ZyXEL USG FLEX 100 User Guide

ZyXEL USG FLEX 100 Manual

ZyXEL USG FLEX 100 manual content summary:

  • ZyXEL USG FLEX 100 | User Guide - Page 1
    User's Guide ZyWALL USG FLEX Series Default Login Details LAN Port IP Address https://192.168.1.1 User Name admin Password 1234 Version 4.55 Edition 1, 6/2020 Copyright © 2020 Zyxel Communications Corporation
  • ZyXEL USG FLEX 100 | User Guide - Page 2
    Configurator to configure the Zyxel Device. • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • More Information Go to support.zyxel.com to find other information on Zyxel Device. ZyWALL USG FLEX Series User's Guide 2
  • ZyXEL USG FLEX 100 | User Guide - Page 3
    Figures in this user guide may use the following generic icons. The Zyxel Device icon is not an exact representation of your device. Zyxel Device Generic Router Wireless Router / Access Point Switch Internet Firewall Server Network Cloud Smartphone USB Dongle
  • ZyXEL USG FLEX 100 | User Guide - Page 4
    121 Licensing ...188 Wireless ...193 Interfaces ...216 Routing ...313 DDNS ...340 NAT ...346 Redirect Service ...354 ALG ...360 UPnP ...367 IP/MAC Binding ...382 Layer 2 Isolation ...387 DNS Inbound ...636 SSL Inspection ...647 IP Exception ...659 Object ...662
  • ZyXEL USG FLEX 100 | User Guide - Page 5
    Contents Overview Device HA ...765 Cloud CNM ...772 System ...780 Log and Report ...841 File Manager ...854 Diagnostics ...869 Packet Flow Explore ...888 Shutdown ...895 Troubleshooting ...897
  • ZyXEL USG FLEX 100 | User Guide - Page 6
    57 2.1.7 Internet Access: Congratulations 58 2.1.8 Date and Time Settings ...59 2.1.9 Register Device ...59 2.1.10 Activate Service ...61 2.1.11 Service Settings ...62 2.1.12 Service Settings: SecuReporter 63 2.1.13 Wireless Settings: Management Mode 64
  • ZyXEL USG FLEX 100 | User Guide - Page 7
    3.2.3 Wall-mounting ...73 3.3 Default Zones, Interfaces, and Ports 75 3.4 Stopping the Zyxel Device ...75 Chapter 4 Quick Setup Wizards...76 4.1 Quick Setup Overview ...76 4.2 98 4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario 99
  • ZyXEL USG FLEX 100 | User Guide - Page 8
    6.3 Interface Status Screen ...125 6.4 The Traffic Statistics Screen ...129 6.5 The Session Monitor Screen ...131 6.6 The Login Users Screen ...133 6.7 Dynamic Guest ...135 6.8 IGMP Statistics ...136
  • ZyXEL USG FLEX 100 | User Guide - Page 9
    6.37 Log Screens ...183 6.37.1 View Log ...184 6.37.2 View AP Log ...185 Chapter 7 Licensing ...188 7.1 Registration Overview ...188 7.1.1 What you Need to Know ...188
  • ZyXEL USG FLEX 100 | User Guide - Page 10
    193 8.2.1 Connecting an AP to the Zyxel Device 194 8.2.2 Connecting an AP to the Zyxel Device Manually 194 8.2.3 Connecting an AP to the Zyxel Device Using DHCP Option 138 194 8.3 Ethernet Edit ...225 9.4.2 Proxy ARP ...241 9.4.3 Virtual Interfaces ...242
  • ZyXEL USG FLEX 100 | User Guide - Page 11
    Technical Reference 324 10.5 Routing Protocols Overview ...324 10.5.1 What You Need to Know 325 10.6 The RIP Screen ...325 10.7 The OSPF Screen ...327
  • ZyXEL USG FLEX 100 | User Guide - Page 12
    Enter the Zyxel Device Service Screen ...357 13.2.1 The Redirect Service Edit Screen 358 Chapter 14 ALG...360 14.1 ALG Overview ...360 14.1.1 What You Need to Know 360 14.1.2 Before You Begin ...363 14.2 The ALG Screen ...363 14.3 ALG Technical Reference ...365
  • ZyXEL USG FLEX 100 | User Guide - Page 13
    /Edit Screen 393 18.2.2 The DNS Inbound LB Add/Edit Member Screen 395 Chapter 19 IPSec VPN ...397 19.1 Virtual Private Networks (VPN) Overview 397
  • ZyXEL USG FLEX 100 | User Guide - Page 14
    439 21.1.2 What You Need to Know 439 21.2 L2TP VPN Screen ...440 21.2.1 Example: L2TP and Zyxel Device Behind a NAT Router 442 Chapter 22 BWM (Bandwidth Management 445 22.1 Overview ...445 22.1.1 What You ...461 23.1.1 What You Can Do in this Chapter 461
  • ZyXEL USG FLEX 100 | User Guide - Page 15
    Zyxel Device Configuration 483 23.4.1 Configuration Overview 484 23.4.2 Configure the Zyxel 497 24.4.2 The Account Redeem Screen 500 24.4.3 The Billing Profile Add/Edit The Billing > Payment Service Screen 505 24.6.1 The Payment Service > Desktop / Mobile
  • ZyXEL USG FLEX 100 | User Guide - Page 16
    ...546 30.4.1 Configuring the Security Policy Control Screen 547 30.4.2 The Security Policy Control Add/Edit Screen 551 30.5 Anomaly Detection and Prevention Overview 552
  • ZyXEL USG FLEX 100 | User Guide - Page 17
    a Security Policy 578 32.2.2 Content Filter Add Profile Category Service 581 32.2.3 Content Filter Add Filter Profile Custom Service 594 32.3 Content Filter Trusted Web Sites Screen 596 32 -Malware Technical Reference 612 Chapter 34 Reputation Filter ...614
  • ZyXEL USG FLEX 100 | User Guide - Page 18
    37.1.2 What You Need To Know 647 37.1.3 Before You Begin ...648 37.2 The SSL Inspection Profile Screen 648 37.2.1 Apply to a Security Policy 649
  • ZyXEL USG FLEX 100 | User Guide - Page 19
    704 39.6.2 Address Summary Screen 704 39.6.3 Address Group Summary Screen 708 39.6.4 Geo IP Summary Screen 710 39.7 Service Overview ...713 39.7.1 What You Need to Know 713 39.7.2 The Service Summary Screen 714 39.7.3 The Service Group Summary Screen 716
  • ZyXEL USG FLEX 100 | User Guide - Page 20
    Schedule Screen ...719 39.8.3 The Schedule Group Screen 722 39.9 AAA Server Overview ...723 39.9.1 Directory Service (AD/LDAP 724 39.9.2 RADIUS Server ...724 39.9.3 ASAS ...724 39.9.4 What You Need To Know ...772 41.1.1 What You Can Do in this Chapter 772
  • ZyXEL USG FLEX 100 | User Guide - Page 21
    Example ...807 42.8 SSH ...814 42.8.1 How SSH Works ...815 42.8.2 SSH Implementation on the Zyxel Device 816 42.8.3 Requirements for Using SSH 816 42.8.4 Configuring SSH ...816 42.8.5 Service Control Rules ...817 42.8.6 Secure Telnet Using SSH Examples 818
  • ZyXEL USG FLEX 100 | User Guide - Page 22
    Supported MIBs ...825 42.11.3 SNMP Traps ...825 42.11.4 Configuring SNMP ...825 42.11.5 Add SNMPv3 User ...828 42.11.6 Service 42.17 Zyxel One Network (ZON) Utility 835 42.17.1 Requirements ...836 42.17.2 Run the ZON Utility ...836 42.17.3 Zyxel One Network
  • ZyXEL USG FLEX 100 | User Guide - Page 23
    Screen ...892 Chapter 47 Shutdown ...895 47.1 Overview ...895 47.1.1 What You Need To Know 895 47.2 The Shutdown Screen ...895 Part III: Appendices and Troubleshooting 896 Chapter 48 Troubleshooting...897 48.1 Resetting the Zyxel Device ...910
  • ZyXEL USG FLEX 100 | User Guide - Page 24
    Table of Contents 48.2 Getting More Troubleshooting Help 911 Appendix A Customer Support ...912 Appendix B Product Features ...918 Appendix C Legal Information ...921 Index ...929
  • ZyXEL USG FLEX 100 | User Guide - Page 25
    PART I User's Guide 25
  • ZyXEL USG FLEX 100 | User Guide - Page 26
    1 year USG FLEX 500 YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES 1 year For information on interface names by model, default port / interface name mapping, and default interface / zone mapping please see Section 3.3 on page 75.
  • ZyXEL USG FLEX 100 | User Guide - Page 27
    expires. Services will continue to work in this period during which you will receive notifications to renew your license(s). New license(s) are valid for 1 year from the date of purchase. 1.2.2 Applications These are some Zyxel Device application scenarios.
  • ZyXEL USG FLEX 100 | User Guide - Page 28
    ) firewall. Figure 2 Applications: Security Router Applications: Security Router IPv6 Routing The Zyxel Device supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 to your network. AS is an Authentication Server in the below figure.
  • ZyXEL USG FLEX 100 | User Guide - Page 29
    use VPN solution. A user just browses to the Zyxel Device's web address and enters his user name and password to securely connect to the Zyxel Device's network. Here full tunnel mode creates a file server. Figure 6 Applications: User-Aware Access Control
  • ZyXEL USG FLEX 100 | User Guide - Page 30
    manage the Zyxel Device in the following ways. Web Configurator The Web Configurator allows easy Zyxel Device setup and management using an Internet browser. This User's Guide provides information about the Web Configurator. Figure 8 Managing the Zyxel Device: Web Configurator
  • ZyXEL USG FLEX 100 | User Guide - Page 31
    (see Section 42.15 on page 834) to enable and configure management of the Zyxel Device by a Central Network Management system. Management Authentication Managers must be authenticated with a ) • Allow pop-up windows (blocked by default in some browsers)
  • ZyXEL USG FLEX 100 | User Guide - Page 32
    Most screen shots in this guide come from the USG110 and USG60W. 1.4.1 Web Configurator Access 1 Make sure your Zyxel Device hardware is properly connected. See the Quick Start Guide. 2 In your browser browser, the Terms of Use will be downloaded automatically.
  • ZyXEL USG FLEX 100 | User Guide - Page 33
    Chapter 1 Introduction 6 The Network Risk Warning screen displays any unregistered or disabled security services. If your Zyxel Device is not registered, you will see a prompt to register it. Select how often to display the screen and click OK.
  • ZyXEL USG FLEX 100 | User Guide - Page 34
    Setup Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears. 1.4.2 Web Configurator Screens Overview The Web Configurator screen is divided into these parts: • A - title bar • B - navigation panel • C - main window
  • ZyXEL USG FLEX 100 | User Guide - Page 35
    the Web Configurator screens. Go to https://businessforum.zyxel.com for product discussions. Click this to open the help page for the current screen. Click this to display basic information about the Zyxel Device. Click this to log out of the Web Configurator.
  • ZyXEL USG FLEX 100 | User Guide - Page 36
    Released Date OK DESCRIPTION This shows the firmware version of the Zyxel Device. This shows the date (yyyy-mm-dd) and time Guide for information about the commands. Logging in to the Zyxel Device with HTTPS, so you can open one or multiple console windows.
  • ZyXEL USG FLEX 100 | User Guide - Page 37
    screen. Table 5 Reference LABEL DESCRIPTION Type Select an object type to see the services. Name This identifies the object for which the configuration settings that use it are configuration item has a description configured, it displays here.
  • ZyXEL USG FLEX 100 | User Guide - Page 38
    in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the Zyxel Device's navigation panel menus and their screens. Figure 16 Navigation Panel
  • ZyXEL USG FLEX 100 | User Guide - Page 39
    and number. (For Zyxel Device model names containing 'W'.) Top N APs Lists managed APs with the most wireless traffic usage and most associated wireless stations. Single AP Lists APs wireless traffic usage and associated wireless stations for a managed AP.
  • ZyXEL USG FLEX 100 | User Guide - Page 40
    clients associated with the APs managed by the Zyxel Device. Top N Stations Lists wireless stations services. Service View the licensed service status and upgrade licensed services. Signature Update Signature Update signatures immediately or by a schedule.
  • ZyXEL USG FLEX 100 | User Guide - Page 41
    and manage port forwarding rules. Redirect Service Redirect Service Set up and manage HTTP and SMTP redirection rules. ALG ALG Configure SIP, H.323, and FTP pass-through settings. UPnP UPnP Configure interfaces that allow UPnP and NAT-PMP connections.
  • ZyXEL USG FLEX 100 | User Guide - Page 42
    on the Zyxel Device and the internal interface(s). Walled Garden Walled Garden Create walled garden links that display in the login screen. Advertisement Security Policy General/URL Base/ Domain/IP Base Advertisement Enable and set advertisement links.
  • ZyXEL USG FLEX 100 | User Guide - Page 43
    Service Zyxel Device won't intercept nor inspect the incoming packets that match the rules in the IP exception list for the anti-malware and/or IDP (Intrusion, Detection, and Prevention) features. Object Zone Zone Configure zone template(s) used to define various policies.
  • ZyXEL USG FLEX 100 | User Guide - Page 44
    and manually configure country-to-IP address mappings for geographic address objects that can be used in security policies. Service Service Create and manage TCP and UDP services. Schedule Service . View Log See logs of the active and passive devices
  • ZyXEL USG FLEX 100 | User Guide - Page 45
    and address records for the Zyxel Device. WWW Service Control Configure HTTP, HTTPS, Zyxel Device. View the current firmware version and upload firmware. Reboot with your choice of firmware. Shell Script Manage and run shell script files for the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 46
    problems. Routing Traces Configure traceroute to identify where packets are dropped for troubleshooting. Wireless Frame Capture Capture wireless frames from APs for analysis. Routing Status Check how the Zyxel columns to display • Group entries by field
  • ZyXEL USG FLEX 100 | User Guide - Page 47
    table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 22 Common Table Icons
  • ZyXEL USG FLEX 100 | User Guide - Page 48
    that you have not yet applied. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it to move them to the other list. Figure 23 Working with Lists
  • ZyXEL USG FLEX 100 | User Guide - Page 49
    4.25 or later, you have to register your Zyxel Device and activate the corresponding service at myZyxel (through your Zyxel Device). This chapter provides information on configuring the Web interface's type of encapsulation and method of IP address assignment.
  • ZyXEL USG FLEX 100 | User Guide - Page 50
    screen. The following fields display if you selected static IP address assignment. • IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
  • ZyXEL USG FLEX 100 | User Guide - Page 51
    before you can access it. The Zyxel Device uses these (in the order Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
  • ZyXEL USG FLEX 100 | User Guide - Page 52
    must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 53
    remote node. • Chap - Your Zyxel Device accepts CHAP only. • PAP - Your Zyxel Device accepts PAP only. • MSCHAP - Your Zyxel Device accepts MSCHAP only. • MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only. • Server IP: Type the IP address of the PPTP server.
  • ZyXEL USG FLEX 100 | User Guide - Page 54
    must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 55
    node. • Chap - Your Zyxel Device accepts CHAP only. • PAP - Your Zyxel Device accepts PAP only. • MSCHAP - Your Zyxel Device accepts MSCHAP only. • MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only. Base IP Address (static) assigned to you by your ISP.
  • ZyXEL USG FLEX 100 | User Guide - Page 56
    must know the IP address of a computer before you can access it. The Zyxel Device uses these (in the order you specify here) to resolve domain names service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 57
    , you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 2.1.1 on page 49).
  • ZyXEL USG FLEX 100 | User Guide - Page 58
    Access: Step 3: Second WAN Interface 2.1.7 Internet Access: Congratulations You have set up your Zyxel Device to access the Internet. A screen displays with your settings. Click Connection Test to ISP or network administrator. Figure 31 Internet Access: Summary
  • ZyXEL USG FLEX 100 | User Guide - Page 59
    . Figure 32 Date and Time Settings 2.1.9 Register Device Click the Register button in this screen to register your device at portal.myzyxel.com. Note: The Zyxel Device must be connected to the Internet in order to register.
  • ZyXEL USG FLEX 100 | User Guide - Page 60
    it at myZyxel if you have not already done so. Refer to the label at the back of the Zyxel Device's for details. Figure 34 myZyxel Login Click Refresh or use the Configuration > Licensing > Registration screen to update your Zyxel Device registration status.
  • ZyXEL USG FLEX 100 | User Guide - Page 61
    -spam signatures to mark or discard spam (unsolicited commercial or junk email). • SecuReporter: collect and analyze logs from your Zyxel Device in order to identify anomalies, notify you of potential internal or external threats, and report on network usage.
  • ZyXEL USG FLEX 100 | User Guide - Page 62
    Chapter 2 Initial Setup Wizard Figure 36 USG FLEX 500 Activate Service Click Refresh and wait a few moments for analyze logs from your Zyxel Device in order to identify anomalies, notify you of potential internal or external threats, and report on network usage.
  • ZyXEL USG FLEX 100 | User Guide - Page 63
    USG FLEX Service Settings 2.1.12 Service Settings: SecuReporter Use this screen to add the Zyxel Device to a new or existing organization, and choose the level of data protection for traffic going through this Zyxel , will be identifiable in downloaded logs.
  • ZyXEL USG FLEX 100 | User Guide - Page 64
    . Select Built-in AP if you want WiFi clients to access your Zyxel Device wirelessly. Select AP Controller to allow the Zyxel Device to manage APs in the same network as the Zyxel Device. Both modes cannot work simultaneously. Click Next to continue the wizard.
  • ZyXEL USG FLEX 100 | User Guide - Page 65
    an AP Controller that can manage APs in the same network as the Zyxel Device. Select Yes if you want your Zyxel Device to manage APs in your network; otherwise select No. Figure 41 ASCII characters (including spaces and symbols) or 64 hexadecimal characters.
  • ZyXEL USG FLEX 100 | User Guide - Page 66
    broadcast domain as devices in the AP wireless network. Figure 42 Wireless Settings: SSID & Security 2.1.16 Remote Management Select this to allow access to the Zyxel Device using HTTP or HTTPS from the Internet.
  • ZyXEL USG FLEX 100 | User Guide - Page 67
    Chapter 2 Initial Setup Wizard Figure 43 Remote Management HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in Object > Service > Service Group screen when you enable Remote Management. Figure 44 Object > Service > Service Group - HTTPS
  • ZyXEL USG FLEX 100 | User Guide - Page 68
    mapping, and default interface / zone mapping please see Section 3.3 on page 75. 3.1.1 Front Panels The LED indicators are located on the front panel. Figure 45 USG FLEX 100 Front Panel Figure 46 USG FLEX 200 Front Panel Figure 47 USG FLEX 500 Front Panel
  • ZyXEL USG FLEX 100 | User Guide - Page 69
    port. The Zyxel Device is Zyxel Device is sending or receiving packets on this port at 1000 Mbps. There is no connection on this port. This port has a successful 10/100 Mbps link. The Zyxel Device is sending or receiving packets on this port at 10/100 Mbps.
  • ZyXEL USG FLEX 100 | User Guide - Page 70
    are located on the rear panel. Figure 48 USG FLEX 100 Rear Panel Figure 49 USG FLEX 200 Rear Panel Figure 50 USG FLEX 500 Rear Panel Note: Make sure you connect the Zyxel Device's power cord to a socket-outlet with an earthing connection or its equivalent.
  • ZyXEL USG FLEX 100 | User Guide - Page 71
    for the ventilation holes to prevent your Zyxel Device from overheating. Do not store things on the Zyxel Device. Do not place a Zyxel Device on another high temperature device. Overheating could affect the performance of your Zyxel Device, or even damage it.
  • ZyXEL USG FLEX 100 | User Guide - Page 72
    Attaching Rubber Feet 4 Set the Zyxel Device on a smooth, level surface strong enough to support the weight of the Zyxel Device and the connected cables. Make Zyxel Device and secure it with the included bracket screws (smaller than the rack-mounting screws).
  • ZyXEL USG FLEX 100 | User Guide - Page 73
    DISTANCE "X" USG FLEX 100 174 mm (6.85") USG FLEX 200 206 mm (8.11") 1 Drill into a wall two holes 3 mm - 4 mm (0.12" - 0.16") wide, 20 mm - 30 mm (0.79" - 1.18") deep and a distance X (see the preceding table) apart. Place two screw anchors in the holes.
  • ZyXEL USG FLEX 100 | User Guide - Page 74
    the screw slots and the connection cables to run down the back of the Zyxel Device. Note: Make sure the screws are securely fixed to the wall and strong enough to hold the the wall to allow air circulation and the attachment of cables and the power cord.
  • ZyXEL USG FLEX 100 | User Guide - Page 75
    NO DEFAULT ZONE GE7 GE7_PPP GE8 GE8_PPP 3.4 Stopping the Zyxel Device Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the Zyxel Device or remove the power. Not doing so can cause the firmware to become corrupt.
  • ZyXEL USG FLEX 100 | User Guide - Page 76
    to enter a user name, password and the IP address of the Zyxel Device in the IPSec VPN Client to get all VPN settings automatically from the Zyxel Device. See Section 4.3 on page 83. Use VPN Settings for L2TP VPN Settings to configure the L2TP VPN for clients.
  • ZyXEL USG FLEX 100 | User Guide - Page 77
    Quick Setup Wizard 4.2.1 Choose an Ethernet Interface Select a WAN interface (names vary by model) that you want to configure for a WAN connection and click Next.
  • ZyXEL USG FLEX 100 | User Guide - Page 78
    your ISP gave it to you. 4.2.3 Configure WAN IP Settings Use this screen to select whether the interface should use a fixed or dynamic IP address.
  • ZyXEL USG FLEX 100 | User Guide - Page 79
    Internet access information exactly as your ISP gave it to you. Note: Enter the Internet access information exactly as your ISP gave it to you.
  • ZyXEL USG FLEX 100 | User Guide - Page 80
    Chapter 4 Quick Setup Wizards Figure 62 WAN and ISP Connection Settings: (PPTP) Figure 63 WAN and ISP Connection Settings: (PPPoE)
  • ZyXEL USG FLEX 100 | User Guide - Page 81
    PPPoE service name if you were given one by your ISP. • Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: • CHAP/PAP - Your Zyxel Device the (static) IP address assigned to you by your ISP.
  • ZyXEL USG FLEX 100 | User Guide - Page 82
    displays an example WAN interface's settings. Figure 65 Interface Wizard: Summary WAN • Encapsulation: This displays what encapsulation this interface uses to connect to the Internet.
  • ZyXEL USG FLEX 100 | User Guide - Page 83
    a PPPoE interface. It displays the PPPoE service name specified in the ISP account. • Server Up: If No displays the connection will not time out. Yes means the Zyxel Device uses the idle timeout. • Idle Timeout: This is how many to another computer or network.
  • ZyXEL USG FLEX 100 | User Guide - Page 84
    connect to another ZLD-based Zyxel Device using a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device. Figure 68 VPN Setup Wizard: Wizard Type
  • ZyXEL USG FLEX 100 | User Guide - Page 85
    derived. IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP The remote IPSec device has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel. • Site-to-site with Dynamic Peer - The
  • ZyXEL USG FLEX 100 | User Guide - Page 86
    Address (interface): Select an interface from the drop-down list box to use on your Zyxel Device. • Secure Gateway: Any displays in this field if it is not configurable for and paste into another ZLD-based Zyxel Device's command line interface to configure it.
  • ZyXEL USG FLEX 100 | User Guide - Page 87
    in this list. 4.3.6 VPN Express Wizard - Finish Now the rule is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 88
    - Scenario Click the Advanced radio button as shown in Figure 68 on page 84 to display the following screen. Figure 73 VPN Advanced Wizard: Scenario
  • ZyXEL USG FLEX 100 | User Guide - Page 89
    . IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth remote IPSec device has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel. • Site-to-site with Dynamic Peer Security Association).
  • ZyXEL USG FLEX 100 | User Guide - Page 90
    the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. • NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).
  • ZyXEL USG FLEX 100 | User Guide - Page 91
    in the main IPSec VPN screens for more information. • Dead Peer Detection (DPD) has the Zyxel Device make sure the remote IPSec device is there before transmitting data through the IKE SA. If match the remote IP address configured on the remote IPSec device.
  • ZyXEL USG FLEX 100 | User Guide - Page 92
    . • Local Policy: IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel. • Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.
  • ZyXEL USG FLEX 100 | User Guide - Page 93
    the IKE SA. • Aggressive is faster but does not encrypt the identities. The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through security. • SHA1 gives higher security. • SHA256 gives the highest security.
  • ZyXEL USG FLEX 100 | User Guide - Page 94
    is configured on the Zyxel Device. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Figure 77 VPN Wizard: Finish Click Close to exit the wizard.
  • ZyXEL USG FLEX 100 | User Guide - Page 95
    Provisioning to set up a VPN rule that can be retrieved with the Zyxel Device IPSec VPN Client. VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions. They must not contain the as shown in the previous screen to display the following screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 96
    are derived. • IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important Zyxel Device IPSec VPN Client. 4.4.2 Configuration Provisioning VPN Express Wizard - Configuration Click Next to continue the wizard.
  • ZyXEL USG FLEX 100 | User Guide - Page 97
    (interface): Select an interface from the drop-down list box to use on your Zyxel Device. • Secure Gateway: Any displays in this field because it is not configurable can copy and paste into another ZLD-based Zyxel Device's command line interface to configure it.
  • ZyXEL USG FLEX 100 | User Guide - Page 98
    Gateway screen and the Phase 2 rule settings appear in the Configuration > VPN > IPSec VPN > VPN Connection screen. Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 99
    radio button as shown in Figure 78 on page 95 to display the following screen. Figure 83 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings
  • ZyXEL USG FLEX 100 | User Guide - Page 100
    supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports from the Zyxel Device ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 101
    Diffie-Hellman Group 5 a 1536 bit random number. • SA Life Time: Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the . The stronger the algorithm, the slower it is. ZyWALL USG FLEX Series User's Guide 101
  • ZyXEL USG FLEX 100 | User Guide - Page 102
    client role scenarios. Select this to have the Zyxel Device automatically renegotiate the IPSec SA when the SA life time expires. 4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard Summary This is a read-only summary of the VPN tunnel settings. ZyWALL USG FLEX Series User's Guide 102
  • ZyXEL USG FLEX 100 | User Guide - Page 103
    : IP address and subnet mask of the computers on the network behind your Zyxel Device that can use the tunnel. • Remote Policy: Any displays in this encrypts the ZyWALL/USG's and remote IPSec router's identities but takes more time to establish the IKE SA. ZyWALL USG FLEX Series User's Guide 103
  • ZyXEL USG FLEX 100 | User Guide - Page 104
    gives minimal security. • SHA1 gives higher security. • SHA256 gives the highest security. The Configuration for Secure Gateway displays the configuration that the Zyxel Device IPSec VPN Client will get from the Zyxel Device. Click Save to save the VPN rule. ZyWALL USG FLEX Series User's Guide 104
  • ZyXEL USG FLEX 100 | User Guide - Page 105
    screen. Enter the IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device. Figure 87 VPN for Configuration Provisioning Advanced for L2TP VPN Settings to see the following screen. ZyWALL USG FLEX Series User's Guide 105
  • ZyXEL USG FLEX 100 | User Guide - Page 106
    a number. This value is case-sensitive. • My Address (interface): Select one of the interfaces from the pull down menu to apply the L2TP VPN rule. ZyWALL USG FLEX Series User's Guide 106
  • ZyXEL USG FLEX 100 | User Guide - Page 107
    can access it. The Zyxel Device uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. 4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary This is a read-only summary of the L2TP VPN settings. ZyWALL USG FLEX Series User's Guide 107
  • ZyXEL USG FLEX 100 | User Guide - Page 108
    ): This displays the interface to use on your Zyxel Device for the L2TP tunnel. • IP Address Pool: This displays the IP address pool used to assign to the L2TP VPN clients. Click Save to complete the L2TP VPN Setting and the following screen will show. ZyWALL USG FLEX Series User's Guide 108
  • ZyXEL USG FLEX 100 | User Guide - Page 109
    Settings for L2TP VPN Settings Wizard: Finish The rule is now configured on the Zyxel Device. The L2TP VPN rule settings appear in the Configuration > VPN > L2TP VPN screen and also in the Configuration > VPN > IPSec VPN > VPN Connection and VPN Gateway screen. ZyWALL USG FLEX Series User's Guide 109
  • ZyXEL USG FLEX 100 | User Guide - Page 110
    , and close individual widgets. Click on the icon to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information. The following screen is an example of a Brand 2.0 web configurator web style. ZyWALL USG FLEX Series User's Guide 110
  • ZyXEL USG FLEX 100 | User Guide - Page 111
    to display status details. Front Panel Click this to view details about the status of the Zyxel Device's front panel LEDs and connections. See Section 3.1.1 on page 68 for LED descriptions. An slot. Name This field displays the name of each interface. ZyWALL USG FLEX Series User's Guide 111
  • ZyXEL USG FLEX 100 | User Guide - Page 112
    Name screen where you can edit and make changes to the system and domain name. Serial Number This field displays the serial number of this Zyxel Device. The serial number is used for device tracking and control. ZyWALL USG FLEX Series User's Guide 112
  • ZyXEL USG FLEX 100 | User Guide - Page 113
    so on. Firmware Version This field displays the version number and date of the firmware the Zyxel Device is currently running. Click the link to open the Firmware Package screen where you can displays a line graph of packet statistics for each physical port. ZyWALL USG FLEX Series User's Guide 113
  • ZyXEL USG FLEX 100 | User Guide - Page 114
    displays the destination address (if any) in the packet that generated the log. 5.2.5 System Resources Screen Click the bar to see a graphic on that resource. ZyWALL USG FLEX Series User's Guide 114
  • ZyXEL USG FLEX 100 | User Guide - Page 115
    to display a chart of Zyxel Device's recent session usage. 5.2.6 DHCP Table Screen Click on the number to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. The following screen will show. ZyWALL USG FLEX Series User's Guide 115
  • ZyXEL USG FLEX 100 | User Guide - Page 116
    This field displays the name used to identify this device on the network (the computer name). The Zyxel Device learns these from the DHCP client requests. "None" shows here for a static DHCP entry. This Number of Login Users link to see the following screen. ZyWALL USG FLEX Series User's Guide 116
  • ZyXEL USG FLEX 100 | User Guide - Page 117
    . This field displays the user name of each user who is currently logged in to the Zyxel Device. This field displays the amount of reauthentication time remaining and the amount of lease time that are currently established. Figure 102 Dashboard > VPN Status ZyWALL USG FLEX Series User's Guide 117
  • ZyXEL USG FLEX 100 | User Guide - Page 118
    5.3 The Advanced Threat Protection Screen Use the Advanced Threat Protection screen to check security status information about the Zyxel Device. Figure 104 Dashboard > Advanced Threat Protection - USG FLEX Series This screen gives the following information: ZyWALL USG FLEX Series User's Guide 118
  • ZyXEL USG FLEX 100 | User Guide - Page 119
    detected the most • Reputation filter reports • URL Threat filter reports • Threat statistics Click the Refresh icon to update the information in the window right away. ZyWALL USG FLEX Series User's Guide 119
  • ZyXEL USG FLEX 100 | User Guide - Page 120
    PART II Technical Reference 120
  • ZyXEL USG FLEX 100 | User Guide - Page 121
    Status > Session Monitor screen (see Section 6.5 on page 131) to view sessions by user or service. • Use the System Status > IGMP Statistics screen (see Section 6.8 on page 136) to view 147) to display which APs are currently connected to the Zyxel Device. ZyWALL USG FLEX Series User's Guide 121
  • ZyXEL USG FLEX 100 | User Guide - Page 122
    you can also clear the log in this screen. • Use the Log > View AP Log screen (see Section 6.37.2 on page 185) to view the Zyxel Device's current wireless AP log messages. ZyWALL USG FLEX Series User's Guide 122
  • ZyXEL USG FLEX 100 | User Guide - Page 123
    ). This field displays the number of packets transmitted from the Zyxel Device on the physical port since it was last connected. This field displays the number This field displays how long the Zyxel Device has been running since it last restarted or was turned on. ZyWALL USG FLEX Series User's Guide 123
  • ZyXEL USG FLEX 100 | User Guide - Page 124
    port since it was last connected. RX This line represents the traffic received by the Zyxel Device on the physical port since it was last connected. Last Update This field displays the date and time the information in the window was last updated. ZyWALL USG FLEX Series User's Guide 124
  • ZyXEL USG FLEX 100 | User Guide - Page 125
    6 Monitor 6.3 Interface Status Screen This screen lists all of the Zyxel Device's interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Summary to access this screen. Figure 107 Monitor > System Status > Interface Summary ZyWALL USG FLEX Series User's Guide 125
  • ZyXEL USG FLEX 100 | User Guide - Page 126
    its IP address from a DHCP server. This field lists which services the interface provides to the network. Examples include DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network. ZyWALL USG FLEX Series User's Guide 126
  • ZyXEL USG FLEX 100 | User Guide - Page 127
    This is the IP address of the interface. If the interface is active (and connected), the Zyxel Device tunnels local traffic sent to this IP address to the Remote Gateway Address. My Address This . Port This field displays the physical port number. ZyWALL USG FLEX Series User's Guide 127
  • ZyXEL USG FLEX 100 | User Guide - Page 128
    DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network. Action Use this field to get or to update the IP address for the interface statistics for virtual interfaces on top of this interface. ZyWALL USG FLEX Series User's Guide 128
  • ZyXEL USG FLEX 100 | User Guide - Page 129
    the Zyxel Device when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually on the Traffic Statistics screen. Figure 108 Monitor > System Status > Traffic Statistics ZyWALL USG FLEX Series User's Guide 129
  • ZyXEL USG FLEX 100 | User Guide - Page 130
    using. This field indicates whether the indicated protocol or service port is sending or receiving traffic. • Ingress - traffic is coming into the Zyxel Device through the interface • Egress - traffic is going out from the Zyxel Device through the interface ZyWALL USG FLEX Series User's Guide 130
  • ZyXEL USG FLEX 100 | User Guide - Page 131
    all established sessions that pass through the Zyxel Device for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed. • User who started the session • Protocol or service port used ZyWALL USG FLEX Series User's Guide 131
  • ZyXEL USG FLEX 100 | User Guide - Page 132
    View is set to all sessions. Select the service or service group whose sessions you want to view. The Zyxel Device identifies the service by comparing the protocol and destination port of each packet to the protocol and port of each service that is defined. ZyWALL USG FLEX Series User's Guide 132
  • ZyXEL USG FLEX 100 | User Guide - Page 133
    right to choose sorting method. This field displays the user in each active session. Service If you are looking at the sessions by users (or all sessions) report, click the Zyxel Device. To access this screen, click Monitor > System Status > Login Users. ZyWALL USG FLEX Series User's Guide 133
  • ZyXEL USG FLEX 100 | User Guide - Page 134
    status of the account used to log into the Zyxel Device. Accounting-on means accounting is being performed for the user login. Accounting-off means accounting has stopped for this user login. A "-" displays if accounting is not enabled for this login. ZyWALL USG FLEX Series User's Guide 134
  • ZyXEL USG FLEX 100 | User Guide - Page 135
    user name and password that allows a guest user to access the Internet or the Zyxel Device's services in a specified period of time. Multiple dynamic guest accounts can be automatically generated at the WAN interface before the Internet access expires. ZyWALL USG FLEX Series User's Guide 135
  • ZyXEL USG FLEX 100 | User Guide - Page 136
    the IP address of the computer used to log in to the Zyxel Device. Group This field displays the name of the dynamic guest group the field allowing more efficient use of resources when supporting these types of applications. Click Monitor > System Status ZyWALL USG FLEX Series User's Guide 136
  • ZyXEL USG FLEX 100 | User Guide - Page 137
    attempt to resolve the IP address for the domain name was successful or not. Updating means the Zyxel Device is currently attempting to resolve the IP address for the domain name. Last Update Time This this button to update the information on the screen. ZyWALL USG FLEX Series User's Guide 137
  • ZyXEL USG FLEX 100 | User Guide - Page 138
    assigned. Last Access This is when the device last established a session with the Zyxel Device through this interface. Description This field displays the description of the IP/MAC Monitor > System Status > Cellular Status to display this screen. ZyWALL USG FLEX Series User's Guide 138
  • ZyXEL USG FLEX 100 | User Guide - Page 139
    IMEI/ESN and IMSI. This is only available when the mobile broadband device is attached and activated on your Zyxel Device. Refer to Section 6.11.1 on page 141. # This field is a sequential value, and This field displays the model name of the cellular card. ZyWALL USG FLEX Series User's Guide 139
  • ZyXEL USG FLEX 100 | User Guide - Page 140
    connection. Service Provider This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the mobile broadband card. For example if the bill has not been paid or the account has expired. ZyWALL USG FLEX Series User's Guide 140
  • ZyXEL USG FLEX 100 | User Guide - Page 141
    the Zyxel Device. Service Provider This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the mobile broadband card. For example if the bill has not been paid or the account has expired. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 142
    signal strength mainly depends on the antenna output power and the distance between your Zyxel Device and the service provider's base station. This shows the name of the company that produced the index number of the UPnP-created NAT mapping rule entry. ZyWALL USG FLEX Series User's Guide 142
  • ZyXEL USG FLEX 100 | User Guide - Page 143
    rule (TCP or UDP). This field displays the port number on the Internal Client to which the Zyxel Device should forward incoming connection requests. This field displays the DNS host name or IP address of of its total capacity and what percentage that makes. ZyWALL USG FLEX Series User's Guide 143
  • ZyXEL USG FLEX 100 | User Guide - Page 144
    that uses the Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices on the same network as the computer on which the ZON utility is installed. Click Monitor > System Status > Ethernet Neighbor to see the following screen ZyWALL USG FLEX Series User's Guide 144
  • ZyXEL USG FLEX 100 | User Guide - Page 145
    DNS name server. The Zyxel Device updates FQDN-to-IP address mappings when the TTL (Time To Live) setting expires. You can configure FQDN objects in Configuration > Object > Address/Geo IP > Address or Configuration > Object > Address/Geo IP > Address Group. ZyWALL USG FLEX Series User's Guide 145
  • ZyXEL USG FLEX 100 | User Guide - Page 146
    address. This is the IP address of a host. TTL This field displays the number of seconds the Zyxel Device holds IP address - FQDN object mapping in its cache. The mapping is updated when the TTL > Address/Geo IP in the IPv6 Address Configuration field. ZyWALL USG FLEX Series User's Guide 146
  • ZyXEL USG FLEX 100 | User Guide - Page 147
    IPv6 address of a host. TTL This field displays the number of seconds the Zyxel Device holds IP address - FQDN object mapping in its cache. The mapping is Zyxel Device. Select NebulaFlexPRO to show the APs that can work in Nebula cloud management mode. ZyWALL USG FLEX Series User's Guide 147
  • ZyXEL USG FLEX 100 | User Guide - Page 148
    now • Conflict: APs with configurations in conflict with the Zyxel Device (see More Details) • Non Support: APs with features not supported by the Zyxel Device (see More Details) • Updating: APs that removed from the managed AP list right after you click OK. ZyWALL USG FLEX Series User's Guide 148
  • ZyXEL USG FLEX 100 | User Guide - Page 149
    is not available if the selected AP doesn't support suppression mode. Select an AP and click this button Zyxel Device and the information is unavailable as a result. Click Apply to save your changes back to the Zyxel Device. Click Refresh to update the AP list. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 150
    VLAN ID setting that conflicts with the VLAN ID setting on the Access Controller (the Zyxel Device). • A setting the Zyxel Device assigns to this AP does not match the AP's capability. 6.16.1 AP List List screen. Use this screen to look at configuration ZyWALL USG FLEX Series User's Guide 150
  • ZyXEL USG FLEX 100 | User Guide - Page 151
    with the Zyxel Device's settings for the AP. Non Support If any of the AP's configuration conflicts with the Zyxel Device's settings Zyxel Device's settings for the AP. Port Status Port This shows the name of the physical Ethernet port on the Zyxel Device. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 152
    this VLAN. This field displays the port of the Zyxel Device, on which the neighboring device is discovered. For Zyxel Devices that support Port Role, if ports 3 to 5 are grouped to the Zyxel Device. Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 152
  • ZyXEL USG FLEX 100 | User Guide - Page 153
    Chapter 6 Monitor 6.16.2 AP List: Config AP Select an AP and click the Config AP button in the Monitor > Wireless > AP Information > AP List table to display this screen. Figure 123 Monitor > Wireless > AP Information > AP List > Config AP ZyWALL USG FLEX Series User's Guide 153
  • ZyXEL USG FLEX 100 | User Guide - Page 154
    the AP VLAN setting with the setting you configure here. Select this to have the Zyxel Device change the AP's management VLAN to match the configuration in this screen. Enter back to the Zyxel Device. Click Cancel to close the window with changes unsaved. ZyWALL USG FLEX Series User's Guide 154
  • ZyXEL USG FLEX 100 | User Guide - Page 155
    It displays N/A (not applicable) only when the AP disconnects from the Zyxel Device and the information is unavailable as a result. This field displays the to the Zyxel Device to be managed (or subsequently passed on to an upstream gateway for managing). ZyWALL USG FLEX Series User's Guide 155
  • ZyXEL USG FLEX 100 | User Guide - Page 156
    AP does not allow you to adjust coverage depending on the orientation of the antenna for each radio using the web configurator or a physical switch. ZyWALL USG FLEX Series User's Guide 156
  • ZyXEL USG FLEX 100 | User Guide - Page 157
    window, select an entry and click the More Information button on the Radio List screen. Figure 125 Monitor > Wireless > AP Information > Radio List > More Information ZyWALL USG FLEX Series User's Guide 157
  • ZyXEL USG FLEX 100 | User Guide - Page 158
    the number of connected wireless stations. x-axis The x-axis represents the time over which a wireless client was connected. Refresh Click Refresh to update this screen. ZyWALL USG FLEX Series User's Guide 158
  • ZyXEL USG FLEX 100 | User Guide - Page 159
    about all the wireless stations that have connected to the AP for the preceding 24 hours. The y-axis represents the number of connected wireless stations. ZyWALL USG FLEX Series User's Guide 159
  • ZyXEL USG FLEX 100 | User Guide - Page 160
    y-axis represents the amount of traffic in megabytes/gigabytes. x-axis The x-axis represents the time over which wireless traffic flows transmitting from/to the AP. ZyWALL USG FLEX Series User's Guide 160
  • ZyXEL USG FLEX 100 | User Guide - Page 161
    time the managed AP first associated with the root AP or repeater. This field displays the MAC address of the managed AP (in repeater mode). ZyWALL USG FLEX Series User's Guide 161
  • ZyXEL USG FLEX 100 | User Guide - Page 162
    the SSID is defined, Security Mode This indicates which secure encryption method is being used by the SSID. Refresh Click Refresh to update this screen. ZyWALL USG FLEX Series User's Guide 162
  • ZyXEL USG FLEX 100 | User Guide - Page 163
    to view the top five or top ten traffic statistics of the wireless stations. Click Monitor > Wireless > Station Info > Top N Stations to display this screen. ZyWALL USG FLEX Series User's Guide 163
  • ZyXEL USG FLEX 100 | User Guide - Page 164
    Station Use this screen to view traffic statistics of the wireless station you specified. Click Monitor > Wireless > Station Info > Single Station to display this screen. ZyWALL USG FLEX Series User's Guide 164
  • ZyXEL USG FLEX 100 | User Guide - Page 165
    . Note: At least one radio of the APs connected to the Zyxel Device must be set to monitor mode (on the Configuration > Wireless > AP Management screen) in order to detect other wireless devices in its vicinity. Figure 133 Monitor > Wireless > Detected Device ZyWALL USG FLEX Series User's Guide 165
  • ZyXEL USG FLEX 100 | User Guide - Page 166
    last time the device was detected by the Zyxel Device. Refresh Click this to refresh the items Zyxel Device can connect to the printer and update the printer information. This field displays the descriptive name of the printer that you configured in the screen. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 167
    displays the name used to identify the Zyxel Device. Name This field displays the name of the IPSec SA. Policy This field displays the content of the local and remote policies for this IPSec SA. The IP addresses, not the address objects, are displayed. ZyWALL USG FLEX Series User's Guide 167
  • ZyXEL USG FLEX 100 | User Guide - Page 168
    remain in the SA life time, before the Zyxel Device automatically disconnects the IPSec SA. This field displays N/A if the IPSec SA uses manual keys. Inbound (Bytes) This field displays the is removed from the screen. Figure 136 Monitor > VPN Monitor > SSL ZyWALL USG FLEX Series User's Guide 168
  • ZyXEL USG FLEX 100 | User Guide - Page 169
    . Assigned IP This field displays the IP address that the Zyxel Device assigned for the remote user's computer to use within the L2TP VPN tunnel. Public IP This field displays the public IP address that the remote user is using to connect to the Internet. ZyWALL USG FLEX Series User's Guide 169
  • ZyXEL USG FLEX 100 | User Guide - Page 170
    rejected (in kilobytes). This traffic was rejected because it matched an application policy set to "reject". This is how much of the application's traffic the Zyxel Device identified by examining the IP payload. ZyWALL USG FLEX Series User's Guide 170
  • ZyXEL USG FLEX 100 | User Guide - Page 171
    or click Flush Data. Collecting starts over and a new collection start time displays. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. Click this button to update the report display. ZyWALL USG FLEX Series User's Guide 171
  • ZyXEL USG FLEX 100 | User Guide - Page 172
    they contained one of the content filtering custom service's list of forbidden keywords. 6.32 The Anti-Malware Screen Click Monitor > Security Statistics > Anti-Malware > Summary to display the following screen. This screen displays anti-malware statistics. ZyWALL USG FLEX Series User's Guide 172
  • ZyXEL USG FLEX 100 | User Guide - Page 173
    to list the most common destination IPv6 addresses for virus-infected files that Zyxel Device has detected. Select an entry and click this to add it to the anti-malware white list. Select an entry and click this to remove it from the anti-malware white list. ZyWALL USG FLEX Series User's Guide 173
  • ZyXEL USG FLEX 100 | User Guide - Page 174
    the entries by Source IP. It shows the source IP address of virus-infected files that the Zyxel Device has detected. This column displays when you display the entries by Source IPv6. It shows as follows when you display the top entries by destination IPv6. ZyWALL USG FLEX Series User's Guide 174
  • ZyXEL USG FLEX 100 | User Guide - Page 175
    starts over and a new collection start time displays. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. Click this button to update displays the total number of URLs that have been scanned. ZyWALL USG FLEX Series User's Guide 175
  • ZyXEL USG FLEX 100 | User Guide - Page 176
    > IDP > Summary to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 146 Monitor > Security Statistics > IDP > Summary: Signature Name ZyWALL USG FLEX Series User's Guide 176
  • ZyXEL USG FLEX 100 | User Guide - Page 177
    at which intrusion attempts were targeted. This field displays how many times the Zyxel Device has detected the event described in the entry. Click this to add this signature to the IDP white list. Click this to remove this signature from the IDP white list. ZyWALL USG FLEX Series User's Guide 177
  • ZyXEL USG FLEX 100 | User Guide - Page 178
    Click Monitor > Security Statistics > Email Security > Summary to display the following screen. This screen displays spam statistics. Figure 149 Monitor > Security Statistics > Email Security > Summary ZyWALL USG FLEX Series User's Guide 178
  • ZyXEL USG FLEX 100 | User Guide - Page 179
    a time. You can see the Zyxel Device's threshold of concurrent email sessions on the Email Security > Status screen. Statistics Use the Email Security > Summary screen to set whether the Zyxel Device forwards or drops sessions that exceed this threshold. ZyWALL USG FLEX Series User's Guide 179
  • ZyXEL USG FLEX 100 | User Guide - Page 180
    maximum number of email sessions that the Zyxel Device can check at once. An email session is when an email client and email server (or two email servers) connect through the Zyxel Device. Click this button to update the information displayed on this screen. ZyWALL USG FLEX Series User's Guide 180
  • ZyXEL USG FLEX 100 | User Guide - Page 181
    service the Zyxel Device uses. These statistics are for when the Zyxel Device actually queries the service servers. # This is the entry's index number in the list. Service This displays the name of the service Statistics > SSL Inspection > Summary ZyWALL USG FLEX Series User's Guide 181
  • ZyXEL USG FLEX 100 | User Guide - Page 182
    was last flushed or the Zyxel Device last rebooted after Collect Statistics was enabled This shows the number of kilobytes (KB) of data that was decrypted for Security Service inspection. This shows the number option to add that traffic to the Exclude List. ZyWALL USG FLEX Series User's Guide 182
  • ZyXEL USG FLEX 100 | User Guide - Page 183
    SSL session. SSL Version This field shows the SSL version. SSLv3/TLS1.0 is currently supported. Destination This displays the IP address and port number of the SSL traffic destination server. Debug Log. All debugging messages have the same priority. ZyWALL USG FLEX Series User's Guide 183
  • ZyXEL USG FLEX 100 | User Guide - Page 184
    . • The maximum possible number of log messages in the Zyxel Device varies by model. Events that generate an alert (as Address, Destination Address, Source Interface, Destination Interface, Service, Keyword, Protocol and Search fields are available. Select . ZyWALL USG FLEX Series User's Guide 184
  • ZyXEL USG FLEX 100 | User Guide - Page 185
    quotes, and brackets are not allowed. Protocol This displays when you show the filter. Select a service protocol whose log messages you would like to see. Search This displays when you show the filter. > Log > View AP Log to open the following screen. ZyWALL USG FLEX Series User's Guide 185
  • ZyXEL USG FLEX 100 | User Guide - Page 186
    when the log message was generated. Select a policy service available from Zyxel Device from the pull down menu. Type a keyword of the policy service available from Zyxel Device to search for a log. Select the protocol of the AP from the pull down menu. ZyWALL USG FLEX Series User's Guide 186
  • ZyXEL USG FLEX 100 | User Guide - Page 187
    log message. Destination This displays the source IP address of the selected log message. Note This field displays any additional information about the log message. ZyWALL USG FLEX Series User's Guide 187
  • ZyXEL USG FLEX 100 | User Guide - Page 188
    analysis for 30 days 7.1.2 Registration Screen Click the link in this screen to register your Zyxel Device at myZyxel. Then click Refresh in this screen and wait a few moments for the registration information to update. If the page does not refresh, make sure ZyWALL USG FLEX Series User's Guide 188
  • ZyXEL USG FLEX 100 | User Guide - Page 189
    Activate in this screen to enable both Trial and Standard services on this Zyxel Device. Click Configuration > Licensing > Registration > Service to open the screen as shown next. Figure 156 Configuration > Licensing > Registration > Service - USG FLEX 500 ZyWALL USG FLEX Series User's Guide 189
  • ZyXEL USG FLEX 100 | User Guide - Page 190
    license that allows SecuReporter to collect and analyze logs from your Zyxel Device in order to identify anomalies, notify you of potential internal instances of a service you can use with your current license. N/A means a count does not apply to this service. ZyWALL USG FLEX Series User's Guide 190
  • ZyXEL USG FLEX 100 | User Guide - Page 191
    need a service registration Zyxel Device does not have to reboot when you upload new signatures. 7.2.2 The Signature Screen Click Configuration > Licensing > Signature Update to display the following screen. Figure 157 Configuration > Licensing > Signature Update ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 192
    > Licensing > Signature Update LABEL DESCRIPTION Service Status Feature Type Current Version Released Date Zyxel Device check for new signatures once a week on the day and at the time specified. OK Click this button to save your changes to the Zyxel Device. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 193
    8.5 on page 211) to extend the wireless service coverage area of the managed APs when one of Zyxel Device allows new APs to connect to the network. Click Configuration > Wireless > Controller to access this screen. Figure 159 Configuration > Wireless > Controller ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 194
    select Manual. 5 Under Primary static AC IP, enter the IP address of the Zyxel Device. 6 Click Apply. The Zyxel Device can now manage the AP. 8.2.3 Connecting an AP to the Zyxel Device Using DHCP Option 138 1 Ensure that the Zyxel Device has a static IP address. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 195
    type of APs you want to display. Select All to show all kinds of APs that are currently or used to be connected to the Zyxel Device. Select NebulaFlexPRO to show the APs that can work in Nebula cloud management mode. ZyWALL USG FLEX Series User's Guide 195
  • ZyXEL USG FLEX 100 | User Guide - Page 196
    selected AP doesn't support suppression mode. Select an AP and click this button to run the locator feature. The AP's Locator LED will start to blink for 10 minutes by default. It will show the actual location of the AP between several devices on the network. ZyWALL USG FLEX Series User's Guide 196
  • ZyXEL USG FLEX 100 | User Guide - Page 197
    Status • Online All • Online • Conflict • Non Support • Updating • Offline All • Offline • Offline for Zyxel Device and the information is unavailable as a result. Click Apply to save your changes back to the Zyxel Device. Click Refresh to update the AP list. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 198
    Chapter 8 Wireless 8.3.1.1 Edit AP List Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen. Figure 161 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List ZyWALL USG FLEX Series User's Guide 198
  • ZyXEL USG FLEX 100 | User Guide - Page 199
    area for other APs, then passes their information on to the Zyxel Device where it can be determined if those APs are friendly clients. Root AP means the radio acts as an AP and also supports the wireless connections with other APs (in repeater mode) to form a ZyWALL USG FLEX Series User's Guide 199
  • ZyXEL USG FLEX 100 | User Guide - Page 200
    overwrite the AP VLAN setting with the setting you configure here. Select this to have the Zyxel Device change the AP's management VLAN to match the configuration in this screen. Enter a VLAN . Figure 162 Configuration > Wireless > AP Management > AP Policy ZyWALL USG FLEX Series User's Guide 200
  • ZyXEL USG FLEX 100 | User Guide - Page 201
    IP Config on AP Override Type Select this to have the Zyxel Device change the AP controller's IP address on the managed AP to find any other available AP controllers. Select Manual to replace the AP controller's IP address configured Management > AP Group ZyWALL USG FLEX Series User's Guide 201
  • ZyXEL USG FLEX 100 | User Guide - Page 202
    APs can use DCS. # Group Name Member Count Apply Reset Note: DCS is not supported on the radio which is working in repeater AP mode. This is the index number your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 202
  • ZyXEL USG FLEX 100 | User Guide - Page 203
    Edit button in the Configuration > Wireless > AP Management > AP Group table to display this screen. Figure 164 Configuration > Wireless > AP Management > AP Group > Add/Edit ZyWALL USG FLEX Series User's Guide 203
  • ZyXEL USG FLEX 100 | User Guide - Page 204
    the radio acts as an AP and also supports the wireless connections with other APs (in repeater Zyxel Device's effective broadcast radius. Edit Select an SSID and click this button to reassign it. The selected SSID becomes editable immediately upon clicking. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 205
    to enable load balancing on the Zyxel Device. Use this section to configure wireless network traffic load balancing between the managed APs in this group. Note: Load balancing is not supported on the radio which is working in root AP or repeater AP mode. ZyWALL USG FLEX Series User's Guide 205
  • ZyXEL USG FLEX 100 | User Guide - Page 206
    click the left arrow button to remove them. Click OK to save your changes back to the Zyxel Device. Click Cancel to close the window with changes unsaved. Click this button to overwrite the settings AP List screen for the APs in this group will be deselected. ZyWALL USG FLEX Series User's Guide 206
  • ZyXEL USG FLEX 100 | User Guide - Page 207
    , then the Zyxel Device will delete an existing firmware that no AP is using before downloading the new AP firmware. Click Configuration > Wireless > AP Management > Firmware to access this screen. Figure 165 Configuration > Wireless > AP Management > Firmware ZyWALL USG FLEX Series User's Guide 207
  • ZyXEL USG FLEX 100 | User Guide - Page 208
    displays the current AP firmware version on the Zyxel Device. The Zyxel Device must have the latest AP firmware to manage all supported APs. This field displays if there is a network's security. Click Configuration > Wireless > Rogue AP to access this screen. ZyWALL USG FLEX Series User's Guide 208
  • ZyXEL USG FLEX 100 | User Guide - Page 209
    WPA-PSK), Un-managed AP, Hidden SSID, SSID Keyword) of the characteristics an AP should have for the Zyxel Device to rule it as a rogue AP. Add Click this to add an SSID Keyword. Edit Select an SSID its status. Remove Select an AP in the list to remove. ZyWALL USG FLEX Series User's Guide 209
  • ZyXEL USG FLEX 100 | User Guide - Page 210
    A quarantined AP cannot grant access to any network services. Any stations that attempt to connect to a quarantined rogue AP containment. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 210
  • ZyXEL USG FLEX 100 | User Guide - Page 211
    service coverage areas. Apply Reset When the failed AP is working again, its neighbor APs return their output power to the original level. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 212
    three APs managed by the Zyxel Device (the more APs the better since it increases the amount of information the Ekahau RTLS Controller has for calculating the location of the tags) • IP addresses for the Ekahau Wi-Fi tags • A dedicated RTLS SSID is recommended ZyWALL USG FLEX Series User's Guide 212
  • ZyXEL USG FLEX 100 | User Guide - Page 213
    Controller in blink mode with TZSP Updater enabled • Security policies to allow RTLS traffic if the Zyxel Device security policy control is enabled or the Ekahau RTLS Controller is behind a firewall. For the server port number of the Ekahau RTLS Controller. ZyWALL USG FLEX Series User's Guide 213
  • ZyXEL USG FLEX 100 | User Guide - Page 214
    Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at ZyWALL USG FLEX Series User's Guide 214
  • ZyXEL USG FLEX 100 | User Guide - Page 215
    means to maintain bandwidth integrity. There are two kinds of wireless load balancing available on the Zyxel Device: Load balancing by station number limits the number of devices allowed to connect to your turn or get shunted to the nearest identical AP. ZyWALL USG FLEX Series User's Guide 215
  • ZyXEL USG FLEX 100 | User Guide - Page 216
    in configuring various features. An interface also describes a network that is directly connected to the Zyxel Device. For example, you connect the LAN network to the LAN interface. • Zones are although not all characteristics apply to each type of interface). ZyWALL USG FLEX Series User's Guide 216
  • ZyXEL USG FLEX 100 | User Guide - Page 217
    take advantage of some security features in the Zyxel Device. You can also assign an IP address and subnet mask to the bridge. • PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts Yes Yes Yes Interface Parameters VIRTUAL ** No Yes No Yes ZyWALL USG FLEX Series User's Guide 217
  • ZyXEL USG FLEX 100 | User Guide - Page 218
    if you use the CLI to set up a virtual interface. Relationships Between Interfaces In the Zyxel Device, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created * VLAN interface* bridge interface WAN1, WAN2, OPT* ZyWALL USG FLEX Series User's Guide 218
  • ZyXEL USG FLEX 100 | User Guide - Page 219
    x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) from the left is the network prefix. ZyWALL USG FLEX Series User's Guide 219
  • ZyXEL USG FLEX 100 | User Guide - Page 220
    .) This is a routable global IP address. Prefix Delegation Prefix delegation enables an IPv6 router (the Zyxel Device) to use the IPv6 prefix (network address) received from the ISP (or a connected uplink and other parameters to the hosts on the same network. ZyWALL USG FLEX Series User's Guide 220
  • ZyXEL USG FLEX 100 | User Guide - Page 221
    > System > IPv6 screen to enable IPv6 support on the Zyxel Device first. 9.2 Port Role To access Zyxel Device's interface IP address. • Use the appropriate interface IP address to access the Zyxel Device. Figure 174 Configuration > Network > Interface > Port Role ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 222
    's LAN radio button to use the port as part of the LAN interface. The port will use the Zyxel Device's LAN IP address and MAC address. When you assign more than one physical port to a network . Figure 175 Configuration > Network > Interface > Port Configuration ZyWALL USG FLEX Series User's Guide 222
  • ZyXEL USG FLEX 100 | User Guide - Page 223
    bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. Zyxel Device supports the following routing protocols: RIP, OSPF and BGP. See Chapter 10 on page 324 for background information about these routing protocols. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 224
    modify the entry's settings. Remove To remove a virtual interface, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an interface, select This field displays the description of the interface. ZyWALL USG FLEX Series User's Guide 224
  • ZyXEL USG FLEX 100 | User Guide - Page 225
    method for the selected area. • Select in which direction(s) routing information is exchanged - The Zyxel Device can receive routing information, send routing information, or do both. Set the priority used to identify the DR or BDR if one does not exist. ZyWALL USG FLEX Series User's Guide 225
  • ZyXEL USG FLEX 100 | User Guide - Page 226
    Enable IGMP Upstream (US) on the Zyxel Device interface that connects to a router (R) running IGMP that is closer to the multicast server (MS). • Enable IGMP Downstream on the Zyxel Device interface which connects to the multicast hosts. Figure 177 IGMP Proxy ZyWALL USG FLEX Series User's Guide 226
  • ZyXEL USG FLEX 100 | User Guide - Page 227
    Chapter 9 Interfaces Figure 178 Configuration > Network > Interface > Ethernet > Edit (External Type) ZyWALL USG FLEX Series User's Guide 227
  • ZyXEL USG FLEX 100 | User Guide - Page 228
    Chapter 9 Interfaces Configuration > Network > Interface > Ethernet > Edit (External Type ZyWALL USG FLEX Series User's Guide 228
  • ZyXEL USG FLEX 100 | User Guide - Page 229
    Chapter 9 Interfaces Figure 179 Configuration > Network > Interface > Ethernet > Edit (Internal Type) ZyWALL USG FLEX Series User's Guide 229
  • ZyXEL USG FLEX 100 | User Guide - Page 230
    Chapter 9 Interfaces Configuration > Network > Interface > Ethernet > Edit (Internal Type) ZyWALL USG FLEX Series User's Guide 230
  • ZyXEL USG FLEX 100 | User Guide - Page 231
    Chapter 9 Interfaces Figure 180 Configuration > Network > Interface > Ethernet > Edit (OPT) ZyWALL USG FLEX Series User's Guide 231
  • ZyXEL USG FLEX 100 | User Guide - Page 232
    correspond. The Zyxel Device automatically manually configure a policy route to add routing and SNAT settings for the interface. Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 233
    want to specify the IP address, subnet mask, and gateway manually. IP Address Enter the IP address for this interface. same priority, the Zyxel Device uses the one that was configured first. Enable IGMP Support Select this to allow the Zyxel Device to act ZyWALL USG FLEX Series User's Guide 233
  • ZyXEL USG FLEX 100 | User Guide - Page 234
    down list. Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The Zyxel Device will append it to the delegated prefix. Address For example, you got a delegated prefix of 2003: others. See DHCPv6 on page 221 for more information. ZyWALL USG FLEX Series User's Guide 234
  • ZyXEL USG FLEX 100 | User Guide - Page 235
    hosts what preference they should use for the Zyxel Device. This helps hosts to choose their default router especially when there are multiple IPv6 routers on the network. Note: Make sure the hosts also support router preference to make this function work. ZyWALL USG FLEX Series User's Guide 235
  • ZyXEL USG FLEX 100 | User Guide - Page 236
    Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500. ZyWALL USG FLEX Series User's Guide 236
  • ZyXEL USG FLEX 100 | User Guide - Page 237
    . These fields appear if the Zyxel Device is a DHCP Relay. Enter the IP address of a DHCP server for the network. This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the Zyxel Device is a DHCP Server. ZyWALL USG FLEX Series User's Guide 237
  • ZyXEL USG FLEX 100 | User Guide - Page 238
    Server Default Router Zyxel Device - the DHCP clients use the IP address of this interface and the Zyxel Device works as a DNS relay. Type the IP address of the WINS (Windows Internet Naming Service) server that you This is the value set for the DHCP option. ZyWALL USG FLEX Series User's Guide 238
  • ZyXEL USG FLEX 100 | User Guide - Page 239
    and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to to use specific IP addresses. Select this option to have the Zyxel Device generate a log if a device connected to this interface attempts ZyWALL USG FLEX Series User's Guide 239
  • ZyXEL USG FLEX 100 | User Guide - Page 240
    default MAC address, a manually specified MAC address, or Zyxel Device will answer ARP requests coming from the WAN only if it contains 192.168.1.5 as the target IP address. Select an existing entry and click Remove to delete that entry. Related Setting ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 241
    screen where you can manually Route associate traffic with this interface. You must manually configure a policy Zyxel Device. The Zyxel Device then forwards the packet to the correct target IP address in its LAN. Figure 181 Proxy ARP 172.16.x.x 172.16.x.x ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 242
    the Zyxel Device to answer external interface ARP requests on behalf of a device on a supported make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual interfaces do not provide DHCP services, and they do not verify ZyWALL USG FLEX Series User's Guide 242
  • ZyXEL USG FLEX 100 | User Guide - Page 243
    network as the interface. Metric Enter the priority of the gateway (if any) on this interface. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the . The fields shown vary with the type of object. ZyWALL USG FLEX Series User's Guide 243
  • ZyXEL USG FLEX 100 | User Guide - Page 244
    entry. Service This is the type of setting that references the selected object. Click a service's name to display the service's additionally add DHCPv6 request or lease options which have the Zyxel Device add more information in the DHCPv6 packets. To ZyWALL USG FLEX Series User's Guide 244
  • ZyXEL USG FLEX 100 | User Guide - Page 245
    interface as a DHCPv4 server, you can additionally add DHCP extended options which have the Zyxel Device add more information in the DHCP packets. The available fields vary depending on the for the corresponding enterprise number in these fields. ZyWALL USG FLEX Series User's Guide 245
  • ZyXEL USG FLEX 100 | User Guide - Page 246
    screen. The following table lists the available DHCP extended options (defined in RFCs) on the Zyxel Device. See RFCs for more information. Table 102 DHCP Extended Options OPTION NAME CODE DESCRIPTION /PPTP/L2TP software on each computer on the network. ZyWALL USG FLEX Series User's Guide 246
  • ZyXEL USG FLEX 100 | User Guide - Page 247
    , the Zyxel Device always treats the ISP as a gateway. 9.5.1 PPP Interface Summary This screen lists every PPPoE/PPTP/L2TP interface. To access this screen, click Configuration > Network > Interface > PPP. Figure 188 Configuration > Network > Interface > PPP ZyWALL USG FLEX Series User's Guide 247
  • ZyXEL USG FLEX 100 | User Guide - Page 248
    remove a user-configured PPP interface, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate Inactivate might use this in testing the interface or to manually establish the connection for a Dial-on-Demand PPPoE/ ZyWALL USG FLEX Series User's Guide 248
  • ZyXEL USG FLEX 100 | User Guide - Page 249
    Chapter 9 Interfaces Figure 189 Configuration > Network > Interface > PPP > Add ZyWALL USG FLEX Series User's Guide 249
  • ZyXEL USG FLEX 100 | User Guide - Page 250
    up. Clear this to have the Zyxel Device establish the PPPoE/PPTP/L2TP connection read-only. It displays the PPPoE service name specified in the ISP account. manually. This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 251
    priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first. These IP address to obtain an IP address and DNS information from the service provider for the interface. Otherwise, select N/A to disable the ZyWALL USG FLEX Series User's Guide 251
  • ZyXEL USG FLEX 100 | User Guide - Page 252
    Check Fail Tolerance Check Default Gateway Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify Zyxel Device stops routing through the gateway. Select this to use the default gateway for the connectivity check. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 253
    manually configure a policy route to associate traffic with this interface. OK Click OK to save your changes back to the Zyxel are the 4G candidate systems. 4G only supports all-IP-based packet-switched telephony services and is required to offer Gigabit speed ZyWALL USG FLEX Series User's Guide 253
  • ZyXEL USG FLEX 100 | User Guide - Page 254
    known as TIA-EIA-95. Slow 2.5G Packet-switched GPRS (General Packet Radio Services), High-Speed Circuit-Switched Data (HSCSD), etc. CDMA2000 is a hybrid 2. : The WAN IP addresses of a Zyxel Device with multiple WAN interfaces must be on different subnets. ZyWALL USG FLEX Series User's Guide 254
  • ZyXEL USG FLEX 100 | User Guide - Page 255
    might use this in testing the interface or to manually establish the connection. To disconnect an interface, Zyxel Device at myZyxel. myZyxel hosts a list of supported mobile broadband dongle devices. You should have an Internet connection to access this website. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 256
    button to download the latest list of supported mobile broadband dongle devices to the Zyxel Device. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the mobile broadband device in the previous pop-up window. ZyWALL USG FLEX Series User's Guide 256
  • ZyXEL USG FLEX 100 | User Guide - Page 257
    Chapter 9 Interfaces Figure 191 Configuration > Network > Interface > Cellular > Add / Edit ZyWALL USG FLEX Series User's Guide 257
  • ZyXEL USG FLEX 100 | User Guide - Page 258
    Profile 1 unless your ISP instructed you to do otherwise). to manually input the APN (Access Point Name) provided by your service provider The Zyxel Device supports PAP Zyxel Device accepts CHAP requests only. PAP - Your Zyxel Device accepts PAP requests only. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 259
    the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Enter the number of seconds between connection check attempts. Enter the number of seconds to wait for a response before the attempt is a failure. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 260
    the Zyxel Device uses service available to you in your region. Select auto to have the card connect to an available network. Choose this option if you do not know what networks are available. You may want to manually USG dongle for 4G technology is inserted. ZyWALL USG FLEX Series User's Guide 260
  • ZyXEL USG FLEX 100 | User Guide - Page 261
    the Zyxel Device takes when the specified percentage of time budget or data limit is exceeded. Enter a number from 1 to 99 in the percentage fields. If you change the value after you configure and enable budget control, the Zyxel Device resets the statistics. ZyWALL USG FLEX Series User's Guide 261
  • ZyXEL USG FLEX 100 | User Guide - Page 262
    between the Zyxel Device and another router over an IPv4 network. At the time of writing, the Zyxel Device only supports GRE tunneling Zyxel Device, you can either set up a manual IPv6-in-IPv4 tunnel or an automatic 6to4 tunnel. The following describes each method: ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 263
    -to-site application such as two branch offices. Figure 194 IPv6-in-IPv4 Tunnel In the Zyxel Device, you must also manually configure a policy route for an IPv6-in-IPv4 tunnel to make the tunnel work. 6to4 The IPv6 address prefix becomes 2002:ca9c:1e29::/48. ZyWALL USG FLEX Series User's Guide 263
  • ZyXEL USG FLEX 100 | User Guide - Page 264
    you can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it . Name This field displays the name of the interface. ZyWALL USG FLEX Series User's Guide 264
  • ZyXEL USG FLEX 100 | User Guide - Page 265
    the Zyxel Device. Reset Click Reset to begin configuring this screen afresh. 9.7.2 Tunnel Add or Edit Screen This screen lets you configure a tunnel interface. Click Configuration > Network > Interface > Tunnel > Add (or Edit) to open the following screen. ZyWALL USG FLEX Series User's Guide 265
  • ZyXEL USG FLEX 100 | User Guide - Page 266
    display a greater or lesser number of configuration fields. General Settings Enable Select this to enable this interface. Clear this to disable this interface. Interface Properties ZyWALL USG FLEX Series User's Guide 266
  • ZyXEL USG FLEX 100 | User Guide - Page 267
    lower the number, the higher the priority. If two or more gateways have the same priority, the Zyxel Device uses the one that was configured first. This section is available if you are configuring a 6to4 gateway sends traffic to this interface or IP address. ZyWALL USG FLEX Series User's Guide 267
  • ZyXEL USG FLEX 100 | User Guide - Page 268
    WAN trunk load balancing. Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 268
  • ZyXEL USG FLEX 100 | User Guide - Page 269
    security - If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN. ZyWALL USG FLEX Series User's Guide 269
  • ZyXEL USG FLEX 100 | User Guide - Page 270
    VLAN Interfaces Overview In the Zyxel Device, each VLAN is called a VLAN interface. As a router, the Zyxel Device routes traffic between VLAN restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. VLAN ZyWALL USG FLEX Series User's Guide 270
  • ZyXEL USG FLEX 100 | User Guide - Page 271
    to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. 9.8.2 VLAN Add/Edit Select an existing entry on the previous screen and click Edit or click Add to create a new entry. The following screen appears. ZyWALL USG FLEX Series User's Guide 271
  • ZyXEL USG FLEX 100 | User Guide - Page 272
    Chapter 9 Interfaces Figure 201 Configuration > Network > Interface > VLAN > Add /Edit ZyWALL USG FLEX Series User's Guide 272
  • ZyXEL USG FLEX 100 | User Guide - Page 273
    Chapter 9 Interfaces ZyWALL USG FLEX Series User's Guide 273
  • ZyXEL USG FLEX 100 | User Guide - Page 274
    following option depending on the type of network to which the Zyxel Device is connected or if you want to additionally manually configure some related settings. internal is for connecting to a each VLAN. Allowed values are 1 - 4094. (0 and 4095 are reserved.) ZyWALL USG FLEX Series User's Guide 274
  • ZyXEL USG FLEX 100 | User Guide - Page 275
    more gateways have the same priority, the Zyxel Device uses the one that was configured first. Enable IGMP Support Select this to allow the Zyxel Device to act as an IGMP proxy and the network prefix that the Zyxel Device generates itself for the interface. ZyWALL USG FLEX Series User's Guide 275
  • ZyXEL USG FLEX 100 | User Guide - Page 276
    list. Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The Zyxel Device will append it to the delegated prefix. Address For example, you got a delegated prefix of 2003 DUID generated from the interface's default MAC address. ZyWALL USG FLEX Series User's Guide 276
  • ZyXEL USG FLEX 100 | User Guide - Page 277
    hosts what preference they should use for the Zyxel Device. This helps hosts to choose their default router especially when there are multiple IPv6 routers on the network. Note: Make sure the hosts also support router preference to make this function work. ZyWALL USG FLEX Series User's Guide 277
  • ZyXEL USG FLEX 100 | User Guide - Page 278
    Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500. ZyWALL USG FLEX Series User's Guide 278
  • ZyXEL USG FLEX 100 | User Guide - Page 279
    Pool Size must also be blank. In this case, the Zyxel Device can assign every IP address allowed by the interface's IP address and subnet mask, except for the first address (network address), last address (broadcast address) and the interface's IP address. ZyWALL USG FLEX Series User's Guide 279
  • ZyXEL USG FLEX 100 | User Guide - Page 280
    to another device's MAC address. Configure a list of static IP addresses the Zyxel Device assigns to computers connected to the interface. Otherwise, the Zyxel Device assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size. ZyWALL USG FLEX Series User's Guide 280
  • ZyXEL USG FLEX 100 | User Guide - Page 281
    effective when RIP is enabled. Select this to send RIP-2 packets using subnet broadcasting; otherwise, the Zyxel Device uses multicasting. See Section 10.7 on page 327 for more information about OSPF. Select the area , and it can be up to 16 characters long. ZyWALL USG FLEX Series User's Guide 281
  • ZyXEL USG FLEX 100 | User Guide - Page 282
    assigned default MAC address, a manually specified MAC address, or Zyxel Device. Click Cancel to exit this screen without saving. 9.9 Bridge Interfaces This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 283
    interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole Zyxel Device as a transparent bridge, add all of the Zyxel Device's interfaces to a bridge interface. ZyWALL USG FLEX Series User's Guide 283
  • ZyXEL USG FLEX 100 | User Guide - Page 284
    and any associated virtual Ethernet interfaces) When you create a bridge interface, the Zyxel Device removes the members' entries from the routing table and adds the bridge > Interface > Bridge. Figure 202 Configuration > Network > Interface > Bridge ZyWALL USG FLEX Series User's Guide 284
  • ZyXEL USG FLEX 100 | User Guide - Page 285
    can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate Inactivate To turn on an entry, on the Bridge Summary screen. The following screen appears. ZyWALL USG FLEX Series User's Guide 285
  • ZyXEL USG FLEX 100 | User Guide - Page 286
    Chapter 9 Interfaces Figure 203 Configuration > Network > Interface > Bridge > Add / Edit ZyWALL USG FLEX Series User's Guide 286
  • ZyXEL USG FLEX 100 | User Guide - Page 287
    Chapter 9 Interfaces ZyWALL USG FLEX Series User's Guide 287
  • ZyXEL USG FLEX 100 | User Guide - Page 288
    following option depending on the type of network to which the Zyxel Device is connected or if you want to additionally manually configure some related settings. internal is for connecting to a . Spaces are allowed, but the string can't start with a space. ZyWALL USG FLEX Series User's Guide 288
  • ZyXEL USG FLEX 100 | User Guide - Page 289
    more gateways have the same priority, the Zyxel Device uses the one that was configured first. Enable IGMP Support Select this to allow the Zyxel Device to act as an IGMP proxy and the network prefix that the Zyxel Device generates itself for the interface. ZyWALL USG FLEX Series User's Guide 289
  • ZyXEL USG FLEX 100 | User Guide - Page 290
    down list. Enter the ending part of the IPv6 address, a slash (/), and the prefix length. The Zyxel Device will append it to the delegated prefix. Address For example, you got a delegated prefix of 2003 is generated from the interface's default MAC address. ZyWALL USG FLEX Series User's Guide 290
  • ZyXEL USG FLEX 100 | User Guide - Page 291
    use the prefix in the router advertisement message. Select this to have the Zyxel Device indicate to hosts to obtain DNS information through DHCPv6. Clear this to have the Zyxel Device indicate to hosts that DNS information is not available in this network. ZyWALL USG FLEX Series User's Guide 291
  • ZyXEL USG FLEX 100 | User Guide - Page 292
    multiple IPv6 routers on the network. Note: Make sure the hosts also support router preference to make this function work. MTU Hop Limit The Maximum , the Zyxel Device can send through the interface to the network. Allowed values are 0 - 1048576. ZyWALL USG FLEX Series User's Guide 292
  • ZyXEL USG FLEX 100 | User Guide - Page 293
    DHCP service the Zyxel Device provides to the network. Choices are: None - the Zyxel Device does not provide any DHCP services. There is already a DHCP server on the network. DHCP Relay - the Zyxel Device , select Custom Defined and enter the IP address. ZyWALL USG FLEX Series User's Guide 293
  • ZyXEL USG FLEX 100 | User Guide - Page 294
    and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to to use specific IP addresses. Select this option to have the Zyxel Device generate a log if a device connected to this interface attempts ZyWALL USG FLEX Series User's Guide 294
  • ZyXEL USG FLEX 100 | User Guide - Page 295
    target IP addresses. For example, if the IPv4 Address is 192.168.1.5, then the Zyxel Device will answer ARP requests coming from the WAN only if it contains 192.168.1.5 as the target IP address. Select an existing entry and click Remove to delete that entry. ZyWALL USG FLEX Series User's Guide 295
  • ZyXEL USG FLEX 100 | User Guide - Page 296
    to the screen where you can manually configure a policy route to Route associate traffic with OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen supported • The IPSec VTI is limited to IP unicast and multicast traffic only. ZyWALL USG FLEX Series User's Guide 296
  • ZyXEL USG FLEX 100 | User Guide - Page 297
    can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select icon in Network > Interface > VTI. The following screen appears.
  • ZyXEL USG FLEX 100 | User Guide - Page 298
    VPN tunnel interface in vtix format, where x is a number from 0 to the maximum number of VPN connections allowed for this model. For example, enter vti10.
  • ZyXEL USG FLEX 100 | User Guide - Page 299
    two or more gateways have the same priority, the Zyxel Device uses the one that was configured first. Enable IGMP Support Select this to allow the Zyxel Device to act as an IGMP proxy for hosts Section 10.6 on page 325 for more information about RIP.
  • ZyXEL USG FLEX 100 | User Guide - Page 300
    Policy Route to go to the screen where you can manually configure a policy route to Route associate traffic with this bridge interface. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 301
    VoIP service Zyxel Device is using active/active load balancing. So when LAN user A tries to access something on the server, the request goes out through wan2. 3 The server finds that the request comes from wan2's IP address instead of wan1's IP address and rejects the request.
  • ZyXEL USG FLEX 100 | User Guide - Page 302
    412K and WAN 2 is 198K. The Zyxel Device calculates the load balancing index as services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming
  • ZyXEL USG FLEX 100 | User Guide - Page 303
    overloading the interface. In this example figure, the upper threshold of the first interface is set to 800K. The Zyxel Device sends network traffic of new sessions that exceed this limit to the secondary WAN interface. Figure 209 Spillover Algorithm Example
  • ZyXEL USG FLEX 100 | User Guide - Page 304
    Default SNAT Select this to have the Zyxel Device use the IP address of the Zyxel Device is to use the default system WAN trunk or one of the user configured WAN trunks as the default trunk for routing traffic from internal interfaces to external interfaces.
  • ZyXEL USG FLEX 100 | User Guide - Page 305
    entry's settings. Remove To remove a user-configured trunk, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click 211 Configuration > Network > Interface > Trunk > Add (or Edit)
  • ZyXEL USG FLEX 100 | User Guide - Page 306
    part of another Ethernet interface, the Zyxel Device does not send traffic through the Zyxel Device assigns to each member interface. The higher an interface's weight is (relative to the weights of the interfaces), the more sessions that interface should handle.
  • ZyXEL USG FLEX 100 | User Guide - Page 307
    least load first load balancing algorithm. It displays the maximum number of kilobits of data the Zyxel Device is to allow to come in through the interface per second. Egress Bandwidth Note: Configuration > Network > Interface > Trunk > Edit (System Default)
  • ZyXEL USG FLEX 100 | User Guide - Page 308
    interfaces in the order that they are listed. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. 9.13 Interface Technical Reference Here is more detailed information about interfaces on the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 309
    subnet mask manually. In general Zyxel Device uses the one that was set up first (the first entry in the routing table). In PPPoE/PPTP/L2TP interfaces, the other computer is the gateway for the interface by default. In this case, you should specify the metric.
  • ZyXEL USG FLEX 100 | User Guide - Page 310
    Zyxel Device allows in through the interface from the network. At the time of writing, the Zyxel Device does not support reduces the amount of manual configuration you have to client. In the Zyxel Device, some interfaces can provide DHCP services to the network.
  • ZyXEL USG FLEX 100 | User Guide - Page 311
    120.120.199 The Zyxel Device cannot assign the services for DHCP clients. You can specify each IP address manually services. This makes it easier for the service provider to offer the service • PPPoE does not usually require any special configuration of the modem.
  • ZyXEL USG FLEX 100 | User Guide - Page 312
    more complicated to set up. It supports up to 256-bit session keys using the IPSec protocol. When security is a priority, L2TP is a good option as it requires certificates unlike PPTP. It uses the following ports: UDP 500, Protocol 50, UDP 1701 and UDP 4500.
  • ZyXEL USG FLEX 100 | User Guide - Page 313
    the Zyxel Device's LAN interface. The Zyxel Device routes most traffic from A to the Internet through the Zyxel Device's default gateway (R1). You create one policy route to connect to services offered 10.3 on page 322) to list and configure static routes.
  • ZyXEL USG FLEX 100 | User Guide - Page 314
    schedules, NAT, and bandwidth management. • Policy routes are only used within the Zyxel Device itself. Static routes can be propagated to other routers using RIP or OSPF (class of service) is a way of managing traffic in a network by grouping similar types of
  • ZyXEL USG FLEX 100 | User Guide - Page 315
    DSCP Marking and Per-Hop Behavior DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2- on configuration walkthroughs, troubleshooting, and other information.
  • ZyXEL USG FLEX 100 | User Guide - Page 316
    you can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it as they are applied in order of their numbering.
  • ZyXEL USG FLEX 100 | User Guide - Page 317
    service object. any means all services. This is the name of a service object. The Zyxel Device applies the policy route to the packets sent from the corresponding service port. any means all service settings except the Address Translation (SNAT) settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 318
    Chapter 10 Routing Figure 216 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration)
  • ZyXEL USG FLEX 100 | User Guide - Page 319
    next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the Zyxel Device uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
  • ZyXEL USG FLEX 100 | User Guide - Page 320
    Service Source Zyxel Device send the packets via the interfaces in the group. This field displays when you select Interface in the Type field. Select an interface to have the Zyxel Device send traffic that matches the policy route through the specified interface.
  • ZyXEL USG FLEX 100 | User Guide - Page 321
    10 seconds). Check Fail Tolerance: Enter the number of consecutive failures before the Zyxel Device stops routing using this policy (1-10). Check Port: This field only displays to the Zyxel Device. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 322
    can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. # This is the number of an individual screen to configure the required information for a static route.
  • ZyXEL USG FLEX 100 | User Guide - Page 323
    . The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations. Select the to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 324
    about the network from other routers. The Zyxel Device stores this routing information in the routing table it uses to make routing decisions. In turn, the Zyxel Device can also use routing protocols to propagate routing information to other routers.
  • ZyXEL USG FLEX 100 | User Guide - Page 325
    334) to configure eBGP (exterior Border Gate Protocol). 10.5.1 What You Need to Know The Zyxel Device supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared here and discussed > Routing > RIP to open the following screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 326
    to be precise, but it must be between 0 and 16. In practice, 2 or 3 is usually used. Click this button to save your changes to the Zyxel Device. Click this button to return the screen to its last-saved settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 327
    System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. . Each type of area is illustrated in the following figure.
  • ZyXEL USG FLEX 100 | User Guide - Page 328
    area 0. By default, every router in area 0 is a backbone router, and so is every ABR. Each type of router is illustrated in the following example.
  • ZyXEL USG FLEX 100 | User Guide - Page 329
    100 and the backbone. You cannot create a virtual link to a router in a different area. OSPF Configuration Follow these steps when you configure OSPF on the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 330
    10.7.1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the Zyxel Device uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides 2 - cost = external cost (Metric); the OSPF AS cost is ignored.
  • ZyXEL USG FLEX 100 | User Guide - Page 331
    modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References Figure 226 Configuration > Network > Routing > OSPF > Add
  • ZyXEL USG FLEX 100 | User Guide - Page 332
    , select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. This field is a sequential value, and it is not associated with a specific area. This is the 32-bit ID (in IP address format) of the other ABR in the virtual link.
  • ZyXEL USG FLEX 100 | User Guide - Page 333
    protects the integrity, but not the confidentiality, of routing updates. For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an . Figure 227 Configuration > Network > Routing > OSPF > Add > Add
  • ZyXEL USG FLEX 100 | User Guide - Page 334
    protects the integrity, but not the confidentiality, of routing updates. For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an 327 for more information on autonomous systems. Figure 228 eBGP Concept
  • ZyXEL USG FLEX 100 | User Guide - Page 335
    . 4 Click OK. Figure 229 Allow BGP to the Zyxel Device 10.8.2 Configuring the BGP Screen Use this screen to configure BGP information about the Zyxel Device and its peer BGP routers. Click Configuration > Network > Routing > BGP to open the following screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 336
    Edit Remove # IP Address AS Number Network Note: The maximum number of neighboring BGP routers supported by the Zyxel Device is 5. Click this to configure BGP criteria for a new peer BGP router. Double open a screen where you can modify the entry's settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 337
    to 4294967295 in this field. Get the number from your service provider. Enable EBGP Multihop Select this to allow the Zyxel Device to attempt BGP connections to external peers on indirectly Enter a maximum hop count from . The default is 255.
  • ZyXEL USG FLEX 100 | User Guide - Page 338
    preference. Keepalive messages are sent by the Zyxel Device to a peer BGP router to service provider MPLS network. • MPLS: MultiProtocol Label Switching (MPLS) forwards data from one network node to the next based on path labels rather than network addresses.
  • ZyXEL USG FLEX 100 | User Guide - Page 339
    in Configuration > Network > Routing > BGP > Add Neighbors. Note: The maximum number of neighboring BGP routers supported by the Zyxel Device is 5. 3 Configure the network for BGP routes in the neighboring AS. Note: You may configure up to 16 network routes.
  • ZyXEL USG FLEX 100 | User Guide - Page 340
    : Record your DDNS account's user name, password, and domain name to use to configure the Zyxel Device. After you configure the Zyxel Device, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.
  • ZyXEL USG FLEX 100 | User Guide - Page 341
    entry. This field displays which DDNS service you are using. This field displays each domain name the Zyxel Device can route. This field displays the from the Zyxel Device for the IP address to use for the domain name. custom - The IP address is static.
  • ZyXEL USG FLEX 100 | User Guide - Page 342
    Add/Edit screen allows you to add a domain name to the Zyxel Device or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 234 Configuration > Network > DDNS > Add
  • ZyXEL USG FLEX 100 | User Guide - Page 343
    adding a DDNS entry, type a descriptive name for this DDNS entry in the Zyxel Device. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the into the service, not the name recorded in your personal information in the Dynu website.
  • ZyXEL USG FLEX 100 | User Guide - Page 344
    you have a static IP address, you can select this to use it for the domain name. The Zyxel Device still sends the static IP address to the DDNS server. This field is only available when the IP for example, www.yourhost.dyndns.org and still reach your hostname.
  • ZyXEL USG FLEX 100 | User Guide - Page 345
    server that will host the DDNS service. This field displays when you select User custom from the DDNS Type field above. These are the options supported at the time of writing: changes back to the Zyxel Device. Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 346
    for privileged services and designated as well-known ports. The following list specifies the ports used by the server process as its contact ports. See Section 39.7 on page 713 (Configuration > Object > Service) for more information about service objects.
  • ZyXEL USG FLEX 100 | User Guide - Page 347
    range from 49152 to 65535. Table 142 Well-known Ports PORT TCP/UDP DESCRIPTION 1 TCP TCP Port Service Multiplexer (TCPMUX) 20 TCP FTP - Data 21 TCP FTP - Control 22 TCP SSH Remote Login edit and delete existing NAT rules. To access this screen,
  • ZyXEL USG FLEX 100 | User Guide - Page 348
    website where there is guidance on configuration walkthroughs, troubleshooting, and other information. Figure 237 Configuration > settings. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. To turn
  • ZyXEL USG FLEX 100 | User Guide - Page 349
    the packet. Protocol This field displays the service used by the packets for this NAT entry. It displays port. Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its case-sensitive.
  • ZyXEL USG FLEX 100 | User Guide - Page 350
    Zyxel supports. This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses.
  • ZyXEL USG FLEX 100 | User Guide - Page 351
    , according to the source IP address and mapped IP address. Click OK to save your changes back to the Zyxel Device. Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists).
  • ZyXEL USG FLEX 100 | User Guide - Page 352
    .168.1.21 192.168.1.89 The LAN user's computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the Zyxel Device's LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.
  • ZyXEL USG FLEX 100 | User Guide - Page 353
    Source 192.168.1.89 SMTP 192.168.1.89 The LAN SMTP server replies to the Zyxel Device's LAN IP address and the Zyxel Device changes the source address to 1.1.1.1 before sending it to the LAN user. The SMTP LAN Source 1.1.1.1 SMTP 192.168.1.21 192.168.1.89
  • ZyXEL USG FLEX 100 | User Guide - Page 354
    into the Zyxel Device and wants to send an email, its SMTP message is redirected to SMTP server A. SMTP server A then sends it to a mail server, where the message will be delivered to the recipient. The Zyxel Device forwards SMTP traffic using TCP port 25.
  • ZyXEL USG FLEX 100 | User Guide - Page 355
    web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick access and reduce network usage. The proxy checks its local cache for the Security Policy 2 Application Patrol 3 HTTP Redirect 4 Policy Route
  • ZyXEL USG FLEX 100 | User Guide - Page 356
    interface and service as a SMTP redirect rule, the Zyxel Device checks manually configure a policy route to forward the SMTP traffic from the SMTP server to the Internet. To make the example in Figure 243 on page 355 work, make sure you have the following settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 357
    rules is important as they are applied in order of their numbering. # This field is a sequential value, and it is not associated with a specific entry.
  • ZyXEL USG FLEX 100 | User Guide - Page 358
    .2.1 The Redirect Service Edit Screen Click Network > Redirect Service to open the Redirect Service screen. Then click the Add or Edit icon to open the Redirect Service Edit screen where you can configure the rule. Figure 245 Network > Redirect Service > Edit
  • ZyXEL USG FLEX 100 | User Guide - Page 359
    Network > Redirect Service > Edit LABEL DESCRIPTION Enable Use this option to turn the Redirect Service rule on or off. Service Select the service to be redirected back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 360
    file transfer service. The following Zyxel Device dynamically creates an implicit NAT session and security policy session for the application's traffic from the WAN to the LAN. The ALG on the Zyxel Device supports all of the Zyxel Device's NAT mapping types.
  • ZyXEL USG FLEX 100 | User Guide - Page 361
    be calls between LAN IP addresses that are on the same subnet. • The SIP ALG supports peer-to-peer SIP calls. The security policy (by default) allows peer to peer calls specified port destination to pass through. • The Zyxel Device allows SIP audio connections.
  • ZyXEL USG FLEX 100 | User Guide - Page 362
    SIP ALG to use the same port numbers for SIP traffic. Peer-to-Peer Calls and the Zyxel Device The Zyxel Device ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must B to receive calls through public WAN IP address 2. You configure corresponding
  • ZyXEL USG FLEX 100 | User Guide - Page 363
    screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG time outs. Note: If the Zyxel Device provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service's traffic.
  • ZyXEL USG FLEX 100 | User Guide - Page 364
    (without voice traffic) before dropping it. If no voice packets go through the SIP ALG before the timeout period expires, the Zyxel Device deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.
  • ZyXEL USG FLEX 100 | User Guide - Page 365
    disable this if have registered for cloud VoIP services. If you are using a custom UDP Zyxel Device. Click Reset to return the screen to its last-saved settings. 14.3 ALG Technical Reference Here is more detailed information about the Application Layer Gateway.
  • ZyXEL USG FLEX 100 | User Guide - Page 366
    to active and a second interface set to passive. The Zyxel Device does not automatically change ALG-managed connections to the users can manually force them to re-register. FTP File Transfer Protocol (FTP) is an Internet file transfer service that operates
  • ZyXEL USG FLEX 100 | User Guide - Page 367
    service descriptions. NAT traversal allows the following: • Dynamic port mapping • Learning public IP addresses • Assigning lease times to mappings Windows Messenger is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT.
  • ZyXEL USG FLEX 100 | User Guide - Page 368
    nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security Zyxel Device. Click Configuration > Network > UPnP to display the screen shown next. Figure 251 Configuration > Network > UPnP
  • ZyXEL USG FLEX 100 | User Guide - Page 369
    (s) on which the Zyxel Device supports UPnP and/or NAT Zyxel Device. Make sure the computer is connected to a LAN port of the Zyxel Device. Turn on your computer and the Zyxel Device. 1 Click the start icon, Control Panel and then the Network and Sharing Center.
  • ZyXEL USG FLEX 100 | User Guide - Page 370
    computers and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers.
  • ZyXEL USG FLEX 100 | User Guide - Page 371
    connected to a LAN port of the Zyxel Device. 1 Open the Windows Explorer and click Network. 2 Right-click the device icon and select Properties. Figure 252 Network Connections 3 In the Internet Connection Properties window, click Settings to see port mappings.
  • ZyXEL USG FLEX 100 | User Guide - Page 372
    Chapter 15 UPnP Figure 253 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings. Figure 254 Internet Connection Properties: Advanced Settings
  • ZyXEL USG FLEX 100 | User Guide - Page 373
    UPnP on the Zyxel Device by clicking Network Setting > Home Networking > UPnP. Make sure the computer is connected to the LAN port of the Zyxel Device. Turn on your computer and the Zyxel Device. 1 Click the start icon, Settings and then Network & Internet.
  • ZyXEL USG FLEX 100 | User Guide - Page 374
    2 Click Network and Sharing Center. 3 Click Change advanced sharing settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 375
    files and printers. 15.4.3 Auto-discover Your UPnP-enabled Network Device Before you follow these steps, make sure you already have UPnP activated on the Zyxel Device and in your computer.
  • ZyXEL USG FLEX 100 | User Guide - Page 376
    computer is connected to the LAN port of the Zyxel Device. 1 Open File Explorer and click Network. 2 Right-click the Zyxel Device icon and select Properties. Figure 258 Network Connections or delete the port mappings or click Add to manually add port mappings.
  • ZyXEL USG FLEX 100 | User Guide - Page 377
    status, right click the network icon in the system tray and click Open Network & Internet settings. Click Network and Sharing Center and click the Connections.
  • ZyXEL USG FLEX 100 | User Guide - Page 378
    on the Zyxel Device without finding out the IP address of the Zyxel Device first. This is helpful if you do not know the IP address of the Zyxel Device. Follow the steps below to access the web configurator. 1 Open Windows Explorer. 2 Click Network.
  • ZyXEL USG FLEX 100 | User Guide - Page 379
    under Network Infrastructure. 4 Right-click on the icon for your Zyxel Device and select View device webpage. The web configurator login Zyxel Device and select Properties. Click the Network Device tab. A window displays with information about the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 380
    .4.5 Web Configurator Easy Access in Windows 10 Follow the steps below to access the Web Configurator. 1 Open File Explorer. 2 Click Network. Figure 267 Network Connections
  • ZyXEL USG FLEX 100 | User Guide - Page 381
    -click the icon for your Zyxel Device and select View device webpage Zyxel Device and select Properties. Click the Network Device tab. A window displays information about the Zyxel Device. Figure 269 Network Connections: Network Infrastructure: Properties: Example
  • ZyXEL USG FLEX 100 | User Guide - Page 382
    List screen (Section 16.3 on page 386) to configure ranges of IP addresses to which the Zyxel Device does not apply IP/MAC binding. 16.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the Zyxel Device's dynamic and static DHCP entries.
  • ZyXEL USG FLEX 100 | User Guide - Page 383
    and dimmed when the entry is inactive. Interface This is the name of an interface that supports IP/MAC binding. Number of Binding This field displays the interface's total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP.
  • ZyXEL USG FLEX 100 | User Guide - Page 384
    This field displays the name of the interface within the Zyxel Device and the interface's IP address and subnet mask. addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this .
  • ZyXEL USG FLEX 100 | User Guide - Page 385
    continued) LABEL DESCRIPTION Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. # This is the index back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 386
    delete an entry. A window displays asking you to confirm that you want to delete it. Apply Click Apply to save your changes back to the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 387
    ) to enable and configure the white list. 17.2 Layer-2 Isolation General Screen This screen allows you to enable Layer-2 isolation on the Zyxel Device and specific internal interface(s). To access this screen click Configuration > Network > Layer 2 Isolation.
  • ZyXEL USG FLEX 100 | User Guide - Page 388
    Member list and click the left arrow button. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. 17.3 White List Screen screen click Configuration > Network > Layer 2 Isolation > White List.
  • ZyXEL USG FLEX 100 | User Guide - Page 389
    list and click the Edit button. Note: You can configure up to 100 white list rules on the Zyxel Device. Note: You need to know the IP address of each connected device that you want to allow to be accessed by other devices when layer-2 isolation is enabled.
  • ZyXEL USG FLEX 100 | User Guide - Page 390
    IP address associated with this rule. Enter up to 60 characters, spaces and underscores allowed. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes.
  • ZyXEL USG FLEX 100 | User Guide - Page 391
    moment. Another Internet host (B) also sends a DNS query message to ask where www.example.com is. The Zyxel Device responds to it with the WAN1's IP address, 1.1.1.1, since WAN1 has the least load this time. page 393) to add or edit a DNS load balancing rule.
  • ZyXEL USG FLEX 100 | User Guide - Page 392
    This field displays the order in which the Zyxel Device checks the member interfaces of this DNS load balancing rule. Query Domain Name This field displays the domain name for which the Zyxel Device manages load balancing between the specified interfaces.
  • ZyXEL USG FLEX 100 | User Guide - Page 393
    between the specified interfaces. You can configure the Zyxel Device to apply DNS load balancing to some specific hosts only by configuring the Query From settings. Click Configuration > Network > Inbound LB and then the Add or Edit icon to open this screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 394
    this DNS load balancing rule. Type up to 255 characters for a domain name for which you want the Zyxel Device to manage DNS load balancing. You can use a wildcard (*) to let multiple domains match the name. to the client's IP address when iteration is used.
  • ZyXEL USG FLEX 100 | User Guide - Page 395
    transmit traffic than an interface with a smaller weight. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. 18.2.2 The DNS Inbound LB Add/Edit Edit and then an Add or Edit icon to open this screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 396
    LB > Add/Edit > Add/Edit LABEL DESCRIPTION Member Monitor Interface Weight The Zyxel Device checks each member interface's loading in the order displayed here. Select an changes back to the Zyxel Device. Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 397
    VPN Example Internet Key Exchange (IKE): IKEv1 and IKEv2 The Zyxel Device supports IKEv1 and IKEv2 for IPv4 and IPv6 traffic. IKE (Internet keys are derived. A security policy for each peer must be manually created. IPSec VPN consists of two phases: Phase 1 and
  • ZyXEL USG FLEX 100 | User Guide - Page 398
    has the SA apply only to IP addresses in common between the Zyxel Device and the remote IPSec router. • The IKEv2 protocol supports connectivity checks which are used to detect whether the tunnel is still Share Non-Web Web-based Application Application Server
  • ZyXEL USG FLEX 100 | User Guide - Page 399
    remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the Zyxel Device and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.
  • ZyXEL USG FLEX 100 | User Guide - Page 400
    by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
  • ZyXEL USG FLEX 100 | User Guide - Page 401
    but you specify the remote policy (the addresses of the devices behind the remote IPSec router). This Zyxel Device must have a static IP address or a domain name. Only the remote IPSec router can • See the help in the IPSec VPN quick setup wizard screens.
  • ZyXEL USG FLEX 100 | User Guide - Page 402
    interface, virtual Ethernet interface, VLAN interface, or virtual VLAN interface to specify what address the Zyxel Device uses as its IP address when it establishes the IKE SA. You should set configuration walkthroughs, troubleshooting and other information.
  • ZyXEL USG FLEX 100 | User Guide - Page 403
    able to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes. The Zyxel Device automatically obtains source and destination disconnect an IPSec SA, select it and click Disconnect.
  • ZyXEL USG FLEX 100 | User Guide - Page 404
    the local policy and the remote policy, respectively. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. 19.2.1 The VPN Connection Add 402), and click either the Add icon or an Edit icon.
  • ZyXEL USG FLEX 100 | User Guide - Page 405
    Chapter 19 IPSec VPN Figure 288 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit
  • ZyXEL USG FLEX 100 | User Guide - Page 406
    old or duplicate packets to protect against Denial-of-Service attacks. Enable NetBIOS Broadcast over IPSec Select this check box if you want the Zyxel Device to send NetBIOS (Network Basic Input/Output System .168.30.80 Narrowed 192.168.30.60 ~ 192.168.30.70
  • ZyXEL USG FLEX 100 | User Guide - Page 407
    router has a static IP address or a domain name. This Zyxel Device can initiate the VPN tunnel. Site-to-site with Dynamic Peer unavailable. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients.
  • ZyXEL USG FLEX 100 | User Guide - Page 408
    maps a domain name to an IP address and vice versa. The Zyxel Device uses these (in the order you specify here) to resolve domain unavailable. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients.
  • ZyXEL USG FLEX 100 | User Guide - Page 409
    VPN connection policy. The Zyxel Device can regularly check the Zyxel Device regularly perform a TCP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP connection.
  • ZyXEL USG FLEX 100 | User Guide - Page 410
    to it. Check the First and Last IP Address in the Remote Policy Select this to have the Zyxel Device check the connection to the first and last IP addresses in the connection's remote policy. Make it. Remove Select an entry and click this to delete it.
  • ZyXEL USG FLEX 100 | User Guide - Page 411
    The VPN Gateway summary screen displays the IPSec VPN gateway policies in the Zyxel Device, as well as the Zyxel Device's address, remote IPSec router's address, and associated VPN connections appears. Figure 289 Configuration > VPN > IPSec VPN > VPN Gateway
  • ZyXEL USG FLEX 100 | User Guide - Page 412
    you can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it and 411), and click either the Add icon or an Edit icon.
  • ZyXEL USG FLEX 100 | User Guide - Page 413
    Chapter 19 IPSec VPN Figure 290 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
  • ZyXEL USG FLEX 100 | User Guide - Page 414
    router. You can provide a second IP address or domain name for the Zyxel Device to try if it cannot establish an IKE SA with the first one DDNS). Note: The Zyxel Device and remote IPSec router must use the same authentication method to establish the IKE SA.
  • ZyXEL USG FLEX 100 | User Guide - Page 415
    to have the Zyxel Device and remote IPSec Zyxel Device is identified by the string you specify here; you can use up to 63 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
  • ZyXEL USG FLEX 100 | User Guide - Page 416
    remote IPSec router must use the same negotiation mode. Use this section to manage the encryption algorithm and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IKE SA. Click this to create a new entry.
  • ZyXEL USG FLEX 100 | User Guide - Page 417
    between the Zyxel Device and remote IPSec router, and these routers do not support IPSec pass- thru or a similar feature. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500
  • ZyXEL USG FLEX 100 | User Guide - Page 418
    the authentication method, which specifies how the Zyxel Device authenticates this information. Allowed User Extended authentication now supports an allowed user. Select what users should this screen. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 419
    tunnel, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. • Your security policies can still block VPN packets.
  • ZyXEL USG FLEX 100 | User Guide - Page 420
    VPN 19.4.2 VPN Concentrator Screen The VPN Concentrator summary screen displays the VPN concentrators in the Zyxel Device. To access this screen, click Configuration > VPN > IPSec VPN > Concentrator. Figure 419), and click either the Add icon or an Edit icon.
  • ZyXEL USG FLEX 100 | User Guide - Page 421
    to manually configure all rule settings in the Zyxel Device IPSec VPN client. VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions. They must not contain the following settings: • AH active protocol • NULL encryption • SHA512 authentication
  • ZyXEL USG FLEX 100 | User Guide - Page 422
    IPv6 in System > IPv6 to activate IPv6 VPN tunneling rules. In the Zyxel Device Quick Setup wizard, you can use the VPN Settings for Configuration Provisioning user, but the Zyxel Device will only allow VPN rule setting retrieval for the first match found.
  • ZyXEL USG FLEX 100 | User Guide - Page 423
    the Zyxel Device and remote IPSec router. It takes several steps to establish an IKE SA. The negotiation mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster.
  • ZyXEL USG FLEX 100 | User Guide - Page 424
    examples in the rest of this section. The Zyxel Device supports IKEv1 and IKEv2. See Section 19.1 on page 397 for more information. IP Addresses of the Zyxel Device and Remote IPSec Router To set up an . It applies a 56-bit key to each 64-bit block of data.
  • ZyXEL USG FLEX 100 | User Guide - Page 425
    , the Zyxel Device and remote IPSec router authenticate each other in steps 5 and 6, as illustrated below. The identities are also encrypted using the encryption algorithm and encryption key the Zyxel Device and remote IPSec router selected in previous steps.
  • ZyXEL USG FLEX 100 | User Guide - Page 426
    and Content ZYXEL DEVICE REMOTE IPSEC ROUTER Local ID type: E-mail Local ID type: IP Local ID content: [email protected] Local ID content: 1.1.1.2 Peer ID type: IP Peer ID type: E-mail Peer ID content: 1.1.1.2 Peer ID content: [email protected]
  • ZyXEL USG FLEX 100 | User Guide - Page 427
    use this if your Zyxel Device provides another way to check the identity of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel. example, there is another router (A) between router X and router Y.
  • ZyXEL USG FLEX 100 | User Guide - Page 428
    pass-thru or if the active protocol is AH, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router Y add UDP port 500 or UDP port 4500, depending on the standard(s) the Zyxel Device and remote IPSec router support. X-Auth ).
  • ZyXEL USG FLEX 100 | User Guide - Page 429
    computers on the local and remote networks. Note: The Zyxel Device and remote IPSec router must use the same encapsulation. These modes are illustrated below. Figure 299 VPN: Transport and Tunnel Mode Encapsulation Original Packet IP Header TCP Header Data
  • ZyXEL USG FLEX 100 | User Guide - Page 430
    In tunnel mode, the Zyxel Device uses the active protocol Zyxel Device and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number. Note: The Zyxel Device and remote IPSec router must use the same SPI.
  • ZyXEL USG FLEX 100 | User Guide - Page 431
    Traffic Source Address in Outbound Packets (Outbound Traffic, Source NAT) This translation lets the Zyxel Device route packets from computers that are not part of the specified local network (local policy NAT, you have to specify the following information:
  • ZyXEL USG FLEX 100 | User Guide - Page 432
    more rules when you set up this kind of NAT. The Zyxel Device checks these rules similar to the way it checks rules for Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection. • Original Port - the original destination port or
  • ZyXEL USG FLEX 100 | User Guide - Page 433
    VPN > Global Setting screen (see Section 20.3 on page 437) to set the IP address of the Zyxel Device (or a gateway device) on your network for full tunnel mode access, enter access messages or upload information to remote users to access internal networks.
  • ZyXEL USG FLEX 100 | User Guide - Page 434
    . If you update this information, in response to changes, the Zyxel Device automatically propagates the changes through the SSL policies that use the configuration walkthroughs, troubleshooting and other information. Figure 303 VPN > SSL VPN > Access Privilege
  • ZyXEL USG FLEX 100 | User Guide - Page 435
    can modify the entry's settings. Remove Activate To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. To turn on an entry, select it and click the Add or Edit icon in the Access Privilege screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 436
    settings such as security policy and remote management. Description Enter additional information about this SSL access policy. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_").
  • ZyXEL USG FLEX 100 | User Guide - Page 437
    access to resources not supported by SSL application objects. For example this lets users Telnet to the internal network even though the Zyxel Device does not have address of the Zyxel Device (or a gateway device) on your network for full tunnel mode access.
  • ZyXEL USG FLEX 100 | User Guide - Page 438
    > Global Setting LABEL DESCRIPTION Global Setting Network Extension Local IP Specify the IP address of the Zyxel Device (or a gateway device) for full tunnel mode SSL VPN access. Apply Reset Leave this to return the screen to its last-saved settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 439
    AuthIP IPsec Keying Modules, and click Restart the service. 21.1.1 What You Can Do in this Chapter • Use the L2TP VPN screen (see Section 21.2 on page 440) to configure the Zyxel Device's L2TP VPN settings. • Use the 19 on page 397 for information on IPSec VPN.
  • ZyXEL USG FLEX 100 | User Guide - Page 440
    to configure the Zyxel Device's L2TP VPN settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 441
    is guidance on configuration walkthroughs, troubleshooting, and other information. Figure 308 Zyxel Device check a user's user name and password against the Zyxel Device's local database, a remote LDAP, RADIUS, an Active Directory server, or more than one of these.
  • ZyXEL USG FLEX 100 | User Guide - Page 442
    (Windows Internet Naming Service) server keeps a Zyxel Device (Z) using L2TP over IPv4. Figure 309 L2TP and Zyxel Device Behind a NAT Router 1 Create an address object in Configuration > Object > Address/GEO IP > Address for the WAN IP address of the NAT router.
  • ZyXEL USG FLEX 100 | User Guide - Page 443
    . 4 Select the NAT router WAN IP address object as the Local Policy. 5 Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.
  • ZyXEL USG FLEX 100 | User Guide - Page 444
    Chapter 21 L2TP VPN
  • ZyXEL USG FLEX 100 | User Guide - Page 445
    page 449) to control bandwidth for services passing through the Zyxel Device, and to identify the conditions that Zyxel Device. Then, you can specify, by port, whether or not the Zyxel Device continues to route the connection. BWM Type The Zyxel Device supports
  • ZyXEL USG FLEX 100 | User Guide - Page 446
    flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by Zyxel Device. • Inbound traffic comes back from the WAN device to the LAN1 device. Bandwidth management is applied before sending the traffic out a LAN1 interface.
  • ZyXEL USG FLEX 100 | User Guide - Page 447
    limited to 500 kbs. Zyxel Device uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority. • The Zyxel Device automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
  • ZyXEL USG FLEX 100 | User Guide - Page 448
    on the out-going interface. After each application gets its configured bandwidth rate, the Zyxel Device uses the fairness- based scheduler to divide any unused bandwidth on the out-going 200 kbps MAX. B. U. No No PRIORITY 1 1 ACTUAL RATE 300 kbps 200 kbps
  • ZyXEL USG FLEX 100 | User Guide - Page 449
    and service Zyxel Device handles the DSCP value and allocates bandwidth for the matching packets. Click Configuration > BWM to open the following screen. This screen allows you to enable/disable bandwidth management and add, edit, and remove user-defined bandwidth management policies.
  • ZyXEL USG FLEX 100 | User Guide - Page 450
    management policy is the one with the priority of "default". It is the last policy the Zyxel Device checks if traffic does not match any other bandwidth management policies you have configured. You group • Per-Source-IP, when the policy is set for a source IP
  • ZyXEL USG FLEX 100 | User Guide - Page 451
    best effort traffic Service The "af" Zyxel Device ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field's configuration.
  • ZyXEL USG FLEX 100 | User Guide - Page 452
    classes and one of three drop preferences. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. 22.2.1 The than 100 ms latency and jitter 5 Voice, less than 10 ms latency and jitter
  • ZyXEL USG FLEX 100 | User Guide - Page 453
    Section 22.2 on page 449), and click either the Add icon or an Edit icon. Figure 315 Configuration > Bandwidth Management > Edit (For the Default Policy)
  • ZyXEL USG FLEX 100 | User Guide - Page 454
    • Per User, when the policy is set for an individual user or a user group • Per Source IP, when the policy is set for a source IP
  • ZyXEL USG FLEX 100 | User Guide - Page 455
    Code Service Type Service Zyxel Device keep the packets' original DSCP value. Bandwidth Shaping Select default to have the Zyxel Device set the DSCP value of the packets to 0. Configure these fields to set the amount of bandwidth the matching traffic can use.
  • ZyXEL USG FLEX 100 | User Guide - Page 456
    Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when any traffic matches this policy. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes.
  • ZyXEL USG FLEX 100 | User Guide - Page 457
    rule. User Type Select a user type from the drop down menu. The user types are Admin, Limited admin, User, Guest, Ext-user, Ext-group-user.
  • ZyXEL USG FLEX 100 | User Guide - Page 458
    of 1,440 minutes and Reauthentication Time of 1,440 minutes or you can enter them manually by choosing Use Manual Settings option. Lease Time This shows the Lease Time setting for the user, by save the setting. Cancel Click Cancel to abandon this screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 459
    right to choose a Stop Date for schedule object. Stop Time Click the icon menu on the right to choose a Stop Time for the schedule object.
  • ZyXEL USG FLEX 100 | User Guide - Page 460
    Gateway. IP Address Enter an IP address for the Address object. OK Click OK to save the setting. Cancel Click Cancel to abandon the setting.
  • ZyXEL USG FLEX 100 | User Guide - Page 461
    the network or Internet. As soon as a user attempts to open a web page, the Zyxel Device reroutes his/her browser to a web portal page that prompts him/her to log in 23.3 on page 482) to configure how the Zyxel Device communicates with a Single Sign-On agent.
  • ZyXEL USG FLEX 100 | User Guide - Page 462
    aware policies have been configured go to the Zyxel Device Login screen manually, you can configure the Zyxel Device to display the Login screen automatically configured on the Zyxel Device. Use this screen to enable web authentication on the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 463
    traffic is blocked until a client authenticates with the Zyxel Device through the specifically designated web portal or user agreement an IP address that users can use to terminate their sessions manually by entering the IP address in the address bar of the .
  • ZyXEL USG FLEX 100 | User Guide - Page 464
    priority. Default displays for the default authentication policy that the Zyxel Device uses on traffic that does not match any exceptional service or other authentication policy. You can edit the default rule means the policy is active at all times if enabled.
  • ZyXEL USG FLEX 100 | User Guide - Page 465
    required - Users need to be authenticated. They must manually go to the login screen or user agreement page. The Zyxel Device will not redirect them to the login screen. 323 Configuration > Web Authentication > General > Add Exceptional Service
  • ZyXEL USG FLEX 100 | User Guide - Page 466
    that defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy.
  • ZyXEL USG FLEX 100 | User Guide - Page 467
    is redirected to a default or user-defined login page. Otherwise, they must manually go to the login screen. The Zyxel Device will not redirect them to the login screen. This field is available user account is authenticated by an external server. Click OK.
  • ZyXEL USG FLEX 100 | User Guide - Page 468
    course you could add more members later. Figure 326 Configuration > Object > User/Group > Group > Add 3 Repeat this process to set up the remaining user groups.
  • ZyXEL USG FLEX 100 | User Guide - Page 469
    . Double-click the default entry. Click the Add icon. Select group radius because the Zyxel Device should use the specified RADIUS server for authentication. Click OK. Figure 328 Configuration > to turn on the web authentication feature and click Apply.
  • ZyXEL USG FLEX 100 | User Guide - Page 470
    policy that has priority over other policies and forces every user to log into the Zyxel Device before the Zyxel Device routes traffic for them. 5 Select Enable Policy. Enter a descriptive name, "default_policy login screen before they can use HTTP or MSN.
  • ZyXEL USG FLEX 100 | User Guide - Page 471
    the Zyxel Device is to check to determine to which group a user belongs. This example uses Class. This attribute's value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss.
  • ZyXEL USG FLEX 100 | User Guide - Page 472
    Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius.
  • ZyXEL USG FLEX 100 | User Guide - Page 473
    screen to view, create and manage the authentication type profiles on the Zyxel Device. An authentication type profile decides which type of web authentication pages select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
  • ZyXEL USG FLEX 100 | User Guide - Page 474
    This field displays whether this profile uses the default web authentication page built into the Zyxel Device (System Default Page) or custom web authentication pages from an external web server Web Authentication > Authentication Type: Add/Edit (Web Portal)
  • ZyXEL USG FLEX 100 | User Guide - Page 475
    Device before you can preview the pages. Select the file name of the web portal file in the Zyxel Device. Note: You can upload zipped custom web portal files to the Zyxel Device using the Configuration > Web Authentication > Web Portal Customize File screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 476
    this to use a custom login page from an external web portal instead of the one uploaded to the Zyxel Device. You can configure the look and feel of the web portal page. Specify the login page's the web server on which the user agreement files are installed.
  • ZyXEL USG FLEX 100 | User Guide - Page 477
    example external user agreement file for your reference. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. 23.2.3 Custom Web Portal / User 336 Configuration > Web Authentication > Custom Web Portal File
  • ZyXEL USG FLEX 100 | User Guide - Page 478
    .2.4 Facebook Wi-Fi Screen The Zyxel Device supports Facebook Wi-Fi to let users check in to a business on Facebook for free Internet access after connecting to the Zyxel Device's wireless or LAN network Facebook page before they can have free Internet access.
  • ZyXEL USG FLEX 100 | User Guide - Page 479
    is no traffic for this user). Specify the User idle timeout between 1 and 60 minutes. The Zyxel Device automatically disconnects a user (authenticated via Facebook Wi-Fi) from the network after a period of paired with facebook. Please configure this device'.
  • ZyXEL USG FLEX 100 | User Guide - Page 480
    Get Started. 4 In the following screen, select the page just created and click Save Settings. Your Facebook page is now paired with Facebook Wi-Fi.
  • ZyXEL USG FLEX 100 | User Guide - Page 481
    the Internet for free after you enable and set up Facebook Wi-Fi on the Zyxel Device. 1 Connect to the Zyxel Device's wireless or LAN network. 2 Open a web browser from the connected computer Continue Browsing to surf the Internet through the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 482
    . SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network environment with Windows AD (Active Directory) authentication database. You must enable Web Authentication in the Configuration > Web Authentication screen. Figure 339 SSO Overview
  • ZyXEL USG FLEX 100 | User Guide - Page 483
    bit) 23.4 SSO - Zyxel Device Configuration This section shows what you have to do on the Zyxel Device in order to use SSO. Table 192 Zyxel Device - SSO Agent Field Mapping ZYXEL DEVICE SSO SCREEN Web Bind DN Login Name Attribute Server Address Gateway IP
  • ZyXEL USG FLEX 100 | User Guide - Page 484
    . The Zyxel Device and the SSO agent must be in the same domain and be able to communicate with each other. Primary Agent Port Type the same port number here as in the Agent Listening Port field on the SSO agent. Type a number ranging from 1025 to 65535.
  • ZyXEL USG FLEX 100 | User Guide - Page 485
    a number ranging from 1025 to 65535. Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings 23.4.3 Enable Web unless you want all incoming connections to be authenticated!
  • ZyXEL USG FLEX 100 | User Guide - Page 486
    this traffic. Go to Configuration > Security Policy > Policy Control and add a new policy if a default one does not cover the SSO web authentication traffic direction.
  • ZyXEL USG FLEX 100 | User Guide - Page 487
    User Information Configure a User account of the ext-group-user type. Configure Group Identifier to be the same as Group Membership on the SSO agent.
  • ZyXEL USG FLEX 100 | User Guide - Page 488
    Chapter 23 Web Authentication 23.4.6 Configure an Authentication Method Configure Active Directory (AD) for authentication with SSO. Choose group ad as the authentication server for SSO.
  • ZyXEL USG FLEX 100 | User Guide - Page 489
    SSO. Configure the Base DN exactly the same as on the Domain Controller and SSO. Bind DN is a user name and password that allows the Zyxel Device to join the domain with administrative privileges. It is a required field.
  • ZyXEL USG FLEX 100 | User Guide - Page 490
    and select Configure Zyxel SSO Agent. Configure the Agent Listening Port, AD server exactly as you have done on the Zyxel Device. Add the Zyxel Device IP address as the Gateway. Make sure the Zyxel Device and SSO agent are able to communicate with each other.
  • ZyXEL USG FLEX 100 | User Guide - Page 491
    Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the Zyxel Device. Group Membership is called Group Identifier on the Zyxel Device. LDAP/AD Server Configuration
  • ZyXEL USG FLEX 100 | User Guide - Page 492
    a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the Zyxel Device. After all SSO agent configurations are done, right-click the SSO icon in the system tray and select Enable Zyxel SSO Agent. ZyWALL USG FLEX Series User's Guide 492
  • ZyXEL USG FLEX 100 | User Guide - Page 493
    support Hotspot service and configure the service pages. 24.2.1 What You Need to Know Accumulation Accounting Method The accumulation accounting method allows multiple re-logins until the allocated time period or until the user account is expired. The Zyxel ZyWALL USG FLEX Series User's Guide 493
  • ZyXEL USG FLEX 100 | User Guide - Page 494
    the SSID profiles to which the settings are applied. Click Configuration > Hotspot > Billing > General to open the following screen. Figure 341 Configuration > Hotspot > Billing > General ZyWALL USG FLEX Series User's Guide 494
  • ZyXEL USG FLEX 100 | User Guide - Page 495
    down list box to specify how long to wait before the Zyxel Device deletes an account that has not been used. Select set Currency code to User-Define, enter a three-letter alphabetic code manually. This shows the number of decimal places to be used for billing. ZyWALL USG FLEX Series User's Guide 495
  • ZyXEL USG FLEX 100 | User Guide - Page 496
    Standard license has expired, click Renew to extend the license. Service Type Expiration Date Apply Reset Then, click Activate to connect with expire. Click this button to save your changes to the Zyxel Device. Click this button to return the screen to its ZyWALL USG FLEX Series User's Guide 496
  • ZyXEL USG FLEX 100 | User Guide - Page 497
    where you can modify the entry's settings. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it into the Web Configurator with the guest-manager account. ZyWALL USG FLEX Series User's Guide 497
  • ZyXEL USG FLEX 100 | User Guide - Page 498
    the duration of the billing period that should be reached before the Zyxel Device charges users at this level. This field displays the price per time unit for each level. Enter the user's name. Enter the user's email address. Enter the user's phone number. ZyWALL USG FLEX Series User's Guide 498
  • ZyXEL USG FLEX 100 | User Guide - Page 499
    (continued) LABEL DESCRIPTION Default Thermal Printer Select a statement printer that is attached to the Zyxel Device. It displays n/a if there is no printer attached. Summary Total This shows the to close this window when you are finished viewing it. ZyWALL USG FLEX Series User's Guide 499
  • ZyXEL USG FLEX 100 | User Guide - Page 500
    Redeem screen allows you to send SMS messages for certain accounts. Click the Account Redeem tab in the Account Generator screen to open this screen. ZyWALL USG FLEX Series User's Guide 500
  • ZyXEL USG FLEX 100 | User Guide - Page 501
    field displays the total amount of time the account can use to access the Internet through the Zyxel Device. This field displays the date and time the account becomes invalid. Charge Payment Info Phone field displays the mobile phone number for the account. ZyWALL USG FLEX Series User's Guide 501
  • ZyXEL USG FLEX 100 | User Guide - Page 502
    period expires, the user's access will be stopped. The allowed time period ranges are 10 to 60 minutes, 0 to 24 hours, or 0 to 365 days. ZyWALL USG FLEX Series User's Guide 502
  • ZyXEL USG FLEX 100 | User Guide - Page 503
    Note: When the limit is exceeded, the user is not allowed to access the Internet through the Zyxel Device. Select Total to set a limit on the total traffic in both directions. Total Quota Upload to users who purchase access time online with a credit card. ZyWALL USG FLEX Series User's Guide 503
  • ZyXEL USG FLEX 100 | User Guide - Page 504
    should be reached before the Zyxel Device charges users at this level. This field displays the price per time unit for each level. Click this button to save your changes to the Zyxel Device. Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 504
  • ZyXEL USG FLEX 100 | User Guide - Page 505
    directly through the Internet. You must register with the supported credit card service before you can configure the Zyxel Device to handle credit card transactions. Click Configuration > Hotspot > Billing > Payment Service to open the following screen. ZyWALL USG FLEX Series User's Guide 505
  • ZyXEL USG FLEX 100 | User Guide - Page 506
    the online payment service on the Zyxel Device, a supports. Enter the ID token provided to you by PayPal after successfully applying for your PayPal account. Enter the address of the PayPal gateway provided to you by PayPal after applying for your PayPal account. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 507
    can configure both the desktop and mobile versions of the service pages. Users click a link in the pages to switch between the two versions. Click Configuration > Hotspot > Billing > Payment Service > Desktop View or Mobile View to open the following screen. ZyWALL USG FLEX Series User's Guide 507
  • ZyXEL USG FLEX 100 | User Guide - Page 508
    Chapter 24 Hotspot Figure 349 Configuration > Hotspot > Billing > Payment Service > Desktop View ZyWALL USG FLEX Series User's Guide 508
  • ZyXEL USG FLEX 100 | User Guide - Page 509
    Chapter 24 Hotspot Figure 350 Configuration > Hotspot > Billing > Payment Service > Mobile View ZyWALL USG FLEX Series User's Guide 509
  • ZyXEL USG FLEX 100 | User Guide - Page 510
    Select this to use a custom online payment service page instead of the default one built into the Zyxel Device. Once this option is selected, the save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 510
  • ZyXEL USG FLEX 100 | User Guide - Page 511
    that the printer is connected to the appropriate power and the Zyxel Device, and that there is printing paper in the printer. Refer Zyxel Device to monitor the printer status. Click Configuration > Hotspot > Printer Manager > General to open the following screen. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 512
    use this feature. Refresh Use Printer Manager > General > Add to manually configure a printer's IP address and add it to the managed printer list when the printer is not detected or connected to the Zyxel Device. Click this to update the printer list table. ZyWALL USG FLEX Series User's Guide 512
  • ZyXEL USG FLEX 100 | User Guide - Page 513
    . If a Standard license has expired, click Renew to extend the license. Service Type Expiration Date Apply Reset Then, click Activate to connect with the myZyxel server to the Zyxel Device. Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 513
  • ZyXEL USG FLEX 100 | User Guide - Page 514
    can be up to 60 characters long. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. 25.2.2 Edit Printer Rule Select an . Figure 353 Configuration > Hotspot > Printer Manager > General: Edit ZyWALL USG FLEX Series User's Guide 514
  • ZyXEL USG FLEX 100 | User Guide - Page 515
    if you want to specify the IP address, subnet mask, and gateway manually. This field is enabled if you select Use Fixed IP Address. the printer. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. 25.2.3 ZyWALL USG FLEX Series User's Guide 515
  • ZyXEL USG FLEX 100 | User Guide - Page 516
    Manager General > Add to manually configure a printer's IP address and add it to the managed printer list when the printer is not detected or connected to the Zyxel Device. Figure 354 Configuration fail. This field displays the MAC address of the printer. ZyWALL USG FLEX Series User's Guide 516
  • ZyXEL USG FLEX 100 | User Guide - Page 517
    Address Select this if you want to specify the IP address, subnet mask, and gateway manually. IP Address This field is enabled if you select Use Fixed IP Address. Subnet Mask back to the Zyxel Device. Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 517
  • ZyXEL USG FLEX 100 | User Guide - Page 518
    file from the Zyxel Device for your reference. Select how many copies of subscriber statements you want to print (1 is the default). Click this button to save your changes to the Zyxel Device. Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 518
  • ZyXEL USG FLEX 100 | User Guide - Page 519
    Overview The SP350E allows you to print status reports about the guest accounts and general Zyxel Device system information. Simply press a key combination on the SP350E to print a 59:59. Key combination: A B C A A The following figure shows an example. ZyWALL USG FLEX Series User's Guide 519
  • ZyXEL USG FLEX 100 | User Guide - Page 520
    entries. If there are more than 2000 accounts created in the same month or same day, the account report's calculations only include the latest 2000. ZyWALL USG FLEX Series User's Guide 520
  • ZyXEL USG FLEX 100 | User Guide - Page 521
    the version of the firmware on the Zyxel Device. BTVR This field displays the version of the bootrom. WAMA This field displays the MAC address of the Zyxel Device on the WAN. LAMA This field displays the MAC address of the Zyxel Device on the LAN. ZyWALL USG FLEX Series User's Guide 521
  • ZyXEL USG FLEX 100 | User Guide - Page 522
    IP address pool. CPUS This field displays the Zyxel Device's recent CPU usage. MEMS This field displays the Zyxel Device's recent memory usage. DKST This field displays what percentage of the Zyxel Device's on-board flash memory is currently being used. ZyWALL USG FLEX Series User's Guide 522
  • ZyXEL USG FLEX 100 | User Guide - Page 523
    CHAPTER 26 Free Time 26.1 Free Time Overview With Free Time, the Zyxel Device can create dynamic guest accounts that allow users to browse the Internet free of > Hotspot > Free Time to open the following screen. Figure 360 Configuration > Hotspot > Free Time ZyWALL USG FLEX Series User's Guide 523
  • ZyXEL USG FLEX 100 | User Guide - Page 524
    and/or access the Internet until 13:00. Specify how the Zyxel Device provides dynamic guest account information. Select On-Screen to display in the web screen. Select SMS to use Short Message Service (SMS) to send account information in a text message to ZyWALL USG FLEX Series User's Guide 524
  • ZyXEL USG FLEX 100 | User Guide - Page 525
    click Renew to extend the license. Service Type Expiration Date Apply Reset Then, Zyxel Device. Click this button to return the screen to its last-saved settings. The following figure shows an example login screen with a link to create a free guest account. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 526
    description in the login screen will be mainly for online payment service. You can still click the link to get a free account. If SMS is enabled on the Zyxel Device, you have to enter your mobile phone number before clicking OK to get a free guest account. ZyWALL USG FLEX Series User's Guide 526
  • ZyXEL USG FLEX 100 | User Guide - Page 527
    The guest account information then displays on the screen and/or is sent to the configured mobile phone number. EXAMPLE ZyWALL USG FLEX Series User's Guide 527
  • ZyXEL USG FLEX 100 | User Guide - Page 528
    as the Zyxel Device's IP Zyxel Device is installed, you can still use the computer to access the Internet without changing the network settings, even when the IP addresses of the computer and the Zyxel Device are not in the same subnet. Figure 361 IPnP Application ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 529
    the Zyxel Device service. If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license. Then, click Activate to connect with the myZyxel server to activate the new license. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 530
    can register your Zyxel Device and activate the service. Apply Reset This link is available only when the service is not activated yet. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 530
  • ZyXEL USG FLEX 100 | User Guide - Page 531
    28 Walled Garden 28.1 Walled Garden Overview A user must log in before the Zyxel Device allows the user's access to the Internet. However, with a walled garden, Note: This feature works only with the web portal authentication type. Hotspot Service Status ZyWALL USG FLEX Series User's Guide 531
  • ZyXEL USG FLEX 100 | User Guide - Page 532
    can register your Zyxel Device and activate the service. Apply Reset This link is available only when the service is not activated yet. Click this button to save your changes to the Zyxel Device. Click this screen where you can modify the entry's settings. ZyWALL USG FLEX Series User's Guide 532
  • ZyXEL USG FLEX 100 | User Guide - Page 533
    displays the URL of the web site. Apply Click this button to save your changes to the Zyxel Device. Reset Click this button to return the screen to its last-saved settings. 28.3.1 Adding/ (_). Spaces are also allowed. The first character must be a letter. ZyWALL USG FLEX Series User's Guide 533
  • ZyXEL USG FLEX 100 | User Guide - Page 534
    you can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Activate To turn on an entry, select it This field displays the descriptive name of the web site. ZyWALL USG FLEX Series User's Guide 534
  • ZyXEL USG FLEX 100 | User Guide - Page 535
    the Zyxel Device. Click Cancel to exit this screen without saving. 28.4.2 Walled Garden Login Example The following figure shows the user login screen with two walled garden links. The links are named WalledGardenLink1 through 2 for demonstration purposes. ZyWALL USG FLEX Series User's Guide 535
  • ZyXEL USG FLEX 100 | User Guide - Page 536
    Chapter 28 Walled Garden Figure 368 Walled Garden Login Example ZyWALL USG FLEX Series User's Guide 536
  • ZyXEL USG FLEX 100 | User Guide - Page 537
    open a screen where you can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. # This field is a sequential value, and it is not associated with any entry. ZyWALL USG FLEX Series User's Guide 537
  • ZyXEL USG FLEX 100 | User Guide - Page 538
    to be activated for this service. If you need a license Zyxel Device randomly picks one and opens the specified web site in a new frame when an authenticated user attempts to access the Internet. Figure 370 Configuration > Hotspot > Advertisement > Add/Edit ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 539
    http://172.16.1.35. Click this button to open the specified web site in a new frame. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 539
  • ZyXEL USG FLEX 100 | User Guide - Page 540
    a specific type of traffic (services) • to a specific user Zyxel Device allows the response. However, the Zyxel Device blocks incoming Telnet traffic initiated from the WAN zone and destined for the LAN zone. Figure 371 Default Directional Security Policy Example ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 541
    troubleshooting, and other information. This is an example of a port forwarding configuration walkthrough. Figure 372 Example of a Port Forwarding Configuration Walkthrough. This is an example of L2TP over IPSec VPN troubleshooting. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 542
    Chapter 30 Security Policy Figure 373 Example of L2TP over IPSec Troubleshooting - 1 ZyWALL USG FLEX Series User's Guide 542
  • ZyXEL USG FLEX 100 | User Guide - Page 543
    > NAT • Network > Routing > Policy Route • Security Service > App Patrol • Security Service > Content Filter • Security Service > IDP • Security Service > Anti-Malware • Security Service > Email Security • VPN > IPSec VPN • VPN > SSL VPN • VPN > L2TP VPN ZyWALL USG FLEX Series User's Guide 543
  • ZyXEL USG FLEX 100 | User Guide - Page 544
    specific web sites or web content. • Security Service > Content Filter Click this icon for more Zyxel Device's interfaces into different zones based on your needs. You can configure security policies for data passing between zones or even between interfaces. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 545
    address and object, IP protocol type of network traffic (service) and Security Service profile criteria against the Security Policies (in the order you list them). When the traffic matches a policy, the Zyxel Device takes the action specified in the policy. ZyWALL USG FLEX Series User's Guide 545
  • ZyXEL USG FLEX 100 | User Guide - Page 546
    by sending a SYN packet to a receiving server on the WAN. 2 The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2. 3 The reply from the WAN goes to the Zyxel Device. 4 The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1. ZyWALL USG FLEX Series User's Guide 546
  • ZyXEL USG FLEX 100 | User Guide - Page 547
    need to configure NAT rules to allow computers on the WAN to access LAN devices. • The Zyxel Device applies NAT (Destination NAT) settings before applying the Security Policies. So for example, if The following screen shows the Security Policy summary screen. ZyWALL USG FLEX Series User's Guide 547
  • ZyXEL USG FLEX 100 | User Guide - Page 548
    Chapter 30 Security Policy Figure 376 Configuration > Security Policy > Policy Control ZyWALL USG FLEX Series User's Guide 548
  • ZyXEL USG FLEX 100 | User Guide - Page 549
    0000:0000:1a2f:0000. Service View all security policies based on the service object used. User Zyxel Device confirms you want to remove it before doing so. To turn on an entry, select it and click Activate. To turn off an entry, select it and click Inactivate. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 550
    email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 550
  • ZyXEL USG FLEX 100 | User Guide - Page 551
    to 60 printable ASCII characters for the Policy. Spaces are allowed. For through-Zyxel Device policies, select the direction of travel of packets to which the policy to IPv4 / IPv6 addresses. Select a service or service group from the drop-down list box. ZyWALL USG FLEX Series User's Guide 551
  • ZyXEL USG FLEX 100 | User Guide - Page 552
    to permit the passage of the packets. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or no profiles have been created in the Configuration > Security Service > SSL Inspection screen. Click OK to save your customized ZyWALL USG FLEX Series User's Guide 552
  • ZyXEL USG FLEX 100 | User Guide - Page 553
    put that entry and press [ENTER] to move the entry to the number that you typed. # This is the entry's index number in the list. ZyWALL USG FLEX Series User's Guide 553
  • ZyXEL USG FLEX 100 | User Guide - Page 554
    on the same subnet. From WAN means packets that come in from the WAN zone and the Zyxel Device routes back out through the WAN zone. Anomaly Profile Note: Depending on your network topology > Security Policy > ADP > Profile to view the following screen. ZyWALL USG FLEX Series User's Guide 554
  • ZyXEL USG FLEX 100 | User Guide - Page 555
    Configuration > Security Policy > ADP > Profile screen, click the Edit or Add icon and choose a base profile. Traffic Anomaly is the first tab in the profile. ZyWALL USG FLEX Series User's Guide 555
  • ZyXEL USG FLEX 100 | User Guide - Page 556
    are invalid profile names: • 1mYProfile • My Profile • MyProfile? • Whatalongprofilename123456789012 Description In addition to the name, type additional information to help you identify this ADP profile. ZyWALL USG FLEX Series User's Guide 556
  • ZyXEL USG FLEX 100 | User Guide - Page 557
    network protocols or services a device supports. Sensitivity Flood Zyxel Device but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 558
    network. • In an IP Spoof from the WAN, the source address appears to be in the same subnet as a Zyxel Device LAN interface. • In an IP Spoof from a LAN interface, the source address appears to be in a different subnet from that Zyxel Device LAN interface. ZyWALL USG FLEX Series User's Guide 558
  • ZyXEL USG FLEX 100 | User Guide - Page 559
    Chapter 30 Security Policy Figure 381 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly ZyWALL USG FLEX Series User's Guide 559
  • ZyXEL USG FLEX 100 | User Guide - Page 560
    setting: Select this action to return each rule in a service group to its previously saved configuration. none: Select this action to have the Zyxel Device take no action when a packet matches a policy. order according to the protocol anomaly policy name. ZyWALL USG FLEX Series User's Guide 560
  • ZyXEL USG FLEX 100 | User Guide - Page 561
    select an item and use the Action icon. OK Click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page. Cancel Click Cancel to return to both. Figure 382 Configuration > Security Policy > Session Control ZyWALL USG FLEX Series User's Guide 561
  • ZyXEL USG FLEX 100 | User Guide - Page 562
    where you can modify the entry's settings. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. To turn on an entry, select it and rules that define a session limit for specific users or addresses. ZyWALL USG FLEX Series User's Guide 562
  • ZyXEL USG FLEX 100 | User Guide - Page 563
    not need to specify a schedule since you need the Security Policy to always be in effect. The following figure shows the results of this policy. ZyWALL USG FLEX Series User's Guide 563
  • ZyXEL USG FLEX 100 | User Guide - Page 564
    service on the WAN. • The second row is the Security Policy's default policy that allows all LAN1 to WAN traffic. The Zyxel Device applies the security policies in order. So for this example, when the Zyxel figure shows the results of your two custom policies. ZyWALL USG FLEX Series User's Guide 564
  • ZyXEL USG FLEX 100 | User Guide - Page 565
    Any 172.16.1.7 Any Any 2 Any Any Any Any 3 Any Any Any Any SERVICE IRC IRC Any ACTION Allow Deny Allow • The first row allows the LAN1 computer at IP that policy and the Zyxel Device would drop it and not check any other security policies. ZyWALL USG FLEX Series User's Guide 565
  • ZyXEL USG FLEX 100 | User Guide - Page 566
    use a service, make sure both the Security Policy and application patrol allow the service's packets to go through the Zyxel Device. Note: The Zyxel Device checks across connections, and the Zyxel Device examines several packets to make sure the match ZyWALL USG FLEX Series User's Guide 566
  • ZyXEL USG FLEX 100 | User Guide - Page 567
    action and log settings. Click Configuration > Security Service > App Patrol to open the following screen. Click the Application Patrol icon for more information on the Zyxel Device's security features. Figure 386 Configuration > Security Service > App Patrol ZyWALL USG FLEX Series User's Guide 567
  • ZyXEL USG FLEX 100 | User Guide - Page 568
    labels in this screen. Table 233 Configuration > Security Service > App Patrol LABEL DESCRIPTION Add Click this to create fields display information on the current signature set that the Zyxel Device is using. Current Version This field displays the . ZyWALL USG FLEX Series User's Guide 568
  • ZyXEL USG FLEX 100 | User Guide - Page 569
    The following table describes the labels in this screen. Table 234 Configuration > Security Service > App Patrol > Action LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display a particular zone and/or to a particular zone. any means all zones. ZyWALL USG FLEX Series User's Guide 569
  • ZyXEL USG FLEX 100 | User Guide - Page 570
    , antimalware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 570
  • ZyXEL USG FLEX 100 | User Guide - Page 571
    My Application The following table describes the labels in this screen. Table 235 Configuration > Security Service > App Patrol > Add/Edit > My Application LABEL DESCRIPTION General Settings Name Type the and click Remove to delete the selected entry. ZyWALL USG FLEX Series User's Guide 571
  • ZyXEL USG FLEX 100 | User Guide - Page 572
    Save to save your settings to the Zyxel Device without leaving this page. 31.2.3 Application Patrol Profile > Add/Edit - Query Result Click Configuration > Security Service > App Patrol > Add, then it), then click Query Result to open the following screen. ZyWALL USG FLEX Series User's Guide 572
  • ZyXEL USG FLEX 100 | User Guide - Page 573
    Query Result The following table describes the labels in this screen. Table 236 Configuration > Security Service > App Patrol > Add/Edit > Query Result LABEL DESCRIPTION General Settings Name Type the field displays the category type of the application. ZyWALL USG FLEX Series User's Guide 573
  • ZyXEL USG FLEX 100 | User Guide - Page 574
    Service > App Patrol > Add/Edit (continued)> Query Result LABEL DESCRIPTION Tag Action This field displays the tag information of the policy. Select the default action for all signatures in this category. forward - the Zyxel without saving any changes. ZyWALL USG FLEX Series User's Guide 574
  • ZyXEL USG FLEX 100 | User Guide - Page 575
    Profiles A content filtering profile conveniently stores your custom settings for the following features. • Category-based Blocking The Zyxel Device can block access to particular categories of web site content, such as pornography or racial intolerance. ZyWALL USG FLEX Series User's Guide 575
  • ZyXEL USG FLEX 100 | User Guide - Page 576
    that go across the two. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the Zyxel Device would find "tw" in the domain name (www.zyxel.com.tw). It would also find "news" in the file path (news/pressroom.php) but it would not find "tw/news". ZyWALL USG FLEX Series User's Guide 576
  • ZyXEL USG FLEX 100 | User Guide - Page 577
    or specify a redirect URL and check your external web filtering service registration status. Click the Content Filter icon for more information on the Zyxel Device's security features. Figure 390 Configuration > Security Service > Content Filter > Profile ZyWALL USG FLEX Series User's Guide 577
  • ZyXEL USG FLEX 100 | User Guide - Page 578
    service's Zyxel Device. Click Reset to return the screen to its last-saved settings. 32.2.1 Apply to a Security Policy Click the icon in the Action field to apply the entry to a security policy. Go to the Configuration > Security Policy > Policy Control screen to check the result. ZyWALL USG FLEX
  • ZyXEL USG FLEX 100 | User Guide - Page 579
    Action The following table describes the labels in this screen. Table 238 Configuration > Security Service > Content Filter > Action LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display zone and/or to a particular zone. any means all zones. ZyWALL USG FLEX Series User's Guide 579
  • ZyXEL USG FLEX 100 | User Guide - Page 580
    , antimalware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 580
  • ZyXEL USG FLEX 100 | User Guide - Page 581
    Content Filter 32.2.2 Content Filter Add Profile Category Service Click Configuration > Security Service > Content Filter > Profile > Add or Edit to open the Add Filter Profile screen. Figure 392 Content Filter > Profile > Add Filter Profile > Category Service ZyWALL USG FLEX Series User's Guide 581
  • ZyXEL USG FLEX 100 | User Guide - Page 582
    the category of the blocked web page. Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Select Log to record attempts to access web pages that are not categorized. ZyWALL USG FLEX Series User's Guide 582
  • ZyXEL USG FLEX 100 | User Guide - Page 583
    Category URL to test You must have the Category Service content filtering license to filter these categories. See the Click this link to see the category recorded in the Zyxel Device's content filtering database for the web page you specified instructions. ZyWALL USG FLEX Series User's Guide 583
  • ZyXEL USG FLEX 100 | User Guide - Page 584
    category also includes sites where many consumers reported being cheated or not receiving services. Content Server This category does not include phishing, which tries to perpetrate fraud servers that serve only advertisements. See the Web Ads category. ZyWALL USG FLEX Series User's Guide 584
  • ZyXEL USG FLEX 100 | User Guide - Page 585
    interaction such as online dating, friendship, school reunions, pen-pals, escort services, or introductions to potential spouses. Digital Postcards Discrimination This category does not include as Games, Humor/ Comics, Recreation/Hobbies, or Entertainment. ZyWALL USG FLEX Series User's Guide 585
  • ZyXEL USG FLEX 100 | User Guide - Page 586
    category does not include message forums with a business or technical support focus. Web pages that allow users to wager or place cover all health-related information and health care services. Historical Revisionism This category does not include value. ZyWALL USG FLEX Series User's Guide 586
  • ZyXEL USG FLEX 100 | User Guide - Page 587
    sites such as web design, domain registration, Internet Service Providers, and broadband and telecommunications companies that provide web services. This category includes web utilities such as statistics and access logs, and web graphics like clip art. ZyWALL USG FLEX Series User's Guide 587
  • ZyXEL USG FLEX 100 | User Guide - Page 588
    Software/Hardware, Stock Trading, Tobacco, Travel, and Weapons. • Sites that market their services only to other businesses. See the Business category. • Sites that rob or cheat consumers that provide business-to-business-only content regarding motor vehicles. ZyWALL USG FLEX Series User's Guide 588
  • ZyXEL USG FLEX 100 | User Guide - Page 589
    sites also provide a variety of internal site features or services such as search engines, email, news, and entertainment. Mailing list sites with a variety of content are in this category. This category does not include sites with topic-specific content. ZyWALL USG FLEX Series User's Guide 589
  • ZyXEL USG FLEX 100 | User Guide - Page 590
    pages that provide instructions to commit illegal or criminal activities. Instructions include committing murder or suicide, sabotage, bomb-making, lockpicking, service theft, evading law cases, they might want to remove this software from their computers.
  • ZyXEL USG FLEX 100 | User Guide - Page 591
    astrology and horoscope sites Web pages that provide remote access to a program, online service, or an entire computer system. Reserved Residential IP Addresses Although remote access is often or other content that is often the subject of research papers.
  • ZyXEL USG FLEX 100 | User Guide - Page 592
    business focus that provide online message posting or real-time chatting, such as technical support or interactive business communication. Although users can post any type of content, these forums are only in the categories of Forum/Bulletin Boards or Chat.
  • ZyXEL USG FLEX 100 | User Guide - Page 593
    , not the companies that provide the advertisements or advertising services. Web Mail This category does not include aggressive advertising adware. See the Spyware/Adware category. Web pages that enable users to send or receive email through the Internet.
  • ZyXEL USG FLEX 100 | User Guide - Page 594
    the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list. Figure 393 Configuration > Security Service > Content Filter > Filter Profile > Custom Service
  • ZyXEL USG FLEX 100 | User Guide - Page 595
    drive. Some web servers use them to track usage and provide service based on ID. A server that acts as an intermediary pointing to this proxy server. When this box is selected, the Zyxel Device will permit Java, ActiveX and Cookies from sites on the Trusted
  • ZyXEL USG FLEX 100 | User Guide - Page 596
    entering "*zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com Service > Content Filter > Trusted Web Sites to open the Trusted Web Sites screen. You can create a common list of good (allowed) web site addresses. When you configure Filter
  • ZyXEL USG FLEX 100 | User Guide - Page 597
    are allowed. For example, entering "zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", and so on. You can Filter Forbidden Web Sites Screen Click Configuration > Security Service > Content Filter > Forbidden Web Sites to open
  • ZyXEL USG FLEX 100 | User Guide - Page 598
    Sites The following table describes the labels in this screen. Table 243 Configuration > Security Service > Content Filter > Forbidden Web Sites LABEL DESCRIPTION Forbidden Web Site List Add Edit The content filter lookup process is described below.
  • ZyXEL USG FLEX 100 | User Guide - Page 599
    sends the category information back to the Zyxel Device, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site's address and category are then stored in the Zyxel Device's content filter cache.
  • ZyXEL USG FLEX 100 | User Guide - Page 600
    malware matches a file with those in a malware database. This is done as files go through the Zyxel Device. Virus, Worm, and Spyware A computer virus is a type of malicious software designed to corrupt your network activity, passwords, bank details, and so on.
  • ZyXEL USG FLEX 100 | User Guide - Page 601
    the Anti-Malware scan, the Zyxel Device first identifies the packets sent by the following four major protocols with corresponding standard ports: • FTP (File Transfer Protocol) • HTTP (Hyper Text Transfer Protocol) • SMTP (Simple Mail Transfer Protocol)
  • ZyXEL USG FLEX 100 | User Guide - Page 602
    -setup packets such as SYN, ACK and FIN is ignored. Anti-Malware Scanning Procedure: 1 The Zyxel Device checks every packet of the file for matches with the local signature databases. If a malware next figure shows a flow chart detailing the anti-malware scan.
  • ZyXEL USG FLEX 100 | User Guide - Page 603
    Chapter 33 Anti-Malware Figure 399 Anti-Malware Flowchart
  • ZyXEL USG FLEX 100 | User Guide - Page 604
    file decompression (ZIP and RAR). • Traffic compressed or encoded using a method the Zyxel Device does not support. Finding Out More • See Section 33.6 on page 612 for anti-malware background black (blocked) and white (allowed) lists of malware patterns.
  • ZyXEL USG FLEX 100 | User Guide - Page 605
    Malware icon for more information on the Zyxel Device's security features. See Subscription Services Available on page 188 for more information on the subscription services for the two types of security packs. to inform the user if there is an infected file.
  • ZyXEL USG FLEX 100 | User Guide - Page 606
    the labels in this screen. Table 245 Configuration > Security Service > Anti-Malware LABEL DESCRIPTION General Setting Enable Select this checkbox the sandboxing inspection results and helps the Zyxel Device block possible malicious or suspicious files.
  • ZyXEL USG FLEX 100 | User Guide - Page 607
    Anti-Malware Table 245 Configuration > Security Service > Anti-Malware (continued) LABEL DESCRIPTION Scan and detect EICAR test virus Select this option to have the Zyxel Device check for an EICAR test file and on an entry, select it and click Activate.
  • ZyXEL USG FLEX 100 | User Guide - Page 608
    Zyxel Device to allow this file. Click Configuration > Security Service > Anti-Malware > Black/White List > White List to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry.
  • ZyXEL USG FLEX 100 | User Guide - Page 609
    . Table 246 Configuration > Security Service > Anti-Malware > Black/White Zyxel Device checks up to the first 80 characters of a file name. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 610
    block. Enter a file or encryption pattern that would cause the Zyxel Device to log and then destroy this file. Click Configuration > Security Service > Anti-Malware > Black/White List > Black List to to use to distinguish whether a file should be blocked.
  • ZyXEL USG FLEX 100 | User Guide - Page 611
    the Zyxel Service > Anti-Malware > Signature LABEL DESCRIPTION Signatures Search Enter the name, part of the name or keyword of the signature(s) you want to find and click Search. This search is not case-sensitive and accepts numerical strings. Query Result
  • ZyXEL USG FLEX 100 | User Guide - Page 612
    Chapter 33 Anti-Malware Table 248 Configuration > Security Service > Anti-Malware > Signature (continued) LABEL DESCRIPTION # Name This is the entry's index number in The section describes two types of anti-malware scanner: host-based and network-based.
  • ZyXEL USG FLEX 100 | User Guide - Page 613
    based anti-malware (NAM) scanner is often deployed as a dedicated security device (such as your Zyxel Device) on the network edge. NAM scanners inspect real-time data traffic (such as email messages traffic inspection is done on a dedicated security device.
  • ZyXEL USG FLEX 100 | User Guide - Page 614
    from a site in a selected category. Click the URL Threat Filter icon for more information on the Zyxel Device's security features. Click Configuration > Security Service > Reputation Filter > URL Threat Filter to display the configuration screen as shown next.
  • ZyXEL USG FLEX 100 | User Guide - Page 615
    labels in this screen. Table 250 Configuration > Security Service > Reputation Filter > URL Threat Filter > General Zyxel Device when it detects a connection attempt to or from the web pages of the specified categories. Message to display when a site is blocked
  • ZyXEL USG FLEX 100 | User Guide - Page 616
    table describes the labels in this screen. Table 251 Configuration > Security Service > Reputation Filter > URL Threat Filter > White List LABEL DESCRIPTION back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 617
    table describes the labels in this screen. Table 252 Configuration > Security Service > Reputation Filter > URL Threat Filter > Black List LABEL DESCRIPTION back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 618
    and respond instantaneously. IDP on the Zyxel Device protects against network-based intrusions. 35.1.1 What You Can Do in this Chapter • Use the Security Service > IDP screen (Section 35.2 on a license key using the same screens to continue the subscription.
  • ZyXEL USG FLEX 100 | User Guide - Page 619
    . If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled. Click the IDP icon for more information on the Zyxel Device's security features. Figure 407 Configuration > Security Service > IDP
  • ZyXEL USG FLEX 100 | User Guide - Page 620
    make multiple selections. These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if you want to make multiple selections. Search for signatures by IDP service group(s). See Table 254 on page 621 for group details.
  • ZyXEL USG FLEX 100 | User Guide - Page 621
    table describes Policy Types as categorized in the Zyxel Device. Table 254 Policy Types POLICY TYPE mechanism that can be triggered to gain access to a program, online service or an entire computer system. A Trojan horse is a harmful program Trojan.
  • ZyXEL USG FLEX 100 | User Guide - Page 622
    can be both the client and the server. In the Zyxel Device, P2P refers to peer-to-peer applications such as e-Mule , he looks for open ports. SPAM Stream Media Tunnel A scan on a service is commonly referred to as a layer-7 scan. For example, once an attacker has
  • ZyXEL USG FLEX 100 | User Guide - Page 623
    ICMP n/a WEB_FRONTPAGE TELNET RSERVICES P2P MYSQL MISC FTP 35.2.1 Query Example This example shows a search with these criteria: • Severity: Severe • Classification Type: Misc • Platform: Windows • Service: Any • Actions: Any
  • ZyXEL USG FLEX 100 | User Guide - Page 624
    your own custom signatures. IP Packet Header These are the fields in an Internet Protocol (IP) version 4 packet header. Figure 409 IP v4 Packet Headers
  • ZyXEL USG FLEX 100 | User Guide - Page 625
    Configuration > Security Service. The Custom Zyxel Device will reject-both. 35.3.1 Add / Edit Custom Signatures Click the Add icon to create a new signature or click the Edit icon to edit an existing signature on the screen as shown in Figure 407 on page 619.
  • ZyXEL USG FLEX 100 | User Guide - Page 626
    . Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 410 Configuration > Security Service > IDP > Custom Signatures > Add/Edit
  • ZyXEL USG FLEX 100 | User Guide - Page 627
    is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number box, select Equal, Smaller or Greater and then type in a number.
  • ZyXEL USG FLEX 100 | User Guide - Page 628
    Chapter 35 IDP Table 257 Configuration > Security Service > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION IP Options Same IP Transport Protocol if possible, it is recommended to have at least one payload option in your signature.
  • ZyXEL USG FLEX 100 | User Guide - Page 629
    a service ("today Zyxel Device and return to the summary screen. Click this button to return to the summary screen without saving any changes. 35.3.2 Custom Signature Example Before creating a custom signature, you must first clearly understand the vulnerability.
  • ZyXEL USG FLEX 100 | User Guide - Page 630
    Chapter 35 IDP 35.3.2.1 Understand the Vulnerability Check the Zyxel Device logs when the attack occurs. Use web sites such as Google or Security protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 411 DNS Query Packet Details
  • ZyXEL USG FLEX 100 | User Guide - Page 631
    Example Custom Signature 35.3.3 Applying Custom Signatures After you create your custom signature, it becomes available in an IDP profile (Configuration > Security Service > IDP > Profile > Edit screen). Custom signatures have an SID from 9000000 to 9999999.
  • ZyXEL USG FLEX 100 | User Guide - Page 632
    listed signature(s) from being intercepted and inspected. Click Configuration > Security Service > IDP > White List to display the following screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry.
  • ZyXEL USG FLEX 100 | User Guide - Page 633
    the fields in this screen. Table 258 Configuration > Security Service > IDP > White List LABEL DESCRIPTION White List Settings . Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its problems.
  • ZyXEL USG FLEX 100 | User Guide - Page 634
    Snort terms in the Zyxel Device. Table 259 Zyxel Device - Snort Equivalent Terms ZYXEL DEVICE TERM SNORT EQUIVALENT TERM Type Of Service tos Identification id Fragmentation fragbits flags Sequence Number seq Ack Number ack Window Size window
  • ZyXEL USG FLEX 100 | User Guide - Page 635
    Chapter 35 IDP Table 259 Zyxel Device - Snort Equivalent Terms (continued) ZYXEL DEVICE TERM SNORT EQUIVALENT TERM Transport Protocol: UDP (In Snort rule Decode as URI uricontent Note: Not all Snort functionality is supported in the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 636
    . If an email matches a blacklist entry, the Zyxel Device does not perform any more email security checking on that individual email. A properly configured black list helps catch spam email and increases the Zyxel Device's email security speed and efficiency.
  • ZyXEL USG FLEX 100 | User Guide - Page 637
    ) emails by default. You can also specify custom SMTP and POP3 ports for the Zyxel Device to check. Email Headers Every email has a header and a body. The activate your email security Service license. • Configure your zones before you configure email security.
  • ZyXEL USG FLEX 100 | User Guide - Page 638
    . You can also select the action the Zyxel Device takes when the mail sessions threshold is reached. Click the Email Security icon for more information on the Zyxel Device's security features. Figure 415 Configuration > Security Service > Email Security
  • ZyXEL USG FLEX 100 | User Guide - Page 639
    in this screen. Table 260 Configuration > Security Service > Email Security LABEL DESCRIPTION General Settings Enable ZyXEL device generate a log (log), log and alert (log alert) or neither (no) by default when traffic matches a signature in this category.
  • ZyXEL USG FLEX 100 | User Guide - Page 640
    Service > Email Security LABEL DESCRIPTION Action taken when mail sessions threshold is reached An email session is when an email client and email server (or two email servers) connect through the Zyxel the heading cell again to reverse the sort order.
  • ZyXEL USG FLEX 100 | User Guide - Page 641
    the labels in this screen. Table 261 Configuration > Security Service > Email Security > Black/White List LABEL DESCRIPTION Rule checks. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last
  • ZyXEL USG FLEX 100 | User Guide - Page 642
    Table 262 Configuration > Security Service > Email Security > Black/White List > Black/White List > Add LABEL DESCRIPTION Enable Rule Select this to have the Zyxel Device use this entry as part for a specific mail server's domain, enter "Received" here.
  • ZyXEL USG FLEX 100 | User Guide - Page 643
    Table 262 Configuration > Security Service > Email Security > Black/ Zyxel Device immediately classifies the email as legitimate and forwards it. • Any further DNSBL replies that come after the Zyxel Device classifies an email as spam or legitimate have no effect.
  • ZyXEL USG FLEX 100 | User Guide - Page 644
    defined in the email security policy. In this example it was an SMTP mail and the defined action was to drop the mail. The Zyxel Device does not wait for any more DNSBL replies. Here is an example of an email classified as legitimate based on DNSBL replies.
  • ZyXEL USG FLEX 100 | User Guide - Page 645
    the email as legitimate and forwards it. The Zyxel Device does not wait for any more DNSBL replies. If the Zyxel Device receives conflicting DNSBL replies for an email routing IP address, the Zyxel Device classifies the email as spam. Here is an example.
  • ZyXEL USG FLEX 100 | User Guide - Page 646
    you defined in the email security policy. In this example it was an SMTP mail and the defined action was to drop the mail. The Zyxel Device does not wait for any more DNSBL replies.
  • ZyXEL USG FLEX 100 | User Guide - Page 647
    Security Service > SSL Inspection > Exclude List screens (Section 37.3 on page 653) to create a whitelist of destination servers to which traffic is passed through uninspected. 37.1.2 What You Need To Know • Supported Cipher Suite • DES (Data Encryption Standard)
  • ZyXEL USG FLEX 100 | User Guide - Page 648
    Screen An SSL Inspection profile is a template with pre-configured certificate, action and log. Click Configuration > Security Service > SSL Inspection > Profile to open this screen. Figure 422 Configuration > Security Service > SSL Inspection > Profile
  • ZyXEL USG FLEX 100 | User Guide - Page 649
    263 Configuration > Security Service > SSL Inspection > a Certificate Authority (CA) listed in the Zyxel Device's list of trusted CAs. Choose RSA slower. Some clients such as those using iOS13 do not support RSA 1024. Click Add to create a new profile. Select
  • ZyXEL USG FLEX 100 | User Guide - Page 650
    Action The following table describes the labels in this screen. Table 264 Configuration > Security Service > SSL Inspection > Action LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display zone and/or to a particular zone. any means all zones.
  • ZyXEL USG FLEX 100 | User Guide - Page 651
    , anti-malware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 652
    settings. Figure 424 Configuration > Security Service > SSL Inspection > Profile > Add for this profile. SSL Inspection supports SSLv3, TLS1.0, TLS1.1, and Zyxel Device send an alert for unsupported traffic that matches traffic bound to this policy.
  • ZyXEL USG FLEX 100 | User Guide - Page 653
    Select this option to have the Zyxel Device send an alert for unsupported Service > SSL Inspection > Exclude List to display the following screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry.
  • ZyXEL USG FLEX 100 | User Guide - Page 654
    the fields in this screen. Table 266 Configuration > Security Service > SSL Inspection > Exclude List LABEL DESCRIPTION General Settings Enable the Zyxel Device. Reset Click Reset to return to the profile summary page without saving any changes.
  • ZyXEL USG FLEX 100 | User Guide - Page 655
    the Zyxel Device. Figure 426 SSL Inspection Certificate Update Overview Click Configuration > Security Service > SSL Inspection > Certificate Update to display the following screen. Figure 427 Configuration > Security Service > SSL Inspection > Certificate Update
  • ZyXEL USG FLEX 100 | User Guide - Page 656
    screen. Table 267 Configuration > Security Service > SSL Inspection > Certificate Update should have Internet access and have activated SSL Inspection on the Zyxel Device at myZyxel. Update Now Click this button to download Authorities > Certificates.
  • ZyXEL USG FLEX 100 | User Guide - Page 657
    Chapter 37 SSL Inspection 3 From the main menu, select Action > All Tasks > Import and run the Certificate Import Wizard to install the certificate on the PC.
  • ZyXEL USG FLEX 100 | User Guide - Page 658
    > Options > Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import. See the browser's help for further information.
  • ZyXEL USG FLEX 100 | User Guide - Page 659
    . Click Configuration > Security Service > IP Exception to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry. Figure 428 Configuration > Security Service > IP Exception
  • ZyXEL USG FLEX 100 | User Guide - Page 660
    the destination IP address. Log This field displays if the Zyxel Device will generate a log when the incoming traffic is in Service > IP Exception > Add/Edit to display the following screen. Figure 429 Configuration > Security Service > IP Exception > Add/Edit
  • ZyXEL USG FLEX 100 | User Guide - Page 661
    > Security Service > IP Zyxel Device generate a log when the incoming traffic is in the exception list. Otherwise, select No. OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL USG FLEX 100 | User Guide - Page 662
    Figure 430 Example: Zones Use the Zone screens (see Section 39.8.2 on page 719) to manage the Zyxel Device's zones. 39.1.1 What You Need to Know Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic.
  • ZyXEL USG FLEX 100 | User Guide - Page 663
    > Zone LABEL DESCRIPTION User Configuration / System Default The Zyxel Device comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration zones Add Click this to create a new, user-configured zone.
  • ZyXEL USG FLEX 100 | User Guide - Page 664
    the entry's settings. Remove To remove a user-configured trunk, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References to and click the left arrow button to remove them.
  • ZyXEL USG FLEX 100 | User Guide - Page 665
    user Perform basic diagnostics (CLI) Access network services guest ext-user Browse user-mode commands (CLI) Access network services External user account LOGIN METHOD(S) WWW, TELNET, SSH, FTP, Console WWW, TELNET, SSH, Console WWW, TELNET, SSH WWW WWW
  • ZyXEL USG FLEX 100 | User Guide - Page 666
    guest-manager Create dynamic guest accounts dynamic-guest Access network services LOGIN METHOD(S) WWW WWW Hotspot Portal Note: The default and stored in the Zyxel Device's local user database. A dynamic guest account has a dynamically-created user name and
  • ZyXEL USG FLEX 100 | User Guide - Page 667
    services they can use. See Section 39.2.6 on page 680 for a user-aware login example. Finding Out More • See Section 39.2.6 on page 680 for some information on users who use an external authentication server in order to log in. • The Zyxel Device supports .
  • ZyXEL USG FLEX 100 | User Guide - Page 668
    this user has access to the Zyxel Device's services and can also browse user-mode commands (CLI). • guest - this user has access to the Zyxel Device's services but cannot look at the following characters: • Alphanumeric A-z 0-9 (there is no Unicode support)
  • ZyXEL USG FLEX 100 | User Guide - Page 669
    • zyxel • bin • games • news • shutdown • daemon • halt • nobody • sshd To access this screen, go to the User screen (see Section 39.13.1 on page 761), and click either the Add icon or an Edit icon. Figure 434 Configuration > Object > User/Group > User > Add
  • ZyXEL USG FLEX 100 | User Guide - Page 670
    - this user has access to the Zyxel Device's services and can also browse user-mode commands (CLI). • guest - this user has access to the Zyxel Device's services but cannot look at the configuration. the following characters in the square brackets [+*#()-].
  • ZyXEL USG FLEX 100 | User Guide - Page 671
    the default lease time is shown. If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the Zyxel Device in one session before the user has to log based on the user credentials instead of using an AAA server.
  • ZyXEL USG FLEX 100 | User Guide - Page 672
    you can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Removing a group does not remove the user accounts ), and click either the Add icon or an Edit icon.
  • ZyXEL USG FLEX 100 | User Guide - Page 673
    settings for the Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting.
  • ZyXEL USG FLEX 100 | User Guide - Page 674
    user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 675
    1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as
  • ZyXEL USG FLEX 100 | User Guide - Page 676
    any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. To access this screen, go to the icons. Figure 440 Configuration > Object > User/Group > Setting > Edit
  • ZyXEL USG FLEX 100 | User Guide - Page 677
    has access to the Zyxel Device's services but cannot look at the configuration. • guest - this user has access to the Zyxel Device's services but cannot look at Zyxel Device. Instead, after access users log into the Zyxel Device, the following screen appears.
  • ZyXEL USG FLEX 100 | User Guide - Page 678
    reset it. This field displays the amount of time that remains before the Zyxel Device automatically logs the access user out, regardless of the lease time. 39 AP use the Zyxel Device's local database to authenticate wireless clients by their MAC addresses.
  • ZyXEL USG FLEX 100 | User Guide - Page 679
    's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. MAC Address/OUI This back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes.
  • ZyXEL USG FLEX 100 | User Guide - Page 680
    This section shows you how to configure preset profiles for the Access Points (APs) connected to your Zyxel Device's wireless network. • The Radio screen (Section 39.3.1 on page 681) creates radio configurations concepts may help as you read this section.
  • ZyXEL USG FLEX 100 | User Guide - Page 681
    settings that a supported managed AP (NWA5121-N for example) can use to configure either one of its two radio transmitters. To access this screen click Configuration > Object > AP Profile. Note: You can have a maximum of 32 radio profiles on the Zyxel Device.
  • ZyXEL USG FLEX 100 | User Guide - Page 682
    This field displays the schedule object which defines when this radio profile can be used. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings.
  • ZyXEL USG FLEX 100 | User Guide - Page 683
    the Advanced Settings in this window. Create New Object Use this to configure any new settings objects that you need to use in this screen.
  • ZyXEL USG FLEX 100 | User Guide - Page 684
    11ac but the WLAN devices on the network do not support IEEE 802.11ac, the Zyxel Device automatically sets the AP to use 11a/n. Select what channels are currently being used by other devices. Select Manual and specify the channels the AP uses. This field is
  • ZyXEL USG FLEX 100 | User Guide - Page 685
    Channel Selection to DCS and set 2.4 GHz Channel Selection Method to manual. Time Interval DCS Time Interval Schedule Start Time Week Days 2.4 1-11 then the Zyxel Device uses channels 1, 4, 7, 11 in this configuration; otherwise, the Zyxel Device uses channels ZyWALL USG FLEX Series User's Guide 685
  • ZyXEL USG FLEX 100 | User Guide - Page 686
    APs that are connected to the Zyxel Device to be the same as where the Zyxel Device is located/installed. The available each time. Select this to enable A-MSDU aggregation. MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of ZyWALL USG FLEX Series User's Guide 686
  • ZyXEL USG FLEX 100 | User Guide - Page 687
    4 Mbps. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes configurations that can be used by the APs. An SSID, or Service Set IDentifier, is basically the name of the wireless network to SSID. ZyWALL USG FLEX Series User's Guide 687
  • ZyXEL USG FLEX 100 | User Guide - Page 688
    Chapter 39 Object Note: You can have a maximum of 32 SSID profiles on the Zyxel Device. Figure 448 Configuration > Object > AP Profile > SSID List The following table describes the VLAN ID This field indicates the VLAN ID associated with the SSID profile. ZyWALL USG FLEX Series User's Guide 688
  • ZyXEL USG FLEX 100 | User Guide - Page 689
    that have MAC addresses not in the MAC filtering profile of allowed addresses are denied connections. The disable setting means no MAC filtering is used. ZyWALL USG FLEX Series User's Guide 689
  • ZyXEL USG FLEX 100 | User Guide - Page 690
    SSID > Add/Edit SSID Profile (continued) LABEL DESCRIPTION QoS Select a Quality of Service (QoS) access category to associate with this SSID. Access categories minimize the delay of All the wireless station's traffic is forwarded to the Zyxel Device first. ZyWALL USG FLEX Series User's Guide 690
  • ZyXEL USG FLEX 100 | User Guide - Page 691
    it, the only way you can connect to the SSID is by manually entering the SSID name in your wireless connection setup screen(s) (these vary /enabled. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your ZyWALL USG FLEX Series User's Guide 691
  • ZyXEL USG FLEX 100 | User Guide - Page 692
    on the Security Mode selected. Only the default screen is displayed here. Figure 451 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile ZyWALL USG FLEX Series User's Guide 692
  • ZyXEL USG FLEX 100 | User Guide - Page 693
    video. Wireless clients should also support WPA2 and fast roaming to associate with the AP (Zyxel Device) and roam seamlessly. Select Internal to use the Zyxel Device's internal authentication database, for the two-character pairs within account MAC addresses. ZyWALL USG FLEX Series User's Guide 693
  • ZyXEL USG FLEX 100 | User Guide - Page 694
    considerably more robust. Not all wireless clients may support this. Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued. Enter the interval (in seconds) at which the AP updates the group WPA encryption key. ZyWALL USG FLEX Series User's Guide 694
  • ZyXEL USG FLEX 100 | User Guide - Page 695
    the clients support MFP. OK Cancel Select Required and wireless clients must support MFP in order to join the AP's wireless network. Click OK to save your changes back to the Zyxel Device. Click This field indicates this profile's filter action (if any). ZyWALL USG FLEX Series User's Guide 695
  • ZyXEL USG FLEX 100 | User Guide - Page 696
    60 characters, spaces and underscores allowed. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. 39.4 MON Profile 39 as either rogue or friendly and then manage them accordingly. ZyWALL USG FLEX Series User's Guide 696
  • ZyXEL USG FLEX 100 | User Guide - Page 697
    , and it is not associated with a specific user. Status This icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG FLEX Series User's Guide 697
  • ZyXEL USG FLEX 100 | User Guide - Page 698
    the name assigned to the monitor profile. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. 39.4.3 Add/Edit field indicates the name assigned to the monitor mode profile. ZyWALL USG FLEX Series User's Guide 698
  • ZyXEL USG FLEX 100 | User Guide - Page 699
    of APs that are connected to the Zyxel Device to be the same as where the Zyxel Device is located/installed. The available this profile scan that channel when Scan Channel Mode is set to manual. Set Scan Channel List (5 GHz) These channels are limited to ZyWALL USG FLEX Series User's Guide 699
  • ZyXEL USG FLEX 100 | User Guide - Page 700
    the wireless network. Managed APs can provide services or forward traffic between the Zyxel Device and wireless clients. ZyMesh also allows the Zyxel Device to use CAPWAP to automatically update the . A managed AP can be either a root AP or repeater in a ZyMesh. ZyWALL USG FLEX Series User's Guide 700
  • ZyXEL USG FLEX 100 | User Guide - Page 701
    time, the root AP must be connected to an AP controller (the Zyxel Device). In the following example, managed APs 1 and 2 act as varies according to how many wireless clients a managed AP can support. Note: A ZyMesh link with more hops has lower throughput. ZyWALL USG FLEX Series User's Guide 701
  • ZyXEL USG FLEX 100 | User Guide - Page 702
    screen instructions to update the AP controller's MAC address. Click this to add a new profile. Click this to edit the selected profile. Click this to remove the selected profile. This field is a sequential value, and it is not associated with a specific profile. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 703
    708) and the Address Group Add/ Edit screen, to maintain address groups in the Zyxel Device. • Use the Geo IP screen (Section 39.6.4 on page 710) to update the database of country-to-IP address mappings and to manually configure country-to-IP address mappings. ZyWALL USG FLEX Series User's Guide 703
  • ZyXEL USG FLEX 100 | User Guide - Page 704
    a summary of all addresses in the Zyxel Device. To access this screen, click Configuration > Object > Address > Address. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. ZyWALL USG FLEX Series User's Guide 704
  • ZyXEL USG FLEX 100 | User Guide - Page 705
    . IPv4 Address This field displays the IPv4 addresses represented by each address object. If the object's settings are based on one of the Zyxel Device's interfaces, the name of the interface displays first followed by the object's current address settings. ZyWALL USG FLEX Series User's Guide 705
  • ZyXEL USG FLEX 100 | User Guide - Page 706
    to modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References of IP addresses that this address object represents. ZyWALL USG FLEX Series User's Guide 706
  • ZyXEL USG FLEX 100 | User Guide - Page 707
    IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN subnet address object. This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents. ZyWALL USG FLEX Series User's Guide 707
  • ZyXEL USG FLEX 100 | User Guide - Page 708
    modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References Name This field displays the name of each address group. ZyWALL USG FLEX Series User's Guide 708
  • ZyXEL USG FLEX 100 | User Guide - Page 709
    to modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References use up to 60 characters, punctuation marks, and spaces. ZyWALL USG FLEX Series User's Guide 709
  • ZyXEL USG FLEX 100 | User Guide - Page 710
    an address group. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes. country-to-IP and continent-to-IP address mappings and manually configure custom country-to-IP and continent-to-IP address ZyWALL USG FLEX Series User's Guide 710
  • ZyXEL USG FLEX 100 | User Guide - Page 711
    Chapter 39 Object Figure 464 Configuration > Object > Address/Geo IP > Geo IP ZyWALL USG FLEX Series User's Guide 711
  • ZyXEL USG FLEX 100 | User Guide - Page 712
    to show the update status. You need to have a registered Content Filter Service license. Auto Update If you want the Zyxel Device to check weekly for the latest country-to-IP address database version on Rules or Custom IPv6 to Geography Rules section. ZyWALL USG FLEX Series User's Guide 712
  • ZyXEL USG FLEX 100 | User Guide - Page 713
    list of service groups. 39.7.1 What You Need to Know IP Protocols IP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols. ZyWALL USG FLEX Series
  • ZyXEL USG FLEX 100 | User Guide - Page 714
    remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 715
    Remove. The Zyxel Device confirms you service or edit an existing one. To access this screen, go to the Service screen (see Section 39.7.2 on page 714), and click either the Add icon or an Edit icon. Figure 467 Configuration > Object > Service > Service > Edit ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 716
    service group, which is used in the WAN_to_Device security policy. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group. Figure 468 Configuration > Object > Service > Service Group ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 717
    to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 39.7.3 on page 716), and click either the Add icon or an Edit icon. Figure 469 Configuration > Object > Service > Service Group > Edit ZyWALL USG FLEX Series User's Guide 717
  • ZyXEL USG FLEX 100 | User Guide - Page 718
    Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not , application patrol, and content filtering. The Zyxel Device supports one-time and recurring schedules. One-time ZyWALL USG FLEX Series User's Guide 718
  • ZyXEL USG FLEX 100 | User Guide - Page 719
    to modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References to of times an object reference is used in a profile. ZyWALL USG FLEX Series User's Guide 719
  • ZyXEL USG FLEX 100 | User Guide - Page 720
    31.) Specify the hour and minute when the schedule ends. OK Cancel • Hour - 0 - 23 • Minute - 0 - 59 Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 720
  • ZyXEL USG FLEX 100 | User Guide - Page 721
    Cancel • Hour - 0 - 23 • Minute - 0 - 59 Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 721
  • ZyXEL USG FLEX 100 | User Guide - Page 722
    to modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References to icon or an Edit icon in the Schedule Group section. ZyWALL USG FLEX Series User's Guide 722
  • ZyXEL USG FLEX 100 | User Guide - Page 723
    list displays the names of the service and service group objects that have been added to the service group. The order of members is list. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes ZyWALL USG FLEX Series User's Guide 723
  • ZyXEL USG FLEX 100 | User Guide - Page 724
    Dial-In User Service) authentication is a Zyxel Device OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS' CD for details. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 725
    Supported by the Zyxel Device The following lists the types of authentication server the Zyxel Device supports. • Local user database The Zyxel • RADIUS RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate ZyWALL USG FLEX Series User's Guide 725
  • ZyXEL USG FLEX 100 | User Guide - Page 726
    Summary Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the Zyxel Device can use in authenticating users. Click Configuration > Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. ZyWALL USG FLEX Series User's Guide 726
  • ZyXEL USG FLEX 100 | User Guide - Page 727
    you can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References to new AD or LDAP entry or edit an existing one. ZyWALL USG FLEX Series User's Guide 727
  • ZyXEL USG FLEX 100 | User Guide - Page 728
    Enter the address of the AD or LDAP server. Backup Server Address If the AD or LDAP server has a backup server, enter its address here. ZyWALL USG FLEX Series User's Guide 728
  • ZyXEL USG FLEX 100 | User Guide - Page 729
    An AD or LDAP server defines attributes for its accounts. Enter the name of the attribute that the Zyxel Device is to check to determine to which group a user belongs. The value for this attribute is to find computers on the remote network and vice versa. ZyWALL USG FLEX Series User's Guide 729
  • ZyXEL USG FLEX 100 | User Guide - Page 730
    you can modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References to new AD or LDAP entry or edit an existing one. ZyWALL USG FLEX Series User's Guide 730
  • ZyXEL USG FLEX 100 | User Guide - Page 731
    Authentication Port Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. ZyWALL USG FLEX Series User's Guide 731
  • ZyXEL USG FLEX 100 | User Guide - Page 732
    IP address of the NAS (Network Access Server). If the RADIUS server requires the Zyxel Device to provide the Network Access Server identifier attribute with a specific value, enter it here. Select this if you want to configure your username as case-sensitive. ZyWALL USG FLEX Series User's Guide 732
  • ZyXEL USG FLEX 100 | User Guide - Page 733
    39.10.4 on page 736) to configure double-layer security to access a secured network behind the Zyxel Device via a VPN tunnel, Web Configurator, SSH, or Telnet. 39.10.1 Before You Begin Configure from the drop-down list box. 4 Click OK to save the settings. ZyWALL USG FLEX Series User's Guide 733
  • ZyXEL USG FLEX 100 | User Guide - Page 734
    modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References Click Configuration > Object > Auth. Method. 2 Click Add. ZyWALL USG FLEX Series User's Guide 734
  • ZyXEL USG FLEX 100 | User Guide - Page 735
    press [ENTER] to move the rule to the number that you typed. The ordering of your methods is important as the Zyxel Device authenticates the users using the authentication methods in the order they appear in this screen. # This field displays the index number. ZyWALL USG FLEX Series User's Guide 735
  • ZyXEL USG FLEX 100 | User Guide - Page 736
    the VPN client/Zyxel Device's login user name / password and the second layer is an authorized SMS (via mobile phone number) or email address. 39.10.4.1 Overview This section introduces how two-factor authentication works. Figure 485 Two-Factor Authentication ZyWALL USG FLEX Series User's Guide 736
  • ZyXEL USG FLEX 100 | User Guide - Page 737
    on the Zyxel Device • Have an account with ViaNett to be able to send SMS/email authorization requests • Enable HTTP and/or HTTPS in System > WWW > Service Control • Enable SSH and/or Telnet in System > SSH and/or System > TELNET • Configure SMS in System > Notification > SMS. ZyWALL USG FLEX Series
  • ZyXEL USG FLEX 100 | User Guide - Page 738
    Zyxel Device service(s) that requires two-factor authentication. Go to Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access and configure the following screen as shown. Figure 486 Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access ZyWALL USG FLEX
  • ZyXEL USG FLEX 100 | User Guide - Page 739
    it to the Zyxel Device. The message service (Web, SSH, and TELNET) that requires two-factor authentication for the admin user. Go to Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access and configure the following screen as shown. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 740
    Enable Valid Time Two-factor Authentication for Services: User Select the check box to require double-layer security to access a secured network behind the Zyxel Device via the Web Configurator, SSH, to configure how to send an SMS or email for authorization. ZyWALL USG FLEX Series User's Guide 740
  • ZyXEL USG FLEX 100 | User Guide - Page 741
    .11.4.2 on page 757) to save CA certificates and trusted remote host certificates to the Zyxel Device. The Zyxel Device trusts any valid certificate that you have imported as a trusted certificate. It also trusts re-sign the message with Tim's private key). ZyWALL USG FLEX Series User's Guide 741
  • ZyXEL USG FLEX 100 | User Guide - Page 742
    to sign a message and Tim uses Jenny's public key to verify the message. The Zyxel Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection to convert a binary PKCS#7 certificate into a printable form. ZyWALL USG FLEX Series User's Guide 742
  • ZyXEL USG FLEX 100 | User Guide - Page 743
    creates this and you must provide it to decrypt the contents when you import the file into the Zyxel Device. Note: Be careful not to convert a binary file to text during the transfer process. It Algorithm and Thumbprint fields. Figure 489 Certificate Details ZyWALL USG FLEX Series User's Guide 743
  • ZyXEL USG FLEX 100 | User Guide - Page 744
    certificates move up by one when you take this action. References You cannot delete certificates that any of the Zyxel Device's features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry. ZyWALL USG FLEX Series User's Guide 744
  • ZyXEL USG FLEX 100 | User Guide - Page 745
    Click this and the following screen will appear. Type the selected certificate's password and save the selected certificate to your computer. Figure 491 Download a Certificate ZyWALL USG FLEX Series User's Guide 745
  • ZyXEL USG FLEX 100 | User Guide - Page 746
    Here are the field descriptions: • Mail Subject: Type the subject line for outgoing email from the Zyxel Device. • Mail To: Type the email address (or addresses) to which the outgoing email is It is recommended that you give each certificate a unique name. ZyWALL USG FLEX Series User's Guide 746
  • ZyXEL USG FLEX 100 | User Guide - Page 747
    > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the Zyxel Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. ZyWALL USG FLEX Series User's Guide 747
  • ZyXEL USG FLEX 100 | User Guide - Page 748
    or city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. ZyWALL USG FLEX Series User's Guide 748
  • ZyXEL USG FLEX 100 | User Guide - Page 749
    certification request and save it locally for later manual enrollment OK Cancel Select DSA to use the Digital apply to a certification authority for certificates. Select this to have the Zyxel Device generate and store a request for a certificate. Use the My ZyWALL USG FLEX Series User's Guide 749
  • ZyXEL USG FLEX 100 | User Guide - Page 750
    , the certificate itself is the only one in the list. The Zyxel Device does not trust the certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked. Click Refresh to display the certification path. ZyWALL USG FLEX Series User's Guide 750
  • ZyXEL USG FLEX 100 | User Guide - Page 751
    . This field does not display for a certification request. This is the certificate's message digest that the Zyxel Device calculated using the MD5 algorithm. This is the certificate's message digest that the Zyxel Device calculated using the SHA1 algorithm. ZyWALL USG FLEX Series User's Guide 751
  • ZyXEL USG FLEX 100 | User Guide - Page 752
    editor and save the file on a management computer for later manual enrollment. Export Certificate Only Password Export Certificate with Private Key screen. Follow the instructions in this screen to save an existing certificate to the Zyxel Device. Note: You ZyWALL USG FLEX Series User's Guide 752
  • ZyXEL USG FLEX 100 | User Guide - Page 753
    any of the Zyxel Device's features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry. # This field displays the certificate index number. The certificates are listed in alphabetical order. ZyWALL USG FLEX Series User's Guide 753
  • ZyXEL USG FLEX 100 | User Guide - Page 754
    in-depth information about the certificate, change the certificate's name and set whether or not you want the Zyxel Device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority. ZyWALL USG FLEX Series User's Guide 754
  • ZyXEL USG FLEX 100 | User Guide - Page 755
    Chapter 39 Object Figure 497 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL USG FLEX Series User's Guide 755
  • ZyXEL USG FLEX 100 | User Guide - Page 756
    Certificate Status Protocol). Type the protocol, IP address and path name of the OCSP server. The Zyxel Device may need to authenticate itself in order to access the OCSP server. Type the login name is the same information as in the Subject Name field. ZyWALL USG FLEX Series User's Guide 756
  • ZyXEL USG FLEX 100 | User Guide - Page 757
    the certificate's key pair (the Zyxel Device uses RSA encryption) and the instructions in this screen to save a trusted certificate to the Zyxel Device. Note: You must remove any spaces from the certificate's filename before you can import the certificate. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 758
    screens (Section 39.12.1 on page 758) to create and manage ISP accounts in the Zyxel Device. 39.12.1 ISP Account Summary This screen provides a summary of ISP accounts in the Zyxel Device. To access this screen, click Configuration > Object > ISP Account. ZyWALL USG FLEX Series User's Guide 758
  • ZyXEL USG FLEX 100 | User Guide - Page 759
    to modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References to Edit icon to open the ISP Account Edit screen below. ZyWALL USG FLEX Series User's Guide 759
  • ZyXEL USG FLEX 100 | User Guide - Page 760
    Chapter 39 Object Figure 500 Configuration > Object > ISP Account > Edit Your Zyxel Device accepts CHAP only. PAP - Your Zyxel Device accepts PAP only. MSCHAP - Your Zyxel Device accepts MSCHAP only. Encryption Method MSCHAP-V2 - Your Zyxel by your ISP. ZyWALL USG FLEX Series User's Guide 760
  • ZyXEL USG FLEX 100 | User Guide - Page 761
    the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE is disabled. Click OK to save your changes back to the Zyxel Device. If there are no errors, the program returns to the Request ZyWALL USG FLEX Series User's Guide 761
  • ZyXEL USG FLEX 100 | User Guide - Page 762
    's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 762
  • ZyXEL USG FLEX 100 | User Guide - Page 763
    modify the entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. References Select an entry and click References icon. Figure 504 Configuration > DHCPv6 > Lease > Add ZyWALL USG FLEX Series User's Guide 763
  • ZyXEL USG FLEX 100 | User Guide - Page 764
    as your lease type, you must enter the IP address of the server you selected. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 764
  • ZyXEL USG FLEX 100 | User Guide - Page 765
    active and passive devices. 40.2 Device HA Status Use this screen to view Device HA Pro license status and details on the active and passive Zyxel Devices. Go to Configuration > Device HA > Device HA Status to view the following screen. ZyWALL USG FLEX Series User's Guide 765
  • ZyXEL USG FLEX 100 | User Guide - Page 766
    passive Zyxel Devices at myZyxel. 3. Activate the license by entering one key on the active Zyxel Device and the other key on the passive Zyxel Device. It doesn't matter which Zyxel Device is actually active or passive as this is dynamic in Device HA Pro. ZyWALL USG FLEX Series User's Guide 766
  • ZyXEL USG FLEX 100 | User Guide - Page 767
    Device HA Pro to work. Figure 507 Device HA Pro Failover from the active Zyxel Device to the passive Zyxel Device is activated when: • A monitored interface is down. • A monitored service (daemon) is down. • The heartbeat link exceeds the failure tolerance. ZyWALL USG FLEX Series User's Guide 767
  • ZyXEL USG FLEX 100 | User Guide - Page 768
    firmware in partition 2), then the running firmware must also be in partition 1 in the passive Zyxel Device (standby firmware in partition 2). 40.3.2 Configuring Device HA Pro Go to Configuration > Device HA > Device HA Pro and configure the following screen. ZyWALL USG FLEX Series User's Guide 768
  • ZyXEL USG FLEX 100 | User Guide - Page 769
    -numbered copper Ethernet port on the passive Zyxel Device (the heartbeat dedicated link port). Subnet Mask Note: The active and passive Zyxel Device Management IP addresses must be in the same subnet. Type the subnet mask for the management IP addresses. ZyWALL USG FLEX Series User's Guide 769
  • ZyXEL USG FLEX 100 | User Guide - Page 770
    When Device Service Fails (Option) Select this to have the passive Zyxel Device take over when a monitored service daemon on the active Zyxel Device fails and passive Zyxel Devices. Go to Configuration > Device HA > View Log to display the following screen. ZyWALL USG FLEX Series User's Guide 770
  • ZyXEL USG FLEX 100 | User Guide - Page 771
    HA > View Log LABEL DESCRIPTION Logs Active Device This displays Device HA Pro logs on the active Zyxel Device. Passive Device This displays Device HA Pro logs on the passive Zyxel Device. Refresh Click Refresh to update information in this screen. ZyWALL USG FLEX Series User's Guide 771
  • ZyXEL USG FLEX 100 | User Guide - Page 772
    of the Zyxel Device by ZyWALL/USG devices for management and monitoring; these devices must have firmware that supports the TR-069 protocol. In the following figure, SP is the management service provider, while A and B are sites with devices being managed by SP. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 773
    number or a Cloud CNM SecuManager server URL. • The Zyxel Device must be able to communicate with the Cloud CNM SecuManager server. You must configure Configuration > Cloud CNM > SecuManager to allow the Zyxel Device to find the Cloud CNM SecuManager server. ZyWALL USG FLEX Series User's Guide 773
  • ZyXEL USG FLEX 100 | User Guide - Page 774
    VM server is behind a NAT router. You then need to manually enter the VM server URL into the Zyxel Device. Enter the IPv4 IP address of the Cloud CNM have the Zyxel Device inform the Cloud CNM SecuManager server of its presence at regular intervals. ZyWALL USG FLEX Series User's Guide 774
  • ZyXEL USG FLEX 100 | User Guide - Page 775
    network usage. You need to buy a license for SecuReporter for your Zyxel Device and register it at myZyxel. You must be a registered user at myZyxel. You can access the portal from a web browser and also get notifications sent to an app on your mobile phone. ZyWALL USG FLEX Series User's Guide 775
  • ZyXEL USG FLEX 100 | User Guide - Page 776
    SecuReporter license for this Zyxel Device. The Zyxel Device must be able to communicate with the myZyxel server. Your SecuReporter license displays in Configuration > Licensing > Registration > Service after you activate the SecuReporter license at myZyxel. ZyWALL USG FLEX Series User's Guide 776
  • ZyXEL USG FLEX 100 | User Guide - Page 777
    organization. 3 Add this Zyxel Device to an Organization using the hyperlink under Unclaimed Device. SecuReporter Banner The SecuReporter banner appears when: 1 SecuReporter hasn't been enabled before. 2 The Zyxel Device is not added to an organization yet. ZyWALL USG FLEX Series User's Guide 777
  • ZyXEL USG FLEX 100 | User Guide - Page 778
    from existing organization: Select an existing organization from the drop-down list box to add the Zyxel Device to the selected organization. • Create new organization: Type a name of up to Configuration > Cloud CNM > SecuReporter to open the following screen. ZyWALL USG FLEX Series User's Guide 778
  • ZyXEL USG FLEX 100 | User Guide - Page 779
    This field is blank when the service is not activated. Expiration Date This field displays the date your service expires. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 779
  • ZyXEL USG FLEX 100 | User Guide - Page 780
    > SMS screen (Section 42.14 on page 833) to turn on the SMS service on the Zyxel Device in order to send dynamic guest account information in text messages and authorization for page 834) to set a language for the Zyxel Device's Web Configurator screens. ZyWALL USG FLEX Series User's Guide 780
  • ZyXEL USG FLEX 100 | User Guide - Page 781
    support on the Zyxel Device. • Use the System > ZON screen (see Section 42.17 on page 835) to enable or disable the Zyxel One Network (ZON) utility that uses Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel , or EXT3 file system. ZyWALL USG FLEX Series User's Guide 781
  • ZyXEL USG FLEX 100 | User Guide - Page 782
    service Zyxel Device's time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the Zyxel Device's time and date or have the Zyxel Device get the date and time from a time server. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 783
    new time and date you entered. When you enter the time settings manually, the Zyxel Device uses the new setting once you click Apply. New Time (hh manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. ZyWALL USG FLEX Series User's Guide 783
  • ZyXEL USG FLEX 100 | User Guide - Page 784
    Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the Zyxel Device get the time and date from the time server you specify below. The Zyxel time zone is one hour ahead of GMT or UTC (GMT+1). ZyWALL USG FLEX Series User's Guide 784
  • ZyXEL USG FLEX 100 | User Guide - Page 785
    is successful. If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen. To manually set the Zyxel Device date and time. 1 Click System > Date/Time. 2 Select Manual under Time and Date Setup. ZyWALL USG FLEX Series User's Guide 785
  • ZyXEL USG FLEX 100 | User Guide - Page 786
    you how to set the console port speed when you connect to the Zyxel Device via the console port using a terminal emulation program. Click Configuration > System > Console Speed to open the Console Speed screen. Figure 521 Configuration > System > Console Speed ZyWALL USG FLEX Series User's Guide 786
  • ZyXEL USG FLEX 100 | User Guide - Page 787
    . Your Zyxel Device supports 9600, Service (DDoS) attack that uses publicly accessible open DNS servers to flood a victim with DNS response traffic. An open DNS server is a DNS server which is willing to resolve recursive DNS queries from anyone on the Internet. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 788
    in the Configuration > System > DNS screen (click Show Advanced Settings to display it) if you suspect the Zyxel Device is being used (either by hackers or by a corrupted open DNS server) in a DNS amplification attack. Figure 522 Configuration > System > DNS ZyWALL USG FLEX Series User's Guide 788
  • ZyXEL USG FLEX 100 | User Guide - Page 789
    A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The Zyxel Device uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records. ZyWALL USG FLEX Series User's Guide 789
  • ZyXEL USG FLEX 100 | User Guide - Page 790
    dynamically through a specified interface or configured manually (User-Defined). This is the IP address of a DNS server. This field displays N/A if you have the Zyxel Device get a DNS server IP address [ENTER] to move the rule to the number that you typed. ZyWALL USG FLEX Series User's Guide 790
  • ZyXEL USG FLEX 100 | User Guide - Page 791
    ) LABEL DESCRIPTION # This is the index number of the service control rule. The ordering of your rules is important allowed or denied to send DNS queries. This displays whether the Zyxel Device accepts DNS queries from the computer with the IP address specified ZyWALL USG FLEX Series User's Guide 791
  • ZyXEL USG FLEX 100 | User Guide - Page 792
    with one edit to the record. For example, the domain name zyxel.com is hooked up to a record named A which translates it to 11.22.33 for a wildcard domain name. For example *.zyxel.com. Figure 524 Configuration > System > DNS > CNAME Record > Add ZyWALL USG FLEX Series User's Guide 792
  • ZyXEL USG FLEX 100 | User Guide - Page 793
    zone for the www.zyxel.com.tw fully qualified domain name. 42.6.9 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 525 Configuration > System > DNS > Domain Zone Forwarder Add ZyWALL USG FLEX Series User's Guide 793
  • ZyXEL USG FLEX 100 | User Guide - Page 794
    address of a DNS server. Enter the DNS server's IP address in the field to the right. The Zyxel Device must be able to connect to the DNS server without using a VPN tunnel. The DNS server an MX record. Figure 526 Configuration > System > DNS > MX Record Add ZyWALL USG FLEX Series User's Guide 794
  • ZyXEL USG FLEX 100 | User Guide - Page 795
    System > DNS screen (click Show Advanced Settings to display it) if you suspect the Zyxel Device is being used by hackers in a DNS amplification attack. One possible strategy would be Configuration > System > DNS > Security Option Control Edit (Customize) ZyWALL USG FLEX Series User's Guide 795
  • ZyXEL USG FLEX 100 | User Guide - Page 796
    allow or deny the computer with the IP address that you specified to send DNS queries to the Zyxel Device. Select ALL to allow or prevent DNS queries through any zones. Select a predefined zone on which a DNS query to the Zyxel Device is allowed or denied. ZyWALL USG FLEX Series User's Guide 796
  • ZyXEL USG FLEX 100 | User Guide - Page 797
    the timeout settings in the User/Group screens. 42.7.3 HTTPS You can set the Zyxel Device to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come. ZyWALL USG FLEX Series User's Guide 797
  • ZyXEL USG FLEX 100 | User Guide - Page 798
    or HTTPS. You can also specify which IP addresses the access can come from. Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the Zyxel Device (logging into SSL VPN for example). ZyWALL USG FLEX Series User's Guide 798
  • ZyXEL USG FLEX 100 | User Guide - Page 799
    Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using secure HTTPS connections. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 800
    into the Zyxel Device (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the Zyxel Device. Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. ZyWALL USG FLEX Series User's Guide 800
  • ZyXEL USG FLEX 100 | User Guide - Page 801
    to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. 42.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. ZyWALL USG FLEX Series User's Guide 801
  • ZyXEL USG FLEX 100 | User Guide - Page 802
    this screen. Select ALL to allow or deny any computer to communicate with the Zyxel Device using this service. Zone Select a predefined address object to just allow or deny the computer with the Web Configurator to access network services like the Internet. ZyWALL USG FLEX Series User's Guide 802
  • ZyXEL USG FLEX 100 | User Guide - Page 803
    Chapter 42 System Figure 532 Configuration > System > WWW > Login Page (Desktop View) ZyWALL USG FLEX Series User's Guide 803
  • ZyXEL USG FLEX 100 | User Guide - Page 804
    Chapter 42 System Figure 533 Configuration > System > WWW > Login Page (Mobile View) The following figures identify the parts you can customize in the login and access pages. ZyWALL USG FLEX Series User's Guide 804
  • ZyXEL USG FLEX 100 | User Guide - Page 805
    one of the following ways: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. ZyWALL USG FLEX Series User's Guide 805
  • ZyXEL USG FLEX 100 | User Guide - Page 806
    does not display, your browser may not support it. Try selecting another color. The following graphic file from your computer to the Zyxel Device. Use this section to set into the Web Configurator to access network services like the Internet. Enter the title for ZyWALL USG FLEX Series User's Guide 806
  • ZyXEL USG FLEX 100 | User Guide - Page 807
    . Click Technical Details if you want to verify more information about the certificate from the Zyxel Device. Select I Understand the Risks and then click Add Exception to add the Zyxel Device to the security exception list. Click Confirm Security Exception. ZyWALL USG FLEX Series User's Guide 807
  • ZyXEL USG FLEX 100 | User Guide - Page 808
    authority's certificate into your operating system as a trusted certificate. 42.7.7.4 Login Screen After you accept the certificate, the Zyxel Device login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. ZyWALL USG FLEX Series User's Guide 808
  • ZyXEL USG FLEX 100 | User Guide - Page 809
    Certification Authority (CA) that is trusted by the Zyxel Device (see the Zyxel Device's Trusted CA Web Configurator screen). Figure 540 Zyxel Device Trusted CA Screen The CA sends you a trusted certificate to produce a screen similar to the one shown next. ZyWALL USG FLEX Series User's Guide 809
  • ZyXEL USG FLEX 100 | User Guide - Page 810
    -click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard. ZyWALL USG FLEX Series User's Guide 810
  • ZyXEL USG FLEX 100 | User Guide - Page 811
    box. Click Browse if you wish to import a different certificate. Figure 543 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. ZyWALL USG FLEX Series User's Guide 811
  • ZyXEL USG FLEX 100 | User Guide - Page 812
    in the following store and choose a different location. Figure 545 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. ZyWALL USG FLEX Series User's Guide 812
  • ZyXEL USG FLEX 100 | User Guide - Page 813
    Via HTTPS 2 When Authenticate Client Certificates is selected on the Zyxel Device, the following screen asks you to select a personal certificate to send to the Zyxel Device. This screen displays even if you only have a single certificate as in the example. ZyWALL USG FLEX Series User's Guide 813
  • ZyXEL USG FLEX 100 | User Guide - Page 814
    Login Screen 42.8 SSH You can use SSH (Secure SHell) to securely access the Zyxel Device's command line interface. Specify which zones allow SSH access and from which IP address securely connect to the WAN port of the Zyxel Device for a management session. ZyWALL USG FLEX Series User's Guide 814
  • ZyXEL USG FLEX 100 | User Guide - Page 815
    an SSH connection to the Zyxel Device, add SSH in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group which defines the default services allowed in the WAN_to_Device security must agree on the type of encryption method to use. ZyWALL USG FLEX Series User's Guide 815
  • ZyXEL USG FLEX 100 | User Guide - Page 816
    Zyxel Device Your Zyxel Device supports SSH Zyxel Device uses only SSH version 2 protocol. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 817
    computer with the IP address that you specified to access the Zyxel Device using SSH. Select ALL to allow or prevent any Zyxel Device zones from being accessed using SSH. Select a predefined Zyxel Device zone on which an incoming service is allowed or denied. ZyWALL USG FLEX Series User's Guide 817
  • ZyXEL USG FLEX 100 | User Guide - Page 818
    "telnet 192.168.1.1 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the Zyxel Device (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the Zyxel Device. ZyWALL USG FLEX Series User's Guide 818
  • ZyXEL USG FLEX 100 | User Guide - Page 819
    can use Telnet to access the Zyxel Device's command line interface. Specify Zyxel Device, add Telnet in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group which defines the default services allowed in the WAN_to_Device security policy. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 820
    DESCRIPTION Enable Server Port Service Control Add Edit Remove Move Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny). Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 821
    Service Zyxel Device's FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can be used to access the Zyxel Device. You can also specify from which IP addresses the access can come. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 822
    address that matches the IP address(es) in the Service Control table to access the Zyxel Device using this service. Select the check box to use FTP over TLS above can access the Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny). ZyWALL USG FLEX Series User's Guide 822
  • ZyXEL USG FLEX 100 | User Guide - Page 823
    , which allows a manager station to manage and monitor the Zyxel Device through the network. The Zyxel Device supports SNMP version one (SNMPv1), version two (SNMPv2c) and version 3 (SNMPv3). The next figure illustrates an SNMP management operation. ZyWALL USG FLEX Series User's Guide 823
  • ZyXEL USG FLEX 100 | User Guide - Page 824
    manager. An agent is a management software module that resides in a managed device (the Zyxel Device). An agent translates the local management information from the managed device into a form compatible with agents before conducting SNMP management sessions. ZyWALL USG FLEX Series User's Guide 824
  • ZyXEL USG FLEX 100 | User Guide - Page 825
    Supported MIBs The Zyxel Device supports MIB II that is defined in RFC-1213 and RFC-1215. The Zyxel Device also supports private MIBs (zywall.mib and zyxel-zywall- to access the Zyxel Device. You can also specify from which IP addresses the access can come. ZyWALL USG FLEX Series User's Guide 825
  • ZyXEL USG FLEX 100 | User Guide - Page 826
    matches the IP address(es) in the Service Control table to access the Zyxel Device using this service. Server Port You may change the server port number for a service if needed, however you must use the . The default is private and allows all requests. ZyWALL USG FLEX Series User's Guide 826
  • ZyXEL USG FLEX 100 | User Guide - Page 827
    Authentication Privacy Privilege Service Control Add Edit Remove Zyxel Device zone(s) configured in the Zone field (Accept) or not (Deny). Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 828
    can only collect information from the Zyxel Device MIBs. Click OK to save the changes. Click Cancel to begin configuring this screen afresh. 42.11.6 Service Control Rules Click the Add or Edit icon in the Service Control table to add a service control rule. ZyWALL USG FLEX Series User's Guide 828
  • ZyXEL USG FLEX 100 | User Guide - Page 829
    labels in this screen. Table 362 Configuration > System > SNMP > Service Control Rule Add/Edit LABEL DESCRIPTION Create new Object Address Object Use enable the authentication server feature of the Zyxel Device and specify the RADIUS client's IP address. ZyWALL USG FLEX Series User's Guide 829
  • ZyXEL USG FLEX 100 | User Guide - Page 830
    Zyxel Device. Mask This is the subnet mask of the RADIUS client. Description This is the description of the RADIUS client. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 831
    over the network. This key must be the same on the external authentication server and the Zyxel Device. Enter the description of each server, if any. You can use up to 60 printable Click Configuration > System > Notification to display the Mail Server screen. ZyWALL USG FLEX Series User's Guide 831
  • ZyXEL USG FLEX 100 | User Guide - Page 832
    Layer Security (TLS) for encrypted communications between the mail server and the Zyxel Device. STARTTLS Select this option if the mail server uses SSL or changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 832
  • ZyXEL USG FLEX 100 | User Guide - Page 833
    . Note: Go to the Configuration > System > Notification > Mail Server screen to configure a mail server first, so the Zyxel Device can send SMS messages to the SMS service provider via emails. Thus, the SMS service provider will send the SMS messages. ZyWALL USG FLEX Series User's Guide 833
  • ZyXEL USG FLEX 100 | User Guide - Page 834
    auto append to "Mail to" to add the domain name of your SMS service provider after the mobile phone number in the Mail To field. Type the subject a display language for the Zyxel Device's Web Configurator screens. Figure 570 Configuration > System > Language ZyWALL USG FLEX Series User's Guide 834
  • ZyXEL USG FLEX 100 | User Guide - Page 835
    screen. Use this screen to enable IPv6 support for the Zyxel Device's Web Configurator screens. Figure 571 Configuration Zyxel device responds with basic information including IP address, firmware version, location, system and model name. The information is ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 836
    batch firmware upgrade in it. You can download the ZON Utility at www.zyxel.com and install it on a computer. 42.17.1 Requirements Before installing see if your Zyxel Device and firmware version support the ZON Utility. Click the OK button to close this screen. ZyWALL USG FLEX Series User's Guide 836
  • ZyXEL USG FLEX 100 | User Guide - Page 837
    your device is not listed here, see the device release notes for ZON utility support. The release notes are in the firmware zip file on the Zyxel web site. Figure 573 ZON Utility Screen 3 Select a network adapter to which your supported devices are connected. ZyWALL USG FLEX Series User's Guide 837
  • ZyXEL USG FLEX 100 | User Guide - Page 838
    Adapter Chapter 42 System 4 Click the Go button for the ZON Utility to discover all supported devices in your network. Figure 575 Discovery 5 The ZON Utility screen shows the devices address. 2 Renew IP Address Update a DHCP-assigned dynamic IP address. ZyWALL USG FLEX Series User's Guide 838
  • ZyXEL USG FLEX 100 | User Guide - Page 839
    troubleshooting Zyxel supports the Nebula Control Center (NCC) discovery feature. If it's enabled, the selected device will try to connect to the NCC. Once the selected device is connected to and has registered in the NCC, it'll go into the cloud management mode. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 840
    . Enable Select to activate LLDP discovery on the Zyxel Device. See also Monitor > System Status > Ethernet Discovery. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 840
  • ZyXEL USG FLEX 100 | User Guide - Page 841
    . Note: Data collection may decrease the Zyxel Device's traffic throughput rate. Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the Zyxel Device email you system statistics every day. ZyWALL USG FLEX Series User's Guide 841
  • ZyXEL USG FLEX 100 | User Guide - Page 842
    DESCRIPTION Enable Email Daily Select this to send reports by email every day. Report Mail Subject Type the subject line for outgoing email from the Zyxel Device. ZyWALL USG FLEX Series User's Guide 842
  • ZyXEL USG FLEX 100 | User Guide - Page 843
    System Resource Usage, Wireless Report, Security Service, Interface Traffic Statistics and DHCP Table. , such as system errors and attacks. The Zyxel Device provides a system log and supports email profiles and remote syslog servers. View the > Log Setting. ZyWALL USG FLEX Series User's Guide 843
  • ZyXEL USG FLEX 100 | User Guide - Page 844
    the type of log setting entry (system log, logs stored on a USB storage device connected to the Zyxel Device, or one of the remote servers). This field displays the format of the log. Internal - system .3.1 on page 843), and click the system log Edit icon. ZyWALL USG FLEX Series User's Guide 844
  • ZyXEL USG FLEX 100 | User Guide - Page 845
    Chapter 43 Log and Report Figure 580 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers) Figure 581 Configuration > Log & Report > Log Setting > Edit (System Log ) ZyWALL USG FLEX Series User's Guide 845
  • ZyXEL USG FLEX 100 | User Guide - Page 846
    the Zyxel Device will email logs to them. enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The Zyxel Device does not email debugging information, even if this setting is selected. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 847
    /or in alerts (red exclamation point) for the email settings specified in E-Mail Server 1. The Zyxel Device does not email debugging information, even if it is recorded in the System log. Select whether to the previous screen without saving your changes. ZyWALL USG FLEX Series User's Guide 847
  • ZyXEL USG FLEX 100 | User Guide - Page 848
    checkbox to enter a value in the Keep Duration field. Enter a number of days that the Zyxel Device keeps this log. Use the Selection drop-down list to change the log settings for all of log messages, alerts, and debugging information for all log categories. ZyWALL USG FLEX Series User's Guide 848
  • ZyXEL USG FLEX 100 | User Guide - Page 849
    Summary screen (see Section 43.3.1 on page 843), and click a remote server Edit icon. Figure 584 Configuration > Log & Report > Log Setting > Edit (Remote Server - AC) ZyWALL USG FLEX Series User's Guide 849
  • ZyXEL USG FLEX 100 | User Guide - Page 850
    log information. It is read-only. VRPT/Syslog - Zyxel's Vantage Report, syslog-compatible format. Server Address Server Port of the syslog server to which to send log information. Type the service port number used by the remote server. Select a log facility. ZyWALL USG FLEX Series User's Guide 850
  • ZyXEL USG FLEX 100 | User Guide - Page 851
    each alert. Please see Section 43.3.2 on page 844, where this process is discussed. (The Default category includes debugging messages generated by open source software.) ZyWALL USG FLEX Series User's Guide 851
  • ZyXEL USG FLEX 100 | User Guide - Page 852
    and alerts from this category enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information from this category; the Zyxel Device does not email debugging information, however, even if this setting is selected. ZyWALL USG FLEX Series User's Guide 852
  • ZyXEL USG FLEX 100 | User Guide - Page 853
    /or in alerts (red exclamation point) for the email settings specified in E-Mail Server 1. The Zyxel Device does not email debugging information, even if it is recorded in the System log. E-mail Server to the previous screen without saving your changes. ZyWALL USG FLEX Series User's Guide 853
  • ZyXEL USG FLEX 100 | User Guide - Page 854
    a configuration file, the Zyxel Device uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the Zyxel Device only applies the commands that it contains. Other settings do not change. ZyWALL USG FLEX Series User's Guide 854
  • ZyXEL USG FLEX 100 | User Guide - Page 855
    which is also identical to the way you run CLI commands manually. An example is shown below. Figure 587 Configuration File / Zyxel Device exit sub command mode. Note: "exit" or "!" must follow sub commands if it is to make the Zyxel Device exit sub command mode. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 856
    Scripts When you apply a configuration file or run a shell script, the Zyxel Device processes the file line-by-line. The Zyxel Device checks the first line and applies the line if no errors are file, then click Apply to apply the file to the Zyxel Device. ZyWALL USG FLEX Series User's Guide 856
  • ZyXEL USG FLEX 100 | User Guide - Page 857
    startup-config.conf file and applies all of the valid commands. The Zyxel Device still generates a log for any errors. Figure 588 Maintenance > File Manager > Configuration File Do not turn off the Zyxel Device while configuration file upload is in progress. ZyWALL USG FLEX Series User's Guide 857
  • ZyXEL USG FLEX 100 | User Guide - Page 858
    file's row to select it and click Remove to delete it from the Zyxel Device. You can only delete manually saved configuration files. You cannot delete the systemdefault.conf, startup-config.conf the screen without saving a duplicate of the configuration file. ZyWALL USG FLEX Series User's Guide 858
  • ZyXEL USG FLEX 100 | User Guide - Page 859
    configuration file and generates error logs for all of the configuration file's errors. This lets the Zyxel Device apply most of your configuration and you can refer to the logs for what to fix. you can apply lastgood.conf to return to a valid configuration. ZyWALL USG FLEX Series User's Guide 859
  • ZyXEL USG FLEX 100 | User Guide - Page 860
    panic, out-of-memory etc.), then the Zyxel Device will automatically use the (good) backup image to boot. 44.3.1 Cloud Helper Cloud Helper lets you know if there is a later firmware available on the Cloud Helper server and lets you download it if there is. ZyWALL USG FLEX Series User's Guide 860
  • ZyXEL USG FLEX 100 | User Guide - Page 861
    on new firmware available. At the time of writing, the Firmware Upgrade license providing Cloud Helper new firmware notifications is free when you register your Zyxel Device. The license does not expire if you have firmware version 4.32 patch 1 and later. ZyWALL USG FLEX Series User's Guide 861
  • ZyXEL USG FLEX 100 | User Guide - Page 862
    Now to directly upgrade firmware to the standby partition and have the Zyxel Device reboot automatically so that the new standby firmware becomes the running Zyxel Device, a message will appear and remind you to register it. Also, Upgrade Now is grayed out. ZyWALL USG FLEX Series User's Guide 862
  • ZyXEL USG FLEX 100 | User Guide - Page 863
    you upload the latest firmware to the standby partition, a message will appear to ask if you want to reboot the Zyxel Device. 44.3.2 The Firmware Management Screen Click Maintenance > File Manager > Firmware Management to open the Firmware Management screen. ZyWALL USG FLEX Series User's Guide 863
  • ZyXEL USG FLEX 100 | User Guide - Page 864
    one time. This indicates whether the firmware is Running, or not running but already uploaded to the Zyxel Device and is on Standby. It displays N/A if there is no firmware uploaded to that system space the date that the version of the firmware was created. ZyWALL USG FLEX Series User's Guide 864
  • ZyXEL USG FLEX 100 | User Guide - Page 865
    in the standby partition become the running firmware after the Zyxel Device automatically restarts. This field displays whether the firmware license service is activated at myZyxel (Activated) or not (Not appears in the status bar at the bottom of the screen. ZyWALL USG FLEX Series User's Guide 865
  • ZyXEL USG FLEX 100 | User Guide - Page 866
    If the startup-config.conf configuration file has problems and you are upgrading to 4.25 or later firmware, then the Zyxel Device will revert (failover) to the previously running . You can store multiple shell script files on the Zyxel Device at the same time. ZyWALL USG FLEX Series User's Guide 866
  • ZyXEL USG FLEX 100 | User Guide - Page 867
    a shell script file's row to select it and click Remove to delete the shell script file from the Zyxel Device. A pop-up window asks you to confirm that you want to delete the shell script file. it and click Download to save the configuration to your computer. ZyWALL USG FLEX Series User's Guide 867
  • ZyXEL USG FLEX 100 | User Guide - Page 868
    your Zyxel Device. Type in the location of the file you want to upload in this field or click Browse... to find it. Click Browse... to find the .zysh file you want to upload. Click Upload to begin the upload process. This process may take up to several minutes. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 869
    provide an easy way for you to generate a file containing the Zyxel Device's configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics to open the Diagnostics screens. ZyWALL USG FLEX Series User's Guide 869
  • ZyXEL USG FLEX 100 | User Guide - Page 870
    to display information about the Zyxel Device. This is an example of a customized Diagnostics > Collect script. show service-register status all show myzyxel-service get-cloud-timezone show cloud-helper the size of the most recently created diagnostic file. ZyWALL USG FLEX Series User's Guide 870
  • ZyXEL USG FLEX 100 | User Guide - Page 871
    storage (if ready) Select this to have the Zyxel Device create an extra copy of the diagnostic support during troubleshooting. Click Maintenance > Diagnostics > Collect on AP to open the Collect on AP screen. Figure 600 Maintenance > Diagnostics > Collect on AP ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 872
    information the Zyxel Device has collected and stored on the Zyxel Device or in a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 601 depends on the file sizes and the available storage space. ZyWALL USG FLEX Series User's Guide 872
  • ZyXEL USG FLEX 100 | User Guide - Page 873
    captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. ZyWALL USG FLEX Series User's Guide 873
  • ZyXEL USG FLEX 100 | User Guide - Page 874
    all IP versions. Protocol Type Select the protocol of traffic for which to capture packets. Select any to capture packets for all types of traffic. ZyWALL USG FLEX Series User's Guide 874
  • ZyXEL USG FLEX 100 | User Guide - Page 875
    USB device to store system logs and other diagnostic information. available - you can have the Zyxel Device use the USB storage device. The available storage capacity also displays. Note: The Zyxel Device reserves some USB storage space as a buffer. ZyWALL USG FLEX Series User's Guide 875
  • ZyXEL USG FLEX 100 | User Guide - Page 876
    to have the Zyxel Device store problems. Click Maintenance > Diagnostics > Packet Capture > Capture on AP to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 877
    lists the managed APs that are connected and available. Select the managed AP that you want the Zyxel Device to capture network traffic going through it. Query After you select an AP, click this the [Shift] and/or [Ctrl] key to select multiple objects. ZyWALL USG FLEX Series User's Guide 877
  • ZyXEL USG FLEX 100 | User Guide - Page 878
    be larger than the size of captured packets. Select this to have the Zyxel Device only store packet capture entries on the Zyxel Device. The available storage size is displayed as well. Note: The Zyxel Device reserves some on board storage space as a buffer. ZyWALL USG FLEX Series User's Guide 878
  • ZyXEL USG FLEX 100 | User Guide - Page 879
    lists the files of packet captures stored on the Zyxel Device or a connected USB storage device. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. ZyWALL USG FLEX Series User's Guide 879
  • ZyXEL USG FLEX 100 | User Guide - Page 880
    Packet Capture > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the Zyxel Device or the connected USB storage device. Use the [Shift] and/or [Ctrl] key and memory performance of various applications on the Zyxel Device. ZyWALL USG FLEX Series User's Guide 880
  • ZyXEL USG FLEX 100 | User Guide - Page 881
    most Zyxel Device DRAM memory. Memory Usage Memory usage shows how much DRAM memory the Zyxel Device is using. This field displays the current percentage of memory utilization. # This field is a sequential value, and it is not associated with any entry. ZyWALL USG FLEX Series User's Guide 881
  • ZyXEL USG FLEX 100 | User Guide - Page 882
    > Diagnostics > System Log to open the System Log screen. This screen lists the files of Zyxel Device system logs stored on a connected USB storage device. The files are in comma separated value > Diagnostics > Network Tool to display this screen. ZyWALL USG FLEX Series User's Guide 882
  • ZyXEL USG FLEX 100 | User Guide - Page 883
    Chapter 45 Diagnostics Figure 607 Maintenance > Diagnostics > Network Tool Figure 608 Maintenance > Diagnostics > Network Tool - Test Email Server ZyWALL USG FLEX Series User's Guide 883
  • ZyXEL USG FLEX 100 | User Guide - Page 884
    server uses SSL or TLS for encrypted communications between the mail server and the Zyxel Device. Select this if the Zyxel Device authenticates the mail server in the TLS handshake. Type the email address button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 884
  • ZyXEL USG FLEX 100 | User Guide - Page 885
    dropped for troubleshooting. Figure Zyxel Device. This field displays the tagged VLAN ID in egress packets going out from the Zyxel Device. This is the source interface of packets to which this active session applies. This field displays traceroute information. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 886
    AP interfaces connected to your Zyxel Device. Studying these frame captures may help you identify network problems. Click Maintenance > Diagnostics 50000. The Zyxel Device stops the capture and generates the capture file when either the file reaches this size. ZyWALL USG FLEX Series User's Guide 886
  • ZyXEL USG FLEX 100 | User Guide - Page 887
    Wireless Frame Capture > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the Zyxel Device. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up the date and time that the individual files were saved. ZyWALL USG FLEX Series User's Guide 887
  • ZyXEL USG FLEX 100 | User Guide - Page 888
    routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection screen. Note: Once a packet matches the criteria of a routing rule, the Zyxel Device takes the corresponding action and does not perform any further flow checking. ZyWALL USG FLEX Series User's Guide 888
  • ZyXEL USG FLEX 100 | User Guide - Page 889
    Flow Explore > Routing Status (Dynamic VPN) Figure 614 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 615 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) ZyWALL USG FLEX Series User's Guide 889
  • ZyXEL USG FLEX 100 | User Guide - Page 890
    Status (Static-Dynamic Route) Figure 618 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 619 Maintenance > Packet Flow Explore > Routing Status (Main Route) ZyWALL USG FLEX Series User's Guide 890
  • ZyXEL USG FLEX 100 | User Guide - Page 891
    Flow This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function to which the packets are transmitted. Service This is the name of the service object. any means all services. Source Port This is the source ZyWALL USG FLEX Series User's Guide 891
  • ZyXEL USG FLEX 100 | User Guide - Page 892
    -rules activate command. Note: Once a packet matches the criteria of an SNAT rule, the Zyxel Device takes the corresponding action and does not perform any further flow checking. Figure 620 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT) ZyWALL USG FLEX Series User's Guide 892
  • ZyXEL USG FLEX 100 | User Guide - Page 893
    section shows you the flow of how the Zyxel Device changes the source IP address for a packet according to the rules you have configured in the Zyxel Device. Click a function box to display the is a sequential value, and it is not associated with any entry. ZyWALL USG FLEX Series User's Guide 893
  • ZyXEL USG FLEX 100 | User Guide - Page 894
    This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the Zyxel Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. ZyWALL USG FLEX Series User's Guide 894
  • ZyXEL USG FLEX 100 | User Guide - Page 895
    > Shutdown Click the Shutdown button to shut down the Zyxel Device. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to close down the Zyxel Device. ZyWALL USG FLEX Series User's Guide 895
  • ZyXEL USG FLEX 100 | User Guide - Page 896
    PART III Appendices and Troubleshooting 896
  • ZyXEL USG FLEX 100 | User Guide - Page 897
    CHAPTER 48 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Section 6.37 on page 183). • For the order in which the Zyxel Device applies Use the same case as provided by your ISP. ZyWALL USG FLEX Series User's Guide 897
  • ZyXEL USG FLEX 100 | User Guide - Page 898
    . The Zyxel Device is not applying the custom policy route I configured. The Zyxel Device checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match. ZyWALL USG FLEX Series User's Guide 898
  • ZyXEL USG FLEX 100 | User Guide - Page 899
    Chapter 48 Troubleshooting The Zyxel Device is not applying the custom security policy I configured. The Zyxel Device checks the security policies in the order that they are data rates through my cellular connection are nowhere near the rates I expected. ZyWALL USG FLEX Series User's Guide 899
  • ZyXEL USG FLEX 100 | User Guide - Page 900
    of writing, the Zyxel Device does not support ingress bandwidth management. The Zyxel Device is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management. ZyWALL USG FLEX Series User's Guide 900
  • ZyXEL USG FLEX 100 | User Guide - Page 901
    > Security Service > Anti-Malware Zyxel Device cannot unzip. The Zyxel Device cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the Zyxel Device can concurrently unzip. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 902
    Troubleshooting The threat intelligence machine learning (TIML) feature is not working. 1 Make sure you purchase the gold security pack. • Make sure you've registered the Zyxel Device and activated the anti-malware service is supported in the Zyxel Device. ZyWALL USG FLEX Series User's Guide 902
  • ZyXEL USG FLEX 100 | User Guide - Page 903
    the Interface Type set to Internal or External. I cannot get Dynamic DNS to work. • You must have a public WAN IP address to use Dynamic DNS. ZyWALL USG FLEX Series User's Guide 903
  • ZyXEL USG FLEX 100 | User Guide - Page 904
    to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets. See Asymmetrical Routes on page 546 and the chapter about interfaces for more information. ZyWALL USG FLEX Series User's Guide 904
  • ZyXEL USG FLEX 100 | User Guide - Page 905
    Zyxel Device decrypts them. This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed. • If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using). ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 906
    on the anti-malware Destroy compressed files that could not be decompressed option. I changed the LAN IP address and can no longer access the Internet. ZyWALL USG FLEX Series User's Guide 906
  • ZyXEL USG FLEX 100 | User Guide - Page 907
    in this guide.) I cannot add the admin users to a user group with access users. You cannot put access users and admin users in the same user group. I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. ZyWALL USG FLEX Series User
  • ZyXEL USG FLEX 100 | User Guide - Page 908
    the service control rules and to-Zyxel Device security policies. I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. ZyWALL USG FLEX Series
  • ZyXEL USG FLEX 100 | User Guide - Page 909
    I wanted or failed. The packet capture screen's File Size sets a maximum size limit for the total combined size of all the capture files on the Zyxel Device, including any existing capture files and any new capture files you ZyWALL USG FLEX Series User's Guide 909
  • ZyXEL USG FLEX 100 | User Guide - Page 910
    48 Troubleshooting generate. If you have existing capture files you may need to set this size larger or delete existing capture files. The Zyxel wait for the Zyxel Device to restart. You should be able to access the Zyxel Device using the default settings. ZyWALL USG FLEX Series User's Guide 910
  • ZyXEL USG FLEX 100 | User Guide - Page 911
    Chapter 48 Troubleshooting 48.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL USG FLEX Series User's Guide 911
  • ZyXEL USG FLEX 100 | User Guide - Page 912
    China • Zyxel Communications (Shanghai) Corp. Zyxel Communications (Beijing) Corp. Zyxel Communications (Tianjin) Corp. • http://www.zyxel.cn India • Zyxel Technology India Pvt Ltd • http://www.zyxel.in Kazakhstan • Zyxel Kazakhstan • http://www.zyxel.kz ZyWALL USG FLEX Series User's Guide 912
  • ZyXEL USG FLEX 100 | User Guide - Page 913
    com/tw/zh/ Thailand • Zyxel Thailand Co., Ltd • http://www.zyxel.co.th Vietnam • Zyxel Communications Corporation-Vietnam Office • http://www.zyxel.com/vn/vi Europe Austria • Zyxel Deutschland GmbH • http://www.zyxel.de Belarus • Zyxel BY • http://www.zyxel.by ZyWALL USG FLEX Series User's Guide 913
  • ZyXEL USG FLEX 100 | User Guide - Page 914
    • Zyxel Communications • http://www.zyxel.fi France • Zyxel France • http://www.zyxel.fr Germany • Zyxel Deutschland GmbH • http://www.zyxel.de Hungary • Zyxel Hungary & SEE • http://www.zyxel.hu Italy • Zyxel Communications Italy • http://www.zyxel.it/ ZyWALL USG FLEX Series User's Guide 914
  • ZyXEL USG FLEX 100 | User Guide - Page 915
    • Zyxel Russia • http://www.zyxel.ru Slovakia • Zyxel Communications Czech s.r.o. organizacna zlozka • http://www.zyxel.sk Spain • Zyxel Communications ES Ltd • http://www.zyxel.es Sweden • Zyxel Communications • http://www.zyxel.se Switzerland • Studerus AG ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 916
    www.zyxel.com/br/pt/ Ecuador • Zyxel Communication Corporation • http://www.zyxel.com/ec/es/ Middle East Israel • Zyxel Communication Corporation • http://il.zyxel.com/homepage.shtml Middle East • Zyxel Communication Corporation • http://www.zyxel.com/me/en/ ZyWALL USG FLEX Series User's Guide 916
  • ZyXEL USG FLEX 100 | User Guide - Page 917
    Support North America USA • Zyxel Communications, Inc. - North America Headquarters • http://www.zyxel.com/us/en/ Oceania Australia • Zyxel Communications Corporation • http://www.zyxel.com/au/en/ Africa South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.za ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 918
    24 Application Object 500 4.55 USG FLEX 200 7 16 4 per interface 3 4 8 4 128 500 500 10 5 16 600,000 8,000 256 500 1000 32 32 128 5 32 128 200 200 256 300 50 128 500 100 128 32 16 24 500 ZyWALL USG FLEX Series User's Guide 918 4.55 USG FLEX 500 7 64 4 per interface 8 16 16 4 256 500 500 10 5 16
  • ZyXEL USG FLEX 100 | User Guide - Page 919
    ) 8 8 8 8 16 1 8 4+8 100 2 100 60 60 8 32 256k 64 16 8 16 per service 29 256 15 10 2 per interface 1 1024 1024 2 4 32 32 1 32 8 256 16 256 per profiles 256 per profiles 128 per profiles 1024 ZyWALL USG FLEX Series User's Guide 919 4.55 USG FLEX 500 200 128 32(PPP+3G) 16 16 16 9 16 1 16 16+8 300
  • ZyXEL USG FLEX 100 | User Guide - Page 920
    1000 800 Yes 50 50 20 SP350E (Ethernet) Up to 10 4.55 USG FLEX 500 1024 500 1024 1024 N/A N/A N/A 1 128 128 5 200 500 10 1 500 10 N/A N/A N/A 8 72 8 64 1024 1024 32 512 32 512 1024 100 4 Up to 2MB Up to 5MB 2000 1600 Yes 50 50 20 SP350E (Ethernet) Up to 10 ZyWALL USG FLEX Series User's Guide 920
  • ZyXEL USG FLEX 100 | User Guide - Page 921
    manual, or otherwise, without the prior written permission of Zyxel Communications Corporation. Published by Zyxel Communications Corporation. All rights reserved. Disclaimer Zyxel and used according to the instructions, may cause harmful interference to ZyWALL USG FLEX Series User's Guide 921
  • ZyXEL USG FLEX 100 | User Guide - Page 922
    stumble over them. • Always disconnect all cables from this device before servicing or disassembling. • Do not remove the plug and connect it to , dispose of used batteries according to the instruction. Dispose them at the applicable collection point for 11. ZyWALL USG FLEX Series User's Guide 922
  • ZyXEL USG FLEX 100 | User Guide - Page 923
    Appendix C Legal Information Environment Statement ErP (Energy-related Products) Zyxel products put on the EU market in compliance with the requirement of the ttre miljö och mänsklig hälsa genom att göra dig av med den på ett återvinningsställe. 台灣 ZyWALL USG FLEX Series User's Guide 923
  • ZyXEL USG FLEX 100 | User Guide - Page 924
    is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. ZyWALL USG FLEX Series User's Guide 924
  • ZyXEL USG FLEX 100 | User Guide - Page 925
    , please contact [email protected] to get it. Regulatory Notice and Statement (Class A) Model List: USG FLEX 500 United States of not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. . ZyWALL USG FLEX Series User's Guide 925
  • ZyXEL USG FLEX 100 | User Guide - Page 926
    stumble over them. • Always disconnect all cables from this device before servicing or disassembling. • Do not remove the plug and connect it to , dispose of used batteries according to the instruction. Dispose them at the applicable collection point for 11. ZyWALL USG FLEX Series User's Guide 926
  • ZyXEL USG FLEX 100 | User Guide - Page 927
    tiden för kasseringen bidrar du till en bättre miljö och mänsklig hälsa genom att göra dig av med den på ett återvinningsställe. 台灣 110V AC 230V AC ZyWALL USG FLEX Series User's Guide 927
  • ZyXEL USG FLEX 100 | User Guide - Page 928
    purpose. Zyxel shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. To obtain the services of this .zyxel.com. To obtain the source code covered under those Licenses, please contact [email protected] to get it. ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 929
    729 port 729, 731 search time limit 729 SSL 729 AAA server 723 AD 725 and users 666 directory service 724 LDAP 724, 725 local user database 725 RADIUS 724, 725, 730 RADIUS group 730 see also RADIUS and Telnet 820 and VPN connections 402 and WWW 802 HOST 704 ZyWALL USG FLEX Series User's Guide 929
  • ZyXEL USG FLEX 100 | User Guide - Page 930
    EICAR 607 e-mail virus 612 polymorphic virus 612 statistics 172, 175 troubleshooting 898, 901 troubleshooting signatures update 898 updating signatures 191, 192 AP group 154, 199 622 Denial of Service (DoS) 406 DoS/DDoS 622 IM 622 P2P 622 scan 622 spam 622 ZyWALL USG FLEX Series User's Guide 930
  • ZyXEL USG FLEX 100 | User Guide - Page 931
    policy exceptional services 464 Authentication troubleshooting 899, 900 certificate troubleshooting 908 Certificate Authority (CA) see certificates Certificate Revocation List (CRL) 742 vs OCSP 758 certificates 741 advantages of 742 and CA 742 and FTP 822 ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 932
    854 connection troubleshooting 904 service 582 default policy 576 external web filtering service 582, 599 filter list 576 managed web pages 582 policies 575, 576 registration status 190 statistics 171 testing 583 uncategorized pages 582 URL for blocked access 578 ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 933
    82, 787, 793 and interfaces 311 DNSBL 637, 639 see also anti-spam 637 domain name 781 Domain Name System, see DNS DoS (Denial of Service) attacks 622 DPD 417 DSA 749 DSCP 317, 320, 452, 891 DUID 221 Dynamic Domain Name System, see DDNS ZyWALL USG FLEX Series User's Guide 933
  • ZyXEL USG FLEX 100 | User Guide - Page 934
    with FTP 821 firmware package troubleshooting 906 firmware upload troubleshooting 909 flags 625 flash usage 115 forcing login 462 FQDN 791 fragmentation flag 627 fragmentation offset 627 free guest account 523 free time 523 configuration 523 enable 523 ZyWALL USG FLEX Series User's Guide 934
  • ZyXEL USG FLEX 100 | User Guide - Page 935
    560 reject-both 560 reject-receiver 560 service group 623 signatures 618 Snort signatures 634 statistics 176 troubleshooting 898, 902 verifying custom signatures 632 IEEE 802.1q VLAN IEEE 802.1q. See VLAN. IEEE 802.1x 681 IHL (IP Header Length) 625 IKE SA ZyWALL USG FLEX Series User's Guide 935
  • ZyXEL USG FLEX 100 | User Guide - Page 936
    ID type 426 IP address, remote IPSec router 424 IP address, Zyxel device 424 local identity 426 main mode 423, 427 NAT traversal (IM) 566, 622 managing 566 interface status 126 troubleshooting 899 interfaces 216 and DNS servers 311 and HTTP redirect 437 ZyWALL USG FLEX Series User's Guide 936
  • ZyXEL USG FLEX 100 | User Guide - Page 937
    713 and service objects 714 by name 167 search by policy 167 Security Parameter Index (SPI) (manual keys) 430 see also IPSec see also VPN source NAT for 429 when IKE SA is disconnected 429 IPSec VPN troubleshooting 905 IPv6 219 link-local address 220 prefix 219 ZyWALL USG FLEX Series User's Guide 937
  • ZyXEL USG FLEX 100 | User Guide - Page 938
    page 802 logo troubleshooting 908 logout Web Configurator 35 logs and security policy 552 e-mail profiles 843 e-mailing log messages 187, 846 formats 844 log consolidation 847 settings 843 syslog servers 843 system 843 types of 843 loose source routing 625 ZyWALL USG FLEX Series User's Guide 938
  • ZyXEL USG FLEX 100 | User Guide - Page 939
    virus 612 malware infection and prevention 612 life cycle 612 managed web pages 582 management access troubleshooting 908 Management Information Base (MIB) 824, 825 managing the device using SNMP. See SNMP. -based intrusions 634 Nimda 634 no IP options 625 ZyWALL USG FLEX Series User's Guide 939
  • ZyXEL USG FLEX 100 | User Guide - Page 940
    address groups 703 authentication method 733 certificates 741 schedules 718 services and service groups 713 users, user groups 665, 761 offset ( troubleshooting 901, 902, 903 Personal Identification Number code, see PIN code PFS (Perfect Forward Secrecy) 409, 430 ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 941
    service problems Guide 2 R rack-mounting 30, 71 RADIUS 724, 725 advantages 724 and IKE SA 428 and PPPoE 311 and users 666 user attributes 680 RADIUS server 829, 831 troubleshooting 907 Real-time Transport Protocol, see RTP record route 625 Reference Guide, CLI 2 ZyWALL USG FLEX Series User's Guide
  • ZyXEL USG FLEX 100 | User Guide - Page 942
    Authentication Dial-In User Service, see RADIUS remote management FTP, see FTP see also service control 797 Telnet 819 72 S same IP 628 scan attacks 622 scanner types 612 schedule troubleshooting 908 schedules 718 and content filtering 575, 576 and current date ZyWALL USG FLEX Series User's Guide 942
  • ZyXEL USG FLEX 100 | User Guide - Page 943
    552 and NAT 547 and schedules 451, 455, 466, 552 and service groups 551 and service objects 714 and services 551 and SIP (ALG) 361 and user groups 552, 563 port 365 troubleshooting 904 SMS 833 send account information 833 ViaNett account 833 SMS gateway 833 ZyWALL USG FLEX Series User's Guide 943
  • ZyXEL USG FLEX 100 | User Guide - Page 944
    433 access policy 433 full tunnel mode 433 network access mode 29 see also SSL 433 troubleshooting 906 stac compression 761 startup-config.conf 859 if errors 857 missing at restart 857 present area 327 STUN 362 and ALG 362 subscription services status 190 ZyWALL USG FLEX Series User's Guide 944
  • ZyXEL USG FLEX 100 | User Guide - Page 945
    supported address objects 820 and zones 820 with SSH 818 throughput rate troubleshooting 909 time 782 time servers (default) 785 time to live 724 to-ZyWALL security policy and NAT 351 and NAT traversal (VPN) 905 and OSPF 327 and RIP 325 and service control 797 ZyWALL USG FLEX Series User's Guide 945
  • ZyXEL USG FLEX 100 | User Guide - Page 946
    666 and policy routes 319, 451, 455 and RADIUS 666 and security policy 552, 563 and service control 797 and shell scripts 680 attributes for Ext-User 666 attributes for LDAP 680 attributes for admin (type) 665 lockout 676 reauthentication time 671 types of 665 ZyWALL USG FLEX Series User's Guide 946
  • ZyXEL USG FLEX 100 | User Guide - Page 947
    397 active protocol 429 and NAT 427 basic troubleshooting 905 hub-and-spoke, see VPN concentrator 30 access 32 access users 677 requirements 31 supported browsers 31 web features ActiveX 595 cookies Service, see WINS Windows Internet Naming Service, see WINS. ZyWALL USG FLEX Series User's Guide 947
  • ZyXEL USG FLEX 100 | User Guide - Page 948
    Index Root AP 701 root AP 700 security 703 SSID 703 WDS 700 ZyMesh profiles 702 Z zipped files troubleshooting 901 ZON Utility 835 zones 662 and FTP 822 and interfaces 662 and security policy 544, 550, 570 701 hop 701 profile 702 Repeater 701 repeater 700 ZyWALL USG FLEX Series User's Guide 948

ZyWALL USG FLEX Series User’s Guide
Default Login Details
LAN Port IP Address: https://192.168.1.1
User Name: admin
Password: 1234
Version 4.55 Edition 1, 6/2020
Copyright © 2020 Zyxel Communications Corporation