ZyXEL ZYWALL USG 100 User Guide

ZyXEL ZYWALL USG 100 Manual

ZyXEL ZYWALL USG 100 manual content summary:

  • ZyXEL ZYWALL USG 100 | User Guide - Page 1
    ZyWALL USG100-PLUS Unified Security Gateway Default Login Details LAN IP Address https://192.168.1.1 User Name admin Password 1234 Version 3.00 Edition 2, 9/2012 www.zyxel.com Copyright © 2012 ZyXEL Communications Corporation
  • ZyXEL ZYWALL USG 100 | User Guide - Page 2
    ZyWALL IPSec VPN Client Configuration Provisioning Video Example 72 SSL VPN Video Example 74 Configuring L2TP VPN on the ZyWALL Video Example 80 Configuring L2TP VPN in Windows 7 Video Example 85 Bandwidth Management Video Example 100 AppPatrol Video Example 117 2 ZyWALL USG100-PLUS User's Guide
  • ZyXEL ZYWALL USG 100 | User Guide - Page 3
    (EPS) ...47 3.4 Device and Service Registration ...47 3.5 Anti-Virus Policy ZyWALL IPSec VPN Client Configuration Provisioning 69 4.5 SSL VPN ...73 4.6 L2TP VPN with Android, iOS, and Windows 75 4.7 One-Time Password Version 2 (OTPv2) 90 Managing Traffic ...93
  • ZyXEL ZYWALL USG 100 | User Guide - Page 4
    USB Storage Device 127 6.8 How to Get the ZyWALL's Diagnostic File 130 6.9 How to Capture Packets on the ZyWALL 131 6.10 How to Get the ZyWALL's Core Dump File 134 6.11 How to Use Packet Flow Explore for Troubleshooting 135 Appendix A Legal Information ...137
  • ZyXEL ZYWALL USG 100 | User Guide - Page 5
    , anti-virus, and anti-spam. Figure 1 Applications: Security Router IPv6 Routing The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy secure access to your network. You can also purchase the ZyWALL OTPv2 One-Time
  • ZyXEL ZYWALL USG 100 | User Guide - Page 6
    for strong two-factor authentication for Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN client user logins. Figure 3 Applications: VPN Connectivity ***** OTP PIN SafeWord access the Internet. User C is not even logged in and cannot access either.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 7
    interfaces may be generic rather than the specific name used in your model. For example, this guide may use "the WAN interface" rather than "wan1" or "wan2". Figure 7 Zones, Interfaces 1.3 Management Overview You can manage the ZyWALL in the following ways.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 8
    or later: Internet Explorer 7, Firefox 3.5, Chrome 9.0, Opera 10.0, Safari 4.0 • Allow pop-up windows (blocked by default in Windows XP Service Pack 2) • Enable JavaScript, Java permissions, and cookies The recommended screen resolution is 1024 x 768 pixels.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 9
    appears. 5 The Network Risk Warning screen displays any unregistered or disabled security services. Select how often to display the screen and click OK. 6 Follow the Wizard opens if the ZyWALL is using its default configuration; otherwise the dashboard appears.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 10
    Chapter 1 Introduction 1.4.2 Web Configurator Introduction Video Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 11
    for the current screen. About Click this to display basic information about the ZyWALL. Site Map Click this to see an overview of links to the Web following sections introduce the ZyWALL's navigation panel menus and their screens. Figure 10 Navigation Panel
  • ZyXEL ZYWALL USG 100 | User Guide - Page 12
    Cache Manage the ZyWALL's URL cache. Anti-Spam Report Collect and display spam statistics. Status Displays how many mail sessions the ZyWALL is currently checking and DNSBL (Domain Name Service-based spam Black List) statistics. Log Lists log entries.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 13
    activate trial services. Service View the licensed service status and upgrade licensed services. Signature Update devices connected to each supported interface. Exempt List Configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC . VPN
  • ZyXEL ZYWALL USG 100 | User Guide - Page 14
    Provisioning Set who can retrieve VPN rule settings from the ZyWALL using the ZyWALL IPSec VPN Client. SSL VPN Access Privilege Configure SSL VPN white list to identify legitimate e-mail. DNSBL Have the ZyWALL check e-mail against DNS Black Lists. Object
  • ZyXEL ZYWALL USG 100 | User Guide - Page 15
    Web Configurator language. IPv6 Enable IPv6 globally on the ZyWALL here. Log & Report Email Daily Report Configure where and how to send daily reports and what reports to send. Log Setting Configure the system log, e-mail logs, and remote syslog servers.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 16
    for the ZyWALL. Firmware Package View the current firmware version and to upload firmware. Shell Script Manage and run shell script files for the ZyWALL. Diagnostics • Show entries in groups • Filter by mathematical operators (, or =) or searching for text
  • ZyXEL ZYWALL USG 100 | User Guide - Page 17
    have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 18
    changes that you have not yet applied. Remove To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Activate To turn on an entry, select it and to move them to the other list. Figure 17 Working with Lists
  • ZyXEL ZYWALL USG 100 | User Guide - Page 19
    than the rack-mounting screws). 2 Attach the other bracket in a similar fashion. 3 After attaching both mounting brackets, position the ZyWALL in the rack and line up the bracket holes with the rack holes. Secure the ZyWALL to the rack with the rack-mounting screws.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 20
    link. No device is connected to the ZyWALL's USB port or the connected device is not supported by the ZyWALL. A 3G USB card or USB storage ZyWALL is sending or receiving packets on this port. There is no connection on this port. This port has a successful link.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 21
    to quickly configure Internet connection and VPN settings as well as activate subscription services. WIZARD Installation Setup Wizard Quick Setup WAN Interface VPN Setup DESCRIPTION Use this , port roles, and zones for the following example configuration.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 22
    Roles, and Zone Configuration Example 2.2.1 Configure a WAN Ethernet Interface You need to assign the ZyWALL's wan1 interface a static IP address of 1.2.3.4. Click Configuration > Network > Interface > subnet mask, and default gateway settings and click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 23
    a new zone. 1 Click Configuration > Network > Zone and then double-click the IPSec_VPN entry. 2 Select WIZ_VPN and remove it from the Member box and click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 24
    for cellular WAN (Internet) connections. See www.zyxel.com for a supported 3G card. In this example you connect the ZyWALL not apply any security settings to the 3G connection. Enter the PIN Code provided by the cellular 3G service provider (0000 in this example).
  • ZyXEL ZYWALL USG 100 | User Guide - Page 25
    or local service provider. ZyWALL automatically adds the cellular interface to the system default WAN trunk. If the ZyWALL is using a user-configured trunk as its default trunk and you want this cellular interface to be part of it, use the Trunk screens to add it.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 26
    interfaces and network policies. Configure this if you need your service provider to provide an IP address through PPPoE or PPTP in appropriate interface or VPN tunnel. Since firmware version 3.00, the ZyWALL supports IPv6 configuration in these Ethernet, PPP, .
  • ZyXEL ZYWALL USG 100 | User Guide - Page 27
    Pure IPv6 Routing This example shows how to configure your ZyWALL Z's WAN and LAN interfaces, which connect two IPv6 networks. ZyWALL Z periodically advertises a network prefix of 2006:1111:1111: Note: Your ISP or uplink router should enable router advertisement.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 28
    1111:1111::/64 in this example). Click OK. You have completed the settings on the ZyWALL. But if you want to request a network address prefix from your ISP for your computers on the LAN, you can configure prefix delegation (see Section 2.5.4 on page 29).
  • ZyXEL ZYWALL USG 100 | User Guide - Page 29
    Prefix Delegation and Router Advertisement Settings This example shows how to configure prefix delegation on the ZyWALL's WAN and router advertisement on the LAN. 2.5.4.1 Apply a Network Prefix From Your ISP First LAN1's IP address is 2001:b050:2d:1111::1/128.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 30
    example. Note: Your ISP or a DHCPv6 server in the same network as the WAN should assign an IPv6 IP address for the WAN interface.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 31
    combined prefix 2001:b050:2d:1111::/64 will display for the LAN1's network prefix after you click OK and come back to this screen again).
  • ZyXEL ZYWALL USG 100 | User Guide - Page 32
    Chapter 2 How to Set Up Your Network 2.5.5 Test 1 Connect a computer to the ZyWALL's LAN1.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 33
    XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default. You can enable IPv6 in the Control Panel > Network and Sharing Center > Local Area Connection that you want to play the content and click play again.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 34
    Request Options table displays n/a, contact your ISP for further support. 4 In Windows, some IPv6 related tunnels may be IP address from the left must be converted from 122.100.220.238. It becomes 7a64:dcee in hexadecimal. You ZyWALL through the following flow.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 35
    :7a64:dcee:1::/64. The LAN1 hosts will get the network prefix through the router advertisement messages sent by the LAN1 IPv6 interface periodically. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 36
    wan1 as the gateway. Click OK. 2.6.4 Testing the 6to4 Tunnel 1 Connect a computer to the ZyWALL's LAN1. 2 Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt to test. You should get a response.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 37
    a 6to4 packet can be retrieved from the packet's destination IP address. The ZyWALL only forwards a 6to4 packet to the relay router using the default route if . In 6to4, the ZyWALL uses the WAN1 IPv4 interface to forward your 6to4 packets over the IPv4 network.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 38
    are complete, IPv4 and IPv6 packets transmitted between WAN1 and LAN1 will be handled by the ZyWALL through the following flow. Figure 25 IPv6-in-IPv4 Tunnel Configuration Concept LAN1 (IPv6) IPv6- Enter 5.6.7.8 as the remote gateway's IP address. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 39
    add 2003:1111:1111:1::/64. The LAN1 hosts will get the network prefix through router advertisements sent by the LAN1 IPv6 interface periodically. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 40
    Address field. Select any in the Destination Address field. Select Interface as the next-hop type and then tunnel0 as the interface. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 41
    to the ZyWALL's LAN1. 2 Enable IPv6 support on your computer. In Windows XP, you need to use the IPv6 install command in a Command Prompt. In Windows 7, IPv6 is supported by default to test whether you can ping a computer behind ZyWALL Y. You should get a response.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 42
    the WAN1 IPv6 interface but make sure you enable the WAN1 IPv4 interface. In IPv6-in-IPv4, the ZyWALL uses the WAN1 IPv4 interface to forward your 6to4 packets to the IPv4 network. 2 In Windows, some is recommended to disable those tunnels on your computer.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 45
    schedule, user, user groups, address, address group, service, and service group objects. To-ZyWALL firewall rules control access to the ZyWALL itself including management access. By default the firewall the networks. Figure 26 Default Firewall Action LAN WAN
  • ZyXEL ZYWALL USG 100 | User Guide - Page 46
    for a management service such as HTTP, you must also enable the service in the service control rules. • The ZyWALL is not applying your firewall rules for certain interfaces. The ZyWALL only applies a cannot put the default admin account into any user group.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 47
    . Click Apply to create your account and register the device. 2 Click the Service tab. To activate or extend a standard service subscription enter your iCard's license key in the License Key field. The license key can be found on the reverse side of the iCard.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 48
    configure an Anti-Virus policy. Note: You need to first activate your Anti-Virus service license or trial. See Device and Service Registration on page 47. 1 Click Configuration > Anti-X > Anti-Virus to display scan for viruses under Protocols to Scan. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 49
    where the ZyWALL is not the endpoint (pass-through VPN traffic). • Traffic through custom (non-standard) ports. The only exception is FTP traffic. The ZyWALL scans whatever port number is specified for FTP in the ALG screen. • ZIP file(s) within a ZIP file.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 50
    against network-based intrusions. Note: You need to first activate your IDP service license or trial. See Device and Service Registration on page 47. You may want to create a new profile if by selecting a row and clicking Activate or Inactivate. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 51
    your network. In this case you should disable non-applicable rules so as to improve ZyWALL ADP processing efficiency. You may also find that certain rules are triggering too many false positives 3.7.1 Procedure To Create a New ADP Profile To create a new profile:
  • ZyXEL ZYWALL USG 100 | User Guide - Page 52
    times. Edit the default log options and actions by selecting a row and making a selection in the Log or Action drop-down menus. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 53
    or Inactivate. Edit the default log options and actions by selecting a row and making a selection in the Log or Action drop-down menus. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 54
    open the following screen. Enter a profile Name and select Enable Content Filter Category Service and select desired actions for the different web page categories. Then select the categories to include in the profile or select Select All Categories. Click Apply.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 55
    the General screen, the configured policy will appear in the Policies section. Select Enable Content Filter and select BlueCoat. Then select Enable Content Filter Report Service to collect content filtering statistics for reports. Click Apply.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 56
    during the free trial (up to 30 days). 1 Go to http://www.myZyXEL.com. Fill in your myZyXEL.com account information and click Login.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 57
    the descriptive name for your ZyWALL using the Rename button in the Service Management screen. 3 In the Service Management screen click Content Filter (BlueCoat) or Content Filter (Commtouch) in the Service Name column to open the content filter reports screens.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 58
    to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 59
    Chapter 3 Protecting Your Network 7 A chart and/or list of requested web site categories display in the lower half of the screen. 8 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 60
    (Sender Reputation, Mail Content Analysis and Virus Outbreak Detection). See Device and Service Registration on page 47. 1 To use the Mail Scan functions (Sender Enter the DNSBL Domain for a DNSBL service. In this example, zen.spamhaus.org is used. Click Apply.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 61
    . 4 In the General screen, the policy configured in the previous step will display in the Policy Summary section. Select Enable Anti-Spam and click Apply.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 63
    VPN Concentrator Example on page 65 • Hub-and-spoke IPSec VPN Without VPN Concentrator on page 67 • ZyWALL IPSec VPN Client Configuration Provisioning on page 69 • SSL VPN on page 73 • L2TP VPN with Android, up security policies that apply to the IPSec_VPN zone.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 64
    problem. ZyWALL uses one of its Trusted Certificates to authenticate the remote IPSec router's certificate. The trusted certificate can be the remote IPSec router's self-signed certificate or that of a trusted CA that signed the remote IPSec router's certificate.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 65
    : 10.0.0.1 VPN Connection (VPN Tunnel 1): • Local Policy: 192.168.11.0/255.255.255.0 • Remote Policy: 192.168.1.0/255.255.255.0 • Disable Policy Enforcement Policy Route
  • ZyXEL ZYWALL USG 100 | User Guide - Page 66
    .0.0.1 VPN Connection (VPN Tunnel 2): • Local Policy: 192.168.12.0/255.255.255.0 • Remote Policy: 192.168.1.0/255.255.255.0 • Disable Policy Enforcement Policy Route
  • ZyXEL ZYWALL USG 100 | User Guide - Page 67
    ZyWALL uses one VPN rule to access both the headquarters and branch A's networks. Figure 28 Hub-and-spoke VPN Example This hub-and-spoke VPN example uses the following settings. Branch Office A (ZyNOS-based ZyWALL): Gateway Policy (Phase 1): • My Address: 10.0.0.2
  • ZyXEL ZYWALL USG 100 | User Guide - Page 68
    spoke VPN. • This example uses a wide range for the ZyNOS-based ZyWALL's remote network; to use a narrower range, see Section 4.3 on page 67 for an example of configuring a VPN concentrator. • The local IP addresses configured in the VPN rules should not overlap.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 69
    . 4.4.1 Overview of What to Do 1 Create a VPN rule on the ZyWALL using the VPN Configuration Provisioning wizard. 2 Configure a username and password for the rule on the ZyWALL. 3 On a computer, use the ZyWALL IPSec VPN Client to get the VPN rule configuration.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 70
    . 5 Enter the WAN IP address or URL for the ZyWALL. If you changed the default HTTPS port on the ZyWALL, then enter the new one here. Enter the user name (Login) and password exactly as configured on the ZyWALL or external authentication server. Click Next.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 71
    Chapter 4 Create Secure Connections Across the Internet 6 Click OK. The rule settings are now imported from the ZyWALL into the ZyWALL IPSec VPN Client.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 72
    server. Check that the client authentication method selected on the ZyWALL is where the user name and password are configured. For example, if the user name and password are configured on the ZyWALL, then the configured authentication method should be Local.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 73
    policy has network extension enabled the ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if you were on the local network.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 74
    to avoid distortion when displayed. The ZyWALL automatically resizes a graphic of a different resolution to 103 x 29 pixels. The file size must be 100 kilobytes or less. Transparent background is • Internet Explorer 7 and above or Firefox 1.5 and above
  • ZyXEL ZYWALL USG 100 | User Guide - Page 75
    (LAN1_SUBNET in the following example). • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in the following example). • Set the next hop to be the user to access the LAN1_SUBNET (the 192.168.1.x subnet).
  • ZyXEL ZYWALL USG 100 | User Guide - Page 76
    's IP address (172.16.1.2) and is named L2TP_IFACE. Select Enable, set Application Scenario to Remote Access and Local Policy to L2TP_IFACE, and click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 77
    allow the remote users to access (LAN1_SUBNET in this example). • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in this example). • Set the next hop to be the VPN tunnel that you are using for L2TP VPN.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 78
    tunnels out through a WAN trunk. • Set Incoming to Tunnel and select your L2TP VPN connection. • Set the Source Address to the L2TP address pool.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 79
    • Set the Next-Hop Type to Trunk and select the appropriate WAN trunk.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 80
    pre-shared key of the IPSec VPN gateway the ZyWALL uses for L2TP VPN over IPSec (top-secret in this example). • Enable L2TP secret turn this off. • DNS search domain leave this on. • When dialing the L2TP VPN, the user will have to enter his account and password.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 81
    of the VPN gateway the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). 4a For the Destination name, specify a name to identify this VPN (L2TP to ZyWALL for example). 4b Select Don't connect now, just set it up so I can connect later and click Next.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 82
    5 Enter your ZyWALL user name and password and click Create. 6 Click Close. Configure the Connection Object 1 In the Network click Networking. Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 83
    or CHAP is negotiated, click Yes. When you use L2TP VPN to connect to the ZyWALL, the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel inside it. Enter the user name and password of your ZyWALL user account and click Connect.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 84
    a network screen shows Connected after the L2TP over IPSec VPN tunnel is built. L2TP to ZyWALL 3 After the connection is up a connection icon displays in your system tray. Click it range you specified on the ZyWALL (192.168.10.10-192.168.10.20 in the example).
  • ZyXEL ZYWALL USG 100 | User Guide - Page 85
    Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 86
    the quotes) to make sure the computer is running the Microsoft IPSec service. net start "ipsec services". Then do the following to establish an L2TP VPN connection. 1 Click Private Network connection and click Next. 5 Type L2TP to ZyWALL as the Company Name.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 87
    configuration that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). 8 Click Finish. 9 The Connect L2TP to ZyWALL screen appears. Click Properties > Security. 10 Click Security, select Advanced (custom settings) and click Settings.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 88
    . 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN. Click OK. 14 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 89
    user name and password are verified. 17 A ZyWALL-L2TP icon displays in your system tray. Double-click it to open a status screen. 18 Click Details to see the address that you received from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20).
  • ZyXEL ZYWALL USG 100 | User Guide - Page 90
    ZyWALL to make sure your access works. 4.6.7 What Can Go Wrong The IPSec VPN connection must: • Be enabled • Use transport mode • Not be a manual ZyXEL IPSec VPN client user logins. For each login a user must use his ZyWALL ZyWALL OTPv2 support note for details.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 91
    Policy and VPN to use the authentication method object. 8 Give the ZyWALL OTPv2 tokens to the assigned users. 9 A user presses his ZyWALL OTPv2 token's button to generate a password to enter in the connection, or is too busy. Users can try again a little later.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 93
    out a WAN interface. • Inbound traffic comes back from the WAN to the LAN1 device. The ZyWALL applies bandwidth management before sending the traffic out a LAN1 interface. You can set outbound and inbound guaranteed and maximum bandwidths for an application. ZyWALL USG100-PLUS User's Guide 93
  • ZyXEL ZYWALL USG 100 | User Guide - Page 94
    bandwidth for the following: • SIP: Up to 10 simultaneous 100 Kbps calls guaranteed • Video conferencing: Up to 10 simultaneous 128 to (or slightly less than) what the connected device can support. This example uses 5120 Kbps. 5.1.3 SIP Bandwidth Management The ZyWALL USG100-PLUS User's Guide
  • ZyXEL ZYWALL USG 100 | User Guide - Page 95
    incoming interface to any and select wan1 as the outgoing interface. Select App Patrol Service and sip as the service type. Set the inbound and outbound guaranteed bandwidth to 1000 (kbps) and maximum bandwidth (4) for the HTTP traffic in both directions. ZyWALL USG100-PLUS User's Guide 95
  • ZyXEL ZYWALL USG 100 | User Guide - Page 96
    interface to any and select wan1 as the outgoing interface. Select App Patrol Service and http as the service type. Set the guaranteed inbound bandwidth to 10240 (kbps) and set priority 4. Set the maximum to 46080 (kbps). Set the outbound priority to 4. Click OK. 96 ZyWALL USG100-PLUS User's Guide
  • ZyXEL ZYWALL USG 100 | User Guide - Page 97
    dmz as the outgoing interface. Select App Patrol Service and ftp as the service type. Set inbound guaranteed bandwidth to 792 kbps, priority 5, and maximum 2048 kbps. Set outbound guaranteed bandwidth to 5120 kbps, priority 5, and maximum 10240 kbps. Click OK. ZyWALL USG100-PLUS User's Guide 97
  • ZyXEL ZYWALL USG 100 | User Guide - Page 98
    Bandwidth Management Example FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but give it lower priority and limit it to avoid interference with Example BWM Inbound: 50 Mbps Outbound: 50 Mbps BWM 98 ZyWALL USG100-PLUS User's Guide
  • ZyXEL ZYWALL USG 100 | User Guide - Page 99
    ftp as the service type. Type 10240 (kbps) with priority 5 for both the inbound and outbound guaranteed bandwidth. Do not select the Maximize Bandwidth Usage. Set the maximum to 51200 (kbps). Click OK. Finally, in the BWM screen, select Enable BWM. Click Apply. ZyWALL USG100-PLUS User's Guide 99
  • ZyXEL ZYWALL USG 100 | User Guide - Page 100
    to classify services. 5.2 How to Configure a Trunk for WAN Load Balancing These examples show how to configure a trunk for two WAN connections to the Internet. The available bandwidth for the connections is 1 Mbps (wan1) and 512 Kbps (wan2 or cellular1) 100 ZyWALL USG100-PLUS User's Guide
  • ZyXEL ZYWALL USG 100 | User Guide - Page 101
    to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface. 1 Click Configuration > Network > Interface > Ethernet and double-click the wan1 entry. Enter the available bandwidth (1000 kbps) in the Egress Bandwidth field. Click OK. ZyWALL USG100-PLUS User's Guide 101
  • ZyXEL ZYWALL USG 100 | User Guide - Page 102
    to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 (or cellular1) and enter 1 in the Weight column. Click OK. 102 ZyWALL USG100-PLUS User's Guide
  • ZyXEL ZYWALL USG 100 | User Guide - Page 103
range of static public IP addresses, this example shows how to configure a policy route to have the ZyWALL use them for traffic it sends out from the LAN. 5.3.1 Create the Public IP Address Range Object Click Configuration -IPs and it goes from 1.1.1.10 to 1.1.1.17.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 104
.example.com. You want your ZyWALL's WAN1 (202.1.2.3) and WAN2 (202.5.6.7) to use DNS inbound load balancing to balance traffic loading coming from the Internet. 1 In the CONFIGURATION > Network > Inbound LB screen, select Enable DNS Load Balancing. Click Apply.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 105
the inbound service access. ZyWALL that often. • If you choose Custom in the Load Balancing Member screen and enter another IP address for a member interface, make sure the entered IP address is configured in the corresponding firewall and NAT virtual server rules.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 106
the original and mapped ports to 80. Keep Enable NAT Loopback selected to allow users connected to other interfaces to access the HTTP server.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 107
field as DMZ. Set the Destination to the HTTP server's DMZ IP address object (DMZ_HTTP). DMZ_HTTP is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and the Service to HTTP, and click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 108
. 5.6 How to Manage Voice Traffic Here are examples of allowing H.323 and SIP traffic through the ZyWALL. 5.6.1 How to Allow Incoming H.323 Peer-to-peer Calls Suppose you have an H.323 device on Enable H.323 ALG and Enable H.323 transformations and click Apply.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 109
For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56. 1 Click Configuration > Network > NAT > Add address to go to LAN IP address 192.168.1.56.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 110
's LAN1 IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Service to H.323. Click OK. 5.6.2 How to Use an IPPBX on Set the Incoming Interface to use the WAN interface.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 111
as WAN and the To field as DMZ. Set the Destination to the IPPBX's DMZ IP address object (DMZ_SIP). IPPBX_DMZ is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Access field to allow and click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 112
matches a rule that comes earlier in the list, it may be unexpectedly blocked. • The ZyWALL does not apply the firewall rule. The ZyWALL only applies a zone's rules to the interfaces that belong to the zone. Make sure the WAN interface is assigned to the WAN zone.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 113
Policies Before you configure any policies, you must have already subscribed for the application patrol service. You can subscribe using the Configuration > Licensing > Registration screens or using one of authorized user groups to browse the web. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 114
Default policy. 3 Change the access to Drop because you do not want anyone except the authorized user group (sales) to use MSN. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 115
user group that is allowed to use MSN at the appointed schedule. Then select forward in the Access field. Click OK to finish the setup.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 116
Chapter 5 Managing Traffic Now only the sales group may use MSN during work hours on week days.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 117
play again. 5.7.4 What Can Go Wrong If you have not already subscribed for the application patrol service, you will not be able to configure any policies. You can do so by using the Configuration > Licensing > Registration screens or using one of the wizards.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 118
Chapter 5 Managing Traffic
  • ZyXEL ZYWALL USG 100 | User Guide - Page 119
is set to accept. • The to-ZyWALL firewall rules allow this traffic. The following example is used to check that administrators and users are allowed to access the ZyWALL from the WAN using HTTPS. 6.1.1 Check Service Control 1 Click Configuration > System > WWW.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 120
> Firewall. 2 If the WAN to ZyWALL firewall rule denies access, double-click it to edit it. Mouse over the Service field and if HTTPS is not in the Default_Allow_WAN_To_ZyWALL service group list go to the Object > Service > Service Group screen to edit it.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 121
Chapter 6 Maintenance In the Edit Firewall Rule screen, you can also configure a schedule object, address object, or apply it to a certain user/user group.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 122
address, authentication port, and key; set the Group Membership Attribute field to the attribute that the ZyWALL is to check to determine to which group a user belongs. This example uses Class. This Finance and set the Associated AAA Server Object to radius.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 123
number) for the ZyWALL. 2 Configure the SSH client to accept connections using SSH version 1. 3 A window displays prompting you to store the host key in your computer. Click Yes to continue. Enter the password to log in to the ZyWALL. The CLI screen displays next.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 124
. After the upload is successful, you can find the *.conf file in the configuration file list. Click Apply to run the selected configuration file.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 125
restore by using the system-default.conf file so that the device can boot up normally. 6.5 How to Manage ZyWALL Firmware Click Maintenance > File Manager > Firmware Package. Use this screen to check the current firmware version and upload firmware to the ZyWALL.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 126
, you can find the *.zysh file in the shell script list. Click Apply to run the selected shell script. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 127
Insert a USB storage device to any USB port on your ZyWALL. In the Monitor > System Status > USB Storage screen, you can see the USB device's information. Note: Make sure the USB device's file system is supported by the ZyWALL. (It should not display "Unknown".)
  • ZyXEL ZYWALL USG 100 | User Guide - Page 128
2 Go to Configuration > System > USB Storage, select Activate USB storage service and click Apply to allow the ZyWALL to save diagnostic data to the connected USB device. 3 Go to Configuration > Log categories as shown in this example. Click OK.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 129
have the ZyWALL start recording system logs to the USB device. 6 In the Maintenance > Diagnostics > System Log screen, you can see a new log file which is recording the system logs. You can select it and click Download if you want to save it to your computer.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 130
containing the ZyWALL's configuration and diagnostic information if you need to provide it to customer support for troubleshooting. 1 Go ZyWALL. In the Monitor > System Status > USB Storage screen, make sure the USB device's file system doesn't display "unknown".
  • ZyXEL ZYWALL USG 100 | User Guide - Page 131
to a specific IP address (172.16.1.33) through the ZyWALL's LAN1 and WAN1. You have to evaluate when the best time is to capture packets for troubleshooting and do it at that time. 1 Go to (if the displayed available size is enough). Click Capture.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 132
CAP files display each captured packet's details. You will need a packet analyzer tool to view them (see Section 6.9.1 on page 133 for an example).
  • ZyXEL ZYWALL USG 100 | User Guide - Page 133
to Configuration > System > USB Storage, select Activate USB storage service and click Apply. 3 In the Maintenance > Diagnostics > Packet ZyWALL truncated the frame because the capture screen's Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 134
the ZyWALL stops generating the file. If your ZyWALL's flash is almost full, you can use a USB storage device. Note: You can check the remaining flash space in the Dashboard screen. To save new core dump files to a connected USB storage device, do the following:
  • ZyXEL ZYWALL USG 100 | User Guide - Page 135
rule's criteria by following the order of the flow as shown from left to right. Once a packet matches the criteria of an SNAT rule, the ZyWALL takes the corresponding action on the packet and does not perform any further SNAT flow checking.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 136
Chapter 6 Maintenance
  • ZyXEL ZYWALL USG 100 | User Guide - Page 137
manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL with the instructions, may the U.S.A. is firmware-limited to channels zyxel.com.
  • ZyXEL ZYWALL USG 100 | User Guide - Page 138
firmware package. You can download the latest firmware at www.zyxel.com. To obtain the source code covered under those Licenses, please contact support@zyxel all cables from this device before servicing or disassembling. • Use ONLY an TO THE INSTRUCTIONS. Dispose them
  • ZyXEL ZYWALL USG 100 | User Guide - Page 139
ROHS Appendix A Legal Information
  • ZyXEL ZYWALL USG 100 | User Guide - Page 140
Appendix A Legal Information

www.zyxel.com
ZyWALL USG100-PLUS
Unified Security Gateway
Copyright © 2012
ZyXEL Communications Corporation
Version 3.00
Edition 2, 9/2012
Default Login Details
LAN IP
Address
User Name
admin
Password
1234