: ...on method objects Figure 395 Object Auth Method The following table describes the labels in this screen Table 182 Object Auth Method LABEL DESCRIPTION This field displays the index number Method Name...

Page 487: ...List drop down list box 6 You can add up to four server objects to the table The ordering of the Method List column is important The ZyWALL authenticates the users using the databases in the local us...

Page 488: ...n the AAA Server screen see Chapter 32 on page 475 for more information The ZyWALL authenticates the users using the databases in the local user database or the external authentication server in the o...

Page 489: ...hentication each host has two keys One key is public and can be made openly available The other key is private and must be kept secure These keys work like a handwritten signature in fact certificates...

Page 490: ...ory server s list of revoked certificates The framework of servers software procedures and policies that handles keys is called PKI public key infrastructure Advantages of Certificates Certificates of...

Page 491: ...ny programs use text files by default Finding Out More See Section 5 5 on page 89 for related information on these screens See Section 34 4 on page 505 for certificate background information 34 1 3 Ve...

Page 492: ...open the My Certificates screen This is the ZyWALL s summary list of certificates and certification requests Figure 399 Object Certificate My Certificates The following table describes the labels in...

Page 493: ...ying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates this...

Page 494: ...rtificate It is recommended that each certificate have unique subject information Common Name Select a radio button to identify the certificate s owner by IP address domain name or e mail address Type...

Page 495: ...ately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate You must have the certification authority s certificate already imported i...

Page 496: ...You can use this screen to view in depth certificate information and change the certificate s name Request Authentication When you select Create a certification request and enroll for a certificate i...

Page 497: ...splay the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have imported as a trusted certificatio...

Page 498: ...ion request Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the ZyWALL uses RSA encryption and the length of the key set in bits 1024 bits...

Page 499: ...the File Download screen The Save As screen opens browse to the location that you want to use and click Save Export Certificate Only Use this button to save a copy of the certificate without its priv...

Page 500: ...ord that was created when the PKCS 12 file was exported OK Click OK to save the certificate on the ZyWALL Cancel Click Cancel to quit and return to the My Certificates screen Table 188 Object Certific...

Page 501: ...ssage if the certificate has expired icons Click the Edit icon to open a screen with an in depth list of information about the certificate The ZyWALL keeps all of your certificates unless you specific...

Page 502: ...n Path Click the Refresh button to have this read only text box display the end entity s certificate and a list of certification authority certificates that shows the hierarchy of certification author...

Page 503: ...from the entity maintaining the server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the CRL directory server usually a certificati...

Page 504: ...ificate For example Subject Type CA means that this is a certification authority s certificate and Path Length Constraint 1 means that there can only be one certification authority in the certificate...

Page 505: ...mation The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify not a huge list When the ZyWALL requests certificate status infor...

Page 506: ...Chapter 34 Certificates ZyWALL USG 50 H User s Guide 506...

Page 507: ...es 35 1 2 What You Need to Know About SSL Application Objects Weblinks You can configure weblink SSL applications to allow remote users to access web sites Remote User Screen Links Available SSL appli...

Page 508: ...application click the Add or Edit button in the SSL Application screen to display the configuration screen as shown Figure 408 Object SSL Application Add Edit Table 191 Object SSL Application LABEL DE...

Page 509: ...re allowed URL Enter the Fully Qualified Domain Name FQDN or IP address of the application server Note You must enter the http or https prefix Remote users are restricted to access only files in this...

Page 510: ...Chapter 35 SSL Application ZyWALL USG 50 H User s Guide 510...

Page 511: ...511 PART VIII System System 513...

Page 512: ...512...

Page 513: ...re SHell used to securely access the ZyWALL s command line interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen Figure 446...

Page 514: ...server To change your ZyWALL s time based on your local time zone and date click System Date Time The screen displays as shown You can manually set the ZyWALL s time and date or have the ZyWALL get th...

Page 515: ...This field displays the last updated time from the time server or the last time configured manually When you set Time and Date Setup to Manual enter the new time in this field and then click Apply Ne...

Page 516: ...ast Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The tim...

Page 517: ...s will display the appropriate settings if the synchronization is successful If the synchronization was not successful a log displays in the View Log screen Try reconfiguring the Date Time screen To m...

Page 518: ...es in the following ways The ISP tells you the DNS server addresses usually in the form of an information sheet when you sign up If your ISP gives you DNS server addresses manually enter them in the D...

Page 519: ...t s fully qualified domain name IP Address This is the IP address of a host Add icon Click the Add icon in the heading row to open a screen where you can add a new address PTR record Refer to Table 19...

Page 520: ...ail server that handles the mail for a particular domain This is the index number of the MX record Domain Name This is the domain name where the mail is destined for IP FQDN This is the IP address or...

Page 521: ...d is also called a reverse record or a reverse lookup record It is a mapping of an IP address to a domain name 36 5 5 Adding an Address PTR Record Click the Add icon in the Address PTR Record table to...

Page 522: ...he Domain Zone Forwarder table to add a domain zone forwarder record Figure 415 System DNS Domain Zone Forwarder Add Table 198 System DNS Address PTR Record Edit LABEL DESCRIPTION FQDN Type a fully qu...

Page 523: ...ified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP...

Page 524: ...ystem DNS MX Record Add continued LABEL DESCRIPTION Table 201 System DNS Service Control Rule Add LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to send DNS queries to the Z...

Page 525: ...rvice Access Limitations A service cannot be used to access the ZyWALL when 1 You have disabled that service in the corresponding screen 2 The allowed IP address address object in the Service Control...

Page 526: ...is used so that you can securely access the ZyWALL using the web configurator The SSL protocol specifies that the HTTPS server the ZyWALL must always authenticate itself to the HTTPS client the comput...

Page 527: ...eals with management access to the web configurator User Service Control deals with user access to the ZyWALL logging into SSL VPN for example Figure 420 System WWW Service Control The following table...

Page 528: ...ure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of...

Page 529: ...e ZyWALL zone s configured in the Zone field Accept or not Deny Add icon Click the Add icon in the heading row to open a screen where you can add a new rule Refer to Table 203 on page 530 for informat...

Page 530: ...dit LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined address object to just allow or deny the computer wi...

Page 531: ...hoose Enter the name of the desired color Enter a pound sign followed by the six digit hexadecimal number that represents the desired color For example use 000000 for black Enter rgb followed by red g...

Page 532: ...Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Message Color Specif...

Page 533: ...Internet Explorer 36 6 7 2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server a Website Certified by an Unknown Authority screen pops up asking if you trust the ser...

Page 534: ...s The issuing certificate authority of the ZyWALL s factory default certificate is the ZyWALL itself since the certificate is a self signed certificate For the browser to trust a self signed certifica...

Page 535: ...Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA web confi...

Page 536: ...pendix 36 6 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal cert...

Page 537: ...lick Browse if you wish to import a different certificate Figure 432 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA Figure 433 Personal Certificate Import Wizard 3 4...

Page 538: ...te Import Wizard 4 5 Click Finish to complete the wizard and begin the import process Figure 435 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is corr...

Page 539: ...web address field Figure 437 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL the following screen asks you to select a personal certificate to send to the...

Page 540: ...f the ZyWALL for a management session Figure 440 SSH Communication Over the WAN Example 36 7 1 How SSH Works The following figure is an example of how a secure connection is established between two re...

Page 541: ...SH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Archfour and Blowfish The SSH server is implemented on the ZyWALL for management using port 22 by default 36 7 3 Requi...

Page 542: ...ce for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections You must have certificates already configure...

Page 543: ...SH Example 2 Test 2 Enter ssh 1 192 168 1 1 This command forces your computer to connect to the ZyWALL using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a messag...

Page 544: ...h a hyphen instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply othe...

Page 545: ...lnet continued LABEL DESCRIPTION Table 207 System FTP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service...

Page 546: ...ccess Address This is the object name of the IP address es with which the computer is allowed or denied to access Action This displays whether the computer with the IP address specified above can acce...

Page 547: ...ariables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the pu...

Page 548: ...g events occurs 36 10 3 Configuring SNMP To change your ZyWALL s SNMP settings click System SNMP tab The screen appears as shown Use this screen to configure your SNMP settings including from which zo...

Page 549: ...which ZyWALL zones This the index number of the service control rule The entry with a hyphen instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that...

Page 550: ...Table 210 System Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL s web configurator screens You also need to open a new browser session to display the screens in...

Page 551: ...551 PART IX Maintenance Troubleshooting Specifications File Manager 553 Logs 563 Reports 575 Diagnostics 583 Reboot 585 Troubleshooting 587 Product Specifications 591...

Page 552: ...552...

Page 553: ...nfiguration File screen see Section 37 2 on page 555 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuration files fro...

Page 554: ...ing of a single to have the ZyWALL exit sub command mode Figure 451 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin pas...

Page 555: ...e configuration file or shell script and generates a log You can change the way a configuration file or shell script is applied Include setenv stop on error off in the configuration file or shell scri...

Page 556: ...s and applies it If there are no errors the ZyWALL uses it and copies it to the lastgood conf configuration file as a back up file If there is an error the ZyWALL generates a log and copies the startu...

Page 557: ...me of another configuration file in the ZyWALL Click a configuration file s row to select it and click Rename to open the Rename File screen Figure 454 Maintenance File Manager Configuration File Rena...

Page 558: ...management session the changes are applied to this configuration file The ZyWALL applies configuration changes made in the web configurator to the configuration file when you click Apply or OK It appl...

Page 559: ...ng a temporary network disconnect In some operating systems you may see the following icon on your desktop Table 213 Maintenance File Manager Firmware Package LABEL DESCRIPTION Boot Module This is the...

Page 560: ...LL use commands that you specify Use a text editor to create the shell script files They must use a zysh filename extension Click Maintenance File Manager Shell Script to open the Shell Script screen...

Page 561: ...s including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Delete Click a shell script file s row to select it and...

Page 562: ...r s Guide 562 Browse Click Browse to find the zysh file you want to upload Upload Click Upload to begin the upload process This process may take up to several minutes Table 214 Maintenance File Manage...

Page 563: ...log and you can also clear the log in this screen Use the Maintenance Log Settings screen Section 38 4 on page 565 to specify which log messages are e mailed where they are e mailed and how often they...

Page 564: ...he whole log regardless of what is currently displayed on the screen Filter These fields are displayed when you show the filter When the filter is shown the filter criteria are not applied until you c...

Page 565: ...rded in the ZyWALL entries per page Select the number of log messages you would like to see on one screen Choices are 30 50 and 80 Page x of x This is the number of the page of entries currently displ...

Page 566: ...Setting LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific log Name This field displays the name of the log system log or one of the remote servers Log Format...

Page 567: ...includes the e mail profiles Go to the Log Settings Summary screen see Section 38 4 1 on page 566 and click the system log Edit icon Active Log Summary Click this button to open the Active Log Summary...

Page 568: ...Chapter 38 Logs ZyWALL USG 50 H User s Guide 568 Figure 464 Maintenance Log Log Setting Edit System Log...

Page 569: ...user name to provide to the SMTP server when the log is e mailed Password This box is effective when you select the SMTP Authentication check box Type the password to provide to the SMTP server when t...

Page 570: ...og tab the text count x where x is the number of original log messages is appended at the end of the Message field when multiple log messages were aggregated Log Consolidation Interval Type how often...

Page 571: ...ribes the labels in this screen Table 219 Maintenance Log Log Setting Edit Remote Server LABEL DESCRIPTION Log Settings for Remote Server 1 Active Select this check box to send log information accordi...

Page 572: ...ifferent files in the syslog server Please see the documentation for your syslog program for more information Active Log Log Category This field displays each category of messages It is the same value...

Page 573: ...discussed The Default category includes debugging messages generated by open source software The following table describes the fields in this screen Table 220 Maintenance Log Log Setting Active Log Su...

Page 574: ...information and alerts from this category enable all logs yellow checkmark log regular information alerts and debugging information from this category If you check one of the check boxes for All Logs...

Page 575: ...how to send daily reports and what reports to send 39 2 The Traffic Statistics Screen Click Maintenance Report Traffic Statistics to display the Traffic Statistics screen This screen provides basic in...

Page 576: ...on to update it Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Statistics Interface Select the interface from which to collect info...

Page 577: ...imum number of services and service ports in this report is indicated in Table 222 on page 578 Protocol This field indicates what protocol the service was using Direction This field indicates whether...

Page 578: ...ource address Destination address Number of bytes received so far Number of bytes transmitted so far Duration so far You can look at all the active sessions by user or by service or you can filter the...

Page 579: ...ll sessions is selected Type the user whose sessions you want to view It is not possible to type part of the user name or use wildcards in this field you must enter the whole user name Service This fi...

Page 580: ...tive session If you are looking at the sessions by services report click the blue plus sign next to each protocol to look at detailed session information by user Source This field displays the source...

Page 581: ...ect Append date time to add the ZyWALL s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type...

Page 582: ...tems Select which information you want included in the report Select Reset counters after sending report successfully if you only want to see statistics for a 24 hour period Reset All Counters Click t...

Page 583: ...nostics screen Figure 470 Maintenance Diagnostics The following table describes the labels in this screen Table 225 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most rece...

Page 584: ...Chapter 40 Diagnostics ZyWALL USG 50 H User s Guide 584...

Page 585: ...write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 42 1 on page 589 reset returns the device to its defau...

Page 586: ...Chapter 41 Reboot ZyWALL USG 50 H User s Guide 586...

Page 587: ...computer at the other Before doing so ensure that both computers have Internet access via the IPSec routers It is also helpful to have a way to look at the packets that are being sent and received by...

Page 588: ...is not a firewall or NAT router between the ZyWALL and the remote users 4 Make sure the remote users are using public IP addresses V The VPN connection is up but VPN traffic cannot be transmitted thro...

Page 589: ...ed in the cellular device 2 Make sure the cellular device is properly connected to the correct slot The USB port for which you configured the corresponding cellular interface You may need to remove th...

Page 590: ...sure the SYS LED is on and not blinking 2 Press the RESET button and hold it until the SYS LED begins to blink This usually takes about five seconds 3 Release the RESET button and wait for the ZyWALL...

Page 591: ...ces 6 The WAN interfaces are Fast Ethernet 10 100 Mbps full duplex RJ 45 connectors auto negotiation auto MDI MDIX auto crossover The LAN DMZ Ethernet interfaces are Gigabit Ethernet full duplex RJ 45...

Page 592: ...ack mountable rack mount kit not included Wall mounting The ZyWALL has wall mounting holes on the bottom panel The centers of the holes are located 156 mm apart Table 227 Hardware Specifications conti...

Page 593: ...ice object in one group 500 Schedule Objects 64 Maximum Number of LDAP Groups 4 Maximum Number of LDAP Servers for Each LDAP Group 2 Maximum Number of RADIUS Groups 4 Maximum Number of RADIUS Servers...

Page 594: ...E 802 1d standard Interface RFCs 2131 2132 1541 Interface PPP RFCs 1144 1321 1332 1334 1661 1662 2472 Interface PPTP RFCs 2637 3078 Interface PPPOE RFC 2516 Interface VLAN IEEE 802 1Q Dynamic Route Sh...

Page 595: ...1 4252 4253 4254 Used by Time service RFCs 3339 Used by Telnet service RFCs 318 854 1413 Used by SIP ALG RFCs 3261 3264 DHCP relay RFC 1541 ZySH W3C XML standard ARP RFC 826 IP IPv4 RFC 791 TCP RFC 79...

Page 596: ...Chapter 43 Product Specifications ZyWALL USG 50 H User s Guide 596...

Page 597: ...597 PART X Appendices and Index Log Descriptions 599 Common Services 637 Importing Certificates 641 Wireless LANs 647 Open Software Announcements 661 Legal Information 687 Index 689...

Page 598: ...598...

Page 599: ...SL user SSL tunnel is disconnected An SSL tunnel has been disconnected The source is the login IP address The destination is the IP address given to the SSL user The s address object is invalid IP in...

Page 600: ...r setting has been modified in the specified SSL VPN policy s The IP pool is same subnet with s in SSL VPN policy s So s will not be injected to client side The IP pool is in the same subnet as the sp...

Page 601: ...the user s user name The third s is the name of the service the user is using HTTP or HTTPS Failed login attempt to SSLVPN from s login on a lockout address An SSL VPN login attempt from the listed u...

Page 602: ...specified user name s was denied access to the L2TP over IPSec service because the correct password was not provided User s has been denied from L2TP service Incorrect Username or Password A user with...

Page 603: ...me can t print entry s 1st zysh entry name s cannot retrieve entries from list 1st zysh list name can t get name for entry d 1st zysh entry index can t get reference count s 1st zysh list name can t p...

Page 604: ...http inspection attack tcp decoder attack The message gives details about the attack although the message is dropped if the log is more than 128 characters The action is what the ZyWALL did with the p...

Page 605: ...TTP HTTPS FTP Telnet SSH or console s s from s has been logged out ZyWALL re auth timeout The ZyWALL is signing the specified user out due to a re authentication timeout 1st s The type of user account...

Page 606: ...1st s Protocol Name 2nd s port less or port base 3rd s Rule Index 4th s forward drop or reject Service s Rule s Action s Access drop Special packet logging for IM action 1st s Protocol Name 2nd s port...

Page 607: ...device failed to initiate XML System fatal error 60011004 The device failed to turn application patrol off while the system was initiating Table 237 IKE Logs LOG MESSAGE DESCRIPTION Peer has not annou...

Page 608: ...the tunnel name When negotiating Phase 1 the authentication method did not match SA Tunnel s Phase 1 encryption algorithm mismatch s is the tunnel name When negotiating Phase 1 the encryption algorit...

Page 609: ...sal in phase 1 the engine could not get the correct secure gateway address Could not dial dynamic tunnel s s is the tunnel name The tunnel is a dynamic tunnel and the device cannot dial it Could not d...

Page 610: ...d the VPN gateway VPN gateway s was enabled s is the gateway name An administrator enabled the VPN gateway XAUTH fail My name s s is the my xauth name This indicates that my name is invalid XAUTH fail...

Page 611: ...context Get outbound transform fail When outgoing packet need to be transformed the engine cannot obtain the transform context Inbound transform operation fail After encryption or hardware accelerate...

Page 612: ...ll rule d has been deleted d is the global index of rule Firewall rules have been flushed Firewall rules were flushed Firewall rule d was s d is the global index of rule s is appended inserted modifie...

Page 613: ...fail Allocating policy routing rule fails insufficient memory d the policy route rule number The policy route d uses empty user group Use an empty object group d the policy route rule number The polic...

Page 614: ...P port has changed to default port An administrator changed the port number for HTTP back to the default 80 SSH port has been changed to port s An administrator changed the port number for SSH s is po...

Page 615: ...nistrator changed the time zone s is time zone value Set timezone to default An administrator changed the time zone back to the default 0 Enable daylight saving An administrator turned on daylight sav...

Page 616: ...ave reached the maximum number of 32 Wizard apply DNS server fail because the device already has the maximum number of DNS records configured s is IP address of the DNS server Access control rules of...

Page 617: ...Partition name file system usage reaches d disk threshold max When memory usage drops below threshold min System Memory usage drops below the threshold of d mem threshold min When local storage usage...

Page 618: ...e device was not able to synchronize with the NTP time server successfully Device is rebooted by administrator An administrator restarted the device Insufficient memory Cannot allocate system memory C...

Page 619: ...d because of dyndns internal error Update profile failed because of a dynsdns internal error s is the profile name Update the profile s has failed because the feature requested is only available to do...

Page 620: ...dated because the IP of WAN iface is 0 0 0 0 1st s is the profile name Update the profile s has failed because ping check of WAN interface has failed DDNS profile cannot be updated because the ping ch...

Page 621: ...ocess can t execute isalive function from module for check link status s the connectivity module currently only ICMP available Create socket error The connectivity check process can t get socket to se...

Page 622: ...s been activated s Interface Name RIP direction on interface s has been changed to In Only RIP direction on interface s has been changed to In Only s Interface Name RIP direction on interface s has be...

Page 623: ...me RIP receive version on interface s has been changed to s RIP receive version on interface s has been changed to version 1 or 2 or both 1 2 2nd s Interface Name RIP send version on interface s has b...

Page 624: ...ion same as area however the area has invalid text authentication configuration s Interface Name Table 246 NAT Logs LOG MESSAGE DESCRIPTION The NAT range is full The NAT mapping table is full s FTP AL...

Page 625: ...Generate certificate request s failed errno d The router was not able to create a certificate request with the specified name See Table 249 on page 627 for details about the error number Generate PKCS...

Page 626: ...e certificate request name Decode imported certificate s failed The device was not able to decode an imported certificate s is certificate the request name Export PKCS 12 certificate s from My Certifi...

Page 627: ...as not valid in the time interval 4 Not used 5 Certificate is not valid 6 Certificate signature was not verified correctly 7 Certificate was revoked by a CRL 8 Certificate was not added to the cache 9...

Page 628: ...t work correctly An administrator configured ethernet vlan or bridge and this interface is base interface of PPP interface PPP interface MTU base interface MTU 8 PPP interface may not run correctly be...

Page 629: ...CHAP CHAP interface name Interface s is connected A PPP interface connected successfully s interface name Interface s is disconnected A PPP interface disconnected successfully s interface name Interf...

Page 630: ...serted Please remove the device then check the SIM card The SIM card for the cellular device associated with the listed cellular interface d cannot be detected The SIM card may be missing not inserted...

Page 631: ...e You need to manually enter the password for the listed cellular interface d Table 249 WLAN Logs LOG MESSAGE DESCRIPTION Wlan s is enabled The WLAN IEEE 802 11 b and or g feature has been turned on s...

Page 632: ...Interface s MAC s A wireless client used an incorrect WPA or WPA2 user password and failed authentication by the ZyWALL s local user database while trying to connect to the specified WLAN interface fi...

Page 633: ...in its group In this case the DHCP client will renew s interface name Port Grouping s has been changed An administrator configured port grouping s interface name Table 252 Force Authentication Logs L...

Page 634: ...HCP client s request for the specified IP address DHCP released s with s s A DHCP client released the specified IP address The DHCP client s hostname and MAC address are listed Sending ACK to s The DH...

Page 635: ...2X 02X The IP MAC binding feature dropped an Ethernet packet The interface the packet came in through and the sender s IP address and MAC address are also shown Cannot bind ip mac from dhcpd s u u u u...

Page 636: ...Appendix A Log Descriptions ZyWALL USG 50 H User s Guide 636...

Page 637: ...l is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 257 Commonly Used Servi...

Page 638: ...ogram NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transparent file sharing for network environments NNTP TCP...

Page 639: ...midrange systems UNIX systems and network servers SSH TCP UDP 22 Secure Shell Remote Login Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Syslog allows you to send system logs to a...

Page 640: ...Appendix B Common Services ZyWALL USG 50 H User s Guide 640...

Page 641: ...creen to do this Figure 472 Security Certificate Importing the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the se...

Page 642: ...ZyWALL USG 50 H User s Guide 642 Figure 473 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 474 Certificate General Information before Import 3 Click Next to beg...

Page 643: ...LL USG 50 H User s Guide 643 Figure 475 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 476 Certificate Import Wizard 2 5 Click Finish to...

Page 644: ...Appendix C Importing Certificates ZyWALL USG 50 H User s Guide 644 Figure 477 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store Figure 478 Root Certificate Store...

Page 645: ...Appendix C Importing Certificates ZyWALL USG 50 H User s Guide 645 Figure 479 Certificate General Information after Import...

Page 646: ...Appendix C Importing Certificates ZyWALL USG 50 H User s Guide 646...

Page 647: ...ependent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 480 Peer to Peer Communication in an Ad hoc N...

Page 648: ...wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired netw...

Page 649: ...rtially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 ch...

Page 650: ...requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if...

Page 651: ...support it and to provide more efficient communications Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it otherwise the ZyWALL uses long p...

Page 652: ...f IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting management o...

Page 653: ...oint and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stoppe...

Page 654: ...e wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exch...

Page 655: ...at defines stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireles...

Page 656: ...ta has been tampered with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more dif...

Page 657: ...is the distribution system 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants...

Page 658: ...PA 2 PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type MAC ad...

Page 659: ...tdoor site each 1dB increase in gain results in a range increase of approximately 5 Actual results may vary depending on the network environment Antenna gain is sometimes specified in dBi which is how...

Page 660: ...and in a direct line of sight to each other to attain the best performance For omni directional antennas mounted on a table desk and so on point the antenna up For omni directional antennas mounted on...

Page 661: ...ain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following...

Page 662: ...is without express or implied warranty This Product includes expat 1 95 6 software under the Expat License Expat License Copyright c 1998 1999 2000 Thai Open Source Software Center Ltd Permission is h...

Page 663: ...is Product includes openssl 0 9 8d ocf software under the OpenSSL License OpenSSL The OpenSSL toolkit stays under a dual license i e both the conditions of the OpenSSL License and the original SSLeay...

Page 664: ...License Copyright C 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to con...

Page 665: ...d xinetd 2 3 14 software under the a 3 clause BSD License a 3 clause BSD style license This license is compatible with The GNU General Public License Version 1 This license is compatible with The GNU...

Page 666: ...notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY...

Page 667: ...d any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Enti...

Page 668: ...nd do not modify the License You may add Your own attribution notices within Derivative Works that You distribute alongside or as an addendum to the NOTICE text from the Work provided that such additi...

Page 669: ...ights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain th...

Page 670: ...sure the software is free for all its users This license the Lesser General Public License applies to some specially designated software packages typically libraries of the Free Software Foundation an...

Page 671: ...criteria for linking other code with the library We call this license the Lesser General Public License because it does Less to protect the user s freedom than the ordinary General Public License It a...

Page 672: ...keep intact all the notices that refer to this License and to the absence of any warranty and distribute a copy of this License along with the Library You may charge a fee for the physical act of tran...

Page 673: ...s no derivative of any portion of the Library but is designed to work with the Library by being compiled or linked with it is called a work that uses the Library Such a work in isolation is not a deri...

Page 674: ...eady sent this user a copy For an executable the required form of the work that uses the Library must include any data and utility programs needed for reproducing the executable from it However as a s...

Page 675: ...ts or other property right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented...

Page 676: ...NY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUST...

Page 677: ...ssion to copy distribute and or modify the software Also for each author s protection and ours we want to make certain that everyone understands that there is no warranty for this free software If the...

Page 678: ...nt an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and sepa...

Page 679: ...or modifying the Program or works based on it 6 Each time you redistribute the Program or any work based on the Program the recipient automatically receives a license from the original licensor to cop...

Page 680: ...by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivative...

Page 681: ...REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EV...

Page 682: ...provided with the distribution and 3 Redistributions must contain a verbatim copy of this document The OpenLDAP Foundation may revise this license from time to time Each revision is distinguished by a...

Page 683: ...S ACQUIRED AND YOUR MONEY WILL BE REFUNDED 1 Grant of License for Personal Use ZyXEL Communications Corp ZyXEL grants you a non exclusive non sublicense non transferable license to use the program wit...

Page 684: ...uch material are contained in the online electronic documentation for the Software and your use of such material is governed by their respective terms ZyXEL has provided as part of the Software packag...

Page 685: ...S REGULATIONS ORDERS OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME YOU SHALL NOT EXPORT THE SOFTWARE DOCUMENTATION OR IN...

Page 686: ...C Taiwan This License Agreement shall constitute the entire Agreement between the parties hereto This License Agreement the rights granted hereunder the Software and Documentation shall not be assigne...

Page 687: ...by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does i...

Page 688: ...t shall deem necessary to restore the product or components to proper operating condition Any replacement will consist of a new or re manufactured functionally equivalent product of equal or higher va...

Page 689: ...encapsulation 341 ESP 340 active sessions 133 136 582 AD 479 AD Active Directory 480 address groups 461 and firewall 304 and force user authentication policies 458 and FTP 550 and SNMP 553 and SSH 546...

Page 690: ...unidentified applications 416 vs firewall 293 295 applications 37 ASCII encoding 441 asymmetrical routes 301 allowing through the firewall 302 vs virtual interfaces 301 attacks Denial of Service DoS...

Page 691: ...9 serial number 502 507 storage space 496 504 thumbprint algorithms 495 thumbprints 495 used for authentication 494 verifying fingerprints 495 where used 89 certification requests 499 certifications n...

Page 692: ...91 Distinguished Name DN 481 distributed port scans 438 DNS 189 522 address records 525 domain name forwarders 526 domain name to IP address 525 IP address to domain name 525 L2TP VPN 370 Mail eXchang...

Page 693: ...ration overview 86 global rules 295 prerequisites 87 priority 303 rule criteria 295 see also to ZyWALL firewall 294 session limits 305 to ZyWALL See also to ZyWALL firewall triangle routes 301 302 vs...

Page 694: ...c router 334 IP address ZyXEL device 334 local identity 337 main mode 334 337 338 NAT traversal 338 negotiation mode 334 password 339 peer identity 337 pre shared key 336 proposal 334 see also VPN use...

Page 695: ...y 319 PFS 319 phase 2 settings 318 policy enforcement 318 policy routes 314 proposals 319 remote access 318 remote IPSec router 311 remote network 311 remote policy 318 replay detection 318 SA life ti...

Page 696: ...21 algorithms 222 226 least load first 223 See also trunks 221 session oriented 222 spillover 224 tutorial 120 weighted round robin 223 local user database 480 log messages and alerts 569 categories 5...

Page 697: ...P 509 vs CRL 509 Open Shortest Path First See OSPF OSPF 161 243 and Ethernet interfaces 155 and RIP 245 and static routes 245 and to ZyWALL firewall 243 area 0 244 areas See OSPF areas authentication...

Page 698: ...and firewall 236 and policy routes 236 and service groups 236 and services 236 power off 33 power on 33 PPP 216 PPP interfaces 166 basic characteristics 148 gateway 167 ISP account 167 subnet mask 16...

Page 699: ...TP 283 RTS Request To Send 654 threshold 653 654 S safety warnings 8 schedules 473 and current date time 473 and firewall 304 414 417 419 and force user authentication policies 458 and policy routes 2...

Page 700: ...names 349 connection monitor 349 full tunnel mode 349 global setting 350 IP pool 349 network list 349 remote user login 354 remote user logout 359 See also SSL VPN 345 user screen bookmarks 359 user s...

Page 701: ...1 to ZyWALL firewall 294 and NAT traversal VPN 591 and OSPF 243 and remote management 295 and RIP 242 and service control 529 and virtual servers 265 and VPN 591 global rules 294 See also firewall 294...

Page 702: ...licy routes 234 412 414 417 419 and RADIUS 448 and service control 529 and shell scripts 460 attributes for Ext User 448 attributes for LDAP 460 attributes for RADIUS 460 attributes in AAA servers 460...

Page 703: ...s 274 see also HTTP redirect web based SSL application configuration example 511 create 512 webroot directory traversal attack 442 weighted round robin for load balancing 223 Wi Fi Protected Access 65...

Page 704: ...294 302 and FTP 550 and interfaces 80 251 and SNMP 553 and SSH 546 and Telnet 548 and VPN 80 251 and WWW 534 block intra zone traffic 253 301 configuration overview 85 default 81 extra zone traffic 25...

Reviews:

No comments

Related manuals for ZyWall USG 50-H Series

Eaton Power Xpert Meter 2000 User Manual preview
Power Xpert Meter 2000
Brand: Eaton Pages: 71
Eaton Power Xpert Gateway 900 Quick Start Manual preview
Power Xpert Gateway 900
Brand: Eaton Pages: 25
WAGO 750-658 Manual preview
750-658
Brand: WAGO Pages: 110
TANDBERG Codian GW 3201 Series Getting Started preview
Codian GW 3201 Series
Brand: TANDBERG Pages: 18
Patton SmartNode SN4150 User Manual preview
SmartNode SN4150
Brand: Patton Pages: 80
Garmin Flight Stream 110/210 Installation Manual preview
Flight Stream 110/210
Brand: Garmin Pages: 46
H3C MSR3610-I-DP Installation Manual preview
MSR3610-I-DP
Brand: H3C Pages: 39
AES Corporation 7177 Quick Start Manual preview
7177
Brand: AES Corporation Pages: 2
Badger Meter GALAXY II Installation Manual preview
GALAXY II
Brand: Badger Meter Pages: 24
LANSITEC 100-13248 Manual preview
100-13248
Brand: LANSITEC Pages: 25
Carotron GTW-MB-MBTCP Instruction Manual preview
GTW-MB-MBTCP
Brand: Carotron Pages: 20
Siemens SpeedStream 5450 User Manual preview
SpeedStream 5450
Brand: Siemens Pages: 83
Siemens SpeedStream 6500 Series User Manual preview
SpeedStream 6500 Series
Brand: Siemens Pages: 98
Ositech Communications Ositech Titan II Getting Started Manual preview
Ositech Titan II
Brand: Ositech Communications Pages: 4
TCAM T8000-I User Manual preview
T8000-I
Brand: TCAM Pages: 25
ICP DAS USA GW-5492 User Manual preview
GW-5492
Brand: ICP DAS USA Pages: 24
2Wire HomePortal 3800HGV-B User Manual preview
HomePortal 3800HGV-B
Brand: 2Wire Pages: 82
AMX NetLinx NXB-CCG-K Operation/Reference Manual preview
NetLinx NXB-CCG-K
Brand: AMX Pages: 32

Brands by name

Popular brands

Load more brands