www.zyxel.com

ZyWALL USG 50-H Series

Unified Security Gateway

User’s Guide

Version 2.16
6/2009
Edition 1

DEFAULT LOGIN

Port: LAN/DMZ 1
IP Address: https://192.168.1.1
User Name: admin
Password: 1234

Contents of ZyWall USG 50-H Series

Page 1: ...www zyxel com ZyWALL USG 50 H Series Unified Security Gateway User s Guide Version 2 16 6 2009 Edition 1 DEFAULT LOGIN Port LAN DMZ 1 IP Address https 192 168 1 1 User Name admin Password 1234...

Page 2: ......

Page 3: ...are arranged by menu item as defined in the web configurator Read each chapter carefully for detailed information on that menu item To find specific information in this guide use the Contents Overview...

Page 4: ...ons Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan E mail techwriters zyxel com tw Need More Help More help is available at www zyxel com Download Library Search for the la...

Page 5: ...contact your vendor then contact a ZyXEL office for the region in which you bought the device See http www zyxel com web contact_us php for contact information Please have the following information r...

Page 6: ...A key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the EN...

Page 7: ...s Guide 7 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyWALL icon is not an exact representation of your device ZyWALL Computer Notebook computer Server...

Page 8: ...plug and connect it to a power outlet by itself always attach the plug to the power adaptor first before connecting it to a power outlet Do NOT allow anything to rest on the power adaptor or cord and...

Page 9: ...with this symbol which is known as the WEEE mark WEEE stands for Waste Electronics and Electrical Equipment It means that used electrical and electronic products should not be mixed with general waste...

Page 10: ...Safety Warnings ZyWALL USG 50 H User s Guide 10...

Page 11: ...s 93 Status 131 Network 145 Interface 147 Trunks 217 Policy and Static Routes 225 Routing Protocols 237 Zones 247 DDNS 251 Virtual Servers 257 HTTP Redirect 269 ALG 273 IP MAC Binding 281 Firewall 287...

Page 12: ...Services 463 Schedules 469 AAA Server 475 Authentication Method 485 Certificates 489 SSL Application 507 System 511 System 513 Maintenance Troubleshooting Specifications 551 File Manager 553 Logs 563...

Page 13: ...the ZyWALL 33 Chapter 2 Features and Applications 35 2 1 Features 35 2 2 Packet Flow 36 2 2 1 Interface to Interface Through ZyWALL 37 2 2 2 Interface to Interface To From ZyWALL 37 2 2 3 Interface t...

Page 14: ...ignment 60 4 3 9 Step 2 Internet Access PPTP 61 4 3 10 Step 4 Internet Access Finish 63 4 4 Installation Setup Two Internet Service Providers 63 4 4 1 Internet Access Wizard Setup Complete 65 4 5 Wire...

Page 15: ...Accounts 98 6 4 2 How to Create the WLAN Interface 98 6 4 3 How to Set Up the Wireless Clients to Use the WLAN Interface 100 6 5 How to Set Up an IPSec VPN 110 6 5 1 How to Set Up the VPN Gateway 110...

Page 16: ...4 7 2 2 The Memory Usage Screen 135 7 2 3 The Session Usage Screen 136 7 2 4 The VPN Status Screen 137 7 2 5 The DHCP Table Screen 138 7 2 6 The Port Statistics Screen 139 7 2 7 The Port Statistics Gr...

Page 17: ...6 8 13 VLAN Interface Screen 197 8 13 1 Configuring the VLAN Summary Screen 199 8 13 2 Configuring the VLAN Add Edit Screen 200 8 14 Bridge Interface Screen 205 8 14 1 Configuring the Bridge Summary S...

Page 18: ...12 1 1 What You Can Do in the Zones Screens 247 12 1 2 What You Need to Know About Zones 247 12 2 The Zone Screen 248 12 2 1 The Zone Edit Screen 249 Chapter 13 DDNS 251 13 1 DDNS Overview 251 13 1 1...

Page 19: ...7 1 1 What You Can Do in the IP MAC Binding Screens 281 17 1 2 What You Need to Know About IP MAC Binding 282 17 2 IP MAC Binding Summary 282 17 2 1 IP MAC Binding Edit 282 17 2 2 Static DHCP Edit 283...

Page 20: ...en 328 19 6 IPSec VPN Background Information 330 Chapter 20 SSL VPN 341 20 1 Overview 341 20 1 1 What You Can Do in the SSL VPN Screens 341 20 1 2 What You Need to Know About SSL VPN 341 20 2 The SSL...

Page 21: ...25 3 Configuring the Default L2TP VPN Connection Example 370 25 4 Configuring the L2TP VPN Settings Example 372 25 5 Configuring the Policy Route for L2TP Example 372 25 6 Configuring L2TP VPN in Win...

Page 22: ...file Summary Screen 426 27 3 1 Base Profiles 426 27 3 2 Configuring The ADP Profile Summary Screen 427 27 3 3 Creating New ADP Profiles 427 27 3 4 Traffic Anomaly Profiles 428 27 3 5 Protocol Anomaly...

Page 23: ...reen 466 30 3 1 The Service Group Add Edit Screen 467 Chapter 31 Schedules 469 31 1 Overview 469 31 1 1 What You Can Do in the Schedule Screens 469 31 1 2 What You Need to Know About Schedules 469 31...

Page 24: ...icates 489 34 1 3 Verifying a Certificate 491 34 2 The My Certificates Screen 492 34 2 1 The My Certificates Add Screen 493 34 2 2 The My Certificates Edit Screen 496 34 2 3 The My Certificates Import...

Page 25: ...Record 523 36 5 10 Adding a DNS Service Control Rule 524 36 6 WWW Overview 524 36 6 1 Service Access Limitations 525 36 6 2 System Timeout 525 36 6 3 HTTPS 526 36 6 4 Configuring WWW Service Control...

Page 26: ...Screens 565 38 4 1 Log Setting Summary 566 38 4 2 Edit System Log Settings 567 38 4 3 Edit Remote Server Log Settings 570 38 4 4 Active Log Summary Screen 572 Chapter 39 Reports 575 39 1 Overview 575...

Page 27: ...ecifications 591 43 2 Power Adaptor Specifications 595 Part X Appendices and Index 597 Appendix A Log Descriptions 599 Appendix B Common Services 637 Appendix C Importing Certificates 641 Appendix D W...

Page 28: ...Table of Contents ZyWALL USG 50 H User s Guide 28...

Page 29: ...29 PART I Getting Started Introducing the ZyWALL 31 Features and Applications 35 Web Configurator 41 Configuration Basics 79 Tutorials 93 Status 131...

Page 30: ...30...

Page 31: ...r powerful features Flexible configuration helps you set up the network and enforce security policies efficiently See Chapter 2 on page 35 for a more detailed overview of the ZyWALL s features The ZyW...

Page 32: ...information about the CLI Table 1 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The ZyWALL is turned off Green On The ZyWALL is turned on Red On There is a hardware component failure Shut dow...

Page 33: ...ETHOD DESCRIPTION Connecting the power A cold start occurs when you turn on the power to the ZyWALL The ZyWALL powers up checks the hardware and starts the system processes Rebooting the ZyWALL A warm...

Page 34: ...Chapter 1 Introducing the ZyWALL ZyWALL USG 50 H User s Guide 34...

Page 35: ...vide secure communication between two sites over the Internet or any insecure network that uses TCP IP for communication The ZyWALL also offers hub and spoke IPSec VPN Security Zones Many security set...

Page 36: ...s individual features like text messaging voice video conferencing and file transfers Application patrol has powerful bandwidth management including traffic prioritization to enhance the performance...

Page 37: ...LG DNAT Routing zFW IPSec D ALG AC DNAT Routing FW AP SNAT BWM Encap VLAN Ethernet 2 2 4 Interface to Interface To VPN Tunnel This example shows the flow to a VPN tunnel from a source other than the Z...

Page 38: ...what is known as full tunnel mode SSL VPN network access In full tunnel mode a virtual connection is created for remote users with private IP addresses in the same subnet as the local network This all...

Page 39: ...rmation and shared resources based on the user who is trying to access it Figure 5 Applications User Aware Access Control 2 3 4 Multiple WAN Interfaces Set up multiple connections to the Internet on t...

Page 40: ...Chapter 2 Features and Applications ZyWALL USG 50 H User s Guide 40...

Page 41: ...Allow pop up windows blocked by default in Windows XP Service Pack 2 Enable JavaScripts enabled by default Enable Java permissions enabled by default Enable cookies The recommended screen resolution...

Page 42: ...ears Otherwise the main screen Figure 9 on page 43 appears Figure 8 Update Admin Info Screen 5 The screen above appears every time you log in using the default user name and default password If you ch...

Page 43: ...Main Screen 3 3 Web Configurator Main Screen As illustrated in Figure 9 on page 43 the main screen is divided into these parts A title bar B navigation panel C main window D status bar 3 3 1 Title Bar...

Page 44: ...tus system resource usage and interface status Network Interface Status Use this screen to see information about all of the ZyWALL s interfaces and their connection status Port Role Use this screen to...

Page 45: ...is screen to monitor current SSL VPN connection Global Setting Use this screen to configure the ZyWALL s SSL VPN settings that apply to all connections L2TP VPN L2TPVPN Use this screen to configure L2...

Page 46: ...ADIUS Group Use this screen to create and manage groups of RADIUS servers Auth Method Use these screens to create and manage ways of authenticating users Certificate My Certificates Use this screen to...

Page 47: ...manage and upload configuration files for the ZyWALL Firmware Package Use this screen to look at the current firmware version and to upload firmware Shell Script Use this screen to manage and run shel...

Page 48: ...configurator These commands appear in a popup window such as the following Figure 12 CLI Messages Click Change Display Style to show or hide the index numbers for the commands the commands are more co...

Page 49: ...TALLATION SETUP ONE ISP Click this link to open a wizard to set up a single Internet connection for Gigabit Ethernet interface wan1 This wizard creates matching ISP account settings in the ZyWALL if y...

Page 50: ...e 13 Wizard Setup Welcome 4 2 Installation Setup One ISP The wizard screens vary depending on what encapsulation type you use Refer to information provided by your ISP to know what to enter in each fi...

Page 51: ...Assignment Select Auto If your ISP did not assign you a fixed IP address Select Static If the ISP assigned a fixed IP address Table 7 Internet Access Step 1 LABEL DESCRIPTION ISP Parameters Encapsulat...

Page 52: ...the following screen displays Click Next to apply the configuration settings Figure 15 Ethernet Encapsulation Auto Finish You have set up your ZyWALL to access the Internet Click Close to exit the wiz...

Page 53: ...ify here to resolve domain names for VPN DDNS and the time server Table 8 Ethernet Encapsulation Static LABEL DESCRIPTION ISP Parameters Encapsulation This displays the type of Internet connection you...

Page 54: ...PPoE Auto IP Address Assignment If you select Auto as the IP Address Assignment in the previous screen the following screen displays after you click Next Figure 18 PPPoE Encapsulation Auto The followi...

Page 55: ...characters and it can be up to 31 characters long Password Type the password associated with the user name above Use up to 64 ASCII characters except the and This field can be blank Retype to Confirm...

Page 56: ...cept the and This field can be blank Retype to Confirm Type your password again for confirmation Nailed Up Select Nailed Up if you do not want the connection to time out Idle Timeout Type the time in...

Page 57: ...n the previous screen WAN Interface This is the number of the interface that will connect with your ISP Zone This is the security zone to which this interface and Internet connection will belong IP Ad...

Page 58: ...ulation Static Finish You have set up your ZyWALL to access the Internet Click Close to exit the wizard 4 3 7 PPTP Auto IP Address Assignment If you select Auto as the IP Address Assignment in the pre...

Page 59: ...ur ISP if given Server IP Type the IP address of the PPTP server Connection ID Enter the connection ID or connection name in this field It must follow the c id and n name format For example C 12 or N...

Page 60: ...TP Encapsulation Auto Finish You have set up your ZyWALL to access the Internet Click Close to exit the wizard 4 3 8 PPTP Static IP Address Assignment If you select Static as the IP Address Assignment...

Page 61: ...ou by your ISP if given Server IP Type the IP address of the PPTP server Connection ID Enter the connection ID or connection name in this field It must follow the c id and n name format For example C...

Page 62: ...pe a Connection ID or connection name It must follow the c id and n name format For example C 12 or N My ISP This field is optional and depends on the requirements of your broadband modem or router 4...

Page 63: ...etup Two Internet Service Providers This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers ISPs or two different accounts with t...

Page 64: ...you can configure the Second WAN Interface Click Next to continue Figure 27 Internet Access Step 3 Second WAN Interface After you configure the Second WAN Interface a summary of configuration setting...

Page 65: ...ters for the wireless LAN Channel The ZyWALL automatically scans for and selects an available wireless frequency Security Select the type of wireless security to use for this wireless LAN interface WE...

Page 66: ...DNS server information to the wireless clients The ZyWALL is the DHCP server for the wireless network None has the ZyWALL not be the DHCP server for the wireless network There must be another DHCP se...

Page 67: ...nnection and VPN gateway settings a policy route and address objects that you can use later in configuring more VPN connections or other features Click VPN SETUP in the Wizard Setup Welcome screen Fig...

Page 68: ...ey and default security settings Advanced Use this wizard to configure detailed VPN security settings such as using certificates The VPN connection can be to another ZLD based ZyWALL or other IPSec de...

Page 69: ...zard Step 3 LABEL DESCRIPTION Secure Gateway If Any displays in this field it is not configurable for the chosen scenario If this field is configurable enter the WAN IP address or domain name of the r...

Page 70: ...ses on a network by their subnet mask type the subnet mask of the LAN behind the remote gateway Back Click Back to return to the previous screen Next Click Next to continue Table 16 VPN Express Wizard...

Page 71: ...the matching VPN connection settings for the remote gateway If the remote gateway is a ZLD based ZyWALL you can copy and paste this list into its command line interface in order to configure it for t...

Page 72: ...be a number This value is case sensitive Site to site Choose this if the remote IPSec router has a static IP address or a domain name This ZyWALL can initiate the VPN tunnel Site to site with Dynamic...

Page 73: ...tion mode Encryption Algorithm When DES is used for data communications both sender and receiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and v...

Page 74: ...message to the remote IPSec server If the remote IPSec server responds the ZyWALL transmits the data If the remote IPSec server does not respond the ZyWALL shuts down the IKE SA Authentication Method...

Page 75: ...ey which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES tha...

Page 76: ...ts encrypted by the remote IPSec router to enter the ZyWALL via this interface Remote Policy IP Mask If Any displays in this field it is not configurable for the chosen scenario If this field is confi...

Page 77: ...ur ZyWALL Remote Policy This is a static IP address and Subnet Mask on the network behind the remote IPSec router If this field displays Any only the remote IPSec router can initiate the VPN connectio...

Page 78: ...p ZyWALL USG 50 H User s Guide 78 Figure 41 VPN Wizard Step 6 Advanced If you have not already done so you can register your ZyWALL with myZyXEL com and activate trials of services like IDP Click Clos...

Page 79: ...available for system management 5 1 Object based Configuration The ZyWALL stores information or settings as objects You use these objects to configure many of the ZyWALL s features and settings Once y...

Page 80: ...ons via a connected 3G device WLAN interfaces are for wireless LAN IEEE 802 11b g n connections VLAN interfaces recognize tagged frames The ZyWALL automatically adds or removes the tags as needed Each...

Page 81: ...d Zone Configuration This section explains the ZyWALL s factory default zone and interface configuration The following figure uses letters to denote public IP addresses or part of a private IP address...

Page 82: ...8 3 254 range The WLAN zone contains the wlan1 1 interface and uses the built in wireless LAN interface This is a second protected zone for connecting wireless access points The wlan interface uses pr...

Page 83: ...OSI level 7 bandwidth management Application patrol General bandwidth management Policy route MENU ITEM S This shows you the sequence of menu items and tabs you should click to find the main screen s...

Page 84: ...on page 93 5 4 5 SSL VPN Use SSL VPN to provide secure network access to remote users MENU ITEM S Network Interface except Network Interface Trunk PREREQUISITES Port groups configured in the Interface...

Page 85: ...Edit icon and add the DMZ interface and click Apply 5 4 8 DDNS Dynamic DNS maps a domain name to a dynamic IP address The ZyWALL helps maintain this mapping 5 4 9 Policy Routes Use policy routes to c...

Page 86: ...width FTP traffic can use You may also want to set a low priority for FTP traffic The ZyWALL checks the policy routes in the order that they are listed So make sure that your custom policy route comes...

Page 87: ...d to specify the destination address Leave the Access field set to Allow and the Log field set to No The ZyWALL checks the firewall rules in order Make sure each rule is in the correct place in the se...

Page 88: ...the virtual server Add an entry 2 Name the entry 3 Select the WAN interface that the FTP traffic is to come in through in this example wan1 or wan2 4 Specify the public WAN IP address where the ZyWALL...

Page 89: ...this table when you want to delete an object because you have to delete references to the object first PREREQUISITES Interfaces MENU ITEM S Network ALG Table 27 Objects Overview OBJECT WHERE USED user...

Page 90: ...se HTTPS to manage the ZyWALL from the WAN 1 Create an administrator account User Group 2 Create an address object for the administrator s computer Object Address 3 Click System WWW to configure the H...

Page 91: ...or large repetitive configuration changes for example creating a lot of VPN tunnels and for troubleshooting You can edit configuration files and shell scripts in any text editor 5 6 3 Logs and Reports...

Page 92: ...Chapter 5 Configuration Basics ZyWALL USG 50 H User s Guide 92...

Page 93: ...ZyWALL See also Chapter 25 on page 369 for an example of configuring L2TP 6 1 How to Configure an Ethernet Interface You need to assign the ZyWALL s WAN1 a static IP address of 1 2 3 4 Click Network...

Page 94: ...an1 6 2 How to Configure Port Roles You can configure to which interface a physical port belongs Here is how to remove the LAN1 DMZ port 4 P6 from the dmz interface and add it to the lan2 interface 1...

Page 95: ...connected to each of the ZyWALL s two USB ports Table 227 on page 591 lists the compatible 3G devices In this example you install or connect the 3G card before you configure the cellular interfaces bu...

Page 96: ...security settings Leaving Zone blank has the ZyWALL not apply any security settings to the 3G connection Enter the PIN Code provided by the cellular 3G service provider 0000 in this example In Relate...

Page 97: ...le test disconnect all of the ZyWALL s wired WAN connections If you can still access the Internet your cellular interface is properly configured and your cellular device is working To fine tune the lo...

Page 98: ...d Click OK Figure 49 Object User Group User Add 3 Use the Add icon in the Object User Group User screen to set up the remaining user accounts in similar fashion 6 4 2 How to Create the WLAN Interface...

Page 99: ...pe otherwise select WPA Enterprise Set the Authentication Type to Auth Method The ZyWALL can use its default authentication method the local user database and its default certificate to authenticate t...

Page 100: ...to configure ZyXEL s wireless client utility not included with the ZyWALL to use the WLAN interface See Section 6 4 3 2 on page 103 instead for how to use Funk Odyssey s wireless client software if y...

Page 101: ...ect WPA2 as the security type and click Next Figure 55 ZyXEL Wireless Client Profile Security Type 4 Set the encryption type to TKIP and the EAP type to TTLS Configure wlan_user as the Login Name and...

Page 102: ...6 ZyXEL Wireless Client Profile Security Settings 5 Confirm your settings and click Save Figure 57 ZyXEL Wireless Client Profile Save 6 Click Activate Now Figure 58 ZyXEL Wireless Client Profile Activ...

Page 103: ...nk Odyssey Wireless Client This example shows how to configure Funk s Odyssey Access Client Manager wireless client software not included with the ZyWALL to use the WLAN interface 1 Open the Odyssey w...

Page 104: ...104 Figure 61 Odyssey Access Client Manager Profiles User Info 3 Click the Authentication tab and select Validate server certificate Figure 62 Odyssey Access Client Manager Profiles Authentication 4...

Page 105: ...iles Authentication 5 Click Networks Add Figure 64 Odyssey Access Client Manager Networks 6 Enter the name of the wireless network ZYXEL_WPA in this example or click Scan to look for it Then select Au...

Page 106: ...4 3 3 How the Wireless Clients Import the ZyWALL s Certificate You must import the ZyWALL s certificate into the wireless clients if they are to validate the ZyWALL s certificate Use the My Certifica...

Page 107: ...k the Certificates button Figure 66 Internet Explorer Tools Internet Options Content 2 Click Import Figure 67 Internet Explorer Tools Internet Options Content Certificates 3 Use the wizard screens to...

Page 108: ...default setting Figure 69 Internet Explorer Certificate Import Wizard Certificate Store Screen 5 If you get a security warning screen click Yes to proceed Figure 70 Internet Explorer Certificate Impo...

Page 109: ...followed by a hyphen to indicate what type of information is being displayed such as Common Name CN Organizational Unit OU Organization O and Country C Figure 72 Object Certificate My Certificates Re...

Page 110: ...peer IPSec router Y 172 16 1 0 24 6 5 1 How to Set Up the VPN Gateway The VPN gateway manages the IKE SA You do not have to set up any other objects before you configure the VPN gateway because this V...

Page 111: ...dress Click the Add icon 2 Give the new address object a name VPN_REMOTE_SUBNET change the Address Type to SUBNET Set up the Network field to 172 16 1 0 and the Netmask to 255 255 255 0 Click OK Figur...

Page 112: ...unnel 1 Click Network Routing Policy Route You want this policy route to have higher priority than the default policy route for the trunk so click the Add icon at the top of the column not the one nex...

Page 113: ...the VPN connection screen s Connect icon 6 5 4 How to Configure Security Policies for the VPN Tunnel You configure security policies based on zones The new VPN connection was assigned to the IPSec_VP...

Page 114: ...unt for each user account in the RADIUS server If it is possible to export user names from the RADIUS server to a text file then you might create a script to create the user accounts instead This exam...

Page 115: ...the RADIUS Server This step sets up user authentication using the RADIUS server First configure the settings for the RADIUS server Then set up the authentication method and configure the ZyWALL to us...

Page 116: ...en select force in the Authentication field Keep the rest of the default settings and click OK The users will have to log in using the web configurator login screen before they can use HTTP or MSN Fig...

Page 117: ...the Common tab and then the Edit icon next to the default http service Figure 87 AppPatrol BWM Common 3 Click the Default policy s Edit icon Figure 88 AppPatrol BWM Common http 4 Change the access to...

Page 118: ...OK Repeat this process to add exceptions for all the other user groups that are allowed to browse the web Figure 90 AppPatrol BWM Common http Edit Default 6 6 5 How to Set Up MSN Policies Set up a re...

Page 119: ...you configure the policy for the Sales group s MSN access 6 6 6 How to Set Up Firewall Rules Use the firewall to control access from LAN1 to the DMZ 1 Click Firewall In From Zone select LAN1 in To Zo...

Page 120: ...e 94 Firewall Add 5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ 6 7 How to Configure Load Balancing The following example shows how to set...

Page 121: ...available bandwidth 1000 kbps in the Egress Bandwidth field Click OK Figure 96 Network Interface Ethernet Edit wan1 2 Click the Edit icon for wan2 and enter the available bandwidth 512 kbps in the Eg...

Page 122: ...to any kind of HTTP or HTTPS connection to the ZyWALL They do not distinguish between administrator management access and user access If you configure service control to allow management or user HTTP...

Page 123: ...99 System WWW Service Control Rule Edit 4 Click the new rule s Add icon Figure 100 System WWW First Example Admin Service Rule Configured 5 Set the Zone to ALL and set the Action to Deny Click OK Fig...

Page 124: ...PN for example 6 9 How to Allow Incoming H 323 Peer to peer Calls Suppose you have a H 323 device on LAN1 for VoIP calls and you want it to be able to receive peer to peer calls from the WAN Here is a...

Page 125: ...323 In this example you need a virtual server policy to forward H 323 TCP port 1720 traffic received on the ZyWALL s 10 0 0 8 WAN IP address to LAN1 IP address 192 168 1 56 1 Use Object Address Add t...

Page 126: ...ss 192 168 1 56 1 Click Firewall In From Zone select WAN in To Zone select LAN1 2 The default rule for WAN to LAN1 traffic drops all traffic You want to allow H 323 access through IP address 10 0 0 8...

Page 127: ...e the screen as follows and click OK Figure 110 Firewall WAN to LAN Add Now people can call the H 323 device through the Internet 6 10 How to Allow Public Access to a Server This is an example of maki...

Page 128: ...ddress 6 10 2 How to Configure a Virtual Server You need a virtual server to send HTTP traffic coming to IP address 1 1 1 2 on wan2 to the HTTP server s private IP address of 192 168 3 7 In the Networ...

Page 129: ...e NAT 1 1 Example on page 261 for details Select Add corresponding Policy Route rule for NAT Loopback to allow local users to use a domain name to access the HTTP server See NAT Loopback Example on pa...

Page 130: ...Chapter 6 Tutorials ZyWALL USG 50 H User s Guide 130...

Page 131: ...7 2 5 on page 138 to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses Use the Port Statistics screen see Section 7 2 6 on page 139 t...

Страница 132: ...where you can change it See Section 36 2 on page 514 Model Name This field displays the model name of this ZyWALL Serial Number This field displays the serial number of this ZyWALL MAC Address Range T...

Страница 133: ...firmware upgrade System default configuration The ZyWALL applied the system default configuration Fallback to lastgood configuration The ZyWALL was unable to apply the startup config conf configuratio...

Страница 134: ...Table 55 on page 177 for the status that can appear For wireless LAN WLAN interfaces Down The wireless LAN feature or the interface is disabled Up The wireless LAN feature is enabled and the interfac...

Страница 135: ...s recent memory RAM usage To access this screen click Memory Usage in the Status screen Table 31 Status CPU Usage LABEL DESCRIPTION 100 The y axis represents the percentage of CPU usage time The x axi...

Страница 136: ...ecent traffic session usage To access this screen click Session Usage in the Status screen Table 32 Status Memory Usage LABEL DESCRIPTION 100 The y axis represents the percentage of RAM usage time The...

Страница 137: ...e currently established To access this screen click VPN Status in the Status screen Table 33 Status Session Usage LABEL DESCRIPTION Sessions The y axis represents the number of session time The x axis...

Страница 138: ...Status LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific SA Name This field displays the name of the IPSec SA Encapsulation This field displays how the IPSec...

Страница 139: ...ntify this device on the network the computer name The ZyWALL learns these from the DHCP client requests You can use CLI commands to set this value for static DHCP entries MAC Address This field displ...

Страница 140: ...ets transmitted from the ZyWALL on the physical port since it was last connected RxPkts This field displays the number of packets received by the ZyWALL on the physical port since it was last connecte...

Страница 141: ...this to stop the window from updating automatically You can start it again by setting the Poll Interval and clicking Set Interval Table 36 Status Port Statistics continued LABEL DESCRIPTION Table 37...

Страница 142: ...d System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on Refresh Interval Enter how often you want this window to be automatically updated Ref...

Страница 143: ...of the signal The signal strength mainly depends on the antenna output power and the distance between your ZyWALL and the service provider s base station You can see a signal strength indication even...

Страница 144: ...SN Electronic Serial Number of the inserted CDMA 3G card The ESN is the serial number of a CDMA 3G card and is similar to the IMEI on a GSM or UMTS 3G card SIM Card IMSI This displays the Internationa...

Страница 145: ...145 PART II Network Interface 147 Trunks 217 Policy and Static Routes 225 Routing Protocols 237 Zones 247 DDNS 251 Virtual Servers 257 HTTP Redirect 269 ALG 273...

Страница 146: ...146...

Page 147: ...es RIP and OSPF are also configured in these interfaces. Use the PPP screens (Section 8.6 on page 166) for PPPoE or PPTP Internet connections. Use the Cellular screens (Section 8.7 on page 171) to configure...

Page 148: ...N interfaces are for wireless LAN (IEEE 802.11b/g/n) connections. VLAN interfaces receive and send tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associat...

Page 149: ...ing the same port role. The relationships between interfaces are explained in the following table. You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the St...

Page 150: ...rface screens. See Section 8.16 on page 213 for background information on interfaces. See Section 6.1 on page 93 for an example of configuring Ethernet interfaces. See Section 6.2 on page 94 for an examp...

Page 151: ...rface is disabled. Zone This field displays the zone to which the interface is currently assigned. IP Addr/Netmask This field displays the current IP address and subnet mask assigned to the interface. If...

Page 152: ...e 126 Network Interface Port Role Status This field displays the current status of the interface. Down The interface is not connected. Speed/Duplex The interface is connected. This field displays the por...

Page 153: ...icient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The ZyWALL supports two rout...

Page 154: ...the current IP address of the interface. If the IP address is 0.0.0.0, the interface does not have an IP address yet. This screen also shows whether the IP address is a static IP address (STATIC) or dynami...

Page 155: ...on is exchanged. The ZyWALL can receive routing information, send routing information or do both. Select which version of RIP to support in each direction. The ZyWALL supports RIP-1, RIP-2 and both version...

Page 156: ...Chapter 8 Interface ZyWALL USG 50-H User's Guide 156 Figure 128 Network > Interface > Ethernet > Edit (wan2)...

Page 157: ...Figure 129 Network > Interface > Ethernet > Edit (lan1)...

Page 158: ...on is available for the WAN interfaces. The LAN and DMZ interfaces always use static IP addresses. Select this if you want to specify the IP address, subnet mask and gateway manually. Enter the IP address...

Page 159: ...last address, broadcast address and the interface's IP address. Pool Size Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For...

Page 160: ...AN interfaces. The interface can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wai...

Page 161: ...face Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir This interface sends and receives routing information. In-Only This interface recei...

Page 162: ...ters and the underscore, and it can be up to eight characters long. MD5 Authentication ID This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1...

Page 163: ...rt as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. Back Click Back to return to the previous screen. Next Click Next to continue...

Page 164: ...be blank. Retype to Confirm Type your password again for confirmation. Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout Type the time in seconds that elapses before...

Page 165: ...order to access it. DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP add...

Page 166: ...the static IP address assigned to you by your ISP. IP Subnet Mask This field only appears for a PPTP interface. It displays the subnet mask assigned to you by your ISP if you entered one. Server IP This...

Page 167: ...screen. The PPP interface Edit Configuration screen is shown here as an example. You can click the Wizard tab instead to configure just the key settings. See Section 8.5 on page 162 for details. Table 50...

Page 168: ...to enable this interface. Clear this to disable this interface. Interface Properties Interface Name This field is read-only and displays the name of the PPP interface. The format is the name of the phys...

Page 169: ...ISP account. Password / Retype to Confirm Type your password, then retype it to make sure that you have entered it correctly. Service Name This field is optional. It displays the PPPoE service name specified in th...

Page 170: ...the connection check. Check Method Select the method that the gateway allows. Select icmp to have the ZyWALL regularly ping the gateway you specify to make sure it is still available. Select tcp to have...

Page 171: ...EIA 95 Slow Fast 2.5G Packet-switched GPRS (General Packet Radio Services), High Speed Circuit Switched Data (HSCSD), etc. CDMA2000 is a hybrid 2.5G/3G protocol of mobile telecommunications standards that u...

Page 172: ...ys the profile of ISP settings that this cellular interface is set to use. Add icon This column lets you create, edit, remove, activate and deactivate cellular interfaces. To create an interface, click the...

Page 173: ...173 8.7.1 Cellular Add/Edit Screen To change your 3G settings, click Network > Interface > Cellular > Add or Edit. In the pop-up window that displays, select the slot that you want to configure. The following s...

Page 174: ...server. Zero disables the idle timeout. ISP Settings Profile Selection Select Device to use one of the 3G device's profiles of device settings. Then select the profile (use Profile 1 unless your ISP instr...

Page 175: ...d before the ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check. Enable Connectivity Check Select this to turn on the...

Page 176: ...lect auto to have the ZyWALL automatically detect the type of card. Band Selection This field appears if you selected a 3G device that allows you to select the type of network to use. Select the type of...

Page 177: ...Table 55 Interface Cellular Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen. This field is a sequential value and it is not associated with any interface. Exte...

Page 178: ...Get signal fail The 3G device cannot get a signal from a network. Network found The 3G device found a network. Apply config The ZyWALL is applying your configuration to the 3G device. Inactive The 3G int...

Page 179: ...IPTV server. Figure 141 GRE Tunnel Example You can use tunnel interfaces in configuring Static Routes, Policy Routes, Zones, Trunks and Connectivity Checking. 8.9.1 Configuring the Tunnel Screen This screen li...

Page 180: ...omain name of the remote gateway to which this interface tunnels traffic. Add icon This column lets you create, edit, remove, activate and deactivate interfaces. To create a tunnel interface, click the Add...

Page 181: ...Clear this to disable this interface. Interface Properties Interface Name This field is read-only and displays the name used to identify the interface within the ZyWALL. Zone Use this field to select t...

Page 182: ...ALL divides it into smaller fragments. Allowed values are 576-1500. Usually this value is 1500. Connectivity Check The interface can regularly check the connection to the gateway you specified to make su...

Page 183: ...networks in the same area should use different channels. Related Setting Add this interface to TRUNK for WAN load balance Select this option to use the interface as part of a WAN trunk for load balanci...

Page 184: ...option to turn on the wireless LAN. It is recommended that you configure the wireless security settings before you use this option to turn on the wireless LAN. 802.11 Band Select how wireless clients ca...

Page 185: ...units of MSDUs called Aggregate MSDUs (A-MSDU). The resulting larger MAC frames mean fewer frame headers and gaps between frames to deal with. This can improve the efficiency of traffic types that send m...

Page 186: ...the Security Type to none. Add icon This column lets you create, edit, remove, activate and deactivate WLAN interfaces. To create an interface, click the Add icon at the top of the column. To activate or de...

Page 187: ...ork > Interface > WLAN > Add (No Security) The following table describes the general wireless LAN labels in this screen. Table 60 Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION General Settings Enabl...

Page 188: ...ity types. 802.1x Authentication server IEEE 802.1x settings are available when you use no security or WEP security and click Advanced. Select the check box to enable wireless user authentication throug...

Page 189: ...number of IP addresses to allocate. This number must be at least one and is limited by the interface's Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10...

Page 190: ...e RIP Select this to enable RIP in this interface. Direction This field is effective when RIP is enabled. Select the RIP direction from the drop-down list box. BiDir This interface sends and receives rou...

Page 191: ...to stop forwarding OSPF routing information from the selected interface. As a result, this interface only receives routing information. Authentication Select an authentication method or disable authentic...

Page 192: ...WPA-PSK/WPA2-PSK Security Table 61 Network > Interface > WLAN > Add (WEP Security) LABEL DESCRIPTION WEP Encryption WEP (Wired Equivalent Privacy) provides data encryption to prevent unauthorized wireless stat...

Page 193: ...are the same. The only difference between the two is that WPA-PSK uses a simple common password instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (i...

Page 194: ...n the My Certificates screen. EAP-TTLS (Tunneled Transport Layer Service) is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentication to establish a secu...

Page 195: ...ing to have the router allow or deny access to wireless stations based on MAC addresses. Disable MAC address filtering to have the router not perform MAC filtering on the wireless stations. Association...

Page 196: ...the wireless clients connected to or trying to connect to an IEEE 802.11b/g card installed in the ZyWALL. To open the station monitor, click Network > Interface > WLAN > Station Monitor. The screen appears as...

Page 197: ...in XX:XX:XX:XX:XX:XX format of a connected wireless station. Strength This displays the strength of the wireless client's radio signal. The signal strength mainly depends on the antenna output power an...

Page 198: ...inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users. Higher security If each computer has a separate physical connection t...

Page 199: ...work > Interface > VLAN Each field is explained in the following table. Table 67 Network > Interface > VLAN LABEL DESCRIPTION This field is a sequential value and it is not associated with any interface. Name T...

Page 200: ...umn. The VLAN Add/Edit screen appears. To create a virtual VLAN interface, click the Add icon next to the corresponding VLAN interface. The Virtual Interface Add/Edit screen appears. See Section 8.15 on pa...

Page 201: ...1 Figure 157 Network > Interface > VLAN > Edit Each field is explained in the following table. Table 68 Network > Interface > VLAN > Edit LABEL DESCRIPTION General Settings Enable Interface Select this to enable t...

Page 202: ...his interface. Subnet Mask This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot-decimal notation. The subnet mask indicates what part of the IP address...

Page 203: ...ddress for the connectivity check. Enter that domain name or IP address in the field next to it. Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use f...

Page 204: ...ify these IP addresses. Custom Defined: enter a static IP address. From ISP: select the DNS server that another interface received from its DHCP server. ZyWALL: the ZyWALL uses the IP address of this interf...

Page 205: ...he destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the...

Page 206: ...routing table when lan1 is added to br0. Virtual interfaces are automatically added to or removed from a bridge interface when the underlying interface is added or removed. 8.14.1 Configuring the Bridge...

Page 207: ...d WLAN interfaces in the bridge interface. It is blank for virtual interfaces. Add icon This column lets you create, edit, remove, activate and deactivate interfaces. To create a bridge interface, click the...

Page 208: ...Figure 161 Network > Interface > Bridge > Add...

Page 209: ...this interface is a DHCP client. In this case, the DHCP server configures the IP address, subnet mask and gateway automatically. Use Fixed IP Address Select this if you want to specify the IP address, sub...

Page 210: ...elds appear if the ZyWALL is a DHCP Server. IP Pool Start Address Enter the IP address from which the ZyWALL begins allocating IP addresses. If you want to assign a static IP address to a specific compu...

Page 211: ...igns the corresponding IP address. Otherwise, the ZyWALL assigns the IP address dynamically using the IP Pool Start Address and Pool Size. Note: You must click OK in the Static DHCP screen and then click...

Page 212: ...t change the MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services and they do not verify that the gate...

Page 213: ...55.255.255 because it is a point-to-point interface. For these interfaces you can only enter the IP address. IP Address Assignment IP Address Enter the IP address for this interface. Subnet Mask Enter th...

Page 214: ...irst entry in the routing table. In PPPoE/PPTP interfaces, the other computer is the gateway for the interface by default. In this case, you should specify the metric. If the interface gets its IP address...

Page 215: ...e DHCP client's MAC address is in the ZyWALL's static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool defined by the starting addres...

Page 216: ...this way WINS is similar to DNS, although WINS does not use a hierarchy, unlike DNS. A network can have more than one WINS server. Samba can also serve as a WINS server. PPPoE/PPTP Overview Point-to-Point...

Page 217: ...end the VoIP traffic through a trunk with the interface connected to the VoIP service provider set to active and another interface connected to another ISP set to passive. This way VoIP traffic goes th...

Page 218: ...now that the desired file is actually on file server C. At the same time, register server B informs file server C that a computer located at WAN1's IP address will download a file. 3 The ZyWALL is us...

Page 219: ...ng index, meaning that it is less utilized than WAN 1, the ZyWALL will send the subsequent new session traffic through WAN 2. Weighted Round Robin The Weighted Round Robin (WRR) algorithm is best suited fo...

Page 220: ...ace when the traffic load exceeds the threshold on the first interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface. In thi...

Page 221: ...me from a different WAN IP address, the file server would deny the request. See Link Sticking on page 218 for an example. This setting applies when you use load balancing and have multiple WAN interfaces...

Page 222: ...of the connections set to active are down. You can only set one of a group's interfaces to passive mode. Weight This field displays with the weighted round robin load balancing algorithm. Specify the we...

Page 223: ...looping fashion until a queue is empty. Add icon This column lets you add, remove and move trunk members. To add an interface to the trunk, click an Add icon. The Trunk Member Select screen appears. To remo...

Page 225: ...nnect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router (R3) connected to the LAN. Figure 171 Example of Policy...

Page 226: ...d recommended for TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels. Bandwidth management in policy routes has priority over...

Page 227: ...service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state in...

Page 228: ...k > Routing > Policy Route LABEL DESCRIPTION Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL. You must enable this setting to have individual policy routes...

Page 229: ...ns the ZyWALL sets the DSCP value of the route's outgoing packets to 0. SNAT This is the source IP address that the route uses. It displays none if the ZyWALL does not perform NAT for this route. BWM Thi...

Page 230: ...for details. Incoming Interface Click Change to select an interface or VPN tunnel through which the incoming packets are received. Source Address Select a source IP address object or select Create Objec...

Page 231: ...n the same segment as your ZyWALL's interface(s). VPN Tunnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network...

Page 232: ...ng rule from the ZyWALL. A window displays asking you to confirm that you want to delete the rule. In a numbered list, click the Move to N icon to display a field to type a number for where you want to p...

Page 233: ...olicy routes. OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. Table 82 Network > Routing > Policy Route > Edit (continued) LABEL DESCRIPTION Table 83...

Page 234: ...he host ID. Subnet Mask Enter the IP subnet mask here. Gateway IP Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your Z...

Page 235: ...rule for each client computer. Port triggering is used especially when the remote server responds using a different port from the port the client computer used to request a service. The ZyWALL records...

Page 236: ...maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment. Next, the ZyWALL divides up an interface's available bandwidth (bandwidth that is unbudgete...

Page 237: ...F Screens Use the RIP screen (see Section 11.2 on page 238) to configure the ZyWALL to use RIP to receive and/or send routing information. Use the OSPF screen (see Section 11.3 on page 239) to configure ge...

Page 238: ...nd static routes to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms. RIP uses UDP port 520. Use the RIP screen to specify the a...

Page 239: ...essed as an integer or as an IP address. There are several types of areas. The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone. MD5 Auth...

Page 240: ...l connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a defau...

Page 241: ...ed router (DR) and a backup designated router (BDR). All of the routers only exchange information with the DR and the BDR instead of exchanging information with all of the other routers in the group. The DR...

Page 242: ...OSPF on the ZyWALL: 1 Enable OSPF. 2 Set up the OSPF areas. 3 Configure the appropriate interfaces (see Section 8.4.1 on page 154). 4 Set up virtual links as needed. 11.3.1 Configuring the OSPF Screen Use t...

Page 243: ...culates the cost associated with routing information from the indicated source. Choices are Type 1 and Type 2. Type 1: cost = OSPF AS cost + external cost (Metric). Type 2: cost = external cost (Metric); the OSPF AS...

Page 244: ...ext uses a plain-text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). Text Authentication Key This field is available if the Authentic...

Page 245: ...thentication ID of the interface that received it. Authentication Select which authentication method to use in the virtual link. This authentication protects the integrity, but not the confidentiality, of...

Page 246: ...ports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have t...

Page 247: ...oE/PPTP interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run. Figure 183 Example Zones 12.1.1 W...

Page 248: ...e Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply. Extra-zone Traffic Extra-zone traffic is traffic to or from any interface or VPN tunnel that...

Page 249: ...edit zones. To edit a zone, click the Edit icon next to the zone. The Zone Add/Edit screen appears. Table 92 Network > Zone > Edit LABEL DESCRIPTION Name This is the name of the zone. Block Intra-zone Traffic...

Page 251: ...nd vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web...

Page 252: ...configuration for existing domain names and delete domain names. To access this screen, log in to the web configurator. When the main screen appears, click Network > DDNS. The following screen appears, provid...

Page 253: ...name. The ZyWALL uses the backup interface and IP address when the primary interface is disabled, its link is down or its ping check fails. from interface The IP address comes from the specified interfa...

Page 254: ...the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information on the Dynu website. Passwo...

Page 255: ...ovider. Interface The ZyWALL uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field. Auto The DDNS server c...

Page 256: ...r changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. Table 95 Network > DDNS > Add (continued) LABEL DESCRIPTION Table 96 Network > DDNS > Status LABEL DESCRIPTION Profile Name Th...

Page 257: ...lt server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure...

Page 258: ...configured in the ZyWALL. entries per page Select how many virtual server entries to display per page in the screen. Page x of x This is the number of the page of entries currently displayed and the to...

Page 259: ...al server. To edit a virtual server, click the Edit icon next to the virtual server. The Virtual Server Add/Edit screen appears. To delete a virtual server, click on the Remove icon next to the virtual ser...

Page 260: ...tual server supports a range of destination ports. You might use a range of destination ports for unknown services or when one server supports more than one service. See Appendix B on page 637 for some...

Page 261: ...o use a domain name to access this virtual server. By default, this virtual server entry only applies this address mapping to packets coming in from the WAN. Or you can click Policy Route to go to the sc...

Page 262: ...AN_EG in the Object > Address screen as shown next. Figure 193 Create Address Objects Figure 194 Address Objects NAT 1:1 Virtual Server This section sets up a virtual server rule that changes the destina...

Page 263: ...1.21 defined in the LAN_SMTP object. In this example the SMTP server also uses port 25, so the Mapped Port is set to 25. The following sections describe how to manually configure corresponding policy rou...

Page 264: ...ful of where you create the route as routes are ordered in descending priority. Figure 198 Create a Policy Route NAT 1:1 Firewall Rule Create a firewall rule to allow access from the WAN zone to the ma...

Page 265: ...address to the private IP address of a LAN1 SMTP mail server to allow users to access the SMTP mail server from the WAN. LAN1 users can also use an IP address to access the mail server. However, you nee...

Page 266: ...ack Virtual Server Click Network > Virtual Server and the symbol and create the virtual server rule as shown next. This virtual server rule is the same as in NAT 1:1 Virtual Server on page 262 except you...

Page 267: ...nfigure a policy route to use the IP address of the ZyWALL's LAN1 interface (192.168.1.1) as the source address of the traffic going to the LAN1 SMTP server from the LAN1 users. This way the LAN1 SMTP se...

Page 268: ...P address, and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN1 user's computer. The source in the return traffic matches the original destination address (1.1.1.1) and the L...

Page 269: ...nected to the lan1 zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the I...

Page 270: ...rules first and forwards HTTP traffic to a proxy server if matched. You need to make sure there is no firewall rule(s) blocking the HTTP requests from the client to the proxy server. You also need to man...

Page 271: ...of a rule. Interface This is the interface on which the request must be received. Proxy Server This is the IP address of the proxy server. Port This is the service port number used by the proxy server. A...

Page 272: ...y use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive. Interface Select the interface on which the HTTP request must be rece...

Page 273: ...rnet. H.323 A teleconferencing protocol suite that provides audio, data and video conferencing. FTP File Transfer Protocol, an Internet file transfer service. The following example shows SIP signaling (1) an...

Page 274: ...through NAT or routing. Examples would be calls between LAN IP addresses that are on the same subnet. The H.323 ALG allows calls to go out through NAT. For example, you could make a call from a private IP...

Page 275: ...orward the return traffic for the calls initiated from the LAN IP addresses. For example, you configure the firewall and virtual server to allow LAN IP address A to receive calls from the Internet throu...

Page 276: ...IP Addresses Finding Out More See Section 5.4.16 on page 89 for related information on these screens. See Section 6.9 on page 124 for a tutorial showing how to use the ALG for peer-to-peer H.323 traffi...

Page 277: ...ffic before dropping it. If no voice packets go through the SIP ALG before the timeout period expires, the ZyWALL deletes the audio session. You cannot hear anything and you will need to make a new call...

Page 278: ...an H.323 device or server that will modify IP addresses and port numbers embedded in the H.323 data payload. H.323 Signaling Port If you are using a custom TCP port number (not 1720) for H.323 traffic, ent...

Page 279: ...ds to the server for uploading and downloading files. H.323 H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point an...

Page 281: ...s computer's MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any computer trying to use IP address 192.168.1.27 with another MAC address. Figure 215 IP/MAC Binding Example 17.1.1 Wha...

Page 282: ...owing table describes the labels in this screen. 17.2.1 IP/MAC Binding Edit Click Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Use this screen to configure an interface's IP to MA...

Page 283: ...resses. Enable Logs for IP/MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the ZyWALL. St...

Page 284: ...erface within the ZyWALL and the interface's IP address and subnet mask. IP Address Enter the IP address that the ZyWALL is to assign to a device with the entry's MAC address. MAC Address Enter the MAC...

Page 285: ...window displays asking you to confirm that you want to delete it. Apply Click Apply to save your changes back to the ZyWALL. Table 105 Network > IP/MAC Binding > Exempt List (continued) LABEL DESCRIPTION Tab...

Page 287: ...287 PART III Firewall Firewall 289...

Page 289: ...nitiated from the WAN or DMZ zone and destined for the LAN1 zone is blocked. Communications between the WAN and the DMZ zones are allowed. The firewall allows VPN traffic between any of the networks. Fig...

Page 290: ...ewall rule is allowed. This includes traffic to or from interfaces or VPN tunnels that are not assigned to any zone (extra-zone traffic). From WAN to LAN Traffic from the WAN to the LAN is denied. From WAN...

Page 291: ...ZyWALL source IP address, destination IP address and IP protocol type of network traffic against the firewall rules in the order you list them. When the traffic matches a rule, the ZyWALL takes the actio...

Page 292: ...fy a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule. Figure 222 Blocking All LAN to WAN IRC Traffic Example Your firewall would hav...

Page 293: ...omputer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of...

Page 294: ...eck any other firewall rules. 18.1.4 Firewall Rule Configuration Example The following Internet firewall rule example allows a hypothetical MyService from the WAN to IP addresses 192.168.1.10 through 1...

Page 295: ...ress Object 4 Select Create Object in the Service drop-down list box. 5 The screen for configuring a service object opens. Configure it as follows and click OK. Figure 227 Firewall Example: Create a Servi...

Page 296: ...ll Example: MyService Example Rule in Summary 18.2 The Firewall Screen Asymmetrical Routes If an alternate gateway on LAN1 has an IP address in the same subnet as the ZyWALL's LAN1 IP address, return tr...

Page 297: ...s the packet to gateway A, which is in Subnet 2. 3 The reply from the WAN goes to the ZyWALL. 4 The ZyWALL then sends it to the computer on LAN1 in Subnet 1. Figure 230 Using Virtual Interfaces to Avoid A...

Page 298: ...e LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. From Zone / To Zone This is the direction of travel o...

Page 299: ...or user group name to which this firewall rule applies. Source This displays the source address object to which this firewall rule applies. Destination This displays the destination address object to wh...

Page 300: ...rule. Select a user name or user group to which to apply the rule. Select Create Object to configure a new user account (see Section 28.2.1 on page 446 for details). The firewall rule is activated only whe...

Page 301: ...ether to have the ZyWALL generate a log (log), log and alert (log alert) or not (no) when the rule is matched. See Chapter 38 on page 563 for more on logs. OK Click OK to save your customized settings and exit...

Page 302: ...rule on the ZyWALL. Click the Add icon in an entry to add a rule below the current entry. Click the Remove icon to delete an existing rule from the ZyWALL. A window displays asking you to confirm that y...

Page 303: ...address should be within the IP address range. Address Select a source address or address group for whom this rule applies. Select Create Object to configure a new one. Select any if the policy is effect...

Страница 304: ...Chapter 18 Firewall ZyWALL USG 50 H User s Guide 304...

Страница 305: ...305 PART IV VPN IPSec VPN 307 SSL VPN 341 SSL User Screens 349 SSL User Application Screens 357 L2TP VPN 363 L2TP VPN Example 369...

Страница 306: ...306...

Page 307: ...d authentication at the IP layer. The following figure is an example of an IPSec VPN tunnel. Figure 235 IPSec VPN Example. The VPN tunnel connects the ZyWALL (X) and the remote peer IPSec router (Y). These ro...

Page 308: ...ablishes an Internet Key Exchange (IKE) SA between the ZyWALL and the remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA, through which the ZyWALL and remote IPSec router...

Page 309: ...outer can also initiate the VPN tunnel if this ZyWALL has a static IP address or a domain name. Choose this if the remote IPSec router has a dynamic IP address. You don't specify the remote IPSec router...

Page 310: ...nticate each other. Make sure the ZyWALL and the remote IPSec router will trust each other's certificates. See Chapter 34 on page 489. 19.2 The VPN Connection Screen. Click VPN > IPSec VPN to open the VPN C...

Page 311: ...number to go to, or use the arrows to navigate the pages of entries. This field is a sequential value and it is not associated with a specific connection. Name: This field displays the name of the IPSec...

Page 312: ...creen allows you to create a new VPN connection policy or edit an existing one. To access this screen, go to the VPN Connection screen (see Section 19.2 on page 310) and click either the Add icon or an Ed...

Page 313: ...Figure 238 VPN > IPSec VPN > VPN Connection > Edit (IKE)...

Page 314: ...er can initiate the VPN tunnel. Remote Access (Server Role): Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only...

Page 315: ...bit key with the DES encryption algorithm (DES's 56-bit key can be brute-forced and should only be chosen for interoperability with legacy peers). 3DES: a 168-bit key with the DES encryption algorithm. AES128: a 128-bit key with the AES encryption algorithm. AES192: a 192-bit key with the AES encryption algor...

Page 316: ...ures allowed before the ZyWALL disconnects the VPN tunnel. The ZyWALL resumes using the first peer gateway address when the VPN connection passes the connectivity check. Check this Address: Select this t...

Page 317: ...tial value and it is not associated with a specific NAT record. However, the order of records is the sequence in which conditions are checked and executed. Original IP: Select the address object that repr...

Page 318: ...y. This is useful if you have problems with IKE key management. Note that manual keys are static: they are never rotated and give no forward secrecy, so use IKE wherever the peer supports it. To access this screen, go to the VPN Connection summary screen (see Section 19.2 on page 310) and click either the Add icon or an existing ma...

Page 319: ...tion. Active Protocol: Select which protocol you want to use in the IPSec SA. Choices are: AH (RFC 2402) provides integrity, data-origin authentication and sequence integrity (replay resistance), but not en... (AH's HMAC uses a key shared by both peers, so it cannot provide non-repudiation, whatever the original table claims.)

Page 320: ...as listed above. The remote IPSec router must have the same encryption key. The ZyWALL ignores any characters beyond the number required by the algorithm, so extra characters add no security. For example, if you enter 12...

Page 321: ...alue and it is not associated with a specific VPN gateway. Name: This field displays the name of the VPN gateway. My Address: This field displays the interface or a domain name the ZyWALL uses for the VPN...

Page 322: ...er. This value is case-sensitive. Gateway Settings. My Address: Select how the IP address of the ZyWALL in the IKE SA is defined. If you select Interface, select the Ethernet interface, VLAN interface, virtua...

Page 323: ...remote IPsec router. If this certificate is signed by a CA, the remote IPsec router must trust that CA. Note: The IPSec routers must trust each other's certificates. The ZyWALL uses one of its Trusted Cert...

Page 324: ...rnative name field (see the note at the end of this description). DNS: subject alternative name field. E-mail: subject alternative name field. Subject Name: subject name, maximum 255 ASCII characters including...

Page 325: ...are one or more NAT routers between the ZyWALL and remote IPSec router and these routers do not support IPSec pass-thru or a similar feature. The remote IPSec router must also enable NAT traversal, and...

Page 326: ...n occasionally (maintenance, for example). There is also more burden on the hub router. It receives VPN traffic from one spoke, decrypts it, inspects it to find out to which spoke to route it, encrypts it, and...

Page 327: ...ble. Table 121 VPN > IPSec VPN > Concentrator. LABEL / DESCRIPTION. Name: This field displays the name of the VPN concentrator. Add icon: This column provides icons to add, edit and remove VPN concentrators. To add...

Page 328: ...entrator and click the right arrow button to add them. The VPN concentrator's member VPN connections appear on the right. Select any VPN connections that you want to remove from the VPN concentrator and...

Page 329: ...he arrows to navigate the pages of entries. This field is a sequential value and it is not associated with a specific SA. Name: This field displays the name of the IPSec SA. Encapsulation: This field displ...

Page 330: ...remote IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes your ZyWALL might offer another alternative, such as using the IP address of a p...

Page 331: ...tes three times with three separate keys. This does not triple the strength of DES: because of the meet-in-the-middle attack, three-key 3DES has an effective strength of about 112 bits, and it remains slow and limited by DES's 64-bit block size. Advanced Encryption Standard (AES) is a newer method of data encryption that also uses a secret key. AES applies a 128-bi...

Page 332: ...r identities. In main mode, the ZyWALL and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encrypti...

Page 333: ...essfully. In contrast, in Table 125 on page 333 the ZyWALL and the remote IPSec router cannot authenticate each other and therefore cannot establish an IKE SA. It is also possible to configure the ZyWALL...

Page 334: ...ng example, there is another router (A) between router X and router Y. Figure 250 VPN NAT Example. If router A does NAT, it might change the IP addresses, port numbers or both. If router X and router Y try to...
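
The following script is an added illustration of the NAT problem described above; it is not ZyWALL code. It models, in a deliberately simplified way (an assumption of this example), why router A's address rewriting invalidates AH's integrity check but not ESP's when ESP is carried in UDP (NAT traversal): the AH check value covers the outer addresses, whereas the ESP check value covers only the ESP payload, and the UDP ports give the NAT router something it can translate. The keys and addresses are constructed; in practice the keys come from the IKE SA, and real AH additionally zeroes the header fields that are allowed to change in transit.

```python
"""Why NAT breaks AH but not ESP carried in UDP (NAT traversal).

Added illustration for the NAT example above; it is not ZyWALL code.
Simplified packet model (an assumption): the AH integrity check value
(ICV) covers the outer source and destination addresses plus the payload,
while the ESP ICV covers only the ESP payload, so a NAT router that
rewrites the outer header invalidates AH but leaves ESP intact. Real AH
zeroes mutable header fields and uses the IKE-negotiated keys; the keys
and addresses below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

AH_KEY = b"constructed-ah-key"    # would come from the IKE SA in practice
ESP_KEY = b"constructed-esp-key"


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    sport: int      # UDP source port (NAT-T uses 4500)
    dport: int
    payload: bytes  # the protected data
    icv: bytes = b""


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def ah_protect(pkt: Packet) -> Packet:
    """AH: the ICV binds the outer addresses, so rewriting them breaks it."""
    covered = f"{pkt.src}>{pkt.dst}".encode() + pkt.payload
    return replace(pkt, icv=_mac(AH_KEY, covered))


def ah_verify(pkt: Packet) -> bool:
    covered = f"{pkt.src}>{pkt.dst}".encode() + pkt.payload
    return hmac.compare_digest(pkt.icv, _mac(AH_KEY, covered))


def esp_nat_t_protect(pkt: Packet) -> Packet:
    """ESP in UDP 4500 (NAT-T): the ICV covers the ESP payload only, and the
    UDP ports give the NAT router something it can translate and track."""
    return replace(pkt, sport=4500, dport=4500, icv=_mac(ESP_KEY, pkt.payload))


def esp_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _mac(ESP_KEY, pkt.payload))


def source_nat(pkt: Packet, public_ip: str, new_port: int) -> Packet:
    """Router A from Figure 250: rewrites the outer source address and port."""
    return replace(pkt, src=public_ip, sport=new_port)


def demo() -> dict:
    """Run X -> A (NAT) -> Y for both protocols and report what Y accepts."""
    from_x = Packet("192.168.1.10", "203.0.113.5", 500, 500, b"tunnelled-data")
    ah_at_y = source_nat(ah_protect(from_x), "198.51.100.7", 40001)
    esp_at_y = source_nat(esp_nat_t_protect(from_x), "198.51.100.7", 40001)
    return {
        "ah_without_nat": ah_verify(ah_protect(from_x)),
        "ah_after_nat": ah_verify(ah_at_y),
        "esp_nat_t_after_nat": esp_verify(esp_at_y),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows AH verifying only when no NAT is in the path, while ESP in UDP still verifies after router A has rewritten the source address and port. That is the reason the NAT traversal option must be enabled on both peers when a NAT router that does not support IPSec pass-thru sits between them.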

Page 335: ...certificates provide this information instead. Instead of using the pre-shared key, the ZyWALL and remote IPSec router check the signatures on each other's certificates. Unlike pre-shared keys, the signa...

Page 336: ...ol. The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols...

Page 337: ...similar to an IKE SA proposal (see IKE SA Proposal on page 330), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec... (This is Perfect Forward Secrecy: with it enabled, a later compromise of the IKE SA keys does not let an attacker recover the keys of earlier IPSec SAs.)

Page 338: ...he authentication key the ZyWALL and remote IPSec router use. The ZyWALL and remote IPSec router must use the same encryption key and authentication key. Authentication and the Security Parameter Index...

Page 339: ...M's network. Destination: the original destination address (the remote network, B). SNAT: the translated source address (the local network, A). Source Address in Inbound Packets (Inbound Traffic Source NAT): You ca...

Page 340: ...rotocol (TCP, UDP or both) used by the service requesting the connection. Original Port: the original destination port or range of destination ports; in Figure 252 on page 339 it might be port 25 for SMTP. T...

Page 341: ...e SSL VPN connections and delete an active connection. Use the VPN > SSL VPN > Global Setting screen (see Section 20.4 on page 346) to set the IP address of the ZyWALL or a gateway device on your netwo...

Page 342: ...cy. To delete the object, you must first unassociate it from the SSL access policy. [Figure labels: Web Mail, File Share, Web-based Application (https), Application Server (Non-Web), LAN 192.168.1.X, 192.168.1.100.] Table...

Page 343: ...N > Access Privilege. LABEL / DESCRIPTION. This field displays the index number of the entry. Name: This field displays the descriptive name of the SSL access policy, for identification purposes. User/Group: Thi...

Page 344: ...this SSL access policy. Name: Enter a descriptive name to identify this policy. You can enter up to 15 characters (a-z, A-Z, 0-9) with no spaces allowed. Join SSL_VPN Zone: Select this check box to add the SS...

Page 345: ...ion: Select this option to create a VPN tunnel between the authenticated users and the internal network. This allows the users to access the resources on the network as if they were on the same local ne...

Page 346: ...e remote user screen. Table 129 VPN > SSL VPN > Connection Monitor. LABEL / DESCRIPTION. This field displays the index number. User: This field displays the account user name used to establish this SSL VPN conne...

Page 347: ...0-9) with spaces allowed. Update Client Virtual Desktop Logo: You can upload a graphic logo to be displayed in the web browser on the remote user's computer. The ZyXEL company logo is the default logo. Speci...

Page 348: ...graphic. Make sure the file is in GIF, JPG or PNG format. 3. Click Apply to start the file transfer process. 4. Log in as a user to verify that the new logo displays properly. The following shows an example...

Page 349: ...Methods. As a remote user, you can access resources on the local network using a supported web browser. Once you have successfully logged in through the ZyWALL, you can access any intranet site, web-based...

Page 350: ...LL or your network administrator. Refer to Appendix C on page 641 for more information. Finding Out More: See Chapter 20 on page 341 for how to configure SSL VPN on the ZyWALL. 21.2 Remote User Login. This...

Page 351: ...ts establishing a secure connection to the ZyWALL after a successful login. This may take up to two minutes. If you get a message about needing Java, download and install it, restart your browser and...

Page 352: ...have to click some pop-ups to get your browser to allow the installation. Figure 264 ActiveX Object Installation Blocked by Browser. 6. The ZyWALL tries to install the SecuExtender client. You may need to...

Page 353: ...allow this. In Internet Explorer, click Run. Figure 266 SecuExtender Progress. 8. Click Next to use the setup wizard to install the SecuExtender client on your computer. Figure 267 SecuExtender Progress. 9...

Page 354: ...r screens. Figure 269 Remote User Screen. The following table describes the various parts of a remote user screen. Table 131 Remote User Screen Overview. DESCRIPTION. 1: This menu identifies the...

Page 355: ...e default name in the Name field, or enter a descriptive name to identify this link. 3. Click OK to create a bookmark in your web browser. Figure 270 Add Favorite. 21.5 Logging Out of the SSL VPN User Scre...

Page 357: ...me field displays the descriptive name for an application. The Type field shows that the application is for accessing a web site (a Weblink). To access a web site represented by a weblink, simply click a l...

Page 359: ...SecuExtender Icon. The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel's connection status. Figure 274 ZyWALL SecuExtender Icon. Red: the SSL VPN tunnel is not connected. You cannot connect to...

Page 360: ...ess of a computer before you can access it. Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection. WINS Server 1/2: These are th...

Page 361: ...All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. 2. In the confirmation screen, click Yes. [Log excerpt shown on the page:] 2009-03-12 13:35:50 SecuExtender Agent DETAIL Build Datetime: Feb 24 2009 10:25:07; 2009-03-12 13:35:50 SecuExten...

Page 362: ...Figure 277 Uninstalling the ZyWALL SecuExtender: Confirmation. 3. Windows uninstalls the ZyWALL SecuExtender. Figure 278 ZyWALL SecuExtender Uninsta...

Page 363: ...e Section 24.3 on page 366 to display and manage the ZyWALL's connected L2TP VPN sessions. 24.1.2 What You Need to Know About L2TP VPN. The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link... L2TP itself provides no confidentiality or integrity; the ZyWALL carries it inside an IPSec tunnel, which is why the IPSec configuration described below is required.

Page 364: ...t type and an IP address of 0.0.0.0. Use this address object in the remote policy. You must also edit the Default_L2TP_VPN_GW gateway entry. Configure the My Address setting according to your requirement...

Page 365: ...on the ZyWALL uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN on page 363. Note: M...

Page 366: ...these IP addresses two ways. Custom Defined: enter a static IP address. From ISP: use the IP address of a DNS server that another interface received from its DHCP server. First WINS Server / Second WINS Ser...

Page 367: ...Disconnect: Click the Disconnect icon next to an L2TP VPN connection to disconnect it. Refresh: Click Refresh to update the information in the display. Table 134 VPN > L2TP VPN > Session Mo...

Page 369: ...ternet. You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel. The VPN rule allows the remote...

Page 370: ...elect Pre-Shared Key and configure a password. This example uses "top secret" (for a real deployment use a long random pre-shared key: it is shared by every L2TP client and is the only secret protecting the IKE exchange). Click OK. 2. Click the Default_L2TP_VPN_GW entry's Enable icon and click Apply to turn on the entry. Figure 285 VPN > IPSec VPN > VP...

Page 371: ...ntains the My Address IP address that you configured in the Default_L2TP_VPN_GW. The address object in this example uses the wan1 interface's IP address, 172.16.1.2, and is named L2TP_IFACE. For the Remot...

Page 372: ...VPN connection. Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20. It is called L2TP_POOL here. This example uses the default authentication method, the ZyWALL's local user data...

Page 373: ...Windows XP and 2000. The following sections cover how to configure L2TP on remote user computers using Windows XP and Windows 2000. The example settings in these sections go along with the L2TP VPN con...

Page 374: ...come screen. 3. Select Connect to the network at my workplace and click Next. Figure 290 New Connection Wizard: Network Connection Type. 4. Select Virtual Private Network connection and click Next. Figure 29...

Page 375: ...Connection Name. 6. Select Do not dial the initial connection and click Next. Figure 293 New Connection Wizard: Public Network. 7. Enter the domain name or WAN IP address configured as the My Address in th...

Page 376: ...Figure 294 New Connection Wizard: VPN Server Selection. 8. Click Finish. 9. The Connect L2TP to ZyWALL screen appears. Click Properties > Security. Figure 295 Connect L2TP to ZyWALL. 10. Click Security, selec...

Page 377: ...L2TP to ZyWALL: Security. 11. Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of the other check boxes. (PAP sends the user's password in clear text inside the L2TP tunnel; only the IPSec encryption around the tunnel protects it, so do not use this connection unless the IPSec settings in the following steps are in place.) Cl...

Page 378: ...x and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. Figure 299 L2TP to ZyWALL Properties: Security > IPSec Settings. 14. Click Networking. Sel...

Page 379: ...L2TP range you specified on the ZyWALL (192.168.10.10 to 192.168.10.20). Figure 303 ZyWALL L2TP Status: Details. 19. Access a server or other network resource behind the ZyWALL to make sure your access works. 2...

Page 380: ...ile and save a backup copy of your registry. You can go back to using this backup if you misconfigure the registry settings. 3. Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parame t...

Page 381: ...the Windows 2000 IPSec Policy. After you have created the registry entry and restarted the computer, use these directions to configure an IPSec policy for the computer to use. 1. Click Start > Run. Type mmc...

Page 382: ...re 310 Add IP Security Policy Management: Finish. 4. Right-click IP Security Policies on Local Machine and click Create IP Security Policy. Click Next in the welcome screen. Figure 311 Create IP Security P...

Page 383: ...Policy Name. 6. Clear the Activate the default response rule check box and click Next. Figure 313 IP Security Policy: Request for Secure Communication. 7. Leave the Edit Properties check box selected and c...

Page 384: ...8. In the properties dialog box, click Add > Next. Figure 315 IP Security Policy Properties: Add. 9. Select This rule does not specify a tunnel and click Next. Figure 316 IP Security Policy Properties: Tunnel...

Page 385: ...Figure 317 IP Security Policy Properties: Network Type. 11. Select Use this string to protect the key exchange (preshared key), type the password (the pre-shared key) in the text box and click Next. Figure 318 IP Security P...

Page 386: ...erties: IP Filter List > Add. 14. Configure the following in the Addressing tab. Select My IP Address in the Source address drop-down list box. Select A specific IP Address in the Destination address drop-do...

Page 387: ...Properties: Addressing. 15. Configure the following in the Filter Properties window's Protocol tab. Set the protocol type to UDP, from port 1701. Select To any port. Click Apply, OK and then Close. Figure 322...

Page 388: ...curity Policy Properties: IP Filter List. 17. Select Require Security and click Next. Then click Finish and Close. Figure 324 IP Security Policy Properties: IP Filter List. 18. In the Console window, right-cli...

Page 389: ...Settings > Network and Dial-up Connections > Make New Connection. In the wizard welcome screen, click Next. Figure 326 Start New Connection Wizard. 2. Select Connect to a private network through the Internet...

Page 390: ...ure 328 New Connection Wizard: Destination Address. 4. Select For all users and click Next. Figure 329 New Connection Wizard: Connection Availability. 5. Name the connection L2TP to ZyWALL and click Finish. F...

Page 391: ...curity and select Advanced (custom settings), and click Settings. Figure 332 Connect L2TP to ZyWALL: Security. 8. Select Optional encryption allowed (connect even if no encryption) and the Allow these protocol...

Page 392: ...urity: Advanced. 9. Click Networking and select Layer 2 Tunneling Protocol (L2TP) from the drop-down list box. Click OK. Figure 334 Connect L2TP to ZyWALL: Networking. 10. Enter your user name and password and...

Page 393: ...ick it to open a status screen. Figure 336 ZyWALL L2TP System Tray Icon. 12. Click Details and scroll down to see that the address you received is from the L2TP range you specified on the ZyWALL (192.168...

Page 395: ...395 PART V Application Patrol: Application Patrol (BWM) 397...

Page 397: ...s. Use the General summary screen (see Section 26.2 on page 405) to enable and disable application patrol and bandwidth management. Use the Common, Instant Messenger, Peer-to-Peer, VoIP and Streaming (see Sec...

Page 398: ...on information. Your custom policies take priority over the policy's default settings. Classification of Applications: There are two ways the ZyWALL can identify the application. The first is called auto...

Page 399: ...tion responder to the connection initiator. For example, a LAN1-to-WAN connection is initiated from LAN1 and goes to the WAN. Outbound traffic goes from a LAN1 zone device to a WAN zone device. Bandwidth...

Page 400: ...ndwidth usage allows applications with maximize bandwidth usage enabled to borrow any unused bandwidth on the outgoing interface. After each application gets its configured bandwidth rate, the ZyWALL u...

Page 401: ...ts its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 - 500 = 500 kbps) equally between the two (500 / 2 = 250 kbps for each). The pr...

Page 402: ...an ADSL device with an 8 Mbps downstream and 1 Mbps upstream ADSL connection. The following sections give some simplified examples of using application patrol policies to manage applications competing f...

Page 403: ...limit before sending the traffic to the WAN. Inbound traffic to the LAN and DMZ from the WAN is also limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to the LAN or DMZ. Highest...

Page 404: ...connection supports this. Second highest priority (2): Set policies for other applications (except SIP) to lower priorities so the local users' HTTP traffic gets sent before non-SIP traffic. Enable maximize...

Page 405: ...tbound and inbound traffic to 50 Mbps. Fourth highest priority (4): Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 345 FTP LAN to DMZ Bandwidth Management Example...
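
The allocator below is an added example that models the bandwidth management rules stated on pages 400 to 405 (configured rate first, then leftover bandwidth to policies with maximize bandwidth usage enabled, higher priority before lower, and equally among policies of the same priority); it is not ZyWALL code and the device's real scheduler is not published here. Policy names, demands and the link size are constructed, the lowest-priority value and the handling of an oversubscribed link (higher priority wins) are assumptions, and the rule that a policy whose limits are both 0 counts as lowest priority follows the description on page 414.

```python
"""Fairness-based bandwidth allocation as described for the ZyWALL's BWM.

Added illustration, not ZyWALL code. It models the rules the text states:
every policy first gets its configured rate; leftover interface bandwidth
goes to policies with 'maximize bandwidth usage' enabled, higher priority
first, and equally among policies of the same priority. Policy names,
demands and the link size are constructed; priority 1 is highest, and a
policy whose in/out limits are both 0 is treated as lowest priority with
no guarantee (page 414). The handling of an oversubscribed link (guarantees
exceeding the interface rate) is an assumption: higher priority wins.
"""
from dataclasses import dataclass
import math

LOWEST_PRIORITY = 7  # assumption: the numerically largest priority value in use


@dataclass
class Policy:
    name: str
    guaranteed_kbps: int     # configured rate (0 = no bandwidth management)
    priority: int            # 1 is highest
    maximize: bool           # may borrow unused bandwidth
    demand_kbps: float       # what the application is trying to send


def effective_priority(p: Policy) -> int:
    # Page 414: the priority number is ignored when both limits are 0.
    return LOWEST_PRIORITY if p.guaranteed_kbps == 0 else p.priority


def allocate(link_kbps: int, policies: list) -> dict:
    """Return kbps granted to each policy on one outgoing interface."""
    alloc = {p.name: 0.0 for p in policies}
    remaining = float(link_kbps)

    # Step 1: configured rates, highest priority first if oversubscribed.
    for p in sorted(policies, key=effective_priority):
        grant = min(p.guaranteed_kbps, p.demand_kbps, remaining)
        alloc[p.name] = grant
        remaining -= grant

    # Step 2: leftover bandwidth, one priority level at a time, water-filled
    # equally among 'maximize' policies that still have unmet demand.
    for prio in sorted({effective_priority(p) for p in policies}):
        level = [p for p in policies if effective_priority(p) == prio and p.maximize]
        while remaining > 1e-9:
            hungry = [p for p in level if p.demand_kbps - alloc[p.name] > 1e-9]
            if not hungry:
                break
            share = remaining / len(hungry)
            for p in hungry:
                give = min(share, p.demand_kbps - alloc[p.name])
                alloc[p.name] += give
                remaining -= give
    return alloc


def page_401_example() -> dict:
    """Server A at 300 kbps and server B at 200 kbps sharing a 1000 kbps link."""
    return allocate(1000, [
        Policy("A", 300, 1, True, math.inf),
        Policy("B", 200, 1, True, math.inf),
    ])


if __name__ == "__main__":
    print(page_401_example())
```

Running it reproduces the page 401 figures (A gets 550 kbps, B gets 450 kbps). Giving A priority 1 and B priority 2 instead sends all 500 kbps of leftover to A, and a policy with maximize bandwidth usage disabled never receives more than its configured rate, which is the FTP case on page 405.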

Page 406: ...l policies apply bandwidth management. This same setting also appears in the Network > Routing > Policy Route screen. Enabling or disabling it in one screen also enables or disables it in the other screen. E...

Page 407: ...DESCRIPTION. This field is a sequential value and it is not associated with a specific application. Service: This field displays the name of the application. Default Access: This field displays what the Zy...

Page 408: ...it is not associated with a specific condition. Note: The ZyWALL checks conditions in the order they appear in the list. While this sequence does not affect the functionality, you might improve the perfor...

Page 409: ...und bandwidth, in kilobits per second, this policy allows the application to use. Outbound refers to the traffic the ZyWALL sends out from a connection's initiator. If no displays here, this policy does no...

Page 410: ...n page 446 for details. Select any to apply the policy for every user. From: Select the source zone of the traffic to which this policy applies. To: Select the destination zone of the traffic to which this...

Page 411: ...gement: Configure these fields to set the amount of bandwidth the application can use. These fields only apply when Access is set to forward. You must also enable bandwidth management in the main applica...

Page 412: ...er the number, the higher the priority. The ZyWALL gives traffic of an application with higher priority bandwidth before traffic of an application with lower priority. The ZyWALL uses a fairness-based ro...

Page 413: ...displays, the policy is effective for every source. Destination: This is the destination address or address group to which this policy applies. If any displays, the policy is effective for every destinatio...

Page 414: ...traffic with a lower priority. The ZyWALL ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority...

Page 415: ...the policy for every user. From: Select the source zone of the traffic to which this policy applies. To: Select the destination zone of the traffic to which this policy applies. Access: This field controls...

Page 416: ...d this policy allows the traffic to use. Outbound refers to the traffic the ZyWALL sends out from a connection's initiator. If you enter 0 here, this policy does not apply bandwidth management for the ma...

Page 417: ...atistics. The middle of the AppPatrol > BWM Statistics screen displays a bandwidth usage line graph for the selected protocols. OK: Click OK to save your changes back to the ZyWALL. Cancel: Click Cancel to e...

Page 418: ...s incoming bandwidth usage. This is the protocol's traffic that the ZyWALL sends to the initiator of the connection. A dotted line represents a protocol's outgoing bandwidth usage. This is the protocol...

Page 419: ...s is how much of the application's traffic the ZyWALL has discarded without notifying the client, in kilobytes. This traffic was dropped because it matched an application policy set to drop. Rejected Dat...

Page 420: ...s out from the initiator of the connection. So for a connection initiated from the LAN to the WAN, the traffic sent from the LAN to the WAN is the outbound traffic. Forwarded Data (KB): This is how much of...

Page 421: ...421 PART VI Anti-X: ADP 423...

Page 423: ...ly rules look for abnormal behavior or events such as port scanning, sweeping or network flooding. It operates at OSI layer 2 and layer 3. Traffic anomaly rules may be updated when you upload new firmwar...

Page 424: ...ections. Figure 355 Anti-X > ADP > General. The following table describes the labels in this screen. Table 147 Anti-X > ADP > General. LABEL / DESCRIPTION. General Settings. Enable Anomaly Detection: Select this chec...

Page 425: ...ing entry from the ZyWALL. A window displays asking you to confirm that you want to delete the entry. Note that subsequent entries move up by one when you take this action. In a numbered list, click the M...

Page 426: ...from a computer on one LAN subnet to a computer on another LAN subnet via the ZyWALL's LAN zone interfaces. The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on th...

Page 427: ...tisfied that they have been reduced to an acceptable level, you could then create an inline profile whereby you configure appropriate actions to be taken when a packet matches a rule. Table 149 Base Pro...

Page 428: ...rules and then edit the default log options and actions. 27.3.4 Traffic Anomaly Profiles. The traffic anomaly screen is the second screen in an ADP profile. Traffic anom detection looks for abnormal...

Page 429: ...Figure 359 Profiles: Traffic Anomaly...

Page 430: ...t traffic anomaly attacks will be detected; however, you will have more logs and false positives. Block Period: Specify for how many seconds the ZyWALL blocks all packets from being sent to the victim des...

Page 431: ...col Anomaly Configuration. In the Anti-X > ADP > Profile screen, click the Edit icon, or click the Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other screens...

Page 432: ...Figure 360 Profiles: Protocol Anomaly...

Page 433: ...[Figure labels: HTTP Inspection, TCP Decoder, UDP Decoder, ICMP Decoder.] Name: This is the name of the protocol anomaly rule. Click the Name column heading to sort in ascending or descending order according...

Page 434: ...n services. This may be used to evade intrusion detection. These are the distributed port scan types: TCP Distributed Portscan, UDP Distributed Portscan, IP Distributed Portscan. Port Sweeps: Many different conn...

Page 435: ...l hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If an attacker (A) spoofs the source IP address of the ICMP echo request pack...

Page 436: ...rs flood SYN packets into a network with a spoofed source IP address of the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unav...
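
The detector below is an added example showing how the port scan, distributed port scan and port sweep rules described on pages 434 to 435 can be expressed over connection records, including the Block Period behaviour from page 430; it is not ZyWALL code, and the ZyWALL's own thresholds and algorithms are not published on this page. Thresholds, the time window and the block period are constructed values, SAMPLE_LOG is a constructed log rather than ZyWALL output, and blocking the sweeping source instead of its many victims is an assumption of this example.

```python
"""Port scan, distributed port scan and port sweep detection over connection logs.

Added example illustrating the traffic-anomaly rules described above (pages
434 to 436); it is not ZyWALL code. Per sliding window it counts the distinct
ports one source touches on one host (port scan), the distinct ports several
sources together touch on one host (distributed port scan, which hides the
scanner behind many addresses) and the distinct hosts one source touches on
one port (port sweep). Thresholds, window and block period are constructed
values, and SAMPLE_LOG is a constructed log, not ZyWALL output. Blocking the
sweeping source rather than its many victims is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Iterable

SCAN_PORTS = 5         # distinct ports on one host from one source
DIST_SOURCES = 3       # sources that together count as a distributed scan
DIST_PORTS = 8         # distinct ports on one host from those sources
SWEEP_HOSTS = 5        # distinct hosts on one port from one source
WINDOW_S = 10.0        # sliding window in seconds
BLOCK_PERIOD_S = 30.0  # cf. Block Period on page 430


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    kind: str   # "scan", "distscan" or "sweep"
    src: str    # attacker, or "*" when it is a distributed scan
    dst: str    # victim, or "*" when it is a sweep over many hosts
    ts: float


def detect(conns: Iterable[Conn]):
    """Return (alerts, blocked_until): blocked_until maps an address to the
    time until which packets toward it are dropped, as the Block Period does."""
    conns = sorted(conns, key=lambda c: c.ts)
    alerts = []
    blocked_until = {}
    fired = set()

    def fire(kind, src, dst, ts, block_target):
        if (kind, src, dst) in fired:
            return  # one alert per event, not one per packet
        fired.add((kind, src, dst))
        alerts.append(Alert(kind, src, dst, ts))
        blocked_until[block_target] = max(blocked_until.get(block_target, 0.0),
                                          ts + BLOCK_PERIOD_S)

    for i, c in enumerate(conns):
        window = [w for w in conns[:i + 1] if c.ts - w.ts <= WINDOW_S]
        to_host = [w for w in window if w.dst == c.dst]
        from_src = [w for w in window if w.src == c.src]

        if len({w.dport for w in to_host if w.src == c.src}) >= SCAN_PORTS:
            fire("scan", c.src, c.dst, c.ts, c.dst)
        if (len({w.src for w in to_host}) >= DIST_SOURCES
                and len({w.dport for w in to_host}) >= DIST_PORTS):
            fire("distscan", "*", c.dst, c.ts, c.dst)
        if len({w.dst for w in from_src if w.dport == c.dport}) >= SWEEP_HOSTS:
            fire("sweep", c.src, "*", c.ts, c.src)
    return alerts, blocked_until


# Constructed log: a single-source scan, a port sweep, a three-source
# distributed scan (each source alone stays under SCAN_PORTS) and benign
# repeated web requests that must not alert.
SAMPLE_LOG = (
    [Conn(t, "10.0.0.5", "192.168.1.10", p) for t, p in enumerate([21, 22, 23, 25, 80])]
    + [Conn(20 + i, "10.0.0.6", f"192.168.1.{i + 1}", 445) for i in range(5)]
    + [Conn(40 + i, f"10.0.1.{i % 3 + 1}", "192.168.1.20", 8080 + i) for i in range(9)]
    + [Conn(60 + i, "10.0.0.7", "192.168.1.10", 80) for i in range(10)]
)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG)[0]:
        print(a)
```

Run on SAMPLE_LOG it raises exactly three alerts: the scan of 192.168.1.10, the sweep of port 445 by 10.0.0.6 and the distributed scan of 192.168.1.20, while the ten benign requests to port 80 raise nothing. Lowering SCAN_PORTS or widening WINDOW_S catches slower scans at the cost of the extra logs and false positives the page warns about.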

Page 437: ...t information or privileges from a web server. DIRECTORY TRAVERSAL ATTACK: This rule normalizes directory traversals and self-referential directories. So /abc/this_is_not_a_real_dir/../xyz gets normalized to...

Page 438: ...sitives than the directory option, because it doesn't alert on directory traversals that stay within the web server directory structure. It only alerts when the directory traversals go past the web serv...
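
The following is an added example implementing the two checks just described, the traversal normalization of page 437 and the web root variant of page 438; it is not ZyWALL code. It resolves self-referential and parent-directory segments, reports whether any traversal occurred (what the directory option alerts on) and whether the path climbed above the document root (the only case the web root option alerts on). Decoding percent-encoded characters twice before normalizing is an addition of this example, since scanners commonly hide the sequence as %2e%2e or %252e%252e; the sample URIs are constructed.

```python
"""HTTP URI normalization: 'directory' versus 'web root' traversal alerts.

Added example for the DIRECTORY TRAVERSAL and web root rules described
above (pages 437 to 438); it is not ZyWALL code. It resolves self-referential
(./) and parent (../) segments the way the rule normalizes them, reports
whether any traversal occurred (what the 'directory' option alerts on) and
whether the path climbed above the document root (what the 'web root'
option alerts on). Percent-decoding, applied twice to catch double encoding
such as %252e, is an addition of this example; the sample URIs are constructed.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class PathCheck:
    normalized: str        # path after resolving ./ and ../
    traversal: bool        # 'directory' option would alert
    web_root_escape: bool  # 'web root' option would alert


def check_uri_path(path: str) -> PathCheck:
    decoded = unquote(unquote(path))   # second pass catches %252e%252e
    stack = []
    traversal = escaped = False
    for seg in decoded.split("/"):
        if seg == "":
            continue                    # leading slash or doubled slash
        if seg == ".":
            traversal = True            # self-referential directory
            continue
        if seg == "..":
            traversal = True
            if stack:
                stack.pop()             # stays inside the document root
            else:
                escaped = True          # climbed above the document root
            continue
        stack.append(seg)
    return PathCheck("/" + "/".join(stack), traversal, escaped)


def classify(path: str) -> str:
    """Map a request path to the rule that would fire, if any."""
    r = check_uri_path(path)
    if r.web_root_escape:
        return "WEB_ROOT_TRAVERSAL"
    if r.traversal:
        return "DIRECTORY_TRAVERSAL"
    return "clean"


if __name__ == "__main__":
    for p in ["/abc/this_is_not_a_real_dir/../xyz", "/../../etc/passwd",
              "/cgi-bin/%2e%2e/%2e%2e/etc/passwd", "/images/logo.png"]:
        print(p, "->", check_uri_path(p), classify(p))
```

The page 437 example normalizes to /abc/xyz and would trigger only the directory option, whereas /../../etc/passwd and its percent-encoded form climb above the root and trigger both; a plain request for /images/logo.png triggers neither. This is the trade-off the text describes: the directory option catches more but also fires on harmless relative links inside the site.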

Страница 439: ...This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP address header length This may cause some applications to crash TRUNCATED HEADER ATTACK This is when an ICM...

Страница 440: ...Chapter 27 ADP ZyWALL USG 50 H User s Guide 440...

Страница 441: ...441 PART VII Objects User Group 443 Addresses 457 Services 463 Schedules 469 AAA Server 475 Authentication Method 485 Certificates 489 SSL Application 507...

Страница 442: ...442...

Страница 443: ...28 4 on page 449 controls default settings login settings lockout settings and other user settings for the ZyWALL You can also use this screen to specify when users must log in to the ZyWALL before it...

Страница 444: ...xt User using the local database the attempt always fails Once an Ext User user has been authenticated the ZyWALL tries to get the user type see Table 154 on page 443 from the external server If the e...

Страница 445: ...ware login example Forced User Authentication Instead of making users for which user aware policies have been configured go to the ZyWALL Login screen manually you can configure the ZyWALL to display...

Страница 446: ...unt settings used for BOB not bob User names have to be different than user group names Reserved user names are listed in the following table Table 155 Object User Group LABEL DESCRIPTION This field i...

Страница 447: ...ser this user has access to the ZyWALL s services but cannot look at the configuration Guest this user has access to the ZyWALL s services but cannot look at the configuration Ext User this user accou...

Страница 448: ...ires Reauthentication Time Type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again You can specify 1 to 1440 minutes You can enter 0 to ma...

Page 449: ...Group Group Add LABEL DESCRIPTION Name Type the name for this user group You may use 1-31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case...

Page 450: ...default settings You can still manually configure any user account's authentication timeout settings User Type These are the kinds of user account the ZyWALL supports admin this user can look at and c...

Page 451: ...once the User idle timeout has been reached User idle timeout This is applicable for access users This field is effective when Enable user idle detection is checked Type the number of minutes each acc...

Page 452: ...plies Source This field displays the source address object of traffic to which this condition applies It displays any if this condition applies to traffic from all source addresses Destination This fi...

Page 453: ...User this user has access to the ZyWALL's services but cannot look at the configuration Guest this user has access to the ZyWALL's services but cannot look at the configuration Ext User this user acco...

Page 454: ...to be active Description Enter a description for this condition It can be up to 60 printable ASCII characters long Authentication Select whether users must log in force or whether users do not have to...

Page 455: ...yWALL sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 28.2.1 on page 446 Lease time field in the Setting...

Page 456: ...web configurator to create the accounts Extract the user names from the LDAP or RADIUS server and create a shell script that creates the user accounts See Chapter 37 on page 553 for more information a...

Page 457: ...used in dynamic routes firewall rules application patrol and VPN connection policies Please see the respective sections for more information about how address objects and address groups are used in ea...

Page 458: ...plays the configured name of each address object Type This field displays the type of each address object INTERFACE means the object uses the settings of one of the ZyWALL's interfaces Address This fi...

Page 459: ...is field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only available if the Addre...

Page 460: ...ach address group Description This field displays the description of each address group if any Add icon This column provides icons to add edit and remove address groups To add an address group click t...

Page 461: ...d click the right arrow to add them to the member list Member This field displays the names of the address and address group objects that have been added to the address group The order of members is n...

Page 463: ...and more complex Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some uses are DHCP DNS RIP and SNMP TCP creates connections between computers to exchange data O...

Page 464: ...ules for each service Service groups may consist of services and other service groups The sequence of members in the service group is not important Finding Out More See Section 5.5 on page 89 for rela...

Page 465: ...ith a specific service Name This field displays the name of each service Content This field displays a description of each service Add icon This column provides icons to add edit and remove services T...

Page 466: ...This field appears if the IP Protocol is ICMP Type Select the ICMP message used by this service This field displays the message text not the message number IP Protocol Number This field appears if the...

Page 467: ...roup click on the Remove icon next to the service group The web configurator confirms that you want to delete the service group Table 171 Object Service Service Group continued LABEL DESCRIPTION Table...

Page 468: ...WALL USG 50 H User's Guide 468 OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 172 Object Service Service Group Edit conti...

Page 469: ...create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 31.2.2 on page 472 to create or edit a recurring schedule 31.1.2 What You Need to Know About Schedules One time S...

Page 470: ...click the Add icon at the top of the column The Schedule Add Edit screen appears To edit a schedule click the Edit icon next to the schedule The Schedule Add Edit screen appears To delete a schedule...

Page 471: ...refer to the one time schedule You may use 1-31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time Start Type the year mo...

Page 472: ...175 Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1-31 alphanumeric characters underscores _ or dashes but the f...

Page 473: ...Days Select each day of the week the recurring schedule is effective OK Click OK to save your changes back to the ZyWALL Cancel Click Cancel to exit this screen without saving your changes Table 175...

Page 475: ...Figure 385 Example Directory Service Client and Server The following describes the user authentication procedure via an LDAP AD server 1 A user logs in with a user name and password pair 2 The ZyWALL...

Page 476: ...ZyWALL's web configurator or network access users logging into the network through the ZyWALL You can also use the local user database to authenticate VPN users Directory Service LDAP AD LDAP Lightwei...

Page 477: ...s that have the same parent DN cn=domain1.com, ou=Sales, o=MyCompany in the following examples cn=domain1.com, ou=Sales, o=MyCompany, c=US cn=domain1.com, ou=Sales, o=MyCompany, c=JP Base DN A base DN specifi...

Page 478: ...pecify the bind DN for logging into the LDAP server Enter up to 63 alphanumerical characters For example cn=zywallAdmin specifies zywallAdmin as the user name Password If required enter the password u...

Page 479: ...tive Directory or LDAP Group to display the Active Directory or LDAP Group screen Figure 389 Object AAA Server Active Directory or LDAP Group The following table describes the labels in this screen 32...

Page 480: ...es to log into the AD or LDAP server's Base DN Specify the top level directory in the directory For example o=ZyXEL, c=US CN Identifier Specify the unique common name that uniquely identifies a record...

Page 481: ...IP address in dotted decimal notation or the domain name up to 63 alphanumeric characters of a RADIUS server Authentication Port The default port of the RADIUS server for authentication is 1812 You ne...

Page 482: ...Group The following table describes the labels in this screen 32.5.1 Adding a RADIUS Server Member Click Object AAA Server RADIUS Group to display the RADIUS Group screen Click the Add icon or an Edit...

Page 483: ...the RADIUS server In this case user authentication fails Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down Host Members The ordering of th...

Page 485: ...ction 33.3 on page 487 to create a new authentication method object Finding Out More See Section 6.6.3 on page 115 for an example of how to set up user authentication using a RADIUS server 33.1.2 Befo...

Page 486: ...on method objects Figure 395 Object Auth Method The following table describes the labels in this screen Table 182 Object Auth Method LABEL DESCRIPTION This field displays the index number Method Name...

Page 487: ...List drop down list box 6 You can add up to four server objects to the table The ordering of the Method List column is important The ZyWALL authenticates the users using the databases in the local us...

Page 488: ...n the AAA Server screen see Chapter 32 on page 475 for more information The ZyWALL authenticates the users using the databases in the local user database or the external authentication server in the o...

Page 489: ...hentication each host has two keys One key is public and can be made openly available The other key is private and must be kept secure These keys work like a handwritten signature in fact certificates...

Page 490: ...ory server's list of revoked certificates The framework of servers software procedures and policies that handles keys is called PKI public key infrastructure Advantages of Certificates Certificates of...

Page 491: ...ny programs use text files by default Finding Out More See Section 5.5 on page 89 for related information on these screens See Section 34.4 on page 505 for certificate background information 34.1.3 Ve...

Page 492: ...open the My Certificates screen This is the ZyWALL's summary list of certificates and certification requests Figure 399 Object Certificate My Certificates The following table describes the labels in...

Page 493: ...ying information about the certificate's issuing certification authority such as a common name organizational unit or department organization or company and country With self signed certificates this...

Page 494: ...rtificate It is recommended that each certificate have unique subject information Common Name Select a radio button to identify the certificate's owner by IP address domain name or e mail address Type...

Page 495: ...ately online to have the ZyWALL generate a request for a certificate and apply to a certification authority for a certificate You must have the certification authority's certificate already imported i...

Page 496: ...You can use this screen to view in depth certificate information and change the certificate's name Request Authentication When you select Create a certification request and enroll for a certificate i...

Page 497: ...splay the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have imported as a trusted certificatio...

Page 498: ...ion request Key Algorithm This field displays the type of algorithm that was used to generate the certificate's key pair the ZyWALL uses RSA encryption and the length of the key set in bits 1024 bits...

Page 499: ...the File Download screen The Save As screen opens browse to the location that you want to use and click Save Export Certificate Only Use this button to save a copy of the certificate without its priv...

Page 500: ...ord that was created when the PKCS#12 file was exported OK Click OK to save the certificate on the ZyWALL Cancel Click Cancel to quit and return to the My Certificates screen Table 188 Object Certific...

Page 501: ...ssage if the certificate has expired icons Click the Edit icon to open a screen with an in depth list of information about the certificate The ZyWALL keeps all of your certificates unless you specific...

Page 502: ...n Path Click the Refresh button to have this read only text box display the end entity's certificate and a list of certification authority certificates that shows the hierarchy of certification author...

Page 503: ...from the entity maintaining the server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the CRL directory server usually a certificati...

Page 504: ...ificate For example Subject Type CA means that this is a certification authority's certificate and Path Length Constraint 1 means that there can only be one certification authority in the certificate...

Page 505: ...mation The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify not a huge list When the ZyWALL requests certificate status infor...

Page 507: ...es 35.1.2 What You Need to Know About SSL Application Objects Weblinks You can configure weblink SSL applications to allow remote users to access web sites Remote User Screen Links Available SSL appli...

Page 508: ...application click the Add or Edit button in the SSL Application screen to display the configuration screen as shown Figure 408 Object SSL Application Add Edit Table 191 Object SSL Application LABEL DE...

Page 509: ...re allowed URL Enter the Fully Qualified Domain Name FQDN or IP address of the application server Note You must enter the http or https prefix Remote users are restricted to access only files in this...

Page 511: ...511 PART VIII System System 513...

Page 513: ...re SHell used to securely access the ZyWALL's command line interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen Figure 446...

Page 514: ...server To change your ZyWALL's time based on your local time zone and date click System Date Time The screen displays as shown You can manually set the ZyWALL's time and date or have the ZyWALL get th...

Page 515: ...This field displays the last updated time from the time server or the last time configured manually When you set Time and Date Setup to Manual enter the new time in this field and then click Apply Ne...

Page 516: ...ast Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A.M. GMT or UTC So in the European Union you would select Last Sunday March The tim...

Page 517: ...s will display the appropriate settings if the synchronization is successful If the synchronization was not successful a log displays in the View Log screen Try reconfiguring the Date Time screen To m...

Page 518: ...es in the following ways The ISP tells you the DNS server addresses usually in the form of an information sheet when you sign up If your ISP gives you DNS server addresses manually enter them in the D...

Page 519: ...t's fully qualified domain name IP Address This is the IP address of a host Add icon Click the Add icon in the heading row to open a screen where you can add a new address PTR record Refer to Table 19...

Page 520: ...ail server that handles the mail for a particular domain This is the index number of the MX record Domain Name This is the domain name where the mail is destined for IP FQDN This is the IP address or...

Page 521: ...d is also called a reverse record or a reverse lookup record It is a mapping of an IP address to a domain name 36.5.5 Adding an Address PTR Record Click the Add icon in the Address PTR Record table to...

Page 522: ...he Domain Zone Forwarder table to add a domain zone forwarder record Figure 415 System DNS Domain Zone Forwarder Add Table 198 System DNS Address PTR Record Edit LABEL DESCRIPTION FQDN Type a fully qu...

Page 523: ...ified DNS server(s) DNS Server Select DNS Server(s) from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP...

Page 524: ...ystem DNS MX Record Add continued LABEL DESCRIPTION Table 201 System DNS Service Control Rule Add LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to send DNS queries to the Z...

Page 525: ...rvice Access Limitations A service cannot be used to access the ZyWALL when 1 You have disabled that service in the corresponding screen 2 The allowed IP address address object in the Service Control...

Page 526: ...is used so that you can securely access the ZyWALL using the web configurator The SSL protocol specifies that the HTTPS server the ZyWALL must always authenticate itself to the HTTPS client the comput...

Page 527: ...eals with management access to the web configurator User Service Control deals with user access to the ZyWALL logging into SSL VPN for example Figure 420 System WWW Service Control The following table...

Page 528: ...ure a rule that traffic will match so the ZyWALL will not have to use the default policy Zone This is the zone on the ZyWALL the user is allowed or denied to access Address This is the object name of...

Page 529: ...e ZyWALL zone(s) configured in the Zone field Accept or not Deny Add icon Click the Add icon in the heading row to open a screen where you can add a new rule Refer to Table 203 on page 530 for informat...

Page 530: ...dit LABEL DESCRIPTION Address Object Select ALL to allow or deny any computer to communicate with the ZyWALL using this service Select a predefined address object to just allow or deny the computer wi...

Page 531: ...hoose Enter the name of the desired color Enter a pound sign followed by the six digit hexadecimal number that represents the desired color For example use #000000 for black Enter rgb followed by red g...

Page 532: ...Page Use this section to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Message Color Specif...

Page 533: ...Internet Explorer 36.6.7.2 Netscape Navigator Warning Messages When you attempt to access the ZyWALL HTTPS server a Website Certified by an Unknown Authority screen pops up asking if you trust the ser...

Page 534: ...s The issuing certificate authority of the ZyWALL's factory default certificate is the ZyWALL itself since the certificate is a self signed certificate For the browser to trust a self signed certifica...

Page 535: ...Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyWALL see the ZyWALL's Trusted CA web confi...

Page 536: ...pendix 36.6.7.5.2 Installing Your Personal Certificate(s) You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal cert...

Page 537: ...lick Browse if you wish to import a different certificate Figure 432 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA Figure 433 Personal Certificate Import Wizard 3 4...

Page 538: ...te Import Wizard 4 5 Click Finish to complete the wizard and begin the import process Figure 435 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is corr...

Page 539: ...web address field Figure 437 Access the ZyWALL Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyWALL the following screen asks you to select a personal certificate to send to the...

Page 540: ...f the ZyWALL for a management session Figure 440 SSH Communication Over the WAN Example 36.7.1 How SSH Works The following figure is an example of how a secure connection is established between two re...

Page 541: ...SH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Arcfour and Blowfish The SSH server is implemented on the ZyWALL for management using port 22 by default 36.7.3 Requi...

Page 542: ...ce for remote management Server Certificate Select the certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections You must have certificates already configure...

Page 543: ...SH Example 2 Test 2 Enter ssh -1 192.168.1.1 This command forces your computer to connect to the ZyWALL using SSH version 1 If this is the first time you are connecting to the ZyWALL using SSH a messag...

Page 544: ...h a hyphen instead of a number is the ZyWALL's non configurable default policy The ZyWALL applies this to traffic that does not match any other configured rule It is not an editable rule To apply othe...

Page 545: ...lnet continued LABEL DESCRIPTION Table 207 System FTP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service...

Page 546: ...ccess Address This is the object name of the IP address(es) with which the computer is allowed or denied to access Action This displays whether the computer with the IP address specified above can acce...

Page 547: ...ariables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the pu...

Page 548: ...g events occurs 36.10.3 Configuring SNMP To change your ZyWALL's SNMP settings click System SNMP tab The screen appears as shown Use this screen to configure your SNMP settings including from which zo...

Page 549: ...which ZyWALL zones This is the index number of the service control rule The entry with a hyphen instead of a number is the ZyWALL's non configurable default policy The ZyWALL applies this to traffic that...

Page 550: ...Table 210 System Language LABEL DESCRIPTION Language Setting Select a display language for the ZyWALL's web configurator screens You also need to open a new browser session to display the screens in...

Page 551: ...551 PART IX Maintenance Troubleshooting Specifications File Manager 553 Logs 563 Reports 575 Diagnostics 583 Reboot 585 Troubleshooting 587 Product Specifications 591...

Page 553: ...nfiguration File screen see Section 37.2 on page 555 to store and name configuration files You can also download configuration files from the ZyWALL to your computer and upload configuration files fro...

Page 554: ...ing of a single to have the ZyWALL exit sub command mode Figure 451 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin pas...

Page 555: ...e configuration file or shell script and generates a log You can change the way a configuration file or shell script is applied Include setenv stop-on-error off in the configuration file or shell scri...

Page 556: ...s and applies it If there are no errors the ZyWALL uses it and copies it to the lastgood.conf configuration file as a back up file If there is an error the ZyWALL generates a log and copies the startu...

Page 557: ...me of another configuration file in the ZyWALL Click a configuration file's row to select it and click Rename to open the Rename File screen Figure 454 Maintenance File Manager Configuration File Rena...

Page 558: ...management session the changes are applied to this configuration file The ZyWALL applies configuration changes made in the web configurator to the configuration file when you click Apply or OK It appl...

Page 559: ...ng a temporary network disconnect In some operating systems you may see the following icon on your desktop Table 213 Maintenance File Manager Firmware Package LABEL DESCRIPTION Boot Module This is the...

Page 560: ...LL use commands that you specify Use a text editor to create the shell script files They must use a .zysh filename extension Click Maintenance File Manager Shell Script to open the Shell Script screen...

Page 561: ...s including a-zA-Z0-9_ Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file Delete Click a shell script file's row to select it and...

Page 562: ...r's Guide 562 Browse Click Browse to find the .zysh file you want to upload Upload Click Upload to begin the upload process This process may take up to several minutes Table 214 Maintenance File Manage...

Page 563: ...log and you can also clear the log in this screen Use the Maintenance Log Settings screen Section 38.4 on page 565 to specify which log messages are e mailed where they are e mailed and how often they...

Page 564: ...he whole log regardless of what is currently displayed on the screen Filter These fields are displayed when you show the filter When the filter is shown the filter criteria are not applied until you c...

Page 565: ...rded in the ZyWALL entries per page Select the number of log messages you would like to see on one screen Choices are 30 50 and 80 Page x of x This is the number of the page of entries currently displ...

Page 566: ...Setting LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific log Name This field displays the name of the log system log or one of the remote servers Log Format...

Page 567: ...includes the e mail profiles Go to the Log Settings Summary screen see Section 38.4.1 on page 566 and click the system log Edit icon Active Log Summary Click this button to open the Active Log Summary...

Page 568: ...Chapter 38 Logs ZyWALL USG 50 H User's Guide 568 Figure 464 Maintenance Log Log Setting Edit System Log...

Page 569: ...user name to provide to the SMTP server when the log is e mailed Password This box is effective when you select the SMTP Authentication check box Type the password to provide to the SMTP server when t...

Page 570: ...og tab the text count x where x is the number of original log messages is appended at the end of the Message field when multiple log messages were aggregated Log Consolidation Interval Type how often...

Page 571: ...ribes the labels in this screen Table 219 Maintenance Log Log Setting Edit Remote Server LABEL DESCRIPTION Log Settings for Remote Server 1 Active Select this check box to send log information accordi...

Page 572: ...ifferent files in the syslog server Please see the documentation for your syslog program for more information Active Log Log Category This field displays each category of messages It is the same value...

Page 573: ...discussed The Default category includes debugging messages generated by open source software The following table describes the fields in this screen Table 220 Maintenance Log Log Setting Active Log Su...

Page 574: ...information and alerts from this category enable all logs yellow checkmark log regular information alerts and debugging information from this category If you check one of the check boxes for All Logs...

Page 575: ...how to send daily reports and what reports to send 39.2 The Traffic Statistics Screen Click Maintenance Report Traffic Statistics to display the Traffic Statistics screen This screen provides basic in...

Page 576: ...on to update it Apply Click Apply to save your changes back to the ZyWALL Reset Click Reset to begin configuring this screen afresh Statistics Interface Select the interface from which to collect info...

Page 577: ...imum number of services and service ports in this report is indicated in Table 222 on page 578 Protocol This field indicates what protocol the service was using Direction This field indicates whether...

Page 578: ...ource address Destination address Number of bytes received so far Number of bytes transmitted so far Duration so far You can look at all the active sessions by user or by service or you can filter the...

Page 579: ...ll sessions is selected Type the user whose sessions you want to view It is not possible to type part of the user name or use wildcards in this field you must enter the whole user name Service This fi...

Page 580: ...tive session If you are looking at the sessions by services report click the blue plus sign next to each protocol to look at detailed session information by user Source This field displays the source...

Page 581: ...ect Append date time to add the ZyWALL's system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type...

Page 582: ...tems Select which information you want included in the report Select Reset counters after sending report successfully if you only want to see statistics for a 24 hour period Reset All Counters Click t...

Page 583: ...nostics screen Figure 470 Maintenance Diagnostics The following table describes the labels in this screen Table 225 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most rece...

Page 585: ...write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 42.1 on page 589 reset returns the device to its defau...

Page 587: ...computer at the other Before doing so ensure that both computers have Internet access via the IPSec routers It is also helpful to have a way to look at the packets that are being sent and received by...

Page 588: ...is not a firewall or NAT router between the ZyWALL and the remote users 4 Make sure the remote users are using public IP addresses V The VPN connection is up but VPN traffic cannot be transmitted thro...

Page 589: ...ed in the cellular device 2 Make sure the cellular device is properly connected to the correct slot The USB port for which you configured the corresponding cellular interface You may need to remove th...

Page 590: ...sure the SYS LED is on and not blinking 2 Press the RESET button and hold it until the SYS LED begins to blink This usually takes about five seconds 3 Release the RESET button and wait for the ZyWALL...

Page 591: ...ces 6 The WAN interfaces are Fast Ethernet 10/100 Mbps full duplex RJ-45 connectors auto negotiation auto MDI/MDIX auto crossover The LAN DMZ Ethernet interfaces are Gigabit Ethernet full duplex RJ-45...

Page 592: ...ack mountable rack mount kit not included Wall mounting The ZyWALL has wall mounting holes on the bottom panel The centers of the holes are located 156 mm apart Table 227 Hardware Specifications conti...

Page 593: ...ice object in one group 500 Schedule Objects 64 Maximum Number of LDAP Groups 4 Maximum Number of LDAP Servers for Each LDAP Group 2 Maximum Number of RADIUS Groups 4 Maximum Number of RADIUS Servers...

Page 594: ...E 802.1d standard Interface RFCs 2131 2132 1541 Interface PPP RFCs 1144 1321 1332 1334 1661 1662 2472 Interface PPTP RFCs 2637 3078 Interface PPPOE RFC 2516 Interface VLAN IEEE 802.1Q Dynamic Route Sh...

Page 595: ...1 4252 4253 4254 Used by Time service RFCs 3339 Used by Telnet service RFCs 318 854 1413 Used by SIP ALG RFCs 3261 3264 DHCP relay RFC 1541 ZySH W3C XML standard ARP RFC 826 IP IPv4 RFC 791 TCP RFC 79...

Page 597: ...597 PART X Appendices and Index Log Descriptions 599 Common Services 637 Importing Certificates 641 Wireless LANs 647 Open Software Announcements 661 Legal Information 687 Index 689...

Page 599: ...SL user SSL tunnel is disconnected An SSL tunnel has been disconnected The source is the login IP address The destination is the IP address given to the SSL user The %s address object is invalid IP in...

Page 600: ...r setting has been modified in the specified SSL VPN policy %s The IP pool is same subnet with %s in SSL VPN policy %s So %s will not be injected to client side The IP pool is in the same subnet as the sp...

Page 601: ...the user's user name The third %s is the name of the service the user is using HTTP or HTTPS Failed login attempt to SSLVPN from %s login on a lockout address An SSL VPN login attempt from the listed u...

Page 602: ...specified user name %s was denied access to the L2TP over IPSec service because the correct password was not provided User %s has been denied from L2TP service Incorrect Username or Password A user with...

Page 603: ...me can't print entry %s 1st zysh entry name %s cannot retrieve entries from list 1st zysh list name can't get name for entry %d 1st zysh entry index can't get reference count %s 1st zysh list name can't p...

Page 604: ...http inspection attack tcp decoder attack The message gives details about the attack although the message is dropped if the log is more than 128 characters The action is what the ZyWALL did with the p...

Page 605: ...TTP HTTPS FTP Telnet SSH or console %s %s from %s has been logged out ZyWALL re auth timeout The ZyWALL is signing the specified user out due to a re authentication timeout 1st %s The type of user account...

Page 606: ...1st %s Protocol Name 2nd %s port less or port base 3rd %s Rule Index 4th %s forward drop or reject Service %s Rule %s Action %s Access drop Special packet logging for IM action 1st %s Protocol Name 2nd %s port...

Page 607: ...device failed to initiate XML System fatal error 60011004 The device failed to turn application patrol off while the system was initiating Table 237 IKE Logs LOG MESSAGE DESCRIPTION Peer has not annou...

Page 608: ...the tunnel name When negotiating Phase 1 the authentication method did not match SA Tunnel %s Phase 1 encryption algorithm mismatch %s is the tunnel name When negotiating Phase 1 the encryption algorit...

Page 609: ...sal in phase 1 the engine could not get the correct secure gateway address Could not dial dynamic tunnel %s %s is the tunnel name The tunnel is a dynamic tunnel and the device cannot dial it Could not d...

Page 610: ...d the VPN gateway VPN gateway %s was enabled %s is the gateway name An administrator enabled the VPN gateway XAUTH fail My name %s %s is the my xauth name This indicates that my name is invalid XAUTH fail...

Page 611: ...context Get outbound transform fail When an outgoing packet needs to be transformed the engine cannot obtain the transform context Inbound transform operation fail After encryption or hardware accelerate...

Page 612: ...ll rule %d has been deleted %d is the global index of rule Firewall rules have been flushed Firewall rules were flushed Firewall rule %d was %s %d is the global index of rule %s is appended inserted modifie...

Page 613: ...fail Allocating policy routing rule fails insufficient memory %d the policy route rule number The policy route %d uses empty user group Use an empty object group %d the policy route rule number The polic...

Page 614: ...P port has changed to default port An administrator changed the port number for HTTP back to the default 80 SSH port has been changed to port %s An administrator changed the port number for SSH %s is po...

Page 615: ...nistrator changed the time zone %s is time zone value Set timezone to default An administrator changed the time zone back to the default 0 Enable daylight saving An administrator turned on daylight sav...

Page 616: ...ave reached the maximum number of 32 Wizard apply DNS server fail because the device already has the maximum number of DNS records configured %s is IP address of the DNS server Access control rules of...

Page 617: ...Partition name file system usage reaches %d disk threshold max When memory usage drops below threshold min System Memory usage drops below the threshold of %d mem threshold min When local storage usage...

Page 618: ...e device was not able to synchronize with the NTP time server successfully Device is rebooted by administrator An administrator restarted the device Insufficient memory Cannot allocate system memory C...

Page 619: ...d because of dyndns internal error Update profile failed because of a dyndns internal error %s is the profile name Update the profile %s has failed because the feature requested is only available to do...

Page 620: ...dated because the IP of WAN iface is 0.0.0.0 1st %s is the profile name Update the profile %s has failed because ping check of WAN interface has failed DDNS profile cannot be updated because the ping ch...

Page 621: ...ocess can't execute isalive function from module for check link status %s the connectivity module currently only ICMP available Create socket error The connectivity check process can't get socket to se...

Page 622: ...s been activated %s Interface Name RIP direction on interface %s has been changed to In Only RIP direction on interface %s has been changed to In Only %s Interface Name RIP direction on interface %s has be...

Страница 623: ...me RIP receive version on interface s has been changed to s RIP receive version on interface s has been changed to version 1 or 2 or both 1 2 2nd s Interface Name RIP send version on interface s has b...

Страница 624: ...ion same as area however the area has invalid text authentication configuration s Interface Name Table 246 NAT Logs LOG MESSAGE DESCRIPTION The NAT range is full The NAT mapping table is full s FTP AL...

Страница 625: ...Generate certificate request s failed errno d The router was not able to create a certificate request with the specified name See Table 249 on page 627 for details about the error number Generate PKCS...

Страница 626: ...e certificate request name Decode imported certificate s failed The device was not able to decode an imported certificate s is certificate the request name Export PKCS 12 certificate s from My Certifi...

Страница 627: ...as not valid in the time interval 4 Not used 5 Certificate is not valid 6 Certificate signature was not verified correctly 7 Certificate was revoked by a CRL 8 Certificate was not added to the cache 9...

Страница 628: ...t work correctly An administrator configured ethernet vlan or bridge and this interface is base interface of PPP interface PPP interface MTU base interface MTU 8 PPP interface may not run correctly be...

Страница 629: ...CHAP CHAP interface name Interface s is connected A PPP interface connected successfully s interface name Interface s is disconnected A PPP interface disconnected successfully s interface name Interf...

Страница 630: ...serted Please remove the device then check the SIM card The SIM card for the cellular device associated with the listed cellular interface d cannot be detected The SIM card may be missing not inserted...

Страница 631: ...e You need to manually enter the password for the listed cellular interface d Table 249 WLAN Logs LOG MESSAGE DESCRIPTION Wlan s is enabled The WLAN IEEE 802 11 b and or g feature has been turned on s...

Страница 632: ...Interface s MAC s A wireless client used an incorrect WPA or WPA2 user password and failed authentication by the ZyWALL s local user database while trying to connect to the specified WLAN interface fi...

Страница 633: ...in its group In this case the DHCP client will renew s interface name Port Grouping s has been changed An administrator configured port grouping s interface name Table 252 Force Authentication Logs L...

Страница 634: ...HCP client s request for the specified IP address DHCP released s with s s A DHCP client released the specified IP address The DHCP client s hostname and MAC address are listed Sending ACK to s The DH...

Страница 635: ...2X 02X The IP MAC binding feature dropped an Ethernet packet The interface the packet came in through and the sender s IP address and MAC address are also shown Cannot bind ip mac from dhcpd s u u u u...

Страница 636: ...Appendix A Log Descriptions ZyWALL USG 50 H User s Guide 636...

Страница 637: ...l is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used Table 257 Commonly Used Servi...

Страница 638: ...ogram NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transparent file sharing for network environments NNTP TCP...

Страница 639: ...midrange systems UNIX systems and network servers SSH TCP UDP 22 Secure Shell Remote Login Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Syslog allows you to send system logs to a...

Страница 640: ...Appendix B Common Services ZyWALL USG 50 H User s Guide 640...

Страница 641: ...creen to do this Figure 472 Security Certificate Importing the ZyWALL s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyWALL simply import the se...

Страница 642: ...ZyWALL USG 50 H User s Guide 642 Figure 473 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 474 Certificate General Information before Import 3 Click Next to beg...

Страница 643: ...LL USG 50 H User s Guide 643 Figure 475 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 476 Certificate Import Wizard 2 5 Click Finish to...

Страница 644: ...Appendix C Importing Certificates ZyWALL USG 50 H User s Guide 644 Figure 477 Certificate Import Wizard 3 6 Click Yes to add the ZyWALL certificate to the root store Figure 478 Root Certificate Store...

Страница 645: ...Appendix C Importing Certificates ZyWALL USG 50 H User s Guide 645 Figure 479 Certificate General Information after Import...


Page 647: ...ependent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 480 Peer to Peer Communication in an Ad hoc N...

Page 648: ...wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired netw...

Page 649: ...rtially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 ch...

Page 650: ...requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if...

Page 651: ...support it and to provide more efficient communications Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it otherwise the ZyWALL uses long p...

Page 652: ...f IEEE 802.1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting management o...

Page 653: ...oint and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stoppe...

Page 654: ...e wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exch...

Page 655: ...at defines stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireles...

Page 656: ...ta has been tampered with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more dif...

Page 657: ...is the distribution system 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants...

Page 658: ...PA 2 PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type MAC ad...

Page 659: ...tdoor site each 1dB increase in gain results in a range increase of approximately 5 Actual results may vary depending on the network environment Antenna gain is sometimes specified in dBi which is how...

Page 660: ...and in a direct line of sight to each other to attain the best performance For omni directional antennas mounted on a table desk and so on point the antenna up For omni directional antennas mounted on...

Page 661: ...ain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following...

Page 662: ...is without express or implied warranty This Product includes expat 1 95 6 software under the Expat License Expat License Copyright c 1998 1999 2000 Thai Open Source Software Center Ltd Permission is h...

Page 663: ...is Product includes openssl 0 9 8d ocf software under the OpenSSL License OpenSSL The OpenSSL toolkit stays under a dual license i e both the conditions of the OpenSSL License and the original SSLeay...

Page 664: ...License Copyright C 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to con...

Page 665: ...d xinetd 2 3 14 software under the a 3 clause BSD License a 3 clause BSD style license This license is compatible with The GNU General Public License Version 1 This license is compatible with The GNU...

Page 666: ...notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY...

Page 667: ...d any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Enti...

Page 668: ...nd do not modify the License You may add Your own attribution notices within Derivative Works that You distribute alongside or as an addendum to the NOTICE text from the Work provided that such additi...

Page 669: ...ights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain th...

Page 670: ...sure the software is free for all its users This license the Lesser General Public License applies to some specially designated software packages typically libraries of the Free Software Foundation an...

Page 671: ...criteria for linking other code with the library We call this license the Lesser General Public License because it does Less to protect the user s freedom than the ordinary General Public License It a...

Page 672: ...keep intact all the notices that refer to this License and to the absence of any warranty and distribute a copy of this License along with the Library You may charge a fee for the physical act of tran...

Page 673: ...s no derivative of any portion of the Library but is designed to work with the Library by being compiled or linked with it is called a work that uses the Library Such a work in isolation is not a deri...

Page 674: ...eady sent this user a copy For an executable the required form of the work that uses the Library must include any data and utility programs needed for reproducing the executable from it However as a s...

Page 675: ...ts or other property right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented...

Page 676: ...NY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUST...

Page 677: ...ssion to copy distribute and or modify the software Also for each author s protection and ours we want to make certain that everyone understands that there is no warranty for this free software If the...

Page 678: ...nt an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and sepa...

Page 679: ...or modifying the Program or works based on it 6 Each time you redistribute the Program or any work based on the Program the recipient automatically receives a license from the original licensor to cop...

Page 680: ...by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivative...

Page 681: ...REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EV...

Page 682: ...provided with the distribution and 3 Redistributions must contain a verbatim copy of this document The OpenLDAP Foundation may revise this license from time to time Each revision is distinguished by a...

Page 683: ...S ACQUIRED AND YOUR MONEY WILL BE REFUNDED 1 Grant of License for Personal Use ZyXEL Communications Corp ZyXEL grants you a non exclusive non sublicense non transferable license to use the program wit...

Page 684: ...uch material are contained in the online electronic documentation for the Software and your use of such material is governed by their respective terms ZyXEL has provided as part of the Software packag...

Page 685: ...S REGULATIONS ORDERS OR OTHER RESTRICTIONS ON THE EXPORT OF THE SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME YOU SHALL NOT EXPORT THE SOFTWARE DOCUMENTATION OR IN...

Page 686: ...C Taiwan This License Agreement shall constitute the entire Agreement between the parties hereto This License Agreement the rights granted hereunder the Software and Documentation shall not be assigne...

Page 687: ...by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does i...

Page 688: ...t shall deem necessary to restore the product or components to proper operating condition Any replacement will consist of a new or re manufactured functionally equivalent product of equal or higher va...

Page 689: ...encapsulation 341 ESP 340 active sessions 133 136 582 AD 479 AD Active Directory 480 address groups 461 and firewall 304 and force user authentication policies 458 and FTP 550 and SNMP 553 and SSH 546...

Page 690: ...unidentified applications 416 vs firewall 293 295 applications 37 ASCII encoding 441 asymmetrical routes 301 allowing through the firewall 302 vs virtual interfaces 301 attacks Denial of Service DoS...

Page 691: ...9 serial number 502 507 storage space 496 504 thumbprint algorithms 495 thumbprints 495 used for authentication 494 verifying fingerprints 495 where used 89 certification requests 499 certifications n...

Page 692: ...91 Distinguished Name DN 481 distributed port scans 438 DNS 189 522 address records 525 domain name forwarders 526 domain name to IP address 525 IP address to domain name 525 L2TP VPN 370 Mail eXchang...

Page 693: ...ration overview 86 global rules 295 prerequisites 87 priority 303 rule criteria 295 see also to ZyWALL firewall 294 session limits 305 to ZyWALL See also to ZyWALL firewall triangle routes 301 302 vs...

Page 694: ...c router 334 IP address ZyXEL device 334 local identity 337 main mode 334 337 338 NAT traversal 338 negotiation mode 334 password 339 peer identity 337 pre shared key 336 proposal 334 see also VPN use...

Page 695: ...y 319 PFS 319 phase 2 settings 318 policy enforcement 318 policy routes 314 proposals 319 remote access 318 remote IPSec router 311 remote network 311 remote policy 318 replay detection 318 SA life ti...

Page 696: ...21 algorithms 222 226 least load first 223 See also trunks 221 session oriented 222 spillover 224 tutorial 120 weighted round robin 223 local user database 480 log messages and alerts 569 categories 5...

Page 697: ...P 509 vs CRL 509 Open Shortest Path First See OSPF OSPF 161 243 and Ethernet interfaces 155 and RIP 245 and static routes 245 and to ZyWALL firewall 243 area 0 244 areas See OSPF areas authentication...

Page 698: ...and firewall 236 and policy routes 236 and service groups 236 and services 236 power off 33 power on 33 PPP 216 PPP interfaces 166 basic characteristics 148 gateway 167 ISP account 167 subnet mask 16...

Page 699: ...TP 283 RTS Request To Send 654 threshold 653 654 S safety warnings 8 schedules 473 and current date time 473 and firewall 304 414 417 419 and force user authentication policies 458 and policy routes 2...

Page 700: ...names 349 connection monitor 349 full tunnel mode 349 global setting 350 IP pool 349 network list 349 remote user login 354 remote user logout 359 See also SSL VPN 345 user screen bookmarks 359 user s...

Page 701: ...1 to ZyWALL firewall 294 and NAT traversal VPN 591 and OSPF 243 and remote management 295 and RIP 242 and service control 529 and virtual servers 265 and VPN 591 global rules 294 See also firewall 294...

Page 702: ...licy routes 234 412 414 417 419 and RADIUS 448 and service control 529 and shell scripts 460 attributes for Ext User 448 attributes for LDAP 460 attributes for RADIUS 460 attributes in AAA servers 460...

Page 703: ...s 274 see also HTTP redirect web based SSL application configuration example 511 create 512 webroot directory traversal attack 442 weighted round robin for load balancing 223 Wi-Fi Protected Access 65...

Page 704: ...294 302 and FTP 550 and interfaces 80 251 and SNMP 553 and SSH 546 and Telnet 548 and VPN 80 251 and WWW 534 block intra zone traffic 253 301 configuration overview 85 default 81 extra zone traffic 25...
