ZyXEL Communications ZyXEL ZyWALL USG-1000 User Manual Download Page 507 | Manualshive

Page: 507 / 986

background image

Chapter 31 IDP

ZyWALL USG 2000 User’s Guide

507

Note: The ZyWALL checks all signatures and continues searching even after a match

is found. If two or more rules have conflicting actions for the same packet, then
the ZyWALL applies the more restrictive action (

reject-both, reject-receiver or

reject-sender, drop, none

in this order). If a packet matches a rule for

reject-

receiver

and it also matches a rule for

reject-sender

, then the ZyWALL will

reject-both

.

Figure 358

Anti-X > IDP > Custom Signatures

The following table describes the fields in this screen.

Table 152

Anti-X > IDP > Custom Signatures

LABEL

DESCRIPTION

Custom
Signature
Rules

Use this part of the screen to create, edit, delete or export (save to your
computer) custom signatures.

SID

SID is the signature ID that uniquely identifies a signature. Click the SID
header to sort signatures in ascending or descending order. It is
automatically created when you click the Add icon to create a new
signature. You can edit the ID, but it cannot already exist and it must be in
the 9000000 to 9999999 range.

Name

This is the name of your custom signature. Duplicate names can exist, but
it is advisable to use unique signature names that give some hint as to
intent of the signature and the type of attack it is supposed to prevent.

Add/Edit

Click the Add icon to create a new signature or click the Edit icon to edit
an existing signature.

Delete

Use this column to delete signatures. Select (or clear) the check boxes
next to individual signatures within the column. When you are certain that
you have only selected signatures that you want to remove, click the
Delete icon. Click OK in the confirm delete signature dialog box to delete
the selected signature(s).

Export

Use this column to save signatures to your computer. Select (or clear) the
check box in the header column to select (or clear) all check boxes in that
column. You can also select (or clear) individual signatures within the
column. When you are certain that you have only selected signatures that
you want to save, click Export. Click Save in the file download dialog box
and then select a location and name for the file.

Custom signatures must end with the ‘rules’ file name extension, for
example, MySig.rules.

«
...
505
506
507
508
509
...
»

Summary of Contents for ZyXEL ZyWALL USG-1000

Page 1: ... com ZyWALL USG 2000 Unified Security Gateway Copyright 2009 ZyXEL Communications Corporation Firmware Version 2 12 Edition 1 6 2009 Default Login Details LAN Port P1 IP Address https 192 168 1 1 User Name admin Password 1234 ...

Page 2: ......

Page 3: ...ecommended you read Chapter 6 on page 103 for ZyWALL application examples Subsequent chapters are arranged by menu item as defined in the web configurator Read each chapter carefully for detailed information on that menu item To find specific information in this guide use the Contents Overview the Table of Contents the Index or search the PDF file E mail techwriters zyxel com tw if you cannot find...

Page 4: ... or use e mail instead Thank you The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan E mail techwriters zyxel com tw Need More Help More help is available at www zyxel com Download Library Search for the latest product updates and documentation from this link Read the Tech Doc Overview to find out how to efficiently use the Use...

Page 5: ...bought the device See http www zyxel com web contact_us php for contact information Please have the following information ready when you contact an office Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Disclaimer Graphics in this book may differ slightly from the product due to differences ...

Page 6: ... key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first click...

Page 7: ... User s Guide 7 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyWALL icon is not an exact representation of your device ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ...

Page 8: ...e Connect it to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT remove the plug and connect it to a power outlet by itself always attach the plug to the power adaptor first before connecting it to a power outlet Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT ...

Page 9: ...tatus 137 Registration 153 Signature Update 159 Network 167 Interfaces 169 Trunks 225 Policy and Static Routes 235 Routing Protocols 249 Zones 261 DDNS 265 Virtual Servers 273 HTTP Redirect 289 ALG 293 IP MAC Binding 301 Firewall 307 Firewall 309 VPN 327 IPSec VPN 329 SSL VPN 371 SSL User Screens 383 SSL User Application Screens 393 SSL User File Sharing 395 ZyWALL SecuExtender 403 L2TP VPN 407 L2...

Page 10: ...75 Device HA 593 Device HA 595 Objects 613 User Group 615 Addresses 631 Services 637 Schedules 643 AAA Server 649 Authentication Method 661 Certificates 665 ISP Accounts 687 SSL Application 691 System 699 System 701 Maintenance Troubleshooting Specifications 749 File Manager 751 Logs 763 Reports 777 Diagnostics 795 Reboot 797 Troubleshooting 799 Product Specifications 805 Appendices and Index 813 ...

Page 11: ...Front Panel LEDs 35 1 3 Management Overview 36 1 4 Starting and Stopping the ZyWALL 37 Chapter 2 Features and Applications 39 2 1 Features 39 2 2 Packet Flow 41 2 2 1 Interface to Interface Through ZyWALL 42 2 2 2 Interface to Interface To From ZyWALL 42 2 2 3 Interface to Interface From VPN Tunnel 42 2 2 4 Interface to Interface To VPN Tunnel 42 2 3 Applications 43 2 3 1 VPN Connectivity 43 2 3 2...

Page 12: ... 4 3 Device Registration 67 4 4 Installation Setup Two Internet Service Providers 69 4 4 1 Internet Access Wizard Setup Complete 71 4 5 VPN Setup 71 4 5 1 VPN Express Wizard 72 4 5 2 VPN Advanced Wizard 77 4 5 3 VPN Advanced Wizard Finish 83 Chapter 5 Configuration Basics 85 5 1 Object based Configuration 85 5 2 Zones Interfaces and Physical Ports 86 5 2 1 Interface Types 87 5 2 2 Default Interfac...

Page 13: ...nfigure a WAN Ethernet Interface 104 6 1 2 Configure Zones 105 6 1 3 Configure Port Grouping 105 6 2 How to Configure a Cellular Interface 106 6 3 How to Configure Load Balancing 109 6 3 1 Set Up Available Bandwidth on Ethernet Interfaces 110 6 3 2 Configure the WAN Trunk 110 6 4 How to Set Up an IPSec VPN Tunnel 111 6 4 1 Set Up the VPN Gateway 111 6 4 2 Set Up the VPN Connection 112 6 4 3 Set Up...

Page 14: ... a Virtual Server 134 Chapter 7 Status 137 7 1 Overview 137 7 1 1 What You Can Do in the Status Screens 137 7 2 The Status Screen 138 7 2 1 The CPU Usage Screen 144 7 2 2 The Memory Usage Screen 145 7 2 3 The Session Usage Screen 146 7 2 4 The VPN Status Screen 147 7 2 5 The DHCP Table Screen 148 7 2 6 The Port Statistics Screen 149 7 2 7 The Port Statistics Graph Screen 150 7 2 8 The Current User...

Page 15: ... 1 Ethernet Edit 179 10 5 The Static DHCP Screen 185 10 6 PPP Interfaces 186 10 6 1 PPP Interface Summary 187 10 6 2 PPP Interface Edit 188 10 7 Cellular Configuration Screen 3G 192 10 7 1 Cellular Add Edit Screen 195 10 8 Cellular Status Screen 199 10 9 VLAN Interfaces 201 10 9 1 VLAN Summary Screen 203 10 9 2 VLAN Add Edit 204 10 10 Bridge Interfaces 209 10 10 1 Bridge Summary 211 10 10 2 Bridge...

Page 16: ...45 Chapter 13 Routing Protocols 249 13 1 Routing Protocols Overview 249 13 1 1 What You Can Do in the RIP and OSPF Screens 249 13 1 2 What You Need to Know About Routing Protocols 249 13 2 The RIP Screen 250 13 3 The OSPF Screen 251 13 3 1 Configuring the OSPF Screen 255 13 3 2 OSPF Area Add Edit Screen 257 13 4 Routing Protocol Technical Reference 259 Chapter 14 Zones 261 14 1 Zones Overview 261 ...

Page 17: ...ut HTTP Redirect 290 17 2 The HTTP Redirect Screen 291 17 2 1 The HTTP Redirect Edit Screen 292 Chapter 18 ALG 293 18 1 ALG Overview 293 18 1 1 What You Can Do in the ALG Screen 293 18 1 2 What You Need to Know About ALG 294 18 1 3 Before You Begin 297 18 2 The ALG Screen 297 18 3 ALG Technical Reference 299 Chapter 19 IP MAC Binding 301 19 1 IP MAC Binding Overview 301 19 1 1 What You Can Do in t...

Page 18: ...Sec VPN 330 21 1 3 Before You Begin 332 21 2 The VPN Connection Screen 332 21 2 1 The VPN Connection Add Edit IKE Screen 334 21 2 2 The VPN Connection Add Edit Manual Key Screen 341 21 3 The VPN Gateway Screen 345 21 3 1 The VPN Gateway Add Edit Screen 346 21 4 The VPN Concentrator Screen 354 21 4 1 The VPN Concentrator Add Edit Screen 355 21 5 The SA Monitor Screen 357 21 6 IPSec VPN Background I...

Page 19: ...he SSL VPN File Sharing 395 25 2 The Main File Sharing Screen 396 25 3 Opening a File or Folder 396 25 3 1 Downloading a File 398 25 3 2 Saving a File 399 25 4 Creating a New Folder 399 25 5 Renaming a File or Folder 400 25 6 Deleting a File or Folder 400 25 7 Uploading a File 401 Chapter 26 ZyWALL SecuExtender 403 26 1 The ZyWALL SecuExtender Icon 403 26 2 Statistics 403 26 3 View Log 405 26 4 Su...

Page 20: ...at You Need to Know About Application Patrol 444 29 1 3 Application Patrol Bandwidth Management Examples 449 29 2 Application Patrol General Screen 452 29 3 Application Patrol Applications 454 29 3 1 The Application Patrol Edit Screen 455 29 3 2 The Application Patrol Policy Edit Screen 457 29 4 The Other Applications Screen 460 29 4 1 The Other Applications Add Edit Screen 463 29 5 Application Pa...

Page 21: ...n 493 31 5 Creating New Profiles 494 31 5 1 Procedure To Create a New Profile 494 31 6 Profiles Packet Inspection 495 31 6 1 Profile Group View Screen 496 31 6 2 Policy Types 499 31 6 3 IDP Service Groups 500 31 6 4 Profile Query View Screen 501 31 6 5 Query Example 503 31 7 Introducing IDP Custom Signatures 504 31 7 1 IP Packet Header 505 31 8 Configuring Custom Signatures 506 31 8 1 Creating or ...

Page 22: ...Screen 546 33 4 Content Filter Profile Screen 548 33 5 Content Filter Categories Screen 548 33 5 1 Content Filter Blocked and Warning Messages 559 33 6 Content Filter Customization Screen 559 33 7 Content Filter Cache Screen 562 33 8 Content Filter Technical Reference 564 Chapter 34 Content Filter Reports 567 34 1 Overview 567 34 2 Viewing Content Filter Reports 567 Chapter 35 Anti Spam 575 35 1 O...

Page 23: ...ode Monitored Interface 603 36 5 The Legacy Mode Screen 604 36 6 Configuring the Legacy Mode Screen 605 36 7 Device HA Technical Reference 610 Part VIII Objects 613 Chapter 37 User Group 615 37 1 Overview 615 37 1 1 What You Can Do Using The User Group Screens 615 37 1 2 What You Need To Know About User Groups 615 37 2 User Summary Screen 618 37 2 1 User Add Edit Screen 618 37 3 User Group Summary...

Page 24: ...ou Can Do in the Schedule Screens 643 40 1 2 What You Need to Know About Schedules 643 40 2 The Schedule Summary Screen 644 40 2 1 The One Time Schedule Add Edit Screen 645 40 2 2 The Recurring Schedule Add Edit Screen 646 Chapter 41 AAA Server 649 41 1 Overview 649 41 1 1 Directory Service AD LDAP Overview 649 41 1 2 RADIUS Server Overview 650 41 1 3 ASAS 650 41 1 4 What You Can Do Using The AAA ...

Page 25: ...it Screen 675 43 2 3 The My Certificates Import Screen 678 43 3 The Trusted Certificates Screen 679 43 3 1 The Trusted Certificates Edit Screen 680 43 3 2 The Trusted Certificates Import Screen 684 43 4 Certificates Technical Reference 685 Chapter 44 ISP Accounts 687 44 1 Overview 687 44 1 1 What You Can Do in the ISP Account Screens 687 44 2 ISP Account Summary 687 44 2 1 ISP Account Edit 688 Cha...

Page 26: ...der 712 46 5 8 MX Record 713 46 5 9 Adding a MX Record 713 46 5 10 Adding a DNS Service Control Rule 713 46 6 WWW Overview 714 46 6 1 Service Access Limitations 715 46 6 2 System Timeout 715 46 6 3 HTTPS 715 46 6 4 Configuring WWW Service Control 716 46 6 5 Service Control Rules 720 46 6 6 Customizing the WWW Login Page 720 46 6 7 HTTPS Example 724 46 7 SSH 732 46 7 1 How SSH Works 733 46 7 2 SSH ...

Page 27: ...ript Screen 760 Chapter 48 Logs 763 48 1 Overview 763 48 2 What You Can Do In The Log Screens 763 48 3 View Log Screen 763 48 4 Log Setting Screens 766 48 4 1 Log Setting Summary 767 48 4 2 Edit System Log Settings 768 48 4 3 Edit Remote Server Log Settings 772 48 4 4 Active Log Summary Screen 773 Chapter 49 Reports 777 49 1 Overview 777 49 1 1 What You Can Do in the Report Screens 777 49 2 The Tr...

Page 28: ... ZyWALL 801 52 2 Changing a Power Module 802 52 3 Getting More Troubleshooting Help 804 Chapter 53 Product Specifications 805 53 1 3G PCMCIA Card Installation 811 Part XI Appendices and Index 813 Appendix A Log Descriptions 815 Appendix B Common Services 875 Appendix C Displaying Anti Virus Alert Messages in Windows 879 Appendix D Importing Certificates 885 Appendix E Open Software Announcements 9...

Page 29: ...29 PART I Getting Started Introducing the ZyWALL 31 Features and Applications 39 Web Configurator 47 Configuration Basics 85 Tutorials 103 Status 137 Registration 153 Signature Update 159 ...

Page 30: ...30 ...

Page 31: ... Instant Messaging IM and Peer to Peer P2P control NAT port forwarding policy routing DHCP server and many other powerful features Flexible configuration helps you set up the network and enforce security policies efficiently See Chapter 2 on page 39 for a more detailed overview of the ZyWALL s features The front panel physical Gigabit Ethernet ports labeled P1 P2 P3 and so on are mapped to Gigabit...

Page 32: ...auto negotiating auto crossover Ethernet ports support 100 1000 Mbps Gigabit Ethernet so the speed can be 100 Mbps or 1000 Mbps The duplex mode can be both half or full duplex at 100 Mbps and full duplex only at 1000 Mbps An auto negotiating port can detect and adjust to the optimum Ethernet speed 100 1000 Mbps and duplex mode full duplex or half duplex of the connected device An auto crossover au...

Page 33: ...v 1 0 for details You can change transceivers while the ZyWALL is operating You can use different transceivers to connect to devices with different types of fiber optic connectors Type SFP connection interface Connection speed 1 Gigabit per second Gbps To avoid possible eye injury do not look into an operating fiber optic module s connectors or fiber optic cable Transceiver and Fiber optic Cable I...

Page 34: ...link status Figure 4 Installing the Fiber optic Cable Fiber optic Cable and Transceiver Removal Use the following steps to remove a mini GBIC transceiver SFP module 1 Press down on the top of the fiber optic cable where it connects to the transceiver to release it Then pull the fiber optic cable out Figure 5 Removing the Fiber optic Cable Example 2 Open the transceiver s latch latch styles vary Fi...

Page 35: ...ction 1 4 on page 37 If the LED shines red again then please contact your vendor SYS Off The ZyWALL is turned off Green On The ZyWALL is ready and operating normally Flashing The ZyWALL is self testing Red On The ZyWALL is malfunctioning AUX Off The AUX port is not connected Orange On The AUX port has a dial in management connection Flashing The AUX port is sending or receiving packets for the dia...

Page 36: ...igure the ZyWALL You can access it using remote management for example SSH or Telnet or via the console port See the Command Reference Guide for more information about the CLI P1 P8 Green Off There is no traffic on this port Flashing The ZyWALL is sending or receiving packets on this port Orange Off There is no connection on this port On This port has a successful link LNK Orange Off The Ethernet ...

Page 37: ...ld start occurs when you turn on the power to the ZyWALL The ZyWALL powers up checks the hardware and starts the system processes Rebooting the ZyWALL A warm start without powering down and powering up again occurs when you use the Reboot button in the Reboot screen or when you use the reboot command The ZyWALL writes all cached data to the local storage stops the system processes and then does a ...

Page 38: ...Chapter 1 Introducing the ZyWALL ZyWALL USG 2000 User s Guide 38 resources temporarily while the ZyWALL is applying configuration files or running shell scripts ...

Page 39: ...ovides reliable secure Internet access set up one or more of the following Multiple WAN ports and configure load balancing between these ports One or more 3G cellular connections An auxiliary backup Internet connection A backup ZyWALL in the event the master ZyWALL fails device HA Virtual Private Networks VPN Use IPSec SSL or L2TP VPN to provide secure communication between two sites over the Inte...

Page 40: ...n violations of protocol standards RFCs Requests for Comments Abnormal flows such as port scans The ZyWALL s ADP protects against network based intrusions See Section 32 3 4 on page 527 and Section 32 3 5 on page 530 for more on the kinds of attacks that the ZyWALL can protect against You can also create your own custom ADP rules Bandwidth Management Bandwidth management allows you to allocate net...

Page 41: ...lication s individual features like text messaging voice video conferencing and file transfers Application patrol has powerful bandwidth management including traffic prioritization to enhance the performance of delay sensitive applications like voice and video You can also use an option that gives SIP priority over all other traffic This maximizes SIP traffic throughput for improved VoIP call soun...

Page 42: ...to another VPN tunnel VPN concentrator Ethernet VLAN Encap ALG DNAT Routing zFW IPSec D ALG AC DNAT Routing FW IDP AP CF AV AS SNAT BWM Encap VLAN Ethernet 2 2 4 Interface to Interface To VPN Tunnel This example shows the flow to a VPN tunnel from a source other than the ZyWALL or another VPN tunnel VPN concentrator Ethernet VLAN Encap ALG DNAT Routing FW IDP AP CF AV AS SNAT IPSec E Routing BWM E...

Page 43: ...rovide secure access to your network You can also set up additional connections to the Internet to provide better service Figure 9 Applications VPN Connectivity 2 3 2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote users There are two SSL VPN network access modes reverse proxy and full tunnel 2 3 2 1 Reverse Proxy Mode In reverse proxy mode the ZyWAL...

Page 44: ...ient software on the remote user computers for access Figure 10 Network Access Mode Reverse Proxy 2 3 2 2 Full Tunnel Mode In full tunnel mode a virtual connection is created for remote users with private IP addresses in the same subnet as the local network This allows them to access network resources in the same way as if they were part of the internal network Figure 11 Network Access Mode Full T...

Page 45: ...rmation and shared resources based on the user who is trying to access it Figure 12 Applications User Aware Access Control 2 3 4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port or set up multiple connections on different ports In either case you can balance the loads between them Figure 13 Applications Multiple WAN Interfaces ...

Page 46: ...ures and Applications ZyWALL USG 2000 User s Guide 46 2 3 5 Device HA Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network Figure 14 Applications Device HA ...

Page 47: ...u must Use Internet Explorer 6 0 or later Netscape Navigator 7 2 or later or Firefox 1 0 7 or later Allow pop up windows blocked by default in Windows XP Service Pack 2 Enable JavaScripts enabled by default Enable Java permissions enabled by default Enable cookies The recommended screen resolution is 1024 x 768 pixels 3 2 Web Configurator Access 1 Make sure your ZyWALL hardware is properly connect...

Page 48: ... password default 1234 If your account is configured to use an ASAS authentication server use the OTP One Time Password token to generate a number Enter it in the One Time Password field The number is only good for one login You must use the token to generate a new number the next time you log in 4 Click Login If you logged in using the default user name and password the Update Admin Info screen F...

Page 49: ...the default user account this screen does not appear anymore Follow the directions in this screen If you change the default password the Login screen Figure 15 on page 48 appears after you click Apply If you click Ignore the main screen appears Figure 17 Main Screen 3 3 Web Configurator Main Screen As illustrated in Figure 17 on page 49 the main screen is divided into these parts A C D B ...

Page 50: ...e in which you can use the command line interface CLI Site Map Click this icon to display the site map for the Web Configurator You can use the site map to go directly to any menu item or any tab in the Web Configurator About Click this icon to display basic information about the ZyWALL Logout Click this icon to log out of the Web Configurator Table 6 Navigation Panel Summary LINK TAB FUNCTION Sta...

Page 51: ... load balancing and link HA Routing Policy Route Use this screen to create and manage routing policies Static Route Use this screen to create and manage IP static routing information RIP Use this screen to configure device level RIP settings OSPF Use this screen to configure device level OSPF settings including areas and virtual links Zone Use this screen to configure zones used to define various ...

Page 52: ...sessions AppPatrol General Use this screen to enable or disable traffic management by application and see registration and signature information Common Use this screen to manage traffic of the most commonly used web file transfer and e mail protocols Instant Messenger Use this screen to manage instant messenger traffic Peer to Peer Use this screen to manage peer to peer traffic VoIP Use this scree...

Page 53: ... to see how many mail sessions the ZyWALL is currently checking and DNSBL statistics Device HA General Use this to configure device HA global settings and see the status of each interface monitored by device HA Active Passive Mode Use these screens to configure the new active passive mode device HA Legacy Mode Use these screens to use legacy mode device HA with other ZyWALLs that already have devi...

Page 54: ... to create SSL web application or file sharing objects System Host Name Use this screen to configure the system and domain name for the ZyWALL Date Time Use this screen to configure the current date time and time zone in the ZyWALL Console Speed Use this screen to set the console speed DNS Use this screen to configure the DNS server and address records for the ZyWALL WWW Service Control Use this s...

Page 55: ...ge and run shell script files for the ZyWALL Log View Log Use this screen to look at log entries Log Setting Use this screen to configure the system log e mail logs and remote syslog servers Report Traffic Statistics Use this screen to collect traffic information and display basic reports about it Session Monitor Use this screen to display the status of all current sessions Anti Virus Use this scr...

Page 56: ...ew the ZyWALL s current warning messages These warning messages display in a popup window such as the following Figure 19 Warning Messages Click Refresh Now to update the screen Close the popup window when you are done with it Click Clear Warning Messages to remove the current warning messages from the window ...

Page 57: ...lick Change Display Style to show or hide the index numbers for the commands the commands are more convenient to copy and paste without the index numbers Click Refresh Now to update the screen For example if you just enabled a particular feature you can look at the commands the Web Configurator generated to enable it Close the popup window when you are done with it See the Command Reference Guide ...

Page 58: ...Chapter 3 Web Configurator ZyWALL USG 2000 User s Guide 58 ...

Page 59: ...n the Web Configurator See the feature specific chapters in this User s Guide for background information Note Use the installation wizards only for initial configuration starting from the default configuration Changes you make in an installation or VPN wizard may not be applied if you have already changed the ZyWALL s configuration In the Web Configurator click the Wizard icon to open the Wizard S...

Page 60: ...rk You can use the second WAN connection for load balancing to increase overall network throughput or as a backup to enhance network reliability This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP This wizard also configures a WAN trunk See Chapter 11 on page 225 for more on load balancing and trunks VPN SETUP Use VPN SETUP to configure a VPN connection See Sec...

Page 61: ...rs Encapsulation Choose the Ethernet option when the WAN port is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection according to the information from your ISP WAN IP Address Assignments WAN Interface This is the interface you are configuring for Internet access Zone Select the security zone to which you want this interface and Internet connection to belong IP Addres...

Page 62: ... Address Enter the IP address that your ISP gave you This should be a static public IP address IP Subnet Mask Enter the subnet mask for the IP address Gateway IP Address Enter the IP address of the router through which this WAN connection will send traffic the default gateway First DNS Server Second DNS Server DNS Domain Name System is for mapping a domain name to its corresponding IP address and ...

Page 63: ...tion This displays the type of Internet connection you are configuring Service Name Type the PPPoE service name given to you by your ISP PPPoE uses a service name to identify and reach the PPPoE server You can use alphanumeric and _ characters and it can be up to 64 characters long Authentication Type Use the drop down list box to select an authentication protocol for outgoing calls Options are CH...

Page 64: ... connect with your ISP Zone This field displays to which security zone this interface and Internet connection will belong IP Address Enter your WAN IP address in this field First DNS Server Second DNS Server These fields displayd if you selected static IP address assignment DNS Domain Name System is for mapping a domain name to its corresponding IP address and vice versa The DNS server is extremel...

Page 65: ...f Internet connection you are configuring Authentication Type Use the drop down list box to select an authentication protocol for outgoing calls Options are CHAP PAP Your ZyWALL accepts either CHAP or PAP when requested by this remote node CHAP Your ZyWALL accepts CHAP only PAP Your ZyWALL accepts PAP only MSCHAP Your ZyWALL accepts MSCHAP only MSCHAP V2 Your ZyWALL accepts MSCHAP V2 only User Nam...

Page 66: ... WAN IP Address Assignments These fields are read only if you selected Auto as the IP Address Assignment in the previous screen WAN Interface This displays the identity of the interface you configure to connect with your ISP Zone This field displays to which security zone this interface and Internet connection will belong IP Address Enter your WAN IP address in this field First DNS Server Second D...

Page 67: ...y click Close to exit the wizard 4 3 Device Registration Use this screen to register your ZyWALL with myZXEL com and activate trial periods of subscription security features if you have not already done so Note You must be connected to the Internet to register This screen displays a read only user name and password if the ZyWALL is already registered It also shows which trial services are activate...

Page 68: ...t allowed Check Click this button to check with the myZyXEL com database to verify the user name you entered has not been used Password Enter a password of between six and 20 alphanumeric characters and the underscore Spaces are not allowed Confirm Password Enter the password again for confirmation E Mail Address Enter your e mail address You can use up to 80 alphanumeric characters periods and th...

Page 69: ...ard allows you to configure two interfaces for Internet access through either two different Internet Service Providers ISPs or two different accounts with the same ISP The configuration of the following screens is explained in Section 4 2 on page 60 section Configure the First WAN Interface and click Next Figure 28 Internet Access Step 1 First WAN Interface ...

Page 70: ... WAN Interface Click Next to continue Figure 29 Internet Access Step 3 Second WAN Interface After you configure the Second WAN Interface a summary of configuration settings display for both WAN interfaces Figure 30 Internet Access Finish Note You can register your ZyWALL with myZyXEL com and activate trials of services like IDP ...

Page 71: ...he wizard 4 4 1 Internet Access Wizard Setup Complete Well done You have successfully set up your ZyWALL to access the Internet 4 5 VPN Setup The VPN wizard creates corresponding VPN connection and VPN gateway settings a policy route and address objects that you can use later in configuring more VPN connections or other features Click VPN SETUP in the Wizard Setup Welcome screen Figure 21 on page ...

Page 72: ... Wizard Step 2 Table 12 VPN Wizard Step 1 Wizard Type LABEL DESCRIPTION Express Use this wizard to create a VPN connection with another ZLD based ZyWALL using a pre shared key and default security settings Advanced Use this wizard to configure detailed VPN security settings such as using certificates The VPN connection can be to another ZLD based ZyWALL or other IPSec device Back Click Back to ret...

Page 73: ...uter has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec router has a dynamic IP address Only the remote IPSec router can initiate the VPN tunnel Remote Access Server Role Choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in use...

Page 74: ...hexadecimal 0 9 A F characters Precede a hexadecimal key with 0x Both ends of the VPN tunnel must use the same pre shared key You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type a static local IP address that corresponds to the remote IPSec router s configured remote IP address the remote IP address of the other Z...

Page 75: ...ess and Subnet Mask on the LAN behind your ZyWALL Remote Policy This is a static IP address and Subnet Mask on the network behind the remote IPSec router If this field displays Any only the remote IPSec router can initiate the VPN connection Configuration for Secure Gateway These commands set the matching VPN connection settings for the remote gateway If the remote gateway is a ZLD based ZyWALL yo...

Page 76: ...u have not already done so use the myZyXEL com link and register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Close to exit the wizard Back Click Back to return to the previous screen Save Click Save to store the VPN settings on your ZyWALL Table 15 VPN Express Wizard Step 4 continued LABEL DESCRIPTION ...

Page 77: ...case sensitive Site to site Choose this if the remote IPSec router has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec router has a dynamic IP address Only the remote IPSec router can initiate the VPN tunnel Remote Access Server Role Choose this to allow incoming connections from IPSec VPN clients The clien...

Page 78: ...or the chosen scenario If this field is configurable enter the WAN IP address or domain name of the remote IPSec router secure gateway in the field below to identify the remote IPSec router by its IP address or a domain name Set this field to 0 0 0 0 if the remote IPSec router has a dynamic WAN IP address My Address interface Select an interface from the drop down list box to use on your ZyWALL Ne...

Page 79: ...s security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing remote resources are temporarily disconnected NAT Traversal Select this check box to enable NAT traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers Note The remote IPSec rout...

Page 80: ...p 4 LABEL DESCRIPTION Phase 2 Setting Active Protocol Select the security protocols used for an SA Both AH and ESP increase ZyWALL processing requirements and communications latency delay Encapsulation Tunnel is compatible with NAT Transport is not Tunnel mode encapsulates the entire IP packet to transmit it securely Tunnel mode is required for gateway services to provide access to internal system...

Page 81: ... setup but is not so secure Select DH1 DH2 or DH5 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1024 bit 1Kb random number DH5 refers to Diffie Hellman Group 5 a 1536 bit random number more secure yet slower Policy Setting Local Policy IP Mask Type a static local IP address that corresponds to the remote IPSec router s configured ...

Page 82: ...PN connection and VPN gateway Secure Gateway This is the WAN IP address or domain name of the remote IPSec router If this field displays Any only the remote IPSec router can initiate the VPN connection Pre Shared Key This is a pre shared key identifying a communicating party during a phase 1 IKE negotiation Local Policy This is a static IP address and Subnet Mask on the LAN behind your ZyWALL Remo...

Page 83: ... gateway If the remote gateway is a ZLD based ZyWALL you can copy and paste this list into its command line interface in order to configure it for the VPN tunnel You can also use a text editor to save these commands as a shell script file with a zysh filename extension Then you can use the file manager to run the script in order to configure the VPN connection See the commands reference guide for ...

Page 84: ...Chapter 4 Wizard Setup ZyWALL USG 2000 User s Guide 84 ...

Page 85: ... as well You might also have to configure criteria for the policy route Section 5 5 on page 99 identifies the objects that store information used by other features Section 5 6 on page 100 introduces some of the tools available for system management 5 1 Object based Configuration The ZyWALL stores information or settings as objects You use these objects to configure many of the ZyWALL s features an...

Page 86: ...e ZyWALL Figure 41 Zones Interfaces and Physical Ethernet Ports Physical Ports Interfaces Zones LAN P1 P2 P3 P4 P5 P6 P7 ge1 ge2 ge3 ge6 WAN ge7 P8 ge4 ge5 DMZ ge8 Table 20 Zones Interfaces and Physical Ethernet Ports Zones WAN LAN DMZ A zone is a group of interfaces and VPN tunnels Use zones to apply security settings such as firewall IDP remote management anti virus and application patrol Interf...

Page 87: ...e tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer 2 data link MAC address level Then you can configure the IP address and subnet mask of the bridge It is also possible to configure zone level security between the memb...

Page 88: ...The WAN zone contains the ge2 and ge3 interfaces physical ports 2 and 3 They use public IP addresses to connect to the Internet PORT INTERFACE ZONE IP ADDRESS AND DHCP SETTINGS SUGGESTED USE WITH DEFAULT SETTINGS P1 ge1 LAN 192 168 1 1 DHCP server enabled Protected LAN P2 P3 ge2 ge3 WAN DHCP clients Connections to the Internet P4 P6 ge4 ge5 ge6 DMZ 192 168 2 1 192 168 3 1 192 168 4 1 DHCP server d...

Page 89: ...S FEATURE TERM ZYWALL FEATURE TERM Port forwarding Virtual server IP alias Virtual interface Gateway policy VPN gateway Network policy IPSec SA VPN connection Hub and spoke VPN VPN concentrator Table 23 ZyWALL Terminology That Might Be Different Than Other Products FEATURE TERM ZYWALL FEATURE TERM Destination NAT DNAT Virtual server Source NAT SNAT Policy route Table 24 NAT Differences Between the...

Page 90: ...ssign it to a zone MENU ITEM S This shows you the sequence of menu items and tabs you should click to find the main screen s for this feature See the web help or the related User s Guide chapter for information about each screen PREREQUISITES These are other features you should configure before you configure the main screen s for this feature If you did not configure one of the prerequisites first...

Page 91: ...ub and spoke VPN Example See Chapter 6 on page 103 5 4 5 SSL VPN Use SSL VPN to provide secure network access to remote users MENU ITEM S Network Interface except Network Interface Trunk PREREQUISITES Port groups configured in the Interface Port Grouping screen WHERE USED Zones trunks IPSec VPN device HA DDNS policy routes static routes HTTP redirect virtual server application patrol MENU ITEM S N...

Page 92: ...e a zone the ZyWALL does not create any firewall rules assign an IDP profile or configure remote management for the new zone Example For example to create the DMZ 2 zone and add ge7 click Network Zone and then the Add icon PREREQUISITES Interfaces SSL application users user groups addresses network list IP pool for assigning to clients DNS and WINS server addresses to ZyWALL firewall firewall WHER...

Page 93: ...ngs in other screens first Example You have an FTP server connected to ge4 in the DMZ zone You want to limit the amount of FTP traffic that goes out from the FTP server through your WAN connection 1 Create an address object for the FTP server Object Address 2 Click Network Routing Policy Route to go to the policy route configuration screen Add a policy route MENU ITEM S Device HA PREREQUISITES Int...

Page 94: ... routes in the order that they are listed So make sure that your custom policy route comes before any other routes that would also match the FTP traffic 5 4 11 Static Routes Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL 5 4 12 Firewall The firewall controls the travel of traffic between or within zones You can also configure the firewall to control traffi...

Page 95: ...ach rule is in the correct place in the sequence 5 4 13 Application Patrol Use application patrol to control which individuals can use which services through the ZyWALL and when they can do so You can also specify allowed amounts of bandwidth and priorities You must subscribe to use application patrol You can subscribe using the Licensing Registration screens or one of the wizards Example Suppose ...

Page 96: ...u must subscribe to use IDP You can subscribe using the Licensing Registration screens or one of the wizards 5 4 16 ADP Use ADP to detect and take action on traffic and protocol anomalies 5 4 17 Content Filter Use content filtering to block or allow access to specific categories of web site content individual web sites and web features such as cookies You can define which user accounts or groups c...

Page 97: ...web filter service 6 Decide what to do for matched web sites Block in this example unrated web sites and what to do when the category based content filtering service is not available 7 Select the Arts Entertainment category you need to click Advanced to display it 8 Click OK 9 Click General to go to the content filter general configuration screen 10 Enable the content filter 11 Add a policy that u...

Page 98: ...ALL will forward the packets received for the original IP address 6 In Mapping Type select Port 7 Enter 21 in both the Original and the Mapped Port fields 5 4 20 HTTP Redirect Configure this feature to have the ZyWALL transparently forward HTTP web traffic to a proxy server This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are rea...

Page 99: ...ete an object because you have to delete references to the object first MENU ITEM S Network ALG Table 26 Objects Overview OBJECT WHERE USED user group See the User Group section for details on users and user groups address VPN connections local remote network NAT policy routes criteria next hop HOST NAT firewall application patrol source destination content filter virtual server HOST user settings...

Page 100: ... WWW SSH TELNET FTP SNMP Dial in Mgmt Vantage CNM Use these screens to set which services or protocols can be used to access the ZyWALL through which zone and from which addresses address objects the certificates VPN gateways WWW SSH FTP SSL Application SSL VPN Table 26 Objects Overview OBJECT WHERE USED Table 27 User Types TYPE ABILITIES Admin Change ZyWALL configuration web CLI Limited Admin Loo...

Page 101: ...iles to back up and restore the complete configuration of the ZyWALL You can store multiple configuration files in the ZyWALL and switch between them without restarting Shell scripts Use shell scripts to run a series of CLI commands These are useful for large repetitive configuration changes for example creating a lot of VPN tunnels and for troubleshooting You can edit configuration files and shel...

Page 102: ... ZyWALL provides a system log offers two e mail profiles to which to send log messages and sends information to four syslog servers It also provides statistical reports to track user activity web site hits virus traffic and intrusions and can e mail them to you on a daily basis 5 6 6 Diagnostics The ZyWALL can generate a file containing the ZyWALL s configuration and diagnostic information MENU IT...

Page 103: ...ping and Zones This tutorial shows how to configure Ethernet interfaces port grouping and zones for the following example configuration see Section 5 2 2 on page 88 for the default configuration Interface ge2 uses a static IP address of 1 2 3 4 and is in the WAN zone DMZ servers are connected to ports P4 and P5 and need full wire speed communication with each other so ports P4 and P5 are combined ...

Page 104: ... Interface Port Grouping and Zone Configuration Example 6 1 1 Configure a WAN Ethernet Interface You need to assign the ZyWALL s ge2 interface a static IP address of 1 2 3 4 Click Network Interface Ethernet and the ge2 interface s Edit icon Configure the IP address subnet mask and default gateway settings as follows and click OK Figure 44 Network Interface Ethernet Edit ge2 ...

Page 105: ...ct IPSEC Default_L2TP_VPN_Connection and move it to the Member box and click OK Figure 45 Network Zone WAN Edit 6 1 3 Configure Port Grouping Here is how to combine physical ports P4 and P5 into the ge4 interface port group 1 Click Network Interface Port Grouping 2 Drag physical port 5 onto representative interface ge4 and click Apply Figure 46 Network Interface Port Grouping Example ...

Page 106: ...ing 6 2 How to Configure a Cellular Interface Use 3G cards for cellular WAN Internet connections Table 261 on page 805 lists the compatible 3G devices In this example you install or connect the 3G card before you configure the cellular interfaces but is also possible to reverse the sequence 1 Make sure the 3G device s SIM card is installed 2 Install the 3G device in the ZyWALL s PCIMCIA slot or co...

Page 107: ...ion Leaving Zone blank has the ZyWALL not apply any security settings to the 3G connection Enter the PIN Code provided by the cellular 3G service provider 0000 in this example In Related Setting click WAN Trunk to go to a screen where you can add this interface to the WAN Trunk to allow WAN load balancing A pop up asks if you want to apply your configuration click OK Figure 49 Network Interface Ce...

Page 108: ...on Figure 50 Trunk 6 In the Trunk Edit screen click a Member icon Figure 51 Trunk Edit 7 In the Member List screen select the cellular interface and use the right arrow button to move it to the list on the right Click OK in the Member List screen and again in the Trunk Edit screen Figure 52 Member List ...

Page 109: ...interface is properly configured and your cellular device is working To fine tune the load balancing configuration see Chapter 11 on page 225 See also Section 6 3 on page 109 for an example 6 3 How to Configure Load Balancing This example shows how to configure a trunk for two WAN connections to the Internet The available bandwidth for the connections is 1Mbps ge2 and 512 Kbps ge3 respectively As ...

Page 110: ...ick OK Figure 55 Network Interface Ethernet Edit ge2 2 Repeat the process to set the egress bandwidth for ge3 to 512 Kbps 6 3 2 Configure the WAN Trunk 1 Click Network Interface Trunk Click the WAN_TRUNK Edit icon 2 In the Load Balancing Algorithm field select Spillover After the screen refreshes click the Add icon at the top of the right hand column 3 In the Load Balancing Algorithm field select ...

Page 111: ...Create the VPN tunnel between ZyWALL X s LAN subnet 192 168 1 0 24 and the LAN subnet behind peer IPSec router Y 172 16 1 0 24 6 4 1 Set Up the VPN Gateway The VPN gateway manages the IKE SA You do not have to set up any other objects before you configure the VPN gateway because this VPN tunnel does not use any certificates or extended authentication 1 Click VPN IPSec VPN VPN Gateway and then clic...

Page 112: ...c VPN VPN Gateway Add 6 4 2 Set Up the VPN Connection The VPN connection manages the IPSec SA You have to set up the address objects for the local network and remote network before you can set up the VPN connection 1 Click Object Address Click the Add icon 2 Give the new address object a name VPN_REMOTE_SUBNET change the Address Type to SUBNET Set up the Network field to 172 16 1 0 and the Netmask...

Page 113: ...e to site and the VPN gateway VPN_GW_EXAMPLE Under Policy select LAN_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote Click OK Figure 60 VPN IPSec VPN VPN Connection Add 6 4 3 Set Up the Policy Route for the VPN Tunnel Do the following to create a policy route to have the ZyWALL send traffic through the VPN tunnel ...

Page 114: ... as shown next This policy route applies to traffic from the LAN subnet Use the VPN connection s local and remote objects as the source address and destination address objects here The next hop is the VPN connection that you created Click OK Figure 62 Network Routing Policy Route Add 3 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel To trigger the VPN eithe...

Page 115: ...example that does not include priorities for different types of traffic See Bandwidth Management on page 445 for more on bandwidth management The users are authenticated by an external RADIUS server at 192 168 1 200 First set up the user accounts and user groups in the ZyWALL Then set up user authentication using the RADIUS server Finally set up the policies in the table above The ZyWALL has its d...

Page 116: ...user groups 1 Click Object User Group Group Click the Add icon 2 Enter the name of the group that is used in Table 28 on page 115 In this example it is Finance Then select User Leo and click the right arrow to move him to the Member list This example only has one member in this group so click OK Of course you could add more members later Figure 64 Object User Group Group Add 3 Repeat this process ...

Page 117: ...on Select group radius because the ZyWALL should use the specified RADIUS server for authentication Click OK Figure 66 Object Auth method Add 4 Click System WWW In the Authentication section select the new authentication method in the Client Authentication Method field Click Apply Figure 67 System WWW Authentication 5 Click Object User Group Setting In the Force User Authentication Policy section ...

Page 118: ...reen appears They have to log in using the user name and password in the RADIUS server 6 5 4 Set Up Web Surfing Policies With Bandwidth Restrictions Use application patrol AppPatrol to enforce the web surfing and MSN policies You must have already subscribed for the application patrol service You can subscribe using the Licensing Registration screens or using one of the wizards 1 Click AppPatrol I...

Page 119: ...icon next to the default http service Figure 70 AppPatrol Common 3 Click the Default policy s Edit icon Figure 71 AppPatrol Common http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web Click OK Figure 72 AppPatrol Common http Edit Default ...

Page 120: ...ons for all the other user groups that are allowed to browse the web Figure 73 AppPatrol Common http Edit Default 6 5 5 Set Up MSN Policies Set up a recurring schedule object first because Sales can only use MSN during specified times on specified days 1 Click Object Schedule Click the Add icon for recurring schedules 2 Give the schedule a descriptive name Set up the days Monday through Friday and...

Page 121: ...ntrol access from LAN to the DMZ 1 Click Firewall In From Zone select LAN in To Zone select DMZ and click Refresh The default rule for LAN to DMZ traffic allows all traffic You want to limit access to specific groups so change the default rule first Click the Add icon next to it Figure 75 Firewall LAN to DMZ 2 Set the Access field to deny and click OK Figure 76 Firewall LAN to DMZ Add 3 Click the ...

Page 122: ...ules that control HTTP and HTTPS user access logging into SSL VPN for example See Chapter 46 on page 701 for more on service control The To ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL They do not distinguish between administrator management access and user access If you configure service control to allow management or user HTTP or HTTPS access make sure the fi...

Page 123: ... 6 Tutorials ZyWALL USG 2000 User s Guide 123 2 In HTTPS Admin Service Control click the Add icon Figure 78 System WWW 3 In the Zone field select LAN and click OK Figure 79 System WWW Service Control Rule Edit ...

Page 124: ...2000 User s Guide 124 4 Click the new rule s Add icon Figure 80 System WWW First Example Admin Service Rule Configured 5 In the Zone field select ALL and set the Action to Deny Click OK Figure 81 System WWW Service Control Rule Edit ...

Page 125: ... zone Non admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL s zones to use SSL VPN for example 6 7 How to Allow Incoming H 323 Peer to peer Calls Suppose you have a H 323 device on the LAN for VoIP calls and you want it to be able to receive peer to peer calls from the WAN Here is an example of how to configure virtual server port forwarding and firewall rules to have t...

Page 126: ...WAN to LAN H 323 Peer to peer Calls Example 6 7 1 Turn On the ALG Click Network ALG Select Enable H 323 transformations and click Apply Figure 84 Network ALG 6 7 2 Set Up a Virtual Server Policy For H 323 In this example you need a virtual server policy to forward H 323 TCP port 1720 traffic received on the ZyWALL s 10 0 0 8 WAN IP address to LAN IP address 192 168 1 56 10 0 0 8 192 168 1 56 ...

Page 127: ...reate Address Objects 2 Click Network Virtual Server Add 3 Configure the screen as follows and click OK Figure 86 Network Virtual Server Add 6 7 3 Set Up a Firewall Rule For H 323 Here is how to configure a firewall rule to allow H 323 TCP port 1720 traffic received on the WAN_IP for H323 IP address to go to LAN IP address 192 168 1 56 1 Click Firewall In From Zone select WAN in To Zone select LAN...

Page 128: ...fic before applying the firewall rule Figure 88 Firewall Add 6 8 How to Use Active Passive Device HA Here is an example of using device HA High Availability to backup ZyWALL A the master with ZyWALL B ZyWALL B automatically takes over all of A s functions if A fails or loses its ge1 or ge2 connection An Ethernet switch connects both ZyWALLs ge1 interfaces to the LAN Whichever ZyWALL is functioning...

Page 129: ...p ZyWALL A s management IP address is 192 168 1 3 and ZyWALL B s is 192 168 1 5 Figure 90 Device HA Management IP Addresses 6 8 1 Before You Start ZyWALL A should already be configured You will use device HA to copy ZyWALL A s settings to B later in Section 6 8 3 on page 131 To avoid an IP address conflict do not connect ZyWALL B to the LAN subnet until after you configure its device HA settings a...

Page 130: ... and 255 255 255 0 as the Subnet Mask Click OK Figure 91 Device HA Active Passive Mode Edit Master ZyWALL Example 3 Set the Device Role to Master This example focuses on the connection from the LAN ge1 to the Internet through the ge2 interface so turn on monitoring for the ge1 and ge2 interfaces Enter a Synchronization Password mySyncPassword in this example and click Apply Figure 92 Device HA Act...

Page 131: ...eb Configurator Connect ZyWALL B to the Internet and subscribe it to the same subscription services like content filtering and anti virus to which ZyWALL A is subscribed See Chapter 8 on page 153 for more on the subscription services 2 In ZyWALL B click Device HA Active Passive Mode Click ge1 s Edit icon 3 Configure 192 168 1 5 as the Management IP and 255 255 255 0 as the Subnet Mask Click OK Fig...

Page 132: ...and set the Interval to 60 Click Apply Figure 95 Device HA Active Passive Mode Backup ZyWALL Example 5 Click the General tab Turn on device HA and click Apply Figure 96 Device HA General Master ZyWALL Example 6 8 4 Deploy the Backup ZyWALL Connect ZyWALL B s ge1 interface to the LAN network Connect ZyWALL B s ge2 interface to the same router that ZyWALL A s ge2 interface uses for Internet access Z...

Page 133: ... they cannot check your connections and device HA configuration Congratulations Now that you have configured device HA for LAN you can use the same process for any of the ZyWALL s other local networks For example enable device HA monitoring on the DMZ interfaces and use an Ethernet switch to connect both ZyWALLs DMZ interfaces to your publicly available servers 6 9 How to Allow Public Access to a ...

Page 134: ...e symbol and create a new virtual server entry as shown next This virtual server is for traffic coming in on ge3 to IP address 1 1 1 2 defined in the ge3_HTTP object The virtual server sends this traffic to the HTTP server s private IP address of 192 168 3 7 defined in the DMZ_HTTP object HTTP traffic and the HTTP server in this example both use TCP port 80 So you set the Port Mapping Type to Port...

Page 135: ...er See NAT Loopback Example on page 282 for details Figure 100 Creating the Virtual Server The firewall allows traffic from the WAN zone to the DMZ zone by default so your configuration is done Now the public can go to IP address 1 1 1 2 to access the HTTP server If a domain name is registered for IP address 1 1 1 2 users can just go to the domain name to access the web server ...

Page 136: ...Chapter 6 Tutorials ZyWALL USG 2000 User s Guide 136 ...

Page 137: ...lished Use the DHCP Table screen see Section 7 2 5 on page 148 to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses Use the Port Statistics screen see Section 7 2 7 on page 150 to look at packet statistics for each physical port To access this screen click Port Statistics in the Status screen Use the Port Statistics Graph screen se...

Page 138: ...yWALL s general device information system status system resource usage licensed service status and interface status Figure 101 Status The following table describes the labels in this screen Table 29 Status LABEL DESCRIPTION Refresh Interval Select how often you want the screen to automatically refresh Refresh Now Click this to update the screen immediately Device Information ...

Page 139: ...ays what percentage of the ZyWALL s processing capability is currently being used Click the icon to display a chart of the ZyWALL s recent CPU usage Memory Usage This field displays what percentage of the ZyWALL s RAM is currently being used Click the icon to display a chart of the ZyWALL s recent memory usage Flash Usage This field displays what percentage of the ZyWALL s onboard flash memory is ...

Page 140: ...ected The auxiliary interface is enabled and connected Disconnected The auxiliary interface is not connected HA Status This field displays the status of the interface in the virtual router Active This interface is the master interface in the virtual router Stand By This interface is a backup interface in the virtual router Fault This VRRP group is not functioning in the virtual router right now Fo...

Page 141: ...an click to see detailed card status information System Status System Uptime This field displays how long the ZyWALL has been running since it last restarted or was turned on Current Date Time This field displays the current date and time in the ZyWALL The format is yyyy mm dd hh mm ss VPN Status Click this to look at the VPN tunnels that are currently established See Section 7 2 1 on page 144 DHC...

Page 142: ...r modules It can continue operating on a single power module if one fails ready The power module is connected and working properly fail Check the power module s connection or replace the module See Section 52 2 on page 802 for how to change a power module Licensed Service Status IDP License Status Remaining days This field displays the current status of the license and how many days longer it is s...

Page 143: ...us Remaining Days This field displays the current status of the license and how many days longer it is still valid If it displays 0 days the license has expired If the status is not Licensed click this to open the screen where you can activate or extend the license See Section 8 2 on page 155 Top 5 Intrusion Virus Detection The following is a list of the five intrusions or viruses that the ZyWALL ...

Page 144: ...gure 102 Status CPU Usage The following table describes the labels in this screen Table 30 Status CPU Usage LABEL DESCRIPTION 100 The y axis represents the percentage of CPU usage time The x axis shows the time period over which the CPU usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the window rig...

Page 145: ...n Figure 103 Status Memory Usage The following table describes the labels in this screen Table 31 Status Memory Usage LABEL DESCRIPTION 100 The y axis represents the percentage of RAM usage time The x axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the ...

Page 146: ...en Figure 104 Status Session Usage The following table describes the labels in this screen Table 32 Status Session Usage LABEL DESCRIPTION Sessions The y axis represents the number of session time The x axis shows the time period over which the session usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information i...

Page 147: ...value and it is not associated with a specific SA Name This field displays the name of the IPSec SA Encapsulation This field displays how the IPSec SA is encapsulated IPSec Algorithm This field displays the encryption and authentication algorithms used in the SA Poll Interval Enter how often you want this window to be updated automatically and click Set Interval Set Interval Click this to set the ...

Page 148: ... sort order Host Name This field displays the name used to identify this device on the network the computer name The ZyWALL learns these from the DHCP client requests None shows here for a static DHCP entry MAC Address This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved Click the column s heading cell to sort the table entries b...

Page 149: ...as last connected RxPkts This field displays the number of packets received by the ZyWALL on the physical port since it was last connected Collisions This field displays the number of collisions on the physical port since it was last connected Tx B s This field displays the transmission speed in bytes per second on the physical port in the one second interval before the screen updated Rx B s This ...

Page 150: ...View LABEL DESCRIPTION Port Select the number of the physical port for which you want to display graphics Switch to Table View Click this to display the port statistics as a table bps The y axis represents the speed of transmission or reception time The x axis shows the time period over which the transmission or reception occurred Tx This line represents traffic transmitted from the ZyWALL on the ...

Page 151: ...d on Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the window right away Table 36 Status Port Statistics Switch to Graphic View continued LABEL DESCRIPTION Table 37 Status Current Users LABEL DESCRIPTION This field is a sequential value and is not associated with any entry User ID This field displays the user n...

Page 152: ...VPN provides 500 Mbps VPN throughput 2 000 IPSec VPN tunnels and 750 SSL VPN users SEM UTM UTM accelerator The SEM UTM provides 400 Mbps anti virus and IDP throughput SEM DUAL accelerator for both VPN and UTM The SEM DUAL provides the benefits of both the ZyWALL UTM and ZyWALL VPN Status This field displays one of the following Active The SEM card is working properly Ready to activate The SEM was ...

Page 153: ...ter myZyXEL com myZyXEL com is ZyXEL s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL To update signature files or use a subscription service you have to register the ZyWALL and activate the corresponding service at myZyXEL com through the ZyWALL Note You need to create a myZyXEL com account before you can register your device an...

Page 154: ...period not a separate trial period for each anti virus engine After the trial expires you need to purchase an iCard for the anti virus engine you want to use and enter the PIN number license key in the Registration Service screen You must use the ZyXEL anti virus iCard for the ZyXEL anti virus engine and the Kaspersky anti virus iCard for the Kaspersky anti virus engine If you were already using a...

Page 155: ...the following fields to create an account and register your ZyWALL existing myZyXEL com account If you already have an account at myZyXEL com select this option and enter your user name and password in the fields below to register your ZyWALL UserName Enter a user name for your myZyXEL com account The name should be from six to 20 alphanumeric characters and the underscore Spaces are not allowed C...

Page 156: ...DP and application patrol features use the IDP AppPatrol signature files on the ZyWALL IDP detects malicious or suspicious packets and responds immediately Application patrol conveniently manages the use of various applications on the network After the service is activated the ZyWALL can download the up to date signature files from the update server http myupdate zywall zyxel com You will get auto...

Page 157: ... the Service screen to update your service subscription status Figure 112 Licensing Registration Registered Device 8 3 The Service Screen Use this screen to display the status of your service registrations and upgrade licenses To activate or extend a standard service subscription purchase an iCard and enter the iCard s PIN number license key in this screen Click Licensing Registration Service to o...

Page 158: ...iption this field also displays the type of anti virus engine Expiration date This field displays the date your service expires You can continue to use IDP AppPatrol or Anti Virus after the registration expires you just won t receive updated signatures Count This field displays how many VPN tunnels you can use with your current license This field does not apply to the other services License Upgrad...

Page 159: ...tails on IDP See Chapter 29 on page 443 for details on application patrol Use the Licensing Update System Protect screen Section 9 4 on page 163 to update the system protection signatures 9 1 2 What you Need to Know About Signature Updates You need a valid service registration to update the anti virus signatures and the IDP AppPatrol signatures You do not need a service registration to update the ...

Page 160: ...executable file scan throughput Current Version This field displays the anti virus signatures version number currently used by the ZyWALL This number is defined by the ZyXEL Security Response Team ZSRT who maintain and update them This number gets larger as new signatures are added so you should refer to this number regularly Go to https mysecurity zyxel com mysecurity to see what the latest versi...

Page 161: ...the Update IDP AppPatrol screen to schedule or immediately download IDP signatures Figure 115 Licensing Update IDP AppPatrol Auto Update Select this check box to have the ZyWALL automatically check for new signatures regularly at the time and day specified You should select a time when your network is not busy for minimal interruption Hourly Select this option to have the ZyWALL check for new sign...

Page 162: ...e fields to have the ZyWALL check for new IDP signatures at myZyXEL com If new signatures are found they are then downloaded to the ZyWALL Update Now Click this button to have the ZyWALL check for new IDP signatures immediately If there are new ones the ZyWALL will then download them Auto Update Select this check box to have the ZyWALL automatically check for new IDP signatures regularly at the ti...

Page 163: ...t it uses to protect itself from intrusions These signatures are continually updated as new attack types evolve These system protection signature updates are free and can be downloaded to the ZyWALL periodically The system protection function is part of the IDP feature The system protection feature is enabled by default and can only be disabled via the commands You do not need an IDP subscription ...

Page 164: ...emote Update Use these fields to have the ZyWALL check for new signatures at myZyXEL com If new signatures are found they are then downloaded to the ZyWALL Update Now Click this button to have the ZyWALL check for new signatures immediately If there are new ones the ZyWALL will then download them Auto Update Select this check box to have the ZyWALL automatically check for new signatures regularly ...

Page 165: ...Chapter 9 Signature Update ZyWALL USG 2000 User s Guide 165 Figure 120 Successful System Protect Signature Download ...

Page 166: ...Chapter 9 Signature Update ZyWALL USG 2000 User s Guide 166 ...

Page 167: ...167 PART II Network Interfaces 169 Trunks 225 Policy and Static Routes 235 Routing Protocols 249 Zones 261 DDNS 265 Virtual Servers 273 HTTP Redirect 289 ALG 293 IP MAC Binding 301 ...

Page 168: ...168 ...

Page 169: ...n physical ports and port groups to Ethernet interfaces Use the Ethernet screens Section 10 4 on page 177 to configure the Ethernet interfaces Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces Use the PPP screens Section 10 6 on page 186 for PPPoE or PPTP Internet connections Use the Cellular screens Secti...

Page 170: ...etween physical ports at the layer 2 data link MAC address level Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces VLAN interfaces receive and send tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create...

Page 171: ...lan2 are called vlan2 1 vlan2 2 and so on You cannot specify the number after the colon in the web configurator it is a sequential number You can specify the number after the colon if you use the CLI to set up a virtual interface Relationships Between Interfaces In the ZyWALL interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the physi...

Page 172: ...background information on interfaces See Section 6 1 on page 103 for an example of configuring Ethernet interfaces and port groups See Section 6 2 on page 106 for an example of configuring a cellular 3G interface See Chapter 11 on page 225 to configure load balancing using trunks VLAN interface Ethernet interface bridge interface Ethernet interface VLAN interface PPP interface Ethernet interface V...

Page 173: ...le Table 45 Network Interface Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it its entry is displayed in light gray text Expand Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces Name This field displays the name of each interface If there is a Expand icon plus sig...

Page 174: ...ted The auxiliary interface is enabled and connected Disconnected The auxiliary interface is not connected For virtual interfaces this field always displays Up If the virtual interface is disabled it does not appear in the list For VLAN and bridge interfaces this field always displays Up If the VLAN or bridge interface is disabled it does not appear in the list For PPP interfaces Connected The PPP...

Page 175: ... of these ways to get or to update its IP address this field displays n a Interface Statistics This table provides packet statistics for each interface Refresh Click this button to update the information in the screen Expand Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces Name This field displays the name of each interface If ther...

Page 176: ...roup Port groups have the following characteristics There is a layer 2 Ethernet switch between physical ports in the port group This provides wire speed throughput but no security It can increase the bandwidth between the port group and other interfaces See Section 6 1 3 on page 105 for an example of port grouping 10 3 2 Port Grouping Screen Define the relationship between physical ports port grou...

Page 177: ...ces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one The more routing information is exchanged the more efficient the routers should be However the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management The ZyWALL supports two routing pro...

Page 178: ...nterfaces Mask This field displays the interface s subnet mask in dot decimal notation Modify This column lets you create edit remove activate and deactivate interfaces You cannot add or remove Ethernet interfaces however To create a virtual Ethernet interface click the Add icon next to the corresponding Ethernet interface The Virtual Interface Add Edit screen appears See Section 10 12 on page 219...

Page 179: ...bject With RIP you can use Ethernet interfaces to do the following things Enable and disable RIP in the underlying physical port or port group Select which direction s routing information is exchanged The ZyWALL can receive routing information send routing information or do both Select which version of RIP to support in each direction The ZyWALL supports RIP 1 RIP 2 and both versions Select the br...

Page 180: ... the DR or BDR if one does not exist Figure 124 Network Interface Ethernet Edit Each field is described in the table below Table 48 Network Interface Ethernet Edit LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface Clear this to disable this interface ...

Page 181: ...age 595 Use Fixed IP Address Select this if you want to specify the IP address subnet mask and gateway manually IP Address This field is enabled if you select Use Fixed IP Address Enter the IP address for this interface Subnet Mask This field is enabled if you select Use Fixed IP Address Enter the subnet mask of this interface in dot decimal notation The subnet mask indicates what part of the IP a...

Page 182: ...till available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures before the ZyWALL stops...

Page 183: ...pt for the first address network address last address broadcast address and the interface s IP address First DNS Server Second DNS Server Third DNS Server Specify the IP addresses up to three DNS servers for the DHCP clients to use Use one of the following ways to specify these IP addresses Custom Defined enter a static IP address From ISP select the DNS server that another interface received from...

Page 184: ...the drop down list box BiDir This interface sends and receives routing information In Only This interface receives routing information Out Only This interface sends routing information Send Version This field is effective when RIP is enabled Select the RIP version s used for sending RIP packets Choices are 1 2 and 1 and 2 Receive Version This field is effective when RIP is enabled Select the RIP v...

Page 185: ...p to eight characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The password can consist of alphanumeric characters and the underscore and it can be up to 16 characters long MAC ...

Page 186: ...bnet mask and gateway used to make routing decisions they Table 49 Static DHCP LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific entry IP Address Enter the IP address to assign to a device with this entry s MAC address MAC Address Enter the MAC address to which to assign this entry s IP address Description Enter a description to help identify this static D...

Page 187: ...he subnet mask is always 255 255 255 255 In addition the ZyWALL always treats the ISP as a gateway At the time of writing it is possible to set up the IP address of the gateway ISP using CLI commands but not in the web configurator 10 6 1 PPP Interface Summary Note You must set up an ISP account before you create a PPPoE PPTP interface This screen lists every PPPoE PPTP interface To access this sc...

Page 188: ...P Interface Edit screen appears To remove an interface click the Remove icon next to it The ZyWALL confirms you want to remove it before doing so To activate or deactivate an interface click the Active icon next to it Make sure you click Apply to save and apply the change To connect or disconnect an interface click the Connect icon next to it You might use this icon to test the interface or to man...

Page 189: ...creen click the Add icon or an Edit icon in the PPP Interface screen Figure 128 Network Interface PPP Edit Each field is explained in the following table Table 51 Network Interface PPP Edit Configuration LABEL DESCRIPTION General Settings Enable Interface Select this to enable this interface Clear this to disable this interface ...

Page 190: ...P interface uses The drop down box lists ISP accounts by name Select Create Object to create a new ISP account see Chapter 44 on page 687 for details Protocol This field is read only It displays the protocol specified in the ISP account User Name This field is read only It displays the user name for the ISP account Service Name This field is read only It displays the PPPoE service name specified i...

Page 191: ...method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a respo...

Page 192: ...sage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data It allows fast transfer of voice and non voice data and provides broadband Internet access to mobile devices Note The actual data rate you obtain varies depending on the 3G card you use the signal strength to the service provider s base station and so on ...

Page 193: ...standards that use CDMA a multiple access scheme for digital radio CDMA2000 1xRTT 1 times Radio Transmission Technology is the core CDMA2000 wireless air interface standard It is also known as 1x 1xRTT or IS 2000 and considered to be a 2 5G or 2 75G technology 2 75G Packet switched Enhanced Data rates for GSM Evolution EDGE Enhanced GPRS EGPRS etc 3G Packet switched UMTS Universal Mobile Telecommu...

Page 194: ... interface is set to use Add icon This column lets you create edit remove activate and deactivate cellular interfaces To create an interface click the Add icon at the top of the column In the pop up window that displays select the slot that you want to configure To activate or deactivate an interface click the Active icon next to it Make sure you click Apply to save and apply the change To edit an...

Page 195: ...e 195 10 7 1 Cellular Add Edit Screen To change your 3G settings click Network Interface Cellular Add or Edit In the pop up window that displays select the slot that you want to configure The following screen displays Figure 130 Interface Cellular Add ...

Page 196: ...ction if there is little traffic through the interface or if it costs money to keep the connection available Idle timeout This value specifies the time in seconds 0 360 that elapses before the ZyWALL automatically disconnects from the ISP s server Zero disables the idle timeout ISP Settings Profile Selection Select Device to use one of the 3G device s profiles of device settings Then select the pr...

Page 197: ...umeric and _ characters Spaces are not allowed Retype to Confirm This field displays when you select an authentication type other than None This field is read only if you selected Device in the profile selection and the password is included in the 3G card s profile If this field is configurable re enter the password for this SIM card exactly as the service provider gave it to you SIM Card Setting ...

Page 198: ...ts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures before the ZyWALL stops routing through the gateway Check Default Gateway Select this to use the default gateway for the connectivity check Check this address Select this to specify a domain name or IP address for the connectivity check E...

Page 199: ...If you are unsure what to select check with your 3G service provider to find the 3G service available to you in your region Select auto to have the card connect to an available network Choose this option if you do not know what networks are available You may want to manually specify the type of network to use if you are charged differently for different types of network or you only have one type o...

Page 200: ...ered an incorrect PUK Unlock PIN fail Your attempt to unlock a WCDMA 3G device s PIN failed because you entered an incorrect PIN Unlock device fail Your attempt to unlock a CDMA2000 3G device failed because you entered an incorrect device code Device unlocked You entered the correct device code and unlocked a CDMA2000 3G device Get dev info fail The ZyWALL cannot get cellular device information Ge...

Page 201: ...r Limited Service when the signal strength is too low Cellular System This field displays what type of cellular network the 3G connection is using The network type varies depending on the 3G card you inserted and could be UMTS UMTS HSDPA GPRS or EDGE when you insert a GSM 3G card or 1xRTT EVDO Rev 0 or EVDO Rev A when you insert a CDMA 3G card Signal Quality This displays the strength of the signa...

Page 202: ...een VLANs or between a VLAN and another type of network is layer 3 communication network layer IP addresses It is handled by the router This approach provides a few advantages Increased performance In VLAN 2 the extra switch should route traffic inside the sales department faster than the router does In addition broadcasts are limited to smaller more logical groups of users Higher security If each...

Page 203: ...de DHCP services and they can verify the gateway is available 10 9 1 VLAN Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces To access this screen click Network Interface VLAN Figure 134 Network Interface VLAN Each field is explained in the following table Table 56 Network Interface VLAN LABEL DESCRIPTION This field is a sequential value a...

Page 204: ...Add Edit screen appears To create a virtual VLAN interface click the Add icon next to the corresponding VLAN interface The Virtual Interface Add Edit screen appears See Section 10 12 on page 219 To edit an interface click the Edit icon next to it The VLAN Add Edit screen or Virtual Interface Add Edit screen appears accordingly To remove an interface click the Remove icon next to it The ZyWALL conf...

Page 205: ...VLAN Summary screen The following screen appears Figure 135 Network Interface VLAN Edit Each field is explained in the following table Table 57 Network Interface VLAN Edit LABEL DESCRIPTION General Settings Enable Interface Select this to turn this interface on Clear this to disable this interface ...

Page 206: ...IP Address Select this if you want to specify the IP address subnet mask and gateway manually IP Address This field is enabled if you select Use Fixed IP Address Enter the IP address for this interface Subnet Mask This field is enabled if you select Use Fixed IP Address Enter the subnet mask of this interface in dot decimal notation The subnet mask indicates what part of the IP address is the same...

Page 207: ...p to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures before the ZyWALL stops routing through the gat...

Page 208: ... address last address broadcast address and the interface s IP address First DNS Server Second DNS Server Third DNS Server Specify the IP addresses up to three DNS servers for the DHCP clients to use Use one of the following ways to specify these IP addresses Custom Defined enter a static IP address From ISP select the DNS server that another interface received from its DHCP server ZyWALL the DHCP...

Page 209: ... bridge broadcasts the packet on every port except the one on which it was received Enable Logs for IP MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this VLAN attempts to use an IP address that is bound to another device s MAC address Edit static DHCP table Click this to configure static IP addresses for the ZyWALL to assign to computers connec...

Page 210: ...ectivity check To use the whole ZyWALL as a transparent bridge add all of the ZyWALL s interfaces to a bridge interface A bridge interface may consist of the following members Zero or one VLAN interfaces and any associated virtual VLAN interfaces Any number of Ethernet interfaces and any associated virtual Ethernet interfaces When you create a bridge interface the ZyWALL removes the members entrie...

Page 211: ... br0 241 241 241 241 32 ge4 242 242 242 242 32 ge5 Table 60 Example Routing Table Before and After Bridge Interface br0 Is Created IP ADDRESS ES DESTINATION IP ADDRESS ES DESTINATION Table 61 Network Interface Bridge LABEL DESCRIPTION This field is a sequential value and it is not associated with any interface Name This field displays the name of the interface IP Address This field displays the cu...

Page 212: ...t the top of the column The Bridge Add Edit screen appears To create a virtual interface click the Add icon next to the corresponding bridge interface The Virtual Interface Add Edit screen appears See Section 10 12 on page 219 To edit an interface click the Edit icon next to it The Bridge Add Edit screen or Virtual Interface Add Edit screen appears accordingly To remove an interface click the Remo...

Page 213: ...row to add it to the bridge interface Each bridge interface can only have one VLAN interface Member This field displays the interfaces that are part of the bridge interface Select one and click the arrow to remove it from the bridge interface IP Address Assignment Get Automatically Select this if this interface is a DHCP client In this case the DHCP server configures the IP address subnet mask and...

Page 214: ... of traffic in kilobits per second the ZyWALL can receive from the network through the interface Allowed values are 0 1048576 MTU Maximum Transmission Unit Type the maximum size of each data packet in bytes that can move through this interface If a larger packet arrives the ZyWALL divides it into smaller fragments Allowed values are 576 1500 Usually this value is 1500 DHCP Settings DHCP Select wha...

Page 215: ...P address From ISP select the DNS server that another interface received from its DHCP server ZyWALL the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay First WINS Server Second WINS Server Type the IP address of the WINS Windows Internet Naming Service server that you want to send to the DHCP clients The WINS server keeps a mapping table of the computer names...

Page 216: ...Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available Select tcp to have the ZyWALL regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection ch...

Page 217: ...drops the Data Terminal Ready DTR signal and issues the command ATH 10 11 2 Auxiliary Use the Auxiliary screen to configure the ZyWALL s auxiliary interface Click Network Interface Auxiliary to open it Figure 138 Network Interface Auxiliary Each field is described in the table below Table 63 Network Interface Auxiliary LABEL DESCRIPTION General Settings Enable Interface Select this to turn on the ...

Page 218: ...nal call User Name Enter the user name required for authentication Password Enter the password required for authentication Retype to confirm Enter the password again to make sure you have not typed it incorrectly Authentication Type Select the authentication protocol to use for outgoing calls Choices are CHAP PAP Your ZyWALL accepts either CHAP Challenge Handshake Authentication Protocol or PAP Pa...

Page 219: ...ther interfaces virtual interfaces have an IP address subnet mask and gateway used to make routing decisions However you have to manually specify the IP address and subnet mask virtual interfaces cannot be DHCP clients Like other interfaces you can restrict bandwidth through virtual interfaces but you cannot change the MTU The virtual interface uses the same MTU that the underlying interface uses ...

Page 220: ...ss is the same for all computers in the network Gateway Enter the IP address of the gateway The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination The gateway should be on the same network as the interface Metric Enter the priority of the gateway if any on this interface The ZyWALL decides which gateway to use based on this priority The lower the n...

Page 221: ...ddress In many interfaces you can also let the IP address and subnet mask be assigned by an external DHCP server on the network In this case the interface is a DHCP client Virtual interfaces however cannot be DHCP clients You have to assign the IP address and subnet mask manually In general the IP address and subnet mask of each interface should not overlap though it is possible for this to happen...

Page 222: ...ts the amount of traffic the ZyWALL allows in through the interface from the network 1 If you set the bandwidth restrictions very high you effectively remove the restrictions The ZyWALL also restricts the size of each data packet The maximum number of bytes in each packet is called the maximum transmission unit MTU If a packet is larger than the MTU the ZyWALL divides it into smaller fragments Eac...

Page 223: ...CP table the interface assigns the corresponding IP address If not the interface assigns IP addresses from a pool defined by the starting address of the pool and the pool size The ZyWALL cannot assign the first address network address or the last address broadcast address in the subnet defined by the interface s IP address and subnet mask For example in the first entry if the subnet mask is 255 25...

Page 224: ...f broadcasting a request for a computer name s IP address In this way WINS is similar to DNS although WINS does not use a hierarchy unlike DNS A network can have more than one WINS server Samba can also serve as a WINS server PPPoE PPTP Overview Point to Point Protocol over Ethernet PPPoE RFC 2516 and Point to Point Tunneling Protocol PPTP RFC 2637 are usually used to connect two computers over ph...

Page 225: ...You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B Or maybe one of the ZyWALL s interfaces is connected to an ISP that is also your Voice over IP VoIP service provider You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoIP s...

Page 226: ...fic types through the best WAN interface for that type of traffic If that interface s connection goes down the ZyWALL can still send its traffic through another interface You can define multiple trunks for the same physical interfaces Link Sticking You can have the ZyWALL send each local computer s traffic through a single WAN interface for a specified period of time This is useful when a redirect...

Page 227: ...s the ZyWALL can use to decide which interface the traffic from the LAN should use for a session2 The available bandwidth you configure on the ZyWALL refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using Least Load First The least load first algorithm uses the current or recent outbound bandwidth utilization of each tr...

Page 228: ...han an interface with a smaller weight For example in the figure below the configured available bandwidth of ge2 is 1M and ge3 is 512K You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of ge2 and ge3 to 2 and 1 respectively The ZyWALL assigns the traffic of two sessions to ge2 for every session s traffic assigned to ge3 Figure 143 Weighted Ro...

Page 229: ...hreshold of the first interface is set to 800K The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface Figure 144 Spillover Algorithm Example Finding Out More See Section 5 4 3 on page 91 for related information on the Trunk screens See Section 11 4 on page 232 for more background information on trunks See Section 6 3 on page 109 for an example of how...

Page 230: ...his setting applies when you use load balancing and have multiple WAN interfaces set to active mode Timeout Specify for how long the ZyWALL is to send all of each local computer s traffic through one WAN interface Name This field displays the label that you specified to identify the trunk Algorithm This field displays the load balancing method that the trunk is set to use Add icon This column lets...

Page 231: ... the first group member interface has more traffic than it can handle Select Least Load First to send new session traffic through the least utilized trunk member Select Spillover to send network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used and so on This column displays the priorities of the group s interfaces...

Page 232: ...ilobits of data the ZyWALL is to allow to come in through the interface per second Egress Bandwidth This field displays with the least load first or spillover load balancing algorithm It displays the maximum number of kilobits of data the ZyWALL is to send out through the interface per second Spillover This field displays with the spillover load balancing algorithm Specify the maximum bandwidth of...

Page 233: ...pter 11 Trunks ZyWALL USG 2000 User s Guide 233 bandwidth and then moves to the end of the list and so on depending on the number of queues being used This works in a looping fashion until a queue is empty ...

Page 234: ...Chapter 11 Trunks ZyWALL USG 2000 User s Guide 234 ...

Page 235: ...ect to services offered by your ISP behind router R2 You create another policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 147 Example of Policy Routing Topology You also use policy routes to send traffic through VPN tunnels Using the VPN wizard automatically configures a corresponding policy route but you must manually configure a policy route...

Page 236: ...s Bandwidth Shaping You can allocate bandwidth to traffic that matches routing policies and prioritize traffic however the application patrol s bandwidth management is more flexible and recommended for TCP and UDP traffic Use policy routes to manage other types of traffic like ICMP traffic and send traffic through VPN tunnels Note Bandwidth management in policy routes has priority over application...

Page 237: ...LL and propagate it to other routers you could configure a policy route and an equivalent static route Finding Out More See Section 5 4 10 on page 93 for related information on the policy route screens See Section 12 4 on page 245 for more background information on policy routing See Section 6 4 3 on page 113 for an example of configuring a policy route for an IPSec VPN tunnel 12 2 Policy Route Sc...

Page 238: ...n also enables or disables it in the other screen Total Connection This field displays the total number of policy routes connection per page Select how many entries you want to display on each page Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries Type a page number to go to or use the arrows to navigate the pages of entries This is ...

Page 239: ...ntry The Active icon displays whether the rule is enabled or not Click the Active icon to activate or deactivate the policy Make sure you click Apply to save and apply the change Click the Edit icon to go to the screen where you can edit the routing policy on the ZyWALL Click the Add icon in an entry to add a rule below the current entry Click the Remove icon to delete an existing routing policy f...

Page 240: ...which the packets are sent Select Create Object to configure a new user account see Section 37 2 1 on page 618 for details Incoming Interface Click Change to select an interface or VPN tunnel through which the incoming packets are received Source Address Select a source IP address object or select Create Object to configure a new one Destination Address Select a destination IP address object or se...

Page 241: ...Type field Select a HOST address object The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination The gateway must be a router or switch on the same segment as your ZyWALL s interface s VPN Tunnel This field displays when you select VPN Tunnel in the Type field Select a VPN tunnel through which the packets are sent to the remote network that is connected t...

Page 242: ...e using a port triggering rule This is the rule index number Incoming Service Select the service that the client computer sends to a remote server The incoming service should have the same service or protocol type as what you configured in the Service field Trigger Service Select a service that a remote server sends It causes triggers the ZyWALL to forward the traffic received on the outgoing inte...

Page 243: ...h unbudgeted and do not enable Maximize Bandwidth Usage Bandwidth Priority Enter a number between 1 and 7 to set the priority for traffic The smaller the number the higher the priority If you set the maximum bandwidth to 0 the bandwidth priority will be changed to 0 after you click OK That means the route has the highest priority and will get all the bandwidth it needs up to the maximum available ...

Page 244: ... same segment as your ZyWALL s interface s The gateway helps forward packets to their destinations Metric This is the route s priority among the ZyWALL s routes The smaller the number the higher priority the route has Add icon Click the Add icon to go to the screen where you can set up a static route on the ZyWALL Click the Edit icon to go to the screen where you can edit the static route on the Z...

Page 245: ...other client computer s IP address Port triggering allows the client computer to take turns using a service dynamically Whenever a client computer s packets match the routing policy it can use the pre defined port triggering setting to connect to the remote server without manually configuring a port forwarding rule for each client computer Gateway IP Select the radio button and enter the IP addres...

Page 246: ...n the packets match a policy with SNAT configured 2 Game server 1 responds using a port number ranging between 5670 5678 The ZyWALL allows and forwards the traffic to computer A 3 Computer A and game server 1 are connected to each other until the connection is closed or times out Any other computers such as B or C cannot connect to remote server 1 using the same port triggering rule as computer A ...

Page 247: ...icy route requires more bandwidth the ZyWALL gives the extra bandwidth to that policy route When multiple policy routes require more bandwidth the ZyWALL gives the highest priority policy routes the available bandwidth first as much as they require if there is enough available bandwidth and then to lower priority policy routes if there is still bandwidth available The ZyWALL distributes the availa...

Page 248: ...Chapter 12 Policy and Static Routes ZyWALL USG 2000 User s Guide 248 ...

Page 249: ...PF Screens Use the RIP screen see Section 13 2 on page 250 to configure the ZyWALL to use RIP to receive and or send routing information Use the OSPF screen see Section 13 3 on page 251 to configure general OSPF settings and manage OSPF areas Use the OSPF Area Add Edit screen see Section 13 3 2 on page 257 to create or edit an OSPF area 13 1 2 What You Need to Know About Routing Protocols The ZyWA...

Page 250: ... of RIP settings before you can use it in an interface First the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent This is discussed in more detail in Authentication Types on page 259 Second the ZyWALL can also redistribute routing information from non RIP networks specifically OSPF networks and static routes to ...

Page 251: ...r text authentication The key can consist of alphanumeric characters and the underscore and it can be up to 8 characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the ID for MD5 authentication The ID can be between 1 and 255 MD5 Authentication Key This field is available if the Authentication is MD5 Type the password for MD5 authentication The password ca...

Page 252: ...pressed as an integer or as an IP address There are several types of areas The backbone is the transit area that routes packets between other areas All other areas are connected to the backbone A normal area is a group of adjacent networks A normal area has routing information about the OSPF AS any networks outside the OSPF AS to which it is directly connected and any networks outside the OSPF AS ...

Page 253: ...o confirm which neighbor layer 3 devices exist and then they exchange database descriptions DDs to create a synchronized link state database The link state database contains records of router IDs their associated links and path costs The link state database is then constantly updated through Link State Advertisements LSA Each router uses the link state database and the Dijkstra algorithm to comput...

Page 254: ...DR All of the routers only exchange information with the DR and the BDR instead of exchanging information with all of the other routers in the group The DR and BDR are selected by priority if two routers have the same priority the highest router ID is used The DR and BDR are selected in each group of routers that are directly connected to each other If a router is directly connected to several gro...

Page 255: ...the backbone You cannot create a virtual link to a router in a different area OSPF Configuration Follow these steps when you configure OSPF on the ZyWALL 1 Enable OSPF 2 Set up the OSPF areas 3 Configure the appropriate interfaces See Section 10 4 1 on page 179 4 Set up virtual links as needed 13 3 1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the ZyWALL uses i...

Page 256: ...IP the ZyWALL advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas If you select this for static routes the ZyWALL advertises routes learned from static routes to all types of areas Route This field displays other sources of routing information that the ZyWALL can advertise in the OSPF AS Type Select how OSPF calculates the cost associated with routing information from...

Page 257: ... type of area This type is different from the Type field above Authentication This field displays the default authentication method in the area Add icon This column provides icons to add edit and remove areas To add an area click the Add icon at the top of the column The OSPF Area Add Edit screen appears To edit an area click the Edit icon next to the area The Area Add Edit screen appears To delet...

Page 258: ...text password that is sent over the network not very secure MD5 uses an MD5 password and authentication ID most secure Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore and it can be up to 8 characters long MD5 Authentication ID This field is available if the Auth...

Page 259: ... has the virtual link also use the Authentication settings above Text Authentication Key This field is available if the Authentication is Text Type the password for text authentication The key can consist of alphanumeric characters and the underscore and it can be up to 8 characters long MD5 Authentication ID This field is available if the Authentication is MD5 Type the default ID for MD5 authenti...

Page 260: ...ets if these conditions are satisfied The packet s authentication ID is the same as the authentication ID of the interface that received it The packet s message digest is the same as the one the ZyWALL calculates using the MD5 password For RIP authentication is not available in RIP version 1 In RIP version 2 you can only select one authentication type for all interfaces For OSPF the ZyWALL support...

Page 261: ...ettings such as firewall rules and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface auxiliary interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 159 Example Zones 14 1 1 What You Can Do in the Zones Screens Use the Zon...

Page 262: ... up firewall rules to control intra zone traffic for example DMZ to DMZ but many other types of zone based security and policy settings do not affect intra zone traffic Inter zone Traffic Inter zone traffic is traffic between interfaces or VPN tunnels in different zones For example in Figure 159 on page 261 traffic between VLAN 1 and the Internet is inter zone traffic This is the normal case when ...

Page 263: ... of the zone Block Intra zone This field indicates whether or not the ZyWALL blocks network traffic between members in the zone Member This field displays the names of the interfaces that belong to each zone Add icon This column provides icons to add edit and remove zones To add a zone click the Add icon at the top of the column The Zone Add Edit screen appears To edit a zone click the Edit icon n...

Page 264: ... be a number This value is case sensitive Block Intra zone Traffic Select this check box to block network traffic between members in the zone Member List Available lists the interfaces and VPN tunnels that do not belong to any zone The word in front of the name indicates whether this member is an interface or a VPN tunnel INTERFACE this member is an interface IPSEC this member is a VPN tunnel Sele...

Page 265: ... IP address and vice versa Similarly dynamic DNS maps a domain name to a dynamic IP address As a result anyone can use the domain name to contact you in NetMeeting CU SeeMe etc or to access your FTP server or Web site regardless of the current IP address Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before ...

Page 266: ...n this screen allows you to add new domain names edit the configuration for existing domain names and delete domain names Click Network DDNS to open the following screen Figure 162 Network DDNS The following table describes the labels in this screen No IP No IP www no ip com Peanut Hull Peanut Hull www oray cn 3322 3322 Dynamic DNS 3322 Static DNS www 3322 org Table 82 DDNS Service Providers conti...

Page 267: ...ectivity check fails from interface The IP address comes from the specified interface auto detected The DDNS server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name custom The IP address is static Add icon This column provides icons to add edit and remove domain names To add a domain name click the Add icon at the top of the column The DDNS ...

Page 268: ...cores _ or dashes but the first character cannot be a number This value is case sensitive This field is read only when you are editing an entry DDNS Type Select the type of DDNS service you are using Username Type the user name used when you registered your domain name You can use up to 31 alphanumeric characters and the underscore Spaces are not allowed For a Dynu DDNS entry this user name is the...

Page 269: ...main name The ZyWALL still sends the static IP address to the DDNS server Custom IP This field is only available when the IP Address is Custom Type the IP address to use for the domain name Backup Binding Address Use these fields to set an alternate interface to map the domain name to when the interface specified by the Primary Binding Interface settings is not available Interface Select the inter...

Page 270: ...count DynDNS can route e mail for your domain name to a mail server called a mail exchanger For example DynDNS routes e mail for john doe yourhost dyndns org to the host record specified as the mail exchanger If you are using this service type the host record of your mail server here Otherwise leave the field blank See www dyndns org for more information about mail exchangers Backup Mail Exchanger...

Page 271: ...pdate Status This shows whether the last attempt to resolve the IP address for the domain name was successful or not Updating means the ZyWALL is currently attempting to resolve the IP address for the domain name Last Update Time This shows when the last attempt to resolve the IP address for the domain name occurred in year month day hour minute second format Update Click this to have the ZyWALL u...

Page 272: ...Chapter 15 DDNS ZyWALL USG 2000 User s Guide 272 ...

Page 273: ... server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 165 Multiple Servers Behind NAT Example 16 1 1 What You Can Do in the Virtual Server Screens Use the Virtual Server screens see Section 16 2 on page 274 to view and manage the list of virtual servers an...

Page 274: ...ck Network Virtual Server The following screen appears providing a summary of the existing virtual servers Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure 166 Network Virtual Server The following table describes the labels in this screen Table 86 Network Virtual Server LABEL DESCRIPTION Total Virtual Se...

Page 275: ...here is no restriction on the original destination port Mapped Port This field displays the new destination port s for the packet This field is blank if there is no restriction on the original destination port Add icon This column provides icons to add edit and remove virtual servers In addition you can activate and deactivate virtual servers To add a virtual server click the Add icon at the top o...

Page 276: ...ce Select the interface on which packets for the virtual server must be received It can be an Ethernet VLAN bridge or PPPoE PPTP interface Original IP Use the drop down list box to indicate which destination IP address this virtual server supports Choices are Any this virtual server supports the IP address of the selected interface User Defined this virtual server supports a specific IP address sp...

Page 277: ... by the service requesting the connection Original Port This field is available if Mapping Type is Port Enter the original destination port this virtual server supports Mapped Port This field is available if Mapping Type is Port Enter the translated destination port if this virtual server forwards the packet Original Start Port This field is available if Mapping Type is Ports Enter the beginning o...

Page 278: ...cess this virtual server By default this virtual server entry only applies this address mapping to packets coming in from the WAN Or you can click Policy Route to go to the screens where you can manually configure a NAT loopback policy route for this virtual server See page 282 for an example of NAT loopback Firewall By default the firewall blocks incoming connections from external addresses After...

Page 279: ...ology NAT 1 1 Address Objects Use Object Address Add to create address objects for the private and public IP addresses LAN_SMTP and WAN_EG as shown next Figure 169 Create Address Objects NAT 1 1 Virtual Server This section sets up a virtual server rule that changes the destination of SMTP traffic coming to IP address 1 1 1 1 at the ZyWALL s ge3 interface to the LAN 192 168 1 21 ge3 1 1 1 1 LAN ...

Page 280: ...symbol and create a new virtual server entry as shown next This entry maps TCP port 25 SMTP traffic coming to IP address 1 1 1 1 on ge3 to the IP address of the SMTP server 192 168 1 21 defined in the LAN_SMTP object In this example the SMTP server also uses port 25 so the Mapped Port is set to 25 The following sections describe how to manually configure corresponding policy routes for NAT 1 1 map...

Page 281: ...ress from 192 168 1 21 to 1 1 1 1 This is also called Source NAT SNAT It sends the traffic out through the ge3 interface Figure 172 NAT 1 1 Example Policy Route Click Network Routing Policy Route Add and configure the screen as shown next Be careful of where you create the route as routes are ordered in descending priority Figure 173 Create a Policy Route 192 168 1 21 Source 1 1 1 1 NAT SMTP Sourc...

Page 282: ...e careful of where you create the rule as firewall rules are ordered in descending priority Figure 174 Create a Firewall Rule NAT Loopback Example The NAT 1 1 Example on page 278 maps a public IP address to the private IP address of a LAN SMTP mail server to allow users to access the SMTP mail server from the WAN LAN users can also use an IP address to access the mail server ...

Page 283: ...ddress 192 168 1 89 queries the domain name xxx LAN SMTP com in this example from a public DNS server and gets the SMTP server s 1 1 NAT mapped public IP address of 1 1 1 1 NAT Loopback Virtual Server When a LAN user sends SMTP traffic to IP address 1 1 1 1 the traffic comes into the ZyWALL through the LAN interface thus it does not match the NAT 1 1 192 168 1 21 xxx LAN SMTP com LAN DNS 192 168 1...

Page 284: ...r rule as shown next This virtual server rule is the same as in NAT 1 1 Virtual Server on page 279 except you use the ge1 interface instead of the ge3 interface This rule maps TCP port 25 SMTP traffic destined for IP address 1 1 1 1 and coming in on ge3 to the SMTP server IP address 192 168 1 21 In this example the SMTP server also uses port 25 so the Mapped Port is set to 25 Figure 177 Create a V...

Page 285: ...es not match the original destination address 1 1 1 1 The user s computer shuts down the session Figure 178 Triangle Route Configure a policy route to use the IP address of the ZyWALL s ge1 interface 192 168 1 1 as the source address of the traffic going to the LAN SMTP server from the LAN users This way the LAN SMTP server replies to the ZyWALL and the ZyWALL applies NAT Figure 179 NAT Loopback P...

Page 286: ...ffic sent from LAN to the SMTP server Figure 180 Create a Policy Route Now the LAN SMTP server replies to the ZyWALL s LAN IP address and the ZyWALL changes the source address to 1 1 1 1 before sending it to the LAN user s computer The source in the return traffic matches the original destination address 1 1 1 1 and the LAN user can use the LAN SMTP server Figure 181 NAT Loopback Successful 192 16...

Page 287: ...Chapter 16 Virtual Servers ZyWALL USG 2000 User s Guide 287 ...

Page 288: ...Chapter 16 Virtual Servers ZyWALL USG 2000 User s Guide 288 ...

Page 289: ...ected to the LAN zone wants to open a web page its HTTP request is redirected to proxy server A first If proxy server A cannot find the web page in its cache a policy route allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 182 HTTP Redirect Example 17 1 1 What You Can Do in the HTTP Redirect Screens Use the HTTP Redirect scree...

Page 290: ... traffic is 1 Firewall 2 Application Patrol 3 HTTP Redirect 4 Policy Route Even if you set a policy route to the same incoming interface and service as a HTTP redirect rule the ZyWALL checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched You need to make sure there is no firewall rule s blocking the HTTP requests from the client to the proxy server You also ne...

Page 291: ... Network HTTP Redirect LABEL DESCRIPTION Name This is the descriptive name of a rule Interface This is the interface on which the request must be received Proxy Server This is the IP address of the proxy server Port This is the service port number used by the proxy server Add icon Click the Add icon in the heading row to add a new entry The Active icon displays whether the rule is enabled or not C...

Page 292: ...SCRIPTION Enable Use this option to turn the HTTP redirect rule on or off Name Enter a name to identify this rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select the interface on which the HTTP request must be received for the ZyWALL to forward it to the specified proxy server Proxy Server Ent...

Page 293: ...can be used to create voice and multimedia sessions over Internet H 323 This is a teleconferencing protocol suite that provides audio data and video conferencing The following example shows SIP signaling 1 and audio 2 sessions between SIP clients A and B and the SIP server Figure 185 SIP ALG Example The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL s NAT 18 1 1 ...

Page 294: ...ules if you want to allow access to the server from the WAN H 323 ALG The H 323 ALG supports peer to peer H 323 calls The H 323 ALG handles H 323 calls that go through NAT or that the ZyWALL routes You can also make other H 323 calls that do not go through NAT or routing Examples would be calls between LAN IP addresses that are on the same subnet The H 323 ALG allows calls to go out through NAT Fo...

Page 295: ...ng the application patrol to use custom port numbers for SIP traffic also configures SIP ALG to use the same port numbers for SIP traffic Peer to Peer Calls and the ZyWALL The ZyWALL ALG can allow peer to peer VoIP calls for both H 323 and SIP You must configure the firewall and virtual server port forwarding to allow incoming peer to peer calls from the WAN to a private IP address on the LAN or D...

Page 296: ...g lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses For example you configure firewall and virtual server rules to allow LAN IP address A to receive calls through public WAN IP address 1 You configure different firewall and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2 You configure correspondin...

Page 297: ...ervice you must enable the ALG in order to use the application patrol on that service s traffic Figure 189 Network ALG The following table describes the labels in this screen Table 90 Network ALG LABEL DESCRIPTION SIP Setting Enable SIP Transformations Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the ZyWALL s NAT The ZyWALL modifies IP addresses and port numbers em...

Page 298: ...nother custom UDP port number for SIP traffic You can have a total of up to eight Click the Remove icon to delete a custom UDP port number for SIP traffic H 323 Setting Enable H 323 transformations Turn on the H 323 ALG to detect H 323 traffic and help build H 323 sessions through the ZyWALL s NAT The ZyWALL modifies IP addresses and port numbers embedded in the H 323 data payload Enabling the H 3...

Page 299: ...onfigure routing policies to specify which interface the ALG managed traffic uses You could also have a trunk with one interface set to active and a second interface set to passive The ZyWALL does not automatically change ALG managed connections to the second passive interface when the active interface s connection goes down When the active interface s connection fails the client needs to re initi...

Page 300: ...ssion Initiation Protocol SIP is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet SIP is used in VoIP Voice over IP the sending of voice signals over the Internet Protocol SIP signaling is separate from the media for which it handles sessions The media that is exchanged during the session can us...

Page 301: ... static DHCP to assign it to Tim s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 192 168 1 27 with another MAC address Figure 190 IP MAC Binding Example 19 1 1 What You Can Do in the IP MAC Binding Screens Use the Summary and Edit screens Section 19 2 on page 302 to bind IP addresses to MAC addresses Use the Exempt List screen S...

Page 302: ...ion screen 19 2 IP MAC Binding Summary Click Network IP MAC Binding to open the IP MAC Binding Summary screen This screen lists the total number of IP to MAC address bindings for devices connected to each supported interface Figure 191 Network IP MAC Binding Summary The following table describes the labels in this screen Table 91 Network IP MAC Binding Summary LABEL DESCRIPTION This is the index n...

Page 303: ... IP MAC Binding Edit LABEL DESCRIPTION IP MAC Binding Settings Interface Name This field displays the name of the interface within the ZyWALL and the interface s IP address and subnet mask Enable IP MAC Binding Select this option to have this interface enforce links between specific IP addresses and specific MAC addresses This stops anyone else from manually using a bound IP address on another dev...

Page 304: ...go to the screen where you can edit the entry Click the Remove icon to delete an entry A window displays asking you to confirm that you want to delete it OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving Table 92 Network IP MAC Binding Edit continued LABEL DESCRIPTION Table 93 Network IP MAC Binding Edit Add LABEL DESCRIPTION Interface Name ...

Page 305: ...es that have received an IP address from ZyWALL interfaces with IP MAC binding enabled and have ever established a Table 94 Network IP MAC Binding Exempt List LABEL DESCRIPTION This is the index number of the IP MAC binding list entry Name Enter a name to help identify this entry Start IP Enter the first IP address in a range of IP addresses for which the ZyWALL does not apply IP MAC binding End I...

Page 306: ...d to show to which devices it has assigned an IP address This is the index number of an IP MAC binding entry IP Address This is the IP address that the ZyWALL assigned to a device Host Name This field displays the name used to identify this device on the network the computer name The ZyWALL learns these from the DHCP client requests MAC Address This field displays the MAC address to which the IP a...

Page 307: ...307 PART III Firewall Firewall 309 ...

Page 308: ...308 ...

Page 309: ...rom within the LAN zone and responses to this request are allowed However other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN zone is blocked Communications between the WAN and the DMZ zones are allowed The firewall allows VPN traffic between any of the networks Figure 196 Default Firewall Action 20 1 1 What You Can Do in the Firewall Screens Use the Firewall screens S...

Page 310: ...o the ZyWALL itself By default The firewall allows only LAN WAN computers to access or manage the ZyWALL Table 96 Default Firewall Rules FROM ZONE TO ZONE STATEFUL PACKET INSPECTION From ANY to ANY Traffic that does not match any firewall rule is allowed This includes traffic to or from interfaces or VPN tunnels that are not assigned to a zone extra zone traffic From WAN to LAN Traffic from the WA...

Page 311: ...or VPN tunnel that is not included in a zone The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface Firewall Rule Criteria The ZyWALL checks the schedule user name user s login name on the ZyWALL source IP address destination IP address and IP protocol type of network traffic against the firewall rules in the order you list them W...

Page 312: ...ns such as file sharing applications may use a large number of NAT sessions A single client could use all of the available NAT sessions and prevent others from connecting to or through the ZyWALL The ZyWALL lets you limit the number of concurrent NAT firewall sessions a client can use Finding Out More See Section 5 4 12 on page 94 for related information on the Firewall screens See Section 6 5 6 o...

Page 313: ... rules Any traffic that does not match the first firewall rule will match the second rule and the ZyWALL forwards it Now suppose that your company wants to let the CEO use IRC You can configure a LAN to WAN firewall rule that allows IRC traffic from the IP address of the CEO s computer You can also configure a LAN to WAN rule that allows IRC traffic from any computer through which the CEO logs int...

Page 314: ...2 168 1 7 to access the IRC service on the WAN The second row blocks LAN access to the IRC service on the WAN The third row is the firewall s default policy of allowing all traffic from the LAN to go to the WAN Alternatively you configure a LAN to WAN rule with the CEO s user name say CEO to allow IRC traffic from any source IP address to go to any destination address Your firewall would have the ...

Page 315: ...ch that rule and the ZyWALL would drop it and not check any other firewall rules 20 1 4 Firewall Rule Configuration Example The following Internet firewall rule example allows a hypothetical MyService from the WAN to IP addresses 192 168 1 10 through 192 168 1 15 Dest_1 on the LAN 1 Click Firewall Click the Add icon in the heading row to configure a new first entry Remember the sequence priority o...

Page 316: ...t box 5 The screen for configuring a service object opens Configure it as follows and click OK Figure 201 Firewall Example Create a Service Object 6 Select From WAN and To LAN 7 Enter the name of the firewall rule 8 Make sure Dest_1 is selected for the Destination and MyService is selected as the Service Enter a description and configure the rest of the screen as follows Click OK when you are done...

Page 317: ...tion However allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets Virtual interfaces allow you to partition your network into logical sections over the same interface See the chapter about interfaces for more information By putti...

Page 318: ...one traffic blocking see the chapter about zones the firewall automatically creates implicit rules to deny packet passage between the interfaces in the specified zone Besides configuring the firewall you also need to configure virtual servers NAT port forwarding to allow computers on the WAN to access LAN devices See Chapter 16 on page 273 for more information The ZyWALL applies virtual server Des...

Page 319: ...metrical Route If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL s LAN IP address return traffic may not go through the ZyWALL This is called an asymmetrical or triangle route This causes the ZyWALL to reset the connection as the connection has not been acknowledged Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the net...

Page 320: ...ies This is the index number of your firewall rule It is not associated with a specific rule The entry with a hyphen instead of a number is the default firewall behavior that the ZyWALL performs on traffic that does not match any other traffic direction Only the access right and log alert are configurable for the default firewall rule To apply other behavior configure a firewall rule that traffic ...

Page 321: ...nd apply the change Click the Edit icon to go to the screen where you can edit the rule on the ZyWALL Click the Add icon in an entry to add a rule below the current entry Click the Remove icon to delete an existing rule from the ZyWALL A window displays asking you to confirm that you want to delete the rule Note that subsequent firewall rules move up by one when you take this action In a numbered ...

Page 322: ...elect any and there is no need for user logging Note If you specified a source IP address group instead of any in the field below the user s IP address should be within the IP address range Source Select a source address or address group for whom this rule applies Select Create Object to configure a new one Select any if the policy is effective for every source Destination Select a destination add...

Page 323: ...l Session Limit LABEL DESCRIPTION General Settings Enable Session limit Select this check box to control the number of concurrent sessions hosts can have Default Session per Host Use this field to set a common limit to the number of concurrent NAT firewall sessions each client computer can have If only a few clients use peer to peer applications you can raise this number to improve their performan...

Page 324: ...Edit icon to go to the screen where you can edit the rule on the ZyWALL Click the Add icon in an entry to add a rule below the current entry Click the Remove icon to delete an existing rule from the ZyWALL A window displays asking you to confirm that you want to delete the rule Note that subsequent rules move up by one when you take this action In a numbered list click the Move to N icon to displa...

Page 325: ... when the user logs out Otherwise select any and there is no need for user logging Note If you specified an IP address or address group instead of any in the field below the user s IP address should be within the IP address range Address Select a source address or address group for whom this rule applies Select Create Object to configure a new one Select any if the policy is effective for every so...

Page 326: ...Chapter 20 Firewall ZyWALL USG 2000 User s Guide 326 ...

Page 327: ...327 PART IV VPN IPSec VPN 329 SSL VPN 371 SSL User Screens 383 SSL User Application Screens 393 SSL User File Sharing 395 L2TP VPN 407 L2TP VPN Example 413 ...

Page 328: ...328 ...

Page 329: ...ke the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The following figure is an example of an IPSec VPN tunnel Figure 209 IPSec VPN Example The VPN tunnel connects the ZyWALL X and the remote peer IPSec router Y These routers then connect the local network A and remote network B 21 1 1 W...

Page 330: ...ty association SA a contract indicating what security parameters the ZyWALL and the remote IPSec router will use The first phase establishes an Internet Key Exchange IKE SA between the ZyWALL and remote IPSec router The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote netw...

Page 331: ... IPSec router s address but you specify the remote policy the addresses of the devices behind the remote IPSec router This ZyWALL must have a static IP address or a domain name Only the remote IPSec router can initiate the VPN tunnel Choose this to allow incoming connections from IPSec VPN clients The clients have dynamic IP addresses and are also known as dial in users You don t specify the addre...

Page 332: ...tication If the ZyWALL is in server mode you should set up the authentication method AAA server first The authentication method specifies how the ZyWALL authenticates the remote IPSec router See Chapter 41 on page 649 In a VPN gateway the ZyWALL and remote IPSec router can use certificates to authenticate each other Make sure the ZyWALL and the remote IPSec router will trust each other s certifica...

Page 333: ...ach dynamic IPSec tunnel Ignore Don t Fragment setting in packet header Select this to fragment packets larger than the MTU Maximum Transmission Unit that have the don t fragment bit in the header turned on When you clear this the ZyWALL drops packets larger than the MTU that have the don t fragment bit in the header turned on Total Connection This field displays the total number of VPN connection...

Page 334: ...nect disconnect VPN connections To add a VPN connection click the Add icon at the top of the column The VPN Connection Add Edit Manual screen appears To edit a VPN connection click the Edit icon next to the connection The VPN Connection Add Edit Manual or VPN Connection Add Edit Gateway screen appears accordingly To delete a VPN connection click the Remove icon next to the connection The Web Confi...

Page 335: ...Chapter 21 IPSec VPN ZyWALL USG 2000 User s Guide 335 Figure 212 VPN IPSec VPN VPN Connection Edit IKE ...

Page 336: ...cation Scenario Select the scenario that best describes your intended VPN connection Site to site Choose this if the remote IPSec router has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic Peer Choose this if the remote IPSec router has a dynamic IP address Only the remote IPSec router can initiate the VPN tunnel Remote Access Server Role Choo...

Page 337: ... there are users who are accessing remote resources Active Protocol Select which protocol you want to use in the IPSec SA Choices are AH RFC 2402 provides integrity authentication sequence integrity replay resistance and non repudiation but not encryption If you select AH you must select an Authentication algorithm ESP RFC 2406 provides encryption and the same services offered by AH but its authen...

Page 338: ...r must both have a proposal that uses the same authentication algorithm Add icon This column contains icons to add and remove proposals To add a proposal click the Add icon at the top of the column To remove a proposal click the Remove icon next to the proposal The ZyWALL confirms that you want to delete it before doing so Perfect Forward Secrecy PFS Select whether or not you want to enable Perfec...

Page 339: ...ss for the connectivity check Enter that domain name or IP address in the field next to it Check the First and Last IP Address in the Remote Policy Select this to have the ZyWALL check the connection to the first and last IP addresses in the connection s remote policy Make sure one of these is the peer gateway s LAN IP address Log Select this to have the ZyWALL generate a log every time it checks ...

Page 340: ...ddress range Source must be equal to the size of the translated source address range SNAT Destination NAT This translation forwards packets for example mail from the remote network to a specific computer for example the mail server in the local network This field is a sequential value and it is not associated with a specific NAT record However the order of records is the sequence in which conditio...

Page 341: ... VPN Gateway section of the screen select Manual Key Add icon This column contains icons to add move and remove NAT records To add a NAT record click the Add icon at the top of the column To move a NAT record click the Move to N icon next to the record and then type the row number to which you want to move it The records are renumbered automatically To remove a NAT record click the Remove icon nex...

Page 342: ...1 2 on page 332 for descriptions of the other fields Table 107 VPN IPSec VPN VPN Connection Manual Key Edit LABEL DESCRIPTION Manual Key My Address Type the IP address of the ZyWALL in the IPSec SA 0 0 0 0 is invalid Secure Gateway Address Type the IP address of the remote IPSec router in the IPSec SA SPI Type a unique SPI Security Parameter Index between 256 and 4095 The SPI is used to identify t...

Page 343: ... offered by AH but its authentication is weaker If you select ESP you must select an Encryption Algorithm and Authentication Algorithm The ZyWALL and remote IPSec router must use the same protocol Encryption Algorithm This field is applicable when the Active Protocol is ESP Select which key size and encryption algorithm to use in the IPSec SA Choices are NULL no encryption key or algorithm DES a 5...

Page 344: ...ou enter 1234567890XYZ for a DES encryption key the ZyWALL only uses 12345678 The ZyWALL still stores the longer key Authentication Key Enter the authentication key which depends on the authentication algorithm MD5 type a unique key 16 20 characters long SHA1 type a unique key 20 characters long You can use any alphanumeric characters or _ If you want to enter the key in hexadecimal type 0x at the...

Page 345: ... IPSec VPN VPN Gateway LABEL DESCRIPTION Total Connection This field displays the total number of VPN gateway policies connection per page Select how many entries you want to display on each page Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries Type a page number to go to or use the arrows to navigate the pages of entries This field...

Page 346: ... gateway click the Add icon at the top of the column The VPN Gateway Add Edit screen appears To edit a VPN gateway click the Edit icon next to the gateway The VPN Gateway Add Edit screen appears accordingly To delete a VPN gateway click on the Remove icon next to the gateway The Web Configurator confirms that you want to delete the VPN gateway To activate or deactivate a VPN gateway click the Acti...

Page 347: ...d in the following table Table 109 VPN IPSec VPN VPN Gateway Edit LABEL DESCRIPTION General Settings VPN Gateway Name Type the name used to identify this VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Gateway Settings ...

Page 348: ...annot establish an IKE SA with the first one Select Dynamic Address if the remote IPSec router has a dynamic IP address and does not use DDNS Authentication Click Advanced to display more settings Click Basic to display fewer settings Note The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA Pre Shared Key Select this to have the ZyWALL and remote IPSe...

Page 349: ...fied by an IP address DNS the ZyWALL is identified by a domain name E mail the ZyWALL is identified by an e mail address Content This field is read only if the ZyWALL and remote IPSec router use certificates to identify each other Type the identity of the ZyWALL during authentication The identity depends on the Local ID Type IP type an IP address if you type 0 0 0 0 the ZyWALL uses the IP address ...

Page 350: ...ess DNS the remote IPSec router is identified by a domain name E mail the remote IPSec router is identified by an e mail address Any the ZyWALL does not check the identity of the remote IPSec router If the ZyWALL and remote IPSec router use certificates there is one more choice Subject Name the remote IPSec router is identified by the subject name in the certificate Table 109 VPN IPSec VPN VPN Gat...

Page 351: ...he note at the end of this description DNS subject alternative name field E mail subject alternative name field Subject Name subject name maximum 255 ASCII characters including spaces Note If Peer ID Type is IP please read the rest of this section If you type 0 0 0 0 the ZyWALL uses the IP address specified in the Secure Gateway Address field This is not recommended in the following situations The...

Page 352: ...LL and the remote IPSec router must use the same key size and encryption algorithm Longer keys require more processing power resulting in increased latency and decreased throughput Authentication Select which hash algorithm to use to authenticate packet data in the IPSec SA Choices are SHA1 and MD5 SHA1 is generally considered stronger than MD5 but it is also slower The remote IPSec router must us...

Page 353: ...a tunnel for example use extended authentication to enforce a user name and password check This way even though they all know the VPN tunnel s security settings each still has to provide a unique user name and password Enable Extended Authentication Select this if one of the routers the ZyWALL or the remote IPSec router verifies a user name and password from the other router using the local user d...

Page 354: ... concentrator reduces the number of VPN connections that you have to set up and maintain in the network You might also be able to consolidate the policy routes in each spoke router depending on the IP addresses and subnets of each spoke However a VPN concentrator is not for every situation The hub router is a single failure point so a VPN concentrator is not as appropriate if the connection betwee...

Page 355: ... VPN Concentrator summary screen see Section 21 4 on page 354 and click either the Add icon or an Edit icon Figure 218 VPN IPSec VPN Concentrator Edit Table 110 VPN IPSec VPN Concentrator LABEL DESCRIPTION Name This field displays the name of the VPN concentrator Add icon This column provides icons to add edit and remove VPN concentrators To add a VPN concentrator click the Add icon at the top of ...

Page 356: ...ect any VPN connection policies that you want to add to the VPN concentrator and click the right arrow button to add them The VPN concentrator s member VPN connections appear on the right Select any VPN connections that you want to remove from the VPN concentrator and click the left arrow button to remove them Figure 219 Network IPSec VPN Concentrator Edit Member Add icon This column provides icon...

Page 357: ...k Search to find it You can use a keyword or regular expression Use up to 30 alphanumeric and _ characters See Regular Expressions in Searching IPSec SAs on page 364 for more details Search Click this button to search for an IPSec SA that matches the information you specified above Total Connection This field displays the total number of associated IPSec SAs connection per page Select how many ent...

Page 358: ...e for either or both IP addresses Sometimes your ZyWALL might offer another alternative such as using the IP address of a port or interface as well Up Time This field displays how many seconds the IPSec SA has been active This field displays N A if the IPSec SA uses manual keys Timeout This field displays how many seconds remain in the SA life time before the ZyWALL automatically disconnects the I...

Page 359: ...one proposal Each proposal consists of an encryption algorithm authentication algorithm and DH key group that the ZyWALL wants to use in the IKE SA The remote IPSec router selects an acceptable proposal and sends the accepted proposal back to the ZyWALL If the remote IPSec router rejects all of the proposals the ZyWALL and remote IPSec router cannot establish an IKE SA Note Both routers must use t...

Page 360: ... about DH key groups Diffie Hellman DH Key Exchange The ZyWALL and the remote IPSec router use DH public key cryptography to establish a shared secret The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA In main mode this is done in steps 3 and 4 as illustrated next Figure 222 IKE SA Main Negotiation Mode Steps 3 4 DH Key Exchange DH public key cryptography is bas...

Page 361: ...y used for identification Any domain name or e mail address that you enter does not have to actually exist Similarly any domain name or IP address that you enter does not have to correspond to the ZyWALL s or remote IPSec router s properties The ZyWALL and the remote IPSec router have their own identities so both of them must store two sets of information one for themselves and one for the other r...

Page 362: ...ec router The remote IPSec router selects an acceptable proposal and sends it back to the ZyWALL Steps 3 4 The ZyWALL and the remote IPSec router exchange pre shared keys for authentication and participate in a Diffie Hellman key exchange based on the accepted DH key group to establish a shared secret Steps 5 6 Finally the ZyWALL and the remote IPSec router generate an encryption key from the shar...

Page 363: ...ot establish a VPN tunnel Most routers like router A now have an IPSec pass thru feature This feature helps router A recognize VPN packets and route them appropriately If router A has this feature router X and router Y can establish a VPN tunnel as long as the active protocol is ESP See Active Protocol on page 365 for more information about active protocols If router A does not have an IPSec pass ...

Page 364: ... ZyWALL and remote IPSec router to authenticate each other with certificates In this case you do not have to set up the pre shared key local identity or remote identity because the certificates provide this information instead Instead of using the pre shared key the ZyWALL and remote IPSec router check the signatures on each other s certificates Unlike pre shared keys the signatures do not have to...

Page 365: ...e s connected to the ZyWALL may be called the local policy Similarly the remote network the one s connected to the remote IPSec router may be called the remote policy Active Protocol The active protocol controls the format of each packet It also specifies how much of each packet is protected by the encryption and authentication algorithms IPSec VPN includes two active protocols AH Authentication H...

Page 366: ...and Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal see IKE SA Proposal on page 359 except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established This is called Perfect Forward Secrecy PFS If you enable PFS the ZyWALL and remote IPSec router perform a DH key exchange every tim...

Page 367: ...y several proposals There is no DH key exchange so you have to provide the encryption key and the authentication key the ZyWALL and remote IPSec router use Note The ZyWALL and remote IPSec router must use the same encryption key and authentication key Authentication and the Security Parameter Index SPI For authentication the ZyWALL and remote IPSec router use the SPI instead of pre shared keys ID ...

Page 368: ...twork B If you do not configure it the remote IPSec router may not route messages for computer M through the IPSec SA because computer M s IP address is not part of its local policy To set up this NAT you have to specify the following information Source the original source address most likely computer M s network Destination the original destination address the remote network B SNAT the translated...

Page 369: ... this kind of NAT The ZyWALL checks these rules similar to the way it checks rules for a firewall The first part of these rules define the conditions in which the rule apply Original IP the original destination address the remote network B Protocol the protocol TCP UDP or both used by the service requesting the connection Original Port the original destination port or range of destination ports in...

Page 370: ...Chapter 21 IPSec VPN ZyWALL USG 2000 User s Guide 370 ...

Page 371: ...VPN Global Setting screen see Section 22 4 on page 378 to set the IP address of the ZyWALL or a gateway device on your network for full tunnel mode access enter access messages or upload a custom logo to be displayed on the remote user screen 22 1 2 What You Need to Know About SSL VPN There are two SSL VPN network access modes reverse proxy and full tunnel Reverse Proxy Mode In reverse proxy mode ...

Page 372: ...in the same way as if they were part of the internal network Figure 228 Network Access Mode Full Tunnel Mode SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks limit user access to specific applications or files on the network allow user access to specific networks assign private IP addresses and provide DNS WINS server information to remote users to access int...

Page 373: ...en lists the configured SSL access policies Figure 229 VPN SSL VPN Access Privilege Table 115 Objects OBJECT TYPE OBJECT SCREEN DESCRIPTION User Accounts User Account User Group Configure a user account or user group to which you want to apply this SSL access policy Application SSL Application Configure an SSL application object to specify the type of application and the address of the local compu...

Page 374: ...icy This field displays up to three names Application This field displays the descriptive name of the SSL application object this policy uses Add icon This column provides icons to add edit and remove policies To add a new policy click the Add icon at the top of the column To activate or disable the policy click the Activate Deactivate icon To edit a policy click the Edit icon next to the policy T...

Page 375: ... Edit The following table describes the labels in this screen Table 117 VPN SSL VPN Access Privilege Add Edit LABEL DESCRIPTION Configuration Enable Policy Select this option to activate this SSL access policy Name Enter a descriptive name to identify this policy You can enter up to 15 characters a z A Z 0 9 with no spaces allowed Description Enter additional information about this SSL access poli...

Page 376: ...al Enable Network Extension Select this option to create a VPN tunnel between the authenticated users and the internal network This allows the users to access the resources on the network as if they were on the same local network Clear this option to disable this feature Users can only access the applications as defined by the selected SSL application settings and the remote user computers are not...

Page 377: ...s in this screen OK Click Ok to save the changes and return to the main Access Privilege screen Cancel Click Cancel to discard all changes and return to the main Access Privilege screen Table 117 VPN SSL VPN Access Privilege Add Edit continued LABEL DESCRIPTION Table 118 VPN SSL VPN Connection Monitor LABEL DESCRIPTION This field displays the index number User This field displays the account user ...

Page 378: ...s in this screen Outbound Bytes This field displays the number of bytes transmitted by the ZyWALL on this connection Action Click the icon to terminate the connection of the user and delete corresponding session information from the ZyWALL Refresh Click Refresh to update this screen Table 118 VPN SSL VPN Connection Monitor continued LABEL DESCRIPTION Table 119 VPN SSL VPN Global Setting LABEL DESC...

Page 379: ...Z 0 9 with spaces allowed Logout Message Specify a message to display on the screen when a user logs out and the SSL VPN connection is terminated successfully You can enter up to 60 characters a z A Z 0 9 with spaces allowed Update Client Virtual Desktop Logo You can upload a graphic logo to be displayed on the web browser on the remote user computer The ZyXEL company logo is the default logo Spec...

Page 380: ...r PNG format 3 Click Apply to start the file transfer process 4 Log in as a user to verify that the new logo displays properly The following shows an example logo on the remote user screen Figure 234 Example Logo Graphic Display Reset Logo to Default Click Reset Logo to Default to display the ZyXEL company logo on the remote user s web browser Apply Click Apply to save the changes and or start the...

Page 381: ... configured the SSL VPN settings on the ZyWALL use the ZyWALL login screen s SSL VPN button to establish an SSL VPN connection See Section 23 2 on page 384 for details 1 Display the ZyWALL s login screen and enter your user account information the user name and password Click SSL VPN Figure 235 Login Screen ...

Page 382: ...hould see the client portal screen The following shows an example Figure 236 SSL VPN Client Portal Screen Example If the user account is not set up for SSL VPN access an SSL VPN connection is not activated message displays in the Login screen Clear the Login to SSL VPN check box and try logging in again For more information on user portal screens refer to Chapter 23 on page 383 ...

Page 383: ...crosoft Outlook Web Access OWA Network Resource Access Methods As a remote user you can access resources on the local network using one of the following methods Using a supported web browser Once you have successfully logged in through the ZyWALL you can access intranet sites web based applications or web based e mails using one of the supported web browsers Using the ZyWALL SecuExtender client On...

Page 384: ...the network administrator to log in and access network resources the domain name or IP address of the ZyWALL the login account user name and password if also required the user name and or password to access the network resource Certificates The remote user s computer establishes an HTTPS connection to the ZyWALL to access the login screen If instructed by your network administrator you must instal...

Page 385: ... the Address in a Web Browser 2 Click OK or Yes if a security screen displays Figure 239 Login Security Screen 3 A login screen displays Enter the user name and password of your login account If a token password is also required enter it in the One Time Password field 4 Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources Figure 240 Login Screen ...

Page 386: ...ser and re login If a certificate warning screen displays click OK Yes or Continue Figure 241 Java Needed Message 6 The ZyWALL tries to install the SecuExtender client As shown next you may have to click some pop ups to get your browser to allow the installation Figure 242 ActiveX Object Installation Blocked by Browser 7 The ZyWALL tries to install the SecuExtender client You may need to click a p...

Page 387: ...xplorer 8 The ZyWALL tries to run the ssltun application You may need to click something to get your browser to allow this In Internet Explorer click Run Figure 244 SecuExtender Progress 9 Click Next to use the setup wizard to install the SecuExtender client on your computer Figure 245 SecuExtender Progress ...

Page 388: ...o finish installing the SecuExtender client on your computer Figure 246 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you See Figure 247 on page 389 for a screen example Note Available resource links vary depending on the configuration your network administrator made ...

Page 389: ...o to the Application or File Sharing screen 2 Click this icon to create a bookmark to the SSL VPN user screen in your web browser 3 Click this icon to display the on line help window 4 Click this icon to log out and terminate the secure connection 5 Select your preferred language for the interface 6 This part of the screen displays a list of the resources available to you In the Application screen...

Page 390: ... user screen click the Add to Favorite icon 2 A screen displays Accept the default name in the Name field or enter a descriptive name to identify this link 3 Click OK to create a bookmark in your web browser Figure 248 Add Favorite 23 5 Logging Out of the SSL VPN User Screens To properly terminate a connection click on the Logout icon in any remote user screen 1 Click the Logout icon in any remote...

Page 391: ...apter 23 SSL User Screens ZyWALL USG 2000 User s Guide 391 3 An information screen displays to indicate that the SSL VPN connection is about to terminate Figure 250 Logout Connection Termination Progress ...

Page 392: ...Chapter 23 SSL User Screens ZyWALL USG 2000 User s Guide 392 ...

Page 393: ...an access depends on the ZyWALL s configuration 24 2 The Application Screen Click the Application tab to display the screen The Name field displays the descriptive name for an application The Type field displays wether the application is a web site Web Server or web based e mail using Microsoft Outlook Web Access OWA To access a web based application simply click a link in the Application screen t...

Page 394: ...Chapter 24 SSL User Application Screens ZyWALL USG 2000 User s Guide 394 ...

Page 395: ...ng screen to display and access shared files folders on a file server You can also perform the following actions Access a folder Open a file if your web browser cannot open the file you are prompted to download it Save a file to your computer Create a new folder Rename a file or folder Delete a file or folder Upload a file Note Available actions you can perform in the File Sharing screen vary depe...

Page 396: ...shared folder s available The following figure shows an example with one file share Figure 252 File Sharing 25 3 Opening a File or Folder You can open a file if the file extension is recognized by the web browser and the associated application is installed on your computer 1 Log in as a remote user and click the File Sharing tab 2 Click on a file share icon ...

Page 397: ...G 2000 User s Guide 397 3 If an access user name and password are required a screen displays as shown in the following figure Enter the account information and click Login to continue Figure 253 File Sharing Enter Access User Name and Password ...

Page 398: ...lick a folder to access it For this example click on a doc file to open the Word document Figure 254 File Sharing Open a Word File 25 3 1 Downloading a File You are prompted to download a file which cannot be opened using a web browser Follow the on screen instructions to download and save the file to your computer Then launch the associated application to open the file ...

Page 399: ... the on screen instructions Figure 255 File Sharing Save a Word File 25 4 Creating a New Folder To create a new folder in the file share location click the New Folder icon Specify a descriptive name for the folder You can enter up to 356 characters Then click Add Note Make sure the length of the folder name does not exceed the maximum allowed on the file server Figure 256 File Sharing Save a Word ...

Page 400: ...ndow displays Specify the new name and or file extension in the field provided You can enter up to 356 characters Then click Apply Note Make sure the length of the name does not exceed the maximum allowed on the file server You may not be able to open a file if you change the file extension Figure 258 File Sharing Rename 25 6 Deleting a File or Folder Click the Delete icon next to a file or folder...

Page 401: ...ify the location and or name of the file you want to upload Or click Browse to locate it 3 Click Upload to send the file to the file server 4 After the file is uploaded successfully you should see the name of the file and a message in the screen Figure 259 File Sharing File Upload Note Uploading a file with the same name and file extension replaces the existing file on the file server No warning m...

Page 402: ...Chapter 25 SSL User File Sharing ZyWALL USG 2000 User s Guide 402 ...

Page 403: ...ram you must have the VNC client installed on your computer 26 1 The ZyWALL SecuExtender Icon The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel s connection status Figure 260 ZyWALL SecuExtender Icon Red the SSL VPN tunnel is not connected You cannot connect to the SSL application and network resources Green the SSL VPN tunnel is connected You can connect to the SSL application and n...

Page 404: ...ress of a computer before you can access it Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection WINS Server 1 2 These are the IP addresses of the WINS Windows Internet Naming Service and backup WINS servers for the SSL VPN connection The WINS server keeps a mapping table of the computer names on your network and the IP ad...

Page 405: ...tender 1 Click start All Programs ZyXEL ZyWALL SecuExtender Uninstall 2009 03 12 13 35 50 SecuExtender Agent DETAIL Build Datetime Feb 24 2009 10 25 07 2009 03 12 13 35 50 SecuExtender Agent DEBUG rasphone pbk C Documents and Settings 11746 rasphone pbk 2009 03 12 13 35 50 SecuExtender Agent DEBUG SecuExtender log C Documents and Settings 11746 SecuExtender log 2009 03 12 13 35 50 SecuExtender Age...

Page 406: ...nder ZyWALL USG 2000 User s Guide 406 2 In the confirmation screen click Yes Figure 263 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender Figure 264 ZyWALL SecuExtender Uninstallation ...

Page 407: ...L s L2TP VPN settings Use the L2TP VPN screen see Section 27 3 on page 410 to display and manage the ZyWALL s connected L2TP VPN sessions 27 1 2 What You Need to Know About L2TP VPN The Layer 2 Tunneling Protocol L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is established first and then ...

Page 408: ... this address object in the local policy For the Remote Policy create an address object that uses host type and an IP address of 0 0 0 0 Use this address object in the remote policy You must also edit the Default_L2TP_VPN_GW gateway entry Configure the My Address setting according to your requirements Replace the default Pre Shared Key Policy Route You must configure a policy route to let remote u...

Page 409: ...w settings Figure 267 VPN L2TP VPN The following table describes the fields in this screen Table 122 VPN IPSec VPN VPN Connection LABEL DESCRIPTION Enable L2TP Over IPSec Use this field to turn the ZyWALL s L2TP VPN function on or off VPN Connection Select the IPSec VPN connection the ZyWALL uses for L2TP VPN All of the configured VPN connections display here but the one you use must meet the requ...

Page 410: ...etails Otherwise select any to allow any user with a valid account and password on the ZyWALL to log in Keep Alive Timer The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user The ZyWALL disconnects the VPN tunnel if the remote user does not respond First DNS Server Second DNS Server Specify the IP addresses of DNS servers to assign to the remot...

Page 411: ...me This field displays the name of the computer that has this L2TP VPN connection with the ZyWALL Assigned IP This field displays the IP address that the ZyWALL assigned for the remote user s computer to use within the L2TP VPN tunnel Public IP This field displays the public IP address that the remote user is using to connect to the Internet Action Click the Disconnect icon next to an L2TP VPN con...

Page 412: ...Chapter 27 L2TP VPN ZyWALL USG 2000 User s Guide 412 ...

Page 413: ...atic IP address of 172 16 1 2 for the ge2 interface The remote user has a dynamic public IP address and connects through the Internet You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192 168 10 10 to 192 168 10 20 for use in the L2TP VPN tunnel The VPN rule allows the remote user to access the LAN_SUBNET which covers the 192 168 1 x subnet LAN_SU...

Page 414: ...Click the Default_L2TP_VPN_GW entry s Edit icon Figure 270 VPN IPSec VPN VPN Gateway Edit Configure the My Address setting This example uses interface ge2 with static IP address 172 16 1 2 Select Pre Shared Key and configure a password This example uses top secret Click OK 2 Click the Default_L2TP_VPN_GW entry s Enable icon and click Apply to turn on the entry Figure 271 VPN IPSec VPN VPN Gateway ...

Page 415: ...it 2 Click the Policy section s Advanced button Enforce and configure the local and remote policies For the Local Policy create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW The address object in this example uses the ge2 interface s IP address 172 16 1 2 and is named L2TP_IFACE For the Remote Policy create an address ob...

Page 416: ...ure 274 VPN L2TP VPN Example 2 Configure the following Enable the connection Set it to use the Default_L2TP_VPN_Connection VPN connection Configure an IP address pool for the range of 192 168 10 10 to 192 168 10 20 It is called L2TP_POOL here This example uses the default authentication method the ZyWALL s local user data base Select a user or group of users that can use the tunnel Here a user acc...

Page 417: ...N Example 2 Configure the following Enable the policy route Set the policy route s Source Address to the address object that you want to allow the remote users to access LAN_SUBNET in this example Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users L2TP_POOL in this example Set the next hop to be the Default_L2TP_VPN_Connection VPN tunnel Click OK ...

Page 418: ...of the following commands from the Windows command prompt to make sure the computer is running the Microsoft IPSec service Make sure you include the quotes For Windows XP use net start ipsec services For Windows 2000 use net start ipsec policy agent 28 6 1 Configuring L2TP in Windows XP In Windows XP do the following to establish an L2TP VPN connection 1 Click Start Control Panel Network Connectio...

Page 419: ...WALL USG 2000 User s Guide 419 4 Select Virtual Private Network connection and click Next Figure 277 New Connection Wizard Network Connection 5 Type L2TP to ZyWALL as the Company Name Figure 278 New Connection Wizard Connection Name ...

Page 420: ...d click Next Figure 279 New Connection Wizard Public Network 7 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN 172 16 1 2 in this example Figure 280 New Connection Wizard VPN Server Selection 8 Click Finish 172 16 1 2 ...

Page 421: ...G 2000 User s Guide 421 9 The Connect L2TP to ZyWALL screen appears Click Properties Security Figure 281 Connect L2TP to ZyWALL 10 Click Security select Advanced custom settings and click Settings Figure 282 Connect L2TP to ZyWALL Security ...

Page 422: ...encryption connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Click OK Figure 283 Connect ZyWALL L2TP Security Advanced 12 Click IPSec Settings Figure 284 L2TP to ZyWALL Properties Security ...

Page 423: ...t the ZyWALL is using for L2TP VPN Click OK Figure 285 L2TP to ZyWALL Properties Security IPSec Settings 14 Click Networking Select L2TP IPSec VPN as the Type of VPN Click OK Figure 286 L2TP to ZyWALL Properties Networking 15 Enter the user name and password of your ZyWALL account Click Connect Figure 287 Connect L2TP to ZyWALL 16 A window appears while the user name and password are verified ...

Page 424: ... 10 192 168 10 20 Figure 289 ZyWALL L2TP Status Details 19 Access a server or other network resource behind the ZyWALL to make sure your access works 28 6 2 Configuring L2TP in Windows 2000 Windows 2000 does not support using pre shared keys by default Use the following procedures to edit the registry and then configure the computer to use the L2TP client 28 6 2 1 Editing the Windows 2000 Registry...

Page 425: ...or 2 Click Registry Export Registry File and save a backup copy of your registry You can go back to using this backup if you misconfigure the registry settings 3 Select HKEY_LOCAL_MACHINE System CurrentControlSet Services Rasman P arameters Figure 291 Registry Key 4 Right click Parameters and select New DWORD Value Figure 292 New DWORD Value ...

Page 426: ...start the computer and continue with the next section 28 6 2 2 Configure the Windows 2000 IPSec Policy After you have created the registry entry and restarted the computer use these directions to configure an IPSec policy for the computer to use 1 Click Start Run Type mmc and click OK Figure 294 Run mmc 2 Click Console Add Remove Snap in Figure 295 Console Add Remove Snap in ...

Page 427: ... Add IP Security Policy Management Add Finish Click Close OK Figure 296 Add IP Security Policy Management Finish 4 Right click IP Security Policies on Local Machine and click Create IP Security Policy Click Next in the welcome screen Figure 297 Create IP Security Policy ...

Page 428: ...User s Guide 428 5 Name the IP security policy L2TP to ZyWALL and click Next Figure 298 IP Security Policy Name 6 Clear the Activate the default response rule check box and click Next Figure 299 IP Security Policy Request for Secure Communication ...

Page 429: ...0 User s Guide 429 7 Leave the Edit Properties check box selected and click Finish Figure 300 IP Security Policy Completing the IP Security Policy Wizard 8 In the properties dialog box click Add Next Figure 301 IP Security Policy Properties Add ...

Page 430: ...2000 User s Guide 430 9 Select This rule does not specify a tunnel and click Next Figure 302 IP Security Policy Properties Tunnel Endpoint 10 Select All network connections and click Next Figure 303 IP Security Policy Properties Network Type ...

Page 431: ...uide 431 11 Select Use this string to protect the key exchange preshared key type password in the text box and click Next Figure 304 IP Security Policy Properties Authentication Method 12 Click Add Figure 305 IP Security Policy Properties IP Filter List ...

Page 432: ... in the Addressing tab Select My IP Address in the Source address drop down list box Select A specific IP Address in the Destination address drop down list box and type the ZyWALL s WAN IP address 172 16 1 2 in this example in the IP Address field Make certain the Mirrored Also match packets with the exact opposite source and destination addresses check box is selected and click Apply Figure 307 F...

Page 433: ...ollowing in the Filter Properties window s Protocol tab Set the protocol type to UDP from port 1701 Select To any port Click Apply OK and then Close Figure 308 Filter Properties Protocol 16 Select ZyWALL WAN_IP and click Next Figure 309 IP Security Policy Properties IP Filter List ...

Page 434: ...d Close Figure 310 IP Security Policy Properties IP Filter List 18 In the Console window right click L2TP to ZyWALL and select Assign Figure 311 Console L2TP to ZyWALL Assign 28 6 2 3 Configure the Windows 2000 Network Connection After you have configured the IPSec policy use these directions to create a network connection ...

Page 435: ...re 312 Start New Connection Wizard 2 Select Connect to a private network through the Internet and click Next Figure 313 New Connection Wizard Network Connection Type 3 Enter the domain name or WAN IP address configured as the My Address in the VPN gateway configuration that the ZyWALL is using for L2TP VPN Click Next Figure 314 New Connection Wizard Destination Address 172 16 1 2 ...

Page 436: ...36 4 Select For all users and click Next Figure 315 New Connection Wizard Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish Figure 316 New Connection Wizard Naming the Connection 6 Click Properties Figure 317 Connect L2TP to ZyWALL ...

Page 437: ... Settings Figure 318 Connect L2TP to ZyWALL Security 8 Select Optional encryption allowed connect even if no encryption and the Allow these protocols radio button Select Unencrypted password PAP and clear all of the other check boxes Click OK Click Yes if a screen pops up Figure 319 Connect L2TP to ZyWALL Security Advanced ...

Page 438: ...ck OK Figure 320 Connect L2TP to ZyWALL Networking 10 Enter your user name and password and click Connect It may take up to one minute to establish the connection and register on the network Figure 321 Connect L2TP to ZyWALL 11 A ZyWALL L2TP icon displays in your system tray Double click it to open a status screen Figure 322 ZyWALL L2TP System Tray Icon ...

Page 439: ...etails and scroll down to see the address that you received is from the L2TP range you specified on the ZyWALL 192 168 10 10 192 168 10 20 Figure 323 L2TP to ZyWALL Status Details 13 Access a server or other network resource behind the ZyWALL to make sure your access works ...

Page 440: ...Chapter 28 L2TP VPN Example ZyWALL USG 2000 User s Guide 440 ...

Page 441: ...441 PART V Application Patrol Application Patrol 443 ...

Page 442: ...442 ...

Page 443: ...trol Screens Use the General summary screen see Section 29 2 on page 452 to enable and disable application patrol Use the Common Instant Messenger Peer to Peer VoIP and Streaming see Section 29 3 on page 454 screens to look at the applications the ZyWALL can recognize and review the settings for each one You can also enable and disable the rules for each application and specify the default and cus...

Page 444: ...connection schedule user source and destination information Your custom policies take priority over the policy s default settings Classification of Applications There are two ways the ZyWALL can identify the application The first is called auto The ZyWALL looks at the IP payload OSI level 7 inspection and attempts to match it with known patterns for specific applications Usually this occurs at the...

Page 445: ...ote Bandwidth management in policy routes has priority over application patrol bandwidth management It is recommended to use application patrol instead of policy routes to manage the bandwidth of TCP and UDP traffic Connection and Packet Directions Application patrol looks at the connection direction that is from which zone the connection was initiated and to which zone the connection is going A c...

Page 446: ...affic is limited to 200 kbps The connection initiator is on the LAN so outbound means the traffic traveling from the LAN to the WAN Each of the WAN zone s two interfaces can send the limit of 200 kbps of traffic Inbound traffic is limited to 500 kbs The connection initiator is on the LAN so inbound means the traffic traveling from the WAN to the LAN Figure 325 LAN to WAN Outbound 200 kbps Inbound ...

Page 447: ...unused bandwidth Bandwidth Management Behavior The following sections show how bandwidth management behaves with various settings For example you configure DMZ to WAN policies for FTP servers A and B Each server tries to send 1000 kbps but the WAN is set to a maximum outgoing speed of 1000 kbps You configure policy A for server A s traffic and policy B for server B s traffic Figure 326 Bandwidth M...

Page 448: ...ps for a total of 550 kbps Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps Priority and Over Allotment of Bandwidth Effect Server A has a configured rate that equals the total amount of available bandwidth and a higher priority You should regard extreme over allotment of traffic with different priorities as shown here as a configuration error Even though the ZyW...

Page 449: ... users must get through with the least possible delay regardless of if it is an outgoing call or an incoming call The VIP users must be able to make and receive SIP calls no matter which interface they are connected to HTTP traffic needs to be given priority over FTP traffic FTP traffic from the WAN to the DMZ must be limited so it does not interfere with SIP and HTTP traffic FTP traffic from the ...

Page 450: ...r DMZ Highest priority 1 Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth Figure 328 SIP Any to WAN Bandwidth Management Example 29 1 3 3 SIP WAN to Any Bandwidth Management Example You also create a policy for calls coming in from the SIP server on the WAN It is ...

Page 451: ...s to the DMZ FTP server outbound but only 100 kbps for downloads inbound Third highest priority 3 Disable maximize bandwidth usage since you do not want to give FTP more bandwidth Figure 330 FTP WAN to DMZ Bandwidth Management Example 29 1 3 6 FTP LAN to DMZ Bandwidth Management Example The LAN and DMZ zone interfaces are connected to Ethernet networks not an ADSL device so you limit both outbound...

Page 452: ...nt Example 29 2 Application Patrol General Screen Use this screen to enable and disable application patrol It also lists the registration status and details about the signature set the ZyWALL is using Note You must register for the IDP AppPatrol signature service at least the trial before you can use it See Chapter 8 on page 153 for how to register BWM Outbound 50 Mbps BWM Inbound 50 Mbps ...

Page 453: ... maximize the throughput of SIP traffic to improve SIP based VoIP call sound quality This has the ZyWALL immediately send SIP traffic upon identifying it The ZyWALL ignores any other application patrol rules for SIP traffic so there is no bandwidth control for SIP traffic When this option is enabled the ZyWALL also does not record SIP traffic bandwidth usage statistics Registration The following f...

Page 454: ...tion The following fields display information on the current signature set that the ZyWALL is using Current Version This field displays the IDP signature and anomaly rule set version number This number gets larger as the set is enhanced Released Date This field displays the date and time the set was released Update Signatures Click this link to go to the screen you can use to download signatures f...

Page 455: ...oices are forward drop and reject Modify This column provides icons to activate and deactivate each application and to edit the settings for each one To activate or deactivate patrol for an application click the Active icon for the corresponding application Make sure you click Apply to save and apply the change To edit the settings for an application click the Edit icon next to the application The...

Page 456: ...ionality you might improve the performance of the ZyWALL by putting more common conditions at the top of the list Port This field displays the specific port number to which this policy applies Schedule This is the schedule that defines when the policy applies any means the policy is active at all times if enabled User This is the user name or user group to which the policy applies If any displays ...

Page 457: ...on with higher priority is given bandwidth before traffic of an application with lower priority The ZyWALL ignores this number if the incoming and outgoing limits are both set to 0 In this case the traffic is automatically treated as being set to the lowest priority 7 regardless of this field s configuration Log This field shows whether the ZyWALL generates a log log a log and alert log alert or n...

Page 458: ...t Create Object to configure a new user account see Section 37 2 1 on page 618 for details Select any to apply the policy for every user From Select the source zone of the traffic to which this policy applies To Select the destination zone of the traffic to which this policy applies Source Select a source address or address group for whom this policy applies Select Create Object to configure a new...

Page 459: ...o the traffic the ZyWALL sends to a connection s initiator If you enter 0 here this policy does not apply bandwidth management for the application s traffic that the ZyWALL sends to the initiator Traffic with bandwidth management disabled inbound and outbound are both set to 0 is automatically treated as the lowest priority 7 If the sum of the bandwidths for routes using the same next hop is highe...

Page 460: ... gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority The ZyWALL uses a fairness based round robin scheduler to divide bandwidth between applications with the same priority The number in this field is ignored if the incoming and outgoing limits are both set to 0 In this case the traffic is automatically treated as being set to the lowe...

Page 461: ...lies any means the policy always applies User This is the user name or user group to which the policy applies If any displays the policy applies to all users From This is the source zone of the traffic to which this policy applies To This is the destination zone of the traffic to which this policy applies Source This is the source address or address group for whom this policy applies If any displa...

Page 462: ...ic is automatically treated as being set to the lowest priority 7 regardless of this field s configuration Log Select whether to have the ZyWALL generate a log log log and alert log alert or neither no when traffic matches this policy See Chapter 48 on page 763 for more on logs Add icon Click the Add icon in the heading row to add a new first entry The Active icon displays whether the entry is ena...

Page 463: ...o configure a new one see Chapter 40 on page 643 for details Otherwise select any to make the policy always effective User Select a user name or user group to which to apply the policy Select Create Object to configure a new user account see Section 37 2 1 on page 618 for details Select any to apply the policy for every user From Select the source zone of the traffic to which this policy applies T...

Page 464: ... a connection s initiator If you enter 0 here this policy does not apply bandwidth management for the matching traffic that the ZyWALL sends out from the initiator Traffic with bandwidth management disabled inbound and outbound are both set to 0 is automatically treated as the lowest priority 7 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission s...

Page 465: ...e see Chapter 48 on page 763 for more information no the ZyWALL does not record anything log the ZyWALL creates a record in the log log alert the ZyWALL creates an alert OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 133 AppPatrol Other Edit continued LABEL DESCRIPTION Table 134 AppPatrol Statistics General Setup LABEL ...

Page 466: ...tics The y axis represents the amount of bandwidth used The x axis shows the time period over which the bandwidth usage occurred A solid line represents a protocol s incoming bandwidth usage This is the protocol s traffic that the ZyWALL sends to the initiator of the connection A dotted line represents a protocol s outgoing bandwidth usage This is the protocol s traffic that the ZyWALL sends out f...

Page 467: ...application s traffic the ZyWALL has sent in kilobytes Dropped Data KB This is how much of the application s traffic the ZyWALL has discarded without notifying the client in kilobytes This traffic was dropped because it matched an application policy set to drop Rejected Data KB This is how much of the application s traffic the ZyWALL has discarded and notified the client that the traffic was rejec...

Page 468: ...ds out from the initiator of the connection So for a connection initiated from the LAN to the WAN the traffic sent from the LAN to the WAN is the outbound traffic Forwarded Data KB This is how much of the application s traffic the ZyWALL has sent in kilobytes Dropped Data KB This is how much of the application s traffic the ZyWALL has discarded without notifying the client in kilobytes This traffi...

Page 469: ...469 PART VI Anti X Anti Virus 471 IDP 487 ADP 521 Content Filtering 541 Content Filter Reports 567 Anti Spam 575 ...

Page 470: ...470 ...

Page 471: ...o interfaces to the LAN zone Figure 341 ZyWALL Anti Virus Example 30 1 1 What You Can Do in the Anti Virus Screens Use the General screens Section 30 2 on page 474 to turn anti virus on or off set up anti virus policies and check the anti virus engine type and the anti virus license and signature status Use the Black White List screen Section 30 3 on page 479 to set up anti virus black blocked and...

Page 472: ...cates itself The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected to wiping out the entire contents of a hard drive to rendering your computer inoperable ZyWALL Anti Virus Scanner The ZyWALL has a built in signature database Setting up the ZyWALL between your local network and the Internet allows the ZyWALL to scan files transmitting throug...

Page 473: ...can detect polymorphic viruses 2 When a virus is detected an alert message is displayed in Microsoft Windows computers Refer to Appendix C on page 879 if your Windows computer does not display the alert messages 3 Changes to the ZyWALL s anti virus settings affect new sessions not the sessions that already existed before you applied the changed settings 4 The ZyWALL does not scan the following fil...

Page 474: ...nti Virus to display the configuration screen as shown next Figure 342 Anti X Anti Virus General The following table describes the labels in this screen Table 136 Anti X Anti Virus General LABEL DESCRIPTION General Settings Click Advanced to display more settings Click Basic to display fewer settings Enable Anti Virus and Anti Spyware Select this check box to check traffic for viruses and spyware ...

Page 475: ... of traffic to scan for viruses FTP applies to traffic using the TCP port number specified for FTP in the ALG screen HTTP applies to traffic using TCP ports 80 8080 and 3128 SMTP applies to traffic using TCP port 25 POP3 applies to traffic using TCP port 110 IMAP4 applies to traffic using TCP port 143 Add icon Click the Add icon in the heading row to add a new first entry The Active displays wheth...

Page 476: ...ature set that the ZyWALL is using Anti Virus Engine Type This field displays whether the ZyWALL is set to use ZyXEL s anti virus engine or the one powered by Kaspersky Upgrading the ZyWALL to firmware version 2 11 and updating the anti virus signatures automatically upgrades the ZyXEL anti virus engine to v2 0 v2 0 has more virus signatures and offers improved non executable file scan throughput ...

Page 477: ...the ZyWALL apply this anti virus policy to check traffic for viruses From To Select source and destination zones for traffic to scan for viruses The anti virus policy has the ZyWALL scan traffic coming from the From zone and going to the To zone Protocols to Scan Select which protocols of traffic to scan for viruses HTTP applies to traffic using TCP ports 80 8080 and 3128 FTP applies to traffic us...

Page 478: ...ck List Select this check box to check files against the black list File decompression Enable file decompression ZIP and RAR Select this check box to have the ZyWALL scan a ZIP file the file does not have to have a zip or rar file extension The ZyWALL first decompresses the ZIP file and then scans the contents for viruses Note The ZyWALL decompresses a ZIP file once The ZyWALL does NOT decompress ...

Page 479: ...ti X Anti Virus General Add continued LABEL DESCRIPTION Table 138 Anti X Anti Virus Black White List Black List LABEL DESCRIPTION Enable Black List Select this check box to log and delete files with names that match the black list patterns Use the black list to log and delete files with names that match the black list patterns Total Rule This is the number of entries configured rules per page Sele...

Page 480: ...X Anti Virus Black White List Black List or White List Add Add icon This column provides icons to add activate deactivate edit and remove entries To add an entry click the Add icon at the top of the column Click an entry s Active icon to activate or deactivate the entry Make sure you click Apply to save and apply the change Click an entry s Edit icon to edit the entry To delete an entry click the ...

Page 481: ...viruses Use up to 80 characters Alphanumeric characters underscores _ dashes question marks and asterisks are allowed A question mark lets a single character in the file name vary For example use a zip without the quotation marks to specify aa zip ab zip and so on Wildcards let multiple files match the pattern For example use a zip without the quotation marks to specify any file that ends with a z...

Page 482: ...f x This is the number of the page of entries currently displayed and the total number of pages of entries Type a page number to go to or use the arrows to navigate the pages of entries This is the entry s index number in the list File Pattern This is the file name pattern If a file s name matches this pattern the ZyWALL does not check the file for viruses Add icon This column provides icons to ad...

Page 483: ...i X Anti Virus Signature LABEL DESCRIPTION Signatures Search Select the criteria on which to perform the search Select By Name from the drop down list box and type the name or part of the name of the signature s you want to find This search is not case sensitive Select By ID from the drop down list box and type the ID or part of the ID of the signature you want to find Select By Severity from the ...

Page 484: ...g to the ID Severity This is the severity level of the anti virus signature Click the severity column header to sort your search results by ascending or descending severity Category This column displays whether the signature is for identifying a virus or spyware Click the column heading to sort your search results by category Table 141 Anti X Anti Virus Signature continued LABEL DESCRIPTION Table ...

Page 485: ...ners cannot eliminate all viruses for a number of reasons HAV scanners are slow in stopping virus threats through real time traffic such as from the Internet HAV scanners may reduce computing performance as they also share the resources such as CPU time on the computer for file inspection You have to update the virus signatures and or perform virus scans on all computers in the network regularly A...

Page 486: ...0 User s Guide 486 NAV scanners stops virus threats at the network edge before they enter or exit a network NAV scanners reduce computing loading on computers as the read time data traffic inspection is done on a dedicated security device ...

Page 487: ...e 492 to add a new profile edit an existing profile or delete an existing profile Use the Anti X IDP Custom Signature screens Section 31 8 on page 506 to create a new signature edit an existing signature delete existing signatures or save signatures to your computer 31 1 2 What You Need To Know About IDP Packet Inspection Signatures A signature identifies a malicious or suspicious packet and speci...

Page 488: ...guration Changes to the ZyWALL s IDP settings affect new sessions not the sessions that already existed before you applied the changed settings Finding Out More See Section 5 4 15 on page 96 for IDP prerequisite information See Chapter 32 on page 521 for anomaly detection and protection See Section 31 9 on page 518 for more information on network based intrusions See Section 31 6 2 on page 499 for...

Page 489: ...rvice has not yet been registered a warning screen displays and IDP is not enabled Figure 348 Anti X IDP General The following table describes the screens in this screen Table 143 Anti X IDP General LABEL DESCRIPTION General Settings Enable Signature Detection You must register for IDP service in order to use packet inspection signatures If you don t have a standard license you can register for a ...

Page 490: ...window displays asking you to confirm that you want to delete the entry Note that subsequent entries move up by one when you take this action In a numbered list click the Move to N icon to display a field to type an index number for where you want to put that entry and press ENTER to move the entry to the number that you typed For example if you type 6 the entry you are moving becomes number 6 and...

Page 491: ...y gets larger as the set is enhanced Older signatures and rules may be removed if they are no longer applicable or have been supplanted by newer ones Released Date This field displays the date and time the set was released Update Signatures Click this link to go to the screen you can use to download signatures from the update server Apply Click Apply to save your changes Reset Click Reset to start...

Page 492: ...own attacks while anomaly detection looks for abnormal behavior see Chapter 32 on page 521 for information on anomaly detection 31 3 1 Base Profiles The ZyWALL comes with several base profiles You use base profiles to create new profiles In the Anti X IDP Profile screen click the Add icon to display the following screen Figure 350 Base Profiles IDP Profile Select an IDP profile to apply to the ent...

Page 493: ...medium severity level two or three generate logs not log alerts and no action is taken on packets that trigger them Signatures with a very low severity level one are disabled lan This profile is most suitable for common LAN network services Signatures for common services such as DNS FTP HTTP ICMP IM IMAP MISC NETBIOS P2P POP3 RPC RSERVICE SMTP SNMP SQL TELNET TFTP MySQL are enabled Signatures with...

Page 494: ...each network is different false positives and false negatives are common on initial IDP deployment You could create a new monitor profile that creates logs but all actions are disabled Observe the logs over time and try to eliminate the causes of the false alarms When you re satisfied that they have been reduced to an acceptable level you could then create an inline profile whereby you configure a...

Page 495: ...xplorer opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive just click No to continue 3 Type a new profile name 4 Enable or disable individual signatures 5 Edit the default log options and actions 31 6 Profiles Packet Inspection Select Anti X IDP Profile and then add a new or edit an existing profile select Packet inspection signat...

Page 496: ...Chapter 31 IDP ZyWALL USG 2000 User s Guide 496 31 6 1 Profile Group View Screen Figure 352 Anti X IDP Profile Edit Group View ...

Page 497: ...d it A service group is a group of related IDP signatures Message This is the name of the signature SID This is the signature ID identification number that uniquely identifies a ZyWALL signature Severity These are the severities as defined in the ZyWALL The number in brackets is the number you use if using commands Severe 5 These denote attacks that try to run arbitrary code or gain system privile...

Page 498: ...matches the signature s Neither sender nor receiver are notified reject sender Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the sender when a packet matches the signature If it is a TCP attack packet the ZyWALL will send a packet with a RST flag If it is an ICMP or UDP attack packet the ZyWALL will send an ICMP unreachable packet reje...

Page 499: ... users via networks connected computers After you enter a chat or chat room any room member can type a message that will appear on the monitors of all the other participants SPAM Spam is unsolicited junk e mail sent to large numbers of people to promote products or services DoS DDoS The goal of Denial of Service DoS attacks is not to steal information but to disable a device or network on the Inte...

Page 500: ...ter to another on a network A worm s uncontrolled replication consumes system resources thus slowing or stopping other tasks Backdoor Trojan A backdoor also called a trapdoor is hidden software or a hardware mechanism that can be triggered to gain access to a program online service or an entire computer system A Trojan horse is a harmful program that is hidden inside apparently harmless programs o...

Page 501: ...etting for service group logs and or actions all signatures within that group are returned to their last saved settings Figure 353 Anti X IDP Profile Edit IDP Service Group 31 6 4 Profile Query View Screen Click Switch to query view in the screen as shown in Figure 352 on page 496 to go to a signature query screen In the query view screen you can search for ...

Page 502: ...ery Signatures Select the criteria on which to perform the search Search all custom signatures Select this check box to search for signatures you created or imported in the Custom Signatures screen You can search by name or ID If the name and ID fields are left blank then all custom signatures are displayed Name Type the name or part of the name of the signature s you want to find Signature ID Typ...

Page 503: ...er several pages depending on how broad the search criteria selected were The tighter the criteria selected the fewer the signatures returned Query Result The results are displayed in a table showing the SID Name Severity Attack Type Platform Service Activation Log and Action criteria as selected in the search Click the SID column header to sort search results by signature ID Total IDP This displa...

Page 504: ... Query Example Search Criteria Figure 356 Query Example Search Results 31 7 Introducing IDP Custom Signatures Create custom signatures for new attacks or attacks peculiar to your network Custom signatures can also be saved to from your computer so as to share with others ...

Page 505: ...e particular quality of service needs from the network Total Length This is the size of the datagram in bytes It is the combined length of the header and the data Identification This is a 16 bit number which together with the source address uniquely identifies this packet It is used during reassembly of fragmented datagrams Flags Flags are used to control whether routers are allowed to fragment a ...

Page 506: ...n an IP network Source IP Address This is the IP address of the original sender of the packet Destination IP Address This is the IP address of the final destination of the packet Options IP options is a variable length list of IP options for a datagram that define IP Security Option IP Stream Identifier security and handling restrictions for the military Record Route have each router record its IP...

Page 507: ... and it must be in the 9000000 to 9999999 range Name This is the name of your custom signature Duplicate names can exist but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent Add Edit Click the Add icon to create a new signature or click the Edit icon to edit an existing signature Delete Use this column ...

Page 508: ...en to import custom signatures previously saved to your computer to the ZyWALL Note The name of the complete custom signature file on the ZyWALL is custom rules If you import a file named custom rules then all custom signatures on the ZyWALL are overwritten with the new file If this is not your intention make sure that the files you import are not named custom rules File Path Type the file path an...

Page 509: ...USG 2000 User s Guide 509 Try to write signatures that target a vulnerability for example a certain type of traffic on certain operating systems instead of a specific exploit Figure 359 Anti X IDP Custom Signatures Add Edit ...

Page 510: ...s the operating systems you want to protect from this intrusion SGI refers to Silicon Graphics Incorporated who manufactures multi user Unix workstations that run the IRIX operating system SGI s version of UNIX A router is an example of a network device Service Select the IDP service group that the intrusion exploits or targets See Table 149 on page 500 for a list of IDP service groups The custom ...

Page 511: ...lect Equal Smaller or Greater and then type in a number IP Options IP options is a variable length list of IP options for a datagram that define IP Security Option IP Stream Identifier security and handling restrictions for the military Record Route have each router record its IP address Loose Source Routing specifies a list of IP addresses that must be traversed by the datagram Strict Source Rout...

Page 512: ...ck Sequence Number Use this field to check for a specific TCP sequence number Ack Number Use this field to check for a specific TCP acknowledgement number Window Size Use this field to check for a specific TCP window size Transport Protocol UDP Port Select the check box and then enter the source and destination UDP port numbers that will trigger this signature Transport Protocol ICMP Type Use this...

Page 513: ...ity for example an electronic document an image a service today s weather report for Taiwan a collection of other resources An identifier is an object that can act as a reference to something that has identity Example URIs are ftp ftp is co za rfc rfc1808 txt ftp scheme for File Transfer Protocol services http www math uio no faq compression faq part1 html http scheme for Hypertext Transfer Protoc...

Page 514: ...e positives As an example say you want to create a signature for the Microsoft Windows Plug and Play Service Remote Overflow MS 05 39 attack Search the Security Focus web site and you will find it uses the NetBIOS service in established TCP connections to a server using port 445 31 8 2 2 Analyze Packets Then use a packet sniffer such as TCPdump or Ethereal to investigate some more From the NetBIOS...

Page 515: ...ent of the SMB header Add FF SMB and TransactionNmPipe to the signature as the next patterns Figure 361 Custom Signature Example Pattern 2 Figure 362 Custom Signature Example Patterns 3 and 4 The final custom signature should look like as shown in the following figure ...

Page 516: ...Chapter 31 IDP ZyWALL USG 2000 User s Guide 516 If the attack occurs check the logs for a log of your custom signature This indicates the signature works correctly Figure 363 Example Custom Signature ...

Page 517: ...ng Custom Signatures You should configure the signature to create a log when an attack packet matches the signature You may also want to configure an alert if the attack is more serious and needs more immediate attention After you apply the signature to a zone you can see if it works by checking the logs Maintenance Logs View Log All IDP signatures come under the IDP category The Priority column s...

Page 518: ... calls to the kernel or APIs in order to prevent attacks as well as log them Disadvantages of host IDPs are that you have to install them on each device that you want to protect in your network and due to the necessarily tight integration with the host operating system future operating system upgrades could cause problems Network Intrusions Network based intrusions have the goal of bringing down a...

Page 519: ...e option keywords The rule header contains the rule s Action Protocol Source and destination IP addresses and netmasks Source and destination ports information The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken These are some equivalent Snort terms in the ZyWALL Table 154 ZyWALL Snort Equi...

Page 520: ...col ICMP Type itype Code icode ID icmp_id Sequence Number icmp_seq Payload Options Snort rule options Payload Size dsize Offset relative to start of payload offset Relative to end of last match distance Content content Case insensitive nocase Decode as URI uricontent Table 154 ZyWALL Snort Equivalent Terms continued ZYWALL TERM SNORT EQUIVALENT TERM ...

Page 521: ...tion 2 ADP traffic and anomaly rules are updated when you upload new firmware This is different from the IDP packet inspection signatures and the system protect signatures you download from myZyXEL com 32 1 2 What You Can Do Using the ADP Screens Use Anti X ADP General Section 32 2 on page 523 to turn anomaly detection on or off and apply anomaly profiles to traffic directions Use Anti X ADP Profi...

Page 522: ... apply ADP profiles to traffic flowing from one zone to another Base ADP Profiles Base ADP profiles are templates that you use to create new ADP profiles The ZyWALL comes with several base profiles See Table 157 on page 526 for details on ADP base profiles ADP Policy An ADP policy refers to application of an ADP profile to a traffic flow Finding Out More See Section 5 4 16 on page 96 for ADP prere...

Page 523: ...ection Policies Use this list to specify which anomaly profile the ZyWALL uses for traffic flowing in a specific direction Priority This is the rank in the list of anomaly profile policies The list is applied in order of priority From To This is the direction of travel of packets to which an anomaly profile is bound Note Depending on your network topology and traffic load applying every packet dir...

Page 524: ... entry below the current entry Click the Remove icon to delete an existing entry from the ZyWALL A window displays asking you to confirm that you want to delete the entry Note that subsequent entries move up by one when you take this action In a numbered list click the Move to N icon to display a field to type an index number for where you want to put that entry and press ENTER to move the entry t...

Page 525: ...ZyWALL itself To Use the To field to specify the zone to which the traffic is going Select ZyWALL to specify traffic destined for the ZyWALL itself From LAN To LAN means packets traveling from a computer on one LAN subnet to a computer on another LAN subnet via the ZyWALL s LAN zone interfaces The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subne...

Page 526: ... DESCRIPTION all All traffic anomaly and protocol anomaly rules are enabled Rules with a high or severe severity level greater than three generate log alerts and cause packets that trigger them to be dropped Rules with a very low low or medium severity level less than or equal to three generate logs not log alerts and no action is taken on packets that trigger them none All traffic anomaly and pro...

Page 527: ...eby you configure appropriate actions to be taken when a packet matches a rule ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles To create a new profile select a base profile see Table 157 on page 526 and then click OK to go to the profile details screen Type a new profile name enable or disable individual rules and then edit the default log options and actions 32 3 4 ...

Page 528: ...Chapter 32 ADP ZyWALL USG 2000 User s Guide 528 profile make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab Figure 370 Profiles Traffic Anomaly ...

Page 529: ...nomaly attacks will be detected however you will have more logs and false positives Block Period Specify for how many seconds the ZyWALL blocks all packets from being sent to the victim destination of a detected anomaly attack Name This is the name of the traffic anomaly rule Click the Name column heading to sort in ascending or descending order according to the rule name Activation Click the icon...

Page 530: ...ration In the Anti X ADP Profile screen click the Edit icon or click the Add icon and choose a base profile then select the Protocol Anomaly tab If you made changes to other screens belonging to this profile make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab Cancel Click Cancel to return to the profile summary page without saving any changes Save Cl...

Page 531: ...Chapter 32 ADP ZyWALL USG 2000 User s Guide 531 Figure 371 Profiles Protocol Anomaly ...

Page 532: ... ascending or descending order according to the protocol anomaly rule name Activation Click the icon to enable or disable a rule or group of rules Log Select whether to have the ZyWALL generate a log log log and alert log alert or neither no when traffic matches this anomaly rule See Chapter 48 on page 763 for more on logs Action Select what the ZyWALL should do when a packet matches a rule none T...

Page 533: ... and ICMP protocols in use by the remote computer but also additional IP protocols such as EGP Exterior Gateway Protocol or IGP Interior Gateway Protocol Determining these additional protocols can help reveal if the destination device is a workstation a printer or a router Decoy Port Scans Decoy port scans are scans where the attacker has spoofed the source address These are some decoy scan types ...

Page 534: ...e These are some filtered port scan examples Flood Detection Flood attacks saturate a network with useless data use up all available bandwidth and therefore make communications in the network impossible ICMP Flood Attack An ICMP flood is broadcasting many pings or UDP packets so that so much data is sent to the system that it slows it down or locks it up Smurf A smurf attacker A floods a router B ...

Page 535: ...t starts a session by sending a SYN synchronize packet to a server The receiver returns an ACK acknowledgment packet and its own SYN and then the initiator responds with an ACK acknowledgment After this handshake a connection is established Figure 373 TCP Three Way Handshake A SYN flood attack is when an attacker sends a series of SYN packets Each packet causes the receiver to reply with a SYN ACK...

Page 536: ...protocol and it does not require any connection setup procedure to transfer data A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system When the victim system receives a UDP packet it will determine what application is waiting on the destination port When it realizes that there is no application that is waiting on the port it will generate an ICMP ...

Page 537: ... to get information or privileges from a web server DIRECTORY TRAVERSAL ATTACK This rule normalizes directory traversals and self referential directories So abc this_is_not_a_real_dir xyz get normalized to abc xyz Also abc xyz gets normalized to abc xyz If a user wants to configure an alert then specify yes otherwise no This alert may give false positives since some web sites refer to files using ...

Page 538: ...F 8 unicode sequences that are in the URI This abides by the unicode standard and only uses encoding Apache uses this standard so for any Apache servers make sure you have this option turned on When this rule is enabled ASCII decoding is also enabled to enforce correct functioning WEBROOT DIRECTORY TRAVERSAL ATTACK This is when a directory traversal traverses past the web server root directory Thi...

Page 539: ...CATED HEADER ATTACK This is when a UDP packet is sent which has a UDP datagram length of less the UDP header length This may cause some applications to crash UNDERSIZE LEN ATTACK This is when a UDP packet is sent which has a UDP length field of less than 8 bytes This may cause some applications to crash ICMP Decoder TRUNCATED ADDRESS HEADER ATTACK This is when an ICMP packet is sent which has an I...

Page 540: ...Chapter 32 ADP ZyWALL USG 2000 User s Guide 540 ...

Page 541: ...ing Content Filtering Content filtering allows you to block certain web features such as cookies and or block access to specific web sites It can also block access to specific categories of web site content You can create different content filter policies for different addresses schedules users or groups and content filter profiles For example you can configure one policy that blocks John Doe s ac...

Page 542: ...bers When a matching policy is found the content filter allows or blocks the request depending on the settings of the filtering profile specified by the policy Some requests may not match any policy The ZyWALL allows the request if the default policy is not set to block The ZyWALL blocks the request if the default policy is set to block External Web Filtering Service When you register for and enab...

Page 543: ...on 33 8 on page 564 for content filtering background technical information 33 1 3 Before You Begin You must configure an address object a schedule object and a filtering profile before you can set up a content filter policy You must subscribe to use the external database content filtering see the Licensing Registration screens 33 2 Content Filter General Screen Click Anti X Content Filter General ...

Page 544: ...s of the content filter policies Address A content filter policy applies to web access from the IP addresses listed here any means the content filter policy applies to all of the web access requests that the ZyWALL receives from any IP address Schedule This column displays the name of the schedule for each content filter policy You can define different policies for different time periods none mean...

Page 545: ...order they are listed The ZyWALL checks requests for Web sessions against the list of content filter policies starting from the first in the list The ZyWALL s content filter feature blocks or allows the Web session according to the first matching content filter policy and does not check any other content filter policies The ZyWALL does not perform content filter on Web session requests that do not...

Page 546: ...b page s category The query fails if the content filter is not active You can view content filter reports after you register the ZyWALL and activate the subscription service in the Registration screen see Chapter 34 on page 567 License Type This read only field displays what kind of service registration you have for the content filtering database None displays if you have not successfully register...

Page 547: ... of the time Address Select the address or address group for which you want to use this policy Select Create Object to configure a new address or address group Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any IP address Filter Profile Use the drop down list box to select the content filter profile that you want to use for this p...

Page 548: ...g and select which web site categories to block and or log Note You must register for external content filtering before you can use it See Section 8 2 on page 155 for how to register Table 164 Anti X Content Filter Filter Profile LABEL DESCRIPTION This column lists the index numbers of the content filter profiles Filtering Profile Name This column lists the names of the content filter profiles Add...

Page 549: ...Chapter 33 Content Filtering ZyWALL USG 2000 User s Guide 549 See Chapter 34 on page 567 for how to view content filtering reports Figure 378 Anti X Content Filter Filter Profile Add ...

Page 550: ...you register the ZyWALL and activate the subscription service in the Registration screen see Chapter 34 on page 567 License Type This read only field displays what kind of service registration you have for the content filtering database None displays if you have not successfully registered and activated the service Standard displays if you have successfully registered the ZyWALL and activated the ...

Page 551: ...ages that match the other categories that you select below When external database content filtering blocks access to a web page it displays the denied access message that you configured in the Content Filter General screen along with the category of the blocked web page Select Log to record attempts to access web pages that match the other categories that you select below Action for Unrated Web Pa...

Page 552: ...rnal content filtering s license key is invalid Select Log to record attempts to access web pages that occur when the external content filtering database is unavailable Content Filter Category Service Timeout Specify a number of seconds 1 to 60 for the ZyWALL to wait for a response from the external content filtering server If there is still no response by the time this period expires the ZyWALL b...

Page 553: ...connect and send user info sites that make extensive use of tracking cookies without a posted privacy statement and sites to which browser hijackers redirect users Usually does not include sites that can be marked as Spyware Malware Note Sites rated as spyware effects typically have a second category assigned with them Managed Categories These are categories of web pages based on their content Sel...

Page 554: ... It does not include pages that sell gambling related products or machines It also does not include pages for offline casinos and hotels as long as those pages do not meet one of the above requirements Violence Hate Racism This category includes pages that depict extreme physical harm to people or property or that advocate or provide instructions on how to cause such harm It also includes pages th...

Page 555: ...pages that offer educational information distance learning and trade school information or programs It also includes pages that are sponsored by schools educational facilities faculty or alumni groups Cultural Charitable Organization This category includes pages that nurture cultural understanding and foster volunteerism such as 4H the Lions and Rotary Clubs Also encompasses non profit association...

Page 556: ...ages that provide assistance in finding employment and tools for locating prospective employers News Media This category includes pages that primarily report information or comments on current events or contemporary issues of the day It also includes radio stations and magazines It does not include pages that can be rated in other categories Personals Dating This category includes pages that promo...

Page 557: ...ia essentially act as your personal hard drive on the Internet Remote Access Tools This category includes pages that primarily focus on providing information about and or methods that enables authorized access to and use of a desktop computer or private network remotely Shopping This category includes pages that provide or advertise the means to obtain goods or services It does not include pages t...

Page 558: ...sers including software that enables file search and sharing across a network without dependence on a central server Streaming Media MP3s This category includes pages that sell deliver or stream music or video content in any format including sites that provide downloads for such viewers Proxy Avoidance This category includes pages that provide information on how to bypass proxy server appliance fe...

Page 559: ... Messages 33 6 Content Filter Customization Screen Click Anti X Content Filter Filter Profile Add or Edit Customization to open the Customization screen You can create a list of good allowed web site addresses and a list of bad blocked web site addresses You can also block OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table ...

Page 560: ...tive name for this content filtering profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Enable Custom Service Select this check box to allow trusted web sites and block forbidden web sites Content filter list customization may be enabled and disabled without re entering these site names Allow Web tra...

Page 561: ...tes When this box is selected the ZyWALL will permit Java ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN In certain cases it may be desirable to allow Java ActiveX or Cookies from sites that are known and trusted Trusted Web Sites These are sites that you want to allow access to regardless of their content rating can be allowed by adding them to this list Add Trusted Web S...

Page 562: ...se up to 63 characters 0 9a z The casing does not matter Forbidden Web Sites This list displays the forbidden web sites already added Add Click this button when you have finished adding the host name in the text field above Delete Select a web site name from the Forbidden Web Sites list and then click this button to delete it from that list Blocked URL Keywords This section allows you to block Web...

Page 563: ...n s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure 381 Anti X Content Filter Cache The following table describes the labels in this screen Table 167 Anti X Content Filter Cache LABEL DESCRIPTION URL Cache Entry Flush Click this button to clear all web site addresses from the cache manually ...

Page 564: ...which access was allowed Point the triangle down to display the URLs to which access was allowed before the blocked URLs URL This is a web site s address that the ZyWALL previously checked with the external content filtering database Remaining Time minutes This is the number of minutes left before the URL entry is discarded from the cache Remove Click the Delete icon to remove the URL entry from t...

Page 565: ...configuration 3 Use the Content Filter Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses see Section 33 7 on page 562 All of the web site address records are also cleared from the local cache when the ZyWALL restarts 4 If the ZyWALL has no record of the web site it queries the external content filter database and simultaneously send...

Page 566: ...Chapter 33 Content Filtering ZyWALL USG 2000 User s Guide 566 ...

Page 567: ... register your device and activate the subscription services 34 2 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the categories you selected in your device content filter screen You need to register your iCard before you can view content filtering reports Alternatively you can also view content filtering rep...

Page 568: ...Chapter 34 Content Filter Reports ZyWALL USG 2000 User s Guide 568 2 Fill in your myZyXEL com account information and click Login Figure 383 myZyXEL com Login ...

Page 569: ...ys Click your ZyWALL s model name and or MAC address under Registered ZyXEL Products the ZyWALL 70 is shown as an example here You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen see Figure 385 on page 570 Figure 384 myZyXEL com Welcome ...

Page 570: ... 4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens Figure 385 myZyXEL com Service Management 5 In the Web Filter Home screen click the Reports tab Figure 386 Content Filter Reports Main Screen ...

Page 571: ...orts Figure 387 Content Filter Reports Report Home 7 Select a time period in the Date Range field either Allowed or Blocked in the Action Taken field and a category or enter the user name if you want to view single user reports and click Run Report The screens vary according to the report type you selected in the Report Home screen ...

Page 572: ...Chapter 34 Content Filter Reports ZyWALL USG 2000 User s Guide 572 8 A chart and or list of requested web site categories display in the lower half of the screen Figure 388 Global Report Screen Example ...

Page 573: ...ntent Filter Reports ZyWALL USG 2000 User s Guide 573 9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested Figure 389 Requested URLs Example ...

Page 574: ...Chapter 34 Content Filter Reports ZyWALL USG 2000 User s Guide 574 ...

Page 575: ...tus screen Section 35 6 on page 586 to see how many mail sessions the ZyWALL is currently checking and DNSBL statistics 35 1 2 What You Need to Know About Anti Spam White list Configure white list entries to identify legitimate e mail The white list entries have the ZyWALL classify any e mail that is from a specified sender or uses a specified header field and header value as being legitimate see ...

Page 576: ...use SMTP to send messages to a mail server The older POP2 requires SMTP for sending messages while the newer POP3 can be used with or without it This is why many e mail applications require you to specify both the SMTP server and the POP or IMAP server even though they may actually be the same server The ZyWALL s anti spam feature checks SMTP TCP port 25 and POP3 TCP port 110 e mails The anti spam...

Page 577: ...the routing addresses of e mail against DNSBLs and classify an e mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL Finding Out More See Section 35 8 on page 589 for more background information on anti spam 35 2 Before You Begin Configure your zones before you configure anti spam 35 3 The Anti Spam General Screen Click Anti X Anti Spam to open the Anti Spam Gene...

Page 578: ...e the ZyWALL allow the excess e mail sessions without any spam filtering Select Drop to have the ZyWALL drop mail connections to stop the excess e mail sessions The e mail client or server will have to re attempt to send or receive e mail later when the number of e mail sessions is under the threshold Policy Summary Priority This is the position of an anti spam policy in the list The ordering of y...

Page 579: ...Add icon in an entry to add an entry below the current entry Click the Remove icon to delete an existing entry from the ZyWALL A window displays asking you to confirm that you want to delete the entry Note that subsequent entries move up by one when you take this action In a numbered list click the Move to N icon to display a field to type an index number for where you want to put that entry and p...

Page 580: ... log alert An alert is an e mailed log for more serious events that may need more immediate attention Select this option to have the ZyWALL send an alert From To Select source and destination zones for traffic to scan for spam The anti spam policy has the ZyWALL scan traffic coming from the From zone and going to the To zone Protocols to Scan Select which protocols of traffic to scan for spam SMTP...

Page 581: ...eck box to check e mail against the ZyWALL s configured DNSBL domains The ZyWALL classifies e mail that matches a DNS black list as spam Actions for Spam Mail Use this section to set how the ZyWALL is to handle spam mail SMTP Select how the ZyWALL is to handle spam SMTP mail Select drop to discard spam SMTP mail Select forward to allow spam SMTP mail to go through Select forward with tag to add a ...

Page 582: ...any entries you want to display on each page Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries Type a page number to go to or use the arrows to navigate the pages of entries This is the entry s index number in the list Type This field displays whether the entry is based on the e mail s subject source or relay IP address source e mail...

Page 583: ...k e mail for a specific source or relay IP address Select E Mail Address to have the ZyWALL check e mail for a specific source e mail address or domain name Select Mail Header to have the ZyWALL check e mail for specific header fields and values Configure black list header entries to check for e mail from bulk mail programs or with content commonly used in spam Configure white list header entries ...

Page 584: ...List and then the White List tab to display the Anti Spam White List screen Configure the white list to identify legitimate e mail You can create white list entries based on the sender s or relay s IP address or e mail address You can also Mail Header Field Name This field displays when you select the Mail Header type Type the name part of an e mail header the part that comes before the colon Use ...

Page 585: ...e arrows to navigate the pages of entries This is the entry s index number in the list Type This field displays whether the entry is based on the e mail s subject source or relay IP address source e mail address or a header Content This field displays the subject content source or relay IP address source e mail address or header value for which the entry checks Add icon This column provides icons ...

Page 586: ...the ZyWALL DNSBL Spam Tag Enter a message or label up to 15 ASCII characters to add to the beginning of the mail subject of e mails that have a sender or relay IP address in the header that matches a black list maintained by one of the DNSBL domains listed in the ZyWALL This tag is only added if the anti spam policy is configured to forward spam mail with a spam tag Max IPs Checking Per Mail Set u...

Page 587: ...meout tag to the mail subject of an POP3 mail and send it Timeout Value Set how long the ZyWALL waits for a reply from the DNSBL domains listed below If there is no reply before this time period expires the ZyWALL takes the action defined in the relevant Actions when Query Timeout field Timeout Tag Enter a message or label up to 15 ASCII characters to add to the mail subject of e mails that the Zy...

Page 588: ...tion Figure 396 Anti X Anti Spam DNSBL Add The following table describes the labels in this screen 35 7 The Anti Spam Status Screen Click Anti X Anti Spam Status to display the Anti Spam Status screen Use the Anti Spam Status screen to see how many e mail sessions the anti spam feature is scanning and statistics for the DNSBLs Figure 397 Anti X Anti Spam Status Table 174 Anti X Anti Spam DNSBL Add...

Page 589: ...ow much of the ZyWALL s total spam checking capability is currently being used The lighter shaded part of the bar and the pop up show the historical high The first number to the right of the bar is how many e mail sessions the ZyWALL is presently checking for spam The second number is the maximum number of e mail sessions that the ZyWALL can check at once An e mail session is when an e mail client...

Page 590: ... mail as spam or legitimate have no effect The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours The ZyWALL checks an e mail s sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache Here is an example of an e mail classified as spam based on DNSBL replies Figure 398 DNSBL Spam Detection Example 1 The...

Page 591: ... c and relayed by an e mail server at IP address d d d d The ZyWALL sends a separate query to each of its DNSBL domains for IP address c c c c The ZyWALL sends another separate query to each of its DNSBL domains for IP address d d d d 2 DNSBL B replies that IP address d d d d does not match any entries in its list not spam 3 DNSBL C replies that IP address c c c c does not match any entries in its...

Page 592: ...rate query to each of its DNSBL domains for IP address w x y z 2 DNSBL A replies that IP address a b c d does not match any entries in its list not spam 3 While waiting for a DNSBL reply about IP address w x y z the ZyWALL receives a reply from DNSBL B saying IP address a b c d is in its list 4 The ZyWALL immediately classifies the e mail as spam and takes the action for spam that you defined in t...

Page 593: ...593 PART VII Device HA Device HA 595 ...

Page 594: ...594 ...

Page 595: ...ve Passive Mode screens Section 36 3 on page 598 to use active passive mode device HA You can configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs Use the Legacy Mode screens Section 36 5 on page 604 to use legacy mode device HA You can configure general legacy mode HA settings including link monitoring configure t...

Page 596: ...i virus IDP application patrol and system protect and certificates Note Only ZyWALLs of the same model and firmware version can synchronize Otherwise you must manually configure the master ZyWALL s settings on the backup by editing copies of the configuration files in a text editor for example Finding Out More See Section 5 4 8 on page 93 for related information on these screens See Section 36 7 o...

Page 597: ...yWALLs such as active active or using different ZyWALLs as the master for individual interfaces The master and its backups must all use the same device HA mode Click the link to go to the screen where you can configure the ZyWALL to use the device HA mode that it is not currently using Monitored Interface Summary This table shows the status of the interfaces that you selected for monitoring in the...

Page 598: ...splays the monitored interface s status in the virtual router Active This interface is up and using the virtual IP address and subnet mask Stand By This interface is a backup interface in the virtual router It is not using the virtual IP address and subnet mask Fault This interface is not functioning in the virtual router right now In active passive mode or in legacy mode with link monitoring enab...

Page 599: ...nd backup ZyWALLs Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL Virtual Router and Management IP Addresses If a backup takes over for the master it uses the master s IP addresses These IP addresses are know as the virtual router IP addresses Each interface can also have a management IP addres...

Page 600: ...ment IP Addresses 36 3 1 Configuring Active Passive Mode Device HA The Device HA Active Passive Mode screen lets you configure general active passive mode device HA settings view and manage the list of monitored interfaces and synchronize backup ZyWALLs To access this screen click Device HA Active Passive Mode Figure 406 Device HA Active Passive Mode A 192 168 1 1 B 192 168 1 1 192 168 1 5 192 168...

Page 601: ...is master the ZyWALL preempts by default Cluster Settings Click Advanced to display more settings Click Basic to display fewer settings Cluster ID Type the cluster ID number A virtual router consists of a master ZyWALL and all of its backup ZyWALLs If you have multiple ZyWALL virtual routers on your network use a different cluster ID for each virtual router Authentication Select the authentication...

Page 602: ...ce s IP address the virtual router IP address Server Address If this ZyWALL is set to backup role enter the IP address or Fully Qualified Domain Name FQDN of the ZyWALL from which to get updated configuration Usually you should enter the IP address or FQDN of a virtual router on a secure network If this ZyWALL is set to master role this field displays the ZyWALL s IP addresses and or Fully Qualifi...

Page 603: ...cified Interval the ZyWALL does not synchronize immediately Interval When you select Auto Synchronize set how often the ZyWALL synchronizes with the master Apply This appears when the ZyWALL is currently using active passive mode device HA Click Apply to save your changes back to the ZyWALL Apply switch to Active Passive Mode This appears when the ZyWALL is currently configured for legacy mode dev...

Page 604: ...ic IP addresses You can only enable one VRRP group for each interface and you can only have one active VRRP group for each virtual router If you create a VRRP group for an Ethernet interface that has a VLAN interface configured on it make sure you create a separate VRRP group for the VLAN interface This will avoid an IP conflict if the backup ZyWALL takes over for the master Virtual Router IP VRIP...

Page 605: ... uses IP protocol 51 AH instead of IP protocol 112 VRRP Link Monitoring and Management Access Link monitoring has a backup ZyWALL take over all of an unavailable master ZyWALL s static IP addresses This way the backup ZyWALL takes over all of the master ZyWALL s functions This also means you can only access the original master ZyWALL through its management IP address 36 6 Configuring the Legacy Mo...

Page 606: ...address not the management IP address of the VRRP group Backup This interface is a backup interface in the virtual router The interface may use its static IP address or the management IP address of the VRRP group depending on whether or not the backup has become the master VRID This field displays the virtual router ID number Virtual Router IP Netmask This is the interface s IP address and subnet ...

Page 607: ... synchronization This password is different than the one that is used for authentication in the VRRP group Every ZyWALL in the virtual router must use the same password If you leave this field blank in the master ZyWALL it does not allow any backup ZyWALLs to synchronize from it If you leave this field blank in a backup ZyWALL it cannot synchronize from the master ZyWALL Auto Synchronize Select th...

Page 608: ... in the virtual router The virtual router uses the VRID The name can consist of alphanumeric characters the underscore and the dash and may be up to fifteen characters long Description Type the description of the VRRP group This field is only for your reference It may be up to sixty printable ASCII characters long Interface Name Select the interface in this device that is part of the virtual route...

Page 609: ... preempts by default Virtual Router Settings Click Advanced to display more settings Click Basic to display fewer settings VRID Type the virtual router ID number Virtual Router IP VRIP Subnet Mask Type the interface s IP address and subnet mask in the virtual router Authentication Select the authentication method used in the virtual router Every interface in a virtual router must use the same auth...

Page 610: ...ation The VR ID is not shown In normal operation ZyWALL A is the master It has the same IP address as the default gateway and forwards traffic for the network ZyWALL B is a backup It is using its management IP address 192 168 10 112 ZyWALL A sends regular messages to ZyWALL B to let ZyWALL B know that ZyWALL A is available If ZyWALL A becomes unavailable it stops sending messages to ZyWALL B ZyWAL...

Page 611: ...ow many VRRP groups you might configure The ZyWALL uses Secure FTP on a port number you can change to synchronize but it is still recommended that the backup ZyWALL synchronize with a master ZyWALL on a secure network The backup ZyWALL gets the configuration from the master ZyWALL The backup ZyWALL cannot become the master or be managed while it applies the new configuration This usually takes two...

Page 612: ...Chapter 36 Device HA ZyWALL USG 2000 User s Guide 612 The backup applies the entire configuration if it is different from the backup s current configuration ...

Page 613: ...613 PART VIII Objects User Group 615 Addresses 631 Services 637 Schedules 643 AAA Server 649 Authentication Method 661 Certificates 665 ISP Accounts 687 SSL Application 691 ...

Page 614: ...614 ...

Page 615: ...sers and other user groups You cannot put admin users in user groups The Setting screen see Section 37 4 on page 622 controls default settings login settings lockout settings and other user settings for the ZyWALL You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them 37 1 2 What You Need To Know About User Groups User Account A user account ...

Page 616: ...te an Ext User using the local database the attempt always fails Once an Ext User user has been authenticated the ZyWALL tries to get the user type see Table 181 on page 615 from the external server If the external server does not have the information the ZyWALL sets the user type for this session to User For the rest of the user attributes such as reauthentication time the ZyWALL checks the follo...

Page 617: ...ALL first The ZyWALL is then aware of the user who is logged in and you can create user aware policies that define what services they can use See Section 37 4 3 on page 629 for a user aware login example Forced User Authentication Instead of making users for which user aware policies have been configured go to the ZyWALL Login screen manually you can configure the ZyWALL to display the Login scree...

Page 618: ...contain the following characters Alphanumeric A z 0 9 there is no unicode support _ underscores Table 182 Object User Group LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific user User Name This field displays the user name of each user Description This field displays the description for each user Add icon This column provides icons to add edit and remove u...

Page 619: ...via CIFS or FTP it will use the account settings used for BOB not bob User names have to be different than user group names Here are the reserved user names To access this screen go to the User screen see Section 37 2 on page 618 and click either the Add icon or an Edit icon Figure 413 User Group User Edit adm admin any bin daemon debug devicehaecived ftp games halt ldap users lp mail news nobody ...

Page 620: ... the Ext User user type Enter the password again Description Enter the description of each user if any You can use up to 60 printable ASCII characters Default descriptions are provided Authentication Timeout Settings If you want to set authentication timeout to a value other than the default settings select Use Manual Settings then fill your preferred values in the fields that follow Lease Time En...

Page 621: ...RIPTION This field is a sequential value and it is not associated with a specific user group Group Name This field displays the name of each user group Description This field displays the description for each user group Member This field lists the members in the user group Each member is separated by a comma Add icon This column provides icons to add edit and remove user groups To add a user group...

Page 622: ... the name for this user group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive User group names have to be different than user names Description Enter the description of the user group if any You can use up to 60 characters punctuation marks and spaces Available This field displays the names of the users and us...

Page 623: ...n this screen Table 186 Object User Group Setting LABEL DESCRIPTION User Authentication Timeout Settings Default Authentication Timeout Settings This authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authenti...

Page 624: ... automatically renewed before the lease time expires Reauthentication Time minutes This is the default reauthentication time for each type of user account It defines the number of minutes the user can be logged into the ZyWALL in one session before having to log in again Unlike Lease Time the user has no opportunity to renew the session without logging out Edit Click the icon to open a screen wher...

Page 625: ... before the IP address is locked out for the specified lockout period The number must be between 1 and 99 Lockout period This field is effective when Enable logon retry limit is checked Type the number of minutes the user must wait to try to login again if logon retry limit is enabled and the maximum retry count is reached This number must be between 1 and 65 535 about 45 5 days Force User Authent...

Page 626: ...nd satisfied Add icon This column provides icons to add edit move and remove conditions It also provides icons to activate and deactivate conditions To add a condition click the Add icon at the top of the column or next to each condition If you click the one at the top of the column the new condition is first in the list If you click the one next to a condition the new condition appears right belo...

Page 627: ...emote server such as RADIUS or LDAP See Ext User Accounts on page 616 for more information about this type Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Admin users renew the session every time the main screen refreshes in the w...

Page 628: ...orce or whether users do not have to log in skip when this condition is checked and satisfied Source Address Select a source IP address object or select Create Object to configure a new one Select any if this condition applies to traffic from all source addresses Destination Address Select the destination address of traffic to which this condition applies or select Create Object to configure a new...

Page 629: ... you specified The default value is the lease time that you specified Renew Access users can click this button to reset the lease time the amount of time remaining before the ZyWALL automatically logs them out The ZyWALL sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 37 2 1 on page 618 Lease time field...

Page 630: ... that creates the user accounts See Chapter 47 on page 751 for more information about shell scripts Remaining time before lease timeout This field displays the amount of lease time that remains though the user might be able to reset it Remaining time before auth timeout This field displays the amount of time that remains before the ZyWALL automatically logs the access user out regardless of the le...

Page 631: ...Groups Address objects and address groups are used in dynamic routes firewall rules application patrol content filtering and VPN connection policies For example addresses are used to specify where content restrictions apply in content filtering Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of ad...

Page 632: ...ific address Name This field displays the configured name of each address object Type This field displays the type of each address object INTERFACE means the object uses the settings of one of the ZyWALL s interfaces Address This field displays the IP addresses represented by each address object If the object s settings are based on one of the ZyWALL s interfaces the name of the interface displays...

Page 633: ...yWALL automatically updates the corresponding interface based LAN subnet address object IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the beginning of the range of IP addresses that t...

Page 634: ...ving your changes Table 192 Object Address Address Edit continued LABEL DESCRIPTION Table 193 Object Address Address Group LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific address group Name This field displays the name of each address group Description This field displays the description of each address group if any Add icon This column provides icons to...

Page 635: ...first character cannot be a number This value is case sensitive Description This field displays the description of each address group if any You can use up to 60 characters punctuation marks and spaces Available This field displays the names of the address and address group objects that can be added to the address group Select address and address group objects that you want to be members of this g...

Page 636: ...Chapter 38 Addresses ZyWALL USG 2000 User s Guide 636 ...

Page 637: ...ts the next level protocol that is sent in this packet This section discusses three of the most common IP protocols Computers use Transmission Control Protocol TCP IP protocol 6 and User Datagram Protocol UDP IP protocol 17 to exchange data with each other TCP guarantees reliable delivery but is slower and more complex Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less re...

Page 638: ...o send it Service Objects and Service Groups Use service objects to define IP protocols TCP applications UDP applications ICMP messages user defined services for other types of IP protocols These objects are used in policy routes firewall rules and IDP profiles Use service groups when you want to create the same rule for several services instead of creating separate rules for each service Service ...

Page 639: ...ge x of x This is the number of the page of entries currently displayed and the total number of pages of entries Type a page number to go to or use the arrows to navigate the pages of entries This field is a sequential value and it is not associated with a specific service Name This field displays the name of each service Content This field displays a description of each service Add icon This colu...

Page 640: ...alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive IP Protocol Select the protocol the service uses Choices are TCP UDP ICMP and User Defined Starting Port Ending Port This field appears if the IP Protocol is TCP or UDP Specify the port number s used by this service If you fill in one of these fields the service uses that port If...

Page 641: ... of each service group By default the ZyWALL uses services starting with Default_Allow_ in the firewall rules to allow certain services to connect to the ZyWALL Description This field displays the description of each service group if any Add icon This column provides icons to add edit and remove service groups To add a service group click the Add icon at the top of the column The Service Group Add...

Page 642: ...or dashes but the first character cannot be a number This value is case sensitive Description Enter a description of the service group if any You can use up to 60 printable ASCII characters Available This field displays the names of the service and service group objects that can be added to the service group Select service and service group objects that you want to be members of this group and cli...

Page 643: ...ll schedules in the ZyWALL Use the One Time Schedule Add Edit screen Section 40 2 1 on page 645 to create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 40 2 2 on page 646 to create or edit a recurring schedule 40 1 2 What You Need to Know About Schedules One time Schedules One time schedules begin on a specific start date and time and end on a specific stop date an...

Page 644: ...LABEL DESCRIPTION One Time This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Day Time This field displays the date and time at which the schedule begins Stop Day Time This field displays the date and time at which the schedule ends Add icon This column provides icons to a...

Page 645: ...is field displays the name of the schedule which is used to refer to the schedule Start Time This field displays the time at which the schedule begins Stop Time This field displays the time at which the schedule ends Add icon This column provides icons to add edit and remove schedules To add a schedule click the Add icon at the top of the column The Schedule Add Edit screen appears To edit a sched...

Page 646: ...ters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time Start Type the year month day hour and minute when the schedule begins Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 Hour 0 23 Minute 0 59 All of these fields are required Stop Type the year month day hour and minute when the schedule e...

Page 647: ...bels in this screen Table 201 Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time Start Type the hour and minute when the schedule begins each day Year disabled Month disabled Day dis...

Page 648: ...e Hour and Minute fields are both required To set all day 24 hours configure the stop hour to 23 and minute to 59 Weekly Week Days Select each day of the week the recurring schedule is effective OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 201 Object Schedule Edit Recurring continued LABEL DESCRIPTION ...

Page 649: ...e Chapter 42 on page 661 41 1 1 Directory Service AD LDAP Overview LDAP AD allows a client the ZyWALL to connect to a server to retrieve information from a directory A network example is shown next Figure 433 Example Directory Service Client and Server The following describes the user authentication procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The ZyWALL tr...

Page 650: ...ure The package contains server software and physical OTP tokens PIN generators Do the following to use OTP See the documentation included on the ASAS CD for details 1 Install the ASAS server software on a computer 2 Create user accounts on the ZyWALL and in the ASAS server 3 Import each token s database file located on the included CD into the server 4 Assign users to OTP tokens on the ASAS serve...

Page 651: ...d a protocol for controlling access to a network The directory consists of a database specialized for fast information retrieval and filtering activities You create and store user profile and login information on the external server RADIUS RADIUS Remote Authentication Dial In User Service authentication is a popular protocol used to authenticate users by means of an external or built in RADIUS ser...

Page 652: ...om ou Sales o MyCompany c US cn domain1 com ou Sales o MyCompany c JP Base DN A base DN specifies a directory A base DN usually contains information such as the name of an organization a domain name and or country For example o MyCompany c UK where o means organization and c means country Bind DN A bind DN is used to authenticate with an LDAP AD server For example a bind DN of cn zywallAdmin allow...

Page 653: ...ntication requests Enter a number between 1 and 65535 The default is 389 Bind DN Specify the bind DN for logging into the AD or LDAP server Enter up to 127 alphanumerical characters For example cn zywallAdmin specifies zywallAdmin as the user name Password If required enter the password up to 15 alphanumerical characters for the ZyWALL to bind or log in to the AD or LDAP server Base DN Specify the...

Page 654: ... LDAP Group to display the Active Directory or LDAP Group screen Figure 437 Object AAA Server Active Directory or LDAP Group The following table describes the labels in this screen Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server Apply Click Apply to save the changes Reset Click Reset to start configuring this screen again Table 202 Object AAA Server Active Director...

Page 655: ...ngs All AD or LDAP servers in a group share the same settings in the fields below Host Enter a descriptive name up to 63 alphanumerical characters for identification purposes Port Specify the port number on the AD or LDAP server s to which the ZyWALL sends authentication requests Enter a number between 1 and 65535 This port number should be the same on all AD or LDAP server s in this group Bind DN...

Page 656: ...en either the user information is not in the AD or LDAP server s or the AD or LDAP server s is down Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server s Host Members The ordering of the LDAP servers is important as the ZyWALL uses the AD or LDAP servers for user authentication in the order they appear in this table This field displays the index number Members Specify ...

Page 657: ...n Port The default port of the RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so with additional information Key Enter a password up to 15 alphanumeric characters as the key to be shared between the external authentication server and the ZyWALL The key is not sent over the network This key must be the same on the extern...

Page 658: ...w entry Click Edit to edit the settings of an entry Click Delete to remove an entry Table 206 Object AAA Server RADIUS Group continued LABEL DESCRIPTION Table 207 Object AAA Server RADIUS Group Add LABEL DESCRIPTION General Settings All RADIUS servers in a group share the same settings in the fields below Name Enter a descriptive name up to 63 alphanumeric characters for identification purposes Ke...

Page 659: ...appear in this table This field displays the index number Members Enter the IP address in dotted decimal notation or the domain name up to 63 alphanumeric characters of a RADIUS server Authentication Port The default port of the RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so with additional information Add icon Click...

Page 660: ...Chapter 41 AAA Server ZyWALL USG 2000 User s Guide 660 ...

Page 661: ... to view authentication method objects Use the Object Auth Method Add screen Section 42 3 on page 663 to create a new authentication method object Finding Out More See Section 6 5 3 on page 116 for an example of how to set up user authentication using a radius server 42 1 2 Before You Begin Configure AAA server objects see Chapter 41 on page 649 before you configure authentication method objects 4...

Page 662: ...mple Using Authentication Method in VPN 42 2 Viewing Authentication Method Objects Click Object Auth Method to display the screen as shown Note You can create up to 16 authentication method objects Figure 443 Object Auth Method The following table describes the labels in this screen Table 208 Object Auth Method LABEL DESCRIPTION This field displays the index number Method Name This field displays ...

Page 663: ...r objects to the table The ordering of the Method List column is important The ZyWALL authenticates the users using the databases in the local user database or the external authentication server in the order they appear in this screen If two accounts with the same username exist on two authentication servers you specify the ZyWALL does not continue the search on the second authentication server wh...

Page 664: ...ver object from the drop down list box You can create a server object in the AAA Server screen see Chapter 41 on page 649 for more information The ZyWALL authenticates the users using the databases in the local user database or the external authentication server in the order they appear in this screen If two accounts with the same username exist on two authentication servers you specify the ZyWALL...

Page 665: ...rtificate It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate 43 1 2 What You Need to Know About Certificates When using public key cryptology for authentication each host has two keys One key is public and can be made openly available The other key is private and must be kept secure These keys work like a handwritten signature in ...

Page 666: ...lgorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates A certification path is the hierarchy of certification authority certificates that validate a certificate The ZyWALL does not trust a certificate if any certificate on its path has expired or been revoked Certification authorities ma...

Page 667: ...rs and numerals to convert a binary PKCS 7 certificate into a printable form Binary PKCS 12 This is a format for transferring public key and private key certificates The private key in a PKCS 12 file is within a password encrypted envelope The file s password is not connected to your certificate s public or private passwords Exporting a PKCS 12 file creates this and you must provide it to decrypt ...

Page 668: ...pen the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields Figure 446 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields The secure method may very based on your situation Possible examples would be over the telephone or through an HTTPS con...

Page 669: ...e this is REQ represents a certification request and is not yet a valid certificate Send a certification request to a certification authority which then issues a certificate Use the My Certificate Import screen to import the certificate and replace the request SELF represents a self signed certificate CERT represents a certificate issued by a certification authority Subject This field displays ide...

Page 670: ...yWALL keeps all of your certificates unless you specifically delete them Uploading a new firmware or default configuration file does not delete your certificates Click the Delete icon to remove a certificate A window displays asking you to confirm that you want to delete the certificate Subsequent certificates move up by one when you take this action You cannot delete certificates that any of the ...

Page 671: ...rtificates Add LABEL DESCRIPTION Name Type a name to identify this certificate You can use up to 31 alphanumeric and _ characters Subject Information Use these fields to record information that identifies the owner of the certificate You do not have to fill in every field although the Common Name is mandatory The certification authority may add fields such as a serial number to the subject informa...

Page 672: ...cters the hyphen and the underscore Key Type Select RSA to use the Rivest Shamir and Adleman public key algorithm Select DSA to use the Digital Signature Algorithm public key algorithm Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Opti...

Page 673: ...net Engineering Task Force IETF and is specified in RFC 2510 CA Server Address This field applies when you select Create a certification request and enroll for a certificate immediately online Enter the IP address or URL of the certification authority server For a URL you can use up to 511 of the following characters a zA Z0 9 _ CA Certificate This field applies when you select Create a certificat...

Page 674: ...Create screen Click Return and check your information in the My Certificate Create screen Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online OK Click OK to begin certificate or certification request generation Cancel Click Cancel to quit and return to the My Certificates scree...

Page 675: ...rtificates Edit Screen Click Object Certificate My Certificates and then the Edit icon to open the My Certificate Edit screen You can use this screen to view in depth certificate information and change the certificate s name Figure 449 Object Certificate My Certificates Edit ...

Page 676: ...ificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority or generated ...

Page 677: ...y certificate into a printable form You can copy and paste a certification request into a certification authority s web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a ...

Page 678: ...ertificates screen You must remove any spaces from the certificate s filename before you can import it Figure 450 Object Certificate My Certificates Import The following table describes the labels in this screen OK Click OK to save your changes back to the ZyWALL You can only change the name Cancel Click Cancel to quit and return to the My Certificates screen Table 212 Object Certificate My Certif...

Page 679: ... LABEL DESCRIPTION Table 214 Object Certificate Trusted Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyWALL s PKI storage space that is currently in use When the storage space is almost full you should consider deleting expired or unnecessary certificates before adding more certificates This field displays the certificate index number The certific...

Page 680: ...lick the Edit icon to open a screen with an in depth list of information about the certificate The ZyWALL keeps all of your certificates unless you specifically delete them Uploading a new firmware or default configuration file does not delete your certificates Click the Delete icon to remove a certificate A window displays asking you to confirm that you want to delete the certificates Note that s...

Page 681: ...Chapter 43 Certificates ZyWALL USG 2000 User s Guide 681 revoked certificates before trusting a certificate issued by the certification authority Figure 452 Object Certificate Trusted Certificates Edit ...

Page 682: ...LDAP server details OCSP Server Select this check box if the directory server uses OCSP Online Certificate Status Protocol URL Type the protocol IP address and pathname of the OCSP server ID The ZyWALL may need to authenticate itself in order to assess the OCSP server Type the login name up to 31 ASCII characters from the entity maintaining the server usually a certification authority Password Typ...

Page 683: ...D5 hash algorithm Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already ex...

Page 684: ...ate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses lowercase letters uppercase letters and numerals to convert a binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text edi...

Page 685: ...tion in network traffic since the ZyWALL only gets information on the certificates that it needs to verify not a huge list When the ZyWALL requests certificate status information the OCSP server returns a expired current or unknown response Table 216 Object Certificate Trusted Certificates Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click...

Page 686: ...Chapter 43 Certificates ZyWALL USG 2000 User s Guide 686 ...

Page 687: ... More See Section 10 6 on page 186 for information about PPPoE PPTP interfaces See Section 5 5 on page 99 for related information on these screens 44 1 1 What You Can Do in the ISP Account Screens Use the Object ISP Account screens Section 44 2 on page 687 to create and manage ISP accounts in the ZyWALL 44 2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL To access...

Page 688: ... the profile name of the ISP account This name is used to identify the ISP account Protocol This field displays the protocol used by the ISP account Authentication Type This field displays the authentication type used by the ISP account User Name This field displays the user name of the ISP account Add icon This column provides icons to add edit and remove ISP accounts To add information about a n...

Page 689: ...accepts MSCHAP V2 only Encryption Method This field is available if this ISP account uses the PPTP protocol Use the drop down list box to select the type of Microsoft Point to Point Encryption MPPE Options are nomppe This ISP account does not use MPPE mppe 40 This ISP account uses 40 bit MPPE mppe 128 This ISP account uses 128 bit MMPE User Name Type the user name given to you by your ISP Password...

Page 690: ...ically disconnects from the PPPoE PPTP server This value must be an integer between 0 and 360 If this value is zero this timeout is disabled OK Click OK to save your changes back to the ZyWALL If there are no errors the program returns to the ISP Account screen If there are errors a message box explains the error and the program stays in the ISP Account Edit screen Cancel Click Cancel to return to...

Page 691: ...ation objects Use the SSL Application Edit screen to create or edit web based application objects to allow remote users to access an application via standard web browsers Section 45 2 1 on page 694 You can also use the SSL Application Edit screen to specify the name of a folder on a Linux or Windows file server which remote users can access using a standard web browser Section 45 2 2 on page 696 4...

Page 692: ...files and programs The LAN computer to be managed must have VNC Virtual Network Computing or RDP Remote Desktop Protocol server software installed The remote user s computer does not use VNC or RDP client software The ZyWALL works with the following remote desktop connection software RDP Windows Remote Desktop supported in Internet Explorer VNC RealVNC TightVNC UltraVNC For example user A uses an ...

Page 693: ...d select Web Server 6 Select Web Page Encryption to prevent users from saving the web content 7 Click Apply to save the settings The configuration screen should look similar to the following figure Figure 457 Example SSL Application Specifying a Web Site for Access 45 2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects Click Object...

Page 694: ...ect SSL Application LABEL DESCRIPTION This field displays the index number Name This field displays the name of the object Address This field displays the IP address URL of the application server or the location of a file share Type This field shows whether the object is a file sharing web server Outlook Web Access Virtual Network Computing or Remote Desktop Protocol SSL application Add icon This ...

Page 695: ...you enter remote in this field emote users can only access files in the remote directory If a link contains a file that is not within this domain then remote users cannot access it Preview This field displays if the Server Type is set to Web Server or OWA Click Preview to access the URL you specified in a new IE web browser Entry Point This field displays if the Server Type is set to Web Server or...

Page 696: ...e server for remote access Refer to the document that comes with your file server Figure 460 Object SSL Application Add Edit File Sharing The following table describes the labels in this screen Ok Click Ok to save the changes and return to the main SSL Application Configuration screen Cancel Click Cancel to discard the changes and return to the main SSL Application Configuration screen Table 220 O...

Page 697: ... name computer name share name For example if you enter my server Tmp this allows remote users to access all files and or folders in the Tmp share on the my server computer Preview Click Preview to display the file share in a new web browser Ok Click Ok to save the changes and return to the main SSL Application Configuration screen Cancel Click Cancel to discard the changes and return to the main ...

Page 698: ...Chapter 45 SSL Application ZyWALL USG 2000 User s Guide 698 ...

Page 699: ...699 PART IX System System 701 ...

Page 700: ...700 ...

Page 701: ...ystem SSH screen see Section 46 7 on page 732 to configure SSH Secure SHell used to securely access the ZyWALL s command line interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen see Section 46 8 on page 737 to configure Telnet to access the ZyWALL s command line interface Specify which zones allow Telnet access and from ...

Page 702: ... Name A host name is the unique name by which a device is known on a network Click System Host Name to open the Host Name screen Figure 461 System Host Name The following table describes the labels in this screen 46 3 Date and Time For effective scheduling and logging the ZyWALL system time must be accurate The ZyWALL s Real Time Chip RTC keeps track of the time and date There is Table 222 System ...

Page 703: ...PTION Current Time and Date Current Time This field displays the present time of your ZyWALL Current Date This field displays the present date of your ZyWALL Time and Date Setup Manual Select this radio button to enter the time and date manually If you configure a new time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date yo...

Page 704: ... difference between your time zone and Greenwich Mean Time GMT Enable Daylight Saving Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening Select this option if you use Daylight Saving Time Start Date Configure the day and time when Daylight Saving Time starts if you selected...

Page 705: ...aylight Saving Time ends in the United States on the first Sunday of November Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So in the United States you would select First Sunday November and type 2 in the at field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight S...

Page 706: ...nfiguring the Date Time screen To manually set the ZyWALL date and time 1 Click System Date Time 2 Select Manual under Time and Date Setup 3 Enter the ZyWALL s time in the New Time field 4 Enter the ZyWALL s date in the New Date field 5 Under Time Zone Setup select your Time Zone from the list 6 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for dayligh...

Page 707: ...in name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a machine before you can access it 46 5 1 DNS Server Address Assignment The ZyWALL can get the DNS server addresses in the following ways Table 225 System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of ...

Page 708: ...or ZyWALL system features like VPN DDNS and the time server You can also configure the ZyWALL to accept or discard DNS queries Use the Network Interface screens to configure the DNS server information that the ZyWALL sends to the specified DHCP client devices Figure 465 System DNS The following table describes the labels in this screen Table 226 System DNS LABEL DESCRIPTION Address PTR Record This...

Page 709: ...n name without the host For example zyxel com tw is the domain zone for the www zyxel com tw fully qualified domain name A means all domain zones From This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually DNS Server This is the IP address of a DNS server This field displays N A if you have the ZyWALL get a DNS server...

Page 710: ...ules are applied in sequence The entry with a hyphen instead of a number is the ZyWALL s non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allo...

Page 711: ...ecord Figure 466 System DNS Address PTR Record Edit The following table describes the labels in this screen 46 5 6 Domain Zone Forwarder A domain zone forwarder contains a DNS server s IP address The ZyWALL can query the DNS server to resolve domain zones for features like VPN DDNS and the time server A domain zone is a fully qualified domain name without the host Table 227 System DNS Address PTR ...

Page 712: ...DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP address es that the ISP assigns N A displays for any DNS server IP address fields for which the ISP does not as...

Page 713: ...d Click the Add icon in the MX Record table to add a MX record Figure 468 System DNS MX Record Add The following table describes the labels in this screen 46 5 10 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule Figure 469 System DNS Service Control Rule Add Table 229 System DNS MX Record Add LABEL DESCRIPTION Domain Name Enter the dom...

Page 714: ...traffic See To ZyWALL Rules on page 310 for more on To ZyWALL firewall rules Table 230 System DNS Service Control Rule Add LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to send DNS queries to the ZyWALL Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the ZyWALL Zone Select ALL to allow o...

Page 715: ...anagement session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling Each user is also forced to log in the ZyWALL for authentication again when the reauthentication time expires You can change the timeout settings in the User Group screens 46 6 3 HTTPS You can set the ZyWALL to use HTTP or HTTPS HTTPS adds security for Web...

Page 716: ...e HTTPS client must send the ZyWALL a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL Please refer to the following figure 1 HTTPS connection requests from an SSL aware web browser go to port 443 by default on the ZyWALL s web server 2 HTTP connection requests from a web browser go to port 80 by default on the ZyWALL s web server Figure 471...

Page 717: ...le to access the ZyWALL Web Configurator using secure HTTPs connections Server Port The HTTPS server listens on port 443 by default If you change the HTTPS server port to a different number on the ZyWALL for example 8443 then you must notify people who need to access the ZyWALL Web Configurator to use https ZyWALL IP Address 8443 as the URL Authenticate Client Certificates Select Authenticate Clie...

Page 718: ... This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of the IP address es with which the computer is allowed or denied to access Action This displays whether the computer with the IP address specified above can access the ZyWALL zone s configured in the Zone field Accept or not Deny Add icon Click the Add icon in the heading row to open a screen w...

Page 719: ... the computer is allowed or denied to access Action This displays whether the computer with the IP address specified above can access the ZyWALL zone s configured in the Zone field Accept or not Deny Add icon Click the Add icon in the heading row to open a screen where you can add a new rule Refer to Table 232 on page 720 for information on the fields Click the Edit icon to go to the screen where ...

Page 720: ...ystem Service Control Rule Edit LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the ZyWALL using this service Zone Select ALL to allow or prevent any ZyWALL zones from being accessed using this service Sel...

Page 721: ...Chapter 46 System ZyWALL USG 2000 User s Guide 721 access network services like the Internet See Chapter 37 on page 615 for more on access user accounts Figure 474 System WWW Login Page ...

Page 722: ...choose Enter the name of the desired color Enter a pound sign followed by the six digit hexadecimal number that represents the desired color For example use 000000 for black Enter rgb followed by red green and blue values in parenthesis and separate by commas For example use rgb 0 0 0 for black 1 Logo 2 Banner 3 Banner Floor 4 Title 5 Message color of all text 6 Note Message 7 Background 8 Window ...

Page 723: ...Floor Color Specify the color of the line below the banner that goes across the top of the login screen and access page Customized Login Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Message Color Specify the color of the screen s text Note Message Enter a note to d...

Page 724: ...he ZyWALL Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Message Color Specify the color of the screen s text Note Message Enter a note to display below the title Use up to 64 printable ASCII characters Spaces are allowed Window Background Set how the window s background looks To use a graphic select Picture and upload a graphic Specify t...

Page 725: ... 477 Security Alert Dialog Box Internet Explorer 46 6 7 2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate Click Examine Certificate if you want to verify that the certificate is from the ZyWALL If Accept this certificate temporarily for this session is select...

Page 726: ...suing certificate authority of the ZyWALL s HTTPS server certificate is not one of the browser s trusted certificate authorities The issuing certificate authority of the ZyWALL s factory default certificate is the ZyWALL itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a tru...

Page 727: ...ate if Authenticate Client Certificates is selected on the ZyWALL You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL s Trusted CA Web Configurator screen Figure 481 ZyWALL Trusted CA ...

Page 728: ...igure 482 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix 46 6 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next ...

Page 729: ...wizard Figure 483 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 484 Personal Certificate Import Wizard 2 ...

Page 730: ... you by the CA Figure 485 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 486 Personal Certificate Import Wizard 4 ...

Page 731: ...u should see the following screen when the certificate is correctly installed on your computer Figure 488 Personal Certificate Import Wizard 6 46 6 7 6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS 1 Enter https ZyWALL IP Address in your browser s web address field Figure 489 Access the ZyWALL Via HTTPS ...

Page 732: ...e example Figure 490 SSL Client Authentication 3 You next see the Web Configurator login screen Figure 491 Secure Web Configurator Login Screen 46 7 SSH You can use SSH Secure SHell to securely access the ZyWALL s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication and data enc...

Page 733: ...cure connection is established between two remote hosts using SSH v1 Figure 493 How SSH v1 Works Example 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server The client automatically saves any new ser...

Page 734: ...pports SSH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Archfour and Blowfish The SSH server is implemented on the ZyWALL for management using port 22 by default 46 7 3 Requirements for Using SSH You must install an SSH client program on a client computer Windows or Linux operating system that is used to connect to the ZyWALL over SSH 46 7 4 Configuring SSH Click ...

Page 735: ...onfigured in the My Certificates screen Click My Certificates and see Chapter 43 on page 665 for details Service Control This specifies from which computers you can access which ZyWALL zones This the index number of the service control rule Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of the IP address es with which the computer is all...

Page 736: ...ore Host Key Enter the password to log in to the ZyWALL The CLI screen displays next 46 7 5 2 Example 2 Linux This section describes how to access the ZyWALL using the OpenSSH client program that comes with most Linux distributions 1 Test whether the SSH service is available on the ZyWALL Enter telnet 192 168 1 1 22 at a terminal prompt and press ENTER The computer attempts to connect to port 22 o...

Page 737: ...and line interface Specify which zones allow Telnet access and from which IP address the access can come 46 8 1 Configuring Telnet Click System TELNET to configure your ZyWALL for remote Telnet access Use this screen to specify from which zones Telnet can be used to manage the ZyWALL You can also specify from which IP addresses the access can come Figure 498 System Telnet ssh 1 192 168 1 1 The aut...

Page 738: ...red rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of the IP address es with which the computer is allowed or denied to access Action This displays whether the computer with the IP address...

Page 739: ...number for a service if needed however you must use the same port number in order to use that service for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for FTP connections You must have certificates already configured in the My Certificates screen Click My Certificates and see Chapter 43 on page 665 for details Serv...

Page 740: ...to open a screen where you can add a new rule Refer to Table 232 on page 720 for information on the fields Click the Edit icon to go to the screen where you can edit the rule Click the Add icon in an entry to add a rule below the current entry Click the Delete icon to remove an existing rule A window display asking you to confirm that you want to delete the rule Note that subsequent rules move up ...

Page 741: ...twork management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that define each piece of information to be collected about a device Examples of variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager ...

Page 742: ... throughput The focus of the MIBs is to let administrators collect statistical data and monitor status and performance You can download the ZyWALL s MIBs from www zyxel com 46 10 2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs 46 10 3 Configuring SNMP To change your ZyWALL s SNMP settings click System SNMP tab The screen appears as shown Use ...

Page 743: ...t Community Enter the Set community which is the password for incoming Set requests from the management station The default is private and allows all requests Trap Community Type the trap community which is the password sent with each trap to the SNMP manager The default is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to Service Control This...

Page 744: ...rings The response strings tell the ZyWALL the tags or labels immediately preceding the various call parameters sent from the serial modem The response strings Action This displays whether the computer with the IP address specified above can access the ZyWALL zone s configured in the Zone field Accept or not Deny Add icon Click the Add icon in the heading row to open a screen where you can add a n...

Page 745: ...Enter some information about this connection Mute Select this check box to stop the external serial modem from making audible sounds during a dial in management session Answer Rings Set how many times the ZyWALL lets the incoming dial in management session ring before processing it Port Speed Use the drop down list box to select the speed of the connection between the ZyWALL s auxiliary port and t...

Page 746: ... your device s Vantage CNM settings Figure 503 System Vantage CNM The following table describes the labels in this screen Table 240 System Vantage CNM LABEL DESCRIPTION Vantage CNM Click Advanced to display more configuration fields or click Basic to display fewer fields Enable Select this check box to allow Vantage CNM to manage your ZyWALL Server IP Address FQDN Enter the IP address or fully qua...

Page 747: ... IP Specify the ZyWALL s IP address that allows Vantage CNM sessions This field applies when you select Custom in the Device Management IP field Keepalive Interval Set how often the ZyWALL sends a keep alive packet to the Vantage CNM server if there is no other traffic The keep alive packets maintain the Vantage CNM server s control session Periodic Inform Interval Select this option to have the Z...

Page 748: ...ystem Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL s Web Configurator screens You also need to open a new browser session to display the screens in the new language Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh ...

Page 749: ...749 PART X Maintenance Troubleshooting Specifications File Manager 751 Logs 763 Reports 777 Diagnostics 795 Reboot 797 Troubleshooting 799 Product Specifications 805 ...

Page 750: ...750 ...

Page 751: ...onfiguration File screen see Section 47 2 on page 754 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuration files from your computer to the ZyWALL Use the Firmware Package screen see Section 47 3 on page 758 to check your current firmware version and upload firmware to the ZyWALL Use the Shell Script screen see Sec...

Page 752: ... Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure ge3 interface ge3 ip address 172 23 37 240 255 255 255 0 ip gateway 172 23 37 254 metric 1 exit create address objects for remote management to ZyWALL firewall rules use the address group in case we want to open up remote manageme...

Page 753: ...onfiguration file or run a shell script the ZyWALL processes the file line by line The ZyWALL checks the first line and applies the line if no errors are detected Then it continues with the next line If the ZyWALL finds an error it stops applying the configuration file or shell script and generates a log You can change the way a configuration file or shell script is applied Include setenv stop on ...

Page 754: ... previous settings Configuration File Flow at Restart If there is not a startup config conf when you restart the ZyWALL whether through a management interface or by physically turning the power off and back on the ZyWALL uses the system default conf configuration file with the ZyWALL s default settings If there is a startup config conf the ZyWALL checks it for errors and applies it If there are no...

Page 755: ...ude the setenv startup stop on error off command The ZyWALL ignores any errors in the startup config conf file and applies all of the valid commands The ZyWALL still generates a log for any errors Figure 506 Maintenance File Manager Configuration File Do not turn off the ZyWALL while configuration file upload is in progress ...

Page 756: ...a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Rename Use this button to change the label of a configuration file on the ZyWALL You can only rename manually saved configuration files You cannot rename the lastgood conf system default conf and startup config conf files You cannot rename a configuration file to the ...

Page 757: ...and click Apply to reset all of the ZyWALL settings to the factory defaults This configuration file is included when you upload a firmware package The startup config conf file is the configuration file that the ZyWALL is currently using If you make and save changes during your management session the changes are applied to this configuration file The ZyWALL applies configuration changes made in the...

Page 758: ...e the anti virus Destroy compressed files that could not be decompressed option The ZyWALL classifies the firmware package as not being able to be decompressed and deletes it You can upload the firmware package to the ZyWALL with the option enabled so you only need to clear the Destroy compressed files that could not be decompressed option while you download the firmware package See Section 30 2 1...

Page 759: ...ly reboots after a successful upload Table 244 Maintenance File Manager Firmware Package LABEL DESCRIPTION Boot Module This is the version of the boot module that is currently on the ZyWALL Current Version This is the firmware version and the date created Released Date This is the date that the version of the firmware was created File Path Type in the location of the file you want to upload in thi...

Page 760: ...ror 47 4 The Shell Script Screen Use shell script files to have the ZyWALL use commands that you specify Use a text editor to create the shell script files They must use a zysh filename extension Click Maintenance File Manager Shell Script to open the Shell Script screen Use the Shell Script screen to store name download upload and run shell script files You can store multiple shell script files o...

Page 761: ... name of another shell script in the ZyWALL Click a shell script s row to select it and click Rename to open the Rename File screen Figure 515 Maintenance File Manager Shell Script Rename Specify the new name for the shell script file Use up to 25 characters including a zA Z0 9 _ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file...

Page 762: ...t changed or saved Upload Shell Script The bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your ZyWALL File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the zysh file you want to upload Upload Click Upload to begin the upload process This process may tak...

Page 763: ...essages You can change the way the log is displayed you can e mail the log and you can also clear the log in this screen Use the Maintenance Log Settings screen Section 48 4 on page 766 to specify which log messages are e mailed where they are e mailed and how often they are e mailed 48 3 View Log Screen Log messages are stored in two separate logs one for regular log messages and one for debuggin...

Page 764: ...ilable If the filter settings are shown the Display Priority Source Address Destination Address Service Keyword and Search fields are available Display Select the log category you want to view Filter Hidden These fields and buttons display when you hide the filter Email Log Now Click this button to send log message s to the Active e mail address es specified in the Send Log To field on the Log Set...

Page 765: ...is displayed You can use up to 63 alphanumeric characters and the underscore as well as punctuation marks the period double quotes and brackets are not allowed Search Click this button to update the log using the current filter settings Column Setting Click this icon to open a screen where you can configure how the columns in the log table display Select the titles of any columns you don t want to...

Page 766: ...f all the settings You can use the Log Settings Edit screen to maintain the detailed settings such as log categories e mail addresses server names etc for any log Alternatively if you want to edit what events is included in each log you can also use the Active Log Summary screen to edit this information for all logs at the same time Time This field displays the time the log message was recorded Pr...

Page 767: ...Format This field displays the format of the log Internal system log you can view the log on the View Log tab VRPT Syslog ZyXEL s Vantage Report syslog compatible format CEF Syslog Common Event Format syslog compatible format Summary This field is a summary of the settings for each log Please see Section 48 4 2 on page 768 for more information Modify This column provides icons to activate or deact...

Page 768: ...ngs for each log in the system log which includes the e mail profiles Go to the Log Settings Active Log Summary Click this button to open the Active Log Summary Edit screen Apply Click this button to save your changes activate and deactivate logs and make them take effect Table 247 Maintenance Log Log Setting continued LABEL DESCRIPTION ...

Page 769: ...Chapter 48 Logs ZyWALL USG 2000 User s Guide 769 Summary screen see Section 48 4 1 on page 767 and click the system log Edit icon Figure 519 Maintenance Log Log Setting Edit System Log ...

Page 770: ...formation is e mailed Choices are When Full Hourly and When Full Daily and When Full and Weekly and When Full Day for Sending Log This field is available if the log is e mailed weekly Select the day of the week the log is e mailed Time for Sending Log This field is available if the log is e mailed weekly or daily Select the time of day hours and minutes when the log is e mailed Use 24 hour notatio...

Page 771: ... Select whether this category of events should be included in log messages when it is e mailed green checkmark and or in alerts yellow exclamation point for the e mail settings specified in E Mail Server 2 The ZyWALL does not e mail debugging information even if it is recorded in the System log Log Consolidation Active Select this to activate log consolidation Log consolidation aggregates multiple...

Page 772: ...Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server syslog Go to the Log Settings Summary screen see Section 48 4 1 on page 767 and click a remote server Edit icon Figure 520 Maintenance Log Log Setting Edit Remote Server ...

Page 773: ... Type the server name or the IP address of the syslog server to which to send log information Log Facility Select a log facility The log facility allows you to log the messages to different files in the syslog server Please see the documentation for your syslog program for more information Active Log Log Category This field displays each category of messages It is the same value used in the Displa...

Page 774: ...ctive Log Summary button Figure 521 Active Log Summary This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 48 4 2 on page 768 where this process is discussed The Default category includes debugging messages generated by open source software ...

Page 775: ...re Selection Select what information you want to log from each Log Category except All Logs see below Choices are disable all logs red X do not log any information from this category enable normal logs green checkmark log regular information and alerts from this category enable all logs yellow checkmark log regular information alerts and debugging information from this category If you check one of...

Page 776: ...Chapter 48 Logs ZyWALL USG 2000 User s Guide 776 ...

Page 777: ...statistics Use the IDP screen Section 49 5 on page 785 to start or stop data collection and view IDP statistics Use the Content Filter screen Section 49 6 on page 787 to start or stop data collection and view content filter statistics Use the Anti Spam screen Section 49 7 on page 789 to start or stop data collection and view spam statistics Use the Email Daily Report screen Section 49 8 on page 79...

Page 778: ...llect data for the report If the ZyWALL has already been collecting data the collection period displays to the right The progress is not tracked here real time but you can click the Refresh button to update it Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Statistics Interface Select the interface from which to collect informatio...

Page 779: ...ble 252 on page 780 These fields are available when the Traffic Type is Service Port This field is the rank of each record The protocols and service ports are sorted by the amount of traffic Service Port This field displays the service and port in this record The maximum number of services and service ports in this report is indicated in Table 252 on page 780 Protocol This field indicates what pro...

Page 780: ...by user protocol service or service group source address and or destination address and view it by user Web Site This field displays the domain names most often visited The ZyWALL counts each page viewed on a Web site as another hit The maximum number of domain names in this report is indicated in Table 252 on page 780 Hits This field displays how many hits the Web site received The ZyWALL counts ...

Page 781: ...if you view all sessions Select your desired filter criteria and click the Search button to filter the list of sessions User This field displays when View is set to all sessions Type the user whose sessions you want to view It is not possible to type part of the user name or use wildcards in this field you must enter the whole user name Service This field displays when View is set to all sessions ...

Page 782: ...each active session If you are looking at the sessions by source IP report click or to display or hide details about a source IP address s sessions Destination This field displays the destination IP address and port in each active session If you are looking at the sessions by destination IP report click or to display or hide details about a destination IP address s sessions Rx This field displays ...

Page 783: ...splays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display Total Viruses Detected This field displays the number of different viruses that the ZyWALL has detected Infected Files De...

Page 784: ...he name of a detected virus Source IP This column displays when you display the entries by Source It shows the source IP address of virus infected files that the ZyWALL has detected Destination IP This column displays when you display the entries by Destination It shows the destination IP address of virus infected files that the ZyWALL has detected Occurrences This field displays how many times th...

Page 785: ...d All of the statistics are erased if you restart the ZyWALL or click Flush Data Collecting starts over and a new collection start time displays Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update th...

Page 786: ... name identifies a specific intrusion pattern Click the hyperlink for more detailed information on the intrusion Type This column displays when you display the entries by Signature Name It shows the categories of intrusions See Table 148 on page 499 for more information Severity This column displays when you display the entries by Signature Name It shows the level of threat that the intrusions may...

Page 787: ... you display the top entries by destination Figure 529 Maintenance Report IDP Destination 49 6 The Content Filter Report Screen Click Maintenance Report Content Filter to display the following screen This screen displays content filter statistics Figure 530 Maintenance Report Content Filter ...

Page 788: ...splayed a warning before allowing users access Web Pages Blocked by Category Service This is the number of web pages to which the ZyWALL did not allow access because they matched an external database content filtering category to which the ZyWALL was configured to block access Web Pages Blocked by Custom Service This is the number of web pages to which the ZyWALL did not allow access due to the co...

Page 789: ...rts after you have activated the category based content filtering subscription service Table 256 Maintenance Report Content Filter continued LABEL DESCRIPTION Table 257 Maintenance Report Anti Spam LABEL DESCRIPTION Collect Statistics Select this check box to have the ZyWALL collect anti spam statistics The collection starting time displays after you click Apply All of the statistics in this scree...

Page 790: ...L allowed because they exceeded the maximum number of e mail sessions that the anti spam feature can check at a time You can see the ZyWALL s threshold of concurrent e mail sessions in the Anti Spam Status screen Use the Anti Spam General screen to set whether the ZyWALL forwards or drops sessions that exceed this threshold Mail Sessions Dropped This is how many e mail sessions the ZyWALL dropped ...

Page 791: ... Address This column displays the e mail addresses from which the ZyWALL has detected the most spam Occurrence This field displays how many spam e mails the ZyWALL detected from the sender Total This field displays the sum of the occurrences of the events in the entries Table 257 Maintenance Report Anti Spam continued LABEL DESCRIPTION ...

Page 792: ... screen to have the ZyWALL e mail you system statistics every day Figure 532 Maintenance Report Email Daily Report The following table describes the labels in this screen Table 258 Maintenance Report Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by e mail every day Mail Server Type the name or IP address of the outgoing SMTP server ...

Page 793: ... to provide to the SMTP server when the log is e mailed Password This box is effective when you select the SMTP Authentication check box Type the password to provide to the SMTP server when the log is e mailed Send Report Now Click this button to have the ZyWALL send the daily e mail report immediately Time for sending report Select the time of day hours and minutes when the log is e mailed Use 24...

Page 794: ...Chapter 49 Reports ZyWALL USG 2000 User s Guide 794 ...

Page 795: ...gnostics screen Figure 533 Maintenance Diagnostics The following table describes the labels in this screen Table 259 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created dia...

Page 796: ...Chapter 50 Diagnostics ZyWALL USG 2000 User s Guide 796 ...

Page 797: ... write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 52 1 on page 801 reset returns the device to its default configuration 51 2 The Reboot Screen The Reboot screen is part of the Web configurator so that remote users can restart the device To access this screen click Maintenance Reboot Figure 534 Mainten...

Page 798: ...Chapter 51 Reboot ZyWALL USG 2000 User s Guide 798 ...

Page 799: ...age 329 The system log can often help to identify a configuration problem If the sites are were previously connected using a leased line or ISDN router physically disconnect these devices from the network before testing your new VPN connection The old route may have been learnt by RIP and would take priority over the new VPN connection To test whether or not a tunnel is working ping from a compute...

Page 800: ...the remote IPsec router trusts that CA The ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec router s certificate The trusted certificate can be the remote IPSec router s self signed certificate or that of a trusted CA that signed the remote IPSec router s certificate I cannot set up an L2TP VPN tunnel 1 Make sure you have configured L2TP correctly on the remote user com...

Page 801: ...bjects based on an interface s IP address subnet or gateway if the interface s IP address settings change However you need to manually edit any address objects for your LAN that are not based on the interface 52 1 Resetting the ZyWALL If you cannot access the ZyWALL by any method try restarting it by turning the power off and then on again If you still cannot access the ZyWALL by any method or you...

Page 802: ...er modules are near the top of the front panel of the main chassis Obtain ZyWALL power modules from your local vendor Use the following procedure to change a power module 1 Make sure that the power module you want to disconnect has the power switch in the off position You only need to turn off the power module that has failed The ZyWALL can continue operating on power from the other power module 2...

Page 803: ...ndle to slide out the power module and remove it Figure 536 Removing the Power Module 6 Install the new ZyWALL power module Figure 537 Installing the Replacement Power Module 7 Tighten the power module s retaining screw Figure 538 Replacing the Power Module Retaining Screw ...

Page 804: ... cord to the new ZyWALL power module 9 Reconnect the power cord to the power outlet 10 Push the ZyWALL power module switch to the on position 52 3 Getting More Troubleshooting Help Search for support information for your model at www zyxel com for more troubleshooting suggestions ...

Page 805: ...SPECIFICATION Number of MAC addresses 8 Ethernet Interfaces Number of Ethernet interfaces 8 6 Ethernet interfaces are Gigabit Ethernet full duplex RJ 45 connectors auto negotiation auto MDI MDIX auto crossover 2 Ethernet interfaces are dual personality combo ports Each consists of a Gigabit RJ 45 Ethernet port and SFP slot pair The 45 connectors support auto negotiation and auto MDI MDIX auto cros...

Page 806: ...r modules One power module is redundant The ZyWALL can be fully powered by just one power module so the system can keep running while you replace a power module Operating Environment Temperature 5º C to 40º C Humidity 5 to 90 non condensing Storage Environment Temperature 30 C to 60 C Humidity 5 to 90 non condensing MTBF Mean Time Between Failures 99 141 hours Dimensions 430 W x 487 D x 89 H mm We...

Page 807: ...00 FIREWALL Firewall ACL Rules 10 000 10 000 APPLICATION PATROL Maximum Rules for Other Protocols 64 64 Maximum Exception Rules 64 64 Allowed Ports 8 8 Default Ports 8 8 Address Space Number 640001 640001 USER PROFILES Maximum Local Users 4096 4096 Maximum Admin Users 20 20 Maximum User Groups 256 256 Maximum Users in One User Group 4096 4096 OBJECTS Address Objects 10 000 10 000 Address Groups 2 ...

Page 808: ...2000 with the SEM Maximum Number of VPN Concentrators 64 64 CERTIFICATES Certificate Buffer Size 4 MB 4 MB BUILT IN SERVICES A record 2048 2048 NS record 32 32 MX record 32 32 Maximum Number of Service Control Entries 32 per service 32 per service Maximum Number of DHCP Network Pools 32 32 Maximum DHCP Host Pool 2048 2048 Maximum Number of DDNS Profiles 20 20 DHCP Relay 2 per interface 2 per inter...

Page 809: ...m Number of Keywords that Can Be Blocked 512 per profile 512 per profile Local Cache Size 8192 8192 Maximum Number of Connections 1024 1024 ANTI SPAM Maximum Number of Concurrent Mail Sessions 1 000 1 000 Maximum Number of Anti Spam Rules 64 64 Maximum Number of White List Entries 1024 1024 Maximum Number of Black List Entries 1024 1024 Maximum Number of DNSBLs 5 5 Maximum Number of Anti Spam Stat...

Page 810: ...453 2328 3101 3137 Telnet server RFCs 1408 1572 SSH server RFCs 4250 4251 4252 4253 4254 Built in service DNS server RFCs 1034 1035 1123 1183 1535 1536 1706 1712 1750 1876 1982 1995 1996 2136 2163 2181 2230 2308 2535 2536 2537 2538 2539 2671 2672 2673 2782 3007 3090 Built in service DHCP server RFCs 1542 2131 2132 2485 2489 Built in service HTTP server RFCs 1945 2616 2965 2732 2295 Built in servic...

Page 811: ...onnector end of the card into the slot Note Do not force bend or twist the card Used by Time service RFCs 3339 Used by Telnet service RFCs 318 854 1413 Used by SIP ALG RFCs 3261 3264 DHCP relay RFC 1541 ZySH W3C XML standard ARP RFC 826 IP IPv4 RFC 791 TCP RFC 793 Table 263 Standards Referenced by Features continued FEATURE STANDARDS REFERENCED ...

Page 812: ...Chapter 53 Product Specifications ZyWALL USG 2000 User s Guide 812 ...

Page 813: ...T XI Appendices and Index Common Services 875 Displaying Anti Virus Alert Messages in Windows 879 Importing Certificates 885 Open Software Announcements 911 Legal Information 957 Customer Support 899 Index 961 ...

Page 814: ...814 ...

Page 815: ...anged to use port 80 due to a configuration change Content filter has been changed zsb port to 23 The content filtering checking for unsafe web sites has been changed to use port 23 due to a configuration change Table 265 Forward Web Site Logs LOG MESSAGE DESCRIPTION s Trusted Web site The device allowed access to a web site in a trusted domain s website host s The device allowed access to a web s...

Page 816: ...alid service license 4 Rating service is restarting 5 Can t connect to rating server 6 Query failed 7 Query timeout 8 Too many queries 9 Unknown reason s website host s s cache hit The web site s category exists in the device s local cache and access was blocked according to a content filter profile 1st s website host 2nd s website category s Not in trusted web list The web site is not a trusted h...

Page 817: ...licy with the specified index number d has been added to the end of the list Anti Spam policy d has been deleted The anti spam policy with the specified index number d has been removed Anti Spam policy d has been moved to d The anti spam policy with the specified index number first d was moved to the specified index number second d White List checking has been activated The anti spam white list ha...

Page 818: ...een added DNSBL domain s has been modified to s The specified DNSBL domain name first s has been changed to the second s DNSBL domain s has been deleted The specified DNSBL domain name s has been removed DNSBL domain s has been activated The specified DNSBL domain name s has been turned on DNSBL domain s has been deactivated The specified DNSBL domain name s has been turned off Match White List d ...

Page 819: ...he IP address given to the SSL user The s address object is invalid IP in SSL Policy s The listed address object first s is not an allowed IP for the listed SSL policy second s The s address object does not has assignable IP in SSL Policy s There are no more assignable IP addresses in the listed address object first s The address object is used by the listed SSL policy second s The s address objec...

Page 820: ...in SSL VPN policy s So s will not be injected to client side The IP pool is in the same subnet as the specified address object first s in the listed SSL VPN policy second s so the listed address third s will not be given to an SSL VPN client The s is same subnet with IP pool in SSL VPN policy s So s will not be injected to client side The specified address object first s is in the same subnet as t...

Page 821: ...ser is using HTTP or HTTPS s s from s has been logged out SSLVPN idle timeout The specified user was signed out by the device due to an idle timeout The first s is the type of user account The second s is the user s user name The third s is the name of the service the user is using HTTP or HTTPS Failed login attempt to SSLVPN from s login on a lockout address An SSL VPN login attempt from the list...

Page 822: ...ecause the user name does not exist User s has been denied from L2TP service Disallowed User A user with the specified user name s was denied access to the L2TP over IPSec service because the user name is not specified in the L2TP over IPSec configuration User s has been denied from L2TP service Incorrect Password A user with the specified user name s was denied access to the L2TP over IPSec servi...

Page 823: ...group name cannot create too many groups d 1st max group num s cannot find entry s 1st zysh group name 2st zysh entry name s cannot remove entry s 1st zysh group name 2st zysh entry name List OPS can t alloc entry s 1st zysh entry name can t retrieve entry s 1st zysh entry name can t get entry s 1st zysh entry name can t print entry s 1st zysh entry name s cannot retrieve entries from list 1st zys...

Page 824: ...zysh table name Unable to move entry d 1st zysh entry num s invalid index 1st zysh table name Unable to delete entry d 1st zysh entry num Unable to change entry d 1st zysh entry num s cannot retrieve entries from table 1st zysh table name s invalid old new index 1st zysh table name Unable to move entry d 1st zysh entry num s apply failed at initial stage 1st zysh table name s apply failed at main ...

Page 825: ...er first num was moved to the specified index number second num New ADP rule has been appended An ADP rule has been added to the end of the list ADP rule num has been inserted An ADP rule has been inserted num is the number of the new rule ADP rule num has been modified The ADP rule of the specified number has been changed ADP profile name has been deleted The ADP rule with the specified name has ...

Page 826: ... compressed file because there were too many compressed files at the same time 1st s The protocol of the packet 2nd s The filename of the related file s due to more than one layer compressed file s could not be decompressed The ZyWALL could not decompress a compressed file because it contained other compressed files 1st s The protocol of the packet 2nd s The filename of the related file s due to p...

Page 827: ... was too large AV signature update has failed An anti virus signatures update failed for unknown reasons Anti Virus signatures missing refer to your user documentation to recover the default database file When the ZyWALL started it could not find the anti virus signature file See the CLI reference guide for how to restore the default system database Update signature version has failed An attempt t...

Page 828: ... file pattern was deleted from the white or black list 1st s The file pattern 2nd s The white list or black list File pattern s has been added in s An anti virus file pattern was added to the white or black list 1st s The file pattern 2nd s The white list or black list s has been s An anti virus file pattern white list or black list was turned on or off 1st s The white list or black list 2nd s Act...

Page 829: ...using HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out ZyWALL lease timeout The ZyWALL is signing the specified user out due to a lease timeout 1st s The type of user account 2nd s The user s user name 3rd s The name of the service the user is using HTTP HTTPS FTP Telnet SSH or console s s from s has been logged out ZyWALL idle timeout The ZyWALL is signing the specified user ou...

Page 830: ...Table 274 myZyXEL com Logs LOG MESSAGE DESCRIPTION Send registration message to MyZyXEL com server has failed The device was not able to send a registration message to MyZyXEL com Get server response has failed The device sent packets to the MyZyXEL com server but did not receive a response The root cause may be that the connection is abnormal Timeout for get server response zysh need to catch MyZ...

Page 831: ...ervice activation has failed Because of lack must fields The device received an incomplete response from the myZyXEL com server and it caused a parsing error for the device Service expiration check has failed s The service expiration day check failed this log will append an error message returned by the MyZyXEL com server s error message returned by myZyXEL com server Service expiration check has ...

Page 832: ...ate has stopped because the device couldn t resolve the myZyXEL com server s FQDN to an IP address through gethostbyname Verify server s certificate has failed Update stop The device could not process an HTTPS connection because it could not verify the myZyXEL com server s certificate The update has stopped Send download request to update server has failed The device s attempt to send a download m...

Page 833: ...nti Virus signature download has succeeded The device successfully downloaded an anti virus signature file Anti Virus signature update has succeeded The device successfully downloaded and applied an anti virus signature file Anti Virus signature download has failed The device still cannot download the anti virus signature after 3 retries System protect signature download has succeeded The device s...

Page 834: ...y check The device processes a service expiration day check immediately after it starts up After register Do expiration daily check immediately The device processes a service expiration day check immediately after device registration Time is up Do expiration daily check The processes a service expiration day check every 24 hrs Read MyZyXEL com storage has failed Read data from EEPROM has failed Op...

Page 835: ... get server response After the device sent packets to a server the device did not receive any response from the server The root cause may be a network delay issue Download file size is wrong The file size downloaded for AS is not identical with content length Parse HTTP header has failed Device can t parse the HTTP header in a response returned by a server Maybe some HTTP headers are missing Table...

Page 836: ...stom IDP signature failed The error sid and message are displayed Custom signature import error line line sid sid error_message An attempt to import a custom IDP signature failed The errored line number in the file the error sid and error message are displayed Custom signature replace error line line sid sid error_message Custom IDP signature replacing failed Error line number of file sid and mess...

Page 837: ...last signature file update failed IDP signature update failed Can not update synchronized file An attempt to update the IDP signatures failed Rebuilding of the IDP device HA synchronized file failed IDP signature update from version version to version version has succeeded An IDP signature update succeeded The previous and updated IDP signature versions are listed IDP system protect signature upda...

Page 838: ... update the IDP signatures failed due to an internal system error System internal error Create IDP traffic anomaly entry failed There was an internal system error Query signature version failed The device could not get the signature version from the new signature package it downloaded from the update server Can not get signature version The device could not get the signature version from the new s...

Page 839: ...name has been modified IDP profile has been modified name is profile name IDP signatures missing please refer to your user documentation to recover the default database file When the ZyWALL started it could not find the IDP signature file See the CLI reference guide for how to restore the default system database IDP signature size is over system limitation The IDP signature set is too large exceed...

Page 840: ... the listed protocol s traffic Default port s of protocol s has been added The listed default port first s has been added for the listed protocol second s Default port s of protocol s has been removed The listed default port first s has been deleted for the listed protocol second s Rule s s has been moved to index s An application patrol rule has been moved 1st s Protocol name 2nd s From rule inde...

Page 841: ...he tunnel name When negotiating Phase 1 and selecting matched proposal My IP Address could not be resolved ID Tunnel s Phase 1 ID mismatch s is the tunnel name When negotiating Phase 1 the peer ID did not match ID Tunnel s Phase 2 Local ID mismatch s is the tunnel name When negotiating Phase 2 and checking IPsec SAs or the ID is IPv6 ID ID Tunnel s Phase 2 Remote ID mismatch s is the tunnel name W...

Page 842: ...ch SA Tunnel s Phase 2 pfs unsupported d s is the tunnel name When negotiating Phase 2 this device does not support the PFS specified SA Tunnel s Phase 2 SA encapsulation mismatch s is the tunnel name When negotiating Phase 2 the SA encapsulation did not match SA Tunnel s Phase 2 SA protocol mismatch s is the tunnel name When negotiating Phase 2 the SA protocol did not match SA Tunnel s SA sequenc...

Page 843: ...mote name The device sent a request to enter Aggressive Mode Send SA KE ID CER T CR HASH SIG NON CE DEL VID ATTR N OTFY s This is a combined message for outgoing IKE packets Start Phase 2 Quick Mode Indicates the beginning of phase 2 using quick mode The cookie pair is 0x 08x 08x 0x 08x 08x Indicates the initiator responder cookie pair The IPSec tunnel s is already established s is the tunnel name...

Page 844: ...s 0x x 0x x s rekeyed successfully The variables represent the phase 1 name tunnel name old SPI new SPI and the xauth name optional The tunnel was rekeyed successfully Tunnel s s Phase 1 pre shared key mismatch The variables represent the phase 1 name and tunnel name When negotiating phase 1 the pre shared keys did not match Tunnel s s Recving IKE request The variables represent the phase 1 name a...

Page 845: ... SEQ 0x x Packet Anti Replay detected The variables represent the SPI and the sequence number The device received a packet again that it had already received VPN connection s was disabled s is the VPN connection name An administrator disabled the VPN connection VPN connection s was enabled s is the VPN connection name An administrator enabled the VPN connection Due to active connection allowed exc...

Page 846: ... disabled Asymmetrical Route has been turned off Table 280 Sessions Limit Logs LOG MESSAGE DESCRIPTION Maximum sessions per host d was exceeded d is maximum sessions per host Table 281 Policy Route Logs LOG MESSAGE DESCRIPTION Can t open bwm_entries Policy routing can t activate BWM feature Can t open link_down Policy routing can t detect link up down status Cannot get handle from UAM user aware P...

Page 847: ...rule number Policy route rule d was moved to d Rule is moved 1st d the original policy route rule number 2nd d the new policy route rule number Policy route rule d was deleted Rule is deleted d the policy route rule number Policy route rules were flushed Policy routing rules are cleared BWM has been activated The global setting for bandwidth management on the ZyWALL has been turned on BWM has been...

Page 848: ...an administrator assigns a certificate for SSH the device needs to convert it to a key used for SSH s is certificate name assigned by user TELNET port has been changed to port s An administrator changed the port number for TELNET s is port number assigned by user TELNET port has been changed to default port An administrator changed the port number for TELNET back to the default 23 FTP certificate ...

Page 849: ...rieved from it Set timezone to s An administrator changed the time zone s is time zone value Set timezone to default An administrator changed the time zone back to the default 0 Enable daylight saving An administrator turned on daylight saving Disable daylight saving An administrator turned off daylight saving DNS access control rules have been reached the maximum number An administrator tried to ...

Page 850: ...led Wizard adds DNS server s failed because DNS zone setting has conflictd Wizard apply DNS server failed because DNS zone conflicted s is the IP address of the DNS server Wizard adds DNS server s failed because Zone Forwarder numbers have reached the maximum number of 32 Wizard apply DNS server fail because the device already has the maximum number of DNS records configured s is IP address of the...

Page 851: ...t d is down When LINK is down d is the port number s is dead at s A daemon process is gone was killed by the operating system 1st s Daemon Name 2nd s date and time s process count is incorrect at s The count of the listed process is incorrect 1st s Daemon Name 2nd s date and time s becomes Zombie at s A process is present but not functioning 1st s Daemon Name 2nd s date and time When memory usage ...

Page 852: ...esponse from an unknown client In total received d arp response packets for the requested IP address The device received the specified total number of ARP response packets for the requested IP address Clear arp cache successfully The ARP cache was cleared successfully Client MAC address is not an Ethernet address A client MAC address is not an Ethernet address DHCP request received via interface s...

Page 853: ...lformed for DynDNS server 1st s is the profile name 2nd s is the FQDN of the profile Update the profile s has failed because the FQDN s is not under your control The owner of this FQDN is not the user 1st s is the profile name 2nd s is the FQDN of the profile Update the profile s has failed because the FQDN s was blocked for abuse The FQDN is blocked by DynDNS 1st s is the profile name 2nd s is th...

Page 854: ...ame Update the profile s has failed because Custom IP was empty The DDNS profile s IP select type is custom and a custom IP was not defined s is the profile name Update the profile s has failed because WAN interface was empty If the DDNS profile s IP select type is iface it needs a WAN iface s is the profile name The profile s has been paused because the VRRP status of WAN interface was standby Th...

Page 855: ...S profile cannot be updated because the fail of ping check for HA iface s is the profile name DDNS has been disabled by Device HA DDNS is disabled by Device HA because all VRRP groups are standby DDNS has been enabled by Device HA DDNS is enabled by Device HA because one of VRRP groups is active Disable DDNS has succeeded Disable DDNS Enable DDNS has succeeded Enable DDNS DDNS profile s has been r...

Page 856: ...n t get memory from OS Can t load s module The connectivity check process can t load module for check link status s the connectivity module currently only ICMP available Can t handle isalive function of s module The connectivity check process can t execute isalive function from module for check link status s the connectivity module currently only ICMP available Create socket error The connectivity...

Page 857: ...as been created s the name of VRRP group Device HA VRRP group s has been modified An VRRP group has been modified s the name of VRRP group Device HA VRRP group s has been deleted An VRRP group has been deleted s the name of VRRP group Device HA VRRP interface s for VRRP Group s has changed Configuration of an interface that belonged to a VRRP group has been changed 1st s VRRP interface name 2ed s ...

Page 858: ... s Synchronization failed because the Backup could not connect to the Master The object to be synchronized 2ed s The feature name for the object to be synchronized Backup firmware version can not be recognized Stop syncing from Master The firmware version on the Backup cannot be resolved to check if it is the same as on the Master A Backup device only synchronizes from the Master if the Master and...

Page 859: ...nized d the retry count Recovring to Backup original state for s has failed An update failed The device will try to recover the failed update feature to the original state before Device HA synchronizes the specified object Recovering to Backup original state for s has succeeded Recovery succeeded when an update for the specified object failed One of VRRP groups has became avtive Device HA Sync has...

Page 860: ...n interface s has been changed to Out Only RIP direction on interface s has been changed to Out Only s Interface Name RIP authentication mode has been changed to s RIP authentication mode has been changed to text or md5 RIP text authentication key has been changed RIP text authentication key has been changed RIP md5 authentication id and key have been changed RIP md5 authentication id and key have...

Page 861: ...d s RIP Version RIP receive version on interface s has been reset to current global version s RIP receive version on interface s has been reset to current global version s 1st s Interface Name 2nd s RIP RIP v2 broadcast on interface s has been disabled RIP v2 broadcast on interface s has been disabled s Interface Name OSPF on interface s has been stopped because Device HA binds this interface Devi...

Page 862: ...terface Name Table 287 NAT Logs LOG MESSAGE DESCRIPTION The NAT range is full The NAT mapping table is full s FTP ALG has succeeded The FTP Application Layer Gateway ALG has been turned on or off s Enable or Disable Extra signal port of FTP ALG has been modified Extra FTP ALG port has been changed Signal port of FTP ALG has been modified Default FTP ALG port has been changed s H 323 ALG has succee...

Page 863: ...cessfully The router created a certificate request with the specified name Generate certificate request s failed errno d The router was not able to create a certificate request with the specified name See Table 296 on page 865 for details about the error number Generate PKCS 12 certificate s successfully The router created a PKCS 12 format certificate with the specified name Generate PKCS 12 certi...

Page 864: ...request name Import PKCS 7 certificate s into Trusted Certificate successfully The device imported a PKCS 7 format certificate into Trusted Certificates s is the certificate request name Decode imported certificate s failed The device was not able to decode an imported certificate s is certificate the request name Export PKCS 12 certificate s from My Certificate successfully The device exported a ...

Page 865: ...icate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not used 5 Certificate is not valid 6 Certificate signature was not verified correctly 7 Certificate was revoked by a CRL 8 Certificate was not added to the cache 9 Certificate decoding failed 10 Certificate was not found anywhere 11 Certificat...

Page 866: ...t and a user tried to use the disconnect aux command Interface s will reapply because Device HA become active status Device ha became active and is using a PPP base interface the PPP interface must reapply s is the interface name Interface s will reapply because Device HA is not running Device ha was deleted and free PPP base interface PPP interface must reapply s is the interface name Interface s...

Page 867: ...status s TxP kts u RxPkts u Colli u T xB s u RxB s u UpTime s Port statistics log This log will be sent to the VRPT server 1st s physical port name 2nd s physical port status 1st u physical port Tx packets 2nd u physical port Rx packets 3rd u physical port packets collisions 4th u physical port Tx Bytes s 5th u physical port Rx Bytes s 3rd s physical port up time name s status s TxP kts u RxPkts u...

Page 868: ...ection timed out due to a lack of response from the PPPOE server s PPP interface name Interface s create failed because has no member A bridge interface has no member s bridge interface name Interface cellular Application Error Code d n The listed error code d was generated due to an internal cellular interface error An error d occurred while negotiating with the device in s Please try to remove t...

Page 869: ... PIN code setting The listed cellular interface d does has the wrong PIN code configured Unable to query the signal quality from the device in s Please try to remove then insert the device The ZyWALL could not check the signal strength for the listed cellular interface d This could be due to an error or being out of range of the ISP s cellular station Interface cellular d cannot connect to the ser...

Page 870: ...ks up because of changing Port Group Enable DHCP client An administrator used port grouping to assign a port to a representative Interface and this representative interface is set to DHCP client and only has one member In this case the DHCP client will be enabled s interface name Interface s links down because of changing Port Group Disable DHCP client An administrator used port grouping to assign...

Page 871: ...s 1st s is CLI command 2nd s is error message when apply CLI command WARNING s s Apply configuration failed this log will be what CLI command is and what warning message is 1st s is CLI command 2nd s is warning message when apply CLI command ERROR s s Run script failed this log will be what wrong CLI command is and what error message is 1st s is CLI command 2nd s is error message when apply CLI co...

Page 872: ...stname and MAC address are listed Table 295 E mail Daily Report Logs LOG MESSAGE DESCRIPTION Email Daily Report has been activated The daily e mail report function has been turned on The ZyWALL will e mail a daily report about the selected items at the scheduled time if the required settings are configured correctly Email Daily Report has been deactivated The daily e mail report function has been ...

Page 873: ... 02X 02X 02X 02X 02X The IP MAC binding feature could not create an IP MAC binding hash table entry The interface the packet came in through the sender s IP address and MAC address are also shown along with the binding type s for static or d for dynamic Cannot remove ip mac binding from dhcpd s u u u u 0 2X 02X 02X 02X 02X 02X The IP MAC binding feature could not delete an IP MAC binding hash tabl...

Page 874: ...Appendix A Log Descriptions ZyWALL USG 2000 User s Guide 874 ...

Page 875: ...ther information about port numbers If the Protocol is TCP UDP or TCP UDP this is the IP port number If the Protocol is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 297 Commonly Used Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Aut...

Page 876: ... Internet Group Management Protocol is used when sending packets to a specific group of hosts IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management IRC TCP UDP 6667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol NEW ICQ TCP 5190 An Internet chat program NEWS TCP 144 A protocol for ne...

Page 877: ...is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes midrange systems UNIX systems an...

Page 878: ... Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP 7000 Another videoconferencing solution Table 297 Commonly Used Services continued NAME PROTOCOL PORT S DESCRIPTION ...

Page 879: ... message on Miscrosoft Windows based computers If the log shows that virus files are being detected but your Miscrosoft Windows based computer is not displaying an alert message use one of the following procedures to make sure your computer is set to display the messages Windows XP 1 Click Start Control Panel Administrative Tools Services Figure 539 Windows XP Opening the Services Window ...

Page 880: ... s Guide 880 2 Select the Messenger service and click Start Figure 540 Windows XP Starting the Messenger Service 3 Close the window when you are done Windows 2000 1 Click Start Settings Control Panel Administrative Tools Services Figure 541 Windows 2000 Opening the Services Window ...

Page 881: ...the window when you are done Windows 98 SE Me For Windows 98 SE Me you must open the WinPopup window in order to view real time alert messages Click Start Run and enter winpopup in the field provided and click OK The WinPopup window displays as shown Figure 543 Windows 98 SE WinPopup If you want to display the WinPopup window at startup follow the steps below for Windows 98 SE steps are similar fo...

Page 882: ...USG 2000 User s Guide 882 1 Right click on the program task bar and click Properties Figure 544 WIndows 98 SE Program Task Bar 2 Click the Start Menu Programs tab and click Advanced Figure 545 Windows 98 SE Task Bar Properties 3 Double click Programs and click StartUp ...

Page 883: ...yWALL USG 2000 User s Guide 883 4 Right click in the StartUp pane and click New Shortcut Figure 546 Windows 98 SE StartUp 5 A Create Shortcut window displays Enter winpopup in the Command line field and click Next Figure 547 Windows 98 SE Startup Create Shortcut ...

Page 884: ... accept the default and click Finish Figure 548 Windows 98 SE Startup Select a Title for the Program 7 A shortcut is created in the StartUp pane Restart the computer when prompted Figure 549 Windows 98 SE Startup Shortcut Note The WinPopup window displays after the computer finishes the startup process see Figure 543 on page 881 ...

Page 885: ...cates These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it However because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers you will need to import the ZyXEL created certificate into your web browser and flag that certificate as a...

Page 886: ... the first time you browse to it you are presented with a certification error Figure 550 Internet Explorer 7 Certification Error 2 Click Continue to this website not recommended Figure 551 Internet Explorer 7 Certification Error 3 In the Address Bar click Certificate Error View certificates Figure 552 Internet Explorer 7 Certificate Error ...

Page 887: ...ZyWALL USG 2000 User s Guide 887 4 In the Certificate dialog box click Install Certificate Figure 553 Internet Explorer 7 Certificate 5 In the Certificate Import Wizard click Next Figure 554 Internet Explorer 7 Certificate Import Wizard ...

Page 888: ...matically select certificate store based on the type of certificate click Next again and then go to step 9 Figure 555 Internet Explorer 7 Certificate Import Wizard 7 Otherwise select Place all certificates in the following store and then click Browse Figure 556 Internet Explorer 7 Certificate Import Wizard ...

Page 889: ...t Certificate Store dialog box choose a location in which to save the certificate and then click OK Figure 557 Internet Explorer 7 Select Certificate Store 9 In the Completing the Certificate Import Wizard screen click Finish Figure 558 Internet Explorer 7 Certificate Import Wizard ...

Page 890: ...lly click OK when presented with the successful certificate installation message Figure 560 Internet Explorer 7 Certificate Import Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page a sealed padlock icon appears in the address bar Click it to view the page s Website Identification information Figure 561 Internet Explorer 7 Website Identification ...

Page 891: ... one has been issued to you 1 Double click the public key certificate file Figure 562 Internet Explorer 7 Public Key Certificate File 2 In the security warning dialog box click Open Figure 563 Internet Explorer 7 Open File Security Warning 3 Refer to steps 4 12 in the Internet Explorer procedure beginning on page 885 to complete the installation process Removing a Certificate in Internet Explorer ...

Page 892: ...LL USG 2000 User s Guide 892 1 Open Internet Explorer and click Tools Internet Options Figure 564 Internet Explorer 7 Tools Menu 2 In the Internet Options dialog box click Content Certificates Figure 565 Internet Explorer 7 Internet Options ...

Page 893: ...icates Authorities tab select the certificate that you want to delete and then click Remove Figure 566 Internet Explorer 7 Certificates 4 In the Certificates confirmation click Yes Figure 567 Internet Explorer 7 Certificates 5 In the Root Certificate Store dialog box click Yes Figure 568 Internet Explorer 7 Root Certificate Store ...

Page 894: ... following example uses Mozilla Firefox 2 on Windows XP Professional however the screens can also apply to Firefox 2 on all platforms 1 If your device s Web Configurator is set to use SSL certification then the first time you browse to it you are presented with a certification error 2 Select Accept this certificate permanently and click OK Figure 569 Firefox 2 Website Certified by an Unknown Autho...

Page 895: ...the address bar which you can click to open the Page Info Security window to view the web page s security information Figure 570 Firefox 2 Page Info Installing a Stand Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you ...

Page 896: ...ng Certificates ZyWALL USG 2000 User s Guide 896 1 Open Firefox and click Tools Options Figure 571 Firefox 2 Tools Menu 2 In the Options dialog box click Advanced Encryption View Certificates Figure 572 Firefox 2 Options ...

Page 897: ...tes Import Figure 573 Firefox 2 Certificate Manager 4 Use the Select File dialog box to locate the certificate and then click Open Figure 574 Firefox 2 Select File 5 The next time you visit the web site click the padlock in the address bar to open the Page Info Security window to see the web page s security information ...

Page 898: ...ng a Certificate in Firefox This section shows you how to remove a public key certificate in Firefox 2 1 Open Firefox and click Tools Options Figure 575 Firefox 2 Tools Menu 2 In the Options dialog box click Advanced Encryption View Certificates Figure 576 Firefox 2 Options ...

Page 899: ...e Figure 577 Firefox 2 Certificate Manager 4 In the Delete Web Site Certificates dialog box click OK Figure 578 Firefox 2 Delete Web Site Certificates 5 The next time you go to the web site that issued the public key certificate you just removed a certification error appears Opera The following example uses Opera 9 on Windows XP Professional however the screens can apply to Opera 9 on all platform...

Page 900: ...time you browse to it you are presented with a certification error 2 Click Install to accept the certificate Figure 579 Opera 9 Certificate signer not found 3 The next time you visit the web site click the padlock in the address bar to open the Security information window to view the web page s security details Figure 580 Opera 9 Security information ...

Page 901: ...nd Alone Certificate File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted you can install a stand alone certificate file if one has been issued to you 1 Open Opera and click Tools Preferences Figure 581 Opera 9 Tools Menu ...

Page 902: ...Appendix D Importing Certificates ZyWALL USG 2000 User s Guide 902 2 In Preferences click Advanced Security Manage certificates Figure 582 Opera 9 Preferences ...

Page 903: ...USG 2000 User s Guide 903 3 In the Certificates Manager click Authorities Import Figure 583 Opera 9 Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open Figure 584 Opera 9 Import certificate ...

Page 904: ...stall authority certificate 6 Next click OK Figure 586 Opera 9 Install authority certificate 7 The next time you visit the web site click the padlock in the address bar to open the Security information window to view the web page s security details Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9 ...

Page 905: ...Importing Certificates ZyWALL USG 2000 User s Guide 905 1 Open Opera and click Tools Preferences Figure 587 Opera 9 Tools Menu 2 In Preferences Advanced Security Manage certificates Figure 588 Opera 9 Preferences ...

Page 906: ...ificate you just removed a certification error appears Note There is no confirmation when you delete a certificate authority so be absolutely certain that you want to go through with it before clicking the button Konqueror The following example uses Konqueror 3 5 on openSUSE 10 3 however the screens apply to Konqueror 3 5 on all Linux KDE distributions 1 If your device s Web Configurator is set to...

Page 907: ...queror 3 5 Server Authentication 3 Click Forever when prompted to accept the certificate Figure 591 Konqueror 3 5 Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page s security details Figure 592 Konqueror 3 5 KDE SSL Information ...

Page 908: ...en prompted you can install a stand alone certificate file if one has been issued to you 1 Double click the public key certificate file Figure 593 Konqueror 3 5 Public Key Certificate File 2 In the Certificate Import Result Kleopatra dialog box click OK Figure 594 Konqueror 3 5 Certificate Import Result The public key certificate appears in the KDE certificate manager Kleopatra Figure 595 Konquero...

Page 909: ... security details Removing a Certificate in Konqueror This section shows you how to remove a public key certificate in Konqueror 3 5 1 Open Konqueror and click Settings Configure Konqueror Figure 596 Konqueror 3 5 Settings Menu 2 In the Configure dialog box select Crypto 3 On the Peer SSL Certificates tab select the certificate you want to delete and then click Remove Figure 597 Konqueror 3 5 Conf...

Page 910: ...e next time you go to the web site that issued the public key certificate you just removed a certification error appears Note There is no confirmation when you remove a certificate authority so be absolutely certain you want to go through with it before clicking the button ...

Page 911: ...rials related to such distribution and use acknowledge that the software was developed by the Australian National University The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF...

Page 912: ... the name of the project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN N...

Page 913: ...modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NO...

Page 914: ...L please contact openssl core openssl org OpenSSL License Copyright c 1998 2007 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributio...

Page 915: ...mentation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Netscapes SSL This library is free for commercial and non commercial use as long as the following conditions are aheared to The following conditions apply to all code found in this distribution be it the RC4 RSA lhash DES etc code not just the SSL code The SSL documentation included with this dis...

Page 916: ...NG NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for any publically available version or derivative of this code cannot be changed i e this code cannot simply be copied and put under another distribution licence including the GNU Public Licence Note This Product includes libevent 1 1a ...

Page 917: ...OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Note This Product includes bind 9 2 3 software under the Internet Software Consortium and Nominum License Copyright C 1996 2002 Internet Software Consortium Permission to use copy modify and distribute this software for any purpose with or without fee is hereby granted provided that th...

Page 918: ...ssion to use copy modify and distribute this software for any purpose with or without fee is hereby granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIA...

Page 919: ...ot limited to compiled object code generated documentation and conversions to other media types Work shall mean the work of authorship whether in Source or Object form made available under the License as indicated by a copyright notice that is included in or attached to the work an example is provided in the Appendix below Derivative Works shall mean any work whether in Source or Object form that ...

Page 920: ...ination of their Contribution s with the Work to which such Contribution s was submitted If You institute patent litigation against any entity including a cross claim or counterclaim in a lawsuit alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement then any patent licenses granted to You under this License for that Work shall ...

Page 921: ... trademarks service marks or product names of the Licensor except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file 7 Disclaimer of Warranty Unless required by applicable law or agreed to in writing Licensor provides the Work and each Contributor provides its Contributions on an AS IS BASIS WITHOUT WARRANTIES OR CONDITI...

Page 922: ...he following acknowledgment This product includes software developed by the Apache Software Foundation http www apache org Alternately this acknowledgment may appear in the software itself if and wherever such third party acknowledgments normally appear The names Apache and Apache Software Foundation must not be used to endorse or promote products derived from this software without prior written p...

Page 923: ...re are designed to take away your freedom to share and change it By contrast the GNU General Public Licenses are intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This license the Lesser General Public License applies to some specially designated software packages typically libraries of the Free Software Foundation and other au...

Page 924: ...ure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder Therefore we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license Most GNU software including some libraries is covered by the ordinary GNU General Public License This license the...

Page 925: ... derived from the library whereas the latter must be combined with the library in order to run GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this ...

Page 926: ...or a table of data to be supplied by an application program that uses the facility other than as an argument passed when the facility is invoked then you must make a good faith effort to ensure that in the event an application does not supply such function or table the facility still operates and performs whatever part of its purpose remains meaningful For example a function in a library to comput...

Page 927: ... not compelled to copy the source along with the object code 5 A program that contains no derivative of any portion of the Library but is designed to work with the Library by being compiled or linked with it is called a work that uses the Library Such a work in isolation is not a derivative work of the Library and therefore falls outside the scope of this License However linking a work that uses t...

Page 928: ...1 uses at run time a copy of the library already present on the user s computer system rather than copying library functions into the executable and 2 will operate properly with a modified version of the library if the user installs one as long as the modified version is interface compatible with the version that the work was made with c Accompany the work with a written offer valid for at least t...

Page 929: ...ribute the Library or any work based on the Library the recipient automatically receives a license from the original licensor to copy distribute link with or modify the Library subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties with this License 1...

Page 930: ...tions either of that version or of any later version published by the Free Software Foundation If the Library does not specify a license version number you may choose any version ever published by the Free Software Foundation 14 If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these write to the author to ask for permissio...

Page 931: ...erbatim copies of this license document but changing it is not allowed Preamble The licenses for most software are designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This General Public License applies to most of the Free Soft...

Page 932: ...ION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License The Program below refers to any such program or work and a work based on the Program means either the Program or any derivative work under copyright law that is to say a work containing the Progra...

Page 933: ...ed from the Program and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Program the distribution of the whole must be on the terms of this License whose permissions for other lic...

Page 934: ... the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 5 You are not required t...

Page 935: ...tries either by patents or by copyrighted interfaces the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries so that distribution is permitted only in or among countries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9 The Free Softwa...

Page 936: ... OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS All other trademarks ...

Page 937: ...s License 1 8 License means this document 1 8 1 Licensable means having the right to grant to the maximum extent possible whether at the time of the initial grant or subsequently acquired any and all of the rights conveyed herein 1 9 Modifications means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications When Covered Code is release...

Page 938: ...der common control with You For purposes of this definition control means a the power direct or indirect to cause the direction or management of such entity whether by contract or otherwise or b ownership of more than fifty percent 50 of the outstanding shares or beneficial ownership of such entity 2 Source Code License 2 1 The Initial Developer Grant The Initial Developer hereby grants You a worl...

Page 939: ...ed in Sections 2 2 a and 2 2 b are effective on the date Contributor first makes Commercial Use of the Covered Code Notwithstanding Section 2 2 b above no patent license is granted 1 for any code that Contributor has deleted from the Contributor Version 2 separate from the Contributor Version 3 for infringements caused by i third party modifications of Contributor Version or ii the combination of ...

Page 940: ...e Code and b in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code 3 4 Intellectual Property Matters a Third Party Claims If Contributor has knowledge that a license under a third party s intellectual property rights is required to exercise the rights granted by such Contributor under Sections 2 1 or 2 2 Contributor must i...

Page 941: ... 6 Distribution of Executable Versions You may distribute Covered Code in Executable form only if the requirements of Sections 3 1 3 2 3 3 3 4 and 3 5 have been met for that Covered Code and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License including a description of how and where You have fulfilled the obligations of Sect...

Page 942: ...etscape may publish revised and or new versions of the License from time to time Each version will be given a distinguishing version number 6 2 Effect of New Versions Once Covered Code has been published under a particular version of the License You may always continue to use it under the terms of that version You may also choose to use such Covered Code under the terms of any subsequent version o...

Page 943: ...oper or a Contributor the Initial Developer or Contributor against whom You file such action is referred to as Participant alleging that such Participant s Contributor Version directly or indirectly infringes any patent then any and all rights granted by such Participant to You under Sections 2 1 and or 2 2 of this License shall upon 60 days notice from Participant terminate prospectively unless i...

Page 944: ...s negligence to the extent applicable law prohibits such limitation Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages so this exclusion and limitation may not apply to you 10 U S government end users The Covered Code is a commercial item as that term is defined in 48 C F R 2 101 Oct 1995 consisting of commercial computer software and commercial comp...

Page 945: ... described in Exhibit A Exhibit A Mozilla Public License The contents of this file are subject to the Mozilla Public License Version 1 1 the License you may not use this file except in compliance with the License You may obtain a copy of the License at http www mozilla org MPL Software distributed under the License is distributed on an AS IS basis WITHOUT WARRANTY OF ANY KIND either express or imp...

Page 946: ...ny Lee Onno van der Linden Igor Mandrichenko Steve P Miller Sergio Monesi Keith Owens George Petrov Greg Roelofs Kai Uwe Rommel Steve Salisbury Dave Smith Steven M Schweda Christian Spieler Cosmin Truta Antoine Verheijen Paul von Behren Rich Wales Mike White This software is provided as is without warranty of any kind express or implied In no event shall Info ZIP or its contributors be held liable...

Page 947: ...ote This Product includes libpcap 0 8 3 libnet 1 1 2 1 net snmp 5 1 1 libpcap 0 9 4 and openssh 4 3p2 software under BSD license BSD Copyright c dates as appropriate to package The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of ...

Page 948: ...rmission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN A...

Page 949: ...CE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale use or other dealing in this Software without specific written prior permission Title to copyright in this Software shall at all times remain with copyright holders OpenLD...

Page 950: ...nying documentation Although their code does not appear in gd the authors wish to thank David Koblas David Rowley and Hutchison Avenue Software Corporation for their prior contributions Note This Product includes Tablekit software under the below License Copyright c 2007 Andrew Tetlaw Millstream Web Softwarehttp www millstream com au view code tablekit Version 1 2 1 2007 03 11 Permission is hereby...

Page 951: ...E PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOW EVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE ...

Page 952: ...PROCURE MENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Note Some components of the ZyWALL USG 2000 incorporate source code covered ...

Page 953: ...cumentation 4 Restrictions You may not publish display disclose sell rent lease modify store loan distribute or create derivative works of the Software or any part thereof You may not assign sublicense convey or otherwise transfer pledge as security or otherwise encumber the rights and licenses granted hereunder with respect to the Software You may not copy reverse engineer decompile reverse compi...

Page 954: ...PLY AFTER THAT PERIOD 7 Limitation of Liability IN NO EVENT WILL ZyXEL BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES INCLUDING WITHOUT LIMITATION INDIRECT SPECIAL PUNITIVE OR EXEMPLARY DAMAGES FOR LOSS OF BUSINESS LOSS OF PROFITS BUSINESS INTERRUPTION OR LOSS OF BUSINESS INFORMATION ARISING OUT OF THE USE OF OR INABILITY TO USE THE PROGRAM OR FOR ANY CLAIM BY ANY ...

Page 955: ...on and to certify in writing that all known copies including backup copies have been destroyed All provisions relating to confidentiality proprietary rights and non disclosure shall survive the termination of this Software License Agreement 12 General This License Agreement shall be construed interpreted and governed by the laws of Republic of China without regard to conflicts of laws provisions t...

Page 956: ...Appendix E Open Software Announcements ZyWALL USG 2000 User s Guide 956 ...

Page 957: ...ing out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyX...

Page 958: ...levision reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected 4 Consul...

Page 959: ...all deem necessary to restore the product or components to proper operating condition Any replacement will consist of a new or re manufactured functionally equivalent product of equal or higher value and will be solely at the discretion of ZyXEL This warranty shall not apply if the product has been modified misused tampered with damaged by an act of God or subjected to abnormal working conditions ...

Page 960: ...Appendix F Legal Information ZyWALL USG 2000 User s Guide 960 ...

Page 961: ...ess control attacks 500 Access Point Name see APN access users 616 617 custom page 720 forcing login 617 idle timeout 624 logging in 617 multiple logins 625 see also users 616 Web Configurator 629 access users see also force user authentication policies account myZyXEL com 155 user 615 accounting server 649 ACT LED 36 Active Directory see AD active protocol 365 AH 365 and encapsulation 366 ESP 365...

Page 962: ...H 337 365 and transport mode 366 alerts 766 770 773 774 775 anti spam 580 anti virus 478 IDP 498 ALG 293 299 and firewall 293 296 and NAT 294 and policy routes 295 296 299 and trunks 299 and virtual servers 296 configuration overview 99 FTP 294 H 323 294 300 peer to peer calls 295 RTP 300 see also VoIP pass through 294 SIP 294 tutorial 125 announcements software 911 Anomaly Detection and Preventio...

Page 963: ...mize bandwidth usage 447 448 460 464 over allotment of bandwidth 448 port less 444 ports 444 prerequisites 95 priority 448 priority effect 448 protocol statistics 467 registration status 453 service ports 444 statistics 465 trial service activation 156 unidentified applications 460 updating signatures 161 vs firewall 309 311 applications 43 AppPatrol see application patrol 161 ASAS Authenex Strong...

Page 964: ...ntication Authorization Accounting servers see AAA server authorization server 649 AUX LED 35 AUX port 744 see also auxiliary interface 744 auxiliary interface 170 216 217 744 when used 217 B backdoor attacks 500 backing up configuration files 754 backslashes 537 bad length options attack 538 bandwidth egress 197 ingress 197 usage statistics 466 bandwidth management 443 and policy routes 243 behav...

Page 965: ...chronization device HA 611 and VPN gateways 332 and WWW 718 certification path 666 676 682 expired 666 factory default 667 file formats 667 fingerprints 677 683 importing 670 in IPSec 349 in the VPN wizard 80 not used for encryption 666 revoked 666 self signed 666 672 serial number 676 683 storage space 669 679 thumbprint algorithms 668 thumbprints 668 used for authentication 666 verifying fingerp...

Page 966: ...42 562 by URL 542 561 by web feature 542 561 cache 562 565 categories 552 category service 550 configuration overview 96 default policy 542 544 external web filtering service 550 565 filter list 542 license status 143 managed web pages 551 message for blocked access 545 policies 541 542 prerequisites 96 registration status 158 546 550 reports see content filtering reports statistics 787 testing 55...

Page 967: ...ee device HA 595 device introduction 31 DHCP 222 702 and DNS servers 224 and domain name 702 and interfaces 223 client list 148 pool 223 static 185 static DHCP 223 diagnostics 795 dial backup 170 dial backup port and dial in management 744 DIAL BACKUP port 216 See also auxiliary interface dial in management answer rings 745 AT command strings 744 Dial string 744 DTR 744 initial string 745 mute 745...

Page 968: ... 422 437 IPSec 338 RSA 676 encryption algorithms 359 3DES 359 AES 360 and active protocol 359 DES 359 encryption method 689 end of IP list 506 enforcing policies in IPSec 337 error messages 55 ESP 337 365 and transport mode 366 Ethereal 514 Ethernet interfaces 103 170 and OSPF 179 and RIP 179 and routing protocols 177 basic characteristics 171 virtual 219 Ethernet ports 31 32 default settings 32 e...

Page 969: ...ent version 139 759 getting updated 758 uploading 758 759 uploading with FTP 738 flags 505 flash usage 139 flood detection 534 force log out 378 force user authentication policies 625 and address groups 628 and address objects 628 and schedules 628 prerequisites 100 forcing login 617 FQDN 710 fragmentation flag 511 fragmentation offset 511 fragmenting IPSec packets 333 front panel ports 31 FTP 738...

Page 970: ...tification IP 510 identifying legitimate e mail 575 spam 576 IDP 487 action 498 alerts 498 and services 638 applying custom signatures 517 base profiles 488 492 configuration overview 96 custom signature example 514 custom signatures 504 false negatives 494 false positives 494 inline profile 494 license status 142 log options 498 monitor profile 494 packet inspection profiles 495 packet inspection...

Page 971: ...c routes 245 and virtual servers 276 and VPN gateways 332 and VRRP groups 604 and zones 86 170 as DHCP relays 223 as DHCP servers 223 702 auxiliary see also auxiliary interface backup see trunks bandwidth management 222 232 bridge see also bridge interfaces cellular 170 configuration overview 90 default configuration 88 DHCP clients 221 Ethernet see also Ethernet interfaces gateway 222 general cha...

Page 972: ...s 338 remote access 336 remote IPSec router 329 remote network 329 remote policy 337 replay detection 336 SA life time 337 SA monitor 357 SA see also IPSec SA 365 see also VPN site to site with dynamic peer 336 static site to site 336 transport encapsulation 337 tunnel encapsulation 337 VPN gateway 332 IPSec SA active protocol 365 and firewall 312 800 and to ZyWALL firewall 799 authentication algo...

Page 973: ...re used 92 WINS 410 LAN interface 31 IP address 31 LAND attack 536 lastgood conf 754 757 Layer 2 Tunneling Protocol Virtual Private Network see L2TP VPN 407 LDAP 649 and users 616 Base DN 652 Bind DN 652 653 655 CN identifier 653 656 default server settings 653 directory 649 directory structure 651 Distinguished Name see DN DN 652 653 656 group 654 group members 656 host 653 655 password 653 655 p...

Page 974: ... 5 see MD5 messages 55 CLI 57 warning 56 metrics see reports Microsoft Challenge Handshake Authentication Protocol MSCHAP 218 689 Challenge Handshake Authentication Protocol Version 2 MSCHAP V2 218 689 Point to Point Encryption MPPE 689 Windows Plug and Play Service Remote Overflow MS 05 39 attack 514 mini GBIC ports 33 connection speed 33 connector type 33 transceiver installation 33 transceiver ...

Page 975: ...ined char attack 537 HTTP delimiter attack 538 NSSA 252 O object based configuration 85 objects 85 99 372 AAA server 649 addresses and address groups 631 authentication method 661 certificates 665 for configuration 85 introduction to 85 schedules 643 services and service groups 637 SSL application 691 users user groups 615 obsolete options attack 538 offset patterns 513 One Time Password OTP 650 O...

Page 976: ...r P2P 499 calls 125 295 managing 443 Perfect Forward Secrecy PFS 338 Diffie Hellman key group 366 Personal Identification Number code see PIN code PFS Perfect Forward Secrecy 338 366 phishing 552 physical ports 31 and interfaces 86 packet statistics 149 150 PIN code 197 PIN generator 650 pointer record 711 Point to Point Protocol over Ethernet see PPPoE Point to Point Tunneling Protocol see PPTP p...

Page 977: ... and GRE 224 as VPN 224 privacy concerns 553 product overview 31 registration 959 profiles ADP 525 packet inspection 495 proposals in IPSec 338 protocol anomaly 522 537 detection 530 protocol usage statistics 467 proxy servers 290 web see web proxy servers PTR record 711 public server tutorial 133 Public Key Infrastructure PKI 666 public private key pairs 665 PWR LEDs 35 Q query view IDP 497 501 Q...

Page 978: ... proxy mode 43 371 RFC 1058 RIP 250 1389 RIP 250 1587 OSPF areas 252 1631 NAT 245 1889 RTP 300 2131 DHCP 222 2132 DHCP 222 2328 OSPF 251 2338 VRRP 604 2402 AH 337 365 2406 ESP 337 365 2510 Certificate Management Protocol or CMP 673 2516 PPPoE 224 2637 PPTP 224 2890 GRE 224 3261 SIP 300 RIP 250 and Ethernet interfaces 179 and OSPF 250 and static routes 250 and to ZyWALL firewall 250 authentication ...

Page 979: ...iggering 242 subscription 154 where used 99 Session Initiation Protocol see SIP session limits 312 323 session monitor L2TP VPN 410 sessions 780 sessions usage 139 146 severity IDP 493 497 SHA1 360 shell scripts 751 and users 630 downloading 761 editing 760 how applied 752 managing 760 not stopping or starting the ZyWALL 37 syntax 752 uploading 762 shutdown 37 signal quality 201 signature categori...

Page 980: ...l desktop logo 379 computer names 376 connection monitor 377 full tunnel mode 376 global setting 378 IP pool 376 network list 376 remote user login 384 remote user logout 390 see also SSL VPN 371 user screen bookmarks 390 user screens 383 389 user screens access methods 383 user screens certificates 384 user screens login 384 user screens logout 390 user screens required information 384 user scree...

Page 981: ...58 453 476 trial service activation 156 upgrading 158 supported browsers 47 supporting disc 4 SYN flood 536 synchronization 596 and subscription services 596 information synchronized 611 password 602 607 port number 602 607 restrictions 611 syntax conventions 6 SYS LED 35 syslog 767 773 syslog servers see also logs system log see logs system name 139 702 system protect updating signatures 163 syst...

Page 982: ... 799 packet flow 41 truncated address header attack 539 truncated header attack 539 truncated options attack 538 truncated timestamp header attack 539 trunk 31 trunks 171 225 and ALG 299 and policy routes 226 241 configuration overview 91 member interface mode 232 member interfaces 231 prerequisites 91 see also load balancing 225 tutorial 109 where used 91 Trusted Certificates see also certificate...

Page 983: ...firewall 322 325 and LDAP 616 and policy routes 240 456 458 461 463 and RADIUS 616 and service control 715 and shell scripts 630 attributes for Ext User 616 attributes for LDAP 630 attributes for RADIUS 630 attributes in AAA servers 630 configuration overview 100 currently logged in 141 151 default lease time 624 627 default reauthentication time 624 627 default type for Ext User 616 Ext User type...

Page 984: ...ssociations SA 330 see also IKE SA see also IPSec 329 see also IPSec SA see also L2TP VPN 329 status 147 VPN concentrator 354 advantages 354 and IPSec SA policy enforcement 356 disadvantages 354 VPN connections and address objects 332 and policy routes 240 241 799 VPN gateways and certificates 332 and extended authentication 332 and interfaces 332 and to ZyWALL firewall 800 VRID 606 VRPT Vantage R...

Page 985: ...L2TP VPN 410 WINS server 183 410 Wizard Setup 59 worm 472 500 attacks 500 WWW 716 and address groups 720 and address objects 720 and authentication method objects 719 and certificates 718 and zones 720 see also HTTP HTTPS 122 716 www zyxel com 4 Z zones 86 261 and firewall 310 320 and FTP 739 and interfaces 86 261 and SNMP 743 and SSH 735 and Telnet 738 and VPN 86 261 and WWW 720 block intra zone ...

Page 986: ...Index ZyWALL USG 2000 User s Guide 986 ...

Reviews:

No comments

Related manuals for ZyXEL ZyWALL USG-1000

Proventia GX5000 Series

Brand: IBM Pages: 3

Brand: IBM Pages: 2

Brand: IBM Pages: 7

NetPilot Globemaster

Brand: NetPilot Pages: 36

Brand: Solida systems Pages: 49

Brand: Watchguard Pages: 37

Brand: Fujitsu Pages: 72

FortiGate-3016B

Brand: Fortinet Pages: 2

Brand: Fortinet Pages: 2

FortiGate-1240B

Brand: Fortinet Pages: 2

Brand: Fortinet Pages: 2

FortiGate Voice-80C

Brand: Fortinet Pages: 2

FortiGate FortiGate-800F

Brand: Fortinet Pages: 2

FortiGate FortiGate-60B

Brand: Fortinet Pages: 2

Brand: Fortinet Pages: 2

Brand: Fortinet Pages: 16

FortiGate FortiGate-50B

Brand: Fortinet Pages: 52

FortiGate FortiGate-800

Brand: Fortinet Pages: 64

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands