Zyxel zywall usg 50 инструкция на русском

ZyXEL Communications ZyWALL USG 50 User Manual

  • Contents

  • Table of Contents

  • Troubleshooting

  • Bookmarks

Quick Links

ZyWALL USG 50

Unified Security Gateway

Default Login Details

LAN Port

IP Address

https://192.168.1.1

User Name

Password

www.zyxel.com

Version 2.21

Edition 4, 4/2011

www.zyxel.com

P3, P4

admin

1234

Copyright © 2011

ZyXEL Communications Corporation

loading

Related Manuals for ZyXEL Communications ZyWALL USG 50

Summary of Contents for ZyXEL Communications ZyWALL USG 50

  • Page 1
    ZyWALL USG 50 Unified Security Gateway Default Login Details LAN Port P3, P4 IP Address https://192.168.1.1 User Name admin Password 1234 www.zyxel.com Version 2.21 Edition 4, 4/2011 www.zyxel.com Copyright © 2011 ZyXEL Communications Corporation…
  • Page 3: About This User’s Guide

    • CLI Reference Guide The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the ZyWALL. Note: It is recommended you use the Web Configurator to configure the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 4
    • Knowledge Base If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products. ZyWALL USG 50 User’s Guide…
  • Page 5
    Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate. ZyWALL USG 50 User’s Guide…
  • Page 6: Document Conventions

    For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on. • “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”. ZyWALL USG 50 User’s Guide…

  • Page 7
    Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL USG 50 User’s Guide…
  • Page 8: Safety Warnings

    Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately. ZyWALL USG 50 User’s Guide…

  • Page 9: Table Of Contents

    SSL User Application Screens ………………..437 ZyWALL SecuExtender ………………….439 Application Patrol ……………………443 Anti-Virus ……………………..469 IDP ……………………….485 ADP ……………………….519 Content Filtering ……………………539 Content Filter Reports ………………….565 Anti-Spam ……………………..573 User/Group ……………………..591 ZyWALL USG 50 User’s Guide…

  • Page 10
    Endpoint Security ……………………673 System ……………………….. 681 Log and Report ……………………731 File Manager ……………………..745 Diagnostics ……………………..757 Packet Flow Explore …………………… 767 Reboot ……………………….. 775 Shutdown ……………………..777 Troubleshooting ……………………779 Product Specifications ………………….795 ZyWALL USG 50 User’s Guide…
  • Page 11: Table Of Contents

    2.2.4 Multiple WAN Interfaces ………………… 43 Chapter 3 Web Configurator……………………45 3.1 Web Configurator Requirements ………………45 3.2 Web Configurator Access ………………..45 3.3 Web Configurator Screens Overview ……………… 47 3.3.1 Title Bar ……………………48 3.3.2 Navigation Panel ………………….49 ZyWALL USG 50 User’s Guide…

  • Page 12
    Configuration Basics………………….89 6.1 Object-based Configuration ………………..89 6.2 Zones, Interfaces, and Physical Ports …………….. 90 6.2.1 Interface Types ………………….91 6.2.2 Default Interface and Zone Configuration …………..91 6.3 Terminology in the ZyWALL ………………..93 ZyWALL USG 50 User’s Guide…
  • Page 13
    7.1 How to Configure Interfaces, Port Roles, and Zones …………111 7.1.1 Configure a WAN Ethernet Interface ……………..112 7.1.2 Configure Port Roles ………………..113 7.1.3 Configure the DMZ Interface for a Local Network ………….113 7.1.4 Configure Zones ………………….114 7.2 How to Configure a Cellular Interface ……………..115 ZyWALL USG 50 User’s Guide…
  • Page 14
    7.12 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ….154 7.12.1 Create the Public IP Address Range Object …………154 7.12.2 Configure the Policy Route ………………155 Part II: Technical Reference …………..157 Chapter 8 Dashboard ……………………..159 ZyWALL USG 50 User’s Guide…
  • Page 15
    9.16 The Content Filter Statistics Screen …………….201 9.17 Content Filter Cache Screen ………………. 203 9.18 The Anti-Spam Statistics Screen ………………206 9.19 The Anti-Spam Status Screen ………………208 9.20 Log Screen ……………………209 Chapter 10 Registration ……………………… 213 ZyWALL USG 50 User’s Guide…
  • Page 16
    12.4 Trunk Technical Reference ………………..285 Chapter 13 Policy and Static Routes …………………. 287 13.1 Policy and Static Routes Overview ……………… 287 13.1.1 What You Can Do in this Chapter …………….287 13.1.2 What You Need to Know ………………288 ZyWALL USG 50 User’s Guide…
  • Page 17
    17.1.1 What You Can Do in this Chapter …………….327 17.1.2 What You Need to Know ………………328 17.2 The NAT Screen ………………….328 17.2.1 The NAT Add/Edit Screen ………………330 17.3 NAT Technical Reference ………………..333 ZyWALL USG 50 User’s Guide…
  • Page 18
    22.1.1 What You Can Do in this Chapter …………….363 22.1.2 What You Need to Know ………………364 22.1.3 Firewall Rule Example Applications …………… 366 22.1.4 Firewall Rule Configuration Example …………..369 22.2 The Firewall Screen ………………….371 ZyWALL USG 50 User’s Guide…
  • Page 19
    25.4 Bookmarking the ZyWALL ………………..434 25.5 Logging Out of the SSL VPN User Screens …………..434 Chapter 26 SSL User Application Screens ……………….. 437 26.1 SSL User Application Screens Overview ……………. 437 26.2 The Application Screen ………………..437 ZyWALL USG 50 User’s Guide…
  • Page 20
    30.1 Overview …………………….. 485 30.1.1 What You Can Do in this Chapter …………….485 30.1.2 What You Need To Know ………………485 30.1.3 Before You Begin ………………..486 30.2 The IDP General Screen ………………..487 ZyWALL USG 50 User’s Guide…
  • Page 21
    31.4 ADP Technical Reference ………………..531 Chapter 32 Content Filtering ……………………539 32.1 Overview …………………….. 539 32.1.1 What You Can Do in this Chapter …………….539 32.1.2 What You Need to Know ………………539 32.1.3 Before You Begin ………………..541 ZyWALL USG 50 User’s Guide…
  • Page 22
    35.3.1 Group Add/Edit Screen ………………598 35.4 Setting Screen …………………… 599 35.4.1 Default User Authentication Timeout Settings Edit Screens ……..602 35.4.2 User Aware Login Example ………………604 35.5 User /Group Technical Reference ………………. 605 Chapter 36 Addresses……………………..607 ZyWALL USG 50 User’s Guide…
  • Page 23
    39.2 Active Directory or LDAP Server Summary …………..629 39.2.1 Adding an Active Directory or LDAP Server …………629 39.3 RADIUS Server Summary ………………..631 39.3.1 Adding a RADIUS Server ………………633 Chapter 40 Authentication Method ………………….635 40.1 Overview …………………….. 635 ZyWALL USG 50 User’s Guide…
  • Page 24
    43.2.1 Creating/Editing a Web-based SSL Application Object ……… 670 Chapter 44 Endpoint Security ……………………. 673 44.1 Overview …………………….. 673 44.1.1 What You Can Do in this Chapter …………….674 44.1.2 What You Need to Know ………………674 44.2 Endpoint Security Screen ………………..675 ZyWALL USG 50 User’s Guide…
  • Page 25
    45.8.5 Secure Telnet Using SSH Examples …………..717 45.9 Telnet ……………………..718 45.9.1 Configuring Telnet ………………..719 45.10 FTP ……………………..720 45.10.1 Configuring FTP ………………..720 45.11 SNMP ……………………..722 45.11.1 Supported MIBs ………………..724 ZyWALL USG 50 User’s Guide…
  • Page 26
    48.4.1 Core Dump Files Screen ………………765 48.5 The System Log Screen ………………..766 Chapter 49 Packet Flow Explore ………………….767 49.1 Overview …………………….. 767 49.1.1 What You Can Do in this Chapter …………….767 ZyWALL USG 50 User’s Guide…
  • Page 27
    Appendix A Log Descriptions ………………..803 Appendix B Common Services………………… 861 Appendix C Displaying Anti-Virus Alert Messages in Windows……….865 Appendix D Importing Certificates………………871 Appendix E Open Software Announcements …………… 897 Appendix F Legal Information ………………..943 Index……………………….947 ZyWALL USG 50 User’s Guide…
  • Page 28
    Table of Contents ZyWALL USG 50 User’s Guide…
  • Page 29: User’s Guide

    User’s Guide…

  • Page 31: Introducing The Zywall

    The ZyWALL also provides two separate LAN networks. You can set ports to be part of the LAN1, or DMZ. Alternatively, you can deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration. ZyWALL USG 50 User’s Guide…

  • Page 32: Rack-Mounted Installation

    Align one bracket with the holes on one side of the ZyWALL and secure it with the included bracket screws (smaller than the rack-mounting screws). Attach the other bracket in a similar fashion. Figure 1 Attaching Mounting Brackets and Screws ZyWALL USG 50 User’s Guide…

  • Page 33: Front Panel

    There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 1.5 on page 35). If the LED turns red again, then please contact your vendor. ZyWALL USG 50 User’s Guide…

  • Page 34: Management Overview

    The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI. ZyWALL USG 50 User’s Guide…

  • Page 35: Starting And Stopping The Zywall

    Disconnecting the Power off occurs when you turn off the power to the ZyWALL. The power ZyWALL simply turns off. It does not stop the system processes or write cached data to local storage. ZyWALL USG 50 User’s Guide…

  • Page 36
    Chapter 1 Introducing the ZyWALL The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources. ZyWALL USG 50 User’s Guide…
  • Page 37: Features And Applications

    Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ZyWALL. You can create your own custom zones. You can add interfaces and VPN tunnels to zones. ZyWALL USG 50 User’s Guide…

  • Page 38
    ZyWALL to check web sites against an external database of dynamically-updated ratings of millions of web sites. You then simply select categories to block or monitor, such as pornography or racial intolerance, from a pre-defined list. ZyWALL USG 50 User’s Guide…
  • Page 39: Applications

    SIP priority over all other traffic. This maximizes SIP traffic throughput for improved VoIP call sound quality. 2.2 Applications These are some example applications for your ZyWALL. See also Chapter 7 on page 111 for configuration tutorial examples. ZyWALL USG 50 User’s Guide…

  • Page 40: Vpn Connectivity

    You can also set up additional connections to the Internet to provide better service. Figure 5 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote users. ZyWALL USG 50 User’s Guide…

  • Page 41
    Figure 6 Network Access Mode: Full Tunnel Mode 192.168.1.100 LAN (192.168.1.X) https;// Web Mail File Share Web-based Application Application Non-Web Server ZyWALL USG 50 User’s Guide…
  • Page 42: User-Aware Access Control

    Chapter 2 Features and Applications 2.2.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 7 Applications: User-Aware Access Control ZyWALL USG 50 User’s Guide…

  • Page 43: Multiple Wan Interfaces

    Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 8 Applications: Multiple WAN Interfaces ZyWALL USG 50 User’s Guide…

  • Page 44
    Chapter 2 Features and Applications ZyWALL USG 50 User’s Guide…
  • Page 45: Web Configurator

    • Enable Java permissions (enabled by default) • Enable cookies The recommended screen resolution is 1024 x 768 pixels. 3.2 Web Configurator Access Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide. ZyWALL USG 50 User’s Guide…

  • Page 46
    Click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 10 on page 46) appears. Otherwise, the dashboard (Figure 11 on page 47) appears. Figure 10 Update Admin Info Screen ZyWALL USG 50 User’s Guide…
  • Page 47: Web Configurator Screens Overview

    3.3 Web Configurator Screens Overview The Web Configurator screen is divided into these parts (as illustrated in Figure 11 on page 47): • A — title bar • B — navigation panel • C — main window ZyWALL USG 50 User’s Guide…

  • Page 48: Title Bar

    (CLI). See the CLI Reference Guide for details on the commands. Click this to open a popup window that displays the CLI commands sent by the Web Configurator. 3.3.1.1 About Click this to display basic information about the ZyWALL. Figure 13 Title Bar ZyWALL USG 50 User’s Guide…

  • Page 49: Navigation Panel

    The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 8 on page 159 for details on the dashboard. ZyWALL USG 50 User’s Guide…

  • Page 50: Monitor Menu

    Lists log entries. 3.3.2.3 Configuration Menu Use the configuration menu screens to configure the ZyWALL’s features. Table 7 Configuration Menu Screens Summary FOLDER OR FUNCTION LINK Quick Setup Quickly configure WAN interfaces or VPN connections. Licensing ZyWALL USG 50 User’s Guide…

  • Page 51
    Configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. Auth. Policy Define rules to force user authentication. Firewall Firewall Create and manage level-3 traffic rules. Session Limit Limit the number of concurrent client NAT/firewall sessions. ZyWALL USG 50 User’s Guide…
  • Page 52
    Turn anti-spam on or off and manage anti-spam policies. Black/White List Set up a black list to identify spam and a white list to identify legitimate e-mail. DNSBL Have the ZyWALL check e-mail against DNS Black Lists. Object ZyWALL USG 50 User’s Guide…
  • Page 53
    Configure the settings for the connected USB devices. Date/Time Configure the current date, time, and time zone in the ZyWALL. Console Set the console speed. Speed Configure the DNS server and address records for the ZyWALL. ZyWALL USG 50 User’s Guide…
  • Page 54
    SNAT Status View a clear picture on how the ZyWALL converts a packet’s source IP address and check the related settings. Reboot Restart the ZyWALL. Shutdown Turn off the ZyWALL. ZyWALL USG 50 User’s Guide…
  • Page 55: Main Window

    Figure 16 Site Map 3.3.3.3 Object Reference Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration ZyWALL USG 50 User’s Guide…

  • Page 56
    This field identifies the configuration item that references the object. Description If the referencing configuration item has a description configured, it displays here. Refresh Click this to update the information in this screen. Cancel Click Cancel to close the screen. ZyWALL USG 50 User’s Guide…
  • Page 57: Tables And Lists

    Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do: ZyWALL USG 50 User’s Guide…

  • Page 58
    • Filter by mathematical operators (<, >, or =) or searching for text Figure 20 Common Table Column Options Select a column heading cell’s right border and drag to re-size the column. Figure 21 Resizing a Table Column ZyWALL USG 50 User’s Guide…
  • Page 59: Working With Table Entries

    The tables have icons for working with table entries. A sample is shown next. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 24 Common Table Icons ZyWALL USG 50 User’s Guide…

  • Page 60
    In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 25 Working with Lists ZyWALL USG 50 User’s Guide…
  • Page 61: Installation Setup Wizard

    Internet access. 4.1.1 Internet Access Setup — WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface’s type of encapsulation and method of IP address assignment. ZyWALL USG 50 User’s Guide…

  • Page 62: Internet Access: Ethernet

    Select Static if the ISP assigned a fixed IP address. 4.1.2 Internet Access: Ethernet This screen is read-only if you set the previous screen’s IP Address Assignment field to Auto. Use this screen to configure your IP address settings. ZyWALL USG 50 User’s Guide…

  • Page 63
    The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. ZyWALL USG 50 User’s Guide…
  • Page 64: Internet Access: Pppoe

    [] and ?. This field can be blank. • Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server. ZyWALL USG 50 User’s Guide…

  • Page 65: Internet Access: Pptp

    DNS server, you must know the IP address of a machine in order to access it. 4.1.4 Internet Access: PPTP Note: Enter the Internet access information exactly as given to you by your ISP. Figure 30 Internet Access: PPTP Encapsulation ZyWALL USG 50 User’s Guide…

  • Page 66: Isp Parameters

    The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. ZyWALL USG 50 User’s Guide…

  • Page 67: Internet Access Setup — Second Wan Interface

    Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 61). Figure 31 Internet Access: Step 3: Second WAN Interface ZyWALL USG 50 User’s Guide…

  • Page 68: Internet Access — Finish

    ZyWALL is already registered this screen displays your user name and which trial services are activated (if any). You can still activate any un-activated trial services. Note: You must be connected to the Internet to register. ZyWALL USG 50 User’s Guide…

  • Page 69
    Spaces are not allowed. Type it again in the Confirm Password field. • E-Mail Address: Enter your e-mail address. Use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. • Country Code: Select your country from the drop-down box list. ZyWALL USG 50 User’s Guide…
  • Page 70
    After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service. Figure 33 Registraton: Registered Device ZyWALL USG 50 User’s Guide…
  • Page 71: Quick Setup

    ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 5.2 on page • VPN SETUP Use VPN SETUP to configure a VPN (Virtual Private Network) tunnel for a secure connection to another computer or network. See Section 5.4 on page ZyWALL USG 50 User’s Guide…

  • Page 72: Wan Interface Quick Setup

    Figure 36 Choose an Ethernet Interface 5.2.2 Select WAN Type WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. ZyWALL USG 50 User’s Guide…

  • Page 73: Configure Wan Settings

    Figure 38 WAN Interface Setup: Step 2 • WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is the security zone to which this interface and Internet connection belong. ZyWALL USG 50 User’s Guide…

  • Page 74: Wan And Isp Connection Settings

    Table 11 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. Encapsulation This displays the type of Internet connection you are configuring. ZyWALL USG 50 User’s Guide…

  • Page 75
    This field displays to which security zone this interface and Internet connection will belong. IP Address This field is read-only when the WAN interface uses a dynamic IP address. If your WAN interface uses a static IP address, enter it in this field. ZyWALL USG 50 User’s Guide…
  • Page 76: Quick Setup Interface Wizard: Summary

    This field is read-only and only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account. Server IP This field only appears for a PPTP interface. It displays the IP address of the PPTP server. ZyWALL USG 50 User’s Guide…

  • Page 77: Vpn Quick Setup

    Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click Next. Figure 41 VPN Quick Setup Wizard ZyWALL USG 50 User’s Guide…

  • Page 78: Vpn Setup Wizard: Wizard Type

    ZyWALL using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device. ZyWALL USG 50 User’s Guide…

  • Page 79: Vpn Express Wizard — Scenario

    Only the clients can initiate the VPN tunnel. • Remote Access (Client Role) — Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. ZyWALL USG 50 User’s Guide…

  • Page 80: Vpn Express Wizard — Configuration

    If this field is configurable, type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device. ZyWALL USG 50 User’s Guide…

  • Page 81: Vpn Express Wizard — Summary

    “.zysh” filename extension. Then you can use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list. ZyWALL USG 50 User’s Guide…

  • Page 82: Vpn Express Wizard — Finish

    Figure 46 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard. ZyWALL USG 50 User’s Guide…

  • Page 83: Vpn Advanced Wizard — Scenario

    • Remote Access (Server Role) — Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel. ZyWALL USG 50 User’s Guide…

  • Page 84: Vpn Advanced Wizard — Phase 1 Settings

    The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES ZyWALL USG 50 User’s Guide…

  • Page 85
    IPSec device. If it responds, the ZyWALL transmits the data. If it does not respond, the ZyWALL shuts down the IKE SA. • Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the ZyWALL’s certificates. ZyWALL USG 50 User’s Guide…
  • Page 86: Vpn Advanced Wizard — Phase 2

    IP address configured on the remote IPSec device. • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. ZyWALL USG 50 User’s Guide…

  • Page 87: Vpn Advanced Wizard — Summary

    IPSec device that can use the tunnel. • Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL’s command line interface. • Click Save to save the VPN rule. ZyWALL USG 50 User’s Guide…

  • Page 88: Vpn Advanced Wizard — Finish

    Figure 51 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard. ZyWALL USG 50 User’s Guide…

  • Page 89: Configuration Basics

    You can create address objects based on an interface’s IP address, subnet, or gateway. The ZyWALL automatically updates every rule or setting that uses these objects whenever the interface’s IP address settings change. For example, if you ZyWALL USG 50 User’s Guide…

  • Page 90: Zones, Interfaces, And Physical Ports

    Port roles combine physical ports into interfaces. The physical port is where you connect a cable. In configuration, you Physical use physical ports when configuring port groups. You use interfaces Ethernet Ports and zones in configuring other features. (P1, P2, …) ZyWALL USG 50 User’s Guide…

  • Page 91: Interface Types

    6.2.2 Default Interface and Zone Configuration This section introduces the ZyWALL’s default zone member physical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address. ZyWALL USG 50 User’s Guide…

  • Page 92
    Chapter 6 Configuration Basics Table 14 Default Network Topology ZyWALL USG 50 Default Port, Interface, and Zone Configuration IP ADDRESS AND DHCP SUGGESTED USE WITH PORT INTERFACE ZONE SETTINGS DEFAULT SETTINGS P1, P2 wan1, wan2 DHCP clients Connections to the Internet…
  • Page 93: Terminology In The Zywall

    Here is the order in which the ZyWALL applies its features and checks. Traffic in > Defragmentation > Destination NAT > Routing > Stateful Firewall > ADP > Application Classification > IDP > Anti-virus > Application Patrol > Content ZyWALL USG 50 User’s Guide…

  • Page 94
    • You do not need to set up policy routes for 1:1 NAT entries. • You can create Many 1:1 NAT entries to translate a range of private network addresses to a range of public IP addresses • Static and dynamic routes have their own category. ZyWALL USG 50 User’s Guide…
  • Page 95: Routing Table Checking Flow

    If a private network server will initiate sessions to the outside clients, create a 1 to 1 NAT entry to have the ZyWALL translate the source IP address of the server’s outgoing traffic to the same public IP address that the outside clients use ZyWALL USG 50 User’s Guide…

  • Page 96: Nat Table Checking Flow

    The checking flow is from top to bott om. As soon as the packets match an entry in one of the sections, the ZyWALL stops checking the packets against the NAT table and moves on to bandwidth management. Figure 55 NAT Table Checking Flow ZyWALL USG 50 User’s Guide…

  • Page 97: Feature Configuration Overview

    VPN tunnel before you can delete the VPN tunnel. Example: This provides a simple example to show you how to configure this feature. The example is usually based on the network topology in Figure 14 on page ZyWALL USG 50 User’s Guide…

  • Page 98: Licensing Registration

    NAT, application patrol Example: The dmz interface is in the DMZ zone and uses a private IP address. To configure dmz’s settings, click Network > Interface > Ethernet and then the dmz’s Edit icon. ZyWALL USG 50 User’s Guide…

  • Page 99: Trunks

    Select the interface that the traffic comes in through (P3 in this example). Select the FTP server’s address as the source address. You don’t need to specify the destination address or the schedule. For the service, select FTP. ZyWALL USG 50 User’s Guide…

  • Page 100: Static Routes

    MENU ITEM(S) Interfaces, IPSec VPN, SSL VPN PREREQUISITES Firewall, IDP, remote management, anti-virus, ADP, application patrol WHERE USED Example: For example, to create the DMZ-2 zone, click Network > Zone and then the Add icon. ZyWALL USG 50 User’s Guide…

  • Page 101: Ddns

    This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next time one of your users needs to access that page. ZyWALL USG 50 User’s Guide…

  • Page 102: Alg

    (require them to log in) and even perform Endpoint Security (EPS) checking to make sure users’ computers comply with defined corporate policies before they can access the network. Configuration > Auth. Policy MENU ITEM(S) Addresses, services, endpoint security objects, users, authentication PREREQUISITES methods ZyWALL USG 50 User’s Guide…

  • Page 103: Firewall

    • Leave the Access field set to Allow and the Log field set to No. Note: The ZyWALL checks the firewall rules in order. Make sure each rule is in the correct place in the sequence. ZyWALL USG 50 User’s Guide…

  • Page 104: Ipsec Vpn

    PREREQUISITES only used as criteria in exceptions and conditions. Example: Suppose you want to allow vice president Bob to use BitTorrent and block everyone else from using it. Create a user account for Bob (User/Group). ZyWALL USG 50 User’s Guide…

  • Page 105: Anti-Virus

    Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You ZyWALL USG 50 User’s Guide…

  • Page 106: Anti-Spam

    10 Add a policy that uses the schedule, the filtering profile and the user that you created. 6.5.22 Anti-Spam Use anti-spam to detect and take action on spam mail. Configuration > Anti-X > Anti-Spam MENU ITEM(S) Zones PREREQUISITES ZyWALL USG 50 User’s Guide…

  • Page 107: Objects

    Use these screens to configure the ZyWALL’s administrator and user accounts. The ZyWALL provides the following user types. Table 17 User Types TYPE ABILITIES admin Change ZyWALL configuration (web, CLI) limited-admin Look at ZyWALL configuration (web) user Access network services, browse user-mode commands (CLI) ZyWALL USG 50 User’s Guide…

  • Page 108: System

    Example: Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN. Create an administrator account (Configuration > Object > User/Group). Create an address object for the administrator’s computer (Configuration > Object > Address). ZyWALL USG 50 User’s Guide…

  • Page 109: Logs And Reports

    It can also capture packets going through the ZyWALL’s interfaces so you can analyze them to identify network problems. Maintenance > Diagnostics MENU ITEM(S) 6.7.5 Shutdown Use this to shutdown the device in preparation for disconnecting the power. ZyWALL USG 50 User’s Guide…

  • Page 110
    Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. Maintenance > Shutdown MENU ITEM(S) ZyWALL USG 50 User’s Guide…
  • Page 111: Tutorials

    • You want to be able to apply security settings specifically for all VPN tunnels so you create a new VPN zone. • The wan1 interface uses a static IP address of 1.2.3.4. ZyWALL USG 50 User’s Guide…

  • Page 112: Configure A Wan Ethernet Interface

    Add it to the LAN zone so all of the LAN zone’s security policies apply to it. Figure 56 Ethernet Interface, Port Roles, and Zone Configuration Example 7.1.1 Configure a WAN Ethernet Interface You need to assign the ZyWALL’s wan1 interface a static IP address of 1.2.3.4. ZyWALL USG 50 User’s Guide…

  • Page 113: Configure Port Roles

    Here is how to set the dmz interface (created in the previous section) for a separate local network. It uses 192.168.4.1 as its IP address and has a DHCP server to distribute IP addresses to connected DHCP clients. ZyWALL USG 50 User’s Guide…

  • Page 114: Configure Zones

    Set DHCP to DHCP Server and click OK. Figure 59 Configuration > Network > Interface > Ethernet > Edit lan2 7.1.4 Configure Zones Do the following to create a VPN zone. Click Configuration > Network > Zone and then the Add icon. ZyWALL USG 50 User’s Guide…

  • Page 115: How To Configure A Cellular Interface

    Connect the 3G device to one of the ZyWALL’s USB ports. Click Configuration > Network > Interface > Cellular. Select the 3G device’s entry and click Edit. Figure 61 Configuration > Network > Interface > Cellular ZyWALL USG 50 User’s Guide…

  • Page 116
    ISP. Go to the Dashboard. The Interface Status Summary section should contain a “cellular” entry. When its connection status is Connected you can use the 3G connection to access the Internet. Figure 63 Status ZyWALL USG 50 User’s Guide…
  • Page 117: How To Configure Load Balancing

    WAN_TRUNK trunk’s load balancing settings. 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface. ZyWALL USG 50 User’s Guide…

  • Page 118: Configure The Wan Trunk

    Figure 65 Configuration > Network > Interface > Ethernet > Edit (wan1) Repeat the process to set the egress bandwidth for wan2 to 512 Kbps. 7.3.2 Configure the WAN Trunk Click Configuration > Network > Interface > Trunk. Click the Add icon. ZyWALL USG 50 User’s Guide…

  • Page 119
    Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 and enter 1 in the Weight column. Click OK. Figure 66 Configuration > Network > Interface > Trunk > Add ZyWALL USG 50 User’s Guide…
  • Page 120: How To Set Up An Ipsec Vpn Tunnel

    This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 78 for details on the VPN quick setup wizard. Figure 68 VPN Example 2.2.2.2 1.2.3.4 192.168.1.0/24 172.16.1.0/24 ZyWALL USG 50 User’s Guide…

  • Page 121: Set Up The Vpn Gateway

    Interface and wan1. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in the Primary field. For the Authentication, Select Pre-Shared Key and enter 12345678. Click OK. Figure 69 Configuration > VPN > IPSec VPN > VPN Gateway > Add ZyWALL USG 50 User’s Guide…

  • Page 122: Set Up The Vpn Connection

    Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 70 Configuration > Object > Address > Add Click Configuration > VPN > IPSec VPN > VPN Connection. Click the Add icon. ZyWALL USG 50 User’s Guide…

  • Page 123: Configure Security Policies For The Vpn Tunnel

    ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router should also allow UDP port 4500. ZyWALL USG 50 User’s Guide…

  • Page 124: How To Configure User-Aware Access Control

    RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the Web Configurator. Click Configuration > Object > User/Group > User. Click the Add icon. ZyWALL USG 50 User’s Guide…

  • Page 125: Set Up User Groups

    Repeat this process to set up the remaining user accounts. 7.5.2 Set Up User Groups Set up the user groups and assign the users to the user groups. Click Configuration > Object > User/Group > Group. Click the Add icon. ZyWALL USG 50 User’s Guide…

  • Page 126: Set Up User Authentication Using The Radius Server

    RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method. Finally, force users to log in to the ZyWALL before it routes traffic for them. ZyWALL USG 50 User’s Guide…

  • Page 127
    Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK. ZyWALL USG 50 User’s Guide…
  • Page 128: Web Surfing Policies With Bandwidth Restrictions

    Use application patrol (AppPatrol) to enforce the web surfing and MSN policies. You must have already subscribed for the application patrol service. You can subscribe using the Configuration > Licensing > Registration screens or using one of the wizards. ZyWALL USG 50 User’s Guide…

  • Page 129
    Click Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 77 Configuration > AppPatrol > General Click the Common tab and double-click the http entry. Figure 78 Configuration > AppPatrol > Common ZyWALL USG 50 User’s Guide…
  • Page 130
    Figure 79 Configuration > AppPatrol > Common > http Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 80 Configuration > AppPatrol > Common > http > Edit Default ZyWALL USG 50 User’s Guide…
  • Page 131: Set Up Msn Policies

    7.5.5 Set Up MSN Policies Set up a recurring schedule object first because Sales can only use MSN during specified times on specified days. Click Configuration > Object > Schedule. Click the Add icon for recurring schedules. ZyWALL USG 50 User’s Guide…

  • Page 132: Set Up Firewall Rules

    Click Configuration > Firewall > Add. Set the From field as LAN1 and the To field as DMZ. Set the Access field to deny, and click OK. Figure 83 Configuration > Firewall > LAN to DMZ > Add ZyWALL USG 50 User’s Guide…

  • Page 133: How To Use A Radius Server To Authenticate User Accounts Based On Groups

    RADIUS server authenticate groups of user accounts defined in the RADIUS server. ZyWALL USG 50 User’s Guide…

  • Page 134
    Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss. Figure 85 Configuration > Object > AAA Server > RADIUS > Add ZyWALL USG 50 User’s Guide…
  • Page 135: How To Use Endpoint Security And Authentication Policies

    Click Configuration > Object > Endpoint Security > Add to open the Endpoint Security Edit screen. • Select Endpoint must comply with all checking items. • Set the Endpoint Operating System to Windows and the Window Version to Windows 7. ZyWALL USG 50 User’s Guide…

  • Page 136
    • Select Endpoint must have Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list. The following figure shows the configuration screen example. Figure 87 Configuration > Object > Endpoint Security > Add ZyWALL USG 50 User’s Guide…
  • Page 137: Configure The Authentication Policy

    ZyWALL’s login screen. • Enable EPS checking and move the EPS objects you created to the selected list. • Click OK. Figure 88 Configuration > Auth. Policy > Add ZyWALL USG 50 User’s Guide…

  • Page 138: How To Configure Service Control

    Figure 90 Example: Endpoint Security Error Message 7.8 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access (to the Web Configurator) and separate rules that control HTTP and HTTPS ZyWALL USG 50 User’s Guide…

  • Page 139: Allow Https Administrator Access Only From The Lan

    In HTTPS Admin Service Control, click the Add icon. Figure 91 Configuration > System > WWW In the Zone field select LAN1 and click OK. Figure 92 Configuration > System > WWW > Service Control Rule Edit ZyWALL USG 50 User’s Guide…

  • Page 140
    Figure 93 Configuration > System > WWW (First Example Admin Service Rule Configured) In the Zone field select ALL and set the Action to Deny. Click OK. Figure 94 Configuration > System > WWW > Service Control Rule Edit ZyWALL USG 50 User’s Guide…
  • Page 141: How To Allow Incoming H.323 Peer-To-Peer Calls

    Suppose you have a H.323 device on the LAN1 for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN. Here is an example of how to configure NAT and the firewall to have the ZyWALL forward H.323 traffic destined ZyWALL USG 50 User’s Guide…

  • Page 142: Turn On The Alg

    7.9.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN1 IP address 192.168.1.56. ZyWALL USG 50 User’s Guide…

  • Page 143
    Use Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device’s private LAN1 IP address (called LAN_H323 here). Figure 98 Create Address Objects ZyWALL USG 50 User’s Guide…
  • Page 144: Set Up A Firewall Rule For H.323

    The default firewall rule for WAN-to-LAN traffic drops all traffic. Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN1 IP address 192.168.1.56. ZyWALL USG 50 User’s Guide…

  • Page 145: How To Allow Public Access To A Web Server

    Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the wan1 interface and map to the HTTP server’s private IP address of 192.168.3.7. Figure 101 Public Server Example Network Topology 192.168.3.7 1.1.1.1 ZyWALL USG 50 User’s Guide…

  • Page 146: Create The Address Objects

    • HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 80. ZyWALL USG 50 User’s Guide…

  • Page 147: Set Up A Firewall Rule

    HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server. ZyWALL USG 50 User’s Guide…

  • Page 148: How To Use An Ippbx On The Dmz

    7.11 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP ZyWALL USG 50 User’s Guide…

  • Page 149
    Chapter 7 Tutorials address 1.1.1.2 that you will use on the wan1 interface and map to the IPPBX’s private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 106 IPPBX Example Network Topology ZyWALL USG 50 User’s Guide…
  • Page 150: Turn On The Alg

    Use Configuration > Object > Address > Add to create the address objects. Create a host address object named IPPBX-DMZ for the IPPBX’s private DMZ IP address of 192.168.3.9. Figure 108 Creating the Address Object for the IPPBX’s Private IP Address ZyWALL USG 50 User’s Guide…

  • Page 151: Setup A Nat Policy For The Ippbx

    • Set the Port Mapping Type to Port, the Protocol Type to UDP and the original and mapped ports to 5060. • Keep Enable NAT Loopback selected to allow the LAN users to use the IPPBX (see NAT Loopback on page 333 for details). ZyWALL USG 50 User’s Guide…

  • Page 152: Set Up A Wan To Dmz Firewall Rule For Sip

    SIP traffic to the IPPBX. If a domain name is registered for IP address 1.1.1.2, users can use it to connect to for making SIP calls. ZyWALL USG 50 User’s Guide…

  • Page 153: Set Up A Dmz To Lan Firewall Rule For Sip

    The firewall blocks traffic from the DMZ zone to the LAN zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN. ZyWALL USG 50 User’s Guide…

  • Page 154: How To Use Multiple Static Public Wan Ip Addresses For Lan To Wan Traffic

    Click Configuration > Object > Address > Add to create the address object that represents the range of static public IP addresses. In this example you name it Public-IPs and it goes from 1.1.1.10 to 1.1.1.17. Figure 113 Creating the Public IP Address Range Object ZyWALL USG 50 User’s Guide…

  • Page 155: Configure The Policy Route

    Although adding a description is optional, it is recommended. This example uses LAN-to-WAN-Range. Specifying a Source Address is also optional although recommended. This example uses LAN_SUBNET1. Set the Source Network Address Translation to Public-IPs and click OK. Figure 114 Configuring the Policy Route ZyWALL USG 50 User’s Guide…

  • Page 156
    Chapter 7 Tutorials ZyWALL USG 50 User’s Guide…
  • Page 157: Technical Reference

    Technical Reference…

  • Page 159: Dashboard

    8.2 The Dashboard Screen The Dashboard screen displays when you log into the ZyWALL or click Dashboard in the navigation panel. The dashboard displays general device information, system status, system resource usage, licensed service status, and ZyWALL USG 50 User’s Guide…

  • Page 160
    An unconnected interface or slot appears grayed out. The following front and rear panel labels display when you hover your cursor over a connected interface or slot. Name This field displays the name of each interface. ZyWALL USG 50 User’s Guide…
  • Page 161
    This field displays the current date and time in the ZyWALL. The format Date/Time is yyyy-mm-dd hh:mm:ss. VPN Status Click this to look at the VPN tunnels that are currently established. See Section 8.2.1 on page 165. ZyWALL USG 50 User’s Guide…
  • Page 162
    Click the Detail icon to go to the Session Monitor screen to see details about the active sessions. Click the Show Active Sessions icon to display a chart of ZyWALL’s recent session usage. ZyWALL USG 50 User’s Guide…
  • Page 163
    Section 9.10 on page 188 for the status that can appear. Licensed Service Status This shows how many licensed services there are. Status This is the current status of the license. Name This identifies the licensed service. ZyWALL USG 50 User’s Guide…
  • Page 164
    Table 147 on page 496 more information. Severity This is the level of threat that the intrusions may pose. Occurrence This is how many times the ZyWALL has detected the event described in the entry. ZyWALL USG 50 User’s Guide…
  • Page 165: The Cpu Usage Screen

    The x-axis shows the time period over which the CPU usage occurred Refresh Enter how often you want this window to be automatically updated. Interval Refresh Click this to update the information in the window right away. ZyWALL USG 50 User’s Guide…

  • Page 166: The Memory Usage Screen

    The x-axis shows the time period over which the RAM usage occurred Refresh Enter how often you want this window to be automatically updated. Interval Refresh Click this to update the information in the window right away. ZyWALL USG 50 User’s Guide…

  • Page 167: The Active Sessions Screen

    The x-axis shows the time period over which the session usage occurred Refresh Enter how often you want this window to be automatically updated. Interval Refresh Click this to update the information in the window right away. ZyWALL USG 50 User’s Guide…

  • Page 168: The Vpn Status Screen

    Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard. Figure 120 Dashboard > DHCP Table ZyWALL USG 50 User’s Guide…

  • Page 169: The Number Of Login Users Screen

    Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the dashboard’s Number of Login Users icon. Figure 121 Dashboard > Number of Login Users ZyWALL USG 50 User’s Guide…

  • Page 170
    This field displays the way the user logged in to the ZyWALL. IP address This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout Click this icon to end a user’s session. ZyWALL USG 50 User’s Guide…
  • Page 171: Monitor

    Section 9.11 on page 189) to see a bandwidth usage graph and statistics for each protocol. • Use the VPN Monitor > IPSec screen (Section 9.12 on page 194) to display and manage active IPSec SAs. ZyWALL USG 50 User’s Guide…

  • Page 172: The Port Statistics Screen

    9.2 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics. Figure 122 Monitor > System Status > Port Statistics ZyWALL USG 50 User’s Guide…

  • Page 173
    Up Time This field displays how long the physical port has been connected. System Up This field displays how long the ZyWALL has been running since it last Time restarted or was turned on. ZyWALL USG 50 User’s Guide…
  • Page 174: The Port Statistics Graph Screen

    This line represents traffic transmitted from the ZyWALL on the physical port since it was last connected. This line represents the traffic received by the ZyWALL on the physical port since it was last connected. ZyWALL USG 50 User’s Guide…

  • Page 175: Interface Status Screen

    Name This field displays the name of each interface. If there is a Expand icon (plus-sign) next to the name, click this to look at the status of virtual interfaces on top of this interface. ZyWALL USG 50 User’s Guide…

  • Page 176
    PPPoE/PPTP interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a. Interface This table provides packet statistics for each interface. Statistics ZyWALL USG 50 User’s Guide…
  • Page 177: The Traffic Statistics Screen

    • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic and how much traffic has been sent to and from each one ZyWALL USG 50 User’s Guide…

  • Page 178
    Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. Statistics Interface Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge and PPPoE/PPTP interfaces. ZyWALL USG 50 User’s Guide…
  • Page 179
    This field indicates whether the indicated protocol or service port is sending or receiving traffic. Ingress — traffic is coming into the router through the interface Egress — traffic is going out from the router through the interface ZyWALL USG 50 User’s Guide…
  • Page 180: The Session Monitor Screen

    It is not possible to manage sessions in this screen. The following information is displayed. • User who started the session • Protocol or service port used • Source address • Destination address • Number of bytes received (so far) ZyWALL USG 50 User’s Guide…

  • Page 181
    The User, Service, Source Address, and Destination Address fields display if you view all sessions. Select your desired filter criteria and click the Search button to filter the list of sessions. ZyWALL USG 50 User’s Guide…
  • Page 182
    This field displays the amount of information received by the source in the active session. This field displays the amount of information transmitted by the source in the active session. Duration This field displays the length of the active session in seconds. ZyWALL USG 50 User’s Guide…
  • Page 183: The Ddns Status Screen

    Click Monitor > System Status > IP/MAC Binding to open the IP/MAC Binding Monitor screen. This screen lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled and have ever ZyWALL USG 50 User’s Guide…

  • Page 184: The Login Users Screen

    Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click Monitor > System Status > Login Users. Figure 129 Monitor > System Status > Login Users ZyWALL USG 50 User’s Guide…

  • Page 185: Cellular Status Screen

    3G device attached and activated on your ZyWALL. Refer to Section 9.9.1 on page 187. This field is a sequential value, and it is not associated with any interface. Extension Slot This field displays where the entry’s cellular card is located. ZyWALL USG 50 User’s Guide…

  • Page 186
    Need auth-password — You need to enter the password for the 3G card in the cellular edit screen. Device ready — The ZyWALL successfully applied all of your configuration and you can use the 3G connection. ZyWALL USG 50 User’s Guide…
  • Page 187: More Information

    Monitor > System Status > More Information to display this screen. Note: This screen is only available when the 3G device is attached to and activated on the ZyWALL. Figure 131 Monitor > System Status > More Information ZyWALL USG 50 User’s Guide…

  • Page 188: Usb Storage Screen

    9.10 USB Storage Screen This screen displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen. Figure 132 Monitor > System Status > USB Storage ZyWALL USG 50 User’s Guide…

  • Page 189: Application Patrol Statistics

    — the USB device is operating normally or not connected. 9.11 Application Patrol Statistics This screen displays a bandwidth usage graph and statistics for selected protocols. Click Monitor > AppPatrol Statistics to open the following screen. ZyWALL USG 50 User’s Guide…

  • Page 190: Application Patrol Statistics: General Setup

    Select the protocols for which to display statistics. Protocols Select All selects all of the protocols. Clear All clears all of the protocols. Click Expand to display individual protocols. Collapse hides them. Statistics for the selected protocols display after you click Apply. ZyWALL USG 50 User’s Guide…

  • Page 191: Application Patrol Statistics: Bandwidth Statistics

    ZyWALL sends to the initiator of the connection. • A dotted line represents a protocol’s outgoing bandwidth usage. This is the protocol’s traffic that the ZyWALL sends out from the initiator of the connection. • Different colors represent different protocols. ZyWALL USG 50 User’s Guide…

  • Page 192: Application Patrol Statistics: Protocol Statistics

    This is how much of the application’s traffic the ZyWALL identified by Connection examining the IP payload. Matched This is how much of the application’s traffic the ZyWALL identified by Service Ports examining OSI level-3 information such as IP addresses and port Connection numbers. ZyWALL USG 50 User’s Guide…

  • Page 193: Application Patrol Statistics: Individual Protocol Statistics By Rule

    The bottom of the Monitor > AppPatrol Statistics screen displays statistics for each of the selected protocols. Click a service’s name to display this screen with statistics for each of the service’s application patrol rules. Figure 136 Monitor > AppPatrol Statistics > Service ZyWALL USG 50 User’s Guide…

  • Page 194: The Ipsec Monitor Screen

    SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following screen appears. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 137 Monitor > VPN Monitor > IPSec ZyWALL USG 50 User’s Guide…

  • Page 195: Regular Expressions In Searching Ipsec Sas

    9.12.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use “a?c” (without the quotation marks) to specify abc, acc and so on. ZyWALL USG 50 User’s Guide…

  • Page 196: The Ssl Connection Monitor Screen

    Table 42 Monitor > VPN Monitor > SSL LABEL DESCRIPTION Disconnect Select a connection and click this button to terminate the user’s connection and delete corresponding session information from the ZyWALL. This field displays the index number. ZyWALL USG 50 User’s Guide…

  • Page 197: The Anti-Virus Statistics Screen

    Click Refresh to update this screen. 9.14 The Anti-Virus Statistics Screen Click Monitor > Anti-X Statistics > Anti-Virus to display the following screen. This screen displays anti-virus statistics. Figure 139 Monitor > Anti-X Statistics > Anti-Virus: Virus Name ZyWALL USG 50 User’s Guide…

  • Page 198
    This field displays how many times the ZyWALL has detected the event described in the entry. The statistics display as follows when you display the top entries by source. Figure 140 Monitor > Anti-X Statistics > Anti-Virus: Source IP ZyWALL USG 50 User’s Guide…
  • Page 199: The Idp Statistics Screen

    Click Reset to return the screen to its last-saved settings. Refresh Click this button to update the report display. Flush Data Click this button to discard all of the screen’s statistics and update the report display. ZyWALL USG 50 User’s Guide…

  • Page 200
    This field displays how many times the ZyWALL has detected the event described in the entry. The statistics display as follows when you display the top entries by source. Figure 143 Monitor > Anti-X Statistics > IDP: Source ZyWALL USG 50 User’s Guide…
  • Page 201: The Content Filter Statistics Screen

    Figure 144 Monitor > Anti-X Statistics > IDP: Destination 9.16 The Content Filter Statistics Screen Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 145 Monitor > Anti-X Statistics > Content Filter ZyWALL USG 50 User’s Guide…

  • Page 202
    Features features configuration. Forbidden This is the number of web pages to which the ZyWALL did not allow Web Sites access because they matched the content filtering custom service’s forbidden web sites list. ZyWALL USG 50 User’s Guide…
  • Page 203: Content Filter Cache Screen

    You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site’s category has been changed. ZyWALL USG 50 User’s Guide…

  • Page 204
    Click this button to clear all web site addresses from the cache manually. Remove Select one or more URL entries and click Delete to remove them from the cache. This is the index number of a categorized web site address record. ZyWALL USG 50 User’s Guide…
  • Page 205
    ZyWALL to reflect changes in the external content filtering database. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 206: The Anti-Spam Statistics Screen

    Total Mails This field displays the number of e-mails that the ZyWALL’s anti-spam Scanned feature has checked. Clear Mails This is the number of e-mails that the ZyWALL has determined to not be spam. ZyWALL USG 50 User’s Guide…

  • Page 207
    This column displays when you display the entries by Sender Mail Address Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam. Occurrence This field displays how many spam e-mails the ZyWALL detected from the sender. ZyWALL USG 50 User’s Guide…
  • Page 208: The Anti-Spam Status Screen

    This is the average for how long it takes to receive a reply from this Time (sec) DNSBL. No Response This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply. ZyWALL USG 50 User’s Guide…

  • Page 209: Log Screen

    Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 149 Monitor > Log ZyWALL USG 50 User’s Guide…

  • Page 210
    Click this button to clear the whole log, regardless of what is currently displayed on the screen. This field is a sequential value, and it is not associated with a specific log message. Time This field displays the time the log message was recorded. ZyWALL USG 50 User’s Guide…
  • Page 211
    Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. ZyWALL USG 50 User’s Guide…
  • Page 212
    Chapter 9 Monitor ZyWALL USG 50 User’s Guide…
  • Page 213: Registration

    ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s on-line help for details. Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 214
    Service screen. You must use the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription. ZyWALL USG 50 User’s Guide…
  • Page 215: The Registration Screen

    Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Figure 150 Configuration > Licensing > Registration ZyWALL USG 50 User’s Guide…

  • Page 216
    The ZyWALL’s anti-virus packet scanner uses the signature files on the ZyWALL to detect virus files. After the service is activated, the ZyWALL can download the up-to- date signature files for the selected anti-virus engine from the update server (http://myupdate.zywall.zyxel.com). ZyWALL USG 50 User’s Guide…
  • Page 217
    (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status. Figure 151 Configuration > Licensing > Registration: Registered Device ZyWALL USG 50 User’s Guide…
  • Page 218: The Service Screen

    You can continue to use IDP/AppPatrol or Anti-Virus after the registration expires, you just won’t receive updated signatures. Count This field displays how many VPN tunnels you can use with your current license. This field does not apply to the other services. License Upgrade ZyWALL USG 50 User’s Guide…

  • Page 219
    (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Click this button to renew service license information (such as the Refresh registration status and expiration day). ZyWALL USG 50 User’s Guide…
  • Page 220
    Chapter 10 Registration ZyWALL USG 50 User’s Guide…
  • Page 221: Interfaces

    Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunk screens (Chapter 12 on page 277) to configure load balancing. ZyWALL USG 50 User’s Guide…

  • Page 222: What You Need To Know

    Port groups and trunks have a lot of characteristics that are specific to each type of interface. See Section 11.2 on page 224 Chapter 12 on page 277 details. The other types of interfaces—Ethernet, PPP, cellular, VLAN, bridge, and ZyWALL USG 50 User’s Guide…

  • Page 223: Relationships Between Interfaces

    The relationships between interfaces are explained in the following table. Table 53 Relationships Between Different Types of Interfaces REQUIRED PORT / INTERFACE INTERFACE port group physical port Ethernet interface physical port port group VLAN interface Ethernet interface bridge interface Ethernet interface* VLAN interface* ZyWALL USG 50 User’s Guide…

  • Page 224: Port Role

    (data link, MAC address) level. This provides wire-speed throughput but no security. Note the following if you are configuring from a computer connected to a lan1, lan2 or dmz port and change the port’s role: ZyWALL USG 50 User’s Guide…

  • Page 225: Ethernet Summary Screen

    Click this button to change the port groups to their current configuration (last-saved values). 11.3 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Configuration > Network > Interface > Ethernet. ZyWALL USG 50 User’s Guide…

  • Page 226
    The ZyWALL supports two routing protocols, RIP and OSPF. See Chapter 14 on page 303 for background information about these routing protocols. Figure 154 Configuration > Network > Interface > Ethernet (USG 20W) ZyWALL USG 50 User’s Guide…
  • Page 227: Ethernet Edit

    IP address settings change. For example, if you change LAN1’s IP address, the ZyWALL automatically updates the corresponding interface-based, LAN1 subnet address object. With RIP, you can use Ethernet interfaces to do the following things. ZyWALL USG 50 User’s Guide…

  • Page 228
    • Select in which direction(s) routing information is exchanged — The ZyWALL can receive routing information, send routing information, or do both. • Set the priority used to identify the DR or BDR if one does not exist. ZyWALL USG 50 User’s Guide…
  • Page 229
    Chapter 11 Interfaces Figure 155 Configuration > Network > Interface > Ethernet > Edit (WAN) ZyWALL USG 50 User’s Guide…
  • Page 230
    Click this button to display a greater or lesser number of configuration Settings / Hide fields. Advance Settings General Settings Enable Select this to enable this interface. Clear this to disable this interface. Interface Interface Properties ZyWALL USG 50 User’s Guide…
  • Page 231
    General. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. ZyWALL USG 50 User’s Guide…
  • Page 232
    Select this to use the default gateway for the connectivity check. Gateway Check this Select this to specify a domain name or IP address for the address connectivity check. Enter that domain name or IP address in the field next to it. ZyWALL USG 50 User’s Guide…
  • Page 233
    From ISP — select the DNS server that another interface received from its DHCP server. ZyWALL — the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay. ZyWALL USG 50 User’s Guide…
  • Page 234
    RIP packets. Choices are 1, 2, and 1 and 2. Receive This field is effective when RIP is enabled. Select the RIP version(s) Version used for receiving RIP packets. Choices are 1, 2, and 1 and 2. ZyWALL USG 50 User’s Guide…
  • Page 235
    Use Default Select this option to have the interface use the factory assigned MAC Address default MAC address. By default, the ZyWALL uses the factory assigned MAC address to identify itself. ZyWALL USG 50 User’s Guide…
  • Page 236: Object References

    This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window. This field is a sequential value, and it is not associated with any entry. ZyWALL USG 50 User’s Guide…

  • Page 237: Ppp Interfaces

    ZyWALL always treats the ISP as a gateway. At the time of writing, it is possible to set up the IP address of the gateway (ISP) using CLI commands but not in the Web Configurator. ZyWALL USG 50 User’s Guide…

  • Page 238: Ppp Interface Summary

    Object References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 236 for an example. This field is a sequential value, and it is not associated with any interface. ZyWALL USG 50 User’s Guide…

  • Page 239: Ppp Interface Add Or Edit

    Note: You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen. ZyWALL USG 50 User’s Guide…

  • Page 240
    Chapter 11 Interfaces Figure 160 Configuration > Network > Interface > PPP > Add ZyWALL USG 50 User’s Guide…
  • Page 241
    Select this if this interface is a DHCP client. In this case, the DHCP Automatically server configures the IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP interfaces. Use Fixed IP Select this if you want to specify the IP address manually. Address ZyWALL USG 50 User’s Guide…
  • Page 242
    Enter that domain name or IP address in the field next to it. Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. ZyWALL USG 50 User’s Guide…
  • Page 243: Cellular Configuration Screen (3G)

    • You can set the 3G device to connect only to the home network, which is the network to which you are originally subscribed. • You can set the 3G device to connect to other networks if the signal strength of the home network is too low or it is unavailable. ZyWALL USG 50 User’s Guide…

  • Page 244
    Note: Install (or connect) a compatible 3G USB to use a cellular connection. See Chapter 53 on page 795 for details. Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. ZyWALL USG 50 User’s Guide…
  • Page 245: Cellular Add/Edit Screen

    To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays. ZyWALL USG 50 User’s Guide…

  • Page 246
    Chapter 11 Interfaces Figure 162 Configuration > Network > Interface > Cellular > Add ZyWALL USG 50 User’s Guide…
  • Page 247
    GSM or HSDPA 3G card. Enter the APN from your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method. You can enter up to 63 ASCII printable characters. Spaces are allowed. ZyWALL USG 50 User’s Guide…
  • Page 248
    PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the account to access the Internet. If your ISP disabled PIN code authentication, enter an arbitrary number. Interface Parameters ZyWALL USG 50 User’s Guide…
  • Page 249
    Configure Click Policy Route to go to the policy route summary screen where Policy Route you can configure a policy route to override the default routing and SNAT behavior for the interface. IP Address Assignment ZyWALL USG 50 User’s Guide…
  • Page 250
    Select this to set a monthly limit for the user account of the installed Control 3G card. You can set a limit on the total traffic and/or call time. The ZyWALL takes the actions you specified when a limit is exceeded during the month. ZyWALL USG 50 User’s Guide…
  • Page 251
    If you set New 3G connection to Disallow and Current 3G connection to Keep, the ZyWALL allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected. ZyWALL USG 50 User’s Guide…
  • Page 252: Vlan Interfaces

    In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs. ZyWALL USG 50 User’s Guide…

  • Page 253
    In this example, the new switch handles the following types of traffic: • Inside VLAN 2. • Between the router and VLAN 1. • Between the router and VLAN 2. ZyWALL USG 50 User’s Guide…
  • Page 254: Vlan Summary Screen

    To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. Create To open the screen where you can create a virtual interface, select an Virtual interface and click Create Virtual Interface. Interface ZyWALL USG 50 User’s Guide…

  • Page 255: Vlan Add/Edit

    DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears. ZyWALL USG 50 User’s Guide…

  • Page 256
    Chapter 11 Interfaces Figure 166 Configuration > Network > Interface > VLAN > Edit ZyWALL USG 50 User’s Guide…
  • Page 257
    Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. ZyWALL USG 50 User’s Guide…
  • Page 258
    This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. DHCP Setting The DHCP settings are available for the OPT, LAN and DMZ interfaces. ZyWALL USG 50 User’s Guide…
  • Page 259
    DHCP clients. The WINS server WINS Server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. ZyWALL USG 50 User’s Guide…
  • Page 260
    RIP packets. Choices are 1, 2, and 1 and 2. V2-Broadcast This field is effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the ZyWALL uses multicasting. ZyWALL USG 50 User’s Guide…
  • Page 261
    Click Policy Route to go to the screen where you can manually Policy Route configure a policy route to associate traffic with this VLAN. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…
  • Page 262: Bridge Interfaces

    0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4. Table 65 Example: Bridge Table After Computer A Sends a Packet to Computer B MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A ZyWALL USG 50 User’s Guide…

  • Page 263
    In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed. ZyWALL USG 50 User’s Guide…
  • Page 264: Bridge Summary

    This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…

  • Page 265: Bridge Add/Edit

    DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears. ZyWALL USG 50 User’s Guide…

  • Page 266
    Chapter 11 Interfaces Figure 168 Configuration > Network > Interface > Bridge > Add ZyWALL USG 50 User’s Guide…
  • Page 267
    This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network. ZyWALL USG 50 User’s Guide…
  • Page 268
    Relay Server 1 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server. ZyWALL USG 50 User’s Guide…
  • Page 269
    Configure a list of static IP addresses the ZyWALL assigns to Table computers connected to the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the interface’s IP Pool Start Address and Pool Size. ZyWALL USG 50 User’s Guide…
  • Page 270: Virtual Interfaces Add/Edit

    Click Cancel to exit this screen without saving. 11.7.3 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet ZyWALL USG 50 User’s Guide…

  • Page 271
    ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first. Interface Parameters ZyWALL USG 50 User’s Guide…
  • Page 272: Interface Technical Reference

    200.200.200.200, it routes the packet to interface wan1. In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 ZyWALL USG 50 User’s Guide…

  • Page 273
    • Ingress bandwidth sets the amount of traffic the ZyWALL allows in through the interface from the network. At the time of writing, the ZyWALL does not support ingress bandwidth management. ZyWALL USG 50 User’s Guide…
  • Page 274
    DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously. As a DHCP server, the interface provides the following information to DHCP clients. ZyWALL USG 50 User’s Guide…
  • Page 275
    IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server. ZyWALL USG 50 User’s Guide…
  • Page 276
    The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions. ZyWALL USG 50 User’s Guide…
  • Page 277: Trunks

    • Use the Trunk Edit screen (Section 12.3 on page 283) to configure which interfaces belong to each trunk and the load balancing algorithm each trunk uses. ZyWALL USG 50 User’s Guide…

  • Page 278: What You Need To Know

    WAN IP address, the server would deny them. Here is an example. Figure 171 Link Sticking wan1 wan2 LAN user A logs into server B on the Internet. The ZyWALL uses wan1 to send the request to server B. ZyWALL USG 50 User’s Guide…

  • Page 279
    (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The ZyWALL calculates the load balancing index as shown in the table below. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic. ZyWALL USG 50 User’s Guide…
  • Page 280
    Suppose the first trunk member interface uses an unlimited access Internet connection and the second is billed by usage. Spillover load balancing only uses the second interface when the traffic load exceeds the threshold on the first ZyWALL USG 50 User’s Guide…
  • Page 281
    Trunk screens. • See Section 7.3 on page 117 for an example of how to configure load balancing. • See Section 12.4 on page 285 for more background information on trunks. ZyWALL USG 50 User’s Guide…
  • Page 282: The Trunk Summary Screen

    This setting applies when you use load balancing and have multiple WAN interfaces set to active mode. Timeout Specify the time period during which sessions from one source to the same destination are to use the same link. ZyWALL USG 50 User’s Guide…

  • Page 283: Configuring A Trunk

    Click Configuration > Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry. Figure 176 Configuration > Network > Interface > Trunk > Add (or Edit) ZyWALL USG 50 User’s Guide…

  • Page 284
    Select Active to have the ZyWALL always attempt to use this connection. Select Passive to have the ZyWALL only use this connection when all of the connections set to active are down. You can only set one of a group’s interfaces to passive mode. ZyWALL USG 50 User’s Guide…
  • Page 285: Trunk Technical Reference

    The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty. ZyWALL USG 50 User’s Guide…

  • Page 286
    Chapter 12 Trunks ZyWALL USG 50 User’s Guide…
  • Page 287: Policy And Static Routes

    RIP or OSPF to propagate routing information to other routers. 13.1.1 What You Can Do in this Chapter • Use the Policy Route screens (see Section 13.2 on page 290) to list and configure policy routes. ZyWALL USG 50 User’s Guide…

  • Page 288: What You Need To Know

    Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 14 on page 303 for more on RIP and OSPF. ZyWALL USG 50 User’s Guide…

  • Page 289
    DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies. ZyWALL USG 50 User’s Guide…
  • Page 290: Policy Route Screen

    • Limiting the amount of bandwidth available and setting a priority for traffic. IPPR follows the existing packet filtering facility of RAS in style and in implementation. Figure 178 Configuration > Network > Routing > Policy Route ZyWALL USG 50 User’s Guide…

  • Page 291
    This is the interface on which the packets are received. Source This is the name of the source IP address (group) object. any means all IP addresses. Destination This is the name of the destination IP address (group) object. any means all IP addresses. ZyWALL USG 50 User’s Guide…
  • Page 292
    This is the maximum bandwidth allotted to the policy. 0 means there is no bandwidth limitation for this route. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 293: Policy Route Edit Screen

    Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy. Criteria User Select a user name or user group from which the packets are sent. ZyWALL USG 50 User’s Guide…

  • Page 294
    HOST address object. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your ZyWALL’s interface(s). ZyWALL USG 50 User’s Guide…
  • Page 295
    Use this field to specify a custom DSCP value. Defined DSCP Code Address Use this section to configure NAT for the policy route. This section does Translation not apply to policy routes that use a VPN tunnel as the next hop. ZyWALL USG 50 User’s Guide…
  • Page 296
    This allows you to allocate bandwidth to a route and prioritize traffic that Shaping matches the routing policy. You must also enable bandwidth management in the main policy route screen (Network > Routing > Policy Route) in order to apply bandwidth shaping. ZyWALL USG 50 User’s Guide…
  • Page 297: Ip Static Route Screen

    Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. Figure 180 Configuration > Network > Routing > Static Route ZyWALL USG 50 User’s Guide…

  • Page 298: Static Route Add/Edit Screen

    255.255.255.255 in the subnet mask field to force the network number to be identical to the host Subnet Mask Enter the IP subnet mask here. ZyWALL USG 50 User’s Guide…

  • Page 299: Policy Routing Technical Reference

    If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the ZyWALL USG 50 User’s Guide…

  • Page 300: Port Triggering

    1 using port 1234. The ZyWALL records the IP address of computer A when the packets match a policy with SNAT configured. Game server 1 responds using a port number ranging between 5670 — 5678. The ZyWALL allows and forwards the traffic to computer A. ZyWALL USG 50 User’s Guide…

  • Page 301: Maximize Bandwidth Usage

    The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level. ZyWALL USG 50 User’s Guide…

  • Page 302
    Chapter 13 Policy and Static Routes ZyWALL USG 50 User’s Guide…
  • Page 303: Routing Protocols

    Network Size Small (with up to 15 routers) Large Metric Hop count Bandwidth, hop count, throughput, round trip time and reliability. Convergence Slow Fast Finding Out More Section 14.4 on page 314 for background information on routing protocols. ZyWALL USG 50 User’s Guide…

  • Page 304: The Rip Screen

    Use the RIP screen to specify the authentication method and maintain the policies for redistribution. Click Configuration > Network > Routing > RIP to open the following screen. Figure 183 Configuration > Network > Routing > RIP ZyWALL USG 50 User’s Guide…

  • Page 305: The Ospf Screen

    Click this button to return the screen to its last-saved settings. 14.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous ZyWALL USG 50 User’s Guide…

  • Page 306
    • A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS. ZyWALL USG 50 User’s Guide…
  • Page 307
    • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them. ZyWALL USG 50 User’s Guide…
  • Page 308
    BDR in another group, and neither in a third group all at the same time. Virtual Links In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area ZyWALL USG 50 User’s Guide…
  • Page 309: Configuring The Ospf Screen

    Use the first OSPF screen to specify the OSPF router the ZyWALL uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. ZyWALL USG 50 User’s Guide…

  • Page 310
    OSPF AS, and it can be between 1 and 16777214. Active Static Select this to advertise routes that were learned from static routes. Route The ZyWALL advertises routes learned from static routes to all types of areas. ZyWALL USG 50 User’s Guide…
  • Page 311
    Type field above. Authentication This field displays the default authentication method in the area. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 312: Ospf Area Add/Edit Screen

    None uses no authentication. Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). ZyWALL USG 50 User’s Guide…

  • Page 313: Virtual Link Add/Edit Screen

    14.3.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 14.3.2 on page ZyWALL USG 50 User’s Guide…

  • Page 314: Routing Protocol Technical Reference

    Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 14.4 Routing Protocol Technical Reference Here is more detailed information about RIP and OSPF. ZyWALL USG 50 User’s Guide…

  • Page 315
    Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information. ZyWALL USG 50 User’s Guide…
  • Page 316
    Chapter 14 Routing Protocols ZyWALL USG 50 User’s Guide…
  • Page 317: Zones

    Figure 190 Example: Zones 15.1.1 What You Can Do in this Chapter Use the Zone screens (see Section 15.2 on page 319) to manage the ZyWALL’s zones. ZyWALL USG 50 User’s Guide…

  • Page 318: What You Need To Know

    Finding Out More • See Section 6.5.8 on page 100 for related information on these screens. • See Section 7.1 on page 111 for an example of configuring Ethernet interfaces, port groups, and zones. ZyWALL USG 50 User’s Guide…

  • Page 319: The Zone Screen

    This field displays the name of the zone. Block Intra- This field indicates whether or not the ZyWALL blocks network traffic zone between members in the zone. Member This field displays the names of the interfaces that belong to each zone. ZyWALL USG 50 User’s Guide…

  • Page 320: Zone Edit

    Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…

  • Page 321: Ddns

    Table 90 DDNS Service Providers PROVIDER SERVICE TYPES SUPPORTED WEBSITE DynDNS Dynamic DNS, Static DNS, and Custom DNS www.dyndns.com Dynu Basic, Premium www.dynu.com No-IP No-IP www.no-ip.com Peanut Hull Peanut Hull www.oray.cn 3322 3322 Dynamic DNS, 3322 Static DNS www.3322.org ZyWALL USG 50 User’s Guide…

  • Page 322: The Ddns Screen

    Profile Name This field displays the descriptive profile name for this entry. DDNS Type This field displays which DDNS service you are using. Domain Name This field displays each domain name the ZyWALL can route. ZyWALL USG 50 User’s Guide…

  • Page 323
    ZyWALL for the IP address to use for the domain name. custom — The IP address is static. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 324: The Dynamic Dns Add/Edit Screen

    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This field is read-only when you are editing an entry. DDNS Type Select the type of DDNS service you are using. ZyWALL USG 50 User’s Guide…

  • Page 325
    Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address. ZyWALL USG 50 User’s Guide…
  • Page 326
    Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…
  • Page 327: Nat

    Use the NAT screens (see Section 17.2 on page 328) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones. ZyWALL USG 50 User’s Guide…

  • Page 328: What You Need To Know

    Table 93 Configuration > Network > NAT LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. ZyWALL USG 50 User’s Guide…

  • Page 329
    This field displays the new destination port(s) for the pack et. This field is blank if there is no restriction on the original destination port. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 330: The Nat Add/Edit Screen

    Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. ZyWALL USG 50 User’s Guide…

  • Page 331
    ZyWALL. If you select one of them, this NAT rule supports the IP address specified by the address object. User Defined This field is available if Mapped IP is User Defined. Type the translated Original IP destination IP address that this NAT rule supports. ZyWALL USG 50 User’s Guide…
  • Page 332
    LAN interface’s IP address as the source address for the traffic it sends to the LAN server. See NAT Loopback on page 333 for more details. If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule’s specified incoming interface. ZyWALL USG 50 User’s Guide…
  • Page 333: Nat Technical Reference

    Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server. ZyWALL USG 50 User’s Guide…

  • Page 334
    The LAN SMTP server replies to the ZyWALL’s LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic’s source matches the original destination address (1.1.1.1). If the ZyWALL USG 50 User’s Guide…
  • Page 335
    LAN user’s computer to shut down the session. Figure 199 LAN to LAN Return Traffic Source 192.168.1.21 Source 1.1.1.1 SMTP SMTP 192.168.1.21 192.168.1.89 ZyWALL USG 50 User’s Guide…
  • Page 336
    Chapter 17 NAT ZyWALL USG 50 User’s Guide…
  • Page 337: Http Redirect

    Figure 200 HTTP Redirect Example LAN1 18.1.1 What You Can Do in this Chapter Use the HTTP Redirect screens (see Section 18.2 on page 339) to display and edit the HTTP redirect rules. ZyWALL USG 50 User’s Guide…

  • Page 338: What You Need To Know

    • a HTTP redirect rule to forward HTTP traffic from lan1 to proxy server A. For HTTP traffic between dmz and wan1: • a from DMZ to WAN firewall rule (default) to allow HTTP requests from dmz to wan1. Responses to these requests are allowed automatically. ZyWALL USG 50 User’s Guide…

  • Page 339: The Http Redirect Screen

    This icon is lit when the entry is active and dimmed when the entry is inactive. Name This is the descriptive name of a rule. Interface This is the interface on which the request must be received. Proxy Server This is the IP address of the proxy server. ZyWALL USG 50 User’s Guide…

  • Page 340: The Http Redirect Edit Screen

    Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…

  • Page 341: Alg

    The ALG feature is only needed for traffic that goes through the ZyWALL’s NAT. 19.1.1 What You Can Do in this Chapter Use the ALG screen (Section 19.2 on page 345) to set up SIP, H.323, and FTP ALG settings. ZyWALL USG 50 User’s Guide…

  • Page 342: What You Need To Know

    Figure 204 H.323 ALG Example SIP ALG • SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients can be in the same network or different networks. ZyWALL USG 50 User’s Guide…

  • Page 343
    LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A ZyWALL USG 50 User’s Guide…
  • Page 344
    ALG for peer- to-peer H.323 traffic. • See Section 7.11 on page 148 for an example of making an IPPBX using SIP or a SIP server in the DMZ zone accessible from the Internet (the WAN zone). ZyWALL USG 50 User’s Guide…
  • Page 345: Before You Begin

    SIP ALG time outs. Note: If the ZyWALL provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service’s traffic. Figure 207 Configuration > Network > ALG ZyWALL USG 50 User’s Guide…

  • Page 346
    If you are using a custom TCP port number (not 1720) for H.323 Port traffic, enter it here. Additional H.323 If you are also using H.323 on an additional TCP port number, enter it Signaling Port here. Transformations ZyWALL USG 50 User’s Guide…
  • Page 347: Alg Technical Reference

    ALG-managed traffic uses. You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG-managed ZyWALL USG 50 User’s Guide…

  • Page 348
    SIP handles telephone calls and can interface with traditional circuit- switched telephone networks. When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP. ZyWALL USG 50 User’s Guide…
  • Page 349: Ip/Mac Binding

    (Section 20.2 on page 350) to bind IP addresses to MAC addresses. • Use the Exempt List screen (Section 20.3 on page 353) to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. ZyWALL USG 50 User’s Guide…

  • Page 350: What You Need To Know

    To turn off an entry, select it and click Inactivate. This field is a sequential value, and it is not associated with a specific entry. Status This icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG 50 User’s Guide…

  • Page 351: Ip/Mac Binding Edit

    This table lists the bound IP and MAC addresses. The ZyWALL checks this Bindings table when it assigns IP addresses. If the computer’s MAC address is in the table, the ZyWALL assigns the corresponding IP address. You can also access this table from the interface’s edit screen. ZyWALL USG 50 User’s Guide…

  • Page 352: Static Dhcp Edit

    Enter the MAC address of the device to which the ZyWALL assigns the entry’s IP address. Description Enter up to 64 printable ASCII characters to help identify the entry. For example, you may want to list the computer’s owner. ZyWALL USG 50 User’s Guide…

  • Page 353: Ip/Mac Binding Exempt List

    Click the Add icon to add a new entry. Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Apply Click Apply to save your changes back to the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 354
    Chapter 20 IP/MAC Binding ZyWALL USG 50 User’s Guide…
  • Page 355: Authentication Policy

    Figure 213 Authentication Policy Using Endpoint Security 21.1.1 What You Can Do in this Chapter Use the Configuration > Auth. Policy screens (Section 21.2 on page 356) to create and manage authentication policies. ZyWALL USG 50 User’s Guide…

  • Page 356: What You Need To Know

    Section 7.7 on page 135 for an example of how to use endpoint security and authentication policies. 21.2 Authentication Policy Screen The Authentication Policy screen displays the authentication policies you have configured on the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 357
    Chapter 21 Authentication Policy Click Configuration > Auth. Policy to display the screen. Figure 214 Configuration > Auth. Policy ZyWALL USG 50 User’s Guide…
  • Page 358
    To turn off an entry, select it and click Inactivate. Move To move an entry to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the interface. ZyWALL USG 50 User’s Guide…
  • Page 359: Creating/Editing An Authentication Policy

    Click this button to return the screen to its last-saved settings. 21.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. ZyWALL USG 50 User’s Guide…

  • Page 360
    Destination Select a destination address or address group for whom this policy Address applies. Select any if the policy is effective for every destination. This is any and not configurable for the default policy. ZyWALL USG 50 User’s Guide…
  • Page 361
    Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…
  • Page 362
    Chapter 21 Authentication Policy ZyWALL USG 50 User’s Guide…
  • Page 363: Firewall

    371) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 22.3 on page 376) to limit the number of concurrent NAT/firewall sessions a client can use. ZyWALL USG 50 User’s Guide…

  • Page 364: What You Need To Know

    (extra-zone traffic). To-ZyWALL Rules Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN, or WAN computers to access or manage the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 365
    To use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL. ZyWALL USG 50 User’s Guide…
  • Page 366: Firewall Rule Example Applications

    (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need ZyWALL USG 50 User’s Guide…

  • Page 367
    • Has a static IP address, • You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 274 for information on DHCP). ZyWALL USG 50 User’s Guide…
  • Page 368
    CEO) to allow IRC traffic from any source IP address to go to any destination address. Your firewall would have the following configuration. Table 107 Limited LAN1 to WAN IRC Traffic Example 2 USER SOURCE DESTINATION SCHEDULE SERVICE ACTION Allow Deny Allow ZyWALL USG 50 User’s Guide…
  • Page 369: Firewall Rule Configuration Example

    At the top of the screen, click Create new Object > Address. The screen for configuring an address object opens. Configure it as follows and click OK. Figure 221 Firewall Example: Create an Address Object Click Create new Object > Service. ZyWALL USG 50 User’s Guide…

  • Page 370
    Select Dest_1 is selected for the Destination and Doom is selected as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 223 Firewall Example: Edit a Firewall Rule ZyWALL USG 50 User’s Guide…
  • Page 371: The Firewall Screen

    A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN. The ZyWALL reroutes the packet to gateway A, which is in Subnet 2. The reply from the WAN goes to the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 372: Configuring The Firewall Screen

    So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination. See Section 7.9 on page 141 for an example. ZyWALL USG 50 User’s Guide…

  • Page 373
    Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. Firewall Rule Summary ZyWALL USG 50 User’s Guide…
  • Page 374
    This is the user name or user group name to which this firewall rule applies. Source This displays the source address object to which this firewall rule applies. Destination This displays the destination address object to which this firewall rule applies. ZyWALL USG 50 User’s Guide…
  • Page 375: The Firewall Add/Edit Screen

    Select this check box to activate the firewall rule. From For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself. ZyWALL USG 50 User’s Guide…

  • Page 376: The Session Limit Screen

    Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/ firewall sessions a client can use. You can apply a default limit for all users and ZyWALL USG 50 User’s Guide…

  • Page 377
    [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. Status This icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG 50 User’s Guide…
  • Page 378: The Session Limit Add/Edit Screen

    Use to configure any new settings objects that you need to use in this Object screen. Enable Rule Select this check box to turn on this session limit rule. Description Enter information to help you identify this rule. Use up to 64 printable ASCII characters. Spaces are allowed. ZyWALL USG 50 User’s Guide…

  • Page 379
    For this rule’s users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…
  • Page 380
    Chapter 22 Firewall ZyWALL USG 50 User’s Guide…
  • Page 381: Ipsec Vpn

    VPN gateway a VPN connection policy uses and which devices (behind the IPSec routers) can use the VPN tunnel and the IPSec SA settings (phase 2 settings). You can also activate / deactivate and connect / disconnect each VPN connection (each IPSec SA). ZyWALL USG 50 User’s Guide…

  • Page 382: What You Need To Know

    Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first. ZyWALL USG 50 User’s Guide…

  • Page 383
    Only the clients can initiate the VPN Only this ZyWALL initiate the VPN tunnel. can initiate the VPN tunnel. tunnel. Finding Out More • See Section 6.5.15 on page 104 for related information on these screens. ZyWALL USG 50 User’s Guide…
  • Page 384: Before You Begin

    The VPN Connection screen lists the VPN connection policies and their associated VPN gateway(s), and various settings. In addition, it also lets you activate / deactivate and connect / disconnect each VPN connection (each IPSec ZyWALL USG 50 User’s Guide…

  • Page 385
    To connect an IPSec SA, select it and click Connect. Disconnect To disconnect an IPSec SA, select it and click Disconnect. This field is a sequential value, and it is not associated with a specific connection. ZyWALL USG 50 User’s Guide…
  • Page 386: The Vpn Connection Add/Edit (Ike) Screen

    384), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears. ZyWALL USG 50 User’s Guide…

  • Page 387
    Chapter 23 IPSec VPN Figure 233 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ZyWALL USG 50 User’s Guide…
  • Page 388
    This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. VPN Gateway Select the VPN gateway this VPN connection is to use or select Create Object to add another VPN gateway for this VPN connection to use. ZyWALL USG 50 User’s Guide…
  • Page 389
    Transport — this mode only encrypts the data. The ZyWALL and remote IPSec router must use the same encapsulation. Proposal Click this to create a new entry. Edit Select an entry and click this to be able to modify it. ZyWALL USG 50 User’s Guide…
  • Page 390
    VPN connection policy. Connectivity The ZyWALL can regularly check the VPN connection to the gateway Check you specified to make sure it is still available. Enable Select this to turn on the VPN connection check. Connectivity Check ZyWALL USG 50 User’s Guide…
  • Page 391
    (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT). ZyWALL USG 50 User’s Guide…
  • Page 392
    The size of the original port range must be the same size as the size of the mapped port range. Click OK to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen. ZyWALL USG 50 User’s Guide…
  • Page 393: The Vpn Connection Add/Edit Manual Key Screen

    Table 115 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual LABEL DESCRIPTION Manual Key My Address Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid. ZyWALL USG 50 User’s Guide…

  • Page 394
    Select which hash algorithm to use to authenticate packet data in the Algorithm IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The ZyWALL and remote IPSec router must use the same algorithm. ZyWALL USG 50 User’s Guide…
  • Page 395
    12345678901234567890 for a MD5 authentication key, the ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…
  • Page 396: The Vpn Gateway Screen

    This field displays the interface or a domain name the Z yWALL uses for the VPN gateway. Secure Gateway This field displays the IP address(es) of the remote IPSec routers. VPN Connection This field displays VPN connections that use this VPN gateway. ZyWALL USG 50 User’s Guide…

  • Page 397: The Vpn Gateway Add/Edit Screen

    The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 23.3 on page 396), and click either the Add icon or an Edit icon. ZyWALL USG 50 User’s Guide…

  • Page 398
    Type the name used to identify this VPN gateway. You may use 1-31 Name alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Gateway Settings ZyWALL USG 50 User’s Guide…
  • Page 399
    “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs. The ZyWALL and remote IPSec router must use the same pre-shared key. ZyWALL USG 50 User’s Guide…
  • Page 400
    E-mail — the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. ZyWALL USG 50 User’s Guide…
  • Page 401
    Any — the ZyWALL does not check the identity of the remote IPSec router If the ZyWALL and remote IPSec router use certificates, there is one more choice. Subject Name — the remote IPSec router is identified by the subject name in the certificate ZyWALL USG 50 User’s Guide…
  • Page 402
    Type the maximum number of seconds the IKE SA can last. When (Seconds) this time has passed, the ZyWALL and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however. ZyWALL USG 50 User’s Guide…
  • Page 403
    DH5 — use a 1536-bit random number The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. ZyWALL USG 50 User’s Guide…
  • Page 404
    IPSec router. The password can be 1-31 ASCII characters. It is case- sensitive, but spaces are not allowed. Click OK to save your settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…
  • Page 405: Ipsec Vpn Background Information

    IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next. Figure 237 IKE SA: Main Negotiation Mode, Steps 1 — 2: IKE SA Proposal One or more proposals, each one consisting of: — encryption algorithm — authentication algorithm — Diffie-Hellman key group ZyWALL USG 50 User’s Guide…

  • Page 406
    DH key groups. Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption ZyWALL USG 50 User’s Guide…
  • Page 407
    You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. Note: The ZyWALL and the remote IPSec router must use the same pre-shared key. ZyWALL USG 50 User’s Guide…
  • Page 408
    It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if your ZyWALL provides another way to check ZyWALL USG 50 User’s Guide…
  • Page 409
    For example, the remote IPSec router may be a telecommuter who does not have a static IP address. VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Figure 240 VPN/NAT Example ZyWALL USG 50 User’s Guide…
  • Page 410
    If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode). ZyWALL USG 50 User’s Guide…
  • Page 411: Ipsec Sa Overview

    (Encapsulating Security Payload, RFC 2406). Note: The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. ZyWALL USG 50 User’s Guide…

  • Page 412
    405), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS). ZyWALL USG 50 User’s Guide…
  • Page 413
    For authentication, the ZyWALL and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number. Note: The ZyWALL and remote IPSec router must use the same SPI. ZyWALL USG 50 User’s Guide…
  • Page 414
    M through the IPSec SA because computer M’s IP address is not part of its local policy. To set up this NAT, you have to specify the following information: • Source — the original source address; most likely, computer M’s network. ZyWALL USG 50 User’s Guide…
  • Page 415
    IP address of the mail server in the local network (A). • Mapped Port — the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size. ZyWALL USG 50 User’s Guide…
  • Page 416
    Chapter 23 IPSec VPN ZyWALL USG 50 User’s Guide…
  • Page 417: Ssl Vpn

    Figure 243 Network Access Mode: Full Tunnel Mode SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: ZyWALL USG 50 User’s Guide…

  • Page 418
    ZyWALL (after you have configured the SSL VPN settings on the ZyWALL). • See Chapter 44 on page 673 for details on endpoint security objects. • See Chapter 43 on page 667 for details on SSL application objects. ZyWALL USG 50 User’s Guide…
  • Page 419: The Ssl Access Privilege Screen

    This field displays the user account or user group name(s) associated to an SSL access policy. This field displays up to three names. Access Policy This field displays details about the SSL application object this policy Summary uses including its name, type, and address. ZyWALL USG 50 User’s Guide…

  • Page 420: The Ssl Access Policy Add/Edit Screen

    24.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 245 VPN > SSL VPN > Access Privilege > Add/Edit ZyWALL USG 50 User’s Guide…

  • Page 421
    Operating System (OS) and security requirements of one of the SSL access policy’s selected endpoint security objects before granting access. Periodical Select this and specify a number of minutes to have the ZyWALL repeat checking time the endpoint security check at a regular interval. ZyWALL USG 50 User’s Guide…
  • Page 422
    Address Objects list and click <<. Click Ok to save the changes and return to the main Access Privilege screen. Cancel Click Cancel to discard all changes and return to the main Access Privilege screen. ZyWALL USG 50 User’s Guide…
  • Page 423: The Ssl Global Setting Screen

    For example, www.zyxel.com is a fully qualified domain name where “www” is the host; so you would just use “zyxel.com”. The ZyWALL displays the normal login screen without the button for logging into the Web Configurator. ZyWALL USG 50 User’s Guide…

  • Page 424: How To Upload A Custom Logo

    Click Browse to locate the logo graphic. Make sure the file is in GIF, JPG, or PNG format. Click Apply to start the file transfer process. Log in as a user to verify that the new logo displays properly. ZyWALL USG 50 User’s Guide…

  • Page 425: Establishing An Ssl Vpn Connection

    SSL VPN button to establish an SSL VPN connection. See the User’s Guide Section 25.2 on page 428 for details. Display the ZyWALL’s login screen and enter your user account information (the user name and password). Click SSL VPN. Figure 248 Login Screen ZyWALL USG 50 User’s Guide…

  • Page 426
    Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 25 on page 427. ZyWALL USG 50 User’s Guide…
  • Page 427: Ssl User Screens

    ZyWALL SecuExtender client program to your computer. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if you were on the local network. See Chapter 27 on page 439 for more on the ZyWALL SecuExtender. ZyWALL USG 50 User’s Guide…

  • Page 428: Remote User Login

    SSL VPN on the ZyWALL. 25.2 Remote User Login This section shows you how to access and log into the network through the ZyWALL. Example screens for Internet Explorer are shown. ZyWALL USG 50 User’s Guide…

  • Page 429
    If a token password is also required, enter it in the One-Time Password field. Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources. Figure 253 Login Screen ZyWALL USG 50 User’s Guide…
  • Page 430
    Figure 254 Java Needed Message The ZyWALL tries to install the SecuExtender client. As shown next, you may have to click some pop-ups to get your browser to allow the installation. Figure 255 ActiveX Object Installation Blocked by Browser ZyWALL USG 50 User’s Guide…
  • Page 431
    In Internet Explorer, click Run. Figure 257 SecuExtender Progress Click Next to use the setup wizard to install the SecuExtender client on your computer. Figure 258 SecuExtender Progress ZyWALL USG 50 User’s Guide…
  • Page 432
    11 The Application screen displays showing the list of resources available to you. Figure 260 on page 433 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. ZyWALL USG 50 User’s Guide…
  • Page 433: The Ssl Vpn User Screens

    Select your preferred language for the interface. This part of the screen displays a list of the resources available to you. In the Application screen, click on a link to access or display the access method. ZyWALL USG 50 User’s Guide…

  • Page 434: Bookmarking The Zywall

    To properly terminate a connection, click on the Logout icon in any remote user screen. Click the Logout icon in any remote user screen. A prompt window displays. Click OK to continue. Figure 262 Logout: Prompt ZyWALL USG 50 User’s Guide…

  • Page 435
    Chapter 25 SSL User Screens An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 263 Logout: Connection Termination Progress ZyWALL USG 50 User’s Guide…
  • Page 436
    Chapter 25 SSL User Screens ZyWALL USG 50 User’s Guide…
  • Page 437: Ssl User Application Screens

    Virtual Network Computing (VNC) or Remote Desktop Protocol (RDP). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 264 Application ZyWALL USG 50 User’s Guide…

  • Page 438
    Chapter 26 SSL User Application Screens ZyWALL USG 50 User’s Guide…
  • Page 439: Zywall Secuextender

    • Gray: the SSL VPN tunnel’s connection is suspended. This means the SSL VPN tunnel is connected, but the ZyWALL SecuExtender will not send any traffic through it until you right-click the icon and resume the connection. ZyWALL USG 50 User’s Guide…

  • Page 440: Statistics

    IP addresses that they are currently using. Network 1~4 These are the networks (including netmask) that you can access through the SSL VPN connection. Activity Connected Time This is how long the computer has been connected to the SSL VPN tunnel. ZyWALL USG 50 User’s Guide…

  • Page 441: View Log

    27.4 Suspend and Resume the Connection When the ZyWALL SecuExtender icon in the system tray is green, you can right- click the icon and select Suspend Connection to keep the SSL VPN tunnel ZyWALL USG 50 User’s Guide…

  • Page 442: Stop The Connection

    Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. In the confirmation screen, click Yes. Figure 268 Uninstalling the ZyWALL SecuExtender Confirmation Windows uninstalls the ZyWALL SecuExtender. Figure 269 ZyWALL SecuExtender Uninstallation ZyWALL USG 50 User’s Guide…

  • Page 443: Application Patrol

    ZyWALL does when it does not recognize the application, and it identifies the conditions that refine this. It also lets you open the Other Configuration Add/ Edit screen to create new conditions or edit existing ones. ZyWALL USG 50 User’s Guide…

  • Page 444: What You Need To Know

    Custom Ports for SIP and the SIP ALG Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP ALG (see Chapter 19 on page 341) to use the same port ZyWALL USG 50 User’s Guide…

  • Page 445
    A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel. ZyWALL USG 50 User’s Guide…
  • Page 446
    • Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN1 so outbound means the traffic traveling from the LAN1 to the WAN. Each of the WAN zone’s two interfaces can send the limit of 200 kbps of traffic. ZyWALL USG 50 User’s Guide…
  • Page 447
    The following sections show how bandwidth management behaves with various settings. For example, you configure DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum ZyWALL USG 50 User’s Guide…
  • Page 448
    200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 — 500 = 500) equally between the two (500 / 2 = 250 kbps for each). The priority has no effect on how much of the unused bandwidth each server gets. ZyWALL USG 50 User’s Guide…
  • Page 449: Application Patrol Bandwidth Management Examples

    • SIP traffic from VIP users must get through with the least possible delay regardless of if it is an outgoing call or an incoming call. The VIP users must be able to make and receive SIP calls no matter which interface they are connected ZyWALL USG 50 User’s Guide…

  • Page 450: Sip Any To Wan Bandwidth Management Example

    • Inbound traffic (to the LAN and DMZ from the WAN) is also limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to LAN or DMZ. • Highest priority (1). Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment. ZyWALL USG 50 User’s Guide…

  • Page 451: Sip Wan To Any Bandwidth Management Example

    HTTP traffic gets sent before non-SIP traffic. • Enable maximize bandwidth usage so the HTTP traffic can borrow unused bandwidth. Figure 275 HTTP Any to WAN Bandwidth Management Example Outbound: 200 kbps Inbound: 500 kbps ZyWALL USG 50 User’s Guide…

  • Page 452: Ftp Wan To Dmz Bandwidth Management Example

    • Fourth highest priority (4). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 277 FTP LAN to DMZ Bandwidth Management Example Inbound: 50 Mbps Outbound: 50 Mbps ZyWALL USG 50 User’s Guide…

  • Page 453: Application Patrol General Screen

    This same setting also appears in the Network > Routing > Policy Route screen. Enabling or disabling it in one screen also enables or disables it in the other screen. ZyWALL USG 50 User’s Guide…

  • Page 454: Application Patrol Applications

    Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications. Use the Common screen (shown here as an example) to manage traffic of the most commonly used web, file transfer and e-mail protocols. ZyWALL USG 50 User’s Guide…

  • Page 455: The Application Patrol Edit Screen

    Click Reset to return the screen to its last-saved settings. 28.3.1 The Application Patrol Edit Screen Use this screen to edit the settings for an application. To access this screen, go to the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or ZyWALL USG 50 User’s Guide…

  • Page 456
    Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. ZyWALL USG 50 User’s Guide…
  • Page 457
    If any displays, the policy is effective for every source. Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. ZyWALL USG 50 User’s Guide…
  • Page 458
    (7) regardless of this field’s configuration. This field shows whether the ZyWALL generates a log (log), a log and alert (log alert) or neither (no) when the application’s traffic matches this policy. ZyWALL USG 50 User’s Guide…
  • Page 459: The Application Patrol Policy Edit Screen

    Select this check box to turn on this policy for the application. Port Use this field to specify a specific port number to which to apply this policy. Type zero, if this policy applies for every port number. ZyWALL USG 50 User’s Guide…

  • Page 460
    PHB for DiffServ on page 299 for more details. Select preserve to have the ZyWALL keep the packets’ original DSCP value. Select default to have the ZyWALL set the DSCP value of the packets to ZyWALL USG 50 User’s Guide…
  • Page 461
    If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth. ZyWALL USG 50 User’s Guide…
  • Page 462: The Other Applications Screen

    ZyWALL should do more precisely. You can also control the bandwidth used by these other applications.This screen also allows you to add, edit, and remove conditions to this default policy. ZyWALL USG 50 User’s Guide…

  • Page 463
    This is the destination zone of the traffic to which this policy applies. Source This is the source address or address group for whom this policy applies. If any displays, the policy is effective for every source. ZyWALL USG 50 User’s Guide…
  • Page 464
    0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration. ZyWALL USG 50 User’s Guide…
  • Page 465: The Other Applications Add/Edit Screen

    Select this check box to turn on this policy. Port Use this field to specify a specific port number to which to apply this policy. Type zero, if this policy applies for every port number. ZyWALL USG 50 User’s Guide…

  • Page 466
    Select default to have the ZyWALL set the DSCP value of the packets to Bandwidth Configure these fields to set the amount of bandwidth the application Management can use. These fields only apply when Access is set to forward. ZyWALL USG 50 User’s Guide…
  • Page 467
    Chapter 46 on page 731 for more on logs. no — the ZyWALL does not record anything log — the ZyWALL creates a record in the log log alert — the ZyWALL creates an alert ZyWALL USG 50 User’s Guide…
  • Page 468
    Chapter 28 Application Patrol Table 135 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User’s Guide…
  • Page 469: Anti-Virus

    477) to set up anti- virus black (blocked) and white (allowed) lists of virus file patterns. • Use the Signature screen (Section 29.6 on page 480) to search signatures to get more information about signatures. ZyWALL USG 50 User’s Guide…

  • Page 470: What You Need To Know

    The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports. If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets. ZyWALL USG 50 User’s Guide…

  • Page 471: Before You Begin

    • Before using anti-virus, see Section 10.1 on page 213 for how to register for the anti-virus service. • You may need to customize the zones (in the Network > Zone) used for the anti-virus scanning direction. ZyWALL USG 50 User’s Guide…

  • Page 472: Anti-Virus Summary Screen

    Select this check box to check traffic for viruses and spyware. The Virus and Anti- following table lists policies that define which traffic the ZyWALL scans Spyware and the action it takes upon finding a virus. ZyWALL USG 50 User’s Guide…

  • Page 473
    IMAP4 applies to traffic using TCP port 143. License The following fields display information about the current state of your subscription for virus signatures. License This field displays whether a service is activated (Licensed) or not (Not Status Licensed) or expired (Expired). ZyWALL USG 50 User’s Guide…
  • Page 474
    Click this link to go to the screen you can use to download signatures Signatures from the update server. Apply Click Apply to save your changes. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 475: Anti-Virus Policy Add Or Edit Screen

    FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143. ZyWALL USG 50 User’s Guide…

  • Page 476
    “zip” or “rar” file extension). The ZyWALL first (ZIP and RAR) decompresses the ZIP file and then scans the contents for viruses. Note: The ZyWALL decompresses a ZIP file once. The ZyWALL does NOT decompress any ZIP file(s) within a ZIP file. ZyWALL USG 50 User’s Guide…
  • Page 477: Anti-Virus Black List

    (blocked) list of virus file patterns. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 287 Configuration > Anti-X > Anti-Virus > Black/White List > Black List ZyWALL USG 50 User’s Guide…

  • Page 478: Anti-Virus Black List Or White List Add/Edit

    • For a white list entry, enter a file pattern that should cause the ZyWALL to allow a file. Figure 288 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add ZyWALL USG 50 User’s Guide…

  • Page 479: Anti-Virus White List

    Click Configuration > Anti-X > Anti-Virus > Black/White List > White List to display the screen shown next. Use the Black/White List screen to set up Anti-Virus black (blocked) and white (allowed) lists of virus file patterns. Click a ZyWALL USG 50 User’s Guide…

  • Page 480: Signature Searching

    Click Reset to return the screen to its last-saved settings. 29.6 Signature Searching Click Configuration > Anti-X > Anti-Virus > Signature to display this screen. Use this screen to locate signatures and display details about them. ZyWALL USG 50 User’s Guide…

  • Page 481
    No to continue. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 290 Configuration > Anti-X > Anti-Virus > Signature: Search by Severity ZyWALL USG 50 User’s Guide…
  • Page 482
    Category This column displays whether the signature is for identifying a virus or spyware. Click the column heading to sort your search results by category. ZyWALL USG 50 User’s Guide…
  • Page 483: Anti-Virus Technical Reference

    Once the virus is spread through the network, the number of infected networked computers can grow exponentially. Types of Anti-Virus Scanner The section describes two types of anti-virus scanner: host-based and network- based. ZyWALL USG 50 User’s Guide…

  • Page 484
    • NAV scanners stops virus threats at the network edge before they enter or exit a network. • NAV scanners reduce computing loading on computers as the read-time data traffic inspection is done on a dedicated security device. ZyWALL USG 50 User’s Guide…
  • Page 485: Idp

    Section 31.1 on page 519). Zone A zone is a combination of ZyWALL interfaces and VPN connections used for configuring security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces. ZyWALL USG 50 User’s Guide…

  • Page 486: Before You Begin

    When the trial subscription expires, purchase and enter a license key using the same screens to continue the subscription. • Configure zones on the ZyWALL — see Chapter 15 on page 317 for more information. ZyWALL USG 50 User’s Guide…

  • Page 487: The Idp General Screen

    If you don’t have a standard license, you can register for Detection a once-off trial one. Policies Use this list to specify which IDP profile the ZyWALL uses for traffic flowing in a specific direction. Edit the policies directly in the table. ZyWALL USG 50 User’s Guide…

  • Page 488
    IDP services or not or your registration has expired. License Type This field shows Trial, Standard or None depending on whether you subscribed to the IDP trial, bought an iCard for IDP service or neither. ZyWALL USG 50 User’s Guide…
  • Page 489: Introducing Idp Profiles

    You need to subscribe for IDP service in order to be able to download new signatures. In general, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior (see Section 31.1 on page 519 information on anomaly detection). ZyWALL USG 50 User’s Guide…

  • Page 490: Base Profiles

    Signatu res with a low or medium severity level (two or three) generate logs (not log alerts) and no action is taken on packets that trigger them. Signatures with a very low severity level (one) are disabled. ZyWALL USG 50 User’s Guide…

  • Page 491: The Profile Summary Screen

    Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This is the entry’s index number in the list. ZyWALL USG 50 User’s Guide…

  • Page 492: Creating New Profiles

    Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue. Type a new profile name Enable or disable individual signatures. Edit the default log options and actions. ZyWALL USG 50 User’s Guide…

  • Page 493: Profiles: Packet Inspection

    Packet inspection signatures examine the contents of a packet for malicious data. It operates at layer-4 to layer-7. 30.6.1 Profile > Group View Screen Figure 294 Configuration > Anti-X > IDP > Profile > Edit: Group View ZyWALL USG 50 User’s Guide…

  • Page 494
    An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s). ZyWALL USG 50 User’s Guide…
  • Page 495
    Very Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. Policy Type This is the attack type as defined on the ZyWALL. See Table 147 on page for a description of each type. ZyWALL USG 50 User’s Guide…
  • Page 496: Policy Types

    Internet. A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system. ZyWALL USG 50 User’s Guide…

  • Page 497: Idp Service Groups

    Web attacks refer to attacks on web servers such as IIS (Internet Information Services). 30.6.3 IDP Service Groups An IDP service group is a set of related packet inspection signatures. Table 148 IDP Service Groups WEB_PHP WEB_MISC WEB_IIS WEB_FRONTPAGE WEB_CGI WEB_ATTACKS TFTP TELNET ZyWALL USG 50 User’s Guide…

  • Page 498
    If you select original setting for service group logs and/or actions, all signatures within that group are returned to their last-saved settings. Figure 295 Configuration > Anti-X > IDP > Profile > Edit > IDP Service Group ZyWALL USG 50 User’s Guide…
  • Page 499: Profile > Query View Screen

    ID fields are left blank, then all custom signatures are displayed. Name Type the name or part of the name of the signature(s) you want to find. Signature Type the ID or part of the ID of the signature(s) you want to find. ZyWALL USG 50 User’s Guide…

  • Page 500
    Click Save to save the configuration to the ZyWALL, but remain in the same page. You may then go to the another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile. ZyWALL USG 50 User’s Guide…
  • Page 501: Query Example

    Chapter 30 IDP 30.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any ZyWALL USG 50 User’s Guide…

  • Page 502
    Chapter 30 IDP • Actions: Any Figure 297 Query Example Search Criteria Figure 298 Query Example Search Results ZyWALL USG 50 User’s Guide…
  • Page 503: Introducing Idp Custom Signatures

    Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver. Fragment Offset This is a byte count from the start of the original sent packet. ZyWALL USG 50 User’s Guide…

  • Page 504: Configuring Custom Signatures

    Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can also delete custom signatures here or save them to your computer. ZyWALL USG 50 User’s Guide…

  • Page 505
    This is the name of your custom signature. Duplicate names can exist, but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent. ZyWALL USG 50 User’s Guide…
  • Page 506: Creating Or Editing A Custom Signature

    Figure 300 on page 505. A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), then the fewer false positives the signature will trigger. ZyWALL USG 50 User’s Guide…

  • Page 507
    Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 301 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit ZyWALL USG 50 User’s Guide…
  • Page 508
    If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses. ZyWALL USG 50 User’s Guide…
  • Page 509
    The following fields vary depending on whether you choose TCP, UDP or ICMP. Transport Protocol: TCP Port Select the check box and then enter the source and destination TCP port numbers that will trigger this signature. ZyWALL USG 50 User’s Guide…
  • Page 510
    Payload Options The longer a payload option is, the more exact the match, the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature. ZyWALL USG 50 User’s Guide…
  • Page 511
    %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer. For example, the URI: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver will get normalized into: /winnt/system32/cmd.exe?/c+ver ZyWALL USG 50 User’s Guide…
  • Page 512: Custom Signature Example

    As an example, say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic. ZyWALL USG 50 User’s Guide…

  • Page 513
    From the details about DNS query you see that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern. ZyWALL USG 50 User’s Guide…
  • Page 514: Applying Custom Signatures

    After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999. ZyWALL USG 50 User’s Guide…

  • Page 515: Verifying Custom Signatures

    All IDP signatures come under the IDP category. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The ZyWALL USG 50 User’s Guide…

  • Page 516: Idp Technical Reference

    Disadvantages of host IDPs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems. ZyWALL USG 50 User’s Guide…

  • Page 517
    These are some equivalent Snort terms in the ZyWALL. Table 153 ZyWALL — Snort Equivalent Terms ZYWALL TERM SNORT EQUIVALENT TERM Type Of Service Identification Fragmentation fragbits Fragmentation Offset fragoffset Time to Live IP Options ipopts ZyWALL USG 50 User’s Guide…
  • Page 518
    Payload Size dsize Offset (relative to start of offset payload) Relative to end of last match distance Content content Case-insensitive nocase Decode as URI uricontent Note: Not all Snort functionality is supported in the ZyWALL. ZyWALL USG 50 User’s Guide…
  • Page 519: Adp

    Traffic anomaly rules look for abnormal behavior or events such as port scanning, sweeping or network flooding. It operates at OSI layer-2 and layer-3. Traffic anomaly rules may be updated when you upload new firmware. ZyWALL USG 50 User’s Guide…

  • Page 520: Before You Begin

    IDP-related term definitions. • See Section 31.4 on page 531 for background information on these screens. 31.1.4 Before You Begin Configure the ZyWALL’s zones — see Chapter 15 on page 317 for more information. ZyWALL USG 50 User’s Guide…

  • Page 521: The Adp General Screen

    [ENTER] to move the entry to the number that you typed. This is the entry’s index number in the list. Priority This is the rank in the list of anomaly profile policies. The list is applied in order of priority. ZyWALL USG 50 User’s Guide…

  • Page 522: The Profile Summary Screen

    Click Reset to return the screen to its last-saved settings. 31.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile ZyWALL USG 50 User’s Guide…

  • Page 523: Base Profiles

    Cancel Click Cancel to exit this screen without saving your changes. 31.3.2 Configuring The ADP Profile Summary Screen Select Configuration > Anti-X > ADP > Profile. Figure 308 Configuration > Anti-X > ADP > Profile ZyWALL USG 50 User’s Guide…

  • Page 524: Creating New Adp Profiles

    In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile. If you made changes to other screens ZyWALL USG 50 User’s Guide…

  • Page 525
    Chapter 31 ADP belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 309 Profiles: Traffic Anomaly ZyWALL USG 50 User’s Guide…
  • Page 526
    The ZyWALL silently drops packets that matches the rule. Neither sender nor receiver are notified. This is the entry’s index number in the list. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG 50 User’s Guide…
  • Page 527: Protocol Anomaly Profiles

    Add icon and choose a base profile, then select the Protocol Anomaly tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab. ZyWALL USG 50 User’s Guide…

  • Page 528
    Chapter 31 ADP Figure 310 Profiles: Protocol Anomaly ZyWALL USG 50 User’s Guide…
  • Page 529
    To edit an item’s log option, select it and use the Log icon. Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 46 on page 731 for more on logs. ZyWALL USG 50 User’s Guide…
  • Page 530
    Select what the ZyWALL should do when a packet matches a rule. none: The ZyWALL takes no action when a packet matches the signature(s). block: The ZyWALL silently drops packets that matches the rule. Neither sender nor receiver are notified. ZyWALL USG 50 User’s Guide…
  • Page 531: Adp Technical Reference

    IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router. ZyWALL USG 50 User’s Guide…

  • Page 532
    • UDP Filtered Portscan • IP Filtered Portscan Portscan • TCP Filtered Decoy • UDP Filtered Decoy • IP Filtered Decoy Portscan Portscan Portscan • TCP Filtered • UDP Filtered Portsweep • IP Filtered Portsweep Portsweep ZyWALL USG 50 User’s Guide…
  • Page 533
    Figure 311 Smurf Attack TCP SYN Flood Attack Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then ZyWALL USG 50 User’s Guide…
  • Page 534
    In a LAND attack, hackers flood SYN packets into a network with a spoofed source IP address of the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unavailable while they try to respond to themselves. ZyWALL USG 50 User’s Guide…
  • Page 535
    “/abc/xyz”. Also, “/abc/./xyz” gets normalized to “/abc/xyz”. If a user wants to configure an alert, then specify “yes”, otherwise “no”. This alert may give false positives since some web sites refer to files using directory traversals. ZyWALL USG 50 User’s Guide…
  • Page 536
    % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. ZyWALL USG 50 User’s Guide…
  • Page 537
    ICMP Decoder TRUNCATED-ADDRESS- This is when an ICMP packet is sent which has an ICMP HEADER ATTACK datagram length of less than the ICMP address header length. This may cause some applications to crash. ZyWALL USG 50 User’s Guide…
  • Page 538
    TRUNCATED- This is when an ICMP packet is sent which has an ICMP TIMESTAMP-HEADER datagram length of less than the ICMP Time Stamp header ATTACK length. This may cause some applications to crash. ZyWALL USG 50 User’s Guide…
  • Page 539: Content Filtering

    • Use schedule objects to define when to apply a content filter profile. • Use address and/or user/group objects to define to whose web access to apply the content filter profile. • Apply a content filter profile that you have custom-tailored. ZyWALL USG 50 User’s Guide…

  • Page 540
    URL. For example, with the URL www.zyxel.com.tw/news/ pressroom.php, the domain name is www.zyxel.com.tw. The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php. ZyWALL USG 50 User’s Guide…
  • Page 541: Before You Begin

    Licensing > Registration screens). 32.2 Content Filter General Screen Click Configuration > Anti-X > Content Filter > General to open the Content Filter General screen. Use this screen to enable content filtering, view and order ZyWALL USG 50 User’s Guide…

  • Page 542
    Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL USG 50 User’s Guide…
  • Page 543
    The web page you specify here opens in a new frame below the denied access message. Use “http://” or “https://” followed by up to 262 characters (0-9a- zA-Z;/?:@&=+$.-_!~*'()%). For example, http://192.168.1.17/ blocked access. ZyWALL USG 50 User’s Guide…
  • Page 544: Content Filter Policy Add Or Edit Screen

    32.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content ZyWALL USG 50 User’s Guide…

  • Page 545
    Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User’s Guide…
  • Page 546: Content Filter Profile Screen

    Note: You must register for external content filtering before you can use it. See Section 10.2 on page 215 for how to register. ZyWALL USG 50 User’s Guide…

  • Page 547
    Chapter 32 Content Filtering Chapter 33 on page 565 for how to view content filtering reports. Figure 317 Configuration > Anti-X > Content Filter > Filter Profile > Add ZyWALL USG 50 User’s Guide…
  • Page 548
    Chapter 32 Content Filtering Figure 318 Configuration > Anti-X > Content Filter > Filter Profile > Add (Continue) ZyWALL USG 50 User’s Guide…
  • Page 549
    The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page. ZyWALL USG 50 User’s Guide…
  • Page 550
    Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Select Log to record attempts to access web pages that are not categorized. ZyWALL USG 50 User’s Guide…
  • Page 551
    (that is, it alerts that it will send personal information, be installed, or that it will log keystrokes). Note: Sites rated as spyware should have a second category assigned with them. ZyWALL USG 50 User’s Guide…
  • Page 552
    This category includes pages that contain images or offer the Swimsuit sale of swimsuits or intimate apparel or other types of suggestive clothing. It does not include pages selling undergarments as a subsection of other products offered. ZyWALL USG 50 User’s Guide…
  • Page 553
    It does not include pages that promote collecting weapons, or groups that either support or oppose weapons use. ZyWALL USG 50 User’s Guide…
  • Page 554
    Software Downloads This category includes pages that are dedicated to the electronic download of software packages, whether for payment or at no charge. Society/Government ZyWALL USG 50 User’s Guide…
  • Page 555
    This category includes pages that offer access to Usenet news Pages groups or other messaging or bulletin board systems. Also, blog specific sites or an individual with his own blog. This does not include social networking communities with blogs. ZyWALL USG 50 User’s Guide…
  • Page 556
    Internet Telephony This category includes pages that facilitate Internet telephony or provide Internet telephony services such as voice over IP (VoIP). Health Related ZyWALL USG 50 User’s Guide…
  • Page 557
    It also includes pages dedicated to selling board games as well as journals and magazines dedicated to game playing. It includes pages that support or host online sweepstakes and giveaways. ZyWALL USG 50 User’s Guide…
  • Page 558
    Web Advertisements This category includes pages that provide online advertisements or banners. This does not include advertising servers that serve adult-oriented advertisements. Technology Computers/Internet This category includes pages that sponsor or provide information on computers, technology, the Internet and technology-related organizations and companies. ZyWALL USG 50 User’s Guide…
  • Page 559
    Click this button to see the category recorded in the external Filter Category Server content filter server’s database for the web page you specified. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User’s Guide…
  • Page 560: Content Filter Blocked And Warning Messages

    > Customization to open the Customization screen. You can create a list of good (allowed) web site addresses and a list of bad (blocked) web site addresses. You can also block web sites based on whether the web site’s address contains a ZyWALL USG 50 User’s Guide…

  • Page 561
    Restricted Web Features Select the check box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. ZyWALL USG 50 User’s Guide…
  • Page 562
    Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. ZyWALL USG 50 User’s Guide…
  • Page 563: Content Filter Technical Reference

    (such as Bad for example). Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 32.7 Content Filter Technical Reference This section provides content filtering background information. ZyWALL USG 50 User’s Guide…

  • Page 564
    ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site’s address and category are then stored in the ZyWALL’s content filter cache. ZyWALL USG 50 User’s Guide…
  • Page 565: Content Filter Reports

    You need to register your iCard before you can view content filtering reports. Alternatively, you can also view content filtering reports during the free trial (up to 30 days). Go to http://www.myZyXEL.com. ZyWALL USG 50 User’s Guide…

  • Page 566
    Chapter 33 Content Filter Reports Fill in your myZyXEL.com account information and click Login. Figure 321 myZyXEL.com: Login ZyWALL USG 50 User’s Guide…
  • Page 567
    Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 323 on page 568). Figure 322 myZyXEL.com: Welcome ZyWALL USG 50 User’s Guide…
  • Page 568
    In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 323 myZyXEL.com: Service Management In the Web Filter Home screen, click the Reports tab. Figure 324 Content Filter Reports Main Screen ZyWALL USG 50 User’s Guide…
  • Page 569
    Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report.The screens vary according to the report type you selected in the Report Home screen. ZyWALL USG 50 User’s Guide…
  • Page 570
    Chapter 33 Content Filter Reports A chart and/or list of requested web site categories display in the lower half of the screen. Figure 326 Global Report Screen Example ZyWALL USG 50 User’s Guide…
  • Page 571
    Chapter 33 Content Filter Reports You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 327 Requested URLs Example ZyWALL USG 50 User’s Guide…
  • Page 572
    Chapter 33 Content Filter Reports ZyWALL USG 50 User’s Guide…
  • Page 573: Anti-Spam

    The white list can also increases the ZyWALL’s anti-spam speed and efficiency by not having the ZyWALL perform the full anti-spam checking process on legitimate e-mail. ZyWALL USG 50 User’s Guide…

  • Page 574
    For example, in Microsoft’s Outlook Express, select a mail and click File > Properties > Details. This displays the e-mail’s header. Click Message Source to see the source for the entire mail including both the header and the body. ZyWALL USG 50 User’s Guide…
  • Page 575: Before You Begin

    Configure your zones before you configure anti-spam. 34.3 The Anti-Spam General Screen Click Configuration > Anti-X > Anti-Spam to open the Anti-Spam General screen. Use this screen to turn the anti-spam feature on or off and manage anti- ZyWALL USG 50 User’s Guide…

  • Page 576
    Click this to create a new entry . Select an entry and click Add to create a new entry after the selected entry. Edit Select an entry and click this to be able to modify it. ZyWALL USG 50 User’s Guide…
  • Page 577: The Anti-Spam Policy Add Or Edit Screen

    Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to ZyWALL USG 50 User’s Guide…

  • Page 578
    To zone. Protocols to Select which protocols of traffic to scan for spam. Scan SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. ZyWALL USG 50 User’s Guide…
  • Page 579: The Anti-Spam Black List Screen

    Configure the black list to identify spam e-mail. You can create black list entries based on the sender’s or relay server’s IP address or e-mail address. You can also create entries that check for particular e-mail header fields with specific values or ZyWALL USG 50 User’s Guide…

  • Page 580
    This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 581: The Anti-Spam Black Or White List Add/Edit Screen

    This field displays when you select the Subject type. Enter up to 63 Keyword ASCII characters of text to check for in e-mail headers. Spaces are not allowed, although you could substitute a question mark (?). See Section 34.4.2 on page 582 for more details. ZyWALL USG 50 User’s Guide…

  • Page 582: Regular Expressions In Black Or White List Entries

    You cannot use two wildcards side by side, there must be other characters between them. • The ZyWALL checks the first header with the name you specified in the entry. So if the e-mail has more than one “Received” header, the ZyWALL checks the first one. ZyWALL USG 50 User’s Guide…

  • Page 583: The Anti-Spam White List Screen

    To turn off an entry, select it and click Inactivate. Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. This is the entry’s index number in the list. ZyWALL USG 50 User’s Guide…

  • Page 584: The Dnsbl Screen

    DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 333 Configuration > Anti-X > Anti-Spam > DNSBL ZyWALL USG 50 User’s Guide…

  • Page 585
    Enter a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out. DNSBL Domain List Click this to create a new entry. ZyWALL USG 50 User’s Guide…
  • Page 586: Anti-Spam Technical Reference

    • The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours. The ZyWALL checks an e-mail’s sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache. ZyWALL USG 50 User’s Guide…

  • Page 587
    In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 50 User’s Guide…
  • Page 588
    Now that the ZyWALL has received at least one non-spam reply for each of the e- mail’s routing IP addresses, the ZyWALL immediately classifies the e-mail as legitimate and forwards it. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 50 User’s Guide…
  • Page 589
    In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 50 User’s Guide…
  • Page 590
    Chapter 34 Anti-Spam ZyWALL USG 50 User’s Guide…
  • Page 591: User/Group

    User Types These are the types of user accounts the ZyWALL uses. Table 172 Types of User Accounts TYPE ABILITIES LOGIN METHOD(S) Admin Users admin Change ZyWALL configuration (web, CLI) WWW, TELNET, SSH, FTP, Console ZyWALL USG 50 User’s Guide…

  • Page 592
    User account in the remote server. User account (Ext-User) in the ZyWALL. Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the ZyWALL. ZyWALL USG 50 User’s Guide…
  • Page 593
    • See Section 7.6 on page 133 for an example of how to use a RADIUS server to authenticate user accounts based on groups. ZyWALL USG 50 User’s Guide…
  • Page 594: User Summary Screen

    35.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores] ZyWALL USG 50 User’s Guide…

  • Page 595
    To access this screen, go to the User screen (see Section 35.2 on page 594), and click either the Add icon or an Edit icon. Figure 338 Configuration > User/Group > User > Add ZyWALL USG 50 User’s Guide…
  • Page 596
    (see Section 35.4 on page 599), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires. ZyWALL USG 50 User’s Guide…
  • Page 597: User Group Summary Screen

    Object Select an entry and click Object References to open a screen that References shows which settings use the entry. See Section 11.3.2 on page 236 an example. ZyWALL USG 50 User’s Guide…

  • Page 598: Group Add/Edit Screen

    This value is case-sensitive. User group names have to be different than user names. Description Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces. ZyWALL USG 50 User’s Guide…

  • Page 599: Setting Screen

    The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. ZyWALL USG 50 User’s Guide…

  • Page 600
    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. This field is a sequential value, and it is not associated with a specific entry. ZyWALL USG 50 User’s Guide…
  • Page 601
    This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user. User Logon Settings ZyWALL USG 50 User’s Guide…
  • Page 602: Default User Authentication Timeout Settings Edit Screens

    These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings. ZyWALL USG 50 User’s Guide…

  • Page 603
    Unlike Lease Time, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User’s Guide…
  • Page 604: User Aware Login Example

    Remaining This field displays the amount of time that remains before the ZyWALL time before automatically logs the access user out, regardless of the lease time. auth. timeout ZyWALL USG 50 User’s Guide…

  • Page 605: User /Group Technical Reference

    Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 47 on page 745 for more information about shell scripts. ZyWALL USG 50 User’s Guide…

  • Page 606
    Chapter 35 User/Group ZyWALL USG 50 User’s Guide…
  • Page 607: Addresses

    WAN IP addresses for LAN to WAN traffic. 36.2 Address Summary Screen The address screens are used to create, maintain, and remove addresses. There are the types of address objects. • HOST — a host address is defined by an IP Address. ZyWALL USG 50 User’s Guide…

  • Page 608
    This field displays the IP addresses represented by each address object. If the object’s settings are based on one of the ZyWALL’s interfaces, the name of the interface displays first followed by the object’s current address settings. ZyWALL USG 50 User’s Guide…
  • Page 609: Address Add/Edit Screen

    This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format. ZyWALL USG 50 User’s Guide…

  • Page 610: Address Group Summary Screen

    This field is a sequential value, and it is not associated with a specific address group. Name This field displays the name of each address group. Description This field displays the description of each address group, if any. ZyWALL USG 50 User’s Guide…

  • Page 611: Address Group Add/Edit Screen

    Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User’s Guide…

  • Page 612
    Chapter 36 Addresses ZyWALL USG 50 User’s Guide…
  • Page 613: Services

    Then, the connection is terminated. In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all. ZyWALL USG 50 User’s Guide…

  • Page 614: The Service Summary Screen

    In addition, this screen allows you to add, edit, and remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table ZyWALL USG 50 User’s Guide…

  • Page 615
    This field is a sequential value, and it is not associated with a specific service. Name This field displays the name of each service. Content This field displays a description of each service. ZyWALL USG 50 User’s Guide…
  • Page 616: The Service Add/Edit Screen

    Click Cancel to exit this screen without saving your changes. 37.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. ZyWALL USG 50 User’s Guide…

  • Page 617
    This field displays the name of each service group. By default, the ZyWALL uses services starting with “Default_Allow_” in the firewall rules to allow certain services to connect to the ZyWALL. Description This field displays the description of each service group, if any. ZyWALL USG 50 User’s Guide…
  • Page 618: The Service Group Add/Edit Screen

    Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User’s Guide…

  • Page 619: Schedules

    (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours. ZyWALL USG 50 User’s Guide…

  • Page 620: The Schedule Summary Screen

    This field displays the name of the schedule, which is used to refer to the schedule. Start Day / This field displays the date and time at which the schedule begins. Time Stop Day / This field displays the date and time at which the schedule ends. Time ZyWALL USG 50 User’s Guide…

  • Page 621: The One-Time Schedule Add/Edit Screen

    Name Type the name used to refer to the one-time schedule. You may use 1- 31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive. ZyWALL USG 50 User’s Guide…

  • Page 622: The Recurring Schedule Add/Edit Screen

    Click Cancel to exit this screen without saving your changes. 38.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen ZyWALL USG 50 User’s Guide…

  • Page 623
    Weekly Week Days Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User’s Guide…
  • Page 624
    Chapter 38 Schedules ZyWALL USG 50 User’s Guide…
  • Page 625: Aaa Server

    The ZyWALL tries to bind (or log in) to the LDAP/AD server. When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair. If it matches, the user is allowed access. Otherwise, access is blocked. ZyWALL USG 50 User’s Guide…

  • Page 626: Radius Server

    39.1.4 What You Can Do in this Chapter • Use the Configuration > Object > AAA Server > Active Directory (or LDAP) screens (Section 39.2 on page 629) to configure Active Directory or LDAP server objects. ZyWALL USG 50 User’s Guide…

  • Page 627: What You Need To Know

    RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location. Directory Structure The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or ZyWALL USG 50 User’s Guide…

  • Page 628
    If the bind password is incorrect, the login will fail. Finding Out More • See Section 7.5.3 on page 126 for an example of how to set up user authentication using a radius server. ZyWALL USG 50 User’s Guide…
  • Page 629: Active Directory Or Ldap Server Summary

    39.2.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the ZyWALL USG 50 User’s Guide…

  • Page 630
    Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP se rver(s) in this group. ZyWALL USG 50 User’s Guide…
  • Page 631: Radius Server Summary

    Click OK to save the changes. Cancel Click Cancel to discard the changes. 39.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users. ZyWALL USG 50 User’s Guide…

  • Page 632
    Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. Apply Click Apply to save the changes. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 633: Adding A Radius Server

    If the RADIUS server has a backup server, enter its address here. Address Backup Specify the port number on the RADIUS server to which the ZyWALL Authentication sends authentication requests. Enter a number between 1 and 65535. Port ZyWALL USG 50 User’s Guide…

  • Page 634
    “sales”, “RD”, and “management”. Then you could also create a ext- group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”. Click OK to save the changes. Cancel Click Cancel to discard the changes. ZyWALL USG 50 User’s Guide…
  • Page 635: Authentication Method

    Follow the steps below to specify the authentication method for a VPN connection. Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. Click Show Advance Setting and select Enable Extended Authentication. ZyWALL USG 50 User’s Guide…

  • Page 636: Authentication Method Objects

    Select an entry and click Object References to open a screen that shows References which settings use the entry. See Section 11.3.2 on page 236 for an example. This field displays the index number. Method Name This field displays a descriptive name for identification purposes. ZyWALL USG 50 User’s Guide…

  • Page 637: Creating An Authentication Method Object

    ZyWALL does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. Note: You can NOT select two server objects of the same type. ZyWALL USG 50 User’s Guide…

  • Page 638
    If two accounts with the same username exist on two authentication servers you specify, the ZyWALL does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. ZyWALL USG 50 User’s Guide…
  • Page 639
    Click Add to add a new entry. Click Edit to edit the settings of an entry. Click Delete to delete an entry. Click OK to save the changes. Cancel Click Cancel to discard the changes. ZyWALL USG 50 User’s Guide…
  • Page 640
    Chapter 40 Authentication Method ZyWALL USG 50 User’s Guide…
  • Page 641: Certificates

    Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). ZyWALL USG 50 User’s Guide…

  • Page 642
    • Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. Self-signed Certificates You can have the ZyWALL act as a certification authority and sign its own certificates. ZyWALL USG 50 User’s Guide…
  • Page 643: Verifying A Certificate

    MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate. Browse to where you have the certificate saved on your computer. ZyWALL USG 50 User’s Guide…

  • Page 644
    Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection. ZyWALL USG 50 User’s Guide…
  • Page 645: The My Certificates Screen

    This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. ZyWALL USG 50 User’s Guide…

  • Page 646: The My Certificates Add Screen

    Click Refresh to display the current validity status of the certificates. 41.2.1 The My Certificates Add Screen Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ZyWALL USG 50 User’s Guide…

  • Page 647
    Chapter 41 Certificates ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 370 Configuration > Object > Certificate > My Certificates > Add ZyWALL USG 50 User’s Guide…
  • Page 648
    Create a self- Select this to have the ZyWALL generate the certificate and act as signed certificate the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates. ZyWALL USG 50 User’s Guide…
  • Page 649
    You must have the certification authority’s certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the ZyWALL’s list of certificates of trusted certification authorities. ZyWALL USG 50 User’s Guide…
  • Page 650
    Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online. ZyWALL USG 50 User’s Guide…
  • Page 651: The My Certificates Edit Screen

    Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 371 Configuration > Object > Certificate > My Certificates > Edit ZyWALL USG 50 User’s Guide…

  • Page 652
    “none” displays for a certification request. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request. ZyWALL USG 50 User’s Guide…
  • Page 653
    Private Key Type the certificate’s password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. ZyWALL USG 50 User’s Guide…
  • Page 654: The My Certificates Import Screen

    Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyWALL. Browse Click Browse to find the certificate file you want to upload. ZyWALL USG 50 User’s Guide…

  • Page 655: The Trusted Certificates Screen

    Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action. ZyWALL USG 50 User’s Guide…

  • Page 656: The Trusted Certificates Edit Screen

    Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ZyWALL to check a certification ZyWALL USG 50 User’s Guide…

  • Page 657
    Chapter 41 Certificates authority’s list of revoked certificates before trusting a certificate issued by the certification authority. Figure 374 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL USG 50 User’s Guide…
  • Page 658
    (usually a certification authority). Password Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority). Certificate These read-only fields display detailed information about the Information certificate. ZyWALL USG 50 User’s Guide…
  • Page 659
    This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. ZyWALL USG 50 User’s Guide…
  • Page 660: The Trusted Certificates Import Screen

    ZyWALL. Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 375 Configuration > Object > Certificate > Trusted Certificates > Import ZyWALL USG 50 User’s Guide…

  • Page 661: Certificates Technical Reference

    The second is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns a “expired”, “current” or “unknown” response. ZyWALL USG 50 User’s Guide…

  • Page 662
    Chapter 41 Certificates ZyWALL USG 50 User’s Guide…
  • Page 663: Isp Accounts

    ISP accounts in the ZyWALL. 42.2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL. To access this screen, click Configuration > Object > ISP Account. Figure 376 Configuration > Object > ISP Account ZyWALL USG 50 User’s Guide…

  • Page 664: Isp Account Edit

    Account screen. (See Section 42.2 on page 663.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below. Figure 377 Configuration > Object > ISP Account > Edit ZyWALL USG 50 User’s Guide…

  • Page 665
    If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank. If this ISP account uses the PPTP protocol, this field is not displayed. ZyWALL USG 50 User’s Guide…
  • Page 666
    ISP Account Edit screen. Cancel Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists). ZyWALL USG 50 User’s Guide…
  • Page 667: Ssl Application

    Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access. ZyWALL USG 50 User’s Guide…

  • Page 668: Example: Specifying A Web Site For Access

    This example shows you how to create a web-based application for an internal web site. The address of the web site is http://info with web page encryption. Click Configuration > Object > SSL Application in the navigation panel. ZyWALL USG 50 User’s Guide…

  • Page 669: The Ssl Application Screen

    43.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object > SSL Application in the navigation panel. Figure 380 Configuration > Object > SSL Application ZyWALL USG 50 User’s Guide…

  • Page 670: Creating/Editing A Web-Based Ssl Application Object

    To configure a web-based application, click the Add or Edit button in the SSL Application screen and select Web Application in the Type field to display the configuration screen as shown. Figure 381 Configuration > Object > SSL Application > Add/Edit: Web Application ZyWALL USG 50 User’s Guide…

  • Page 671
    If a link contains a file that is not within this domain, then remote users cannot access it. Preview This field displays if the Server Type is set to Web Server, OWA or Weblink. Click Preview to access the URL you specified in a new IE web browser. ZyWALL USG 50 User’s Guide…
  • Page 672
    Select this option to prevent users from saving the web content. Encryption Click Ok to save the changes and return to the main SSL Application Configuration screen. Cancel Click Cancel to discard the changes and return to the main SSL Application Configuration screen. ZyWALL USG 50 User’s Guide…
  • Page 673: Endpoint Security

    SSL VPN access policy; in this example a web server. SSL VPN user C fails all of the SSL VPN’s endpoint security check and is not given any access. Figure 382 Endpoint Security ZyWALL USG 50 User’s Guide…

  • Page 674: What You Can Do In This Chapter

    User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. Finding Out More Section 7.7 on page 135 for an example of how to use endpoint security and authentication policies. ZyWALL USG 50 User’s Guide…

  • Page 675: Endpoint Security Screen

    Enter a message to display when a user’s computer fails the endpoint Failure security check. Use up to 1023 characters (0-9a-zA-Z;/?:@=+$.- Message _!*'()%,”). For example, “Endpoint Security checking failed. Please contact your network administrator for help.”. ZyWALL USG 50 User’s Guide…

  • Page 676: Endpoint Security Add/Edit

    Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object. Figure 384 Configuration > Object > Endpoint Security > Add ZyWALL USG 50 User’s Guide…

  • Page 677
    Chapter 44 Endpoint Security ZyWALL USG 50 User’s Guide…
  • Page 678
    The user’s computer must have one of the listed personal firewalls to pass this checking item. For some personal firewalls the ZyWALL can also detect whether or not the firewall is activated; in those cases it must also be activated. ZyWALL USG 50 User’s Guide…
  • Page 679
    The user’s computer must not have any of the listed applications running to pass this checking item. Include the filename extension for Linux operating systems. Click Add to create a new entry. Select one or more entries and click Remove to delete it or them. ZyWALL USG 50 User’s Guide…
  • Page 680
    The user’s computer must pass one of the listed file information checks to pass this checking item. Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. ZyWALL USG 50 User’s Guide…
  • Page 681: System

    IP addresses the access can come. You can upload and download the ZyWALL’s firmware and configuration files using FTP. Please also see Chapter 47 on page 745 for more information about firmware and configuration files. ZyWALL USG 50 User’s Guide…

  • Page 682: Host Name

    254 alphanumeric characters long. Spaces are not allowed, but dashes “-” are accepted. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…

  • Page 683: Usb Storage

    Click Reset to return the screen to its last-saved settings. 45.4 Date and Time For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL’s Real Time Chip (RTC) keeps track of the time and date. There is also ZyWALL USG 50 User’s Guide…

  • Page 684
    When you enter the time settings manually, the ZyWALL uses the new setting once you click Apply. ZyWALL USG 50 User’s Guide…
  • Page 685
    European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany’s time zone is one hour ahead of GMT or UTC (GMT+1). ZyWALL USG 50 User’s Guide…
  • Page 686: Pre-Defined Ntp Time Servers List

    If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. ZyWALL USG 50 User’s Guide…

  • Page 687: Time Server Synchronization

    Select Get from Time Server under Time and Date Setup. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings. ZyWALL USG 50 User’s Guide…

  • Page 688: Console Port Speed

    DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. ZyWALL USG 50 User’s Guide…

  • Page 689: Dns Server Address Assignment

    You can also configure the ZyWALL to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the ZyWALL sends to the specified DHCP client devices. Figure 390 Configuration > System > DNS ZyWALL USG 50 User’s Guide…

  • Page 690
    A “*” means all domain zones. Type This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined). ZyWALL USG 50 User’s Guide…
  • Page 691
    DNS queries. Action This displays whether the ZyWALL accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny). ZyWALL USG 50 User’s Guide…
  • Page 692: Address Record

    IP address to a domain name. 45.6.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 391 Configuration > System > DNS > Address/PTR Record Edit ZyWALL USG 50 User’s Guide…

  • Page 693: Domain Zone Forwarder

    45.6.7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 392 Configuration > System > DNS > Domain Zone Forwarder Add ZyWALL USG 50 User’s Guide…

  • Page 694: Mx Record

    Each host or domain can have only one MX record, that is, one domain is mapping to one host. ZyWALL USG 50 User’s Guide…

  • Page 695: Adding A Mx Record

    Click Cancel to exit this screen without saving 45.6.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 394 Configuration > System > DNS > Service Control Rule Add ZyWALL USG 50 User’s Guide…

  • Page 696: Www Overview

    HTTPS access from all zones except the LAN. To stop a service from accessing the ZyWALL, clear Enable in the corresponding service screen. 45.7.1 Service Access Limitations A service cannot be used to access the ZyWALL when: ZyWALL USG 50 User’s Guide…

  • Page 697: System Timeout

    Certificates is optional and if selected means the HTTPS client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 698: Configuring Www Service Control

    Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from. ZyWALL USG 50 User’s Guide…

  • Page 699
    Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using secure HTTPs connections. ZyWALL USG 50 User’s Guide…
  • Page 700
    This is the object name of the IP address(es) with which the computer is allowed or denied to access. Action This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). ZyWALL USG 50 User’s Guide…
  • Page 701
    ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Authentication Client Select a method the HTTPS or HTTP server uses to authenticate a Authentication client. Method You must have configured the authentication methods in the Auth. method screen. ZyWALL USG 50 User’s Guide…
  • Page 702: Service Control Rules

    Click Cancel to exit this screen without saving 45.7.6 Customizing the WWW Login Page Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can ZyWALL USG 50 User’s Guide…

  • Page 703
    Web Configurator to access network services like the Internet. See Chapter 35 on page for more on access user accounts. Figure 398 Configuration > System > WWW > Login Page ZyWALL USG 50 User’s Guide…
  • Page 704
    Note Message (last line of text) Figure 400 Access Page Customization Logo Title Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: ZyWALL USG 50 User’s Guide…
  • Page 705
    Web Configurator to access network services like the Internet. Title Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed. Message Color Specify the color of the screen’s text. ZyWALL USG 50 User’s Guide…
  • Page 706: Https Example

    You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the Web Configurator login screen; if you select No, then Web Configurator access is blocked. Figure 401 Security Alert Dialog Box (Internet Explorer) ZyWALL USG 50 User’s Guide…

  • Page 707: Netscape Navigator Warning Messages

    Figure 403 Security Certificate 2 (Netscape) 45.7.7.3 Avoiding Browser Warning Messages Here are the main reasons your browser displays warnings about the ZyWALL’s HTTPS server certificate and what you can do to avoid seeing the warnings: ZyWALL USG 50 User’s Guide…

  • Page 708: Login Screen

    The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). ZyWALL USG 50 User’s Guide…

  • Page 709
    45.7.7.5.1 Installing the CA’s Certificate Double click the CA’s trusted certificate to produce a screen similar to the one shown next. Figure 406 CA Certificate Example Click Install Certificate and follow the wizard as shown earlier in this appendix. ZyWALL USG 50 User’s Guide…
  • Page 710
    The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 408 Personal Certificate Import Wizard 2 ZyWALL USG 50 User’s Guide…
  • Page 711
    Figure 409 Personal Certificate Import Wizard 3 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 410 Personal Certificate Import Wizard 4 ZyWALL USG 50 User’s Guide…
  • Page 712: Using A Certificate When Accessing The Zywall Example

    45.7.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. Enter ‘https://ZyWALL IP Address/ in your browser’s web address field. Figure 413 Access the ZyWALL Via HTTPS ZyWALL USG 50 User’s Guide…

  • Page 713: Ssh

    Figure 415 Secure Web Configurator Login Screen 45.8 SSH You can use SSH (Secure SHell) to securely access the ZyWALL’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. ZyWALL USG 50 User’s Guide…

  • Page 714: How Ssh Works

    The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. ZyWALL USG 50 User’s Guide…

  • Page 715: Ssh Implementation On The Zywall

    Click Configuration > System > SSH to change your ZyWALL’s Secure Shell settings. Use this screen to specify from which zones SSH can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL USG 50 User’s Guide…

  • Page 716
    Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. ZyWALL USG 50 User’s Guide…
  • Page 717: Secure Telnet Using Ssh Examples

    Configure the SSH client to accept connection using SSH version 1. A window displays prompting you to store the host key in you computer. Click Yes to continue. Figure 419 SSH Example 1: Store Host Key ZyWALL USG 50 User’s Guide…

  • Page 718: Telnet

    Administrator@192.168.1.1’s password: The CLI screen displays next. 45.9 Telnet You can use Telnet to access the ZyWALL’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. ZyWALL USG 50 User’s Guide…

  • Page 719: Configuring Telnet

    To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. ZyWALL USG 50 User’s Guide…

  • Page 720: Ftp

    45.10.1 Configuring FTP To change your ZyWALL’s FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can ZyWALL USG 50 User’s Guide…

  • Page 721
    Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. ZyWALL USG 50 User’s Guide…
  • Page 722: Snmp

    Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) ZyWALL USG 50 User’s Guide…

  • Page 723
    SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: • Get — Allows the manager to retrieve an object variable from the agent. ZyWALL USG 50 User’s Guide…
  • Page 724: Supported Mibs

    This trap is sent when an SNMP request comes from non-authenticated hosts. 45.11.3 Configuring SNMP To change your ZyWALL’s SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP ZyWALL USG 50 User’s Guide…

  • Page 725
    SNMP manager. The default is public and allows all requests. Destination Type the IP address of the station to send your SNMP traps to. Service This specifies from which computers you can access which ZyWALL Control zones. ZyWALL USG 50 User’s Guide…
  • Page 726: Vantage Cnm

    If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the Web Configurator or commands) without notifying the Vantage CNM administrator. ZyWALL USG 50 User’s Guide…

  • Page 727: Configuring Vantage Cnm

    If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this). ZyWALL USG 50 User’s Guide…

  • Page 728
    Select the Vantage CNM server’s certificate. This applies when you Certificate enable HTTPS authentication. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…
  • Page 729: Language Screen

    You also need to open a new browser session to display the screens in the new language. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User’s Guide…

  • Page 730
    Chapter 45 System ZyWALL USG 50 User’s Guide…
  • Page 731: Log And Report

    46.2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your ZyWALL. Note: Data collection may decrease the ZyWALL’s traffic throughput rate. ZyWALL USG 50 User’s Guide…

  • Page 732
    Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 428 Configuration > Log & Report > Email Daily Report ZyWALL USG 50 User’s Guide…
  • Page 733: Log Setting Screens

    The system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers. ZyWALL USG 50 User’s Guide…

  • Page 734: Log Setting Summary

    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL USG 50 User’s Guide…

  • Page 735: Edit System Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 46.3.1 on page 734), and click the system log Edit icon. ZyWALL USG 50 User’s Guide…

  • Page 736
    Chapter 46 Log and Report Figure 430 Configuration > Log & Report > Log Setting > Edit (System Log) ZyWALL USG 50 User’s Guide…
  • Page 737
    2 also has normal logs enabled, the ZyWALL will e-mail logs to them. enable normal logs and debug logs (yellow check mark) — create log messages, alerts, and debugging information for all categories. The ZyWALL does not e-mail debugging information, even if this setting is selected. ZyWALL USG 50 User’s Guide…
  • Page 738
    (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The ZyWALL does not e-mail debugging information, even if it is recorded in the System log. Log Consolidation ZyWALL USG 50 User’s Guide…
  • Page 739
    Message field. Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 50 User’s Guide…
  • Page 740: Edit Remote Server Log Settings

    (syslog). Go to the Log Settings Summary screen (see Section 46.3.1 on page 734), and click a remote server Edit icon. Figure 431 Configuration > Log & Report > Log Setting > Edit (Remote Server) ZyWALL USG 50 User’s Guide…

  • Page 741
    (yellow check mark) — log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 50 User’s Guide…
  • Page 742: Active Log Summary Screen

    This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 46.3.2 on page 735, where this process is discussed. (The Default category includes debugging messages generated by open source software.) ZyWALL USG 50 User’s Guide…

  • Page 743
    This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. ZyWALL USG 50 User’s Guide…
  • Page 744
    (yellow check mark) — log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 50 User’s Guide…
  • Page 745: File Manager

    When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change. ZyWALL USG 50 User’s Guide…

  • Page 746: Comments In Configuration Files Or Shell Scripts

    Comments in Configuration Files or Shell Scripts In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the ZyWALL treat the line as a comment. ZyWALL USG 50 User’s Guide…

  • Page 747
    The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors. ZyWALL USG 50 User’s Guide…
  • Page 748: The Configuration File Screen

    The ZyWALL still generates a log for any errors. Figure 434 Maintenance > File Manager > Configuration File Do not turn off the ZyWALL while configuration file upload is in progress. ZyWALL USG 50 User’s Guide…

  • Page 749
    Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file. Download Click a configuration file’s row to select it and click Download to save the configuration to your computer. ZyWALL USG 50 User’s Guide…
  • Page 750
    Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. ZyWALL USG 50 User’s Guide…
  • Page 751
    The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. ZyWALL USG 50 User’s Guide…
  • Page 752: The Firmware Package Screen

    47.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 753
    Browse… Click Browse… to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes. ZyWALL USG 50 User’s Guide…
  • Page 754: The Shell Script Screen

    Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the ZyWALL at the same time. ZyWALL USG 50 User’s Guide…

  • Page 755
    Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file. Download Click a shell script file’s row to select it and click Download to save the configuration to your computer. ZyWALL USG 50 User’s Guide…
  • Page 756
    Type in the location of the file you want to upload in this field or click Browse … to find it. Browse… Click Browse… to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. ZyWALL USG 50 User’s Guide…
  • Page 757: Diagnostics

    48.2 The Diagnostic Screen The Diagnostic screen provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. ZyWALL USG 50 User’s Guide…

  • Page 758: The Diagnostics Files Screen

    This screen lists the files of diagnostic information the ZyWALL has collected and stored in a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 446 Maintenance > Diagnostics > Files ZyWALL USG 50 User’s Guide…

  • Page 759: The Packet Capture Screen

    Use this screen to capture network traffic going through the ZyWALL’s interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. ZyWALL USG 50 User’s Guide…

  • Page 760
    Select User Defined to be able to enter an IP address. Host Port This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture. ZyWALL USG 50 User’s Guide…
  • Page 761
    Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name. The file name format is “interface name-file suffix.cap”, for example “vlan2-packet-capture.cap”. ZyWALL USG 50 User’s Guide…
  • Page 762: The Packet Capture Files Screen

    ZyWALL or a connected USB storage device. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. Figure 448 Maintenance > Diagnostics > Packet Capture > Files ZyWALL USG 50 User’s Guide…

  • Page 763: Example Of Viewing A Packet Capture File

    Notice that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The ZyWALL truncated the frame because the capture screen’s Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes. ZyWALL USG 50 User’s Guide…

  • Page 764: Core Dump Screen

    USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics > Core Dump to open the following screen. Figure 450 Maintenance > Diagnostics > Core Dump ZyWALL USG 50 User’s Guide…

  • Page 765: Core Dump Files Screen

    This column displays the number for each packet capture file entry. The total number of packet capture files that you can save depends on the file sizes and the available flash storage space. File Name This column displays the label that identifies the file. ZyWALL USG 50 User’s Guide…

  • Page 766: The System Log Screen

    This column displays the label that identifies the file. Size This column displays the size (in bytes) of a file. Last This column displays the date and time that the individual files were saved. Modified ZyWALL USG 50 User’s Guide…

  • Page 767: Packet Flow Explore

    • use policy routes to control 1-1 NAT by using the policy control-virtual- server-rules activate command. • select use policy routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection screen. ZyWALL USG 50 User’s Guide…

  • Page 768
    Figure 454 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 455 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 456 Maintenance > Packet Flow Explore > Routing Status (SitetoSite VPN) ZyWALL USG 50 User’s Guide…
  • Page 769
    Figure 458 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 459 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 460 Maintenance > Packet Flow Explore > Routing Status (Main Route) ZyWALL USG 50 User’s Guide…
  • Page 770
    This is the DSCP value of incoming packets to which this policy route applies. See Section 13.2 on page 290 for more information. Next Hop This is the type of the next hop to which packets are directed. Type ZyWALL USG 50 User’s Guide…
  • Page 771: The Snat Status Screen

    Maintenance > Packet Flow Explore > SNAT Status. The order of the SNAT flow may vary depending on whether you: • select use default SNAT in the CONFIGURATION > Network > Interface > Trunk screen. ZyWALL USG 50 User’s Guide…

  • Page 772
    Figure 462 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) Figure 463 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT) Figure 464 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) ZyWALL USG 50 User’s Guide…
  • Page 773
    This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the ZyWALL uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. ZyWALL USG 50 User’s Guide…
  • Page 774
    Chapter 49 Packet Flow Explore ZyWALL USG 50 User’s Guide…
  • Page 775: Reboot

    Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 776
    Chapter 50 Reboot ZyWALL USG 50 User’s Guide…
  • Page 777: Shutdown

    Click the Shutdown button to shut down the ZyWALL. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shutdown the ZyWALL. ZyWALL USG 50 User’s Guide…

  • Page 778
    Chapter 51 Shutdown ZyWALL USG 50 User’s Guide…
  • Page 779: Troubleshooting

    5 seconds (or until the PWR LED starts to blink), then release it. It returns the ZyWALL to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.; see your User’s Guide for details). ZyWALL USG 50 User’s Guide…

  • Page 780
    I downloaded updated anti-virus or IDP/application patrol signatures. Why has the ZyWALL not re-booted yet? The ZyWALL does not have to reboot when you upload new signatures. The content filter category service is not working. ZyWALL USG 50 User’s Guide…
  • Page 781
    You cannot specify the number after the colon(:) in the Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface. ZyWALL USG 50 User’s Guide…
  • Page 782
    53 on page 795 for details. • Make sure you have the cellular interface enabled. • Make sure the cellular interface has the correct user name, password, and PIN code configured with the correct casing. ZyWALL USG 50 User’s Guide…
  • Page 783
    The scanning engine checks the contents of the packets for virus. If a virus pattern is matched, the ZyWALL removes the infected portion of the file along with the rest of the file. The un-infected portion of the file before a virus pattern was ZyWALL USG 50 User’s Guide…
  • Page 784
    I uploaded a custom signature file and now all of my earlier custom signatures are gone. The name of the complete custom signature file on the ZyWALL is ‘custom.rules’. If you import a file named ‘custom.rules’, then all custom signatures on the ZyWALL USG 50 User’s Guide…
  • Page 785
    • You may need to configure the DDNS entry’s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the ZyWALL and the DDNS server. ZyWALL USG 50 User’s Guide…
  • Page 786
    LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. See Asymmetrical Routes on page 371 and the chapter about interfaces for more information. ZyWALL USG 50 User’s Guide…
  • Page 787
    Check the configuration for the following ZyWALL features. • The ZyWALL does not put IPSec SAs in the routing table. You must create a policy route for each VPN tunnel. See Chapter 13 on page 287. ZyWALL USG 50 User’s Guide…
  • Page 788
    127 x 57 pixels. The file size must be 100 kilobytes or less. Transparent background is recommended. I logged into the SSL VPN but cannot see some of the resource links. ZyWALL USG 50 User’s Guide…
  • Page 789
    The ZyWALL allows the first eight packets to go through the firewall, regardless of the application patrol policy for the application. The ZyWALL examines these first eight packets to identify the application. ZyWALL USG 50 User’s Guide…
  • Page 790
    I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is not being applied at the configured times. Make sure the ZyWALL’s current date and time are correct. ZyWALL USG 50 User’s Guide…
  • Page 791
    I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. ZyWALL USG 50 User’s Guide…
  • Page 792
    I cannot get the firmware uploaded using the commands. The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. ZyWALL USG 50 User’s Guide…
  • Page 793: Resetting The Zywall

    Note: This procedure removes the current configuration. If you want to reboot the device without changing the current configuration, see Chapter 50 on page 775. Make sure the SYS LED is on and not blinking. ZyWALL USG 50 User’s Guide…

  • Page 794: Getting More Troubleshooting Help

    Release the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 52.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL USG 50 User’s Guide…

  • Page 795: Product Specifications

    Humidity: 20% to 95% (non-condensing) Storage Environment Temperature: -30 C to 60 C Humidity: 20% to 95% (non-condensing) MTBF Mean Time Between Failures: 323,823 hours Dimensions 242 (W) x 175 (D) x 35.5 (H) mm Weight 1.2 kg ZyWALL USG 50 User’s Guide…

  • Page 796
    1000 APPLICATION PATROL Maximum Rules for Other Protocols Maximum Rules for Each Protocol Default Ports USER PROFILES Maximum Local Users Maximum Admin Users Maximum User Groups Maximum Users in One User Group OBJECTS Address Objects ZyWALL USG 50 User’s Guide…
  • Page 797
    8 per service Maximum DHCP Host Pool Maximum Number of DDNS Profiles DHCP Relay 2 per interface CENTRALIZED LOG Log Entries Debug Log Entries 1024 Admin E-mail Addresses Syslog Servers Maximum Number of IDP Profiles ZyWALL USG 50 User’s Guide…
  • Page 798
    Maximum Number of White List Entries Maximum Number of Black List Entries Maximum Number of Anti-Virus Statistics Maximum Anti-Virus Statistics Ranking SSL VPN Maximum SSL VPN Connections 2 (license upgradable to 5) OTHERS Maximum Number of OSPF Areas ZyWALL USG 50 User’s Guide…
  • Page 799
    Used by Time service RFCs 3339 Used by Telnet service RFCs 318, 854, 1413 Used by SIP ALG RFCs 3261, 3264 DHCP relay RFC 1541 ZySH W3C XML standard RFC 826 IP/IPv4 RFC 791 RFC 793 ZyWALL USG 50 User’s Guide…
  • Page 800: Power Adaptor Specifications

    INPUT POWER 100-240VAC, 50/60HZ, 0.5A OUTPUT POWER 12VDC, 3.5A POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS Table 258 China Plug Standards AC POWER ADAPTOR MODEL PSA18R-120P (ZA)-R INPUT POWER 100-240VAC, 50/60HZ, 0.5A OUTPUT POWER 12VDC, 3.5A ZyWALL USG 50 User’s Guide…

  • Page 801
    Chapter 53 Product Specifications Table 258 China Plug Standards POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS ZyWALL USG 50 User’s Guide…
  • Page 802
    Chapter 53 Product Specifications ZyWALL USG 50 User’s Guide…
  • Page 803: Appendix A Log Descriptions

    %s: website host The device allowed access to a web site. The content filtering %s: Service is not service is unregistered and the default policy is not set to registered block. %s: website host ZyWALL USG 50 User’s Guide…

  • Page 804: Appendix A Log Descriptions

    The web site contains Java applet and access was blocked %s: Contains Java according to a profile. applet %s: website host The web site contains a cookie and access was blocked %s: Contains cookie according to a profile. %s: website host ZyWALL USG 50 User’s Guide…

  • Page 805
    The anti-spam white list rule with the specified index number White List rule %d has (%d) has been turned on. been activated. The anti-spam white list rule with the specified index number White List rule %d has (%d) has been turned off. been deactivated. ZyWALL USG 50 User’s Guide…
  • Page 806
    %s) and Subject (second %s) header values are listed. From:%s Subject:%s The number of concurrent e-mail sessions has exceeded the Mail sessions have maximum number of concurrent e-mail sessions that the reached the maximum anti-spam feature can handle (%d). threshold of %d. ZyWALL USG 50 User’s Guide…
  • Page 807
    The listed address object (first %s) is not the right kind for The %s address-object the second WINS server specified in the listed SSL VPN is wrong type for policy (second %s). ‘2nd-wins’ in SSL Policy %s. ZyWALL USG 50 User’s Guide…
  • Page 808
    SSL VPN policy rule %s position (%d) in the list of SSL VPN policies. has been moved to %d. The listed SSL VPN policy has been removed. SSL VPN policy rule %s has been deleted. ZyWALL USG 50 User’s Guide…
  • Page 809
    SSLVPN from %s exist. (incorrect password or inexistent username) Messages were not received from the UAM daemon. %s: Failed to receive messages from uam daemon. ZyWALL USG 50 User’s Guide…
  • Page 810
    Can’t append entry: %s! 1st:zysh entry name 1st:zysh entry name Can’t set entry: %s! Can’t define entry: %s! 1st:zysh entry name 1st:zysh list name %s: list is full! 1st:zysh list name Can’t undefine %s ZyWALL USG 50 User’s Guide…
  • Page 811
    1st:zysh entry num Unable to move entry #%d! 1st:zysh table name %s: apply failed at initial stage! 1st:zysh table name %s: apply failed at main stage! 1st:zysh table name %s: apply failed at closing stage! ZyWALL USG 50 User’s Guide…
  • Page 812
    The ZyWALL’s ADP feature detected traffic with the same IP LAND attack packet. address set as both the source and the destination. Source IP is the same as Destination IP. ZyWALL USG 50 User’s Guide…
  • Page 813
    A file matched a file pattern in the anti-virus black list. %s, %s matched the Black-List %s 1st %s: The protocol of the packet. 2nd %s: The filename of the related file. 3rd %s: The file pattern that the file matched. ZyWALL USG 50 User’s Guide…
  • Page 814
    (2nd %d). been moved to %d All of the anti-virus rules have been deleted. Anti-Virus rules have been flushed. The anti-virus rule of the specified number has been Anti-Virus rule %d has deleted. been deleted. ZyWALL USG 50 User’s Guide…
  • Page 815
    2nd %s: The filename of the related file. 3rd %s: Whether the file was deleted (DESTROY) or forwarded (PASS). Updating of the signature file information failed due to an Update signature info internal error. has failed. ZyWALL USG 50 User’s Guide…
  • Page 816
    Too many failed login attempts were made from an IP Address %u.%u.%u.%u has address so the ZyWALL is blocking login attempts from that been put into lockout IP address. state %u.%u.%u.%u: the source address of the user’s login attempt ZyWALL USG 50 User’s Guide…
  • Page 817
    Device registration failed, an error message returned by the Device registration MyZyXEL.com server will be appended to this log. has failed:%s. %s: error message returned by the myZyXEL.com server The device registered successfully with the myZyXEL.com Device registration server. has succeeded. ZyWALL USG 50 User’s Guide…
  • Page 818
    The device could not connect to the MyZyXEL.com server. Connect to MyZyXEL.com server has failed. The device started to check whether or not the user name in Do account check. MyZyXEL.com’s database. ZyWALL USG 50 User’s Guide…
  • Page 819
    File download to the update server again. after %d seconds. The device already has the latest version of the file so no Device has latest update is needed. file. No need to update. ZyWALL USG 50 User’s Guide…
  • Page 820
    Some information was missing in the packets that the device Build query message sent to the server. has failed. The device could not process an HTTPS connection because it Verify server’s could not verify the server’s certificate. certificate has failed. ZyWALL USG 50 User’s Guide…
  • Page 821
    Load trusted root the device can verify a server’s certificate. This log displays if certificates has the device failed to load it. failed. Verification of a server’s certificate failed because it has Certificate has expired. expired. ZyWALL USG 50 User’s Guide…
  • Page 822
    The device turned off the use of the IDP signature file. Disable IDP succeeded. The device failed to turn on the IDP engine. Enable IDP engine failed. The device failed to turn off the IDP engine. Disable IDP engine failed. ZyWALL USG 50 User’s Guide…
  • Page 823
    (second num), and the number of the custom signature is <num. Adding custom (third num) that was not added display. signature number is <num>. The device failed to get the custom IDP signature number. Get custom signature number error. ZyWALL USG 50 User’s Guide…
  • Page 824
    The setting for IDP Out of memory. IDP activation has not changed. activation unchanged. Activation of the IDP system-protect function failed due to System-protect error. an internal system error. Create IDP proc failed. IDP activation failed. ZyWALL USG 50 User’s Guide…
  • Page 825
    Checking for duplicated signature IDs failed. There was an Check duplicate sid error while allocating memory. failed. Allocate memory error. Checking for duplicated signature IDs failed. Opening a Check duplicate sid temporary file failed. failed. Open file error. ZyWALL USG 50 User’s Guide…
  • Page 826
    An application patrol rule has been modified. 1st %s: Rule %s:%s has been Protocol Name, 2nd: Rule Index. modified Application patrol was turned on. App. Patrol has been activated. Application patrol was turned off. App. Patrol has been deactivated. ZyWALL USG 50 User’s Guide…
  • Page 827
    System fatal error: 60011003. The device failed to turn application patrol off while the System fatal error: system was initiating. 60011004. The specified MSN user has logged in or logged out. MSN user %s has logged ZyWALL USG 50 User’s Guide…
  • Page 828
    [SA] : Tunnel [%s] authentication method did not match. Phase 1 authentication method mismatch %s is the tunnel name. When negotiating Phase-1, the [SA] : Tunnel [%s] encryption algorithm did not match. Phase 1 encryption algorithm mismatch ZyWALL USG 50 User’s Guide…
  • Page 829
    %s is the tunnel name. The tunnel is a dynamic tunnel and Could not dial dynamic the device cannot dial it. tunnel «%s» %s is the tunnel name. The tunnel setting is not complete. Could not dial incomplete tunnel «%s» ZyWALL USG 50 User’s Guide…
  • Page 830
    %s is the tunnel name. When IKE request is already sent but Tunnel [%s] IKE still attempting to dial a tunnel. Negotiation is in process %s is the gateway name. An administrator disabled the VPN VPN gateway %s was gateway. disabled ZyWALL USG 50 User’s Guide…
  • Page 831
    An outgoing packet needed to be transformed but was longer Encapsulated packet than 65535. too big with length When performing inbound processing for incoming IPSEC Get inbound transform packets and ICMPs related to them, the engine cannot obtain fail the transform context. ZyWALL USG 50 User’s Guide…
  • Page 832
    %d is the global index of rule Firewall rule %d has been deleted. Firewall rules were flushed Firewall rules have been flushed. %d is the global index of rule, %s is appended/inserted/ Firewall rule %d was modified ZyWALL USG 50 User’s Guide…
  • Page 833
    Failed to send control message to policy routing manager. To send message to policy route daemon failed! Allocating policy routing rule fails: insufficient memory. The policy route %d allocates memory fail! %d: the policy route rule number ZyWALL USG 50 User’s Guide…
  • Page 834
    A trunk went down so the ZyWALL will stop using the related Trunk %s dead, related policy route rules. policy route rules will be disabled ZyWALL USG 50 User’s Guide…
  • Page 835
    FTP port has been changed to port %s. %s is port number assigned by user An administrator changed the port number for FTP back to FTP port has been the default (21). changed to default port. ZyWALL USG 50 User’s Guide…
  • Page 836
    An administrator modified the rule %u. DNS access control rule %u has been %u is rule number modified An administrator removed the rule %u. DNS access control rule %u has been %u is rule number deleted. ZyWALL USG 50 User’s Guide…
  • Page 837
    %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. An access control rule was inserted successfully. Access control rule %u of %s was inserted. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. ZyWALL USG 50 User’s Guide…
  • Page 838
    Memory usage drops below the threshold of %d%%: mem- threshold-min. When local storage usage drops below threshold-min, %s: partition_name file system drops below the threshold of %d%%: disk-threshold-min. DHCP Server executed with cautious mode enabled. DHCP Server executed with cautious mode enabled ZyWALL USG 50 User’s Guide…
  • Page 839
    The device successfully synchronized with a NTP time server . NTP update successful, current time is %s %s is the date and time. The device was not able to synchronize with the NTP time NTP update failed server successfully. ZyWALL USG 50 User’s Guide…
  • Page 840
    Update profile failed because of a dynsdns internal error, %s Update the profile %s is the profile name. has failed because of dyndns internal error ZyWALL USG 50 User’s Guide…
  • Page 841
    DDNS profile cannot be updated because the ping-check for Update the profile %s WAN iface failed , %s is the profile name. has failed because ping-check of WAN interface has failed. Disable DDNS. Disable DDNS has succeeded. Enable DDNS. Enable DDNS has succeeded. ZyWALL USG 50 User’s Guide…
  • Page 842
    Cannot recover routing status which is link-down. Can’t open link_up2 Cannot open connectivity check process ID file. Can not open %s.pid %s: interface name Cannot open configuration file for connectivity check process. Can not open %s.arg %s: interface name ZyWALL USG 50 User’s Guide…
  • Page 843
    The connectivity check process can’t use multicast address to Can’t use MULTICAST IP check link-status. for destination The connectivity check process can’t use broadcast address to The destination is check link-status. invalid, because destination IP is broadcast IP ZyWALL USG 50 User’s Guide…
  • Page 844
    RIP global version has been changed to version 1 or 2. RIP global version has been changed to %s. RIP redistribute OSPF routes has been enabled. RIP redistribute OSPF routes has been enabled. ZyWALL USG 50 User’s Guide…
  • Page 845
    Interface Name interface %s has been disabled. One or more interfaces are still using this area, so area %s Area %s cannot be cannot be removed. %s: OSPF Area removed. This area is in use. ZyWALL USG 50 User’s Guide…
  • Page 846
    %s H.323 ALG has Disable succeeded. Extra H.323 ALG port has been changed. Extra signal port of H.323 ALG has been modified. Default H.323 ALG port has been changed. Signal port of H.323 ALG has been modified. ZyWALL USG 50 User’s Guide…
  • Page 847
    «%s» successfully The router was not able to create anPKCS#12 format Generate PKCS#12 certificate with the specified name. See Table 282 on page certificate «%s» for details about the error number. failed, errno %d ZyWALL USG 50 User’s Guide…
  • Page 848
    Certificates. %s is the certificate request name. certificate «%s» from «My Certificate» successfully The device was not able to export a PKCS#12 format Export PKCS#12 certificate from My Certificates. %s is the certificate request certificate «%s» from name. «My Certificate» failed ZyWALL USG 50 User’s Guide…
  • Page 849
    Certificate decoding failed. Certificate was not found (anywhere). Certificate chain looped (did not find trusted root). Certificate contains critical extension that was not handled. Certificate issuer was not valid (CA specific information missing). (Not used) ZyWALL USG 50 User’s Guide…
  • Page 850
    MTU > (base interface MTU — 8), PPP interface may not run %s may not work correctly because PPP packets will be fragmented by base correctly. interface and the peer will not receive correct PPP packets. 1st %s: PPP interface name, 2nd %s: ethernet interface name. ZyWALL USG 50 User’s Guide…
  • Page 851
    CHAP cases where the server does not support CHAP). CHAP: authentication interface name. failed. A PPP interface connected successfully. %s: interface name. Interface %s is connected. ZyWALL USG 50 User’s Guide…
  • Page 852
    You entered an incorrect PUK code so you were not able to «Incorrect PUK code of unlock the SIM card for the cellular device associated with the interface cellular%d. listed cellular interface (%d). Please check the PUK code setting. ZyWALL USG 50 User’s Guide…
  • Page 853
    %s] has been inserted into %s. The cellular device (identified by its manufacturer and model) «Cellular device [%s has been removed from the specified slot. %s] has been removed from %s. ZyWALL USG 50 User’s Guide…
  • Page 854
    A reserved word was not permitted to be used in an interface Configured interface name. name is reserved word. A reserved pre-fix was not permitted to be used in an Configured interface interface name. name match reserved prefix. ZyWALL USG 50 User’s Guide…
  • Page 855
    The interface does not support port grouping. Port-grouping is not support This type of interface does not support setting a third DNS This interface type server setting. can not set 3rd-dns. ZyWALL USG 50 User’s Guide…
  • Page 856
    DHCP client and has more than one member in its client. group. In this case the DHCP client will renew. %s: interface name. An administrator configured port-grouping, %s: interface Port Grouping %s has name. been changed. ZyWALL USG 50 User’s Guide…
  • Page 857
    2nd %s is warning message when apply CLI command. Before apply configuration file. Resetting system… After the system reset, it started to apply the configuration System resetted. Now file. apply %s.. %s is configuration file name. ZyWALL USG 50 User’s Guide…
  • Page 858
    The (listed) SMTP address configured for the daily e-mail Cannot resolve mail report function is incorrect. server address %s. The user name or password configured for authenticating Mail server with the e-mail server is incorrect. authentication failed. ZyWALL USG 50 User’s Guide…
  • Page 859
    The EPS object of the specified Auth. policy has changed. has been changed ‘EPS’ value. EPS’ signature data of The EPS object used by the specified Auth. policy was updated. Auth. policy %d has been updated. ZyWALL USG 50 User’s Guide…
  • Page 860
    %s A user’s computer did not match the Windows version check in Windows version the specified EPS object. check fail in %s A user’s computer passed the EPS check. EPS checking result is pass. ZyWALL USG 50 User’s Guide…
  • Page 861: Appendix B Common Services

    Border Gateway Protocol. BOOTP_CLIENT DHCP Client. BOOTP_SERVER DHCP Server. CU-SEEME 7648 A popular videoconferencing solution from White Pines Software. 24032 TCP/UDP Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. ZyWALL USG 50 User’s Guide…

  • Page 862
    ICMP echo requests to test whether or not a remote host is reachable. POP3 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). ZyWALL USG 50 User’s Guide…
  • Page 863
    Telnet is the login and terminal emulation protocol common on the Internet and in UNIX en vironments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. ZyWALL USG 50 User’s Guide…
  • Page 864
    PROTOCOL PORT(S) DESCRIPTION TFTP Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000 Another videoconferencing solution. ZyWALL USG 50 User’s Guide…
  • Page 865: Appendix C Displaying Anti-Virus Alert Messages In Windows

    Windows XP Click Start > Control Panel > Administrative Tools > Services. Figure 467 Windows XP: Opening the Services Window ZyWALL USG 50 User’s Guide…

  • Page 866
    Figure 468 Windows XP: Starting the Messenger Service Close the window when you are done. Windows 2000 Click Start > Settings > Control Panel > Administrative Tools > Services. Figure 469 Windows 2000: Opening the Services Window ZyWALL USG 50 User’s Guide…
  • Page 867
    WinPopup window displays as shown. Figure 471 Windows 98 SE: WinPopup If you want to display the WinPopup window at startup, follow the steps below for Windows 98 SE (steps are similar for Windows Me). ZyWALL USG 50 User’s Guide…
  • Page 868
    Right-click on the program task bar and click Properties. Figure 472 WIndows 98 SE: Program Task Bar Click the Start Menu Programs tab and click Advanced … Figure 473 Windows 98 SE: Task Bar Properties Double-click Programs and click StartUp. ZyWALL USG 50 User’s Guide…
  • Page 869
    Right-click in the StartUp pane and click New, Shortcut. Figure 474 Windows 98 SE: StartUp A Create Shortcut window displays. Enter “winpopup” in the Command line field and click Next. Figure 475 Windows 98 SE: Startup: Create Shortcut ZyWALL USG 50 User’s Guide…
  • Page 870
    A shortcut is created in the StartUp pane. Restart the computer when prompted. Figure 477 Windows 98 SE: Startup: Shortcut Note: The WinPopup window displays after the computer finishes the startup process (see Figure 471 on page 867). ZyWALL USG 50 User’s Guide…
  • Page 871: Appendix D Importing Certificates

    • Opera on page 885 • Konqueror on page 892 Internet Explorer The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista. ZyWALL USG 50 User’s Guide…

  • Page 872: Appendix D Importing Certificates

    Figure 478 Internet Explorer 7: Certification Error Click Continue to this website (not recommended). Figure 479 Internet Explorer 7: Certification Error In the Address Bar, click Certificate Error > View certificates. Figure 480 Internet Explorer 7: Certificate Error ZyWALL USG 50 User’s Guide…

  • Page 873
    Appendix D Importing Certificates In the Certificate dialog box, click Install Certificate. Figure 481 Internet Explorer 7: Certificate In the Certificate Import Wizard, click Next. Figure 482 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 50 User’s Guide…
  • Page 874
    Next again and then go to step 9. Figure 483 Internet Explorer 7: Certificate Import Wizard Otherwise, select Place all certificates in the following store and then click Browse. Figure 484 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 50 User’s Guide…
  • Page 875
    In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK. Figure 485 Internet Explorer 7: Select Certificate Store In the Completing the Certificate Import Wizard screen, click Finish. Figure 486 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 50 User’s Guide…
  • Page 876
    12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information. Figure 489 Internet Explorer 7: Website Identification ZyWALL USG 50 User’s Guide…
  • Page 877
    Refer to steps 4-12 in the Internet Explorer procedure beginning on page 871 complete the installation process. Removing a Certificate in Internet Explorer This section shows you how to remove a public key certificate in Internet Explorer ZyWALL USG 50 User’s Guide…
  • Page 878
    Appendix D Importing Certificates Open Internet Explorer and click Tools > Internet Options. Figure 492 Internet Explorer 7: Tools Menu In the Internet Options dialog box, click Content > Certificates. Figure 493 Internet Explorer 7: Internet Options ZyWALL USG 50 User’s Guide…
  • Page 879
    Figure 494 Internet Explorer 7: Certificates In the Certificates confirmation, click Yes. Figure 495 Internet Explorer 7: Certificates In the Root Certificate Store dialog box, click Yes. Figure 496 Internet Explorer 7: Root Certificate Store ZyWALL USG 50 User’s Guide…
  • Page 880
    If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. Select Accept this certificate permanently and click OK. Figure 497 Firefox 2: Website Certified by an Unknown Authority ZyWALL USG 50 User’s Guide…
  • Page 881
    Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. ZyWALL USG 50 User’s Guide…
  • Page 882
    Appendix D Importing Certificates Open Firefox and click Tools > Options. Figure 499 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 500 Firefox 2: Options ZyWALL USG 50 User’s Guide…
  • Page 883
    Figure 502 Firefox 2: Select File The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information. ZyWALL USG 50 User’s Guide…
  • Page 884
    This section shows you how to remove a public key certificate in Firefox 2. Open Firefox and click Tools > Options. Figure 503 Firefox 2: Tools Menu In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 504 Firefox 2: Options ZyWALL USG 50 User’s Guide…
  • Page 885
    The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Opera The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms. ZyWALL USG 50 User’s Guide…
  • Page 886
    Figure 507 Opera 9: Certificate signer not found The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Figure 508 Opera 9: Security information ZyWALL USG 50 User’s Guide…
  • Page 887
    Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. Open Opera and click Tools > Preferences. Figure 509 Opera 9: Tools Menu ZyWALL USG 50 User’s Guide…
  • Page 888
    Appendix D Importing Certificates In Preferences, click Advanced > Security > Manage certificates. Figure 510 Opera 9: Preferences ZyWALL USG 50 User’s Guide…
  • Page 889
    Appendix D Importing Certificates In the Certificates Manager, click Authorities > Import. Figure 511 Opera 9: Certificate manager Use the Import certificate dialog box to locate the certificate and then click Open. Figure 512 Opera 9: Import certificate ZyWALL USG 50 User’s Guide…
  • Page 890
    The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details. Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9. ZyWALL USG 50 User’s Guide…
  • Page 891
    Appendix D Importing Certificates Open Opera and click Tools > Preferences. Figure 515 Opera 9: Tools Menu In Preferences, Advanced > Security > Manage certificates. Figure 516 Opera 9: Preferences ZyWALL USG 50 User’s Guide…
  • Page 892
    Konqueror 3.5 on all Linux KDE distributions. If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. ZyWALL USG 50 User’s Guide…
  • Page 893
    Click Forever when prompted to accept the certificate. Figure 519 Konqueror 3.5: Server Authentication Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details. Figure 520 Konqueror 3.5: KDE SSL Information ZyWALL USG 50 User’s Guide…
  • Page 894
    Figure 521 Konqueror 3.5: Public Key Certificate File In the Certificate Import Result — Kleopatra dialog box, click OK. Figure 522 Konqueror 3.5: Certificate Import Result The public key certificate appears in the KDE certificate manager, Kleopatra. Figure 523 Konqueror 3.5: Kleopatra ZyWALL USG 50 User’s Guide…
  • Page 895
    Figure 524 Konqueror 3.5: Settings Menu In the Configure dialog box, select Crypto. On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove. Figure 525 Konqueror 3.5: Configure ZyWALL USG 50 User’s Guide…
  • Page 896
    The next time you go to the web site that issued the public key certificate you just removed, a certification error appears. Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button. ZyWALL USG 50 User’s Guide…
  • Page 897: Appendix E Open Software Announcements

    Open Software Announcements End-User License Agreement for “ZyWALL USG 50” WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AS INSTALLING THE SOFTWARE WILL INDICATE YOUR ASSENT TO THEM.

  • Page 898
    Please contact the appropriate software vendor or manufacturer directly for technical support and customer service related to its software and products. 5. Confidentiality ZyWALL USG 50 User’s Guide…
  • Page 899
    OTHERWISE SHALL BE EQUAL TO THE PURCHASE PRICE, BUT SHALL IN NO EVENT EXCEED THE PRODUCT’S PRICE. BECAUSE SOME STATES/COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 8. Export Restrictions ZyWALL USG 50 User’s Guide…
  • Page 900
    If any part of this License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties. ZyWALL USG 50 User’s Guide…
  • Page 901
    Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: ZyWALL USG 50 User’s Guide…
  • Page 902
    OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl- core@openssl.org. OpenSSL License ZyWALL USG 50 User’s Guide…
  • Page 903
    OpenSSL Toolkit. (http://www.openssl.org/)» * 4. The names «OpenSSL Toolkit» and «OpenSSL Project» must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. ZyWALL USG 50 User’s Guide…
  • Page 904
    * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. ================================================== ZyWALL USG 50 User’s Guide…
  • Page 905
    * Copyright remains Eric Young’s, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution ZyWALL USG 50 User’s Guide…
  • Page 906
    (application code) you must include an acknowledgement: «This product includes software written by Tim Hudson (tjh@cryptsoft.com)» * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG «AS IS» AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ZyWALL USG 50 User’s Guide…
  • Page 907
    License a 3-clause BSD-style license This is a Free Software License This license is compatible with The GNU General Public License, Version 1 This license is compatible with The GNU General Public License, Version 2 ZyWALL USG 50 User’s Guide…
  • Page 908
    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING ZyWALL USG 50 User’s Guide…
  • Page 909
    «Derivative Works» shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original ZyWALL USG 50 User’s Guide…
  • Page 910
    Derivative Works hereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and ZyWALL USG 50 User’s Guide…
  • Page 911
    TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. ZyWALL USG 50 User’s Guide…
  • Page 912
    For written permission, please contact apache@apache.org. Products derived from this software may not be called ìApacheî, nor may ìApacheî appear in their name, without prior written permission of the Apache Software Foundation. ZyWALL USG 50 User’s Guide…
  • Page 913
    Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General ZyWALL USG 50 User’s Guide…
  • Page 914
    General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a ZyWALL USG 50 User’s Guide…
  • Page 915
    A «library» means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The «Library», below, refers to any such ZyWALL USG 50 User’s Guide…
  • Page 916
    License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as ZyWALL USG 50 User’s Guide…
  • Page 917
    When a «work that uses the Library» uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially ZyWALL USG 50 User’s Guide…
  • Page 918
    For an executable, the required form of the «work that uses the Library» must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not ZyWALL USG 50 User’s Guide…
  • Page 919
    (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this ZyWALL USG 50 User’s Guide…
  • Page 920
    Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. ZyWALL USG 50 User’s Guide…
  • Page 921
    This General Public License applies to most of the Free Software Foundation’s software and to any other program whose authors ZyWALL USG 50 User’s Guide…
  • Page 922
    Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term «modification».) Each licensee is addressed as «you». Activities other than ZyWALL USG 50 User’s Guide…
  • Page 923
    Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the ZyWALL USG 50 User’s Guide…
  • Page 924
    These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and ZyWALL USG 50 User’s Guide…
  • Page 925
    License which applies to it and «any later version», you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the ZyWALL USG 50 User’s Guide…
  • Page 926
    All other trademarks or trade names mentioned herein, if any, are the property of their respective owners. This Product includes ppp, libpcap, tcpdump, unzip, zip, libnet, net-snmp, openssh, and ftp-tls software under BSD license Copyright (c) [dates as appropriate to package] ZyWALL USG 50 User’s Guide…
  • Page 927
    Software. THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ZyWALL USG 50 User’s Guide…
  • Page 928
    Software without specific, written prior permission.Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. ZyWALL USG 50 User’s Guide…
  • Page 929
    0.97, January 1998, through 1.0.6, March 20, 2000, are Copyright (c) 1998, 1999 Glenn Randers-Pehrson, and are distributed according to the same ZyWALL USG 50 User’s Guide…
  • Page 930
    Permission is hereby granted to use, copy, modify, and distribute this source code, or portions hereof, for any purpose, without fee, subject to the following restrictions: 1. The origin of this source code must not be misrepresented. ZyWALL USG 50 User’s Guide…
  • Page 931
    2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. ZyWALL USG 50 User’s Guide…
  • Page 932
    Initial Developer in the Source Code notice required by Exhibit A. 1.7. «Larger Work» means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. 1.8. «License» means this document. ZyWALL USG 50 User’s Guide…
  • Page 933
    «control» means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. Source Code License. ZyWALL USG 50 User’s Guide…
  • Page 934
    Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor. 3. Distribution Obligations. 3.1. Application of License. ZyWALL USG 50 User’s Guide…
  • Page 935
    Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained. ZyWALL USG 50 User’s Guide…
  • Page 936
    Source Code version from the rights set forth in this License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are offered by You ZyWALL USG 50 User’s Guide…
  • Page 937
    If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases «Mozilla», ZyWALL USG 50 User’s Guide…
  • Page 938
    Your past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and ZyWALL USG 50 User’s Guide…
  • Page 939
    «commercial computer software documentation,» as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein. ZyWALL USG 50 User’s Guide…
  • Page 940
    Software distributed under the License is distributed on an «AS IS» basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. ZyWALL USG 50 User’s Guide…
  • Page 941
    NOTE: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. ZyWALL USG 50 User’s Guide…
  • Page 942
    Appendix E Open Software Announcements ZyWALL USG 50 User’s Guide…
  • Page 943: Appendix F Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.

  • Page 944: Appendix F Legal Information

    Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. FCC Radiation Exposure Statement • This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. ZyWALL USG 50 User’s Guide…

  • Page 945: Zyxel Limited Warranty

    This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. ZyWALL USG 50 User’s Guide…

  • Page 946
    To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http:// www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. ZyWALL USG 50 User’s Guide…
  • Page 947: Index

    360, 376 access and FTP access control attacks and NAT 296, 331 Access Point Name, see APN and policy routes access users and SNMP 592, 593 custom page and SSH forcing login and Telnet ZyWALL USG 50 User’s Guide…

  • Page 948
    VoIP pass through signatures statistics tutorial trial service activation Anomaly Detection and Prevention, see ADP troubleshooting 780, 783 anti-spam 573, 579 troubleshooting signatures update ZyWALL USG 50 User’s Guide…
  • Page 949
    TTCP-detected types of ASAS (Authenex Strong Authentication System) u-encoding undersize-len ASCII-encoding undersize-offset ASCII-encoding attacks UTF-8-encoding asymmetrical routes virus 470, 497 allowing through the firewall worm vs virtual interfaces Authenex Strong Authentication System attack (ASAS) ZyWALL USG 50 User’s Guide…
  • Page 950
    SIM examples CEF (Common Event Format) 735, 741 in application patrol cellular 115, 243 interface, outbound, see interfaces interface’s bandwidth band selection maximize bandwidth usage 297, 301, 447, 448, interfaces 449, 462, 467 ZyWALL USG 50 User’s Guide…
  • Page 951
    FTP use without restart Challenge Handshake Authentication Protocol (CHAP) connection CHAP (Challenge Handshake Authentication troubleshooting Protocol) connection monitor (in SSL) ZyWALL USG 50 User’s Guide…
  • Page 952
    45, 562 and domain name copyright and interfaces CPU usage 162, 165 client list current date/time pool 161, 683 and schedules static DHCP daylight savings diagnostics 757, 764 setting manually Differentiated Services Code Point (DSCP) ZyWALL USG 50 User’s Guide…
  • Page 953
    EPC (End Point Control), see also end-point DHCP. security dynamic peers in IPSec 389, 411 DynDNS and transport mode DynDNS see also DDNS Ethernet interfaces 111, 222 and OSPF Dynu and RIP and routing protocols ZyWALL USG 50 User’s Guide…
  • Page 954
    Transport Layer Security (TLS) and services full tunnel mode 41, 417, 422 and SIP (ALG) Fully-Qualified Domain Name, see FQDN and user groups 376, 379 ZyWALL USG 50 User’s Guide…
  • Page 955
    139, 697 reject sender 495, 530 and certificates reject-both 495, 530 authenticating clients reject-receiver 495, 530 avoiding warning messages service group example severity vs HTTP signature categories with Internet Explorer signature ID with Netscape Navigator signatures ZyWALL USG 50 User’s Guide…
  • Page 956
    VLAN, see also VLAN interfaces. IMAP where used iMesh Internet access incoming bandwidth troubleshooting 780, 789 ingress bandwidth Internet Control Message Protocol, see ICMP inline profile Internet Explorer 492, 524 inspection signatures Internet Message Access Protocol, see IMAP ZyWALL USG 50 User’s Guide…
  • Page 957
    IKE SA is disconnected manual key IPSec VPN NetBIOS configuration overview peer prerequisites 102, 104 Perfect Forward Secrecy see also IPSec ZyWALL USG 50 User’s Guide…
  • Page 958
    SSL user Distinguished Name, see DN Web Configurator 628, 629, 631, 632 logs password and firewall 361, 376 port 630, 633 configuration overview search time limit descriptions e-mail profiles user attributes e-mailing log messages 210, 737 ZyWALL USG 50 User’s Guide…
  • Page 959
    145, 148 NBNS 234, 259, 269, 275, 422 monitor profile NetBIOS Broadcast over IPSec Name Server, see NBNS. mounting NetBIOS Name Server, see NBNS rack ZyWALL USG 50 User’s Guide…
  • Page 960
    (patterns) chunk-encoding attack One-Time Password (OTP) len attack Online Certificate Status Protocol (OCSP) offset attack vs CRL request-uri-directory attack Open Shortest Path First, see OSPF order of feature application OSI (Open System Interconnection) 485, 489 ZyWALL USG 50 User’s Guide…
  • Page 961
    Post Office Protocol, see POP Point-to-Point Protocol over Ethernet, see PPPoE. power off 35, 777 Point-to-Point Tunneling Protocol, see PPTP power on policy enforcement in IPSec troubleshooting policy route troubleshooting PPP interfaces 781, 790 ZyWALL USG 50 User’s Guide…
  • Page 962
    FTP, see FTP prerequisites see also service control rack-mounting Telnet RADIUS to-ZyWALL firewall 626, 627 advantages WWW, see WWW and IKE SA remote network and PPPoE remote user screen links and users replay detection ZyWALL USG 50 User’s Guide…
  • Page 963
    OSPF and to-ZyWALL firewall Rivest, Shamir and Adleman public-key and users algorithm (RSA) limitations round robin timeouts routing service groups troubleshooting and firewall and port triggering Routing Information Protocol, see RIP in IDP routing protocols ZyWALL USG 50 User’s Guide…
  • Page 964
    Source Network Address Translation, see SNAT spam spam 496, 573 virus/worm specifications Web attack device signature ID 495, 505, 508 feature signatures hardware anti-virus spillover (for load balancing) spyware packet inspection SQL slammer SIM card ZyWALL USG 50 User’s Guide…
  • Page 965
    ZyWALL 35, 36 types streaming protocols management web-based 667, 670 strict source routing web-based example stub area where used STUN SSL policy and ALG ZyWALL USG 50 User’s Guide…
  • Page 966
    757, 764, 779 portscan admin user portsweep anti-virus 780, 783 anti-virus signatures update SYN (synchronize) application patrol 780, 786, 789 SYN flood application patrol signatures update window size bandwidth limit technical reference bandwidth management cellular Telnet ZyWALL USG 50 User’s Guide…
  • Page 967
    537, 538 shell scripts truncated-options attack URI (Uniform Resource Identifier) truncated-timestamp-header attack usage trunks 222, 277 162, 165 and ALG flash and policy routes 278, 295 memory 162, 166 configuration overview ZyWALL USG 50 User’s Guide…
  • Page 968
    293, 294, 457, 460, 463, 466 life cycle and RADIUS macro and service control mutation and shell scripts polymorphic attributes for Ext-User scan attributes for LDAP attributes for RADIUS VLAN attributes in AAA servers advantages ZyWALL USG 50 User’s Guide…
  • Page 969
    139, 698 www.zyxel.com warm start warning message popup warranty zipped files note troubleshooting Web attack zones 90, 317 Web Configurator 34, 45 and firewall 364, 374 access and FTP access users and interfaces 90, 317 ZyWALL USG 50 User’s Guide…
  • Page 970
    SSH and Telnet and VPN 90, 317 and WWW block intra-zone traffic 320, 372 configuration overview default extra-zone traffic inter-zone traffic intra-zone traffic prerequisites types of traffic where used ZyWALL terminology differences ZyXEL web site ZyWALL USG 50 User’s Guide…


  • Products

    Security

    Networking

    Service and License

    Home Connectivity

    Success Stories

    Discover how we help leading brands unlock their business potential.

    eBook Download

    Success Stories eBook Download


  • Solutions

    What’s New?

    Just Connect Campaign – Powerful, effortless and scalable network connectivity.

    See More

    Just Connect


  • Support & Training

    Support

    Community

    Discuss with your peers and Zyxel specialists to ask for help.

    Security Advisories

    Check the latest information and remediation available for vulnerabilities that are reported in Zyxel products.

    Training

    Education Center

    Design to provide you with in-depth knowledge on how to install, configure and manage Zyxel products.

    Certification Programs

    Learn extensive technology foundations, instructor-led courses and get rewarded by becoming certified.


  • Where to Buy

    Buy Online

    Zyxel Store

    Shop the latest range of networking and security devices from Zyxel official store.

    Zyxel Marketplace

    Shop the full selection of licenses and services to easily renew and deploy licenses.

    Locate Partners

    Resellers

    Our partners all over the country who provide better products and services for local market.

    Retail Stores

    Contact information for Zyxel authorized retail stores.

Toggle navigation



  • Products

    • Security

      • Next-Gen Firewall
      • VPN Firewall
    • Networking

      • Switch
      • Wireless
      • Mobile Broadband
      • In-Building Coverage
    • Service and License

      • Security
      • Management and Reporting
      • Endpoint and Connectivity
    • Home Connectivity

      • WiFi Router
      • WiFi System
      • WiFi Extender
      • DSL CPE
      • Powerline
      • Personal Cloud Storage

  • Solutions

    • Organization Sizes

      • Home
      • Startup/Small Business
      • Medium Business
      • Large Business
    • Use Cases

      • Nebula Cloud
      • IP Surveillance
      • Hospitality
      • Networked AV
    • Technologies

      • Network Security
      • WiFi 6E
      • 5G FWA

  • Support & Training

    • SUPPORT
      • Community
      • Download Library
      • Security Advisories
      • Warranty Information
      • See all support
    • TRAINING
      • Education Center
      • Certification Programs

  • Where to Buy

    • BUY ONLINE
      • Zyxel Store
      • Zyxel Marketplace
      • Zyxel Circle
      • eCommerce Partners
    • LOCATE PARTNERS
      • Resellers
      • Retail Stores
      • Distributors

Global (English)

Select Your Location
  • Global (English)
Asia
  • Azerbaijan (Русский)
  • China (简体中文)
  • India (English)
  • Kazakhstan (Русский)
  • Kyrgyzstan (Русский)
  • Malaysia (English)
  • Pakistan (English)
  • Philippines (English)
  • Singapore (English)
  • South Korea (한국어)
  • Taiwan (繁體中文)
  • Tajikistan (Русский)
  • Thailand (ภาษาไทย)
  • Uzbekistan (Русский)
  • Vietnam (Việt)
Europe
  • Belgium (Nederlands)
  • Belgium (Français)
  • Bulgaria (Български)
  • Czechia (Čeština)
  • Denmark (Dansk)
  • Estonia (English)
  • Finland (Suomi)
  • France (Français)
  • Georgia (Русский)
  • Germany (Deutsch)
  • Greece (English)
  • Hungary (Magyar)
  • Ireland (English)
  • Italy (Italiano)
  • Latvia (English)
  • Lithuania (English)
  • Netherlands (Nederlands)
  • Norway (Norsk)
  • Poland (Polski)
  • Romania (România)
  • CIS (Русский)
  • Slovakia (Slovenčina)
  • Spain (Español)
  • Sweden (Svenska)
  • Switzerland (Français)
  • Switzerland (Deutsch)
  • Turkiye (Türkiye)
  • Ukraine (Українська)
  • United Kingdom (English)
South America
  • Argentina (Español)
  • Bolivia (Español)
  • Brazil (Português)
  • Chile (Español)
  • Colombia (Español)
  • Ecuador (Español)
  • Paraguay (Español)
  • Peru (Español)
  • Uruguay (Español)

В представленном списке руководства для конкретной модели Маршрутизатора илт коммутатора — ZyXEL ZyWALL USG 50. Вы можете скачать инструкции к себе на компьютер или просмотреть онлайн на страницах сайта бесплатно или распечатать.

В случае если инструкция на русском не полная или нужна дополнительная информация по этому устройству, если вам нужны
дополнительные файлы: драйвера, дополнительное руководство пользователя (производители зачастую для каждого
продукта делают несколько различных документов технической помощи и руководств), свежая версия прошивки, то
вы можете задать вопрос администраторам или всем пользователям сайта, все постараются оперативно отреагировать
на ваш запрос и как можно быстрее помочь. Ваше устройство имеет характеристики:Тип устройства: маршрутизатор (router), Объем оперативной памяти: 256 Мб, Объем флеш-памяти: 256 Мб, Количество портов коммутатора: 4 x Ethernet 10/100/1000 Мбит/сек, Консольный порт: есть, Web-интерфейс: есть, полные характеристики смотрите в следующей вкладке.

Для многих товаров, для работы с ZyXEL ZyWALL USG 50 могут понадобиться различные дополнительные файлы: драйвера, патчи, обновления, программы установки. Вы можете скачать онлайн эти файлы для конкретнй модели ZyXEL ZyWALL USG 50 или добавить свои для бесплатного скачивания другим посетителями.

Если вы не нашли файлов и документов для этой модели то можете посмотреть интсрукции для похожих товаров и моделей, так как они зачастую отличаются небольшим изменениями и взаимодополняемы.

Обязательно напишите несколько слов о преобретенном вами товаре, чтобы каждый мог ознакомиться с вашим отзывом или вопросом. Проявляйте активность что как можно бльше людей смогли узнать мнение настоящих людей которые уже пользовались ZyXEL ZyWALL USG 50.

Основные и самые важные характеристики модели собраны из надежных источников и по характеристикам можно найти похожие модели.

Общие характеристики
Тип устройства маршрутизатор (router)
Объем оперативной памяти 256 Мб
Объем флеш-памяти 256 Мб
LAN
Количество портов коммутатора 4 x Ethernet 10/100/1000 Мбит/сек
Управление
Консольный порт есть
Web-интерфейс есть
Поддержка Telnet есть
Поддержка SNMP есть
Маршрутизатор
WAN-порт 2xEthernet 10/100/1000 Мбит/сек
Межсетевой экран (FireWall) есть
NAT есть
SPI есть
DHCP-сервер есть
Поддержка Dynamic DNS есть
Демилитаризованная зона (DMZ) есть
Протоколы динамической маршрутизации RIP v1, RIP v2, OSPF
Дополнительно
Поддержка IPv6 есть
Поддержка стандартов Auto MDI/MDIX, IEEE 802.1q (VLAN)
USB-порт есть
Размеры (ШxВxГ) 242 x 36 x 167 мм
Вес 1.2 кг
Дополнительная информация Управление полосой пропускания (BWM), потоковый антивирус Касперского/ZyXEL, обнаружение и предотвращение вторжений, контентная фильтрация Blue Coat и Commtouch, анти-спам Commtouch, 2 порта USB 2.0 для модемов 3G, VoIP поверх VPN

Здесь представлен список самых частых и распространенных поломок и неисправностей у Маршрутизаторов и коммутаторов. Если у вас такая поломка то вам повезло, это типовая неисправность для ZyXEL ZyWALL USG 50 и вы можете задать вопрос о том как ее устранить и вам быстро ответят или же прочитайте в вопросах и ответах ниже.

Название поломки Описание поломки Действие
Сгорание Порта
Сгорел Блок Питания
Не Работают Sfp Порты Комбо Порты Только Медные Работают,При Подключении Сфп Медь Тухнет А Оптика Невключается
Горит Индикатор Alm
Не Работают Вентиляторы Полная Тишина, Устройство Работает Без Вентиляции

В нашей базе сейчас зарегестрированно 18 353 сервиса в 513 города России, Беларусии, Казахстана и Украины.

Скачать

Страница из 970

www.zyxel.com

www.zyxel.com

ZyWALL USG 50

Unified Security Gateway

Copyright © 2011 
ZyXEL Communications Corporation

Version 2.21

Edition 4, 4/2011

Default Login Details

LAN Port

P3, P4

IP Address https://192.168.1.1
User Name

admin

Password

1234

Понравилась статья? Поделить с друзьями:
  • Капотен 25 мг инструкция по применению дозировка взрослым таблетки
  • Руководство по лит айс скачать
  • Пао иркут официальный сайт руководство
  • Трихопол инструкция по применению цена в москве таблетки взрослым
  • Lanmaster lan pro l tpk poe 8r инструкция