ZyXEL ZYWALL USG 20W User Guide

ZyXEL ZYWALL USG 20W Manual

ZyXEL ZYWALL USG 20W manual content summary:

  • ZyXEL ZYWALL USG 20W | User Guide - Page 1
    ZyWALL USG 20/20W Unified Security Gateway. Default Login Details: LAN Port: P2, P3; IP Address: https://192.168.1.1; User Name: admin; Password: 1234. www.zyxel.com. Version 2.21, Edition 4, 4/2011. Copyright © 2011 ZyXEL Communications Corporation
  • ZyXEL ZYWALL USG 20W | User Guide - Page 2
  • ZyXEL ZYWALL USG 20W | User Guide - Page 3
    also contains a connection diagram and package contents list. • CLI Reference Guide The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the ZyWALL. Note: It is recommended you use the Web Configurator to configure the ZyWALL. ZyWALL USG 20/20W User's Guide 3
  • ZyXEL ZYWALL USG 20W | User Guide - Page 4
    Line Interface Reference Guide in order to better understand how to use your product. • Knowledge Base If you have a specific question about your product, the answer may be here. This is a collection of answers to previously asked questions about ZyXEL products. 4 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 5
    this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate. ZyWALL USG 20/20W User's Guide 5
  • ZyXEL ZYWALL USG 20W | User Guide - Page 6
    to configure or helpful tips) or recommendations. Syntax Conventions • The ZyWALL may be referred to as the "ZyWALL", the "device", the "system" or the "product" in this User's Guide. a shorthand for "for instance", and "i.e.," means "that is" or "in other words". 6 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 7
    Document Conventions Icons Used in Figures Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL USG 20/20W User's Guide 7
  • ZyXEL ZYWALL USG 20W | User Guide - Page 8
    service personnel should service or disassemble this device. Please contact your vendor for further information. • Make sure to connect the cables to the correct ports DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose them at the applicable collection ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 9
    391 SSL VPN ...427 SSL User Screens ...437 SSL User Application Screens 447 ZyWALL SecuExtender ...449 Bandwidth Management ...453 ADP ...467 Content Filtering ...487 Content Filter Reports ...513 Anti-Spam ...521 User/Group ...539 Addresses ...555 Services ...561 ZyWALL USG 20/20W User's Guide 9
  • ZyXEL ZYWALL USG 20W | User Guide - Page 10
    ...589 ISP Accounts ...611 SSL Application ...615 Endpoint Security ...621 System ...629 Log and Report ...679 File Manager ...693 Diagnostics ...705 Packet Flow Explore ...715 Reboot ...723 Shutdown ...725 Troubleshooting ...727 Product Specifications ...741 10 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 11
    Control 41 Chapter 3 Web Configurator...43 3.1 Web Configurator Requirements 43 3.2 Web Configurator Access ...43 3.3 Web Configurator Screens Overview 45 3.3.1 Title Bar ...46 3.3.2 Navigation Panel ...47 3.3.3 Main Window ...52 3.3.4 Tables and Lists ...54 ZyWALL USG 20/20W User's Guide 11
  • ZyXEL ZYWALL USG 20W | User Guide - Page 12
    Physical Ports 88 6.2.1 Interface Types ...89 6.2.2 Default Interface and Zone Configuration 90 6.3 Terminology in the ZyWALL 91 6.4 Packet Flow ...91 6.4.1 Routing Table Checking Flow 92 6.4.2 NAT Table Checking Flow 94 6.5 Feature Configuration Overview 95 12 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 13
    6.5.13 Firewall ...100 6.5.14 IPSec VPN ...101 6.5.15 SSL VPN ...101 Configure the WAN Trunk 114 7.4 How to Set Up an IPSec VPN Tunnel 116 7.4.1 Set Up the VPN Gateway 117 7.4.2 Set Up the VPN Connection 118 7.4.3 Configure Security Policies for the VPN Tunnel 119 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 14
    Wireless Clients to Use the WLAN Interface 150 Part II: Technical Reference 163 Chapter 8 Dashboard ...165 8.1 Overview ...165 8.1.1 What You Can Do in this Chapter 165 8.2 The Dashboard Screen ...165 8.2.1 The CPU Usage Screen 171 8.2.2 The Memory Usage Screen 172 14 ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 15
    Can Do in this Chapter 211 10.1.2 What you Need to Know 211 10.2 The Registration Screen 212 10.3 The Service Screen ...214 Chapter 11 Interfaces ...217 11.1 Interface Overview ...217 11.1.1 What You Can Do in this Chapter 217 11.1.2 What You Need to Know 218 ZyWALL USG 20/20W User's Guide 15
  • ZyXEL ZYWALL USG 20W | User Guide - Page 16
    Can Do in this Chapter 297 13.1.2 What You Need to Know 298 13.2 Policy Route Screen ...300 13.2.1 Policy Route Edit Screen 303 13.3 IP Static Route Screen ...307 13.3.1 Static Route Add/Edit Screen 308 13.4 Policy Routing Technical Reference 309 16 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 17
    What You Need to Know 313 14.2 The RIP Screen ...314 14.3 The OSPF Screen ...315 14.3.1 Configuring the OSPF Screen 319 14.3.2 OSPF Area Add/Edit Screen 322 14.3.3 Virtual Link Add/Edit Screen 323 14 What You Need to Know 348 18.2 The HTTP Redirect Screen 349 ZyWALL USG 20/20W User's Guide 17
  • ZyXEL ZYWALL USG 20W | User Guide - Page 18
    Rule Configuration Example 379 22.2 The Firewall Screen ...381 22.2.1 Configuring the Firewall Screen 382 22.2.2 The Firewall Add/Edit Screen 385 22.3 The Session Limit Screen 386 22.3.1 The Session Limit Add/Edit Screen 388 Chapter 23 IPSec VPN...391 18 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 19
    User Application Screens Overview 447 26.2 The Application Screen 447 Chapter 27 ZyWALL SecuExtender...449 27.1 The ZyWALL SecuExtender Icon 449 27.2 Statistics ...450 27.3 View Log ...451 27.4 Suspend and Resume the Connection 451 27.5 Stop the Connection ...452 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 20
    Screen 469 29.3 The Profile Summary Screen 470 29.3.1 Base Profiles ...471 29.3.2 Configuring The ADP Profile Summary Screen 471 29.3.3 Creating New ADP Profiles 472 29.3.4 Traffic Anomaly Technical Reference 511 Chapter 31 Content Filter Reports ...513 20 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 21
    .2 Address Summary Screen 555 34.2.1 Address Add/Edit Screen 557 34.3 Address Group Summary Screen 558 34.3.1 Address Group Add/Edit Screen 559 Chapter 35 Services ...561 ZyWALL USG 20/20W User's Guide 21
  • ZyXEL ZYWALL USG 20W | User Guide - Page 22
    ...573 37.1.1 Directory Service (AD/LDAP 573 VPN Authentication Method 583 38.2 Authentication Method Objects 584 38.2.1 Creating an Authentication Method Object 585 Chapter 39 Certificates ...589 39.1 Overview ...589 39.1.1 What You Can Do in this Chapter 589 22 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 23
    609 Chapter 40 ISP Accounts...611 40.1 Overview ...611 40.1.1 What You Can Do in this Chapter 611 40.2 ISP Account Summary ...611 40.2.1 ISP Account Edit 612 Chapter 41 SSL Application ...615 Date and Time ...631 43.4.1 Pre-defined NTP Time Servers List 634 ZyWALL USG 20/20W User's Guide 23
  • ZyXEL ZYWALL USG 20W | User Guide - Page 24
    .11.1 Supported MIBs ...672 43.11.2 SNMP Traps ...672 43.11.3 Configuring SNMP 672 43.12 Vantage CNM ...674 43.12.1 Configuring Vantage CNM 675 43.13 Language Screen ...677 Chapter 44 Log and Report ...679 44.1 Overview ...679 44.1.1 What You Can Do In this Chapter 679 24 ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 25
    Can Do in this Chapter 693 45.1.2 What you Need to Know 693 45.2 The Configuration File Screen 696 45.3 The Firmware Package Screen 700 45.4 The Shell Script Screen 702 Chapter 46 Diagnostics...705 46.1 .2 The Reboot Screen ...723 Chapter 49 Shutdown...725 ZyWALL USG 20/20W User's Guide 25
  • ZyXEL ZYWALL USG 20W | User Guide - Page 26
    51.1 Power Adaptor Specifications 745 Appendix A Log Descriptions 747 Appendix B Common Services 799 Appendix C Wireless LANs 803 Appendix D Importing Certificates 819 Appendix E Open Software Announcements 845 Appendix F Legal Information 935 Index...939 26 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 27
    PART I User's Guide 27
  • ZyXEL ZYWALL USG 20W | User Guide - Page 28
    28
  • ZyXEL ZYWALL USG 20W | User Guide - Page 29
    separate LAN networks. You can set ports to be part of the LAN1, WLAN, or DMZ. Alternatively, you can deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration. 1.2 Wall-mounting Do the following to attach your ZyWALL to a wall. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 30
    of the ZyWALL. Note: Make sure the screws are securely fixed to the wall and strong enough to hold the weight of the ZyWALL with the connection cables. 2 Align the holes on the back of the ZyWALL with the screws on the wall. Hang the ZyWALL on the screws. USG 20 30 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 31
    USG 20W Chapter 1 Introducing the ZyWALL The ZyWALL should be wall-mounted horizontally. The ZyWALL's side panels with ventilation slots should not be facing up or down as this position is less safe. ZyWALL USG 20/20W User's Guide 31
  • ZyXEL ZYWALL USG 20W | User Guide - Page 32
    Section 1.5 on page 34). If the LED turns red again, then please contact your vendor. SYS Green Off The ZyWALL is not ready or has failed. On The ZyWALL is ready and running. Blinking The ZyWALL is booting. Red On The ZyWALL had an error or has failed. 32 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 33
    about the Web Configurator. Figure 2 Managing the ZyWALL: Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the ZyWALL USG 20/20W User's Guide 33
  • ZyXEL ZYWALL USG 20W | User Guide - Page 34
    screen or when you use the reboot command. The ZyWALL writes all cached data to the local storage, stops the system processes, and then does a warm start. If you press the RESET button, the ZyWALL sets the configuration to its default values and then reboots. 34 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 35
    . Wait for the device to shut down and then manually turn off or remove the power. It does not turn ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 36
    Chapter 1 Introducing the ZyWALL 36 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 37
    Zones Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ZyWALL. You can create your own custom zones. You can add interfaces and VPN tunnels to zones. ZyWALL USG 20/20W User's Guide 37
  • ZyXEL ZYWALL USG 20W | User Guide - Page 38
    flows such as port scans. The ZyWALL's ADP protects ZyWALL to check web sites against an external database of dynamically-updated ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers. 38 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 39
    access to your network. You can also set up additional connections to the Internet to provide better service. Figure 3 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote users. ZyWALL USG 20/20W User's Guide 39
  • ZyXEL ZYWALL USG 20W | User Guide - Page 40
    In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows [Figure labels: 192.168.1.100; https://; LAN (192.168.1.X); Web Mail; File Share; Web-based Application; Non-Web Application Server] 40 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 41
    Chapter 2 Features and Applications 2.2.3 User-Aware Access Control Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it. Figure 5 Applications: User-Aware Access Control ZyWALL USG 20/20W User's Guide 41
  • ZyXEL ZYWALL USG 20W | User Guide - Page 42
    Chapter 2 Features and Applications 42 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 43
    JavaScripts (enabled by default) • Enable Java permissions (enabled by default) • Enable cookies The recommended screen resolution is 1024 x 768 pixels. 3.2 Web Configurator Access 1 Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide. ZyWALL USG 20/20W User's Guide 43
  • ZyXEL ZYWALL USG 20W | User Guide - Page 44
    a new number the next time you log in. 4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 7 on page 44) appears. Otherwise, the dashboard (Figure 8 on page 45) appears. Figure 7 Update Admin Info Screen 44 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 45
    the dashboard appears as shown next. Figure 8 Dashboard B A C 3.3 Web Configurator Screens Overview The Web Configurator screen is divided into these parts (as illustrated in Figure 8 on page 45): • A - title bar • B - navigation panel • C - main window ZyWALL USG 20/20W User's Guide 45
  • ZyXEL ZYWALL USG 20W | User Guide - Page 46
    (CLI). See the CLI Reference Guide for details on the commands. CLI Click this to open a popup window that displays the CLI commands sent by the Web Configurator. 3.3.1.1 About Click this to display basic information about the ZyWALL. Figure 10 Title Bar 46 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 47
    3.3.2.1 Dashboard The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 8 on page 165 for details on the dashboard. ZyWALL USG 20/20W User's Guide 47
  • ZyXEL ZYWALL USG 20W | User Guide - Page 48
    FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces or VPN connections. Licensing Registration Registration Register the device and activate trial services. Service View the licensed service status and upgrade licensed services. 48 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 49
    firewall sessions. VPN IPSec VPN VPN Connection Configure IPSec tunnels. VPN Gateway Configure IKE tunnels. SSL VPN Access Privilege Configure SSL VPN access rights for users and groups. Global Setting Configure the ZyWALL's SSL VPN settings that apply to all connections. ZyWALL USG 20/20W
  • ZyXEL ZYWALL USG 20W | User Guide - Page 50
    Create and manage the ZyWALL's certificates. Trusted Certificates Import and manage certificates from trusted sources. ISP Account Create and manage ISP account information for PPPoE/PPTP interfaces. SSL Application Create SSL web application objects. 50 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 51
    FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the ZyWALL. Firmware Package View the current firmware version and to upload firmware. Shell Script Manage and run shell script files for the ZyWALL. ZyWALL USG 20/20W User's Guide 51
  • ZyXEL ZYWALL USG 20W | User Guide - Page 52
    a clear picture on how the ZyWALL converts a packet's source IP address and check the related settings. Reboot Restart the ZyWALL. Shutdown Turn off the ZyWALL. 3.3.3 Main Window The main misconfiguration, display in a popup window. Figure 12 Warning Message 52 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 53
    and the individual object and click Refresh to show which configuration settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule). Figure 14 Object Reference ZyWALL USG 20/20W User's Guide 53
  • ZyXEL ZYWALL USG 20W | User Guide - Page 54
    Clear to remove the currently displayed information. See the Command Reference Guide for information about the commands. 3.3.4 Tables and Lists The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries. 54 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 55
    3.3.4.1 Manipulating Table Display Here are some of the ways you can manipulate the Web Configurator tables. 1 Click a column heading to sort the table's entries according to that operators (, or =) or searching for text Figure 17 Common Table Column Options ZyWALL USG 20/20W User's Guide 55
  • ZyXEL ZYWALL USG 20W | User Guide - Page 56
    Chapter 3 Web Configurator 3 Select a column heading cell's right border and drag to re-size the column. Figure 18 Resizing a Table navigate to different pages of entries and control how many entries display at a time. Figure 20 Navigating Pages of Table Entries 56 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 57
    Chapter 3 Web Configurator 3.3.4.2 Working with Table Entries The tables position in the numbered list is important (features where the ZyWALL applies the table's entries in order like the firewall for example), you can select an entry and click Add . In some lists ZyWALL USG 20/20W User's Guide 57
  • ZyXEL ZYWALL USG 20W | User Guide - Page 58
    Chapter 3 Web Configurator you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 22 Working with Lists 58 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 59
    Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access. 4.1.1 Internet Access Setup - WAN Interface Use this screen to configure the WAN interface's type of encapsulation and method of IP address assignment. ZyWALL USG 20/20W User's Guide 59
  • ZyXEL ZYWALL USG 20W | User Guide - Page 60
    the Ethernet option when the WAN port is used as a regular configuring. • First WAN Interface: This is the number of the interface that will connect with your ISP. • Zone: This is the security zone to which this interface and Internet connection will belong. 60 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 61
    . PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and _@$./ characters, and it can be up to 64 characters long. • Authentication Type - Select an authentication protocol for outgoing connection requests. Options are: ZyWALL USG 20/20W User's Guide 61
  • ZyXEL ZYWALL USG 20W | User Guide - Page 62
    in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. 62 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 63
    Chapter 4 Installation Setup Wizard 4.1.4 Internet Access: PPTP Note: Enter the Internet Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password in the next field to confirm it. ZyWALL USG 20/20W User's Guide 63
  • ZyXEL ZYWALL USG 20W | User Guide - Page 64
    it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. 64 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 65
    you have not already done so. If the ZyWALL is already registered this screen displays your user name and which trial services are activated (if any). You can still activate any un-activated trial services. Note: You must be connected to the Internet to register. ZyWALL USG 20/20W User's Guide 65
  • ZyXEL ZYWALL USG 20W | User Guide - Page 66
    allowed. Type it again in the Confirm Password field. • E-Mail Address: Enter your e-mail address. Use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. • Country Code: Select your country from the drop-down box list. 66 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 67
    try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service. Figure 30 Registration: Registered Device ZyWALL USG 20/20W User's Guide 67
  • ZyXEL ZYWALL USG 20W | User Guide - Page 68
    Chapter 4 Installation Setup Wizard 68 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 69
    matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 5.2 on page 70. • VPN SETUP Use VPN SETUP to configure a VPN (Virtual Private Network) tunnel for a secure connection to another computer or network. See Section 5.4 on page 76. ZyWALL USG 20/20W User's Guide 69
  • ZyXEL ZYWALL USG 20W | User Guide - Page 70
    want to configure for a WAN connection and click Next. Figure 33 Choose an Ethernet Interface 5.2.2 Select WAN Type WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. 70 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 71
    the interface should use a fixed or dynamic IP address. Figure 35 WAN Interface Setup: Step 2 • WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is the security zone to which this interface and Internet connection belong. ZyWALL USG 20/20W User's Guide 71
  • ZyXEL ZYWALL USG 20W | User Guide - Page 72
    DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. Encapsulation This displays the type of Internet connection you are configuring. 72 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 73
    . WAN Interface Setup WAN Interface This displays the identity of the interface you configure to connect with IP Address This field is read-only when the WAN interface uses a dynamic IP address. If your WAN interface uses a static IP address, enter it in this field. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 74
    to the Internet. Service Name This field is read-only and only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account. Server IP This field only appears for a PPTP interface. It displays the IP address of the PPTP server. 74 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 75
    to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click Next. Figure 38 VPN Quick Setup Wizard ZyWALL USG 20/20W User's Guide 75
  • ZyXEL ZYWALL USG 20W | User Guide - Page 76
    with another ZLD-based ZyWALL using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device. 76 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 77
    have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel. • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. ZyWALL USG 20/20W User's Guide 77
  • ZyXEL ZYWALL USG 20W | User Guide - Page 78
    this field, it is not configurable for the chosen scenario. If this field is configurable, type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device. 78 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 79
    save these commands as a shell script file with a ".zysh" filename extension. Then you can use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list. ZyWALL USG 20/20W User's Guide 79
  • ZyXEL ZYWALL USG 20W | User Guide - Page 80
    Now you can use the VPN tunnel. Figure 43 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard. 80 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 81
    IPSec device can initiate the VPN tunnel. • Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel. ZyWALL USG 20/20W User's Guide 81
  • ZyXEL ZYWALL USG 20W | User Guide - Page 82
    Figure 45 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or uses a 56-bit key. Triple DES (3DES) is a variation on DES 82 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 83
    Chapter 5 Quick Setup that uses a 168- password or Certificate to use one of the ZyWALL's certificates. 5.5.6 VPN Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec. Figure 46 VPN Advanced Wizard: Step 4 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 84
    must match the local IP address configured on the remote IPSec device. • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 84 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 85
    IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. • Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL's command line interface. • Click Save to save the VPN rule. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 86
    Wizard - Finish Now you can use the VPN tunnel. Figure 48 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard. 86 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 87
    the updated schedule. You can create address objects based on an interface's IP address, subnet, or gateway. The ZyWALL automatically updates every rule or setting that uses these objects whenever the interface's IP address settings change. For example, if you ZyWALL USG 20/20W User's Guide 87
  • ZyXEL ZYWALL USG 20W | User Guide - Page 88
    roles combine physical ports into interfaces. Physical Ethernet Ports (P1, P2, ...) The physical port is where you connect a cable. In configuration, you use physical ports when configuring port groups. You use interfaces and zones in configuring other features. 88 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 89
    between the member interfaces in the bridge. • Virtual interfaces increase the amount of routing information in the ZyWALL. There are three types: virtual Ethernet interfaces (also known as IP alias), virtual VLAN interfaces, and virtual bridge interfaces. ZyWALL USG 20/20W User's Guide 89
  • ZyXEL ZYWALL USG 20W | User Guide - Page 90
    The LAN1 zone contains the lan1 interface (a port group made up of physical ports P2 and P3 on the ZyWALL). The LAN1 zone is a protected zone. The lan1 interface uses 192.168.1.1 and the connected devices use IP addresses in the 192.168.1.2 to 192.168.1.254 range. 90 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 91
    Policy route Address mapping Policy route Address mapping (VPN) IPSec VPN Interface bandwidth management Interface (outbound) General bandwidth management Policy route 6.4 Packet Flow Here is the order in which the ZyWALL applies its features and checks. ZyWALL USG 20/20W User's Guide 91
  • ZyXEL ZYWALL USG 20W | User Guide - Page 92
    6.4.1 Routing Table Checking Flow When the ZyWALL receives packets it defragments them and applies destination NAT. Then it examines the packets and determines how to route them. The checking flow is from top to bottom. As soon as the packets match an entry in one 92 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 93
    297). 2 Policy Routes: These are the user-configured policy routes. Configure policy routes to send packets through the appropriate interface or VPN tunnel. See Chapter 13 on page 297 for to a range of public IP addresses. See Section 17.2.1 on page 340 for more. ZyWALL USG 20/20W User's Guide 93
  • ZyXEL ZYWALL USG 20W | User Guide - Page 94
    Chapter 6 Configuration Basics 4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for the VPN rules. Disabling the IPSec VPN feature's Use Policy Route to control dynamic IPSec in the NAT table instead of requiring a separate policy route. 94 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 95
    on the network topology in Figure 50 on page 90. Note: PREREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one. For example, no other features reference DDNS entries, so there is no WHERE USED entry. ZyWALL USG 20/20W User's Guide 95
  • ZyXEL ZYWALL USG 20W | User Guide - Page 96
    107. 6.5.5 Policy Routes Use policy routes to override the ZyWALL's default routing behavior in order to send packets through the appropriate interface or VPN tunnel. You can also use policy routes for bandwidth management (out of the ZyWALL), port triggering, 96 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 97
    traffic can use. You may also want to set a low priority for FTP traffic. Note: The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that would also match the FTP traffic. ZyWALL USG 20/20W User's Guide 97
  • ZyXEL ZYWALL USG 20W | User Guide - Page 98
    network behind the ZyWALL available outside the private network. The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that are redirected by NAT; it does not check the to-ZyWALL firewall rules. MENU ITEM(S) Configuration > Network > NAT 98 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 99
    you want HTTP requests from your LAN to go to a HTTP proxy server at IP address 192.168.3.80. 1 Click Configuration > Network > HTTP Redirect. 2 Add an entry. 3 Name the entry. 4 Select the interface from which you want to redirect incoming HTTP requests (lan1).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 100
    ), services, service groups Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. You could configure a firewall rule to allow VoIP sessions from the SIP proxy server on DMZ to the LAN so VoIP users on the LAN can receive calls.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 101
    Configuration > VPN > SSL VPN PREREQUISITES Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall WHERE USED Policy routes, zones Example: See Chapter 7 on page 107.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 102
    a policy that blocks Bill's access to arts and entertainment web pages during the workday. You must have already subscribed to the content filter service. 1 Create a user account for Bill if you have not done so already (Configuration > Object > User/Group).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 103
    change through the features that use the object. Move your cursor over a configuration object that has a magnifying-glass icon (such as a user group, address, address group, service, service group, zone, or schedule) to display basic information about the object.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 104
    the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequisites first. MENU ITEM(S) Object > User/Group PREREQUISITES Addresses, address groups, schedules. The prerequisites are only used in policies to force user authentication
  • ZyXEL ZYWALL USG 20W | User Guide - Page 105
    6.7.2 Logs and Reports The ZyWALL provides a system log, offers two e-mail profiles to which to send log messages, and sends information to four syslog servers. It can also e-mail you statistical reports on a daily basis. MENU ITEM(S) Configuration > Log & Report
  • ZyXEL ZYWALL USG 20W | User Guide - Page 106
    device in preparation for disconnecting the power. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S) Maintenance > Shutdown
  • ZyXEL ZYWALL USG 20W | User Guide - Page 107
    following example configuration (see Section 6.2.2 on page 90 for the default configuration). • You want to be able to apply security settings specifically for all VPN tunnels so you create a new VPN zone. • The wan1 interface uses a static IP address of 1.2.3.4.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 108
    the LAN zone so all of the LAN zone's security policies apply to it. Figure 54 Ethernet Interface, Port Roles, and Zone Configuration Example 7.1.1 Configure a WAN Ethernet Interface You need to assign the ZyWALL's wan1 interface a static IP address of 1.2.3.4.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 109
    7.1.3 Configure the DMZ Interface for a Local Network Here is how to set the dmz interface (created in the previous section) for a separate local network. It uses 192.168.4.1 as its IP address and has a DHCP server to distribute IP addresses to connected DHCP clients.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 110
    Subnet Mask to 255.255.255.0. Set DHCP to DHCP Server and click OK. Figure 57 Configuration > Network > Interface > Ethernet > Edit lan2 7.1.4 Configure Zones Do the following to create a VPN zone. 1 Click Configuration > Network > Zone and then the Add icon.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 111
    sure the 3G device's SIM card is installed. 2 Connect the 3G device to one of the ZyWALL's USB ports. 3 Click Configuration > Network > Interface > Cellular. Select the 3G device's entry and click Edit. Figure 59 Configuration > Network > Interface > Cellular
  • ZyXEL ZYWALL USG 20W | User Guide - Page 112
    provided by the cellular 3G service provider (0000 in this example). Figure 60 Configuration > Network > Interface > Cellular > Edit Note: The Network Selection is set to Auto by default. This means that the 3G connection to access the Internet. Figure 61 Status
  • ZyXEL ZYWALL USG 20W | User Guide - Page 113
    bandwidth on each of the WAN interfaces and configure the WAN_TRUNK trunk's load balancing settings. 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 114
    > Edit (wan1) 2 Go to Configuration > Network > Interface > Cellular. Double-click the cellular1 entry and set the egress bandwidth for cellular1 to 512 Kbps. 7.3.2 Configure the WAN Trunk 1 Click Configuration > Network > Interface > Trunk. Click the Add icon.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 115
    field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add cellular1 and enter 1 in the Weight column. Click OK. Figure 64 Configuration > Network > Interface > Trunk > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 116
    VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel; see Section 5.4 on page 76 for details on the VPN quick setup wizard. Figure 66 VPN Example (1.2.3.4, LAN 192.168.1.0/24; 2.2.2.2, LAN 172.16.1.0/24)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 117
    Gateway Address, select Static Address and enter 2.2.2.2 in the Primary field. For the Authentication, select Pre-Shared Key and enter 12345678. Click OK. Figure 67 Configuration > VPN > IPSec VPN > VPN Gateway > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 118
    "), change the Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 68 Configuration > Object > Address > Add 3 Click Configuration > VPN > IPSec VPN > VPN Connection. Click the Add icon.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 119
    IPSec_VPN zone. Make sure all firewalls between the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router should also allow UDP port 4500.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 120
    . If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the Web Configurator. 1 Click Configuration > Object > User/Group > User. Click the Add icon.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 121
    > Object > User/Group > User > Add 3 Repeat this process to set up the remaining user accounts. 7.5.2 Set Up User Groups Set up the user groups and assign the users to the user groups. 1 Click Configuration > Object > User/Group > Group. Click the Add icon.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 122
    using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method. Finally, force users to log in to the ZyWALL before it routes traffic for them.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 123
    default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 124
    the RADIUS server has different user groups distinguished by the value of a specific attribute, you can configure the make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 125
    a user belongs. This example uses Class. This attribute's value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss. Figure 75 Configuration > Object > AAA Server > RADIUS > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 126
    Endpoint Security Objects Click Configuration > Object > Endpoint Security > Add to open the Endpoint Security Edit screen. • Select Endpoint must comply with all checking items. • Set the Endpoint Operating System to Windows and the Window Version to Windows 7.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 127
    Chapter 7 Tutorials • Select Endpoint must have Personal Firewall installed and move the Kaspersky Internet Security entries to allowed list. The following figure shows the configuration screen example. Figure 77 Configuration > Object > Endpoint Security > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 128
    Force User Authentication to redirect the HTTP traffic of users who are not yet logged in to the ZyWALL's login screen. • Enable EPS checking and move the EPS objects you created to the selected list. • Click OK. Figure 78 Configuration > Auth. Policy > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 129
    the login screen. Figure 80 Example: Endpoint Security Error Message 7.8 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access (to the Web Configurator) and separate rules that control HTTP and HTTPS
  • ZyXEL ZYWALL USG 20W | User Guide - Page 130
    except the LAN1. 1 Click Configuration > System > WWW. 2 In HTTPS Admin Service Control, click the Add icon. Figure 81 Configuration > System > WWW 3 In the Zone field select LAN1 and click OK. Figure 82 Configuration > System > WWW > Service Control Rule Edit
  • ZyXEL ZYWALL USG 20W | User Guide - Page 131
    the new rule and click the Add icon. Figure 83 Configuration > System > WWW (First Example Admin Service Rule Configured) 5 In the Zone field select ALL and set the Action to Deny. Click OK. Figure 84 Configuration > System > WWW > Service Control Rule Edit
  • ZyXEL ZYWALL USG 20W | User Guide - Page 132
    323 Peer-to-peer Calls Suppose you have a H.323 device on the LAN1 for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN. Here is an example of how to configure NAT and the firewall to have the ZyWALL forward H.323 traffic destined
  • ZyXEL ZYWALL USG 20W | User Guide - Page 133
    and click Apply. Figure 87 Configuration > Network > ALG 7.9.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to LAN1 IP address 192.168.1.56.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 134
    > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device's private LAN1 IP address (called LAN_H323 here). Figure 88 Create Address Objects
  • ZyXEL ZYWALL USG 20W | User Guide - Page 135
    Set Up a Firewall Rule For H.323 The default firewall rule for WAN-to-LAN traffic drops all traffic. Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN1 IP address 192.168.1.56.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 136
    the Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the wan1 interface and map to the HTTP server's private IP address of 192.168.3.7. Figure 91 Public Server Example Network Topology
  • ZyXEL ZYWALL USG 20W | User Guide - Page 137
    IP to the Public_HTTP_Server_IP object and the Mapped IP to the DMZ_HTTP object. • HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 80.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 138
    default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 139
    the Service to HTTP, and click OK. Figure 95 Configuration > Firewall > Add 7.11 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP
  • ZyXEL ZYWALL USG 20W | User Guide - Page 140
    address 1.1.1.2 that you will use on the wan1 interface and map to the IPPBX's private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 96 IPPBX Example Network Topology
  • ZyXEL ZYWALL USG 20W | User Guide - Page 141
    Objects Use Configuration > Object > Address > Add to create the address objects. 1 Create a host address object named IPPBX-DMZ for the IPPBX's private DMZ IP address of 192.168.3.9. Figure 98 Creating the Address Object for the IPPBX's Private IP Address
  • ZyXEL ZYWALL USG 20W | User Guide - Page 142
    's DMZ IP address object (IPPBX-DMZ). • Set the Port Mapping Type to Port, the Protocol Type to UDP and the original and mapped ports to 5060. • Keep Enable NAT Loopback selected to allow the LAN users to use the IPPBX (see NAT Loopback on page 343 for details).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 143
    firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX. If a domain name is registered for IP address 1.1.1.2, users can use it to connect to for making SIP calls.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 144
    Configuration > Firewall > Add 7.11.5 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 145
    Click Configuration > Object > Address > Add to create the address object that represents the range of static public IP addresses. In this example you name it Public-IPs and it goes from 1.1.1.10 to 1.1.1.17. Figure 103 Creating the Public IP Address Range Object
  • ZyXEL ZYWALL USG 20W | User Guide - Page 146
    the Policy Route 7.13 How to Set Up a Wireless LAN This tutorial applies only to USG 20W. You can configure different interfaces to use on the wireless LAN card. This lets you have different wireless LAN networks using different SSIDs. You can configure
  • ZyXEL ZYWALL USG 20W | User Guide - Page 147
    > User > Add 3 Use the Add icon in the Configuration > Object > User/Group > User screen to set up the remaining user accounts in similar fashion. 7.13.2 Create the WLAN Interface 1 Click Configuration > Network > Interface > WLAN > Add to open the WLAN Add screen.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 148
    Enterprise. Set the Authentication Type to Auth Method. The ZyWALL can use its default authentication method (the local user database) and its default certificate to authenticate the users. Configure the interface's IP address and set it to DHCP Server. Click OK.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 149
    Figure 106 Configuration > Network > Interface > WLAN > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 150
    the ZyWALL) to use the WLAN interface. See Section 7.13.3.2 on page 154 instead for how to use Funk Odyssey's wireless client software if you want the wireless client to validate the ZyWALL's certificate (for added protection against connecting to a rogue AP).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 151
    Profile. Figure 108 ZyXEL Wireless Client 2 Add a new profile. This example uses "ZYXEL_WPA" as the name. It is also the SSID (name) of the wireless network. Select Infrastructure and click Next. Figure 109 ZyXEL Wireless Client > Profile
  • ZyXEL ZYWALL USG 20W | User Guide - Page 152
    the encryption type to TKIP and the EAP type to TTLS. Configure wlan_user as the Login Name and enter the account's password (also wlan_user in this example). In TTLS Protocol, select PAP. Click Next. Figure 111 ZyXEL Wireless Client > Profile: Security Settings
  • ZyXEL ZYWALL USG 20W | User Guide - Page 153
    5 Confirm your settings and click Save. Figure 112 ZyXEL Wireless Client > Profile: Save 6 Click Activate Now. Figure 113 ZyXEL Wireless Client > Profile: Activate
  • ZyXEL ZYWALL USG 20W | User Guide - Page 154
    how to configure Funk's Odyssey Access Client Manager wireless client software (not included with the ZyWALL) to use the WLAN interface. 1 Open the Odyssey wireless client software and click Profiles > Add. Figure 115 Odyssey Access Client Manager > Profiles
  • ZyXEL ZYWALL USG 20W | User Guide - Page 155
    the Password sub-tab, select Prompt for long name and password. Figure 116 Odyssey Access Client Manager > Profiles > User Info 3 Click the Authentication tab and select Validate server certificate. Figure 117 Odyssey Access Client Manager > Profiles > Authentication
  • ZyXEL ZYWALL USG 20W | User Guide - Page 156
    4 Click the TTLS tab and select PAP. Then click OK. Figure 118 Odyssey Access Client Manager > Profiles > Authentication 5 Click Networks > Add. Figure 119 Odyssey Access Client Manager > Networks
  • ZyXEL ZYWALL USG 20W | User Guide - Page 157
    ZyWALL's certificate. Use the Configuration > Object > Certificate > Edit screen (see Section 39.2.2 on page 599) to export the certificate the ZyWALL is using for the WLAN interface. Then do the following to import the certificate into each wireless client computer.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 158
    and click the Certificates button. Figure 121 Internet Explorer: Tools > Internet Options > Content 2 Click Import. Figure 122 Internet Explorer: Tools > Internet Options > Content > Certificates
  • ZyXEL ZYWALL USG 20W | User Guide - Page 159
    , select the option to automatically select the certificate store based on the type of certificate. Figure 124 Internet Explorer Certificate Import Wizard Certificate Store Screen
  • ZyXEL ZYWALL USG 20W | User Guide - Page 160
    5 If you get a security warning screen, click Yes to proceed. Figure 125 Internet Explorer Certificate Import Certificate Warning Screen
  • ZyXEL ZYWALL USG 20W | User Guide - Page 161
    (OU), Organization (O) and Country (C). Figure 127 Configuration > Object > Certificate > My Certificates Repeat the steps to import the certificate into each wireless client computer that is to validate the ZyWALL's certificate when using the WLAN interface.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 162
    7.13.3.4 Wireless Clients Use the WLAN Interface A login screen displays when the wireless client attempts to connect to the wireless interface. Enter the username and password and click OK. Funk Odyssey Access Wireless Client Login Example
  • ZyXEL ZYWALL USG 20W | User Guide - Page 163
    PART II Technical Reference
  • ZyXEL ZYWALL USG 20W | User Guide - Page 164
  • ZyXEL ZYWALL USG 20W | User Guide - Page 165
    into the ZyWALL. 8.2 The Dashboard Screen The Dashboard screen displays when you log into the ZyWALL or click Dashboard in the navigation panel. The dashboard displays general device information, system status, system resource usage, licensed service status, and
  • ZyXEL ZYWALL USG 20W | User Guide - Page 166
    Chapter 8 Dashboard interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. Figure 128 Dashboard
  • ZyXEL ZYWALL USG 20W | User Guide - Page 167
    . Refresh Now (D) Close this Module (E) Click this to update the widget's information immediately. Click this to close the widget the status of the ZyWALL's front panel LEDs and connections. See Section 1.3.1 on page 32 for LED descriptions. An unconnected
  • ZyXEL ZYWALL USG 20W | User Guide - Page 168
    port speed and duplex setting (Full or Half). (For USG 20W only) The status for an installed WLAN ZyWALL. The format Date/Time is yyyy-mm-dd hh:mm:ss. VPN Status Click this to look at the VPN tunnels that are currently established. See Section 8.2.1 on page 171.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 169
    traversing the ZyWALL. Hover your cursor over this field to display icons. Click the Detail icon to go to the Session Monitor screen to see details about the active sessions. Click the Show Active Sessions icon to display a chart of ZyWALL's recent session usage.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 170
    field displays the port speed and duplex setting (Full or Half). (For USG 20W only) The status for an installed WLAN card is none. Zone IP Address For licensed services there are. This is the current status of the license. This identifies the licensed service.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 171
    . Expiration If the service license is valid, this shows when it will expire. N/A displays if the service license does not have chart of the ZyWALL's recent CPU usage. To access this screen, click CPU Usage in the dashboard. Figure 129 Dashboard > CPU Usage
  • ZyXEL ZYWALL USG 20W | User Guide - Page 172
    usage. The x-axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated. Refresh Click this to update the information in the window right away.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 173
    Active Sessions Screen Use this screen to look at a chart of the ZyWALL's recent traffic session usage. To access this screen, click Session Usage this window to be automatically updated. Refresh Click this to update the information in the window right away.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 174
    DHCP Table Screen Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard. Figure 133 Dashboard > DHCP Table
  • ZyXEL ZYWALL USG 20W | User Guide - Page 175
    , and then click Apply. 8.2.6 The Number of Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the dashboard's Number of Login Users icon. Figure 134 Dashboard > Number of Login Users
  • ZyXEL ZYWALL USG 20W | User Guide - Page 176
    for each user. See Chapter 33 on page 539. Type This field displays the way the user logged in to the ZyWALL. IP address This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout Click this icon to end a user's session.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 177
    of the users currently logged into the ZyWALL. • Use the System Status > WLAN Status screen (Section 9.9 on page 191) to view the connection status of the wireless clients connected to (or trying to connect to) an IEEE 802.11b/g card installed in the ZyWALL. This is available for USG 20W only. • Use
  • ZyXEL ZYWALL USG 20W | User Guide - Page 178
    clear the log in this screen. 9.2 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics. Figure 135 Monitor > System Status > Port Statistics
  • ZyXEL ZYWALL USG 20W | User Guide - Page 179
    physical port in the one-second interval before the screen updated. Up Time This field displays how long the physical port has been connected. System Up Time This field displays how long the ZyWALL has been running since it last restarted or was turned on.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 180
    the transmission or reception occurred TX This line represents traffic transmitted from the ZyWALL on the physical port since it was last connected. RX This line represents the traffic received by the ZyWALL on the physical port since it was last connected.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 181
    Port Statistics > Switch to Graphic View LABEL DESCRIPTION Last Update This field displays the date and time the information in the window was last updated. System Up Time This field displays how long the ZyWALL virtual interfaces on top of this interface.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 182
    gets its IP address from a DHCP server. This field lists which services the interface provides to the network. Examples include DHCP relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 183
    updated. ZyWALL counts HTTP GET packets. Please see Table 29 on page 184 for more information. • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic and how much traffic has been sent to and from each one
  • ZyXEL ZYWALL USG 20W | User Guide - Page 184
    save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. Statistics Interface Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge and PPPoE/PPTP interfaces.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 185
    the service was using. This field indicates whether the indicated protocol or service port is sending or receiving traffic. Ingress - traffic is coming into the router through the interface Egress - traffic is going out from the router through the interface
  • ZyXEL ZYWALL USG 20W | User Guide - Page 186
    or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed. • User who started the session • Protocol or service port used • Source address • Destination address • Number of bytes received (so far)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 187
    also refreshes automatically when you open and close the screen. The User, Service, Source Address, and Destination Address fields display if you view all sessions. Select your desired filter criteria and click the Search button to filter the list of sessions.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 188
    IP address whose sessions you want to view. You cannot include the destination port. This button displays when View is set to all sessions. Click this button to update the information on the screen using the filter criteria in the User, Service session in seconds.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 189
    :second format). 9.7 IP/MAC Binding Monitor Click Monitor > System Status > IP/MAC Binding to open the IP/MAC Binding Monitor screen. This screen lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled and have ever
  • ZyXEL ZYWALL USG 20W | User Guide - Page 190
    update the information in the screen. 9.8 The Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click Monitor > System Status > Login Users. Figure 142 Monitor > System Status > Login Users
  • ZyXEL ZYWALL USG 20W | User Guide - Page 191
    of the wireless clients connected to (or trying to connect to) an IEEE 802.11b/g card installed in the ZyWALL. To open the station monitor, click Monitor > System Status > WLAN Status. The screen appears as shown. Figure 143 Monitor > System Status > WLAN Status
  • ZyXEL ZYWALL USG 20W | User Guide - Page 192
    Table 35 Monitor > System Status > Cellular Status LABEL DESCRIPTION Refresh Click this button to update the information in the screen. More Information Click this to display more information on your This field displays the model name of the cellular card.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 193
    can use the 3G connection. Service Provider This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the 3G SIM card. For example if the bill has not been paid or the account has expired.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 194
    mainly depends on the antenna output power and the distance between your ZyWALL and the service provider's base station. 9.10.1 More Information This screen displays more to and activated on the ZyWALL. Figure 145 Monitor > System Status > More Information
  • ZyXEL ZYWALL USG 20W | User Guide - Page 195
    service provider's base station. Device Manufacturer This shows the name of the company that produced the 3G device. Device Model This field displays the model name of the cellular card. Device Firmware screen. Figure 146 Monitor > System Status > USB Storage
  • ZyXEL ZYWALL USG 20W | User Guide - Page 196
    The IPSec Monitor Screen You can use the IPSec Monitor screen to display and to manage active IPSec SAs. To access this screen, click Monitor > VPN Monitor > IPSec. The following
  • ZyXEL ZYWALL USG 20W | User Guide - Page 197
    in the SA. Up Time This field displays how many seconds the IPSec SA has been active. This field displays N/A if the IPSec SA uses manual keys.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 198
    are currently logged into the VPN SSL client portal. Click Monitor > VPN Monitor > SSL to display the user list. Use this screen to do the following: • View a list of active SSL VPN connections. • Log out individual users and delete related session information.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 199
    established. Inbound (Bytes) This field displays the number of bytes received by the ZyWALL on this connection. Outbound (Bytes) This field displays the number of bytes transmitted by the ZyWALL on this connection. Refresh Click Refresh to update this screen.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 200
    the ZyWALL or click Flush Data. Collecting starts over and a new collection start time displays. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. Refresh Click this button to update the report display.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 201
    by the external database content Without Policy filtering service. Report Server Click this link to go to http://www.myZyXEL.com where you can view content filtering reports after you have activated the category-based content filtering subscription service.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 202
    to display the Content Filter Cache screen. Use this screen to view and configure your ZyWALL's URL caching. You can also configure how long a categorized web site address remains in the cache as well as the sort order. Figure 150 Anti-X > Content Filter > Cache
  • ZyXEL ZYWALL USG 20W | User Guide - Page 203
    the processing of web access requests but will also make it take longer for the ZyWALL to reflect changes in the external content filtering database. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 204
    of the screen's statistics and update the report display. Total Mails Scanned This field displays the number of e-mails that the ZyWALL's anti-spam feature has checked. Clear Mails This is the number of e-mails that the ZyWALL has determined to not be spam.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 205
    . This column displays when you display the entries by Sender Mail Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam. Occurrence This field displays how many spam e-mails the ZyWALL detected from the sender.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 206
    IP addresses in e-mails. This is the total number of DNS queries the ZyWALL has sent to this DNSBL. This is the average for how long it takes to receive a reply from this DNSBL. This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 207
    by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the to reverse the sort order. Figure 153 Monitor > Log
  • ZyXEL ZYWALL USG 20W | User Guide - Page 208
    Service This displays when you show the filter. Select the service whose log messages you would like to see. The Web Configurator uses the protocol and destination port number(s) of the service the filter. Click this button to update the log using the current filter
  • ZyXEL ZYWALL USG 20W | User Guide - Page 209
    IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 210
    Chapter 9 Monitor
  • ZyXEL ZYWALL USG 20W | User Guide - Page 211
    screen. Alternatively, go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details. Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 212
    this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Figure 154 Configuration > Licensing > Registration
  • ZyXEL ZYWALL USG 20W | User Guide - Page 213
    on content. Your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories. Click Apply to save your changes back to the ZyWALL.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 214
    service subscription, purchase an iCard and enter the iCard's PIN number (license key) in this screen. Click Configuration > Licensing > Registration > Service to open the screen as shown next. Figure 156 Configuration > Licensing > Registration > Service
  • ZyXEL ZYWALL USG 20W | User Guide - Page 215
    subscription runs out, you need to buy a new iCard (specific to your ZyWALL) and enter the new PIN number to extend the service. Service License Refresh Click this button to renew service license information (such as the registration status and expiration day).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 216
    Chapter 10 Registration
  • ZyXEL ZYWALL USG 20W | User Guide - Page 217
    interfaces on top of Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunk screens (Chapter 12 on page 289) to configure load balancing.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 218
    between interfaces. Port groups and trunks have a lot of characteristics that are specific to each type of interface. See Section 11.2 on page 220 and Chapter 12 on page 289 for details. The other types of interfaces--Ethernet, PPP, cellular, VLAN, bridge, and
  • ZyXEL ZYWALL USG 20W | User Guide - Page 219
    between interfaces are explained in the following table. Table 48 Relationships Between Different Types of Interfaces INTERFACE REQUIRED PORT / INTERFACE port group Ethernet interface physical port physical port VLAN interface port group Ethernet interface
  • ZyXEL ZYWALL USG 20W | User Guide - Page 220
    trunks. 11.2 Port Role To access this screen, click Configuration > Network > Interface > Port Role. Use the Port Role screen to set the ZyWALL's flexible ports as part of the lan1, lan2 or dmz interfaces. This creates a hardware connection between the physical
  • ZyXEL ZYWALL USG 20W | User Guide - Page 221
    bandwidth between the port group and other interfaces. • The port group uses a single MAC address. Click this button to save your changes and apply them to the ZyWALL. Click this button to change the port groups to their current configuration (last-saved values).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 222
    a significant amount of configuration and management. The ZyWALL supports two routing protocols, RIP and OSPF. See Chapter 14 on page 313 for background information about these routing protocols. Figure 158 Configuration > Network > Interface > Ethernet (USG 20W)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 223
    the interface's IP address settings change. For example, if you change LAN1's IP address, the ZyWALL automatically updates the corresponding interface-based, LAN1 subnet address object. With RIP, you can use Ethernet interfaces to do the following things.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 224
    method for the selected area. • Select in which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both. • Set the priority used to identify the DR or BDR if one does not exist.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 225
    Chapter 11 Interfaces Figure 159 Configuration > Network > Interface > Ethernet > Edit (WAN)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 226
    Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Settings Enable Interface Select this to enable this interface. Clear this to disable this interface. Interface Properties
  • ZyXEL ZYWALL USG 20W | User Guide - Page 227
    appears when Interface Properties is External or General. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 228
    gateway. Check Default Select this to use the default gateway for the connectivity check. Gateway Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 229
    to specify these IP addresses. Custom Defined - enter a static IP address. From ISP - select the DNS server that another interface received from its DHCP server. ZyWALL - the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 230
    51 Configuration > Network > Interface > Ethernet > Edit (continued) LABEL DESCRIPTION First WINS Server, Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server used for receiving RIP packets. Choices are 1, 2, and 1 and 2.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 231
    MAC address, or clone the MAC address of another device or computer. Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address. By default, the ZyWALL uses the factory assigned MAC address to identify itself.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 232
    This identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window. # This field is a sequential value, and it is not associated with any entry.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 233
    computer. Therefore, the subnet mask is always 255.255.255.255. In addition, the ZyWALL always treats the ISP as a gateway. At the time of writing, it is possible to set up the IP address of the gateway (ISP) using CLI commands but not in the Web Configurator.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 234
    the entry's settings. Remove To remove a user-configured PPP interface, select it and click Remove. The ZyWALL confirms you want to remove it before click Connect. You might use this in testing the interface or to manually establish the connection for a Dial-on-
  • ZyXEL ZYWALL USG 20W | User Guide - Page 235
    PPTP interface. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 11.4.2 PPP configure a PPPoE or PPTP interface. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 236
    Figure 164 Configuration > Network > Interface > PPP > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 237
    is a DHCP client. In this case, the DHCP server configures the IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP interfaces. Use Fixed IP Address Select this if you want to specify the IP address manually.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 238
    this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it. This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 239
    3G card you use, the signal strength to the service provider's base station, and so on. • (refer to Section 11.5.1 on page 241). • You can set the 3G device to connect to other networks if the signal strength of the home network is too low or it is unavailable.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 240
    click Configuration > Network > Interface > Cellular. Note: Install (or connect) a compatible 3G USB to use a cellular connection. See Chapter 51 on page 741 for details. Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 241
    might use this in testing the interface or to manually establish the connection. To disconnect an Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 242
    Figure 166 Configuration > Network > Interface > Cellular > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 243
    . Enter the APN from your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method. You can enter up to 63 ASCII printable characters. Spaces are allowed.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 244
    you insert a GSM 3G card. The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake and the password is included in the 3G card's profile. If this field is configurable, enter the password for this SIM card exactly as the service provider
  • ZyXEL ZYWALL USG 20W | User Guide - Page 245
    can configure the interface as part of a WAN trunk for load balancing. Click Policy Route to go to the policy route summary screen where you can configure a policy route to override the default routing and SNAT behavior for the interface. IP Address Assignment
  • ZyXEL ZYWALL USG 20W | User Guide - Page 246
    the rate of a different network. Select this to set a monthly limit for the user account of the installed 3G card. You can set a limit on the total traffic and/or call time. The ZyWALL takes the actions you specified when a limit is exceeded during the month.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 247
    you change the value after you configure and enable budget control, the ZyWALL resets the statistics. Select this and ZyWALL allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 248
    network is in the blue circle. Wireless clients (A and B) connect to an access point (AP) to access other devices (such as the printer) or the Internet. Your ZyWALL works as an AP when you install a compatible WLAN card. Figure 167 Example of a Wireless Network
  • ZyXEL ZYWALL USG 20W | User Guide - Page 249
    can protect the information that is sent in the wireless network. Click Configuration > Network > Interface > WLAN to open the following screen. See Appendix C on page 803 for more details on wireless LANs. Figure 168 Configuration > Network > Interface > WLAN
  • ZyXEL ZYWALL USG 20W | User Guide - Page 250
    of output power that this WLAN card is to use. If there is a high density of APs in the area, decrease the output power of the ZyWALL to reduce interference with other APs. See the product specifications for more information on your ZyWALL's output power.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 251
    errors. Select Long to prioritize data integrity. This may be because your wireless network is busy and congested. Add Edit Remove Activate Inactivate Object References name of the WLAN interface. This is the SSID (Service Set IDentity) of the WLAN interface.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 252
    original information pretty quickly. Click Configuration > Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. The screen varies according to the security features you select. It displays as shown next when you set the Security Type to none.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 253
    Figure 169 Configuration > Network > Interface > WLAN > Add (No Security)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 254
    is 1812). Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key is not sent over the network. This key must be the same on the external authentication server and ZyWALL.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 255
    allocating IP addresses. If this field is blank, the ZyWALL assigns every IP address allowed by the interface's IP address, subnet mask, and pool size; except for the first address (network address), last address (broadcast address) and the interface's IP address.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 256
    's IP address. Enter a description to help identify this static DHCP entry. You can use alphanumeric and characters, and it can be up to 60 characters long. See Section 14.2 on page 314 for more information about RIP. Select this to enable RIP in this interface.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 257
    Table 60 Configuration > Network > Interface > WLAN > Add (No Security) LABEL DESCRIPTION the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 258
    , click Configuration > Network > Interface > WLAN > Add (or Edit) to open the WLAN Edit screen. Select WEP as the Security Type. The following screen shows the WEP security fields. Figure 170 Configuration > Network > Interface > WLAN > Add (WEP Security)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 259
    Type. WPA/WPA2-PSK means wireless clients can use either WPA-PSK or WPA2-PSK to connect to the WLAN interface. The following screen shows the security fields. Figure 171 Configuration > Network > Interface > WLAN > Add (WPA-PSK, WPA2-PSK, or WPA/WPA2-PSK Security)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 260
    open the WLAN Edit screen. Select WPA-Enterprise, WPA2-Enterprise, or WPA/WPA2-Enterprise as the Security Type. WPA/WPA2-Enterprise means wireless clients can use either WPA or WPA2 to connect to the WLAN interface. The following figure shows the security fields.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 261
    The wireless clients must use TTLS authentication protocol and PAP inside the TTLS secure tunnel. The RADIUS fields display if you set the Authentication Type field to Auth Server. Enter the IP address of the external authentication server in dotted decimal notation.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 262
    filter to allow only the specified MAC addresses, the ZyWALL does not immediately disconnect all connected wireless clients. To display your ZyWALL's MAC filter settings, click Configuration > Network > Interface > WLAN > MAC Filter. The screen appears as shown.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 263
    . Description Apply Reset This field displays a descriptive name for the MAC address entry. Enter a descriptive name for the MAC address entry. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 264
    into three VLANs. Figure 175 Example: After VLAN A B Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID network, the network does not need switches A and B.)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 265
    VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 266
    an IP address yet. Mask This screen also shows whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. This field displays the interface's subnet mask in dot decimal notation.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 267
    your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 11.8.2 VLAN Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters in the VLAN Summary screen. The following screen appears.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 268
    Figure 177 Configuration > Network > Interface > VLAN > Edit
  • ZyXEL ZYWALL USG 20W | User Guide - Page 269
    . This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 270
    that domain name or IP address in the field next to it. This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. DHCP Setting The DHCP settings are available for the OPT, LAN and DMZ interfaces.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 271
    Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 272
    Configure a list of static IP addresses the ZyWALL assigns to computers connected to the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the interface's IP RIP-2 packets using subnet broadcasting; otherwise, the ZyWALL uses multicasting.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 273
    part of a WAN trunk for load balancing. Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 274
    2 in the table. It also looks up 0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4. Table 67 Example: Bridge Table After Computer A Sends a Packet to Computer B MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A 2
  • ZyXEL ZYWALL USG 20W | User Guide - Page 275
    /26 wan 250.250.250.0/23 br0 241.241.241.241/32 dmz 242.242.242.242/32 dmz In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or
  • ZyXEL ZYWALL USG 20W | User Guide - Page 276
    whether the IP address is a static IP address (STATIC) or dynamically assigned (DHCP). IP addresses are always static in virtual interfaces. This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 277
    parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 278
    Figure 179 Configuration > Network > Interface > Bridge > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 279
    the IP address for this interface. This field is enabled if you select Use Fixed IP Address. Enter the subnet mask of this interface in dot decimal notation. The subnet mask indicates what part of the IP address is the same for all computers in the network.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 280
    appear if the ZyWALL is a DHCP Relay. Relay Server 1 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 281
    device's MAC address. Static DHCP Table Configure a list of static IP addresses the ZyWALL assigns to computers connected to the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 282
    to the ZyWALL. Click Cancel to exit this screen without saving. 11.9.3 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet
  • ZyXEL ZYWALL USG 20W | User Guide - Page 283
    (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first. Interface Parameters
  • ZyXEL ZYWALL USG 20W | User Guide - Page 284
    ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface wan1. In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255
  • ZyXEL ZYWALL USG 20W | User Guide - Page 285
    of traffic the ZyWALL sends out through the interface to the network. • Ingress bandwidth sets the amount of traffic the ZyWALL allows in through the interface from the network.1 1. At the time of writing, the ZyWALL does not support ingress bandwidth management.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 286
    IP addresses of DNS servers) on computers in the network. This reduces the amount of manual configuration you have to do and usually uses available IP assign its IP address to another DHCP client. In the ZyWALL, some interfaces can provide DHCP services to the network
  • ZyXEL ZYWALL USG 20W | User Guide - Page 287
    can query the server instead of broadcasting a request for a computer name's IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 288
    Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 289
    link sticking and view the list of configured trunks and which load balancing algorithm each trunk uses. • Use the Trunk Edit screen (Section 12.3 on page 293) to configure which interfaces belong to each trunk and the load balancing algorithm each trunk uses.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 290
    balancing algorithms the ZyWALL can use to decide which interface the traffic (from the LAN) should use for a session2. The available bandwidth you configure on the ZyWALL refers to the actual , a session may refer to normal connection-oriented, UDP or SNMP2 traffic.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 291
    Out More • See Section 6.5.4 on page 96 for related information on the Trunk screens. • See Section 7.3 on page 113 for an example of how to configure load balancing. • See Section 12.4 on page 295 for more background information on trunks.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 292
    Trunk LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enable Link Sticking Enable link sticking to have the to the same destination are to use the same link. 292 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 293
    12.3 Configuring a Trunk Click Configuration > Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry. Figure 183 Configuration > Network > Interface > Trunk > Add (or Edit) ZyWALL USG 20/20W User's Guide 293
  • ZyXEL ZYWALL USG 20W | User Guide - Page 294
    a group member. Select Active to have the ZyWALL always attempt to use this connection. Select Passive to have the ZyWALL only use this connection when all of the connections set to active are down. You can only set one of a group's interfaces to passive mode. 294 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 295
    Chapter 12 Trunks Table 77 Configuration > Network > Interface > Trunk > the ZyWALL. Click Cancel to exit this screen without saving. 12.4 Trunk Technical Reference Round Robin Load Balancing Algorithm Round Robin scheduling services queues on a queue is empty. ZyWALL USG 20/20W User's Guide 295
  • ZyXEL ZYWALL USG 20W | User Guide - Page 296
    Chapter 12 Trunks 296 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 297
    to other routers. 13.1.1 What You Can Do in this Chapter • Use the Policy Route screens (see Section 13.2 on page 300) to list and configure policy routes. ZyWALL USG 20/20W User's Guide 297
  • ZyXEL ZYWALL USG 20W | User Guide - Page 298
    and send traffic through VPN tunnels. • Cost ZyWALL usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the ZyWALL send data to devices not reachable through the default gateway, use static routes. Configure ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 299
    service configured policies. Finding Out More • See Section 6.5.5 on page 96 for related information on the policy route screens. • See Section 7.12 on page 145 for an example of creating a policy route for using multiple static public WAN IP addresses for LAN to WAN traffic. ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 300
    , VPN tunnel, or trunk. • Limiting the amount of bandwidth available and setting a priority for traffic. IPPR follows the existing packet filtering facility of RAS in style and in implementation. Figure 185 Configuration > Network > Routing > Policy Route 300 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 301
    configuration fields. Enable BWM This is a global setting for enabling or disabling bandwidth management on the ZyWALL. IP address (group) object. any means all IP addresses. This is the name of the destination IP address (group) object. any means all IP addresses. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 302
    the maximum bandwidth allotted to the policy. 0 means there is no bandwidth limitation for this route. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 302 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 303
    to use in this screen. Configuration Enable Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy. Criteria User Select a user name or user group from which the packets are sent. ZyWALL USG 20/20W User's Guide 303
  • ZyXEL ZYWALL USG 20W | User Guide - Page 304
    when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your ZyWALL's interface(s). 304 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 305
    . Select default to have the ZyWALL set the DSCP value of the packets to 0. Use this field to specify a custom DSCP value. Use this section to configure NAT for the policy route. This section does not apply to policy routes that use a VPN tunnel as the next hop. ZyWALL USG 20/20W User's Guide 305
  • ZyXEL ZYWALL USG 20W | User Guide - Page 306
    the service. This allows you to allocate bandwidth to a route and prioritize traffic that matches the routing policy. You must also enable bandwidth management in the main policy route screen (Network > Routing > Policy Route) in order to apply bandwidth shaping. 306 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 307
    Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. Figure 187 Configuration > Network > Routing > Static Route ZyWALL USG 20/20W User's Guide 307
  • ZyXEL ZYWALL USG 20W | User Guide - Page 308
    or Edit. The screen shown next appears. Use this screen to configure the required information for a static route. Figure 188 Configuration > Network > Routing > Static Route > Add The following table to the host ID. Subnet Mask Enter the IP subnet mask here. 308 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 309
    you can configure in policy routing. NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in priority. Combining the classes and drop precedence produces the ZyWALL USG 20/20W User's Guide 309
  • ZyXEL ZYWALL USG 20W | User Guide - Page 310
    server 1 using port 1234. The ZyWALL records the IP address of computer A when the packets match a policy with SNAT configured. 2 Game server 1 responds using a port number ranging between 5670 - 5678. The ZyWALL allows and forwards the traffic to computer A. 310 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 311
    (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level. ZyWALL USG 20/20W User's Guide 311
  • ZyXEL ZYWALL USG 20W | User Guide - Page 312
    Chapter 13 Policy and Static Routes 312 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 313
    configure general OSPF settings and manage OSPF areas. • Use the OSPF Area Add/Edit screen (see Section 14.3.2 on page 322) to create or edit an OSPF area. 14.1.2 What You Need to Know The ZyWALL supports page 324 for background information on routing protocols. ZyWALL USG 20/20W User's Guide 313
  • ZyXEL ZYWALL USG 20W | User Guide - Page 314
    terms. • RIP uses UDP port 520. Use the RIP screen to specify the authentication method and maintain the policies for redistribution. Click Configuration > Network > Routing > RIP to open the following screen. Figure 190 Configuration > Network > Routing > RIP 314 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 315
    the ZyWALL. Reset Click this button to return the screen to its last-saved settings. 14.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 316
    over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. • OSPF filters and summarizes routing any routing information about other networks outside the OSPF AS. 316 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 317
    IDs, their associated links and path costs. The link-state database is then constantly updated through Link State Advertisements (LSA). Each router uses the link state database and the and it filters, summarizes, and exchanges routing information between them. ZyWALL USG 20/20W User's Guide 317
  • ZyXEL ZYWALL USG 20W | User Guide - Page 318
    Yes No RIP Yes Yes Yes • A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR. Each type of router is you can create a virtual link through an intermediate area 318 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 319
    Use the first OSPF screen to specify the OSPF router the ZyWALL uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. ZyWALL USG 20/20W User's Guide 319
  • ZyXEL ZYWALL USG 20W | User Guide - Page 320
    the OSPF AS, and it can be between 1 and 16777214. Active Static Route Select this to advertise routes that were learned from static routes. The ZyWALL advertises routes learned from static routes to all types of areas. 320 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 321
    Configuration 32-bit ID for each area in IP address format. Type This field displays the default authentication method in the area. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 322
    authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication. Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). 322 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 323
    (in IP address ZyWALL. Click Cancel to exit this screen without saving. 14.3.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 14.3.2 on page ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 324
    and the underscore, and it can be up to 16 characters long. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving. 14.4 Routing Protocol Technical Reference Here is more detailed information about RIP and OSPF. 324 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 325
    to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 326
    Chapter 14 Routing Protocols 326 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 327
    configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall 15.2 on page 329) to manage the ZyWALL's zones. ZyWALL USG 20/20W User's Guide 327
  • ZyXEL ZYWALL USG 20W | User Guide - Page 328
    in the LAN zone but prohibit it in the WAN zone. • You can also set up firewall rules to Extra-zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone. For example configuring Ethernet interfaces, port groups, and zones. 328 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 329
    interface. Name This field displays the name of the zone. Block Intrazone This field indicates whether or not the ZyWALL blocks network traffic between members in the zone. Member This field displays the names of the interfaces that belong to each zone. ZyWALL USG 20/20W User's Guide 329
  • ZyXEL ZYWALL USG 20W | User Guide - Page 330
    and VPN tunnels that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them. Click OK to save your customized settings and exit this screen. Click Cancel to exit this screen without saving. 330 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 331
    PROVIDER      SERVICE TYPES SUPPORTED                    WEBSITE
    DynDNS        Dynamic DNS, Static DNS, and Custom DNS    www.dyndns.com
    Dynu          Basic, Premium                             www.dynu.com
    No-IP         No-IP                                      www.no-ip.com
    Peanut Hull   Peanut Hull                                www.oray.cn
    3322          3322 Dynamic DNS, 3322 Static DNS          www.3322.org
    ZyWALL USG 20/20W User's Guide 331
  • ZyXEL ZYWALL USG 20W | User Guide - Page 332
    user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service DDNS service you are using. Domain Name This field displays each domain name the ZyWALL can route. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 333
    source IP address of the packets from the ZyWALL for the IP address to use for the domain name. custom - The IP address is static. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 334
    Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. Enable DDNS Select this check box to use this DDNS entry. Profile Profile Name are editing an entry. Select the type of DDNS service you are using. 334 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 335
    specified by the Primary Binding Interface settings is not available. Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address. ZyWALL USG 20/20W User's Guide 335
  • ZyXEL ZYWALL USG 20W | User Guide - Page 336
    is not available. Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving. 336 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 337
    in this Chapter Use the NAT screens (see Section 17.2 on page 338) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones. ZyWALL USG 20/20W User's Guide 337
  • ZyXEL ZYWALL USG 20W | User Guide - Page 338
    table describes the labels in this screen. Table 94 Configuration > Network > NAT LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. 338 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 339
    the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 20/20W User's Guide 339
  • ZyXEL ZYWALL USG 20W | User Guide - Page 340
    following table describes the labels in this screen. Table 95 Configuration > Network > NAT > Add LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in character cannot be a number. This value is case-sensitive. 340 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 341
    the HOST address objects in the ZyWALL. If you select one of them, this NAT rule supports the IP address specified by the address object. This field is available if Mapped IP is User Defined. Type the translated destination IP address that this NAT rule supports. ZyWALL USG 20/20W User's Guide 341
  • ZyXEL ZYWALL USG 20W | User Guide - Page 342
    interface's IP address as the source address for the traffic it sends to the LAN server. See NAT Loopback on page 343 for more details. If you do not enable NAT loopback, this NAT rule only applies to packets received on the rule's specified incoming interface. 342 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 343
    about NAT on the ZyWALL. NAT Loopback Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule's original IP to access the mail server. ZyWALL USG 20/20W User's Guide 343
  • ZyXEL ZYWALL USG 20W | User Guide - Page 344
    .168.1.89 SMTP 192.168.1.89 344 The LAN SMTP server replies to the ZyWALL's LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic's source matches the original destination address (1.1.1.1). If the ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 345
    through NAT, the source would not match the original destination address which would cause the LAN user's computer to shut down the session. Figure 207 LAN to LAN Return Traffic NAT Source 192.168.1.21 SMTP LAN Source 1.1.1.1 SMTP 192.168.1.21 192.168.1.89 ZyWALL USG 20/20W User's Guide 345
  • ZyXEL ZYWALL USG 20W | User Guide - Page 346
    Chapter 17 NAT 346 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 347
    them from a server. Proxy server A then forwards the response to the client. Figure 208 HTTP Redirect Example LAN1 18.1.1 What You Can Do in this Chapter Use the HTTP Redirect screens (see Section 18.2 on page 349) to display and edit the HTTP redirect rules. ZyWALL USG 20/20W User's Guide 347
  • ZyXEL ZYWALL USG 20W | User Guide - Page 348
    A. For HTTP traffic between dmz and wan1: • a from DMZ to WAN firewall rule (default) to allow HTTP requests from dmz to wan1. Responses to these requests are allowed automatically. • a policy route to forward HTTP traffic from proxy server A to the Internet. 348 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 349
    be received. Proxy Server This is the IP address of the proxy server. Port Apply Reset This is the service port number used by the proxy server. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. ZyWALL USG 20/20W User's Guide 349
  • ZyXEL ZYWALL USG 20W | User Guide - Page 350
    forward it to the specified proxy server. Proxy Server Enter the IP address of the proxy server. Port OK Cancel Enter the port number that the proxy server uses. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving. 350 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 351
    FTP - File Transfer Protocol - an Internet file transfer service. The following example shows SIP signaling (1) and audio (2) ZyWALL's NAT. 19.1.1 What You Can Do in this Chapter Use the ALG screen (Section 19.2 on page 355) to set up SIP, H.323, and FTP ALG settings. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 352
    H.323 signaling (1) and audio (2) sessions between H.323 devices A and B. Figure 212 H.323 ALG Example 352 SIP ALG • SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients can be in the same network or different networks. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 353
    WAN IP address 1. You also use a policy route to have LAN IP address A make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP address A ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 354
    the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses. For example, you configure firewall and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to allow LAN IP
  • ZyXEL ZYWALL USG 20W | User Guide - Page 355
    the ZyWALL's NAT. Select this to have the ZyWALL modify IP addresses and port numbers embedded in the SIP data payload. You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 356
    Port Clear this option if you have an FTP device or server that will modify IP addresses and port numbers embedded in the FTP data payload to match the ZyWALL's NAT environment. If you are using a custom TCP port number (not 21) for FTP traffic, enter it here. 356 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 357
    re-register automatically at set intervals or the users can manually force them to re-register. FTP File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts ZyWALL USG 20/20W User's Guide 357
  • ZyXEL ZYWALL USG 20W | User Guide - Page 358
    network that does not provide a guaranteed quality of service. NetMeeting uses H.323. SIP The Session Initiation Protocol multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol. SIP signaling ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 359
    Do in this Chapter • Use the Summary and Edit screens (Section 20.2 on page 360) to bind IP addresses to MAC addresses. • Use the Exempt List screen (Section 20.3 on page 363) to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. ZyWALL USG 20/20W User's Guide 359
  • ZyXEL ZYWALL USG 20W | User Guide - Page 360
    IP/MAC binding with Ethernet, bridge, VLAN, and WLAN (for USG 20W) interfaces. You can also enable or disable IP/MAC binding and logging in an interface's configuration screen. 20.2 IP/MAC Binding Summary Click Configuration > Network > IP/MAC Binding to open the IP ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 361
    make sure only the intended users get to use specific IP addresses. Enable Logs for IP/MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the ZyWALL. ZyWALL USG 20/20W User's Guide 361
  • ZyXEL ZYWALL USG 20W | User Guide - Page 362
    > Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the ZyWALL and the interface's IP address and subnet mask. IP Address Enter the IP address that the ZyWALL is to assign to a device with the entry's MAC address. 362 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 363
    for which the ZyWALL does not apply IP/MAC binding. Click the Add icon to add a new entry. Apply Click the Remove icon to delete an entry. A window displays asking you to confirm that you want to delete it. Click Apply to save your changes back to the ZyWALL. ZyWALL USG 20/20W User's Guide 363
  • ZyXEL ZYWALL USG 20W | User Guide - Page 364
    Chapter 20 IP/MAC Binding 364 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 365
    endpoint security check and is denied access. Figure 221 Authentication Policy Using Endpoint Security 21.1.1 What You Can Do in this Chapter Use the Configuration > Auth. Policy screens (Section 21.2 on page 366) to create and manage authentication policies. ZyWALL USG 20/20W User's Guide 365
  • ZyXEL ZYWALL USG 20W | User Guide - Page 366
    flow's source and destination IP addresses. If VPN traffic matches an authentication policy's source and destination IP addresses, the user must pass authentication. Multiple Policy screen displays the authentication policies you have configured on the ZyWALL. 366 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 367
    Chapter 21 Authentication Policy Click Configuration > Auth. Policy to display the screen. Figure 222 Configuration > Auth. Policy ZyWALL USG 20/20W User's Guide 367
  • ZyXEL ZYWALL USG 20W | User Guide - Page 368
    Keeping DNS as a member allows users' computers to resolve domain names into IP addresses. Figure 223 Configuration > Auth. Policy > Add Exceptional Service 368 Authentication Policy Summary Add Edit , specify the number to which you want to move the interface. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 369
    to return the screen to its last-saved settings. 21.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. ZyWALL USG 20/20W User's Guide 369
  • ZyXEL ZYWALL USG 20W | User Guide - Page 370
    and not configurable for the default policy. Destination Address Select a destination address or address group for whom this policy applies. Select any if the policy is effective for every destination. This is any and not configurable for the default policy. 370 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 371
    as possible, arrange the endpoint security objects in order with the one that the most users should match first and the one that the least users should match last. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User's Guide 371
  • ZyXEL ZYWALL USG 20W | User Guide - Page 372
    Chapter 21 Authentication Policy 372 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 373
    (Section 22.2 on page 381) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 22.3 on page 386) to limit the number of concurrent NAT/firewall sessions a client can use. ZyWALL USG 20/20W User's Guide 373
  • ZyXEL ZYWALL USG 20W | User Guide - Page 374
    ANY to ANY Traffic that does not match any firewall rule is allowed. So for example, LAN to WAN, LAN to DMZ, and LAN to WLAN traffic is allowed. This also includes traffic to or from interfaces or VPN tunnels that are not assigned to a zone (extra-zone traffic). 374 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 375
    to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN, WLAN (USG 20W), or WAN computers to access or manage the ZyWALL. • The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log
  • ZyXEL ZYWALL USG 20W | User Guide - Page 376
    from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need 376 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 377
    that the CEO's computer always uses the same IP address, make sure it either: • Has a static IP address, or • You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 286 for information on DHCP). ZyWALL USG 20/20W User's Guide 377
  • ZyXEL ZYWALL USG 20W | User Guide - Page 378
    . Your firewall would have the following configuration. Table 108 Limited LAN1 to WAN IRC Traffic Example 2
    #   USER   SOURCE   DESTINATION   SCHEDULE   SERVICE   ACTION
    1   CEO    Any      Any           Any        IRC       Allow
    2   Any    Any      Any           Any        IRC       Deny
    3   Any    Any      Any           Any        Any       Allow
    ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 379
    : Firewall Screen 2 At the top of the screen, click Create new Object > Address. 3 The screen for configuring an address object opens. Configure it as follows and click OK. Figure 229 Firewall Example: Create an Address Object 4 Click Create new Object > Service. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 380
    the name of the firewall rule. 8 Select Dest_1 is selected for the Destination and Doom is selected as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 231 Firewall Example: Edit a Firewall Rule 380 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 381
    steps and figure describe such a scenario. 1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN. 2 The ZyWALL reroutes the packet to gateway A, which is in Subnet 2. 3 The reply from the WAN goes to the ZyWALL. ZyWALL USG 20/20W User's Guide 381
  • ZyXEL ZYWALL USG 20W | User Guide - Page 382
    . So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination. See Section 7.9 on page 132 for an example. 382 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 383
    ). Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. Firewall Rule Summary ZyWALL USG 20/20W User's Guide 383
  • ZyXEL ZYWALL USG 20W | User Guide - Page 384
    at all times if enabled. This is the user name or user group name to which this firewall rule applies. This displays the source address object to which this firewall rule applies. This displays the destination address object to which this firewall rule applies. 384 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 385
    . Enable Select this check box to activate the firewall rule. From To For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself. ZyWALL USG 20/20W User's Guide 385
  • ZyXEL ZYWALL USG 20W | User Guide - Page 386
    22.3 The Session Limit Screen Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and 386 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 387
    111 Configuration > Firewall > Session Limit LABEL DESCRIPTION General Settings Enable Session Select this check box to control the number of concurrent sessions hosts limit can have. Default Session Use is active and dimmed when the entry is inactive. ZyWALL USG 20/20W User's Guide 387
  • ZyXEL ZYWALL USG 20W | User Guide - Page 388
    to configure any new settings objects that you need to use in this screen. Enable Rule Select this check box to turn on this session limit rule. Description Enter information to help you identify this rule. Use up to 64 printable ASCII characters. Spaces are allowed. 388 ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 389
    have. For this rule's users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Click Cancel to exit this screen without saving. ZyWALL USG 20/20W User's Guide 389
  • ZyXEL ZYWALL USG 20W | User Guide - Page 390
    Chapter 22 Firewall
  • ZyXEL ZYWALL USG 20W | User Guide - Page 391
    which VPN gateway a VPN connection policy uses and which devices (behind the IPSec routers) can use the VPN tunnel and the IPSec SA settings (phase 2 settings). You can also activate / deactivate and connect / disconnect each VPN connection (each IPSec SA).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 392
    ZyWALL's VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway. 23.1.2 What You Need to Know An IPSec VPN the IKE SA first.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 393
    a dynamic IP address. The IPSec server doesn't configure this ZyWALL's IP address or the addresses of the devices behind it. Only this ZyWALL can initiate the VPN tunnel. Finding Out More • See Section 6.5.14 on page 101 for related information on these screens.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 394
    to open the VPN Connection screen. The VPN Connection screen lists the VPN connection policies and their associated VPN gateway(s), and various settings. In addition, it also lets you activate / deactivate and connect / disconnect each VPN connection (each IPSec
  • ZyXEL ZYWALL USG 20W | User Guide - Page 395
    Figure 240 Configuration > VPN > IPSec VPN > VPN Connection manually create these policy routes. The ZyWALL automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes. Clear this to have the ZyWALL
  • ZyXEL ZYWALL USG 20W | User Guide - Page 396
    , go to the Configuration > VPN Connection screen (see Section 23.2 on page 394), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 397
    Figure 241 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 398
    this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. VPN Gateway Select the VPN gateway this VPN connection is to use or select Create Object to add another VPN gateway for this VPN connection to use.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 399
    the IP header information and the data. Transport - this mode only encrypts the data. Proposal Add Edit The ZyWALL and remote IPSec router must use the same encapsulation. Click this to create a new entry. Select an entry and click this to be able to modify it.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 400
    settings configured for the IPSec_VPN security zone will also apply to this VPN connection policy. The ZyWALL can regularly check the VPN connection to the gateway you specified to make sure it is still available. Select this to turn on the VPN connection check.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 401
    the translated source address (or select Create Object to configure a new one). This is the address object for the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 402
    to configure a port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range. Click OK to save the changes. Click Cancel to discard all changes and return to the main VPN screen.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 403
    . See Section 23.2 on page 394 for descriptions of the other fields. Table 116 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key LABEL DESCRIPTION Manual Key My Address Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 404
    VPN Table 116 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Secure Gateway Address SPI Type the IP encryption and the same services offered by AH, ZyWALL and remote IPSec router must use the same algorithm.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 405
    23 IPSec VPN Table 116 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key. Click OK to save your settings and exit this screen. Click Cancel to exit this screen without saving.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 406
    My address This field displays the interface or a domain name the ZyWALL uses for the VPN gateway. Secure Gateway This field displays the IP address(es) of the remote IPSec routers. VPN Connection This field displays VPN connections that use this VPN gateway.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 407
    Add/Edit Screen The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 23.3 on page 406), and click either the Add icon or an Edit icon.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 408
    of configuration fields. General Settings VPN Gateway Name Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Gateway Settings
  • ZyXEL ZYWALL USG 20W | User Guide - Page 409
    IPSec VPN Table 118 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION My Address Select how the IP address of the ZyWALL in the you need to enter pairs. The ZyWALL and remote IPSec router must use the same pre-shared key.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 410
    for identification and can be any string. E-mail - the ZyWALL is identified by an e-mail address; you can use up to 31 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 411
    e-mail address Any - the ZyWALL does not check the identity of the remote IPSec router If the ZyWALL and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate
  • ZyXEL ZYWALL USG 20W | User Guide - Page 412
    ID Type. Type the maximum number of seconds the IKE SA can last. When this time has passed, the ZyWALL and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not affect any existing IPSec SAs, however.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 413
    VPN Table 118 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Negotiation Mode Select the negotiation mode to use to negotiate the IKE SA. Choices are Main - this encrypts the ZyWALL routers must use the same DH key group.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 414
    . Type the password the ZyWALL sends to the remote IPSec router. The password can be 1-31 ASCII characters. It is case-sensitive, but spaces are not allowed. Click OK to save your settings and exit this screen. Click Cancel to exit this screen without saving.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 415
    IP addresses of the ZyWALL and remote IPSec router. You can usually enter a static IP address or a domain name for either or both IP addresses. Sometimes, your ZyWALL might offer another alternative, such as using the IP address of a port Diffie-Hellman key group
  • ZyXEL ZYWALL USG 20W | User Guide - Page 416
    (DH) Key Exchange on page 416 for more information about DH key groups. Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption
  • ZyXEL ZYWALL USG 20W | User Guide - Page 417
    keys for the IKE SA and IPSec SA. In main mode, ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. Note: The ZyWALL and the remote IPSec router must use the same pre-shared key.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 418
    @yourcompany.com It is also possible to configure the ZyWALL to ignore the identity of the remote IPSec router. In this case, you usually set the peer ID type to Any. This is less secure, so you should only use this if your ZyWALL provides another way to check
  • ZyXEL ZYWALL USG 20W | User Guide - Page 419
    example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA This IP address. VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 248 VPN/NAT Example X A
  • ZyXEL ZYWALL USG 20W | User Guide - Page 420
    password that is provided by the remote IPSec router. If you use extended authentication, it takes four more steps to establish an IKE SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10 in main mode, steps 4-7 in aggressive mode).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 421
    AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 422
    to an IKE SA proposal (see IKE SA Proposal on page 415), except that you also have the choice whether or not the ZyWALL and remote IPSec router perform a new DH key exchange every time an IPSec SA is established. This is called Perfect Forward Secrecy (PFS).
  • ZyXEL ZYWALL USG 20W | User Guide - Page 423
    and the Security Parameter Index (SPI) For authentication, the ZyWALL and remote IPSec router use the SPI, instead of pre-shared keys, ID type and content. The SPI is an identification number. Note: The ZyWALL and remote IPSec router must use the same SPI.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 424
    may not route messages for computer M through the IPSec SA because computer M's IP address is not part of its local policy. To set up this NAT, you have to specify the following information: • Source - the original source address; most likely, computer M's network.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 425
    destination address; in Figure 250 on page 424, the IP address of the mail server in the local network (A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 426
    Chapter 23 IPSec VPN
  • ZyXEL ZYWALL USG 20W | User Guide - Page 427
    to access network resources in the same way as if they were part of the internal network. Figure 251 Network Access Mode: Full Tunnel Mode SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks:
  • ZyXEL ZYWALL USG 20W | User Guide - Page 428
    for how to establish an SSL VPN connection to the ZyWALL (after you have configured the SSL VPN settings on the ZyWALL). • See Chapter 42 on page 621 for details on endpoint security objects. • See Chapter 41 on page 615 for details on SSL application objects.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 429
    displays the user account or user group name(s) associated to an SSL access policy. Access Policy Summary This field displays up to three names. This field displays details about the SSL application object this policy uses including its name, type, and address.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 430
    settings. Click Reset to discard all changes. 24.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 253 VPN > SSL VPN > Access Privilege > Add/Edit
  • ZyXEL ZYWALL USG 20W | User Guide - Page 431
    Operating System (OS) and security requirements of one of the SSL access policy's selected endpoint security objects before granting access. Select this and specify a number of minutes to have the ZyWALL repeat the endpoint security check at a regular interval.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 432
    List OK Cancel The SSL VPN IP pool cannot overlap with IP addresses on the ZyWALL's local networks (LAN and DMZ for example), the SSL user's network, or the networks you specify in the SSL VPN Network List. Select and return to the main Access Privilege screen.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 433
    two WAN ports. Do not include the host. For example, www.zyxel.com is a fully qualified domain name where "www" is the host; so you would just use "zyxel.com". The ZyWALL displays the normal login screen without the button for logging into the Web Configurator.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 434
    Setting tab to display the configuration screen. 2 Click Browse to locate the logo graphic. Make sure the file is in GIF, JPG, or PNG format. 3 Click Apply to start the file transfer process. 4 Log in as a user to verify that the new logo displays properly.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 435
    the ZyWALL login screen's SSL VPN button to establish an SSL VPN connection. See Section 25.2 on page 438 for details. 1 Display the ZyWALL's login screen and enter your user account information (the user name and password). Click SSL VPN. Figure 256 Login Screen
  • ZyXEL ZYWALL USG 20W | User Guide - Page 436
    account is not set up for SSL VPN access, an "SSL VPN connection is not activated" message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 25 on page 437.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 437
    loads the ZyWALL SecuExtender client program to your computer. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if you were on the local network. See Chapter 27 on page 449 for more on the ZyWALL SecuExtender.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 438
    for more information. Finding Out More See Chapter 24 on page 427 for how to configure SSL VPN on the ZyWALL. 25.2 Remote User Login This section shows you how to access and log into the network through the ZyWALL. Example screens for Internet Explorer are shown.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 439
    the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources. Figure 261 Login Screen
  • ZyXEL ZYWALL USG 20W | User Guide - Page 440
    OK, Yes or Continue. Figure 262 Java Needed Message 6 The ZyWALL tries to install the SecuExtender client. As shown next, you may have to click some pop-ups to get your browser to allow the installation. Figure 263 ActiveX Object Installation Blocked by Browser
  • ZyXEL ZYWALL USG 20W | User Guide - Page 441
    need to click something to get your browser to allow this. In Internet Explorer, click Run. Figure 265 SecuExtender Progress 9 Click Next to use the setup wizard to install the SecuExtender client on your computer. Figure 266 SecuExtender Progress
  • ZyXEL ZYWALL USG 20W | User Guide - Page 442
    10 If a screen like the following displays, click Continue Anyway to finish installing the Figure 268 on page 443 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 443
    to log out and terminate the secure connection. 3 Click this icon to create a bookmark to the SSL VPN user screen in your web browser. 4 Click this icon to display the on-line help window. 5 screen, click on a link to access or display the access method.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 444
    25.5 Logging Out of the SSL VPN User Screens To properly terminate a connection, click on the Logout icon in any remote user screen. 1 Click the Logout icon in any remote user screen. 2 A prompt window displays. Click OK to continue. Figure 270 Logout: Prompt
  • ZyXEL ZYWALL USG 20W | User Guide - Page 445
    3 An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 271 Logout: Connection Termination Progress
  • ZyXEL ZYWALL USG 20W | User Guide - Page 446
    Chapter 25 SSL User Screens
  • ZyXEL ZYWALL USG 20W | User Guide - Page 447
    whether the application supports Virtual Network Computing (VNC) or Remote Desktop Protocol (RDP). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 272 Application
  • ZyXEL ZYWALL USG 20W | User Guide - Page 448
    Chapter 26 SSL User Application Screens
  • ZyXEL ZYWALL USG 20W | User Guide - Page 449
    to access resources behind the ZyWALL. • Gray: the SSL VPN tunnel's connection is suspended. This means the SSL VPN tunnel is connected, but the ZyWALL SecuExtender will not send any traffic through it until you right-click the icon and resume the connection.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 450
    table of the computer names on your network and the IP addresses that they are currently using. These are the networks (including netmask) that you can access through the SSL VPN connection. This is how long the computer has been connected to the SSL VPN tunnel.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 451
    13:35:50 ][SecuExtender Agent][DETAIL] 611 bytes of handshake data received 27.4 Suspend and Resume the Connection When the ZyWALL SecuExtender icon in the system tray is green, you can right-click the icon and select Suspend Connection to keep the SSL VPN tunnel
  • ZyXEL ZYWALL USG 20W | User Guide - Page 452
    Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. 2 In the confirmation screen, click Yes. Figure 276 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender. Figure 277 ZyWALL SecuExtender Uninstallation
  • ZyXEL ZYWALL USG 20W | User Guide - Page 453
    by port, whether or not the ZyWALL continues to route the connection. DiffServ and DSCP Marking QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic
  • ZyXEL ZYWALL USG 20W | User Guide - Page 454
    ) indicating the level of service desired. This allows the LAN1 zone device. Bandwidth management is applied before sending the traffic out a LAN1 zone interface. Figure 278 LAN1 to WAN Connection and Packet Directions LAN1 Connection Outbound BWM BWM Inbound
  • ZyXEL ZYWALL USG 20W | User Guide - Page 455
    interface. After each application gets its configured bandwidth rate, the ZyWALL uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 456
    server A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps for server B. Table 128 Priority Effect (POLICY / CONFIGURED RATE / MAX. B. U. / PRIORITY / ACTUAL RATE): A / 800 kbps / Yes / 1 / 800 kbps; B / 1000 kbps / Yes / 2 / 200 kbps
  • ZyXEL ZYWALL USG 20W | User Guide - Page 457
    divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 - 500 = 500) equally a 8 Mbps downstream and 1 Mbps upstream ADSL connection.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 458
    the LAN and DMZ) is limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to the WAN. • Inbound traffic (to the LAN and DMZ from the WAN) is also limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to LAN or DMZ.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 459
    priorities so the local users' HTTP traffic gets sent before non-SIP traffic. • Enable maximize bandwidth usage so the HTTP traffic can borrow unused bandwidth. Figure 283 HTTP Any to WAN Bandwidth Management Example Outbound: 200 kbps BWM BWM Inbound: 500 kbps
  • ZyXEL ZYWALL USG 20W | User Guide - Page 460
    both outbound and inbound traffic to 50 Mbps. • Fourth highest priority (4). • Disable maximize bandwidth usage since you do not want to give FTP more bandwidth. Figure 285 FTP LAN to DMZ Bandwidth Management Example BWM Inbound: 50 Mbps BWM Outbound: 50 Mbps
  • ZyXEL ZYWALL USG 20W | User Guide - Page 461
    rules used by firewalls, to specify what the ZyWALL should do more precisely. This screen also allows you to add, edit, and remove conditions to this default policy. Click Configuration > Bandwidth Management entry is active and dimmed when the entry is inactive.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 462
    value of the route's outgoing packets to 0. The "af" choices stand for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 309 for more details.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 463
    field's configuration. Click Apply to save your changes back to the ZyWALL. Click Reset to Configuration > Bandwidth Management screen (see Section 28.2 on page 461), and click either the Add icon or an Edit icon. Figure 287 Configuration > Bandwidth Management > Edit
  • ZyXEL ZYWALL USG 20W | User Guide - Page 464
    details. Select preserve to have the ZyWALL keep the packets' original DSCP value. Select default to have the ZyWALL set the DSCP value of the packets to 0. Bandwidth Management Configure these fields to set the amount of bandwidth the application can use.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 465
    treated as being set to the lowest priority (7) regardless of this field's configuration. This field displays when the inbound or outbound bandwidth management is not set changes back to the ZyWALL. Click Cancel to exit this screen without saving your changes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 466
    Chapter 28 Bandwidth Management
  • ZyXEL ZYWALL USG 20W | User Guide - Page 467
    such as port scanning, sweeping or network flooding. It operates at OSI layer-2 and layer-3. Traffic anomaly rules may be updated when you upload new firmware. Protocol Decoder and ICMP Decoder. Protocol anomaly rules may be updated when you upload new firmware.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 468
    rules and protocol anomaly rules that you can activate as a set and configure common log and action settings. You can apply ADP profiles to traffic flowing .1.4 Before You Begin Configure the ZyWALL's zones - see Chapter 15 on page 327 for more information.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 469
    profiles to traffic directions. Figure 288 Configuration > Anti-X > ADP > General The following table describes the screens in this screen. Table 133 Configuration > Anti-X > ADP > General of anomaly profile policies. The list is applied in order of priority.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 470
    . Click Apply to save your changes. Click Reset to return the screen to its last-saved settings. 29.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile
  • ZyXEL ZYWALL USG 20W | User Guide - Page 471
    that trigger them. Click OK to save your changes. Click Cancel to exit this screen without saving your changes. 29.3.2 Configuring The ADP Profile Summary Screen Select Configuration > Anti-X > ADP > Profile. Figure 290 Configuration > Anti-X > ADP > Profile
  • ZyXEL ZYWALL USG 20W | User Guide - Page 472
    ADP profile. Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile. If you made changes to other screens
  • ZyXEL ZYWALL USG 20W | User Guide - Page 473
    belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 291 Profiles: Traffic Anomaly
  • ZyXEL ZYWALL USG 20W | User Guide - Page 474
    136 Configuration > ZyWALL silently drops packets that match the rule. Neither sender nor receiver is notified. This is the entry's index number in the list. The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 475
    reflects the packet type inspected. Protocol anomaly rules may be updated when you upload new firmware. 29.3.6 Protocol Anomaly Configuration In the Configuration > Anti-X > ADP > Profile screen, click the the changes before selecting the Protocol Anomaly tab.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 476
    Figure 292 Profiles: Protocol Anomaly
  • ZyXEL ZYWALL USG 20W | User Guide - Page 477
    describes the fields in this screen. Table 137 Configuration > ADP > Profile > Protocol Anomaly LABEL ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 44 on page 679 for more on logs.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 478
    on logs. Action Select what the ZyWALL should do when a packet matches a rule. none: The ZyWALL takes no action when a packet matches the signature(s). block: The ZyWALL silently drops packets that match the rule. Neither sender nor receiver is notified.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 479
    in use by the remote computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 480
    port scan examples. • TCP Filtered Portscan • TCP Filtered Decoy Portscan • TCP Filtered Portsweep • UDP Filtered Portscan • IP Filtered Portscan • UDP Filtered Decoy Portscan • UDP Filtered Portsweep • IP Filtered Decoy Portscan • IP Filtered Portsweep
  • ZyXEL ZYWALL USG 20W | User Guide - Page 481
    but the network of the spoofed source IP address (C). Figure 293 Smurf Attack TCP SYN Flood Attack Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then
  • ZyXEL ZYWALL USG 20W | User Guide - Page 482
    attack, hackers flood SYN packets into a network with a spoofed source IP address of the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unavailable while they try to respond to themselves.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 483
    /../xyz" get normalized to "/abc/xyz". Also, "/abc/./xyz" gets normalized to "/abc/xyz". If a user wants to configure an alert, then specify "yes", otherwise "no". This alert may give false positives since some web sites refer to files using directory traversals.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 484
    Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 485
    -LEN ATTACK This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes. This may cause some applications to crash. UNDERSIZE-OFFSET ATTACK This is when a TCP packet is sent header length. This may cause some applications to crash.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 486
    is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 487
    30.2 on page 489) to configure global content filtering settings, configure content filtering policies, and check the user/group objects to define to whose web access to apply the content filter profile. • Apply a content filter profile that you have custom-tailored.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 488
    with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is www.zyxel.com.tw. The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 489
    content filtering (see the Licensing > Registration screens). 30.2 Content Filter General Screen Click Configuration > Anti-X > Content Filter > General to open the Content Filter General screen. Use this screen to enable content filtering, view and order
  • ZyXEL ZYWALL USG 20W | User Guide - Page 490
    Filter Select this check box to have the ZyWALL collect category-based Report Service content filtering statistics. Policies This is a list of the configured content filter policies. Block web access when To turn off an entry, select it and click Inactivate.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 491
    users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message. Use "http://" or "https://" followed by up to 262 characters (0-9azA-Z For example, http://192.168.1.17/ blocked access.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 492
    . Click Reset to return the screen to its last-saved settings. 30.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content
  • ZyXEL ZYWALL USG 20W | User Guide - Page 493
    this policy. OK Cancel Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving your changes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 494
    screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Figure 298 Configuration > Anti-X > Content Filter > Filter Profile The it. See Section 10.2 on page 212 for how to register.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 495
    Chapter 30 Content Filtering See Chapter 31 on page 513 for how to view content filtering reports. Figure 299 Configuration > Anti-X > Content Filter > Filter Profile > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 496
    Chapter 30 Content Filtering Figure 300 Configuration > Anti-X > Content Filter > Filter Profile > Add (Continue)
  • ZyXEL ZYWALL USG 20W | User Guide - Page 497
    . Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 498
    the category of the blocked web page. Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Select Log to record attempts to access web pages that are not categorized.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 499
    the user is reasonably notified that the software will perform these actions (that is, it alerts that it will send personal information, be installed, or that it will log keystrokes). Note: Sites rated as spyware should have a second category assigned with them.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 500
    Chapter 30 Content Filtering Table 142 Configuration > Anti-X > Content Filter > Filter . It also includes any service that will allow a person to bypass the content filtering feature, such as anonymous surfing services. These are categories of web offered.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 501
    , review, or describe weapons such as guns, knives or martial arts devices, or provide information on their use, accessories, or other modifications. It does not include pages that promote collecting weapons, or groups that either support or oppose weapons use.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 502
    Table 142 Configuration > Anti-X systems. Hacking encompasses instructions on illegal or questionable Downloads This category includes pages that are dedicated to the electronic download of software packages, whether for payment or at no charge. Society/Government
  • ZyXEL ZYWALL USG 20W | User Guide - Page 503
    Configuration or offer methods, means of instruction, or other resources to affect services. It also includes pages that discuss or explain laws of various governmental entities. LGBT This category includes pages that provide information regarding, support
  • ZyXEL ZYWALL USG 20W | User Guide - Page 504
    30 Content Filtering Table 142 Configuration > Anti-X > Content Filter 15 minutes in length. TV/Video Streams This category includes pages that provide streams or downloads of television, movie, Webcam services such as voice over IP (VoIP). Health Related
  • ZyXEL ZYWALL USG 20W | User Guide - Page 505
    Filtering Table 142 Configuration > Anti-X > review, discuss, advertise Food and promote food, catering, dining services, cooking and recipes. Alcohol Sites that promote, offer for sale, glorify, review support or host online sweepstakes and giveaways.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 506
    Content Filtering Table 142 Configuration > Anti-X > Content that offer market information, brokerage or trading services. Job Search/Careers This category includes pages that boats, or aircraft, including pages that support online purchase of vehicles or parts. Web
  • ZyXEL ZYWALL USG 20W | User Guide - Page 507
    Configuration communities or hosting services. Web Applications This that support searching the used to identify a language. Test Web Site Category URL to test You can check which category ZyWALL. Click Cancel to exit this screen without saving your changes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 508
    to URLs in any way that bypasses the proxy server. 30.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the web sites based on whether the web site's address contains a
  • ZyXEL ZYWALL USG 20W | User Guide - Page 509
    in this screen. Table 144 Configuration > Anti-X > Content Filter This value is case-sensitive. Enable Custom Service Select this check box to allow trusted download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 510
    Chapter 30 Content Filtering Table 144 Configuration > Anti-X > Content Filter > a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN it is possible for LAN users to to delete it.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 511
    Configuration certain keywords in the domain name or IP address. Click this to create a new ZyWALL. Click Cancel to exit this screen without saving your changes. 30.7 Content Filter Technical Reference This section provides content filtering background information.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 512
    filter server sends the category information back to the ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site's address and category are then stored in the ZyWALL's content filter cache.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 513
    on how to create a myZyXEL.com account, register your device and activate the subscription services. 31.2 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access trial (up to 30 days). 1 Go to http://www.myZyXEL.com.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 514
    Chapter 31 Content Filter Reports 2 Fill in your myZyXEL.com account information and click Login. Figure 303 myZyXEL.com: Login
  • ZyXEL ZYWALL USG 20W | User Guide - Page 515
    /or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 305 on page 516). Figure 304 myZyXEL.com: Welcome
  • ZyXEL ZYWALL USG 20W | User Guide - Page 516
    Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 305 myZyXEL.com: Service Management 5 In the Web Filter Home screen, click the Reports tab. Figure 306 Content Filter Reports Main Screen
  • ZyXEL ZYWALL USG 20W | User Guide - Page 517
    in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 518
    Chapter 31 Content Filter Reports 8 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 308 Global Report Screen Example
  • ZyXEL ZYWALL USG 20W | User Guide - Page 519
    Chapter 31 Content Filter Reports 9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 309 Requested URLs Example
  • ZyXEL ZYWALL USG 20W | User Guide - Page 520
    Chapter 31 Content Filter Reports
  • ZyXEL ZYWALL USG 20W | User Guide - Page 521
    configured white list helps keep important e-mail from being incorrectly classified as spam. The white list can also increase the ZyWALL's anti-spam speed and efficiency by not having the ZyWALL perform the full anti-spam checking process on legitimate e-mail.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 522
    Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP be the same server). The ZyWALL's anti-spam feature checks SMTP (TCP port 25) and POP3 (TCP port 110) e-mails. The anti-
  • ZyXEL ZYWALL USG 20W | User Guide - Page 523
    . 32.2 Before You Begin Configure your zones before you configure anti-spam. 32.3 The Anti-Spam General Screen Click Configuration > Anti-X > Anti-Spam to open the Anti-Spam General screen. Use this screen to turn the anti-spam feature on or off and manage anti-
  • ZyXEL ZYWALL USG 20W | User Guide - Page 524
    to display a greater or lesser number of configuration fields. General Settings Enable AntiSpam Select this check box to check SMTP (TCP port 25) and POP3 (TCP port 110) traffic for spam e-mail. Action taken an entry and click this to be able to modify it.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 525
    Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to
  • ZyXEL ZYWALL USG 20W | User Guide - Page 526
    . The anti-spam policy has the ZyWALL scan traffic coming from the From zone and going to the To zone. Protocols to Scan Select which protocols of traffic to scan for spam. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 527
    screen. Configure the black list to identify spam e-mail. You can create black list entries based on the sender's or relay server's IP address or e-mail address. You can also create entries that check for particular e-mail header fields with specific values or
  • ZyXEL ZYWALL USG 20W | User Guide - Page 528
    Apply Reset This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 529
    subject text, or the sender's or relay's IP address or e-mail address. You can also create entries that check for particular header fields and values. Figure 313 Configuration > Anti-X > Anti-Spam > Black/White (?). See Section 32.4.2 on page 530 for more details.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 530
    wildcard. You cannot use two wildcards side by side; there must be other characters between them. • The ZyWALL checks the first header with the name you specified in the entry. So if the e-mail has more than one "Received" header, the ZyWALL checks the first one.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 531
    display the Anti-Spam White List screen. Configure the white list to identify legitimate e-mail. You can create white list entries based on the sender's or relay's IP address or e-mail address. You can also . # This is the entry's index number in the list.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 532
    to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 315 Configuration > Anti-X > Anti-Spam > DNSBL
  • ZyXEL ZYWALL USG 20W | User Guide - Page 533
    the ZyWALL. This tag is only added if the anti-spam policy is configured to forward spam mail with a spam tag. Max. IPs Checking Per Mail IP the ZyWALL forwards if queries to the DNSBL domains time out. DNSBL Domain List Add Click this to create a new entry.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 534
    Domain Apply Reset This is ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours. The ZyWALL checks an e-mail's sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 535
    . 4 The ZyWALL immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 536
    in its list (not spam). 4 Now that the ZyWALL has received at least one non-spam reply for each of the email's routing IP addresses, the ZyWALL immediately classifies the e-mail as legitimate and forwards it. The ZyWALL does not wait for any more DNSBL replies.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 537
    . 4 The ZyWALL immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 538
    Chapter 32 Anti-Spam
  • ZyXEL ZYWALL USG 20W | User Guide - Page 539
    configuration and services in the ZyWALL. User Types These are the types of user accounts the ZyWALL uses. Table 151 Types of User Accounts TYPE ABILITIES LOGIN METHOD(S) Admin Users admin Change ZyWALL configuration (web, CLI) WWW, TELNET, SSH, FTP, Console
  • ZyXEL ZYWALL USG 20W | User Guide - Page 540
    time, the ZyWALL checks the following places, in order. 1 User account in the remote server. 2 User account (Ext-User) in the ZyWALL. 3 Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the ZyWALL.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 541
    an example. • See Section 7.5 on page 120 for an example of configuring user accounts and user groups as part of user-aware access control. • See Section 7.6 on page 124 for an example of how to use a RADIUS server to authenticate user accounts based on groups.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 542
    you to create a new user account or edit an existing one. 33.2.1.1 Rules for User Names Enter a user name from 1 to 31 characters. The user name can only contain the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores]
  • ZyXEL ZYWALL USG 20W | User Guide - Page 543
    • uucp • zyxel • bin • games • news • shutdown • daemon • halt • nobody • sshd To access this screen, go to the User screen (see Section 33.2 on page 542), and click either the Add icon or an Edit icon. Figure 320 Configuration > User/Group > User > Add
  • ZyXEL ZYWALL USG 20W | User Guide - Page 544
    the Renew button on their screen. If you allow access users to renew time automatically (see Section 33.4 on page 547), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 545
    ZyWALL confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group. Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 232 for an example.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 546
    (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names. Description Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 547
    changes. 33.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 548
    manually configure any user account's authentication timeout settings. Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. # This field is a sequential value, and it is not associated with a specific entry.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 549
    User idle timeout has been reached. This is applicable for access users. This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 550
    selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 551
    . You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving your changes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 552
    the amount of lease time that remains, though the user might be able to reset it. Remaining time before auth. timeout This field displays the amount of time that remains before the ZyWALL automatically logs the access user out, regardless of the lease time.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 553
    might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 45 on page 693 for more information about shell scripts.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 554
    Chapter 33 User/Group
  • ZyXEL ZYWALL USG 20W | User Guide - Page 555
    using multiple static public WAN IP addresses for LAN to WAN traffic. 34.2 Address Summary Screen The address screens are used to create, maintain, and remove addresses. These are the types of address objects. • HOST - a host address is defined by an IP Address.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 556
    field displays the configured name of each address IP addresses represented by each address object. If the object's settings are based on one of the ZyWALL's interfaces, the name of the interface displays first followed by the object's current address settings.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 557
    IP address of the network that this address object represents. This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 558
    Chapter 34 Addresses Table 161 Configuration > Object > Address > Address > Edit (continued) LABEL DESCRIPTION Interface OK Cancel If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as displays the description of each address group, if any.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 559
    icon. Figure 331 Configuration > Object > Address > Address Group > Add (USG 20) The following table describes the labels in this screen. Table 163 Configuration > Object > Address back to the ZyWALL. Click Cancel to exit this screen without saving your changes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 560
    Chapter 34 Addresses
  • ZyXEL ZYWALL USG 20W | User Guide - Page 561
    configure the ZyWALL's list of services and their definitions. • Use the Service Group screens (Section 35.2 on page 562) to view and configure the ZyWALL's list of service groups. 35.1.2 What You Need to Know IP Protocols IP or that the messages arrive at all.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 562
    all services and their definitions. In addition, this screen allows you to add, edit, and remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column's heading cell to sort the table
  • ZyXEL ZYWALL USG 20W | User Guide - Page 563
    the entry. See Section 11.3.2 on page 232 for an example. # This field is a sequential value, and it is not associated with a specific service. Name This field displays the name of each service. Content This field displays a description of each service.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 564
    ZyWALL. Click Cancel to exit this screen without saving your changes. 35.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 565
    displays the name of each service group. Description By default, the ZyWALL uses services starting with "Default_Allow_" in the firewall rules to allow certain services to connect to the ZyWALL. This field displays the description of each service group, if any.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 566
    335 Configuration > Object > Service > Service Group > Edit The following table describes the labels in this screen. Table 167 Configuration > Object > Service > Service Group back to the ZyWALL. Click Cancel to exit this screen without saving your changes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 567
    to set up one-time and recurring schedules for policy routes, firewall rules, and content filtering. The ZyWALL supports one-time and recurring schedules. One-time schedules are effective only schedules are useful for defining the workday and off-work hours.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 568
    36.2.1 on page 569 and Section 36.2.2 on page 570 for more information as well. Table 168 Configuration > Object > Schedule LABEL DESCRIPTION One Time Add Edit Remove Object References Click this to create a new the date and time at which the schedule ends. Time
  • ZyXEL ZYWALL USG 20W | User Guide - Page 569
    > Edit (One Time) LABEL DESCRIPTION Configuration Name Type the name used to refer to the one-time schedule. You may use 131 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 570
    Chapter 36 Schedules Table 169 Configuration > Object > Schedule > Edit (One Time) (continued) LABEL DESCRIPTION Date Time StartDate Specify the year, month, and day when the schedule or edit an existing one. To access this screen, go to the Schedule screen
  • ZyXEL ZYWALL USG 20W | User Guide - Page 571
    and click either the Add icon or an Edit icon in the Recurring section. Figure 338 Configuration > Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not back to the ZyWALL. Click Cancel to exit this screen without saving your changes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 572
    Chapter 36 Schedules
  • ZyXEL ZYWALL USG 20W | User Guide - Page 573
    tries to bind (or log in) to the LDAP/AD server. 3 When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair. 4 If it matches, the user is allowed access. Otherwise, access is blocked.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 574
    screens. 6 Give the OTP tokens to (local or remote) users. 37.1.4 What You Can Do in this Chapter • Use the Configuration > Object > AAA Server > Active Directory (or LDAP) screens (Section 37.2 on page 577) to configure Active Directory or LDAP server objects.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 575
    RADIUS authentication allows you to validate a large number of users from a central location. Directory Structure The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or
  • ZyXEL ZYWALL USG 20W | User Guide - Page 576
    a bind DN is not specified, the ZyWALL will try to log in as an anonymous user. If the bind password is incorrect, the login will fail. Finding Out More • See Section 7.5.3 on page 122 for an example of how to set up user authentication using a radius server.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 577
    This specifies a directory. For example, o=ZyXEL, c=US. 37.2.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the
  • ZyXEL ZYWALL USG 20W | User Guide - Page 578
    . Table 172 Configuration > Object > Port Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 579
    the account's user name in the Username field and click Test. Click OK to save the changes. Click Cancel to discard the changes. 37.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 580
    . In this case, user authentication fails. Apply Reset Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. Click Apply to save the changes. Click Reset to return the screen to its last-saved settings.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 581
    following table describes the labels in this screen. Table 174 Configuration > Object > AAA Server > RADIUS > Add LABEL port number on the RADIUS server to which the ZyWALL Authentication sends authentication requests. Enter a number between 1 and 65535. Port
  • ZyXEL ZYWALL USG 20W | User Guide - Page 582
    "sales", "RD", and "management". Then you could also create an extgroup-user user object for each group. One with "sales" as the group identifier, another for "RD" and a third for "management". Click OK to save the changes. Click Cancel to discard the changes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 583
    on VPN for more information. Follow the steps below to specify the authentication method for a VPN connection. 1 Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. 2 Click Show Advance Setting and select Enable Extended Authentication.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 584
    OK to save the settings. Figure 346 Example: Using Authentication Method in VPN 38.2 Authentication Method Objects Click Configuration > Object > Auth. Method to display the screen as shown. Name This field displays a descriptive name for identification purposes.
  • ZyXEL ZYWALL USG 20W | User Guide - Page 585
    1 Click Configuration > Object ZyWALL does not continue the search on the second authentication server when you enter a username and password that do not match those on the first authentication server. Note: You can NOT select two server objects of the same type. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 586
    the labels in this screen. Table 176 Configuration > Object > Auth. Method > Add ZyWALL does not continue the search on the second authentication server when you enter a username and password that do not match those on the first authentication server. 586 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 587
    176 Configuration > Object > Auth. Method > Add (continued) LABEL Add icon DESCRIPTION Click Add to add a new entry. Click Edit to edit the settings of an entry. OK Cancel Click Delete to delete an entry. Click OK to save the changes. Click Cancel to discard the changes. ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 588
    Chapter 38 Authentication Method 588 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 589
    CHAPTER 39 Certificates 39.1 Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the a public key pair (one public key and one private key). ZyWALL USG 20/20W User's Guide 589
  • ZyXEL ZYWALL USG 20W | User Guide - Page 590
    and very secure since you can freely distribute public keys and you never need to transmit private keys. Self-signed Certificates You can have the ZyWALL act as a certification authority and sign its own certificates. 590 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 591
    describes how to check a certificate's fingerprint to verify that you have the actual certificate. 1 Browse to where you have the certificate saved on your computer. ZyWALL USG 20/20W User's Guide 591
  • ZyXEL ZYWALL USG 20W | User Guide - Page 592
    and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 592 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 593
    information about the certificate. Remove The ZyWALL keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. that you give each certificate a unique name. ZyWALL USG 20/20W User's Guide 593
  • ZyXEL ZYWALL USG 20W | User Guide - Page 594
    Click Refresh to display the current validity status of the certificates. 39.2.1 The My Certificates Add Screen Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the 594 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 595
    Chapter 39 Certificates ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 352 Configuration > Object > Certificate > My Certificates > Add ZyWALL USG 20/20W User's Guide 595
  • ZyXEL ZYWALL USG 20W | User Guide - Page 596
    Table 178 Configuration > Object although you must specify a Host IP Address, Host Domain Name, or ZyWALL generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates. 596 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 597
    's certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities. ZyWALL USG 20/20W User's Guide 597
  • ZyXEL ZYWALL USG 20W | User Guide - Page 598
    quit and return to the My Certificates screen. If you configured the My Certificate Create screen to have the ZyWALL enroll a certificate and the certificate enrollment is not successful is working properly if you want the ZyWALL to enroll a certificate online. 598 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 599
    to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name. Figure 353 Configuration > Object > Certificate > My Certificates > Edit ZyWALL USG 20/20W User's Guide 599
  • ZyXEL ZYWALL USG 20W | User Guide - Page 600
    39 Certificates The following table describes the labels in this screen. Table 179 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name Certification Path certificate has expired. "none" displays for a certification request. 600 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 601
    computer for later manual enrollment. Export Export Certificate Only Password Export Certificate with Private password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 602
    Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyWALL the ZyWALL. Click Browse to find the certificate file you want to upload. 602 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 603
    Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action. ZyWALL USG 20/20W User's Guide 603
  • ZyXEL ZYWALL USG 20W | User Guide - Page 604
    ) LABEL DESCRIPTION Object References You cannot delete certificates that any of the ZyWALL's features are configured to use. Select an entry and click Object References to open a 's name and set whether or not you want the ZyWALL to check a certification 604 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 605
    Chapter 39 Certificates authority's list of revoked certificates before trusting a certificate issued by the certification authority. Figure 356 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL USG 20/20W User's Guide 605
  • ZyXEL ZYWALL USG 20W | User Guide - Page 606
    authority). Password Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority). Certificate Information These read-only fields display detailed information about the certificate. 606 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 607
    in the certificate's path. This is the certificate's message digest that the ZyWALL calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. ZyWALL USG 20/20W User's Guide 607
  • ZyXEL ZYWALL USG 20W | User Guide - Page 608
    the instructions in this screen to save a trusted certificate to the ZyWALL. Note: You must remove any spaces from the certificate's filename before you can import the certificate. Figure 357 Configuration > Object > Certificate > Trusted Certificates > Import 608 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 609
    screen. Table 183 Configuration > Object > ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns an "expired", "current" or "unknown" response. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 610
    Chapter 39 Certificates 610 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 611
    40.2 on page 611) to create and manage ISP accounts in the ZyWALL. 40.2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL. To access this screen, click Configuration > Object > ISP Account. Figure 358 Configuration > Object > ISP Account ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 612
    edit information about existing accounts. To open this window, open the ISP Account screen. (See Section 40.2 on page 611.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below. Figure 359 Configuration > Object > ISP Account > Edit 612 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 613
    . If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank. If this ISP account uses the PPTP protocol, this field is not displayed. ZyWALL USG 20/20W User's Guide 613
  • ZyXEL ZYWALL USG 20W | User Guide - Page 614
    Chapter 40 ISP Accounts Table 185 Configuration > Object > ISP Account > Edit (continued) LABEL DESCRIPTION Compression Select On button to turn on stac compression, and profile (if it is new) or saving any changes to the profile (if it already exists). 614 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 615
    using standard web browsers. Remote User Screen Links Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access. ZyWALL USG 20/20W User's Guide 615
  • ZyXEL ZYWALL USG 20W | User Guide - Page 616
    how to create a web-based application for an internal web site. The address of the web site is http://info with web page encryption. 1 Click Configuration > Object > SSL Application in the navigation panel. 616 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 617
    Site for Access 41.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object > SSL Application in the navigation panel. Figure 362 Configuration > Object > SSL Application ZyWALL USG 20/20W User's Guide 617
  • ZyXEL ZYWALL USG 20W | User Guide - Page 618
    Address This field displays the IP address/URL of the application SSL Application screen and select Web Application in the Type field to display the configuration screen as shown. Figure 363 Configuration > Object > SSL Application > Add/Edit: Web Application 618 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 619
    "remote" directory. If a link contains a file that is not within this domain, then remote users cannot access it. This field displays if the Server Type is set to Web Server, OWA or Weblink. Click Preview to access the URL you specified in a new IE web browser. ZyWALL USG 20/20W User's Guide 619
  • ZyXEL ZYWALL USG 20W | User Guide - Page 620
    . Select this option to prevent users from saving the web content. Click Ok to save the changes and return to the main SSL Application Configuration screen. Click Cancel to discard the changes and return to the main SSL Application Configuration screen. 620 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 621
    VPN's endpoint security object and is granted access to the system resource defined in the SSL VPN access policy; in this example a web server. SSL VPN user C fails all of the SSL VPN's endpoint security check and is not given any access. Figure 364 Endpoint Security ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 622
    . Requirements User computers must have Sun's Java (Java Runtime Environment or 'JRE') installed and enabled with a minimum version of 1.4. Finding Out More See Section 7.7 on page 126 for an example of how to use endpoint security and authentication policies. 622 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 623
    be using. Checking Failure Message Enter a message to display when a user's computer fails the endpoint security check. Use up to 1023 characters (0-9a-zA-Z For example, "Endpoint Security checking failed. Please contact your network administrator for help.". ZyWALL USG 20/20W User's Guide 623
  • ZyXEL ZYWALL USG 20W | User Guide - Page 624
    Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object. Figure 366 Configuration > Object > Endpoint Security > Add 624 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 625
    Chapter 42 Endpoint Security ZyWALL USG 20/20W User's Guide 625
  • ZyXEL ZYWALL USG 20W | User Guide - Page 626
    to select multiple entries. The user's computer must have one of the listed personal firewalls to pass this checking item. For some personal firewalls the ZyWALL can also detect whether or not the firewall is activated; in those cases it must also be activated. 626 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 627
    . The user's computer must not have any of the listed applications running to pass this checking item. Include the filename extension for Linux operating systems. Click Add to create a new entry. Select one or more entries and click Remove to delete it or them. ZyWALL USG 20/20W User's Guide 627
  • ZyXEL ZYWALL USG 20W | User Guide - Page 628
    more entries and click Remove to delete it or them. OK Cancel The user's computer must pass one of the listed file information checks to pass this checking item. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving. 628 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 629
    the ZyWALL. You can also specify from which IP addresses the access can come. You can upload and download the ZyWALL's firmware and configuration files using FTP. Please also see Chapter 45 on page 693 for more information about firmware and configuration files. ZyWALL USG 20/20W User's Guide 629
  • ZyXEL ZYWALL USG 20W | User Guide - Page 630
    11 on page 670) to configure SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 630 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 631
    back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 43.4 Date and Time For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL's Real Time Chip (RTC) keeps track of the time and date. There is also ZyWALL USG 20/20W User's Guide 631
  • ZyXEL ZYWALL USG 20W | User Guide - Page 632
    If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered. When you enter the time settings manually, the ZyWALL uses the new setting once you click Apply. 632 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 633
    updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, ZyWALL starts up. • When you click Apply or Synchronize Now in this screen. • 24-hour intervals after starting up. Time Server Address Enter the IP ZyWALL USG 20/20W User's Guide 633
  • ZyXEL ZYWALL USG 20W | User Guide - Page 634
    Configure from 1 to 5.5 (by 0.5 increments). Apply Reset For example, if you set this field to 3.5, ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. 634 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 635
    1 Click System > Date/Time. 2 Select Get from Time Server under Time and Date Setup. 3 Under Time Zone Setup, select your Time Zone from the list. 4 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings. ZyWALL USG 20/20W User's Guide 635
  • ZyXEL ZYWALL USG 20W | User Guide - Page 636
    -saved settings. 43.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 636 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 637
    the time server. You can also configure the ZyWALL to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the ZyWALL sends to the specified DHCP client devices. Figure 372 Configuration > System > DNS ZyWALL USG 20/20W User's Guide 637
  • ZyXEL ZYWALL USG 20W | User Guide - Page 638
    is the domain zone for the www.zyxel.com.tw fully qualified domain name. Type A "*" means all domain zones. This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined). 638 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 639
    name of the IP address(es) with which the computer is allowed or denied to send DNS queries. This displays whether the ZyWALL accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny). ZyWALL USG 20/20W User's Guide 639
  • ZyXEL ZYWALL USG 20W | User Guide - Page 640
    or a reverse lookup record. It is a mapping of an IP address to a domain name. 43.6.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 373 Configuration > System > DNS > Address/PTR Record Edit 640 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 641
    zone for the www.zyxel.com.tw fully qualified domain name. 43.6.7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 374 Configuration > System > DNS > Domain Zone Forwarder Add ZyWALL USG 20/20W User's Guide 641
  • ZyXEL ZYWALL USG 20W | User Guide - Page 642
    configure proper MX records for your domain or other domain, external e-mail from other mail servers cannot be delivered to your mail server and vice versa. Each host or domain can have only one MX record; that is, one domain maps to one host. 642 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 643
    and exit this screen. Click Cancel to exit this screen without saving 43.6.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 376 Configuration > System > DNS > Service Control Rule Add ZyWALL USG 20/20W User's Guide 643
  • ZyXEL ZYWALL USG 20W | User Guide - Page 644
    service control to block administrator HTTPS access from all zones except the LAN. To stop a service from accessing the ZyWALL, clear Enable in the corresponding service screen. 43.7.1 Service Access Limitations A service cannot be used to access the ZyWALL when: 644 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 645
    Client Certificates in the WWW screen). Authenticate Client Certificates is optional and if selected means the HTTPS client must send the ZyWALL a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the ZyWALL. ZyWALL USG 20/20W User's Guide 645
  • ZyXEL ZYWALL USG 20W | User Guide - Page 646
    . 43.7.4 Configuring WWW Service Control Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from. 646 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 647
    WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using secure HTTPS connections. ZyWALL USG 20/20W User's Guide 647
  • ZyXEL ZYWALL USG 20W | User Guide - Page 648
    access. This is the object name of the IP address(es) with which the computer is allowed or denied to access. This displays whether the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). 648 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 649
    the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Auth. method screen. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 650
    and exit this screen. Click Cancel to exit this screen without saving 43.7.6 Customizing the WWW Login Page Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can 650 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 651
    43 System also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 33 on page 539 for more on access user accounts. Figure 380 Configuration > System > WWW > Login Page ZyWALL USG 20/20W User's Guide 651
  • ZyXEL ZYWALL USG 20W | User Guide - Page 652
    43 System The following figures identify the parts you can customize in the login and access pages. Figure 381 Login Page Customization Logo Title Message (color of all text) Background Figure 382 Background 652 You can specify colors in one of the following ways: ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 653
    an access user logs into the Web Configurator to access network services like the Internet. Title Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed. Message Color Specify the color of the screen's text. ZyWALL USG 20/20W User's Guide 653
  • ZyXEL ZYWALL USG 20W | User Guide - Page 654
    is from the ZyWALL. You see the following Security Alert screen in Internet Explorer. Select Yes to proceed to the Web Configurator login screen; if you select No, then Web Configurator access is blocked. Figure 383 Security Alert Dialog Box (Internet Explorer) 654 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 655
    . Select Accept this certificate permanently to import the ZyWALL's certificate into the SSL client. Figure 384 Security Certificate 1 (Netscape) displays warnings about the ZyWALL's HTTPS server certificate and what you can do to avoid seeing the warnings: ZyWALL USG 20/20W User's Guide 655
  • ZyXEL ZYWALL USG 20W | User Guide - Page 656
    SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). 656 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 657
    a Certification Authority (CA) that is trusted by the ZyWALL (see the ZyWALL's Trusted CA Web Configurator screen). Figure 387 ZyWALL Trusted CA Screen The CA sends you a package containing Certificate and follow the wizard as shown earlier in this appendix. ZyWALL USG 20/20W User's Guide 657
  • ZyXEL ZYWALL USG 20W | User Guide - Page 658
    43 System 43.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double import a different certificate. Figure 390 Personal Certificate Import Wizard 2 658 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 659
    3 Enter the password given to you by the CA. Figure 391 Personal Certificate Import Wizard 3 Chapter 43 System 4 Have the wizard select Place all certificates in the following store and choose a different location. Figure 392 Personal Certificate Import Wizard 4 ZyWALL USG 20/20W User's Guide 659
  • ZyXEL ZYWALL USG 20W | User Guide - Page 660
    Certificate Import Wizard 6 43.7.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter 'https://ZyWALL IP Address/' in your browser's web address field. Figure 395 Access the ZyWALL Via HTTPS 660 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 661
    the Web Configurator login screen. Figure 397 Secure Web Configurator Login Screen 43.8 SSH You can use SSH (Secure SHell) to securely access the ZyWALL's command line interface. Specify which zones allow SSH access and from which IP address the access can come. ZyWALL USG 20/20W User's Guide 661
  • ZyXEL ZYWALL USG 20W | User Guide - Page 662
    the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 398 SSH Communication Over the WAN Example 43.8.1 How SSH Works checked against the saved version on the client computer. 662 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 663
    over SSH. 43.8.4 Configuring SSH Click Configuration > System > SSH to change your ZyWALL's Secure Shell settings. Use this screen to specify from which zones SSH can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL USG 20/20W User's Guide 663
  • ZyXEL ZYWALL USG 20W | User Guide - Page 664
    entry or select it and click Edit to be able to modify the entry's settings. To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. 664 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 665
    information (IP address, port number) for the ZyWALL. 2 Configure the SSH client to accept connection using SSH version 1. 3 A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 401 SSH Example 1: Store Host Key ZyWALL USG 20/20W User's Guide 665
  • ZyXEL ZYWALL USG 20W | User Guide - Page 666
    to the list of known hosts. [email protected]'s password: 3 The CLI screen displays next. 43.9 Telnet You can use Telnet to access the ZyWALL's command line interface. Specify which zones allow Telnet access and from which IP address the access can come. 666 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 667
    Configuration > System > TELNET LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service. Server Port typed. ZyWALL USG 20/20W User's Guide 667
  • ZyXEL ZYWALL USG 20W | User Guide - Page 668
    45 on page 693 for more information about firmware and configuration files. 43.10.1 Configuring FTP To change your ZyWALL's FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can 668 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 669
    entry or select it and click Edit to be able to modify the entry's settings. To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action. ZyWALL USG 20/20W User's Guide 669
  • ZyXEL ZYWALL USG 20W | User Guide - Page 670
    is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) 670 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 671
    be collected about a device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP Allows the manager to retrieve an object variable from the agent. ZyWALL USG 20/20W User's Guide 671
  • ZyXEL ZYWALL USG 20W | User Guide - Page 672
    link is up. This trap is sent when an SNMP request comes from non-authenticated hosts. 43.11.3 Configuring SNMP To change your ZyWALL's SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP 672 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 673
    the password sent with each trap to the SNMP manager. The default is public and allows all requests. Destination Type the IP address of the station to send your SNMP traps to. Service Control This specifies from which computers you can access which ZyWALL zones. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 674
    CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not make any configuration changes directly on the ZyWALL (using either the Web Configurator or commands) without notifying the Vantage CNM administrator. 674 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 675
    to forward UDP port 11864 traffic to the Vantage CNM server. If the Vantage CNM server is behind a firewall, you may have to create a rule on the firewall to allow UDP port 11864 traffic through to the Vantage CNM server (most (new) ZyXEL firewalls automatically allow this). ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 676
    certificates. Vantage Certificate Apply Reset Select the Vantage CNM server's certificate. This applies when you enable HTTPS authentication. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 676 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 677
    a display language for the ZyWALL's Web Configurator screens. You also need to open a new browser session to display the screens in the new language. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. ZyWALL USG 20/20W User's Guide 677
  • ZyXEL ZYWALL USG 20W | User Guide - Page 678
    Chapter 43 System 678 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 679
    this Chapter • Use the Email Daily Report screen (Section 44.2 on page 679) to configure where and how to send daily reports and what reports to send. • Use the Maintenance your ZyWALL. Note: Data collection may decrease the ZyWALL's traffic throughput rate. ZyWALL USG 20/20W User's Guide 679
  • ZyXEL ZYWALL USG 20W | User Guide - Page 680
    Chapter 44 Log and Report Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 410 Configuration > Log & Report > Email Daily Report 680 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 681
    a system log and supports e-mail profiles and remote syslog servers. The system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers. ZyWALL USG 20/20W User's Guide 681
  • ZyXEL ZYWALL USG 20W | User Guide - Page 682
    the same time. 44.3.1 Log Setting Summary To access this screen, click Configuration > Log & Report > Log Setting. Figure 411 Configuration > Log & Report > Log Setting 682 The following table describes the . To turn off an entry, select it and click Inactivate. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 683
    Chapter 44 Log and Report Table 211 Configuration > Log & Report > Log Setting (continued log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL's Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog- log Edit icon. ZyWALL USG 20/20W User's Guide 683
  • ZyXEL ZYWALL USG 20W | User Guide - Page 684
    Chapter 44 Log and Report Figure 412 Configuration > Log & Report > Log Setting > Edit (System Log) 684 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 685
    Configuration IP ZyWALL will e-mail logs to them. enable normal logs and debug logs (yellow check mark) create log messages, alerts, and debugging information for all categories. The ZyWALL does not e-mail debugging information, even if this setting is selected. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 686
    Chapter 44 Log and Report Table 212 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL e-mail settings specified in E-Mail Server 2. The ZyWALL does not e-mail debugging information, even if it is recorded in the System log. Log Consolidation 686 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 687
    Chapter 44 Log and Report Table 212 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION Active Select this to activate log previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 20/20W User's Guide 687
  • ZyXEL ZYWALL USG 20W | User Guide - Page 688
    the remote server (syslog). Go to the Log Settings Summary screen (see Section 44.3.1 on page 682), and click a remote server Edit icon. Figure 413 Configuration > Log & Report > Log Setting > Edit (Remote Server) 688 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 689
    labels in this screen. Table 213 Configuration > Log & Report > Log information. It is read-only. VRPT/Syslog - ZyXEL's Vantage Report, syslog-compatible format. CEF/Syslog Server Address Type the server name or the IP address of the syslog server to which to ZyWALL USG 20/20W User's Guide 689
  • ZyXEL ZYWALL USG 20W | User Guide - Page 690
    of indicating which messages are included in each log and each alert. Please see Section 44.3.2 on page 683, where this process is discussed. (The Default category includes debugging messages generated by open source software.) 690 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 691
    and Report The following table describes the fields in this screen. Table 214 Configuration > Log & Report > Log Setting > Active Log Summary LABEL System in the View Log tab. The Default category includes debugging messages generated by open source software. ZyWALL USG 20/20W User's Guide 691
  • ZyXEL ZYWALL USG 20W | User Guide - Page 692
    Chapter 44 Log and Report Table 214 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System log Select which events you want to previous screen. Cancel Click this to return to the previous screen without saving your changes. 692 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 693
    When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change. ZyWALL USG 20/20W User's Guide 693
  • ZyXEL ZYWALL USG 20W | User Guide - Page 694
    because the rest of the commands are executed in Configuration mode. Comments in Configuration Files or Shell Scripts In a configuration file or shell script, use "#" or "!" as the first character of a command line to have the ZyWALL treat the line as a comment. 694 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 695
    or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors. ZyWALL USG 20/20W User's Guide 695
  • ZyXEL ZYWALL USG 20W | User Guide - Page 696
    errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors. Figure 416 Maintenance > File Manager > Configuration File 696 Do not turn off the ZyWALL while configuration file upload is in progress. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 697
    to delete the configuration file. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file. Click a configuration file's row to select it and click Download to save the configuration to your computer. ZyWALL USG 20/20W User's Guide 697
  • ZyXEL ZYWALL USG 20W | User Guide - Page 698
    File Manager > Configuration File > Copy Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9 Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. 698 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 699
    each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. ZyWALL USG 20/20W User's Guide 699
  • ZyXEL ZYWALL USG 20W | User Guide - Page 700
    may take up to two minutes. 45.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the ZyWALL. 700 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 701
    before you can upload them. Click Upload to begin the upload process. This process may take up to two minutes. After you see the Firmware Upload in Process screen, wait two minutes before logging into the ZyWALL again. Figure 421 Firmware Upload In Process ZyWALL USG 20/20W User's Guide 701
  • ZyXEL ZYWALL USG 20W | User Guide - Page 702
    the screen. Figure 423 Firmware Upload Error 45.4 The Shell Script Screen Use shell script files to have the ZyWALL use commands that you ZyWALL restarts. You could use multiple write commands in a long script. Figure 424 Maintenance > File Manager > Shell Script 702 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 703
    . Use up to 25 characters (including a-zA-Z0-9 Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. ZyWALL USG 20/20W User's Guide 703
  • ZyXEL ZYWALL USG 20W | User Guide - Page 704
    to your ZyWALL. Type in the location of the file you want to upload in this field or click Browse... to find it. Click Browse... to find the .zysh file you want to upload. Click Upload to begin the upload process. This process may take up to several minutes. 704 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 705
    device to your computer. 46.2 The Diagnostic Screen The Diagnostic screen provides an easy way for you to generate a file containing the ZyWALL's configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. ZyWALL USG 20/20W User's Guide 705
  • ZyXEL ZYWALL USG 20W | User Guide - Page 706
    files screen. This screen lists the files of diagnostic information the ZyWALL has collected and stored in a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 428 Maintenance > Diagnostics > Files 706 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 707
    The Packet Capture Screen Use this screen to capture network traffic going through the ZyWALL's interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. ZyWALL USG 20/20W User's Guide 707
  • ZyXEL ZYWALL USG 20W | User Guide - Page 708
    object for which to capture packets. Select any to capture packets for all hosts. Select User Defined to be able to enter an IP address. This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture. 708 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 709
    USB storage device connected to the ZyWALL. Status: Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the ZyWALL cannot mount it. none - -file suffix.cap", for example "vlan2-packet-capture.cap". ZyWALL USG 20/20W User's Guide 709
  • ZyXEL ZYWALL USG 20W | User Guide - Page 710
    ZyWALL or a connected USB storage device. You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. Figure 430 Maintenance > Diagnostics > Packet Capture > Files 710 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 711
    . Size This column displays the size (in bytes) of a configuration file. Last Modified This column displays the date and time that the ZyWALL truncated the frame because the capture screen's Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes. ZyWALL USG 20/20W User's Guide 711
  • ZyXEL ZYWALL USG 20W | User Guide - Page 712
    USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics > Core Dump to open the following screen. Figure 432 Maintenance > Diagnostics > Core Dump 712 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 713
    core dump to USB storage (if ready) Apply Reset Select this to have the ZyWALL save a process's core dump to an attached USB stored on the ZyWALL or a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 433 ZyWALL USG 20/20W User's Guide 713
  • ZyXEL ZYWALL USG 20W | User Guide - Page 714
    screen. Table 225 Maintenance > Diagnostics > System Log LABEL DESCRIPTION Remove Download Select files and click Remove to delete them from the ZyWALL. Use the [Shift] and/or [Ctrl] key to select multiple date and time that the individual files were saved. 714 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 715
    routes to control 1-1 NAT by using the policy control-virtual-server-rules activate command. • select use policy routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection screen. ZyWALL USG 20/20W User's Guide 715
  • ZyXEL ZYWALL USG 20W | User Guide - Page 716
    Explore Note: Once a packet matches the criteria of a routing rule, the ZyWALL takes the corresponding action and does not perform any further flow checking. Figure Status (1-1 SNAT) Figure 438 Maintenance > Packet Flow Explore > Routing Status (Site-to-Site VPN) 716 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 717
    Status (Dynamic VPN) Figure 440 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 441 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 442 Maintenance > Packet Flow Explore > Routing Status (Main Route) ZyWALL USG 20/20W User's Guide 717
  • ZyXEL ZYWALL USG 20W | User Guide - Page 718
    service object. any means all services. DSCP Code This is the DSCP value of incoming packets to which this policy route applies. See Section 13.2 on page 300 for more information. Next Hop Type This is the type of the next hop to which packets are directed. 718 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 719
    . To access this screen, click Maintenance > Packet Flow Explore > SNAT Status. The order of the SNAT flow may vary depending on whether you: • select use default SNAT in the CONFIGURATION > Network > Interface > Trunk screen. ZyWALL USG 20/20W User's Guide 719
  • ZyXEL ZYWALL USG 20W | User Guide - Page 720
    command. Note: Once a packet matches the criteria of an SNAT rule, the ZyWALL takes the corresponding action and does not perform any further flow checking. Figure 443 (Loopback SNAT) Figure 446 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) 720 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 721
    . SNAT This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the ZyWALL uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. ZyWALL USG 20/20W User's Guide 721
  • ZyXEL ZYWALL USG 20W | User Guide - Page 722
    Chapter 47 Packet Flow Explore 722 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 723
    > Reboot Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL. ZyWALL USG 20/20W User's Guide 723
  • ZyXEL ZYWALL USG 20W | User Guide - Page 724
    Chapter 48 Reboot 724 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 725
    off the ZyWALL or remove the power. Not doing so can cause the firmware to ZyWALL. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the ZyWALL. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 726
    Chapter 49 Shutdown 726 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 727
    the ZyWALL's password, use the RESET button. Press the button in for about 5 seconds (or until the PWR LED starts to blink), then release it. It returns the ZyWALL to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.; see your User's Guide for details). ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 728
    I configured. The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that the traffic would also match. The ZyWALL is not applying the custom firewall rule I configured. 728 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 729
    updates the corresponding interface-based, LAN1 subnet address object. I cannot set up a PPP interface. You have to set up an ISP account before you create a PPPoE or PPTP interface. The data rates through my cellular connection are nowhere near the rates I expected. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 730
    interface on top of an Ethernet interface even though I have configured it on top of another Ethernet interface. Each VLAN interface is created on top of only one Ethernet interface. The ZyWALL is not applying an interface's configured ingress bandwidth limit. 730 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 731
    set to Internal or External. The ZyWALL is not applying a policy route's port triggering settings. You also need to create a firewall rule to allow an incoming service. I cannot get Dynamic DNS to work. • You must have a public WAN IP address to use Dynamic DNS. ZyWALL USG 20/20W User's Guide 731
  • ZyXEL ZYWALL USG 20W | User Guide - Page 732
    into both ZyXEL IPSec routers and check the settings in each field methodically and slowly. Make sure both the ZyWALL and remote IPSec router have the same security settings for the VPN tunnel. It may help to display the settings for both routers side-by-side. 732 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 733
    firewall rules check packets the ZyWALL sends before the ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 734
    Transparent background is recommended. I logged into the SSL VPN but cannot see some of the resource links. Available resource links vary depending on the SSL application object's configuration. I changed the LAN IP address and can no longer access the Internet. 734 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 735
    user group. I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is not being applied at the configured times. Make sure the ZyWALL's current date and time are correct. ZyWALL USG 20/20W User's Guide 735
  • ZyXEL ZYWALL USG 20W | User Guide - Page 736
    the service control rules and to-ZyWALL firewall rules. I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. 736 Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 737
    for more on configuration files and shell scripts. I cannot get the firmware uploaded using the commands. The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. ZyWALL USG 20/20W User's Guide 737
  • ZyXEL ZYWALL USG 20W | User Guide - Page 738
    with the settings in the system-default.conf file. Note: This procedure removes the current configuration. If you want to reboot the device without changing the current configuration, see Chapter 48 on page 723. 1 Make sure the SYS LED is on and not blinking. 738 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 739
    the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 50.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL USG 20/20W User's Guide 739
  • ZyXEL ZYWALL USG 20W | User Guide - Page 740
    Chapter 50 Troubleshooting 740 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 741
    % (non-condensing) Mean Time Between Failures: 323,823 hours The ZyWALL has wall-mounting holes on the bottom panel. The centers of the holes are located 156 mm apart. It is recommended that you do NOT wall-mount the ZyWALL. A wall-mounting kit is not included. ZyWALL USG 20/20W User's Guide 741
  • ZyXEL ZYWALL USG 20W | User Guide - Page 742
    User Groups Maximum Users in One User Group OBJECTS Address Objects Address Groups Maximum address object in one group Service Objects 8 4 per interface 1 2 2 64 100 6000 1024 8K 128 up to 8 per PR rule up to interface limit 1000 500 500 64 5 16 64 100 25 64 200 742 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 743
    default) 7 Maximum Number of Zones (user created) 8 Number of Trunks (system default) 1 Maximum Number of Trunks (user created) 2 IPSEC VPN Maximum Number of IPSec VPN Tunnels 5 CERTIFICATES Certificate Buffer Size 64 K BUILT-IN SERVICES Period 3600 ZyWALL USG 20/20W User's Guide 743
  • ZyXEL ZYWALL USG 20W | User Guide - Page 744
    , 1334, 1661, 1662, 2472 Interface-PPTP RFCs 2637, 3078 Interface-PPPOE RFC 2516 Interface-VLAN IEEE 802.1Q Dynamic Route, Show IP route RFCs 1058, 2082, 2453, 2328, 3101, 3137 Telnet server RFCs 1408, 1572 SSH server RFCs 4250, 4251, 4252, 4253, 4254 744 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 745
    232 North American Plug Standards AC POWER ADAPTOR MODEL PSA18R-120P (ZA)-R INPUT POWER 100-240VAC, 50/60HZ, 0.5A OUTPUT POWER 12VDC, 1.5A POWER CONSUMPTION 20 W MAX. SAFETY STANDARDS UL, CUL (UL 60950-1 FIRST EDITION CSA C22.2 NO. 60950-1-03 1ST.) ZyWALL USG 20/20W User's Guide 745
  • ZyXEL ZYWALL USG 20W | User Guide - Page 746
    PSA18R-120P (ZA)-R 100-240VAC, 50/60HZ, 0.5A 12VDC, 3.5A 20 W MAX. JET Table 237 China Plug Standards AC POWER ADAPTOR MODEL INPUT POWER OUTPUT POWER POWER CONSUMPTION SAFETY STANDARDS PSA18R-120P (ZA)-R 100-240VAC, 50/60HZ, 0.5A 12VDC, 3.5A 20 W MAX. CCC 746 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 747
    to a profile and the default policy is not set to block. %s: Service is not registered %s: website host The device allowed access to a web site. The content filtering service is unregistered and the default policy is not set to block. %s: website host ZyWALL USG 20/20W User's Guide 747
  • ZyXEL ZYWALL USG 20W | User Guide - Page 748
    web site was blocked due to: 1. Can't resolve rating server IP (No DNS) 2. Invalid service license 4. Rating service is restarting 5. Can't connect to rating server 6. Query failed a cookie and access was blocked according to a profile. %s: website host 748 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 749
    list. %s: Keyword blocking %s: website host The web content matched a user defined keyword. %s: Blocking by default policy %s: website host No content filter policy is applied and access was specified index number been deactivated. (%d) has been turned off. ZyWALL USG 20/20W User's Guide 749
  • ZyXEL ZYWALL USG 20W | User Guide - Page 750
    email's From (first %s) and Subject (second %s) header values are listed. IP %s in DNSBL %s. From:%s Subject:%s The listed IP address (the first %s) was listed in the specified DNSBL (second %s). The e-mail sessions that the anti-spam feature can handle (%d). 750 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 751
    address object (first %s) is not the right kind for the first WINS server specified in the listed SSL VPN policy (second %s). The listed address object (first %s) is not the right kind for the second WINS server specified in the listed SSL VPN policy (second %s). ZyWALL USG 20/20W User's Guide 751
  • ZyXEL ZYWALL USG 20W | User Guide - Page 752
    been modified. changed. SSL VPN policy rule %s has been moved to %d. The listed SSL VPN policy (%s) has been moved to the listed position (%d) in the list of SSL VPN policies. SSL VPN policy rule %s has been deleted. The listed SSL VPN policy has been removed. 752 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 753
    (incorrect password or inexistent username) The listed user (%s) failed to log into SSL VPN because of entering an incorrect password or a user name that does not exist. %s: Failed to receive messages from uam daemon. Messages were not received from the UAM daemon. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 754
    DESCRIPTION Invalid message queue. Maybe someone starts another zysh daemon. ZySH daemon is instructed to reset by %d 1st:pid num System integrity error! Group OPS cannot close property group full! 1st:zysh list name Can't undefine %s 1st:zysh list name 754 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 755
    at initial stage! 1st:zysh table name %s: apply failed at main stage! 1st:zysh table name %s: apply failed at closing stage! 1st:zysh table name ZyWALL USG 20/20W User's Guide 755
  • ZyXEL ZYWALL USG 20W | User Guide - Page 756
    handle length The ZyWALL's ADP feature detected a packet with a length over 16000 bytes. LAND attack packet. Source IP is the same as Destination IP. The ZyWALL's ADP feature detected traffic with the same IP address set as both the source and the destination. 756 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 757
    the console port so the ZyWALL is blocking login attempts on the console port. Too many failed login attempts were made from an IP address so the ZyWALL is blocking login attempts from that IP address. %u.%u.%u.%u: the source address of the user's login attempt ZyWALL USG 20/20W User's Guide 757
  • ZyXEL ZYWALL USG 20W | User Guide - Page 758
    service name The ZyWALL blocked a login according to the access control configuration. User %s has been denied access from %s %s: service name The ZyWALL blocked a login attempt by the specified user name because of an invalid user name or password. 2nd %s: service ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 759
    MyZyXEL.com server. Service expiration check has succeeded. Service expiration check has failed. Because of lack must fields. Server setting error. Resolve server IP has failed. Verify started to check whether or not the user name in MyZyXEL.com's database. ZyWALL USG 20/20W User's Guide 759
  • ZyXEL ZYWALL USG 20W | User Guide - Page 760
    The device cannot parse the response returned by the server. Maybe some required fields are missing. Server setting error. Update stop. The device could not resolve the update server's FQDN to an IP address through gethostbyname(). The update process stopped. 760 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 761
    's FQDN to an IP address through gethostbyname(). service expiration day check immediately after device registration. The processes a service expiration day check every 24 hrs. Read data from EEPROM has failed. This error message is shown when getting MAC address. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 762
    device can find this through either a service expiration day check via MyZyXEL.com server or by the device's own count. The device only supports SSLv3 protocol. %d: SSL version assigned by client. The device to this device. Cannot find SA according to the cookie. 762 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 763
    the ID is IPv6 ID. [ID] : Tunnel [%s] Remote IP mismatch %s is the tunnel name. When negotiating Phase-1, the peer tunnel IP did not match the secure gateway address in VPN gateway. [ is the tunnel name. When negotiating Phase-1, the transform ID was invalid. ZyWALL USG 20/20W User's Guide 763
  • ZyXEL ZYWALL USG 20W | User Guide - Page 764
    manual %s is the tunnel name. The manual key tunnel cannot be key tunnel "%s" dialed. DPD response with invalid ID When receiving a DPD response with invalid ID ignored. DPD response with no active request When receiving a DPD response with no active query. 764 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 765
    the gateway name. An administrator enabled the VPN gateway. XAUTH fail! My name: %s %s is the my xauth name. This indicates that my name is invalid. XAUTH fail! Remote user: %s %s is the remote xauth name. This indicates that a remote user's name is invalid. ZyWALL USG 20/20W User's Guide 765
  • ZyXEL ZYWALL USG 20W | User Guide - Page 766
    valid. XAUTH succeed! Remote user: %s %s is the remote xauth name. This indicates that a remote user's name is valid. Dynamic Tunnel [%s:%s:0x%x:%s] built successfully The variables represent the phase 1 name, shortage, corrupt packet, invalid MAC, and so on). 766 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 767
    is the new global index of rule %d is the global index of rule Firewall rules were flushed %d is the global index of rule, %s is appended/inserted/ modified 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule 3rd %s is appended/inserted/modified ZyWALL USG 20/20W User's Guide 767
  • ZyXEL ZYWALL USG 20W | User Guide - Page 768
    is the new index of the rule Firewall %s %s rule %d has been deleted. 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule Firewall %s %s rules have been flushed. 1st empty object group. uses empty user group! %d: the policy route rule number 768 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 769
    The policy route %d uses empty service group Policy-route rule %d was ZyWALL will use the related policy route rules again. Trunk %s dead, related policy route rules will be disabled A trunk went down so the ZyWALL will stop using the related policy route rules. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 770
    assigned by user FTP port has been changed to port %s. An administrator changed the port number for FTP. %s is port number assigned by user FTP port has been changed to default port. An administrator changed the port number for FTP back to the default (21). 770 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 771
    number An administrator appended a new rule. %u is rule number An administrator modified the rule %u. %u is rule number An administrator removed the rule %u. %u is rule number ZyWALL USG 20/20W User's Guide 771
  • ZyXEL ZYWALL USG 20W | User Guide - Page 772
    configured. %s is IP address of the DNS server. The maximum number of allowable rules has been reached. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. %u is the maximum number of access control rules. A new built-in service rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. 772 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 773
    Log Descriptions Table 252 Built-in Services Logs (continued) LOG MESSAGE System Logs LOG MESSAGE DESCRIPTION Port %d is up!! When LINK is up, %d is the port number. Port %d is down!! When LINK is down, %d is the port number. %s is dead at mode enabled. ZyWALL USG 20/20W User's Guide 773
  • ZyXEL ZYWALL USG 20W | User Guide - Page 774
    manually. %s is the date and time. NTP update successful, current time is %s The device successfully synchronized with a NTP time server. %s is the date and time. NTP update failed The device was not able to synchronize with the NTP time server successfully. 774 ZyWALL USG 20/20W User
  • ZyXEL ZYWALL USG 20W | User Guide - Page 775
    was blocked. Update the profile %s has failed because too many or too few hosts found. %s is the profile name. Update the profile %s has failed because of dyndns internal error Update profile failed because of a dyndns internal error, %s is the profile name. ZyWALL USG 20/20W User's Guide 775
  • ZyXEL ZYWALL USG 20W | User Guide - Page 776
    the profile %s has failed because ping-check of WAN interface has failed. DDNS profile cannot be updated because the ping-check for WAN iface failed, %s is the profile name. Disable DDNS has succeeded. Disable DDNS. Enable DDNS has succeeded. Enable DDNS. 776 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 777
    scripts were executed successfully. Port %d is up!! The specified port has its link up. Port %d is down!! The specified port has its link down. %s.arg %s: interface name Cannot open configuration file for connectivity check process. %s: interface name ZyWALL USG 20/20W User's Guide 777
  • ZyXEL ZYWALL USG 20W | User Guide - Page 778
    connectivity check process can't get IP address of interface. Can't get flags of %s interface %s: interface name. The connectivity check process can't get interface configuration. Can't get remote address of can't use broadcast address to check link-status. 778 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 779
    The connectivity check process can't send ARP request packet. The interface routing can't forward packet. %s: interface name The %s routing status seted ACTIVATE by connectivity-check The routes has been enabled. RIP redistribute OSPF routes has been enabled. ZyWALL USG 20/20W User's Guide 779
  • ZyXEL ZYWALL USG 20W | User Guide - Page 780
    Name. changed to %s. RIP send-version on interface %s has been reset to current global version %s. RIP send-version on interface %s has been reset to current global version %s. 1st %s: Interface Name, 2nd %s: area, so area %s cannot be removed. %s: OSPF Area 780 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 781
    invalid text authentication %s on interface %s. configuration. %s: Interface Name Table 256 NAT Logs port of H.323 ALG has been modified. Extra H.323 ALG port has been changed. Signal port of H.323 Default H.323 ALG port has been changed. ALG has been modified. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 782
    or off. %s: Enable or Disable Extra signal port of SIP ALG has been modified. Extra SIP ALG port has been changed. Signal port of SIP ALG Default SIP ALG port has been changed. has been modified. Register SIP on page 784 for details about the error number. 782 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 783
    #12 certificate "%s" from "My Certificate" failed The device was not able to export a PKCS#12 format certificate from My Certificates. %s is the certificate request name. ZyWALL USG 20/20W User's Guide 783
  • ZyXEL ZYWALL USG 20W | User Guide - Page 784
    is the certificate request name. Import PKCS#12 certificate "%s" with incorrect password An administrator used the wrong password when trying to import a PKCS#12 format certificate. %s is the certificate not valid (CA specific information missing). (Not used) 784 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 785
    bridge interface and this interface is base interface of PPP or virtual interface. PPP and virtual will disable too. 1st %s is interface name, 2nd %s is interface. Interface %s has been An administrator changed an interface's configuration interface name. ZyWALL USG 20/20W User's Guide 785
  • ZyXEL ZYWALL USG 20W | User Guide - Page 786
    failed (the server must support CHAP and verify that the authentication failed, this does not include cases where the server does not support CHAP). CHAP: interface name. Interface %s is connected. A PPP interface connected successfully. %s: interface name. 786 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 787
    has no member. A bridge interface has no member. %s: bridge interface name. "Interface ZyWALL failed to set the cellular device installed in (or connected to) the listed slot (%s) to use the frequency band you configured. The cellular device may not support ZyWALL USG 20/20W User's Guide 787
  • ZyXEL ZYWALL USG 20W | User Guide - Page 788
    service provider. The listed cellular interface (%d) cannot connect to the ISP. This could be due to an error or being out of range of the ISP's cellular station. "Interface cellular%d is configured and model) has been removed from the specified slot. 788 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 789
    an interface. not accepted. Configured interface A reserved word was not permitted to be used in an interface name is reserved word. name. Configured interface name match reserved prefix. A reserved prefix was not permitted to be used in an interface name. ZyWALL USG 20/20W User's Guide 789
  • ZyXEL ZYWALL USG 20W | User Guide - Page 790
    a member of a trunk. since interface is the member of other trunk. Port-grouping is not support The interface does not support port grouping. This interface type can not set 3rd-dns. This type of interface does not support a third DNS server setting. 790 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 791
    WLAN interface (first %s). %s, MAC: %s. WPA or WPA2 enterprise EAP timeout. Interface: %s, MAC: %s. There was an EAP timeout for a wireless client connected to the specified WLAN interface (first %s). The MAC address of the wireless client is listed (second %s). ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 792
    %se: profile name. Account %s %s has been A user changed an ISP account profile's options. changed. 1st %s: profile type, 2nd %s: profile name. Account %s %s has been A user added a new ISP account profile. added. 1st %s: profile type, 2nd %s: profile name. 792 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 793
    of changing Port Group. Disable DHCP client. An administrator used port-grouping to assign a port to a configuration failed, this log will be what CLI command is and what warning message is. 1st %s is CLI command. 2nd %s is warning message when apply CLI command. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 794
    apply configuration file. After the system reset, it started to apply the configuration file. Running %s... %s is configuration file name assigned a client the IP address that to %s(%s) it requested. The DHCP client's hostname and MAC address are listed. 794 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 795
    :%02X: %02X:%02X. The IP-MAC binding feature could not delete an IP-MAC binding hash table entry. The interface the packet came in through, the sender's IP address and MAC address, are also shown along with the binding type ("s" for static or "d" for dynamic). ZyWALL USG 20/20W User's Guide 795
  • ZyXEL ZYWALL USG 20W | User Guide - Page 796
    EPS object. Files information A user's computer did not match the user-defined file information check fail in %s check in the specified EPS object. OS type check fail A user's computer did not match the OS type check in the in %s specified EPS object. 796 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 797
    A Log Descriptions Table 268 EPS Logs LOG MESSAGE DESCRIPTION Windows version check fail in %s A user's computer did not match the Windows version check in the specified EPS object. EPS checking result is pass. A user's computer passed the EPS check. ZyWALL USG 20/20W User's Guide 797
  • ZyXEL ZYWALL USG 20W | User Guide - Page 798
    Appendix A Log Descriptions 798 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 799
    . BOOTP_SERVER UDP 67 DHCP Server. CU-SEEME TCP UDP 7648 24032 A popular videoconferencing solution from White Pines Software. DNS TCP/UDP 53 Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. ZyWALL USG 20/20W User's Guide 799
  • ZyXEL ZYWALL USG 20W | User Guide - Page 800
    Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). 800 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 801
    Access Control System). TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. ZyWALL USG 20/20W User's Guide 801
  • ZyXEL ZYWALL USG 20W | User Guide - Page 802
    PORT(S) DESCRIPTION TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE TCP 7000 Another videoconferencing solution. 802 ZyWALL USG 20/20W
  • ZyXEL ZYWALL USG 20W | User Guide - Page 803
    wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 804
    between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. 804 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 805
    are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or ZyWALL USG 20/20W User's Guide 805
  • ZyXEL ZYWALL USG 20W | User Guide - Page 806
    Appendix C Wireless LANs wireless gateway, but out-of-range of without the RTS (Request To Send)/CTS (Clear to Send) handshake. You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" before they reach RTS/CTS size. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 807
    : The wireless devices MUST use the same preamble mode in order to communicate. IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point ZyWALL USG 20/20W User's Guide 807
  • ZyXEL ZYWALL USG 20W | User Guide - Page 808
    C Wireless LANs (and ZyWALL and on all wireless clients that you want to associate with it. IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional 808 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 809
    server allowing access. • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. ZyWALL USG 20/20W User's Guide 809
  • ZyXEL ZYWALL USG 20W | User Guide - Page 810
    , the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 810 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 811
    reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled. ZyWALL USG 20/20W User's Guide 811
  • ZyXEL ZYWALL USG 20W | User Guide - Page 812
    when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 812 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 813
    Appendix C Wireless LANs use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol ( connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre- ZyWALL USG 20/20W User's Guide 813
  • ZyXEL ZYWALL USG 20W | User Guide - Page 814
    RADIUS server. 2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. 3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client. 814 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 815
    each wireless client's password and allows it to join the network only if the password matches. 3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. ZyWALL USG 20/20W User's Guide 815
  • ZyXEL ZYWALL USG 20W | User Guide - Page 816
    Appendix C Wireless LANs 4 The AP and wireless clients use the TKIP or you configure these security features. Table 273 Wireless Security Relational Matrix AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL ENCRYPTION METHOD ENTER MANUAL KEY AES Yes Disable 816 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 817
    air. Positioning the antennas properly increases the range and coverage area of a wireless LAN. Antenna Characteristics Frequency An antenna in the frequency of 2.4GHz (IEEE 802. for WLAN There are two types of antennas used for wireless LAN applications. ZyWALL USG 20/20W User's Guide 817
  • ZyXEL ZYWALL USG 20W | User Guide - Page 818
    Appendix C Wireless LANs • Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. 818 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 819
    several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority. Note: can also apply to Internet Explorer on Windows Vista. ZyWALL USG 20/20W User's Guide 819
  • ZyXEL ZYWALL USG 20W | User Guide - Page 820
    Appendix D Importing Certificates 1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with Bar, click Certificate Error > View certificates. Figure 457 Internet Explorer 7: Certificate Error 820 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 821
    Appendix D Importing Certificates 4 In the Certificate dialog box, click Install Certificate. Figure 458 Internet Explorer 7: Certificate 5 In the Certificate Import Wizard, click Next. Figure 459 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 20/20W User's Guide 821
  • ZyXEL ZYWALL USG 20W | User Guide - Page 822
    Explorer 7: Certificate Import Wizard 7 Otherwise, select Place all certificates in the following store and then click Browse. Figure 461 Internet Explorer 7: Certificate Import Wizard 822 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 823
    OK. Figure 462 Internet Explorer 7: Select Certificate Store 9 In the Completing the Certificate Import Wizard screen, click Finish. Figure 463 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 20/20W User's Guide 823
  • ZyXEL ZYWALL USG 20W | User Guide - Page 824
    Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information. Figure 466 Internet Explorer 7: Website Identification 824 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 825
    Installing a Stand-Alone Certificate File in Internet Explorer Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone you how to remove a public key certificate in Internet Explorer 7. ZyWALL USG 20/20W User's Guide 825
  • ZyXEL ZYWALL USG 20W | User Guide - Page 826
    Appendix D Importing Certificates 1 Open Internet Explorer and click Tools > Internet Options. Figure 469 Internet Explorer 7: Tools Menu 2 In the Internet Options dialog box, click Content > Certificates. Figure 470 Internet Explorer 7: Internet Options 826 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 827
    Certificates confirmation, click Yes. Figure 472 Internet Explorer 7: Certificates 5 In the Root Certificate Store dialog box, click Yes. Figure 473 Internet Explorer 7: Root Certificate Store ZyWALL USG 20/20W User's Guide 827
  • ZyXEL ZYWALL USG 20W | User Guide - Page 828
    's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. 2 Select Accept this certificate permanently and click OK. Figure 474 Firefox 2: Website Certified by an Unknown Authority 828 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 829
    475 Firefox 2: Page Info Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. ZyWALL USG 20/20W User's Guide 829
  • ZyXEL ZYWALL USG 20W | User Guide - Page 830
    Appendix D Importing Certificates 1 Open Firefox and click Tools > Options. Figure 476 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 477 Firefox 2: Options 830 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 831
    visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information. ZyWALL USG 20/20W User's Guide 831
  • ZyXEL ZYWALL USG 20W | User Guide - Page 832
    Firefox and click Tools > Options. Figure 480 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 481 Firefox 2: Options 832 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 833
    just removed, a certification error appears. Opera The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms. ZyWALL USG 20/20W User's Guide 833
  • ZyXEL ZYWALL USG 20W | User Guide - Page 834
    Appendix D Importing Certificates 1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error view the web page's security details. Figure 485 Opera 9: Security information 834 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 835
    Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Open Opera and click Tools > Preferences. Figure 486 Opera 9: Tools Menu ZyWALL USG 20/20W User's Guide 835
  • ZyXEL ZYWALL USG 20W | User Guide - Page 836
    Appendix D Importing Certificates 2 In Preferences, click Advanced > Security > Manage certificates. Figure 487 Opera 9: Preferences 836 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 837
    Appendix D Importing Certificates 3 In the Certificates Manager, click Authorities > Import. Figure 488 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open. Figure 489 Opera 9: Import certificate ZyWALL USG 20/20W User's Guide 837
  • ZyXEL ZYWALL USG 20W | User Guide - Page 838
    window to view the web page's security details. Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9. 838 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 839
    1 Open Opera and click Tools > Preferences. Figure 492 Opera 9: Tools Menu Appendix D Importing Certificates 2 In Preferences, click Advanced > Security > Manage certificates. Figure 493 Opera 9: Preferences ZyWALL USG 20/20W User's Guide 839
  • ZyXEL ZYWALL USG 20W | User Guide - Page 840
    uses Konqueror 3.5 on openSUSE 10.3, however the screens apply to Konqueror 3.5 on all Linux KDE distributions. 1 If your device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. 840 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 841
    Forever when prompted to accept the certificate. Figure 496 Konqueror 3.5: Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page's security details. Figure 497 Konqueror 3.5: KDE SSL Information ZyWALL USG 20/20W User's Guide 841
  • ZyXEL ZYWALL USG 20W | User Guide - Page 842
    Certificates Installing a Stand-Alone Certificate File in Konqueror Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand certificate manager, Kleopatra. Figure 500 Konqueror 3.5: Kleopatra 842 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 843
    click Settings > Configure Konqueror. Figure 501 Konqueror 3.5: Settings Menu 2 In the Configure dialog box, select Crypto. 3 On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove. Figure 502 Konqueror 3.5: Configure ZyWALL USG 20/20W User's Guide 843
  • ZyXEL ZYWALL USG 20W | User Guide - Page 844
    : There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button. 844 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 845
    SOFTWARE WILL INDICATE YOUR ASSENT TO THEM. IF YOU DO NOT AGREE TO THESE TERMS, THEN ZyXEL IS UNWILLING TO LICENSE THE SOFTWARE TO YOU, IN WHICH EVENT YOU SHOULD RETURN THE UNINSTALLED SOFTWARE of the Software, Documentation and all intellectual property rights ZyWALL USG 20/20W User's Guide 845
  • ZyXEL ZYWALL USG 20W | User Guide - Page 846
    by their respective terms. ZyXEL has provided, as part of support for such software. Please contact the appropriate software vendor or manufacturer directly for technical support and customer service related to its software and products. 5. Confidentiality 846 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 847
    AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD. 7. Limitation of Liability IN NO EVENT WILL ZyXEL BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT ABOVE LIMITATION MAY NOT APPLY TO YOU. 8. Export Restrictions ZyWALL USG 20/20W User's Guide 847
  • ZyXEL ZYWALL USG 20W | User Guide - Page 848
    hereunder, the Software and Documentation shall not be assigned by you without the prior written consent of ZyXEL. Any waiver or modification of this License Agreement shall only be effective if it is in so as to reasonably effect the intention of the parties. 848 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 849
    the applicable product or software, we will give to anyone who contacts us at the ZyXEL Technical Support ([email protected]), for a charge of no more than our cost of physically performing source is furnished to do so, subject to the following conditions: ZyWALL USG 20/20W User's Guide 849
  • ZyXEL ZYWALL USG 20W | User Guide - Page 850
    both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected]. OpenSSL License 850 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 851
    not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * [email protected]. ZyWALL USG 20/20W User's Guide 851
  • ZyXEL ZYWALL USG 20W | User Guide - Page 852
    , EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE 852 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 853
    distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder used in a product, Eric Young should be given attribution ZyWALL USG 20/20W User's Guide 853
  • ZyXEL ZYWALL USG 20W | User Guide - Page 854
    ([email protected])" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 854 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 855
    , OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY license is compatible with The GNU General Public License, Version 2 ZyWALL USG 20/20W User's Guide 855
  • ZyXEL ZYWALL USG 20W | User Guide - Page 856
    , EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 856 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 857
    whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such to software source code, documentation source, and configuration files. "Object" form shall mean any form original ZyWALL USG 20/20W User's Guide 857
  • ZyXEL ZYWALL USG 20W | User Guide - Page 858
    , provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and 858 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 859
    . 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use associated with Your exercise of permissions under this License. ZyWALL USG 20/20W User's Guide 859
  • ZyXEL ZYWALL USG 20W | User Guide - Page 860
    Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However their name, without prior written permission of the Apache Software Foundation. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 861
    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY think carefully about whether this license or the ordinary General ZyWALL USG 20/20W User's Guide 861
  • ZyXEL ZYWALL USG 20W | User Guide - Page 862
    to distribute copies of free software (and charge for this service if you wish); that you receive source code or can so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a 862 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 863
    operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the form executables. The "Library", below, refers to any such ZyWALL USG 20/20W User's Guide 863
  • ZyXEL ZYWALL USG 20W | User Guide - Page 864
    License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 865
    object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially ZyWALL USG 20/20W User's Guide 865
  • ZyXEL ZYWALL USG 20W | User Guide - Page 866
    already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 867
    you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this ZyWALL USG 20/20W User's Guide 867
  • ZyXEL ZYWALL USG 20W | User Guide - Page 868
    , but may differ in detail to address new problems or concerns. Each version is given a distinguishing guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. 868 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 869
    THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16 . This Product includes arp-sk, bridge-utils, busybox, dhcpcd, dhcp-helper users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 870
    freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 871
    no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the the Program with the Program (or with a work based on the ZyWALL USG 20/20W User's Guide 871
  • ZyXEL ZYWALL USG 20W | User Guide - Page 872
    , by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and 872 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 873
    will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number published by the Free Software Foundation. If the ZyWALL USG 20/20W User's Guide 873
  • ZyXEL ZYWALL USG 20W | User Guide - Page 874
    PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN under BSD license BSD Copyright (c) [dates as appropriate to package] 874 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 875
    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ZyWALL USG 20/20W User's Guide 875
  • ZyXEL ZYWALL USG 20W | User Guide - Page 876
    , EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY . OpenLDAP is a registered trademark of the OpenLDAP Foundation. 876 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 877
    , and the entire risk of satisfactory quality, performance, accuracy, and effort is with the user. libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are Copyright (c) 1998, 1999 Glenn Randers-Pehrson, and are distributed according to the same ZyWALL USG 20/20W User's Guide 877
  • ZyXEL ZYWALL USG 20W | User Guide - Page 878
    code, or portions hereof, for any purpose, without fee, subject to the following restrictions: 1. The origin of this source code must not be misrepresented. 878 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 879
    specifically permit, without fee, and encourage the use of this source code as a component to supporting the PNG file format in commercial products. If you use this source code in a product, This notice may not be removed or altered from any source distribution. ZyWALL USG 20/20W User's Guide 879
  • ZyXEL ZYWALL USG 20W | User Guide - Page 880
    Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. 1.8. "License" means this document. 880 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 881
    power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. Source Code License. ZyWALL USG 20/20W User's Guide 881
  • ZyXEL ZYWALL USG 20W | User Guide - Page 882
    other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor. 3. Distribution Obligations. 3.1. Application of License. 882 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 883
    steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained. ZyWALL USG 20/20W User's Guide 883
  • ZyXEL ZYWALL USG 20W | User Guide - Page 884
    rights relating to Covered Code. You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only terms which differ from this License are offered by You 884 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 885
    to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "Mozilla", ZyWALL USG 20/20W User's Guide 885
  • ZyXEL ZYWALL USG 20W | User Guide - Page 886
    you (not the initial developer or any other contributor) assume the cost of any necessary servicing, repair or correction. This disclaimer of warranty constitutes an essential part of this license. No . If within 60 days of notice, a reasonable royalty and 886 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 887
    this exclusion and limitation may not apply to you. 10. U.S. government end users The Covered Code is a "commercial item," as that term is defined in .7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein. ZyWALL USG 20/20W User's Guide 887
  • ZyXEL ZYWALL USG 20W | User Guide - Page 888
    " basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. 888 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 889
    the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. ZyWALL USG 20/20W User's Guide 889
  • ZyXEL ZYWALL USG 20W | User Guide - Page 890
    Law and trade secret law, and by international treaty provisions. All rights not granted to you herein are expressly reserved by ZyXEL. You may not remove any proprietary notice of ZyXEL or any of its licensors from any copy of the Software or Documentation. 890 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 891
    for technical support and customer service related to its software and products. 5. Confidentiality You acknowledge that the Software contains proprietary trade secrets of ZyXEL and you the purpose of deriving the source code of the Software. 6. No Warranty ZyWALL USG 20/20W User's Guide 891
  • ZyXEL ZYWALL USG 20W | User Guide - Page 892
    of Liability IN NO EVENT WILL ZyXEL BE LIABLE TO YOU OR ANY ZyXEL AGAINST ALL CLAIMS, LOSSES, DAMAGES, LIABILITIES, COSTS AND EXPENSES, INCLUDING REASONABLE ATTORNEYS' FEES, TO THE EXTENT SUCH CLAIMS ARISE OUT OF ANY BREACH OF THIS SECTION 8. 9. Audit Rights 892 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 893
    applicable product or software, we will give to anyone who contacts us at the ZyXEL Technical Support ([email protected]), for a charge of no more than our cost of physically performing source examples herein are fictitious unless otherwise noted. No part may ZyWALL USG 20/20W User's Guide 893
  • ZyXEL ZYWALL USG 20W | User Guide - Page 894
    for any purpose, except the express written permission of ZyXEL Communications Corporation. This Product includes ntp software under the the copyright notice and this permission notice appear in supporting documentation, and that the name University of Delaware not ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 895
    The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions ZyWALL USG 20/20W User's Guide 895
  • ZyXEL ZYWALL USG 20W | User Guide - Page 896
    " * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following 896 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 897
    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND includes software written by Tim * Hudson ([email protected]). * */ ZyWALL USG 20/20W User's Guide 897
  • ZyXEL ZYWALL USG 20W | User Guide - Page 898
    distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the * modification, are permitted provided that the following conditions 898 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 899
    THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ZyWALL USG 20/20W User's Guide 899
  • ZyXEL ZYWALL USG 20W | User Guide - Page 900
    Appendix E Open Software Announcements * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, code must retain the above copyright notice, this list of conditions and the following disclaimer. 900 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 901
    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY License Version 2.0, January 2004 http://www.apache.org/licenses/ ZyWALL USG 20/20W User's Guide 901
  • ZyXEL ZYWALL USG 20W | User Guide - Page 902
    entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such limited to software source code, documentation source, and configuration files. "Object" form shall mean any form ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 903
    any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; ZyWALL USG 20/20W User's Guide 903
  • ZyXEL ZYWALL USG 20W | User Guide - Page 904
    This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or 904 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 905
    , EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ZyWALL USG 20/20W User's Guide 905
  • ZyXEL ZYWALL USG 20W | User Guide - Page 906
    designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you rights or to ask you to surrender these rights. These restrictions 906 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 907
    is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the license provides advantages in certain special circumstances. ZyWALL USG 20/20W User's Guide 907
  • ZyXEL ZYWALL USG 20W | User Guide - Page 908
    Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the and modification are not covered by this License; they 908 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 909
    with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. ZyWALL USG 20/20W User's Guide 909
  • ZyXEL ZYWALL USG 20W | User Guide - Page 910
    the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 910 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 911
    c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this the Library together in an executable that you distribute. ZyWALL USG 20/20W User's Guide 911
  • ZyXEL ZYWALL USG 20W | User Guide - Page 912
    unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in 912 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 913
    will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE ZyWALL USG 20/20W User's Guide 913
  • ZyXEL ZYWALL USG 20W | User Guide - Page 914
    SUCH DAMAGES. END OF TERMS AND CONDITIONS. This Product includes arp-sk, bridge-utils, busybox, dhcpcd, dhcp-helper, hostapd, wireless_tools, gd, service if you wish), that you receive source code or can get it if you want it, that you can change the software 914 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 915
    we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is , in any medium, provided that you conspicuously and appropriately ZyWALL USG 20/20W User's Guide 915
  • ZyXEL ZYWALL USG 20W | User Guide - Page 916
    no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the and 2 above provided that you also do one of the following: 916 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 917
    or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted ZyWALL USG 20/20W User's Guide 917
  • ZyXEL ZYWALL USG 20W | User Guide - Page 918
    will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number Foundation; we sometimes make exceptions for this. 918 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 919
    THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN notice, this list of conditions and the following disclaimer. ZyWALL USG 20/20W User's Guide 919
  • ZyXEL ZYWALL USG 20W | User Guide - Page 920
    , EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 920 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 921
    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY . This Product includes libpng software under the Libpng License ZyWALL USG 20/20W User's Guide 921
  • ZyXEL ZYWALL USG 20W | User Guide - Page 922
    satisfactory quality, performance, accuracy, and effort is with the user. libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are Copyright (c) 1998, 1999 Glenn Randers-Pehrson, Dilger Distributed according to the same disclaimer and license as 922 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 923
    altered source distribution. The Contributing Authors and Group 42, Inc. specifically permit, without fee, and encourage the use of this source code as a component to supporting the PNG file ZyWALL USG 20/20W User's Guide 923
  • ZyXEL ZYWALL USG 20W | User Guide - Page 924
    is a certification mark of the Open Source Initiative. Glenn Randers-Pehrson glennrp at users.sourceforge.net February 25, 2010 This Product includes libmd5-rfc software under the Zlib/ under the MPL License Mozilla Public License Version 1.1 1. Definitions. 924 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 925
    grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein. ZyWALL USG 20/20W User's Guide 925
  • ZyXEL ZYWALL USG 20W | User Guide - Page 926
    , to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. Source Code License. 2.1. The Initial Developer Grant. 926 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 927
    ) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor. 3. Distribution Obligations. 3.1. Application of License. ZyWALL USG 20/20W User's Guide 927
  • ZyXEL ZYWALL USG 20W | User Guide - Page 928
    (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained. 928 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 929
    rights relating to Covered Code. You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only terms which differ from this License are offered by You ZyWALL USG 20/20W User's Guide 929
  • ZyXEL ZYWALL USG 20W | User Guide - Page 930
    apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "Mozilla", 930 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 931
    you (not the initial developer or any other contributor) assume the cost of any necessary servicing, repair or correction. This disclaimer of warranty constitutes an essential part of this license. . If within 60 days of notice, a reasonable royalty and ZyWALL USG 20/20W User's Guide 931
  • ZyXEL ZYWALL USG 20W | User Guide - Page 932
    this exclusion and limitation may not apply to you. 10. U.S. government end users The Covered Code is a "commercial item," as that term is defined in .7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein. 932 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 933
    IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. ZyWALL USG 20/20W User's Guide 933
  • ZyXEL ZYWALL USG 20W | User Guide - Page 934
    Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. 934 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 935
    of the ZyWALL is subject to the terms and conditions of any related service providers. Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc 15 of FCC rules. Operation is subject to the following two conditions: ZyWALL USG 20/20W User's Guide 935
  • ZyXEL ZYWALL USG 20W | User Guide - Page 936
    . This device has been tested and found to comply with accordance with the instructions, may cause TV technician for help. FCC Radiation Exposure Statement • This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. 936 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 937
    is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. ZyWALL USG 20/20W User's Guide 937
  • ZyXEL ZYWALL USG 20W | User Guide - Page 938
    may also refer to the warranty policy for the region in which you bought the device at http://www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. 938 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 939
    access point, See AP 248 access users 540, 541 custom page 650 forcing login 366 ZyWALL USG 20/20W User's Guide Index Index idle timeout 549 logging in 366 multiple logins 550 see also users 540 Web Configurator 552 access users, see also force user authentication policies account myZyXEL.com 213
  • ZyXEL ZYWALL USG 20W | User Guide - Page 940
    -encoding attacks 483 asymmetrical routes 381 allowing through the firewall 383 vs virtual interfaces 381 ATC 251 ATC+WMM 251 attacks Apache-whitespace 483 ASCII-encoding 483 bare byte encoding 483 base36-encoding 483 Denial of Service (DoS) 398 directory traversal 483 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 941
    ZyWALL USG 20/20W User's Guide Index B backing up configuration files 696 backslashes 484 bad-length-options attack 485 bandwidth egress 245 ingress 245 bandwidth limit troubleshooting Basic Service Set, See BSS 803 Bind DN 576, 579 black list 527 anti-spam 522 bookmarks 444 boot module 701 bridge
  • ZyXEL ZYWALL USG 20W | User Guide - Page 942
    with FTP 668 editing 693 how applied 694 lastgood.conf 696, 700 managing 696 not stopping or starting the ZyWALL 35 startup-config.conf 700 startup-config-bad.conf 696 syntax 694 system-default.conf 700 uploading 700 uploading with FTP 668 use without restart 693 942 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 943
    configuration overview 98 mail exchanger 336 prerequisites 98 service providers 331 troubleshooting 731 Dead Peer Detection, see DPD default firewall behavior 374 interfaces and zones 90 login settings 741 Denial of Service Algorithm public-key algorithm, see DSA ZyWALL USG 20/20W User's Guide 943
  • ZyXEL ZYWALL USG 20W | User Guide - Page 944
    , see DDNS Dynamic Host Configuration Protocol, see DHCP. dynamic peers in IPSec 398 dynamic WEP key exchange 811 DynDNS 331 DynDNS see also DDNS 331 Dynu exceptional services 368 experimental-options attack 485 extended authentication and VPN gateways 394 IKE SA 420 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 945
    381, 383 configuration overview 100 global rules 375 prerequisites 100 ZyWALL USG 20/20W User's Guide Index priority 384 rule criteria 375 see also to-ZyWALL firewall 374 session limits 376, 386 to-ZyWALL, see to-ZyWALL firewall triangle routes 381, 383 troubleshooting 728 firmware and restart 701
  • ZyXEL ZYWALL USG 20W | User Guide - Page 946
    password 420 peer identity 418 pre-shared key 417 proposal 415 see also VPN user name 420 IMAP 522 incoming bandwidth 245 Independent Basic Service Set See IBSS 803 ingress bandwidth 245 initialization vector (IV) 813 inline profile 472 interface status 170, 181 946 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 947
    391 remote network 391 remote policy 399 replay detection 398 SA life time 399 SA monitor 196 SA see also IPSec SA 421 see also VPN site-to-site with dynamic peer 398 static site-to-site 398 ZyWALL USG 20/20W User's Guide 947
  • ZyXEL ZYWALL USG 20W | User Guide - Page 948
    user attributes 553 least load first load balancing 290 LED troubleshooting 727 legitimate e-mail 521 license key 215 upgrading 215 licensing 211 Lightweight Directory Access Protocol, see LDAP load balancing 289 algorithms 290, 294 least load first 290 round robin 295 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 949
    VLAN 264 Ethernet interface 227 filter 262 range 168 mail sessions threshold 524 ZyWALL USG 20/20W User's Guide Index malware 499 managed web pages 498 management access troubleshooting 736 Management Information Base (MIB) 671, 672 manual key IPSec 399 MD5 416 memory usage 169, 172 message bar 52
  • ZyXEL ZYWALL USG 20W | User Guide - Page 950
    341 and policy routes 298, 305 and to-ZyWALL firewall 343 and VoIP pass through 354 and VPN 419 and VPN, see also VPN configuration overview 98 limitations 310 loopback 343 port forwarding, see NAT port translation, see NAT port triggering 310 port triggering, see also policy routes prerequisites 99
  • ZyXEL ZYWALL USG 20W | User Guide - Page 951
    220 and Ethernet interfaces 220 and physical ports 220 port scan, filtered 480 port scanning 479 port sweep 480 port translation, see NAT port triggering 310 and firewall 306, 731 and policy routes 306 and service groups 306 and services 306 troubleshooting 731 ZyWALL USG 20/20W User's Guide 951
  • ZyXEL ZYWALL USG 20W | User Guide - Page 952
    management CNM 675 configuration overview 105 FTP, see FTP prerequisites 105 see also service control 644 Telnet 666 to-ZyWALL firewall 375 WWW, see WWW remote network 391 remote user screen links 615 replay detection 398 reports anti-spam 204 collecting data 184 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 953
    service control 129, 644 and to-ZyWALL firewall 644 and users 645 limitations 644 timeouts 645 service groups 562 and firewall 386 and port triggering 306 where used 104 service objects 561 and firewall 562 and IP protocols 562 and policy routes 562 service set 254 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 954
    and LDAP 579 certificates 438 client 449 client virtual desktop logo 434 computer names 432 connection monitor 198 full tunnel mode 432 global setting 433 IP pool 432 network list 432 remote user login 438 remote user logout 444 954 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 955
    20/20W User's Guide metric 309 prerequisites 98 statistics anti-spam 204 content filtering 200 daily e-mail report 680 traffic 183 status 165 status bar 52 warning message popup 52 stopping the ZyWALL 34, 35 stub area 316 STUN 353 and ALG 353 subscription services 212 content filtering 213 SSL VPN
  • ZyXEL ZYWALL USG 20W | User Guide - Page 956
    policy routes 290, 305 configuration overview 96 member interface mode 294 member interfaces 294 prerequisites 96 see also load balancing 289 tutorial 113 where used 96 Trusted Certificates, see also certificates 603 TTCP-detected attack 485 tunnel encapsulation 399 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 957
    content filtering 487 and firewall 386, 389 and policy routes 303, 304, 462, 464 ZyWALL USG 20/20W User's Guide Index configuration overview 104 user name rules 542 user objects 539 user portal links 615 logo 434 see SSL user screens 437, 443 user sessions, see sessions user SSL screens 437, 443
  • ZyXEL ZYWALL USG 20W | User Guide - Page 958
    HTTP redirect web site ZyXEL 4 web-based SSL application 615 configuration example 616 create 618 weblink 616 webroot-directory-traversal attack 485 weighted round robin (for load balancing) 290 white list (anti-spam) 521, 527, 529, 531 Wi-Fi Protected Access 812 958 ZyWALL USG 20/20W User's Guide
  • ZyXEL ZYWALL USG 20W | User Guide - Page 959
    VPN 88, 327 and WWW 650 block intra-zone traffic 330, 382 configuration overview 98 default 90 extra-zone traffic 328 inter-zone traffic 328 intra-zone traffic 328 prerequisites 98 types of traffic 328 where used 98 ZyWALL terminology differences 91 ZyXEL web site 4 ZyWALL USG 20/20W User's Guide
  • 924
  • 925
  • 926
  • 927
  • 928
  • 929
  • 930
  • 931
  • 932
  • 933
  • 934
  • 935
  • 936
  • 937
  • 938
  • 939
  • 940
  • 941
  • 942
  • 943
  • 944
  • 945
  • 946
  • 947
  • 948
  • 949
  • 950
  • 951
  • 952
  • 953
  • 954
  • 955
  • 956
  • 957
  • 958
  • 959

ZyWALL USG 20/20W Unified Security Gateway
www.zyxel.com
Copyright © 2011 ZyXEL Communications Corporation
Version 2.21, Edition 4, 4/2011

Default Login Details
LAN Port: P2, P3
IP Address
User Name: admin
Password: 1234