ZyXEL ZyWALL USG 50 User Manual

ZyXEL ZyWALL USG 50 manual content summary:

  • ZyXEL ZyWALL USG 50 | User Manual - Page 1
    ZyWALL USG 50 Unified Security Gateway. Default Login Details: LAN Port P3, P4; IP Address https://192.168.1.1; User Name admin; Password 1234. Version 2.21, Edition 2, 11/2010. www.zyxel.com Copyright © 2010 ZyXEL Communications Corporation
  • ZyXEL ZyWALL USG 50 | User Manual - Page 2
  • ZyXEL ZyWALL USG 50 | User Manual - Page 3
    the PDF file. E-mail [email protected] if you cannot find the information you require. Related Documentation • Quick Start Guide The Quick Start Guide is designed to show you how to make the ZyWALL hardware connections and access the Web Configurator wizards. (See the wizard real time help
  • ZyXEL ZyWALL USG 50 | User Manual - Page 4
    User's Guide • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help you. Send
  • ZyXEL ZyWALL USG 50 | User Manual - Page 5
    in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate. ZyWALL USG 50 User's Guide 5
  • ZyXEL ZyWALL USG 50 | User Manual - Page 6
    may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on. • "e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".
  • ZyXEL ZyWALL USG 50 | User Manual - Page 7
    Document Conventions Icons Used in Figures Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. Icons: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 8
    install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning. • Connect ONLY suitable accessories to the device. • Do NOT open the device or unit. Opening USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose them at the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 9
    DDNS ...315 NAT ...321 HTTP Redirect ...331 ALG ...335 IP/MAC Binding ...343 Authentication Policy ...349 Firewall ...357 IPSec VPN ...375 SSL VPN ...411 SSL User Screens ...421 SSL User Application Screens 431 ZyWALL SecuExtender ...433 Application Patrol ...437 Anti-Virus ...463 IDP ...479 ADP
  • ZyXEL ZyWALL USG 50 | User Manual - Page 10
    Method ...627 Certificates ...633 ISP Accounts ...655 SSL Application ...659 Endpoint Security ...665 System ...675 Log and Report ...723 File Manager ...737 Diagnostics ...749 Reboot ...755 Shutdown ...757 Troubleshooting ...759 Product Specifications ...775
  • ZyXEL ZyWALL USG 50 | User Manual - Page 11
    2.2.3 User-Aware Access Control 42 2.2.4 Multiple WAN Interfaces 42 Chapter 3 Web Configurator...43 3.1 Web Configurator Requirements 43 3.2 Web Configurator Access ...43 3.3 Web Configurator Screens Overview 45 3.3.1 Title Bar ...45 3.3.2 Navigation Panel ...47
  • ZyXEL ZyWALL USG 50 | User Manual - Page 12
    5.5.8 VPN Advanced Wizard - Finish 86 Chapter 6 Configuration Basics...87 6.1 Object-based Configuration 87 6.2 Zones, Interfaces, and Physical Ports 88 6.2.1 Interface Types ...89 6.2.2 Default Interface and Zone Configuration 89 6.3 Terminology in the ZyWALL 91
  • ZyXEL ZyWALL USG 50 | User Manual - Page 13
    96 6.5.3 Licensing Update ...96 6.5.4 Interface ...96 6.5.5 Trunks ...97 6.5.6 Policy Routes ...97 6.5.7 Static Routes ...98 6.5.8 Zones ...98 6.5.9 DDNS ...99 6.5.10 NAT ...99 6.5.11 HTTP Redirect ...99 6.5.12 ALG ...100 6.5.13 Auth. Policy ...100 6.5.14 Firewall ...101 6.5.15 IPSec VPN ...102
  • ZyXEL ZyWALL USG 50 | User Manual - Page 14
    Firewall Rule for SIP 151 7.12 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic 152 7.12.1 Create the Public IP Address Range Object 152 7.12.2 Configure the Policy Route 153 Part II: Technical Reference 155 Chapter 8 Dashboard ...157
  • ZyXEL ZyWALL USG 50 | User Manual - Page 15
    The IDP Statistics Screen 196 9.15 The Content Filter Statistics Screen 198 9.16 Content Filter Cache Screen 200 9.17 The Anti-Spam Statistics Screen 203 9.18 The Anti-Spam Status Screen 205 9.19 Log Screen ...206 Chapter 10 Registration ...209 10.1 Overview ...209
  • ZyXEL ZyWALL USG 50 | User Manual - Page 16
    276 12.3 Configuring a Trunk ...277 12.4 Trunk Technical Reference 279 Chapter 13 Policy and Static Routes ...281 13.1 Policy and Static Routes Overview 281 13.1.1 What You Can Do in this Chapter 281 13.1.2 What You Need to Know 282 13.2 Policy Route Screen ...284
  • ZyXEL ZyWALL USG 50 | User Manual - Page 17
    Screen 318 Chapter 17 NAT...321 17.1 NAT Overview ...321 17.1.1 What You Can Do in this Chapter 321 17.1.2 What You Need to Know 322 17.2 The NAT Screen ...322 17.2.1 The NAT Add/Edit Screen 324 17.3 NAT Technical Reference 327 Chapter 18 HTTP Redirect ...331
  • ZyXEL ZyWALL USG 50 | User Manual - Page 18
    in this Chapter 357 22.1.2 What You Need to Know 358 22.1.3 Firewall Rule Example Applications 360 22.1.4 Firewall Rule Configuration Example 363 22.2 The Firewall Screen ...365 22.2.1 Configuring the Firewall Screen 366 22.2.2 The Firewall Add/Edit Screen 369
  • ZyXEL ZyWALL USG 50 | User Manual - Page 19
    SSL VPN User Screens 427 25.4 Bookmarking the ZyWALL 428 25.5 Logging Out of the SSL VPN User Screens 428 Chapter 26 SSL User Application Screens 431 26.1 SSL User Application Screens Overview 431 26.2 The Application Screen 431 Chapter 27 ZyWALL SecuExtender...433
  • ZyXEL ZyWALL USG 50 | User Manual - Page 20
    Reference 477 Chapter 30 IDP ...479 30.1 Overview ...479 30.1.1 What You Can Do in this Chapter 479 30.1.2 What You Need To Know 479 30.1.3 Before You Begin 480 30.2 The IDP General Screen 481 30.3 Introducing IDP Profiles 483 30.3.1 Base Profiles ...484
  • ZyXEL ZyWALL USG 50 | User Manual - Page 21
    490 30.6.3 IDP Service Groups 491 30.6.4 Profile > Query View Screen 493 30.6.5 Query Example ...495 30.7 Introducing IDP Custom Signatures 497 30.7.1 IP Packet Header 497 30.8 Configuring Custom Signatures 535 32.3 Content Filter Policy Add or Edit Screen 538
  • ZyXEL ZyWALL USG 50 | User Manual - Page 22
    Table of Contents 32.4 Content Filter Profile Screen 540 32.5 Content Filter Default User Authentication Timeout Settings Edit Screens 594 35.4.2 User Aware Login Example 596 35.5 User /Group Technical Reference 597 Chapter 36 Addresses...599 36.1 Overview ...599
  • ZyXEL ZyWALL USG 50 | User Manual - Page 23
    Directory or LDAP Server Summary 621 39.2.1 Adding an Active Directory or LDAP Server 621 39.3 RADIUS Server Summary 623 39.3.1 Adding a RADIUS Server 625 Chapter 40 Authentication Method ...627 40.1 Overview ...627 40.1.1 What You Can Do in this Chapter 627
  • ZyXEL ZyWALL USG 50 | User Manual - Page 24
    Table of Contents 40.1.2 Before You Begin 627 40.1.3 Example: Selecting a VPN Authentication Method 627 Chapter 659 43.1.2 What You Need to Know 659 43.1.3 Example: Specifying a Web Site for Access 660 43.2 The SSL Application Screen 661 43.2.1 Creating/Editing
  • ZyXEL ZyWALL USG 50 | User Manual - Page 25
    45.7.5 Secure Telnet Using SSH Examples 710 45.8 Telnet ...711 45.8.1 Configuring Telnet 712 45.9 FTP ...713 45.9.1 Configuring FTP ...713 45.10 SNMP ...715 45.10.1 Supported MIBs 717 45.10.2 SNMP Traps ...717 45.10.3 Configuring SNMP 717 45.11 Vantage CNM ...719
  • ZyXEL ZyWALL USG 50 | User Manual - Page 26
    727 46.3.3 Edit Remote Server Log Settings 732 46.3.4 Active Log Summary Screen 734 Chapter 47 File Manager ...737 47.1 Overview ...737 47.1.1 What You Can Do in this Chapter 737 47.1.2 What you Need to Know 737 47.2 The Configuration File Screen 740 47.3 The Firmware Package Screen 744 47
  • ZyXEL ZyWALL USG 50 | User Manual - Page 27
    Help 774 Chapter 52 Product Specifications ...775 52.1 Power Adaptor Specifications 780 Appendix A Log Descriptions 783 Appendix B Common Services 841 Appendix C Importing Certificates 845 Appendix D Open Software Announcements 871 Appendix E Legal Information 917 Index...921
  • ZyXEL ZyWALL USG 50 | User Manual - Page 28
    Table of Contents
  • ZyXEL ZyWALL USG 50 | User Manual - Page 29
    PART I User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 30
  • ZyXEL ZyWALL USG 50 | User Manual - Page 31
    ports for connecting publicly accessible servers. The ZyWALL also provides two separate LAN networks. You can set ports to be part of the LAN1, or DMZ. Alternatively, you can deploy the ZyWALL as a transparent firewall in an existing network with minimal configuration.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 32
    Installation Procedure 1 Align one bracket with the holes on one side of the ZyWALL and secure it with the included bracket screws (smaller than the rack-mounting screws). 2 Attach the other bracket in a similar fashion. Figure 1 Attaching Mounting Brackets and Screws
  • ZyXEL ZyWALL USG 50 | User Manual - Page 33
    on. Breathing The ZyWALL is in power saving mode. Red On There is a hardware component failure. Shut down the device, wait for a few minutes and then restart the device (see Section 1.5 on page 35). If the LED turns red again, then please contact your vendor.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 34
    Web Configurator Command-Line Interface (CLI) The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 35
    Chapter 1 Introducing the ZyWALL Console Port You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI. The default settings for the console port are as follows. Table 2 Console Port Default Settings SETTING VALUE
  • ZyXEL ZyWALL USG 50 | User Manual - Page 36
    Chapter 1 Introducing the ZyWALL The ZyWALL does not stop or start the system processes when you apply configuration files or run shell scripts although you may temporarily lose access to network resources.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 37
    Features The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other
  • ZyXEL ZyWALL USG 50 | User Manual - Page 38
    inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. Intrusion Detection and Prevention (IDP) IDP (Intrusion
  • ZyXEL ZyWALL USG 50 | User Manual - Page 39
    option that gives SIP priority over all other traffic. This maximizes SIP traffic throughput for improved VoIP call sound quality. 2.2 Applications These are some example applications for your ZyWALL. See also Chapter 7 on page 109 for configuration tutorial examples.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 40
    secure access to your network. You can also set up additional connections to the Internet to provide better service. Figure 5 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote users.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 41
    allows them to access network resources in the same way as if they were part of the internal network. Figure 6 Network Access Mode: Full Tunnel Mode (figure labels: 192.168.1.100; https://; LAN (192.168.1.X); Web Mail; File Share; Web-based Application; Non-Web Application Server)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 42
    -Aware Access Control 2.2.4 Multiple WAN Interfaces Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them. Figure 8 Applications: Multiple WAN Interfaces
  • ZyXEL ZyWALL USG 50 | User Manual - Page 43
    • Enable JavaScripts (enabled by default) • Enable Java permissions (enabled by default) • Enable cookies The recommended screen resolution is 1024 x 768 pixels. 3.2 Web Configurator Access 1 Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 44
    a new number the next time you log in. 4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 10 on page 44) appears. Otherwise, the dashboard (Figure 11 on page 45) appears. Figure 10 Update Admin Info Screen
  • ZyXEL ZyWALL USG 50 | User Manual - Page 45
    . Follow the directions in this screen. If you change the default password, the Login screen (Figure 9 on page 44) appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is using its default configuration (see Chapter 4 on page 59); otherwise the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 46
    interface (CLI). See the CLI Reference Guide for details on the commands. CLI Click this to open a popup window that displays the CLI commands sent by the Web Configurator. 3.3.1.1 About Click this to display basic information about the ZyWALL. Figure 13 Title Bar The following table describes
  • ZyXEL ZyWALL USG 50 | User Manual - Page 47
    domain names. IP/MAC Binding Lists the devices that have received an IP address from ZyWALL interfaces using IP/MAC binding. Login Users Lists the users currently logged into the ZyWALL. Cellular Status Displays details about the ZyWALL's 3G connection status.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 48
    licensed services. Signature Update Anti-Virus Update anti-virus signatures immediately or by a schedule. IDP/AppPatrol Update IDP signatures immediately or by a schedule. System Protect Update system-protect signatures immediately or by a schedule. Network
  • ZyXEL ZyWALL USG 50 | User Manual - Page 49
    the ZyWALL's DDNS domain names. NAT Set up and manage port forwarding rules. HTTP Redirect Set up and manage HTTP redirection rules. ALG Configure SIP, H.323, and FTP pass-through settings. IP/MAC Binding Summary Configure IP to MAC address bindings for devices connected to each supported
  • ZyXEL ZyWALL USG 50 | User Manual - Page 50
    users. Setting Manage default settings for all users, general settings for user sessions, and rules to force user authentication. Address Address Create and manage host, range, and network (subnet) addresses. Address Group Create and manage groups of addresses.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 51
    server settings for the ZyWALL. FTP Configure FTP server settings. SNMP Configure SNMP communities and services. Vantage CNM Configure and allow your ZyWALL to be managed by the Vantage CNM server. Language Select the Web Configurator language. Log & Report
  • ZyXEL ZyWALL USG 50 | User Manual - Page 52
    remote syslog servers. 3.3.2.4 Maintenance Menu Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ZyWALL. Table 8 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and
  • ZyXEL ZyWALL USG 50 | User Manual - Page 53
    and the individual object and click Refresh to show which configuration settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule). Figure 17 Object Reference
  • ZyXEL ZyWALL USG 50 | User Manual - Page 54
    Click Clear to remove the currently displayed information. See the Command Reference Guide for information about the commands. 3.3.4 Tables and Lists The Web Configurator tables and lists are quite flexible and provide several options for how to display their entries.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 55
    you can manipulate the Web Configurator tables. 1 Click a column heading to sort the table's entries according to that column's criteria. Figure 19 Sorting Table Entries by a Column's Criteria (, or =) or searching for text Figure 20 Common Table Column Options
  • ZyXEL ZyWALL USG 50 | User Manual - Page 56
    you drag the column to a valid new location. Figure 22 Changing the Column Order 5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time. Figure 23 Navigating Pages of Table Entries
  • ZyXEL ZyWALL USG 50 | User Manual - Page 57
    the previous entry 6 (if there is one) gets pushed up (or down) one. 3.3.4.3 Working with Lists When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists
  • ZyXEL ZyWALL USG 50 | User Manual - Page 58
    Chapter 3 Web Configurator you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 25 Working with Lists
  • ZyXEL ZyWALL USG 50 | User Manual - Page 59
    the installation setup wizard or click Next to start configuring for Internet access. 4.1.1 Internet Access Setup - WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface's type of encapsulation and method of IP address assignment.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 60
    assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address. 4.1.2 Internet Access: Ethernet This screen is read-only if you set the previous screen's IP Address Assignment field to Auto. Use this screen to configure your IP address settings.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 61
    without it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 62
    blank. • Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 63
    DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. 4.1.4 Internet Access: PPTP Note: Enter the Internet access information exactly as given to you by your ISP. Figure 30 Internet Access: PPTP Encapsulation
  • ZyXEL ZyWALL USG 50 | User Manual - Page 64
    without it, you must know the IP address of a computer before you can access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 65
    two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 59). Figure 31 Internet Access: Step 3: Second WAN Interface
  • ZyXEL ZyWALL USG 50 | User Manual - Page 66
    Chapter 4 Installation Setup Wizard 4.1.7 Internet Access - Finish You have set up your ZyWALL to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back. Figure 32 Internet Access: Ethernet Encapsulation Note: If you
  • ZyXEL ZyWALL USG 50 | User Manual - Page 67
    not allowed. Type it again in the Confirm Password field. • E-Mail Address: Enter your e-mail address. Use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces. • Country Code: Select your country from the drop-down box list.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 68
    can try a trial service subscription. The trial period starts the day you activate the trial. After the trial expires, you can buy an iCard and enter the license key in the Registration > Service screen to extend the service. Figure 33 Registration: Registered Device
  • ZyXEL ZyWALL USG 50 | User Manual - Page 69
    creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 5.2 on page 70. • VPN SETUP Use VPN SETUP to configure a VPN (Virtual Private Network) tunnel for a secure connection to another computer or network. See Section 5.4 on page 76.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 70
    you want to configure for a WAN connection and click Next. Figure 36 Choose an Ethernet Interface 5.2.2 Select WAN Type WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 71
    the interface should use a fixed or dynamic IP address. Figure 38 WAN Interface Setup: Step 2 • WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is the security zone to which this interface and Internet connection belong.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 72
    the labels in this screen. Table 11 WAN and ISP Connection Settings LABEL DESCRIPTION ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection. Encapsulation This displays the type of Internet connection you are configuring.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 73
    ISP. Zone This field displays to which security zone this interface and Internet connection will belong. IP Address This field is read-only when the WAN interface uses a dynamic IP address. If your WAN interface uses a static IP address, enter it in this field.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 74
    to the Internet. Service Name This field is read-only and only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account. Server IP This field only appears for a PPTP interface. It displays the IP address of the PPTP server.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 75
    to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click Next. Figure 41 VPN Quick Setup Wizard
  • ZyXEL ZyWALL USG 50 | User Manual - Page 76
    with another ZLD-based ZyWALL using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 77
    clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel. • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 78
    is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. • Pre-Shared Key: Type the password. Both ends of the VPN
  • ZyXEL ZyWALL USG 50 | User Manual - Page 79
    editor to save these commands as a shell script file with a ".zysh" filename extension. Then you can use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 80
    Finish Now you can use the VPN tunnel. Figure 46 VPN Express Wizard: Step 6 Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 81
    address. Only the remote IPSec device can initiate the VPN tunnel. • Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 82
    Chapter 5 Quick Setup • Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation - phase 1 (
  • ZyXEL ZyWALL USG 50 | User Manual - Page 83
    (there is a NAT router between the IPSec devices). Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens or the User's Guide VPN, NAT, and NAT Traversal on page 403 for more information. • Dead Peer Detection (DPD) has the ZyWALL make sure the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 84
    . This must match the local IP address configured on the remote IPSec device. • Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 85
    • Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. • Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL's command line interface. • Click Save to save the VPN rule.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 86
    Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 51 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 87
    apply the updated schedule. You can create address objects based on an interface's IP address, subnet, or gateway. The ZyWALL automatically updates every rule or setting that uses these objects whenever the interface's IP address settings change. For example, if you
  • ZyXEL ZyWALL USG 50 | User Manual - Page 88
    such as firewall, IDP, remote management, antivirus, and application patrol. Interfaces (Ethernet, VLAN,...) Interfaces are logical entities that (layer-3) packets pass through. Use interfaces in configuring VPN, zones, trunks, DDNS, policy routes, static routes, HTTP redirect, and NAT. Port roles
  • ZyXEL ZyWALL USG 50 | User Manual - Page 89
    6.2.2 Default Interface and Zone Configuration This section introduces the ZyWALL's default zone member physical interfaces and the default configuration of those interfaces. The following figure uses letters to denote public IP addresses or part of a private IP address.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 90
    Basics Table 14 Default Network Topology ZyWALL USG 50 Default Port, Interface, and Zone Configuration. Columns: PORT | INTERFACE | ZONE | IP ADDRESS AND DHCP SETTINGS | SUGGESTED USE WITH DEFAULT SETTINGS. Rows (first three columns): P1, P2 | wan1, wan2 | WAN; P3, P4 | lan1 | LAN1; P5 | lan2 | LAN2; P6 | dmz | DMZ; CONSOLE | n/a | None. DHCP clients
  • ZyXEL ZyWALL USG 50 | User Manual - Page 91
    ZyWALL applies its features and checks. Traffic in > Defragmentation > ALG > Destination NAT > Routing > Stateful Firewall > ADP > Application Classification > IDP > Anti-virus > Application Patrol > Content Filter > Anti-Spam > SNAT > Bandwidth Management > Traffic Out.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 92
    . 6.4.1 Routing Table Checking Flow When the ZyWALL receives packets it defragments them and applies destination NAT. Then it examines the packets and determines how to route them. The checking flow is from top to bottom. As soon as the packets match an entry in one
  • ZyXEL ZyWALL USG 50 | User Manual - Page 93
    clients use to access the server. A many 1 to 1 NAT entry works like multiple 1 to 1 NAT rules. It maps a range of private network servers that will initiate sessions to the outside clients to a range of public IP addresses. See Section 17.2.1 on page 324 for more.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 94
    on to bandwidth management. Figure 54 NAT Table Checking Flow 1 SNAT defined in the policy routes. 2 1 to 1 SNAT (including Many 1 to 1) is also included in the NAT table. 3 NAT loopback is now included in the NAT table instead of requiring a separate policy route.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 95
    on page 90. Note: PREREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one. For example, no other features reference DDNS entries, so there is no WHERE USED entry.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 96
    trunks, IPSec VPN, DDNS, policy routes, static routes, HTTP redirect, NAT, application patrol Example: The dmz interface is in the DMZ zone and uses a private IP address. To configure dmz's settings, click Network > Interface > Ethernet and then the dmz's Edit icon.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 97
    route. 3 Name the policy route. 4 Select the interface that the traffic comes in through (P3 in this example). 5 Select the FTP server's address as the source address. 6 You don't need to specify the destination address or the schedule. 7 For the service, select FTP.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 98
    zone. MENU ITEM(S) Configuration > Network > Zone PREREQUISITES Interfaces, IPSec VPN, SSL VPN WHERE USED Firewall, IDP, remote management, anti-virus, ADP, application patrol Example: For example, to create the DMZ-2 zone, click Network > Zone and then the Add icon.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 99
    , it does not check the to-ZyWALL firewall rules. MENU ITEM(S) Configuration > Network > NAT PREREQUISITES Interfaces, addresses (HOST) Example: Suppose you have an FTP server with a private IP address connected to a DMZ port. You could configure a NAT rule to forward FTP sessions from the WAN to
  • ZyXEL ZyWALL USG 50 | User Manual - Page 100
    Security (EPS) checking to make sure users' computers comply with defined corporate policies before they can access the network. MENU ITEM(S) Configuration > Auth. Policy PREREQUISITES Addresses, services, endpoint security objects, users, authentication methods
  • ZyXEL ZyWALL USG 50 | User Manual - Page 101
    source or destination addresses (or address groups) and services (or service groups). Each of these objects must be configured in a different screen. To-ZyWALL firewall rules control access to the ZyWALL. Configure to-ZyWALL firewall rules for remote management. By default, the firewall only allows
  • ZyXEL ZyWALL USG 50 | User Manual - Page 102
    16 SSL VPN Use SSL VPN to give remote users secure network access. MENU ITEM(S) Configuration > VPN > SSL VPN PREREQUISITES Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall WHERE
  • ZyXEL ZyWALL USG 50 | User Manual - Page 103
    ITEM(S) Configuration > Anti-X > IDP PREREQUISITES Registration, zones 6.5.20 ADP MENU ITEM(S) Configuration > BWM PREREQUISITES Zones Use ADP to detect and take action on traffic and protocol anomalies. MENU ITEM(S) Configuration > Anti-X > ADP PREREQUISITES Zones
  • ZyXEL ZyWALL USG 50 | User Manual - Page 104
    configuration screen. 9 Enable the content filter. 10 Add a policy that uses the schedule, the filtering profile and the user that you created. 6.5.22 Anti-Spam Use anti-spam to detect and take action on spam mail. MENU ITEM(S) Configuration > Anti-X > Anti-Spam
  • ZyXEL ZyWALL USG 50 | User Manual - Page 105
    (source, destination), content filter, user settings (force user authentication), address groups, remote management (System) service, service group Policy routes (criteria, port triggering), firewall, service groups, log (criteria) schedule Policy routes (criteria), authentication policies
  • ZyXEL ZyWALL USG 50 | User Manual - Page 106
    objects) the access can come. MENU ITEM(S) Configuration > System > DNS, WWW, SSH, TELNET, FTP, SNMP, Vantage CNM, Language PREREQUISITES To-ZyWALL firewall, zones, addresses, address groups, certificates (WWW, SSH, FTP, Vantage CNM), authentication methods (WWW)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 107
    a series of CLI commands. These are useful for large, repetitive configuration changes (for example, creating a lot of VPN tunnels) and for troubleshooting. You can edit configuration files and shell scripts in any text editor. MENU ITEM(S) Maintenance > File Manager
  • ZyXEL ZyWALL USG 50 | User Manual - Page 108
    the device in preparation for disconnecting the power. Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ZyWALL or remove the power. Not doing so can cause the firmware to become corrupt. MENU ITEM(S) Maintenance > Shutdown
  • ZyXEL ZyWALL USG 50 | User Manual - Page 109
    the following example configuration (see Section 6.2.2 on page 89 for the default configuration). • You want to be able to apply security settings specifically for all VPN tunnels so you create a new VPN zone. • The wan1 interface uses a static IP address of 1.2.3.4.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 110
    server. Add it to the LAN zone so all of the LAN zone's security policies apply to it. Figure 55 Ethernet Interface, Port Roles, and Zone Configuration Example 7.1.1 Configure a WAN Ethernet Interface You need to assign the ZyWALL's wan1 interface a static IP address of 1.2.3.4.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 111
    7.1.3 Configure the DMZ Interface for a Local Network Here is how to set the dmz interface (created in the previous section) for a separate local network. It uses 192.168.4.1 as its IP address and has a DHCP server to distribute IP addresses to connected DHCP clients.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 112
    the Subnet Mask to 255.255.255.0. Set DHCP to DHCP Server and click OK. Figure 58 Configuration > Network > Interface > Ethernet > Edit lan2 7.1.4 Configure Zones Do the following to create a VPN zone. 1 Click Configuration > Network > Zone and then the Add icon.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 113
    1 Make sure the 3G device's SIM card is installed. 2 Connect the 3G device to one of the ZyWALL's USB ports. 3 Click Configuration > Network > Interface > Cellular. Select the 3G device's entry and click Edit. Figure 60 Configuration > Network > Interface > Cellular
  • ZyXEL ZyWALL USG 50 | User Manual - Page 114
    to the Dashboard. The Interface Status Summary section should contain a "cellular" entry. When its connection status is Connected you can use the 3G connection to access the Internet. Figure 62 Status
  • ZyXEL ZyWALL USG 50 | User Manual - Page 115
    bandwidth on each of the WAN interfaces and configure the WAN_TRUNK trunk's load balancing settings. 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces Here is how to set a limit on how much traffic the ZyWALL tries to send out through each WAN interface.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 116
    field. Click OK. Figure 64 Configuration > Network > Interface > Ethernet > Edit (wan1) 2 Repeat the process to set the egress bandwidth for wan2 to 512 Kbps. 7.3.2 Configure the WAN Trunk 1 Click Configuration > Network > Interface > Trunk. Click the Add icon.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 117
    Chapter 7 Tutorials 2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 and enter 1 in the Weight column. Click OK. Figure 65 Configuration > Network > Interface > Trunk > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 118
    VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel; see Section 5.4 on page 76 for details on the VPN quick setup wizard. Figure 67 VPN Example: 1.2.3.4 (LAN 192.168.1.0/24) to 2.2.2.2 (LAN 172.16.1.0/24)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 119
    Address, select Interface and wan1. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in the Primary field. For the Authentication, select Pre-Shared Key and enter 12345678. Click OK. Figure 68 Configuration > VPN > IPSec VPN > VPN Gateway > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 120
    ("VPN_REMOTE_SUBNET"), change the Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK. Figure 69 Configuration > Object > Address > Add 3 Click Configuration > VPN > IPSec VPN > VPN Connection. Click the Add icon.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 121
    the IPSec_VPN zone. Make sure all firewalls between the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router should also allow UDP port 4500.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 122
    server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the Web Configurator. 1 Click Configuration > Object > User/Group > User. Click the Add icon.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 123
    Configuration > Object > User/Group > User > Add 3 Repeat this process to set up the remaining user accounts. 7.5.2 Set Up User Groups Set up the user groups and assign the users to the user groups. 1 Click Configuration > Object > User/Group > Group. Click the Add icon.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 124
    using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the ZyWALL to use the authentication method. Finally, force users to log in to the ZyWALL before it routes traffic for them.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 125
    up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 126
    Restrictions Use application patrol (AppPatrol) to enforce the web surfing and MSN policies. You must have already subscribed for the application patrol service. You can subscribe using the Configuration > Licensing > Registration screens or using one of the wizards.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 127
    Configuration > AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply. Figure 76 Configuration > AppPatrol > General 2 Click the Common tab and double-click the http entry. Figure 77 Configuration > AppPatrol > Common
  • ZyXEL ZyWALL USG 50 | User Manual - Page 128
    -click the Default policy. Figure 78 Configuration > AppPatrol > Common > http 4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK. Figure 79 Configuration > AppPatrol > Common > http > Edit Default
  • ZyXEL ZyWALL USG 50 | User Manual - Page 129
    AppPatrol > Common > http > Edit Default 7.5.5 Set Up MSN Policies Set up a recurring schedule object first because Sales can only use MSN during specified times on specified days. 1 Click Configuration > Object > Schedule. Click the Add icon for recurring schedules.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 130
    Set Up Firewall Rules Use the firewall to control access from LAN to the DMZ. 1 Click Configuration > Firewall > Add. Set the From field as LAN1 and the To field as DMZ. Set the Access field to deny, and click OK. Figure 82 Configuration > Firewall > LAN to DMZ > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 131
    If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 132
    a user belongs. This example uses Class. This attribute's value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss. Figure 84 Configuration > Object > AAA Server > RADIUS > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 133
    the Endpoint Security Objects Click Configuration > Object > Endpoint Security > Add to open the Endpoint Security Edit screen. • Select Endpoint must comply with all checking items. • Set the Endpoint Operating System to Windows and the Window Version to Windows 7.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 134
    Anti-Virus software installed and move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list. The following figure shows the configuration screen example. Figure 86 Configuration > Object > Endpoint Security > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 135
    • Select Force User Authentication to redirect the HTTP traffic of users who are not yet logged in to the ZyWALL's login screen. • Enable EPS checking and move the EPS objects you created to the selected list. • Click OK. Figure 87 Configuration > Auth. Policy > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 136
    the login screen. Figure 89 Example: Endpoint Security Error Message 7.8 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access (to the Web Configurator) and separate rules that control HTTP and HTTPS
  • ZyXEL ZyWALL USG 50 | User Manual - Page 137
    VPN for example). See Chapter 45 on page 675 for more on service control. The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access. If you configure service control to allow management
  • ZyXEL ZyWALL USG 50 | User Manual - Page 138
    4 Select the new rule and click the Add icon. Figure 92 Configuration > System > WWW (First Example Admin Service Rule Configured) 5 In the Zone field select ALL and set the Action to Deny. Click OK. Figure 93 Configuration > System > WWW > Service Control Rule Edit
  • ZyXEL ZyWALL USG 50 | User Manual - Page 139
    on the LAN1 for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN. Here is an example of how to configure NAT and the firewall to have the ZyWALL forward H.323 traffic destined
  • ZyXEL ZyWALL USG 50 | User Manual - Page 140
    and click Apply. Figure 96 Configuration > Network > ALG 7.9.2 Set Up a NAT Policy For H.323 In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to LAN1 IP address 192.168.1.56.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 141
    Configuration > Object > Address > Add to create an address object for the public WAN IP address (called WAN_IP-for-H323 here). Then use it again to create an address object for the H.323 device's private LAN1 IP address (called LAN_H323 here). Figure 97 Create Address Objects
  • ZyXEL ZyWALL USG 50 | User Manual - Page 142
    Set Up a Firewall Rule For H.323 The default firewall rule for WAN-to-LAN traffic drops all traffic. Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN1 IP address 192.168.1.56.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 143
    's LAN1 IP address object (LAN_H323). LAN_H323 is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. Set the Service to H.323. Click OK. Figure 99 Configuration > Firewall > Add 7.10 How to Allow Public Access to a Web Server This is an example of making
  • ZyXEL ZyWALL USG 50 | User Manual - Page 144
    IP to the Public_HTTP_Server_IP object and the Mapped IP to the DMZ_HTTP object. • HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 80.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 145
    by default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 146
    and the Service to HTTP, and click OK. Figure 104 Configuration > Firewall > Add 7.11 How to Use an IPPBX on the DMZ This is an example of making an IPPBX x6004 using SIP in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP
  • ZyXEL ZyWALL USG 50 | User Manual - Page 147
    address 1.1.1.2 that you will use on the wan1 interface and map to the IPPBX's private IP address of 192.168.3.7. The local SIP clients are on the LAN. Figure 105 IPPBX Example Network Topology
  • ZyXEL ZyWALL USG 50 | User Manual - Page 148
    Address Objects Use Configuration > Object > Address > Add to create the address objects. 1 Create a host address object named IPPBX-DMZ for the IPPBX's private DMZ IP address of 192.168.3.9. Figure 107 Creating the Address Object for the IPPBX's Private IP Address
  • ZyXEL ZyWALL USG 50 | User Manual - Page 149
    IPPBX's DMZ IP address object (IPPBX-DMZ). • Set the Port Mapping Type to Port, the Protocol Type to UDP and the original and mapped ports to 5060. • Keep Enable NAT Loopback selected to allow the LAN users to use the IPPBX (see NAT Loopback on page 327 for details).
  • ZyXEL ZyWALL USG 50 | User Manual - Page 150
    blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send SIP traffic to the IPPBX. If a domain name is registered for IP address 1.1.1.2, users can use it to connect for making SIP calls.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 151
    110 Configuration > Firewall > Add 7.11.5 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN zone by default so you need to create a firewall rule to allow the IPPBX to send SIP traffic to the SIP clients on the LAN.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 152
    Click Configuration > Object > Address > Add to create the address object that represents the range of static public IP addresses. In this example you name it Public-IPs and it goes from 1.1.1.10 to 1.1.1.17. Figure 112 Creating the Public IP Address Range Object
  • ZyXEL ZyWALL USG 50 | User Manual - Page 153
    , it is recommended. This example uses LAN-to-WAN-Range. Specifying a Source Address is also optional although recommended. This example uses LAN_SUBNET1. Set the Source Network Address Translation to Public-IPs and click OK. Figure 113 Configuring the Policy Route
  • ZyXEL ZyWALL USG 50 | User Manual - Page 154
  • ZyXEL ZyWALL USG 50 | User Manual - Page 155
    PART II Technical Reference
  • ZyXEL ZyWALL USG 50 | User Manual - Page 156
  • ZyXEL ZyWALL USG 50 | User Manual - Page 157
    into the ZyWALL. 8.2 The Dashboard Screen The Dashboard screen displays when you log into the ZyWALL or click Dashboard in the navigation panel. The dashboard displays general device information, system status, system resource usage, licensed service status, and
  • ZyXEL ZyWALL USG 50 | User Manual - Page 158
    The following table describes the labels in this screen. Table 19 Dashboard LABEL DESCRIPTION Widget Setting Use this link to re-open closed widgets. Widgets that are already open (A) appear grayed . Slot This field displays the name of each extension slot.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 159
    virtual router, this field displays the IP address it is currently using. This is either the static IP address of the interface (if it is the master) or the management IP address (if it is a backup). Device This identifies a device installed in one of the ZyWALL's extension slots or USB ports
  • ZyXEL ZyWALL USG 50 | User Manual - Page 160
    interface (if it is the master) or the management IP address (if it is a backup). Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click the Connect icon to have the ZyWALL try to connect a PPPoE/PPTP interface. If the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 161
    the system configuration. This shows how many licensed services there are. This is the current status of the license. This identifies the licensed service. This is the version number of the content filtering, anti-virus or IDP signatures (anti-virus and IDP).
  • ZyXEL ZyWALL USG 50 | User Manual - Page 162
    This is how many times the ZyWALL has detected the event described in the entry. 8.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyWALL's recent CPU usage. To access this screen, click CPU Usage in the dashboard. Figure 115 Dashboard > CPU Usage
  • ZyXEL ZyWALL USG 50 | User Manual - Page 163
    usage. The x-axis shows the time period over which the RAM usage occurred. Refresh Interval Enter how often you want this window to be automatically updated. Refresh Click this to update the information in the window right away.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 164
    session. The x-axis shows the time period over which the session usage occurred. Refresh Interval Enter how often you want this window to be automatically updated. Refresh Click this to update the information in the window right away.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 165
    The DHCP Table Screen Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard. Figure 119 Dashboard > DHCP Table
  • ZyXEL ZyWALL USG 50 | User Manual - Page 166
    field, and then click Apply. 8.2.6 The Number of Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the dashboard's Number of Login Users icon. Figure 120 Dashboard > Number of Login Users
  • ZyXEL ZyWALL USG 50 | User Manual - Page 167
    for each user. See Chapter 35 on page 583. Type This field displays the way the user logged in to the ZyWALL. IP address This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout Click this icon to end a user's session.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 168
    Chapter 8 Dashboard
  • ZyXEL ZyWALL USG 50 | User Manual - Page 169
    11 on page 191) to display and manage active IPSec SAs. • Use the VPN Monitor > SSL screen (see Section 9.12 on page 193) to list the users currently logged into the VPN SSL client portal. You can also log out individual users and delete related session information.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 170
    the labels in this screen. Table 26 Monitor > System Status > Port Statistics LABEL DESCRIPTION Poll Interval Enter how often you want this window to be updated automatically, and click Set Interval. Set Interval Click this to set the Poll Interval the screen uses.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 171
    , in bytes per second, on the physical port in the one-second interval before the screen updated. This field displays how long the physical port has been connected. This field displays how long the ZyWALL has been running since it last restarted or was turned on.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 172
    the transmission or reception occurred. TX This line represents traffic transmitted from the ZyWALL on the physical port since it was last connected. RX This line represents the traffic received by the ZyWALL on the physical port since it was last connected.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 173
    there is an Expand icon (plus-sign) next to the name, click this to look at the status of virtual interfaces on top of this interface.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 174
    to send a new DHCP request to a DHCP server. Click Connect to try to connect a PPPoE/PPTP interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a. This table provides packet statistics for each interface.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 175
    cases because the ZyWALL counts HTTP GET packets. Please see Table 29 on page 176 for more information. • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic and how much traffic has been sent to and from each one
  • ZyXEL ZyWALL USG 50 | User Manual - Page 176
    your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. Statistics Interface Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge and PPPoE/PPTP interfaces.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 177
    the service was using. This field indicates whether the indicated protocol or service port is sending or receiving traffic. Ingress - traffic is coming into the router through the interface Egress - traffic is going out from the router through the interface
  • ZyXEL ZyWALL USG 50 | User Manual - Page 178
    the hit count limit. Table 30 Maximum Values for Reports manage sessions in this screen. The following information is displayed. • User who started the session • Protocol or service port used • Source address • Destination address • Number of bytes received (so far)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 179
    screen also refreshes automatically when you open and close the screen. The User, Service, Source Address, and Destination Address fields display if you view all sessions. Select your desired filter criteria and click the Search button to filter the list of sessions.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 180
    IP address's sessions. This field displays the amount of information received by the source in the active session. This field displays the amount of information transmitted by the source in the active session. This field displays the length of the active session in seconds.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 181
    :second format). 9.7 IP/MAC Binding Monitor Click Monitor > System Status > IP/MAC Binding to open the IP/MAC Binding Monitor screen. This screen lists the devices that have received an IP address from ZyWALL interfaces with IP/MAC binding enabled and have ever
  • ZyXEL ZyWALL USG 50 | User Manual - Page 182
    to update the information in the screen. 9.8 The Login Users Screen Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click Monitor > System Status > Login Users. Figure 128 Monitor > System Status > Login Users
  • ZyXEL ZyWALL USG 50 | User Manual - Page 183
    displays the way the user logged in to the ZyWALL. IP address This field displays the IP address of the computer used to log in to the ZyWALL. Force Logout Click this icon to end a user's session. Refresh Click this button to update the information in the screen. 9.9 Cellular Status Screen
  • ZyXEL ZyWALL USG 50 | User Manual - Page 184
    failed to create a PPP connection for the cellular interface. Need auth-password - You need to enter the password for the 3G card in the cellular edit screen. Device ready - The ZyWALL successfully applied all of your configuration and you can use the 3G connection.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 185
    helps identify your 3G device and SIM card. Click Monitor > System Status > More Information to display this screen. Note: This screen is only available when the 3G device is attached to and activated on the ZyWALL. Figure 130 Monitor > System Status > More Information
  • ZyXEL ZyWALL USG 50 | User Manual - Page 186
    . Service Provider This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the 3G SIM card. For example if protocols. Click Monitor > AppPatrol Statistics to open the following screen.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 187
    Statistics screen to configure what to display. Figure 131 Monitor > AppPatrol Statistics: General Setup The following table describes the labels in this screen. Table 37 Monitor > them. Statistics for the selected protocols display after you click Apply.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 188
    the ZyWALL sends to the initiator of the connection. • A dotted line represents a protocol's outgoing bandwidth usage. This is the protocol's traffic that the ZyWALL sends out from the initiator of the connection. • Different colors represent different protocols.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 189
    application's traffic the ZyWALL identified by Connection examining the IP payload. Matched Service Ports Connection This is how much of the application's traffic the ZyWALL identified by examining OSI level-3 information such as IP addresses and port numbers.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 190
    is the outbound traffic. Forwarded This is how much of the application's traffic the ZyWALL has sent (in Data service's name to display this screen with statistics for each of the service's application patrol rules. Figure 134 Monitor > AppPatrol Statistics > Service
  • ZyXEL ZyWALL USG 50 | User Manual - Page 191
    access this screen, click Monitor > VPN Monitor > IPSec. The following screen appears. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 135 Monitor > VPN Monitor > IPSec
  • ZyXEL ZyWALL USG 50 | User Manual - Page 192
    to update the information in the display. 9.11.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 193
    in this screen. Table 41 Monitor > VPN Monitor > SSL LABEL DESCRIPTION Disconnect Select a connection and click this button to terminate the user's connection and delete corresponding session information from the ZyWALL. # This field displays the index number.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 194
    Table 41 Monitor > VPN Monitor > SSL (continued) LABEL DESCRIPTION User This field displays the account user name used to establish this SSL VPN connection. Access This field displays the name of the SSL VPN application the user is accessing. Login Address This field displays the IP address
  • ZyXEL ZyWALL USG 50 | User Manual - Page 195
    ZyWALL has detected. Occurrences This field displays how many times the ZyWALL has detected the event described in the entry. The statistics display as follows when you display the top entries by source. Figure 138 Monitor > Anti-X Statistics > Anti-Virus: Source IP
  • ZyXEL ZyWALL USG 50 | User Manual - Page 196
    your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. Refresh Click this button to update the report display. Flush Data Click this button to discard all of the screen's statistics and update the report display.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 197
    the ZyWALL has reset. Top Entry By Use this field to have the following (read-only) table display the top IDP entries by Signature Name, Source or Destination. Select Signature Name to list the most common signatures that the ZyWALL has detected. Select Source to list the source IP addresses from
  • ZyXEL ZyWALL USG 50 | User Manual - Page 198
    Anti-X Statistics > IDP: Destination 9.15 The Content Filter Statistics Screen Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 143 Monitor > Anti-X Statistics > Content Filter
  • ZyXEL ZyWALL USG 50 | User Manual - Page 199
    Without Policy filtering service. Web Pages Passed This is the number of web pages to which the ZyWALL allowed access. Unsafe Web Pages This is the number of requested web pages that the ZyWALL's content filtering service identified as posing a threat to users.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 200
    in the cache. You can remove individual entries from the cache. When you do this, the ZyWALL queries the external content filtering database the next time someone tries to access that web site. This allows you to check whether a web site's category has been changed.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 201
    The following table describes the labels in this screen. Table 45 Anti-X addresses from the cache manually. Remove Select one or more URL entries and click Delete to remove them from the cache. # This is the index number of a categorized web site address record.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 202
    up the processing of web access requests but will also make it take longer for the ZyWALL to reflect changes in the external content filtering database. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 203
    all of the screen's statistics and update the report display. Total Mails Scanned This field displays the number of e-mails that the ZyWALL's anti-spam feature has checked. Clear Mails This is the number of e-mails that the ZyWALL has determined to not be spam.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 204
    ZyWALL has detected. This column displays when you display the entries by Sender Mail Address. This column displays the e-mail addresses from which the ZyWALL has detected the most spam. This field displays how many spam e-mails the ZyWALL detected from the sender.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 205
    relay IP addresses in e-mails. This is the total number of DNS queries the ZyWALL has sent to this DNSBL. This is the average for how long it takes to receive a reply from this DNSBL. This is how many DNS queries the ZyWALL sent to this DNSBL without receiving a reply.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 206
    can select a specific category of log messages (for example, firewall or user). You can also look at the debugging log by selecting Debug sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 147 Monitor > Log
  • ZyXEL ZyWALL USG 50 | User Manual - Page 207
    Type the source IP address of the incoming packet that generated the log message. Do not include the port in this filter. This displays when you show the filter. Type the IP address of the destination of . This field displays the time the log message was recorded.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 208
    IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 209
    screen. Alternatively, go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details. Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 210
    Registration > Service screen. You must use the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 211
    screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next. Figure 148 Configuration > Licensing > Registration The following table describes the labels in
  • ZyXEL ZyWALL USG 50 | User Manual - Page 212
    . IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http:// myupdate.zywall.zyxel
  • ZyXEL ZyWALL USG 50 | User Manual - Page 213
    a standard service subscription, purchase an iCard and enter the iCard's PIN number (license key) in this screen. Click Configuration > Licensing > Registration > Service to open the screen as shown next. Figure 150 Configuration > Licensing > Registration > Service
  • ZyXEL ZyWALL USG 50 | User Manual - Page 214
    . If a standard service subscription runs out, you need to buy a new iCard (specific to your ZyWALL) and enter the new PIN number to extend the service. Click this button to renew service license information (such as the registration status and expiration day).
  • ZyXEL ZyWALL USG 50 | User Manual - Page 215
    interfaces on top of Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • Use the Trunk screens (Chapter 12 on page 271) to configure load balancing.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 216
    load balancing between interfaces. Port groups and trunks have a lot of characteristics that are specific to each type of interface. See Section 11.2 on page 218 and Chapter 12 on page 271 for details. The other types of interfaces--Ethernet, PPP, cellular, VLAN, bridge, and
  • ZyXEL ZyWALL USG 50 | User Manual - Page 217
    table. Table 52 Relationships Between Different Types of Interfaces INTERFACE REQUIRED PORT / INTERFACE port group physical port Ethernet interface physical port VLAN interface bridge interface port group Ethernet interface Ethernet interface* VLAN interface*
  • ZyXEL ZyWALL USG 50 | User Manual - Page 218
    connection between the physical ports at the layer-2 (data link, MAC address) level. This provides wire-speed throughput but no security. Note the following if you are configuring from a computer connected to a lan1, lan2 or dmz port and change the port's role:
  • ZyXEL ZyWALL USG 50 | User Manual - Page 219
    change the port groups to their current configuration (last-saved values). 11.3 Ethernet Summary Screen This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Configuration > Network > Interface > Ethernet.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 220
    a significant amount of configuration and management. The ZyWALL supports two routing protocols, RIP and OSPF. See Chapter 14 on page 297 for background information about these routing protocols. Figure 152 Configuration > Network > Interface > Ethernet (USG 20W)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 221
    whenever the interface's IP address settings change. For example, if you change LAN1's IP address, the ZyWALL automatically updates the corresponding interface-based, LAN1 subnet address object. With RIP, you can use Ethernet interfaces to do the following things.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 222
    • Enable and disable RIP in the underlying physical port or port group. • Select which direction(s) routing information is exchanged - The ZyWALL can receive routing information, send routing information, or do both. • Select which version of RIP to support in each direction - The ZyWALL supports
  • ZyXEL ZyWALL USG 50 | User Manual - Page 223
    Chapter 11 Interfaces Figure 153 Configuration > Network > Interface > Ethernet > Edit (WAN)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 224
    Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Settings Enable Interface Select this to enable this interface. Clear this to disable this interface. Interface Properties
  • ZyXEL ZyWALL USG 50 | User Manual - Page 225
    the Internet). The ZyWALL automatically adds this interface to the default WAN trunk. Interface Name Port Zone MAC Address Description IP Address Assignment Get Automatically For General, the rest of the screen's options do not automatically adjust and you must manually configure a policy route to
  • ZyXEL ZyWALL USG 50 | User Manual - Page 226
    the gateway. Check Default Gateway Select this to use the default gateway for the connectivity check. Check this address Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 227
    ways to specify these IP addresses. Custom Defined - enter a static IP address. From ISP - select the DNS server that another interface received from its DHCP server. ZyWALL - the DHCP clients use the IP address of this interface and the ZyWALL works as a DNS relay.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 228
    IP addresses. Enable Logs for IP/MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address that is bound to another device's MAC address. Static DHCP Table Configure a list of static IP addresses the ZyWALL
  • ZyXEL ZyWALL USG 50 | User Manual - Page 229
    , a manually specified MAC address, or clone the MAC address of another device or computer. Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address. By default, the ZyWALL uses the factory assigned MAC address to identify itself.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 230
    Name This identifies the object for which the configuration settings that use it are displayed. Click the object's name to display the object's configuration screen in the main window. # This field is a sequential value, and it is not associated with any entry.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 231
    one computer. Therefore, the subnet mask is always 255.255.255.255. In addition, the ZyWALL always treats the ISP as a gateway. At the time of writing, it is possible to set up the IP address of the gateway (ISP) using CLI commands but not in the Web Configurator.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 232
    the interface. Object References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 230 for an example. # This field is a sequential value, and it is not associated with any interface.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 233
    . 11.4.2 PPP Interface Add or Edit Note: You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 234
    is explained in the following table. Table 58 Configuration > Network > Interface > PPP > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields. General Settings
  • ZyXEL ZyWALL USG 50 | User Manual - Page 235
    In this case, the DHCP server configures the IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP interfaces. Use Fixed IP Address Select this if you want to specify the IP address manually. IP Address This field is enabled if you select Use Fixed
  • ZyXEL ZyWALL USG 50 | User Manual - Page 236
    TRUNK Click WAN TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing. Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 237
    access to mobile devices. Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider's base station, and so on. You can configure how the ZyWALL's the home network is too low or it is unavailable.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 238
    Configuration > Network > Interface > Cellular. Note: Install (or connect) a compatible 3G USB to use a cellular connection. See Chapter 52 on page 775 for details. Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 239
    its last-saved settings. 11.5.1 Cellular Add/Edit Screen To change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 240
    Chapter 11 Interfaces Figure 159 Configuration > Network > Interface > Cellular > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 241
    card. Enter the APN from your service provider. Connections with different APNs may provide different services (such as Internet access or MMS (Multi-Media Messaging Service)) and charge method. You can enter up to 63 ASCII printable characters. Spaces are allowed.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 242
    for example) provided by your ISP. If you enter the PIN code incorrectly, the 3G card may be blocked by your ISP and you cannot use the account to access the Internet. Interface Parameters If your ISP disabled PIN code authentication, enter an arbitrary number.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 243
    as part of a WAN trunk for load balancing. Configure Policy Route Click Policy Route to go to the policy route summary screen where you can configure a policy route to override the default routing and SNAT behavior for the interface. IP Address Assignment
  • ZyXEL ZyWALL USG 50 | User Manual - Page 244
    Table 61 Configuration > Network > Interface > Cellular > Add (continued) LABEL DESCRIPTION Get Automatically Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option if the ISP assigned a fixed IP address
  • ZyXEL ZyWALL USG 50 | User Manual - Page 245
    to set a limit on the upstream traffic (from the ZyWALL to the ISP). Select Download/Upload to set a limit on the total traffic in both directions. If you change the value after you configure and enable budget control, the ZyWALL resets the statistics. Reset time and Select the date on which the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 246
    : Before VLAN A B C In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router. Alternatively, you can divide the physical networks into three VLANs.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 247
    layer, IP addresses). It is handled by the router. This change the physical network without changing policies. In this example, the new switch handles the following types of traffic: • Inside VLAN 2. • Between the router and VLAN 1. • Between the router and VLAN 2.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 248
    an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and To open the screen where you can create a virtual interface, select an interface and click Create Virtual Interface.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 249
    Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 11.6.2 VLAN Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen
  • ZyXEL ZyWALL USG 50 | User Manual - Page 250
    Chapter 11 Interfaces Figure 163 Configuration > Network > Interface > VLAN > Edit
  • ZyXEL ZyWALL USG 50 | User Manual - Page 251
    . This field is enabled if you select Use Fixed IP Address. Enter the IP address of the gateway. The ZyWALL sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 252
    name or IP address in the field next to it. Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check. DHCP Setting The DHCP settings are available for the OPT, LAN and DMZ interfaces.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 253
    Server, Second WINS Server Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 254
    IP addresses. Enable Logs for IP/MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this VLAN attempts to use an IP address that is bound to another device's MAC address. Static DHCP Table Configure a list of static IP addresses the ZyWALL
  • ZyXEL ZyWALL USG 50 | User Manual - Page 255
    for load balancing. Configure Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN. OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 256
    2 in the table. It also looks up 0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4. Table 64 Example: Bridge Table After Computer A Sends a Packet to Computer B MAC ADDRESS PORT 0A:0A:0A:0A:0A:0A 2
  • ZyXEL ZyWALL USG 50 | User Manual - Page 257
    242.242.242/32 dmz In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or removed from a bridge interface when the underlying interface is added or removed.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 258
    interfaces. This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 259
    parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 260
    Chapter 11 Interfaces Figure 165 Configuration > Network > Interface > Bridge > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 261
    In this case, the DHCP server configures the IP address, subnet mask, and gateway automatically. Select this if you want to specify the IP address, subnet mask, and gateway manually. This field is enabled if you select Use Fixed IP Address. Subnet Mask Enter the IP address for this interface. This
  • ZyXEL ZyWALL USG 50 | User Manual - Page 262
    fields appear if the ZyWALL is a DHCP Relay. Relay Server 1 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the ZyWALL is a DHCP Server.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 263
    to another device's MAC address. Static DHCP Table Configure a list of static IP addresses the ZyWALL assigns to computers connected to the interface. Otherwise, the ZyWALL assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 264
    ZyWALL. Cancel Click Cancel to exit this screen without saving. 11.7.3 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet
  • ZyXEL ZyWALL USG 50 | User Manual - Page 265
    gateway (if any) on this interface. The ZyWALL decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the ZyWALL uses the one that was configured first. Interface Parameters
  • ZyXEL ZyWALL USG 50 | User Manual - Page 266
    If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface wan1. In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255
  • ZyXEL ZyWALL USG 50 | User Manual - Page 267
    interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on ge2. In this case, the ZyWALL creates the following entry in the routing table. Table 71 Example: Routing Table Entry for a Gateway IP ADDRESS(ES) DESTINATION 0.0.0.0/0 200
  • ZyXEL ZyWALL USG 50 | User Manual - Page 268
    manual configuration you have to do and usually uses available IP addresses more efficiently. In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP
  • ZyXEL ZyWALL USG 50 | User Manual - Page 269
    Internet Naming Service) is a Windows implementation of NetBIOS Name Server (NBNS) on Windows. It keeps track of NetBIOS computer names. It stores a mapping table of your network's computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce
  • ZyXEL ZyWALL USG 50 | User Manual - Page 270
    port 1723. It is used to start and manage the second one. 2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 271
    configure link sticking and view the list of configured trunks and which load balancing algorithm each trunk uses. • Use the Trunk Edit screen (Section 12.3 on page 277) to configure which interfaces belong to each trunk and the load balancing algorithm each trunk uses.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 272
    's subsequent sessions came from a different WAN IP address, the server would deny them. Here is an example. Figure 168 Link Sticking 1 wan1 2 wan2 3 B LAN A 1 LAN user A logs into server B on the Internet. The ZyWALL uses wan1 to send the request to server B.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 273
    example, the measured (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The ZyWALL calculates the load balancing index as shown in the table below. 2. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 274
    and traffic to be sent through them. Suppose the first trunk member interface uses an unlimited access Internet connection and the second is billed by usage. Spillover load balancing only uses the second interface when the traffic load exceeds the threshold on the first
  • ZyXEL ZyWALL USG 50 | User Manual - Page 275
    Algorithm Example Finding Out More • See Section 6.5.5 on page 97 for related information on the Trunk screens. • See Section 7.3 on page 115 for an example of how to configure load balancing. • See Section 12.4 on page 279 for more background information on trunks.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 276
    when a server requires authentication. Timeout This setting applies when you use load balancing and have multiple WAN interfaces set to active mode. Specify the time period during which sessions from one source to the same destination are to use the same link.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 277
    12 Trunks Table 74 Configuration > Network > Interface > Trunk (continued) LABEL DESCRIPTION Enable Default SNAT Select this to have the ZyWALL use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks. The ZyWALL automatically adds
  • ZyXEL ZyWALL USG 50 | User Manual - Page 278
    the interfaces), the more traffic the ZyWALL sends through that interface. This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the ZyWALL is to allow to come in through the interface per second.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 279
    . This queue then moves to the back of the list. The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 280
    Chapter 12 Trunks
  • ZyXEL ZyWALL USG 50 | User Manual - Page 281
    if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers. 13.1.1 What You Can Do in this Chapter • Use the Policy Route screens (see Section 13.2 on page 284) to list and configure policy routes.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 282
    . To have the ZyWALL send data to devices not reachable through the default gateway, use static routes. Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 14 on page 297 for more on RIP and OSPF.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 283
    Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 284
    interface, VPN tunnel, or trunk. • Limiting the amount of bandwidth available and setting a priority for traffic. IPPR follows the existing packet filtering facility of RAS in style and in implementation. Figure 175 Configuration > Network > Routing > Policy Route
  • ZyXEL ZyWALL USG 50 | User Manual - Page 285
    active at all times if enabled. This is the interface on which the packets are received. This is the name of the source IP address (group) object. any means all IP addresses. This is the name of the destination IP address (group) object. any means all IP addresses.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 286
    does not perform NAT for this route. This is the maximum bandwidth allotted to the policy. 0 means there is no bandwidth limitation for this route. Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 287
    need to use in this screen. Configuration Enable Select this to activate the policy. Description Enter a descriptive name of up to 31 printable ASCII characters for the policy. Criteria User Select a user name or user group from which the packets are sent.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 288
    when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your ZyWALL's interface(s). 288 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 289
    Address Translation Select default to have the ZyWALL set the DSCP value of the packets to 0. Use this field to specify a custom DSCP value. Use this section to configure NAT for the policy route. This section does not apply to policy routes that use a VPN tunnel as the next hop. ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 290
    use as the source IP address(es) of the packets that match this route. Configure trigger port forwarding to allow computers on the LAN to dynamically take turns using a service that uses a dedicated range of ports on the client side and a dedicated range of ports on the server side. Add Edit Remove
  • ZyXEL ZyWALL USG 50 | User Manual - Page 291
    > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. Figure 177 Configuration > Network > Routing > Static Route ZyWALL USG 50 User's Guide 291
  • ZyXEL ZyWALL USG 50 | User Manual - Page 292
    the destination IP address. Subnet Mask This is the IP subnet mask. Next-Hop This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets
  • ZyXEL ZyWALL USG 50 | User Manual - Page 293
    Table 79 Configuration > Network > Routing > Static Route > Add (continued) LABEL DESCRIPTION Gateway IP Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward
  • ZyXEL ZyWALL USG 50 | User Manual - Page 294
    to game server 1 using port 1234. The ZyWALL records the IP address of computer A when the packets match a policy with SNAT configured. 2 Game server 1 responds using a port number ranging between 5670 - 5678. The ZyWALL allows and forwards the traffic to computer A. 294 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 295
    connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway, outgoing interface, VPN tunnel or trunk) from computer A or until the connection is closed or times out. Figure 179 Trigger Port Forwarding Example Maximize Bandwidth
  • ZyXEL ZyWALL USG 50 | User Manual - Page 296
    Chapter 13 Policy and Static Routes 296 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 297
    RIP: Network Size: Small (with up to 15 routers); Metric: Hop count; Convergence: Slow. OSPF: Network Size: Large; Metric: Bandwidth, hop count, throughput, round trip time and reliability; Convergence: Fast. Finding Out More See Section 14.4 on page 308 for background information on routing protocols. ZyWALL USG 50 User's Guide 297
  • ZyXEL ZyWALL USG 50 | User Manual - Page 298
    in RIP terms. • RIP uses UDP port 520. Use the RIP screen to specify the authentication method and maintain the policies for redistribution. Click Configuration > Network > Routing > RIP to open the following screen. Figure 180 Configuration > Network > Routing > RIP 298 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 299
    your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. 14.3 The OSPF Screen OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 300
    OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. • OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network. • OSPF responds to changes in the network, such as the loss of a router
  • ZyXEL ZyWALL USG 50 | User Manual - Page 301
    backbone. In this example, areas 1, a default route to routers in the same area. • An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 302
    router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR. Each type of router is illustrated in the following example. Figure 182 OSPF: Types of Routers virtual link through an intermediate area 302 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 303
    Use the first OSPF screen to specify the OSPF router the ZyWALL uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them. ZyWALL USG 50 User's Guide 303
  • ZyXEL ZyWALL USG 50 | User Manual - Page 304
    for more information as well. Table 84 Configuration > Network > Routing Protocol > OSPF LABEL DESCRIPTION OSPF Router ID Select the 32-bit ID the ZyWALL uses in the OSPF AS. Default - the highest available IP address assigned to the interfaces is the ZyWALL's ID. Redistribute Active RIP Type
  • ZyXEL ZyWALL USG 50 | User Manual - Page 305
    type is different from the Type field above. Authentication This field displays the default authentication method in the area. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 50 User's Guide 305
  • ZyXEL ZyWALL USG 50 | User Manual - Page 306
    This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication. Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). 306 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 307
    changes back to the ZyWALL. Click Cancel to exit this screen without saving. 14.3.3 Virtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 14.3.2 on page ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 308
    > Network > Routing > OSPF > Add > Add The following table describes the labels in this screen. Table 86 Configuration > Network > Routing > OSPF > Add > Add LABEL DESCRIPTION Peer Router ID Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link. Authentication Select
  • ZyXEL ZyWALL USG 50 | User Manual - Page 309
    to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 310
    Chapter 14 Routing Protocols 310 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 311
    Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and/or VPN tunnels. The ZyWALL uses zones instead of interfaces in many security and policy settings, such as firewall rules, Anti-X, and remote management. Zones cannot overlap. Each
  • ZyXEL ZyWALL USG 50 | User Manual - Page 312
    You can also set up firewall rules to control intra-zone traffic (for example, DMZ-to-DMZ), but or from any interface or VPN tunnel that is not assigned to a zone. For example, in Figure 187 on page example of configuring Ethernet interfaces, port groups, and zones. 312 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 313
    To access this screen, click Configuration > Network > Zone. Configuration > Network > Zone The following table describes the labels in this screen. Table 87 Configuration > Network > Zone LABEL DESCRIPTION User Configuration / System Default The ZyWALL comes with pre-configured System Default
  • ZyXEL ZyWALL USG 50 | User Manual - Page 314
    and VPN tunnels that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them. Click OK to save your customized settings and exit this screen. Click Cancel to exit this screen without saving. 314 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 315
    PROVIDER | SERVICE TYPES SUPPORTED | WEBSITE
    DynDNS | Dynamic DNS, Static DNS, and Custom DNS | www.dyndns.com
    Dynu | Basic, Premium | www.dynu.com
    No-IP | No-IP | www.no-ip.com
    Peanut Hull | Peanut Hull | www.oray.cn
    3322 | 3322 Dynamic DNS, 3322 Static DNS | www.3322.org
    ZyWALL USG 50 User's Guide 315
  • ZyXEL ZyWALL USG 50 | User Manual - Page 316
    16 DDNS Note: Record your DDNS account's user name, password, and domain name to use to configure the ZyWALL. After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly. Finding Out More See Section 6.5.9 on
  • ZyXEL ZyWALL USG 50 | User Manual - Page 317
    server checks the source IP address of the packets from the ZyWALL for the IP address to use for the domain name. Apply Reset custom - The IP address is static. Click this button to save your changes to the ZyWALL. Click this button to return the screen to its last-saved settings. ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 318
    an Add or Edit icon to open this screen. Figure 190 Configuration > Network > DDNS > Add The following table describes the labels in this screen. Table 91 Configuration > Network > DDNS > when you are editing an entry. Select the type of DDNS service you are using. 318 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 319
    interface specified by the Primary Binding Interface settings is not available. Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface. Select None to not use a backup address. ZyWALL USG 50 User's Guide 319
  • ZyXEL ZyWALL USG 50 | User Manual - Page 320
    is not available. Once your mail server is available again, the DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving. 320 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 321
    Multiple Servers Behind NAT Example 17.1.1 What You Can Do in this Chapter Use the NAT screens (see Section 17.2 on page 322) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 322
    table describes the labels in this screen. Table 92 Configuration > Network > NAT LABEL DESCRIPTION Add Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. 322 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 323
    the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port. Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. ZyWALL USG 50 User's Guide 323
  • ZyXEL ZyWALL USG 50 | User Manual - Page 324
    to turn the NAT rule on or off. Rule Name Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. 324 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 325
    all the HOST address objects in the ZyWALL. If you select one of them, this NAT rule supports the IP address specified by the address object. This field is available if Mapped IP is User Defined. Type the translated destination IP address that this NAT rule supports. ZyWALL USG 50 User's Guide 325
  • ZyXEL ZyWALL USG 50 | User Manual - Page 326
    to the Mapped IP device. For example, if you configure a NAT rule to forward traffic from the WAN to a LAN server, enabling NAT loopback allows users connected to other interfaces to also access the server. For LAN users, the ZyWALL uses the LAN interface's IP address as the source address for the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 327
    about NAT on the ZyWALL. NAT Loopback Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule's original IP to access the mail server. ZyWALL USG 50 User's Guide 327
  • ZyXEL ZyWALL USG 50 | User Manual - Page 328
    The LAN SMTP server replies to the ZyWALL's LAN IP address and the ZyWALL changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic's source matches the original destination address (1.1.1.1). If the ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 329
    going through NAT, the source would not match the original destination address which would cause the LAN user's computer to shut down the session. Figure 196 LAN to LAN Return Traffic ZyWALL USG 50 User's Guide 329
  • ZyXEL ZyWALL USG 50 | User Manual - Page 330
    Chapter 17 NAT 330 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 331
    to get them from a server. Proxy server A then forwards the response to the client. Figure 197 HTTP Redirect Example LAN1 18.1.1 What You Can Do in this Chapter Use the HTTP Redirect screens (see Section 18.2 on page 333) to display and edit the HTTP redirect rules. ZyWALL USG 50 User's Guide 331
  • ZyXEL ZyWALL USG 50 | User Manual - Page 332
    and dmz. • a HTTP redirect rule to forward HTTP traffic from lan1 to proxy server A. For HTTP traffic between dmz and wan1: • a from DMZ to WAN firewall rule (default) to allow HTTP requests from dmz to wan1. Responses to these requests are allowed automatically. 332 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 333
    the entry is inactive. Name This is the descriptive name of a rule. Interface This is the interface on which the request must be received. Proxy Server This is the IP address of the proxy server. ZyWALL USG 50 User's Guide 333
  • ZyXEL ZyWALL USG 50 | User Manual - Page 334
    forward it to the specified proxy server. Proxy Server Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 334 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 335
    A and B and the SIP server. Figure 200 SIP ALG Example The ALG feature is only needed for traffic that goes through the ZyWALL's NAT. 19.1.1 What You Can Do in this Chapter Use the ALG screen (Section 19.2 on page 339) to set up SIP, H.323, and FTP ALG settings. ZyWALL USG 50 User's Guide 335
  • ZyXEL ZyWALL USG 50 | User Manual - Page 336
    The ALG on the ZyWALL supports all of the ZyWALL's NAT mapping types. FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and firewall rules if you want to allow access to the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 337
    for SIP traffic. Peer-to-Peer Calls and the ZyWALL The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the firewall and NAT (port forwarding) to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN (or DMZ). VoIP Calls from the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 338
    routing lets the ZyWALL correctly forward the return traffic for the calls initiated from the LAN IP addresses. For example, you configure firewall and NAT rules to allow LAN IP address A to receive calls through public WAN IP address 1. You configure different firewall and port forwarding rules to
  • ZyXEL ZyWALL USG 50 | User Manual - Page 339
    on, configure the port numbers to which they apply, and configure SIP ALG time outs. Note: If the ZyWALL provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service's traffic. Figure 204 Configuration > Network > ALG ZyWALL USG 50 User's Guide 339
  • ZyXEL ZyWALL USG 50 | User Manual - Page 340
    323 device or server that will modify IP addresses and port numbers embedded in the H.323 data payload. If you are using a custom TCP port number (not 1720) for H.323 traffic, enter it here. If you are also using H.323 on an additional TCP port number, enter it here. 340 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 341
    are set to active, you can configure routing policies to specify which interface the ALG-managed traffic uses. You could also have a trunk with one interface set to active and a second interface set to passive. The ZyWALL does not automatically change ALG-managed ZyWALL USG 50 User's Guide 341
  • ZyXEL ZyWALL USG 50 | User Manual - Page 342
    can manually force them to re-register. FTP File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts handle voice data transfer. See RFC 1889 for details on RTP. 342 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 343
    Can Do in this Chapter • Use the Summary and Edit screens (Section 20.2 on page 344) to bind IP addresses to MAC addresses. • Use the Exempt List screen (Section 20.3 on page 347) to configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding. ZyWALL USG 50 User's Guide 343
  • ZyXEL ZyWALL USG 50 | User Manual - Page 344
    ZyWALL's dynamic and static DHCP entries. Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface's configuration screen. 20.2 IP
  • ZyXEL ZyWALL USG 50 | User Manual - Page 345
    to make sure only the intended users get to use specific IP addresses. Enable Logs for IP/MAC Binding Violation Select this option to have the ZyWALL generate a log if a device connected to this interface attempts to use an IP address not assigned by the ZyWALL. ZyWALL USG 50 User's Guide 345
  • ZyXEL ZyWALL USG 50 | User Manual - Page 346
    the ZyWALL assigns the entry's IP address. Description This helps identify the entry. OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving. 20.2.2 Static DHCP Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/ MAC
  • ZyXEL ZyWALL USG 50 | User Manual - Page 347
    Binding Table 99 Configuration > Network > IP/MAC Binding > Edit > Add (continued) LABEL DESCRIPTION MAC Address Enter the MAC address of the device to which the ZyWALL assigns the entry's IP address. Description Enter up to 64 printable ASCII characters to help identify the entry. For example
  • ZyXEL ZyWALL USG 50 | User Manual - Page 348
    Chapter 20 IP/MAC Binding 348 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 349
    the endpoint security check and is denied access. Figure 210 Authentication Policy Using Endpoint Security 21.1.1 What You Can Do in this Chapter Use the Configuration > Auth. Policy screens (Section 21.2 on page 350) to create and manage authentication policies. ZyWALL USG 50 User's Guide 349
  • ZyXEL ZyWALL USG 50 | User Manual - Page 350
    again. Finding Out More See Section 7.7 on page 133 for an example of how to use endpoint security and authentication policies. 21.2 Authentication Policy Screen The Authentication Policy screen displays the authentication policies you have configured on the ZyWALL. 350 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 351
    Chapter 21 Authentication Policy Click Configuration > Auth. Policy to display the screen. Figure 211 Configuration > Auth. Policy ZyWALL USG 50 User's Guide 351
  • ZyXEL ZyWALL USG 50 | User Manual - Page 352
    IP addresses. Figure 212 Configuration > Auth. Policy > Add Exceptional Service 352 Authentication Policy Summary Add Edit Remove Activate Inactivate Move In the table, select one or more entries and click Remove to delete it or them. Use this table to manage the ZyWALL ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 353
    to return the screen to its last-saved settings. 21.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy. ZyWALL USG 50 User's Guide 353
  • ZyXEL ZyWALL USG 50 | User Manual - Page 354
    is any and not configurable for the default policy. Destination Address Select a destination address or address group for whom this policy applies. Select any if the policy is effective for every destination. This is any and not configurable for the default policy. 354 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 355
    manually go to the login screen. The ZyWALL will not redirect them to the login screen. Log This field is available for the default policy. Select whether to have the ZyWALL to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving. ZyWALL USG 50 User's Guide 355
  • ZyXEL ZyWALL USG 50 | User Manual - Page 356
    Chapter 21 Authentication Policy 356 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 357
    (Section 22.2 on page 365) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules. • Use the Session Limit screens (see Section 22.3 on page 370) to limit the number of concurrent NAT/firewall sessions a client can use. ZyWALL USG 50 User's Guide 357
  • ZyXEL ZyWALL USG 50 | User Manual - Page 358
    interfaces or VPN tunnels that are not assigned to a zone (extra-zone traffic). To-ZyWALL Rules Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default: • The firewall allows only LAN, or WAN computers to access or manage the ZyWALL. 358 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 359
    on page 675 for more information about service control (remote management). The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL. You can configure a To-ZyWALL firewall rule (with From Any To ZyWALL direction) for traffic from an interface which
  • ZyXEL ZyWALL USG 50 | User Manual - Page 360
    users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need 360 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 361
    sure that the CEO's computer always uses the same IP address, make sure it either: • Has a static IP address, or • You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 268 for information on DHCP). ZyWALL USG 50 User's Guide 361
  • ZyXEL ZyWALL USG 50 | User Manual - Page 362
    address. Your firewall would have the following configuration. Table 106 Limited LAN1 to WAN IRC Traffic Example 2
    # | USER | SOURCE | DESTINATION | SCHEDULE | SERVICE | ACTION
    1 | CEO | Any | Any | Any | IRC | Allow
    2 | Any | Any | Any | Any | IRC | Deny
    3 | Any | Any | Any | Any | Any | Allow
    ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 363
    Example: Firewall Screen 2 At the top of the screen, click Create new Object > Address. 3 The screen for configuring an address object opens. Configure it as follows and click OK. Figure 218 Firewall Example: Create an Address Object 4 Click Create new Object > Service. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 364
    the name of the firewall rule. 8 Select Dest_1 is selected for the Destination and Doom is selected as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. Figure 220 Firewall Example: Edit a Firewall Rule 364 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 365
    steps and figure describe such a scenario. 1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN. 2 The ZyWALL reroutes the packet to gateway A, which is in Subnet 2. 3 The reply from the WAN goes to the ZyWALL. ZyWALL USG 50 User's Guide 365
  • ZyXEL ZyWALL USG 50 | User Manual - Page 366
    rules. So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination. See Section 7.9 on page 139 for an example. 366 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 367
    screen. Table 107 Configuration > Firewall LABEL DESCRIPTION General Settings Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control when the firewall is activated. Allow Asymmetrical Route If an alternate gateway on the LAN has an IP address in
  • ZyXEL ZyWALL USG 50 | User Manual - Page 368
    at all times if enabled. This is the user name or user group name to which this firewall rule applies. This displays the source address object to which this firewall rule applies. This displays the destination address object to which this firewall rule applies. 368 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 369
    . Enable Select this check box to activate the firewall rule. From To For through-ZyWALL rules, select the direction of travel of packets to which the rule applies. any means all interfaces or VPN tunnels. ZyWALL means packets destined for the ZyWALL itself. ZyWALL USG 50 User's Guide 369
  • ZyXEL ZyWALL USG 50 | User Manual - Page 370
    . 22.3 The Session Limit Screen Click Configuration > Firewall > Session Limit to display the Firewall Session Limit screen. Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and 370 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 371
    screen. Table 109 Configuration > Firewall > Session Limit LABEL DESCRIPTION General Settings Enable Session Select this check box to control the number of concurrent sessions hosts limit can have. Default Session Use this field to set a common limit to the number of concurrent NAT/ per
  • ZyXEL ZyWALL USG 50 | User Manual - Page 372
    Use to configure any new settings objects that you need to use in this screen. Enable Rule Select this check box to turn on this session limit rule. Description Enter information to help you identify this rule. Use up to 64 printable ASCII characters. Spaces are allowed. 372 ZyWALL USG 50 User
  • ZyXEL ZyWALL USG 50 | User Manual - Page 373
    can have. For this rule's users and addresses, this setting overrides the Default Session per Host setting in the general Firewall Session Limit screen. Click OK to save your customized settings and exit this screen. Click Cancel to exit this screen without saving. ZyWALL USG 50 User's Guide 373
  • ZyXEL ZyWALL USG 50 | User Manual - Page 374
    Chapter 22 Firewall 374 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 375
    specify which VPN gateway a VPN connection policy uses and which devices (behind the IPSec routers) can use the VPN tunnel and the IPSec SA settings (phase 2 settings). You can also activate / deactivate and connect / disconnect each VPN connection (each IPSec SA). ZyWALL USG 50 User's Guide 375
  • ZyXEL ZyWALL USG 50 | User Manual - Page 376
    same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first. 376 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 377
    to configure your VPN connection settings. Table 111 IPSec VPN Application Scenarios SITE-TO-SITE SITE-TO-SITE WITH REMOTE ACCESS DYNAMIC PEER (SERVER ROLE) REMOTE ACCESS (CLIENT ROLE) Choose this if the remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate
  • ZyXEL ZyWALL USG 50 | User Manual - Page 378
    VPN to open the VPN Connection screen. The VPN Connection screen lists the VPN connection policies and their associated VPN gateway(s), and various settings. In addition, it also lets you activate / deactivate and connect / disconnect each VPN connection (each IPSec 378 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 379
    Table 112 Configuration > VPN > IPSec VPN > VPN Connection LABEL DESCRIPTION Use Policy Route to control dynamic IPSec rules Select this to be able to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes. The ZyWALL
  • ZyXEL ZyWALL USG 50 | User Manual - Page 380
    To access this screen, go to the Configuration > VPN Connection screen (see Section 23.2 on page 378), and click either the Add icon or an Edit icon. If you click the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears. 380 ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 381
    Chapter 23 IPSec VPN Figure 230 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) ZyWALL USG 50 User's Guide 381
  • ZyXEL ZyWALL USG 50 | User Manual - Page 382
    this if the remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel. Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel. Remote Access (Server Role
  • ZyXEL ZyWALL USG 50 | User Manual - Page 383
    free access between the local and remote networks. Selecting this restricts who can use the VPN tunnel. The ZyWALL drops traffic with source and destination IP addresses that do not match the local and remote policy. Phase 2 Settings SA Life Time Type the maximum number of seconds the IPSec SA
  • ZyXEL ZyWALL USG 50 | User Manual - Page 384
    (PFS) The ZyWALL and the remote IPSec router must both have a proposal that uses the same authentication algorithm. Select whether or not you want to enable Perfect Forward Secrecy (PFS) and, if you do, which Diffie-Hellman key group to use for encryption. Choices are: none - disable PFS DH1
  • ZyXEL ZyWALL USG 50 | User Manual - Page 385
    23 IPSec VPN Table 113 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued) LABEL DESCRIPTION Check Method Select how the ZyWALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyWALL regularly ping the address you
  • ZyXEL ZyWALL USG 50 | User Manual - Page 386
    port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range. OK Click OK to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen. 386 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 387
    . See Section 23.2 on page 378 for descriptions of the other fields. Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key LABEL DESCRIPTION Manual Key My Address Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid. ZyWALL USG 50 User's Guide 387
  • ZyXEL ZyWALL USG 50 | User Manual - Page 388
    Chapter 23 IPSec VPN Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued) LABEL DESCRIPTION Secure Gateway Address Type the IP address of the remote IPSec router in the IPSec SA. SPI Type a unique SPI (Security Parameter Index) between 256 and 4095. The
  • ZyXEL ZyWALL USG 50 | User Manual - Page 389
    . For example, if you enter 12345678901234567890 for an MD5 authentication key, the ZyWALL only uses 1234567890123456. The ZyWALL still stores the longer key. Click OK to save your settings and exit this screen. Click Cancel to exit this screen without saving.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 390
    the VPN gateway My address This field displays the interface or a domain name the ZyWALL uses for the VPN gateway. Secure Gateway This field displays the IP address(es) of the remote IPSec routers. VPN Connection This field displays VPN connections that use this VPN gateway. ZyWALL USG 50 User
  • ZyXEL ZyWALL USG 50 | User Manual - Page 391
    Chapter 23 IPSec VPN Table 115 Configuration > VPN > IPSec VPN > VPN Gateway (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 23.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/
  • ZyXEL ZyWALL USG 50 | User Manual - Page 392
    configuration fields. General Settings VPN Gateway Name Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Gateway Settings ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 393
    For example, "0x0123456789ABCDEF" is in hexadecimal format; "0123456789ABCDEF" is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs. The ZyWALL and remote IPSec router must use the same pre-shared key.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 394
    the Local ID Type. IP - type an IP address; if you type 0.0.0.0, the ZyWALL uses the IP address specified in the My Address field. This is not recommended in the following situations: • There is a NAT router between the ZyWALL and remote IPSec router. • You want the remote IPSec router to be able to
  • ZyXEL ZyWALL USG 50 | User Manual - Page 395
    23 IPSec VPN Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Peer ID Type Select which type of identification is used to identify the remote IPSec router during authentication. Choices are: IP - the remote IPSec router is identified by an IP address
  • ZyXEL ZyWALL USG 50 | User Manual - Page 396
    This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the ZyWALL and remote IPSec router do not use certificates, IP - type an IP address; see the note at the end of this description
  • ZyXEL ZyWALL USG 50 | User Manual - Page 397
    Chapter 23 IPSec VPN Table 116 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued) LABEL DESCRIPTION Negotiation Mode Select the negotiation mode to use to negotiate the IKE SA. Choices are Main - this encrypts the ZyWALL's and remote IPSec router's identities but takes more time
  • ZyXEL ZyWALL USG 50 | User Manual - Page 398
    are one or more NAT routers between the ZyWALL and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature. Dead Peer Detection (DPD) The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward packets with UDP port 500 and UDP
  • ZyXEL ZyWALL USG 50 | User Manual - Page 399
    IP address of a port or interface, as well. You can also specify the IP address of the remote IPSec router as 0.0.0.0. This means that the remote IPSec router can have any IP address. In this case, only the remote IPSec router can initiate an IKE SA because the ZyWALL does not know the IP address
  • ZyXEL ZyWALL USG 50 | User Manual - Page 400
    Hellman (DH) Key Exchange on page 400 for more information about DH key groups. Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption 400 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 401
    content You have to create (and distribute) a pre-shared key. The ZyWALL and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged. Note: The ZyWALL and the remote IPSec router must use the same pre-shared key. ZyWALL USG 50 User's Guide 401
  • ZyXEL ZyWALL USG 50 | User Manual - Page 402
    In contrast, in Table 118 on page 402, the ZyWALL and the remote IPSec router cannot authenticate each other and, therefore, cannot establish an IKE SA. Table 117 VPN Example: Matching ID Type and Content ZYWALL REMOTE IPSEC ROUTER Local ID type: E-mail Local ID type: IP Local ID content: tom
  • ZyXEL ZyWALL USG 50 | User Manual - Page 403
    for authentication. For example, the remote IPSec router may be a telecommuter who does not have a static IP address. VPN, NAT, and NAT Traversal In the following example, there is another router (A) between router X and router Y. Figure 237 VPN/NAT Example (routers X, A and Y)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 404
    packets. If you configure router A to forward these packets unchanged, router X and router Y can establish a VPN tunnel. You have to do the following things to set up NAT traversal. • Enable NAT traversal on the ZyWALL and remote IPSec router. • Configure the NAT router to forward packets with the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 405
    , AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The ZyWALL and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. ZyWALL USG 50 User's Guide 405
  • ZyXEL ZyWALL USG 50 | User Manual - Page 406
    remote IPSec router (for example, for remote management), not between computers on the local and remote networks. Note: The ZyWALL and remote IPSec router must use the same encapsulation. These modes are illustrated below. Figure 238 VPN: Transport and Tunnel Mode Encapsulation Original Packet IP
  • ZyXEL ZyWALL USG 50 | User Manual - Page 407
    up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not
  • ZyXEL ZyWALL USG 50 | User Manual - Page 408
    remote IPSec router may not route messages for computer M through the IPSec SA because computer M's IP address is not part of its local policy. To set up this NAT, you have to specify the following information: • Source - the original source address; most likely, computer M's network. ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 409
    destination address; in Figure 239 on page 408, the IP address of the mail server in the local network (A). • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size. ZyWALL USG 50 User's Guide 409
  • ZyXEL ZyWALL USG 50 | User Manual - Page 410
    Chapter 23 IPSec VPN 410 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 411
    configure SSL access policies. • Use the VPN > SSL VPN > Global Setting screen (see Section 24.3 on page 416) to set the IP address of the ZyWALL (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user
  • ZyXEL ZyWALL USG 50 | User Manual - Page 412
    . • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. SSL Access Policy Objects The SSL access policies reference the following objects. If you update this information, in response to changes, the ZyWALL automatically propagates the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 413
    displays the user account or user group name(s) associated to an SSL access policy. Access Policy Summary This field displays up to three names. This field displays details about the SSL application object this policy uses including its name, type, and address. ZyWALL USG 50 User's Guide 413
  • ZyXEL ZyWALL USG 50 | User Manual - Page 414
    . Reset Click Reset to discard all changes. 24.2.1 The SSL Access Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. Figure 242 VPN > SSL VPN > Access Privilege > Add/Edit 414 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 415
    and down arrows to change its position in the list. To make the endpoint security check as efficient as possible, arrange the endpoint security objects in order with the one that the most users should match first and the one that the least users should match last.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 416
    to discard all changes and return to the main Access Privilege screen. 24.3 The SSL Global Setting Screen Click VPN > SSL VPN and click the Global Setting tab to display the following screen. Use this screen to set the IP address of the ZyWALL (or a gateway device) 416 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 417
    use for SSL VPN login. The domain name must be registered to one of the ZyWALL's IP addresses or be one of the ZyWALL's DDNS entries. You can specify up to two domain names so you could use one domain name for each of two WAN ports. Do not include the host. For example, www.zyxel.com is a fully
  • ZyXEL ZyWALL USG 50 | User Manual - Page 418
    Upload to transfer the specified graphic file from your computer to the ZyWALL. Click Reset Logo to Default to display the ZyXEL company logo on the remote user's web browser. Click Apply to save the changes and/or start the logo file upload process. Click Reset to return the screen to its last
  • ZyXEL ZyWALL USG 50 | User Manual - Page 419
    the ZyWALL login screen's SSL VPN button to establish an SSL VPN connection. See the User's Guide Section 25.2 on page 422 for details. 1 Display the ZyWALL's login screen and enter your user account information (the user name and password). Click SSL VPN. Figure 245 Login Screen ZyWALL USG 50 User
  • ZyXEL ZyWALL USG 50 | User Manual - Page 420
    user account is not set up for SSL VPN access, an "SSL VPN connection is not activated" message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again. For more information on user portal screens, refer to Chapter 25 on page 421. 420 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 421
    the ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if you were on the local network. See Chapter 27 on page 433 for more on the ZyWALL SecuExtender. ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 422
    845 for more information. Finding Out More See Chapter 24 on page 411 for how to configure SSL VPN on the ZyWALL. 25.2 Remote User Login This section shows you how to access and log into the network through the ZyWALL. Example screens for Internet Explorer are shown. 422 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 423
    . Enter the user name and password of your login account. If a token password is also required, enter it in the One-Time Password field. 4 Click SSL VPN to log in and establish an SSL VPN connection to the network to access network resources. Figure 250 Login Screen ZyWALL USG 50 User's Guide 423
  • ZyXEL ZyWALL USG 50 | User Manual - Page 424
    click OK, Yes or Continue. Figure 251 Java Needed Message 6 The ZyWALL tries to install the SecuExtender client. As shown next, you may have to click some pop-ups to get your browser to allow the installation. Figure 252 ActiveX Object Installation Blocked by Browser 424 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 425
    need to click something to get your browser to allow this. In Internet Explorer, click Run. Figure 254 SecuExtender Progress 9 Click Next to use the setup wizard to install the SecuExtender client on your computer. Figure 255 SecuExtender Progress ZyWALL USG 50 User's Guide 425
  • ZyXEL ZyWALL USG 50 | User Manual - Page 426
    256 Hardware Installation Warning 11 The Application screen displays showing the list of resources available to you. See Figure 257 on page 427 for a screen example. Note: Available resource links vary depending on the configuration your network administrator made. 426 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 427
    this icon to display the on-line help window. 5 Select your preferred language for the interface. 6 This part of the screen displays a list of the resources available to you. In the Application screen, click on a link to access or display the access method. ZyWALL USG 50 User's Guide 427
  • ZyXEL ZyWALL USG 50 | User Manual - Page 428
    25.5 Logging Out of the SSL VPN User Screens To properly terminate a connection, click on the Logout icon in any remote user screen. 1 Click the Logout icon in any remote user screen. 2 A prompt window displays. Click OK to continue. Figure 259 Logout: Prompt 428 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 429
    Chapter 25 SSL User Screens 3 An information screen displays to indicate that the SSL VPN connection is about to terminate. Figure 260 Logout: Connection Termination Progress ZyWALL USG 50 User's Guide 429
  • ZyXEL ZyWALL USG 50 | User Manual - Page 430
    Chapter 25 SSL User Screens 430 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 431
    displays whether the application supports Virtual Network Computing (VNC) or Remote Desktop Protocol (RDP). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. Figure 261 Application ZyWALL USG 50 User's Guide 431
  • ZyXEL ZyWALL USG 50 | User Manual - Page 432
    Chapter 26 SSL User Application Screens 432 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 433
    The ZyWALL automatically loads the ZyWALL SecuExtender client program to your computer after a successful login. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as if you were on the local network. • Use applications like e-mail, file transfer, and remote desktop
  • ZyXEL ZyWALL USG 50 | User Manual - Page 434
    server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. These are the networks (including netmask) that you can access through the SSL VPN connection. This is how long the computer has been connected to the SSL VPN tunnel. ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 435
    through the SSL VPN connection. 27.3 View Log If you have problems with the ZyWALL SecuExtender, customer support may request you to provide information from the log. Right-click the ZyWALL SecuExtender icon in the system tray and select Log to open a notepad file of the ZyWALL SecuExtender's log
  • ZyXEL ZyWALL USG 50 | User Manual - Page 436
    . 1 Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall. 2 In the confirmation screen, click Yes. Figure 265 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender. Figure 266 ZyWALL SecuExtender Uninstallation 436 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 437
    see Section 28.4 on page 456) to control what the ZyWALL does when it does not recognize the application, and it identifies the conditions that refine this. It also lets you open the Other Configuration Add/ Edit screen to create new conditions or edit existing ones. ZyWALL USG 50 User's Guide 437
  • ZyXEL ZyWALL USG 50 | User Manual - Page 438
    the ZyWALL identifies a lot of "false positives" for a particular application. Custom Ports for SIP and the SIP ALG Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP ALG (see Chapter 19 on page 335) to use the same port 438 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 439
    , that is from which zone the connection was initiated and to which zone the connection is going. A connection has outbound and inbound packet flows. The ZyWALL controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel. ZyWALL USG 50 User's Guide 439
  • ZyXEL ZyWALL USG 50 | User Manual - Page 440
    a LAN1 to WAN policy for example. • Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN1 so outbound means the traffic traveling from the LAN1 to the WAN. Each of the WAN zone's two interfaces can send the limit of 200 kbps of traffic. 440 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 441
    bandwidth. Bandwidth Management Behavior The following sections show how bandwidth management behaves with various settings. For example, you configure DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum ZyWALL USG 50 User's Guide 441
  • ZyXEL ZyWALL USG 50 | User Manual - Page 442
    of 300 kbps and server B gets its configured rate of 200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kbps for each). The priority has no effect on how much of the unused bandwidth each server gets. 442 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 443
    Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps. Table 127 Maximize Bandwidth Usage Effect POLICY CONFIGURED sections give some simplified examples of using application patrol policies to manage applications competing for that ZyWALL USG 50 User's Guide 443
  • ZyXEL ZyWALL USG 50 | User Manual - Page 444
    (to the LAN and DMZ from the WAN) is also limited to 200 kbps. The ZyWALL applies this limit before sending the traffic to LAN or DMZ. • Highest priority (1). Set policies for other applications to lower priorities so the SIP traffic always gets the best treatment. 444 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 445
    lower priorities so the local users' HTTP traffic gets sent before non-SIP traffic. • Enable maximize bandwidth usage so the HTTP traffic can borrow unused bandwidth. Figure 272 HTTP Any to WAN Bandwidth Management Example (Outbound: 200 kbps; Inbound: 500 kbps)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 446
    28.1.3.5 FTP WAN to DMZ Bandwidth Management Example • ADSL supports more downstream than upstream so you allow remote users 300 kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for downloads (inbound). • Third highest priority (3). • Disable maximize bandwidth usage since you do
  • ZyXEL ZyWALL USG 50 | User Manual - Page 447
    setting to have individual policy routes or application patrol policies apply bandwidth management. This same setting also appears in the Network > Routing > Policy Route screen. Enabling or disabling it in one screen also enables or disables it in the other screen. ZyWALL USG 50 User's Guide 447
  • ZyXEL ZyWALL USG 50 | User Manual - Page 448
    application patrol Common, Instant Messenger, Peer to Peer, VoIP, or Streaming screen to manage traffic of individual applications. Use the Common screen (shown here as an example) to manage traffic of the most commonly used web, file transfer and e-mail protocols. 448 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 449
    is inactive. Service This field displays the name of the application. Default Access This field displays what the ZyWALL does with packets for this application. Choices are: forward, drop, and reject. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 450
    This is available if the Classification is Service Ports. You can view and edit the list of ports used to identify this application. Click this to create a new entry. Select an entry and click this to be able to modify it. Select an entry and click this to delete it. 450 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 451
    the source address or address group for whom this policy applies. If any displays, the policy is effective for every source. This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. ZyWALL USG 50 User's Guide 451
  • ZyXEL ZyWALL USG 50 | User Manual - Page 452
    automatically treated as being set to the lowest priority (7) regardless of this field's configuration. Log This field shows whether the ZyWALL generates a log (log), a log and alert (log alert) or neither (no) when the application's traffic matches this policy. 452 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 453
    that you need to use in this screen. Enable Policy Select this check box to turn on this policy for the application. Port Use this field to specify a specific port number to which to apply this policy. Type zero, if this policy applies for every port number. ZyWALL USG 50 User's Guide 453
  • ZyXEL ZyWALL USG 50 | User Manual - Page 454
    classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 293 for more details. Select preserve to have the ZyWALL keep the packets' original DSCP value. Select default to have the ZyWALL set the DSCP value of the packets to 0. 454 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 455
    files. Configure these fields to set the amount of bandwidth the application can use. These fields only apply when Access is set to forward. Inbound kbps You must also enable bandwidth management in if higher priority traffic uses all of the actual bandwidth. ZyWALL USG 50 User's Guide 455
  • ZyXEL ZyWALL USG 50 | User Manual - Page 456
    , similar to the sequence of rules used by firewalls, to specify what the ZyWALL should do more precisely. You can also control the bandwidth used by these other applications. This screen also allows you to add, edit, and remove conditions to this default policy.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 457
    of the traffic to which this policy applies. This is the destination zone of the traffic to which this policy applies. This is the source address or address group for whom this policy applies. If any displays, the policy is effective for every source. ZyWALL USG 50 User's Guide 457
  • ZyXEL ZyWALL USG 50 | User Manual - Page 458
    bandwidth before traffic with a lower priority. The ZyWALL ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field's configuration. 458 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 459
    configure any new settings objects that you need to use in this screen. Enable Select this check box to turn on this policy. Port Use this field to specify a specific port number to which to apply this policy. Type zero, if this policy applies for every port number. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 460
    the packets' original DSCP value. Bandwidth Management Select default to have the ZyWALL set the DSCP value of the packets to 0. Configure these fields to set the amount of bandwidth the application can use. These fields only apply when Access is set to forward. 460 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 461
    enabled. Log This field controls what kind of record the ZyWALL creates when traffic matches this policy. See Chapter 46 on page 723 for more on logs. no - the ZyWALL does not record anything log - the ZyWALL creates a record in the log log alert - the ZyWALL creates an alert ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 462
    Chapter 28 Application Patrol Table 134 AppPatrol > Other > Edit (continued) LABEL DESCRIPTION OK Click OK to save your changes back to the ZyWALL. Cancel Click Cancel to exit this screen without saving your changes. 462 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 463
    . • Use the Black/White List screen (Section 29.3 on page 471) to set up antivirus black (blocked) and white (allowed) lists of virus file patterns. • Use the Signature screen (Section 29.6 on page 474) to search signatures to get more information about signatures. ZyWALL USG 50 User's Guide 463
  • ZyXEL ZyWALL USG 50 | User Manual - Page 464
    virus scanning process on the ZyWALL. 1 The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through standard ports. 2 If the packets are not session connection setup packets (such as SYN, ACK and FIN), the ZyWALL records the sequence of the packets. 464 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 465
    the changed settings). 4 The ZyWALL does not scan the following file/traffic types: • Simultaneous downloads of a file using multiple connections. For example, when you use FlashGet to download sections of a file simultaneously. • Encrypted traffic. This could be password-protected files or VPN
  • ZyXEL ZyWALL USG 50 | User Manual - Page 466
    or lesser number of configuration fields. Enable AntiVirus and AntiSpyware Select this check box to check traffic for viruses and spyware. The following table lists policies that define which traffic the ZyWALL scans and the action it takes upon finding a virus. 466 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 467
    Status IMAP4 applies to traffic using TCP port 143. The following fields display information about the current state of your subscription for virus signatures. This field displays whether a service is activated (Licensed) or not (Not Licensed) or expired (Expired). ZyWALL USG 50 User's Guide 467
  • ZyXEL ZyWALL USG 50 | User Manual - Page 468
    the date and time the set was released. Update Signatures Click this link to go to the screen you can use to download signatures from the update server. Apply Click Apply to save your changes. Reset Click Reset to return the screen to its last-saved settings. 468 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 469
    to traffic using TCP ports 80, 8080 and 3128. FTP applies to traffic using the TCP port number specified for FTP in the ALG screen. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110. IMAP4 applies to traffic using TCP port 143. ZyWALL USG 50 User's Guide 469
  • ZyXEL ZyWALL USG 50 | User Manual - Page 470
    (the file does not have to have a "zip" or "rar" file extension). The ZyWALL first decompresses the ZIP file and then scans the contents for viruses. Note: The ZyWALL decompresses a ZIP file once. The ZyWALL does NOT decompress any ZIP file(s) within a ZIP file. 470 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 471
    black (blocked) list of virus file patterns. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 284 Configuration > Anti-X > Anti-Virus > Black/White List > Black List ZyWALL USG 50 User's Guide 471
  • ZyXEL ZyWALL USG 50 | User Manual - Page 472
    a file pattern that should cause the ZyWALL to log and delete a file. • For a white list entry, enter a file pattern that should cause the ZyWALL to allow a file. Figure 285 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or White List) > Add 472 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 473
    changes. 29.5 Anti-Virus White List Click Configuration > Anti-X > Anti-Virus > Black/White List > White List to display the screen shown next. Use the Black/White List screen to set up Anti-Virus black (blocked) and white (allowed) lists of virus file patterns. Click a ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 474
    Click Apply to save your changes. Click Reset to return the screen to its last-saved settings. 29.6 Signature Searching Click Configuration > Anti-X > Anti-Virus > Signature to display this screen. Use this screen to locate signatures and display details about them. 474 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 475
    becoming unresponsive, just click No to continue. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 287 Configuration > Anti-X > Anti-Virus > Signature: Search by Severity ZyWALL USG 50 User's Guide 475
  • ZyXEL ZyWALL USG 50 | User Manual - Page 476
    Anti-Virus The following table describes the labels in this screen. Table 140 Configuration > Anti-X > ZyWALL search the signatures based on your specified criteria. Click Export to have the ZyWALL save all of the anti-virus signatures to your computer in a .txt file 476 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 477
    of infected networked computers can grow exponentially. Types of Anti-Virus Scanner The section describes two types of anti-virus scanner: host-based and network-based.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 478
    -virus (HAV) scanner is often software installed on computers and/or servers in the network. It inspects files for virus patterns as they are moved reduce computing loading on computers as the read-time data traffic inspection is done on a dedicated security device. 478 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 479
    -X > IDP > Custom change the action in the profile screens. Packet inspection signatures examine OSI (Open ZyWALL interfaces and VPN connections used for configuring security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 480
    as new signatures are created as new attacks evolve. When the trial subscription expires, purchase and enter a license key using the same screens to continue the subscription. • Configure zones on the ZyWALL - see Chapter 15 on page 311 for more information.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 481
    packet inspection signatures. If you don't have a standard license, you can register for a once-off trial one. Policies Use this list to specify which IDP profile the ZyWALL uses for traffic flowing in a specific direction. Edit the policies directly in the table.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 482
    , Not Licensed or Expired indicates whether you have subscribed for IDP services or not or your registration has expired. This field shows Trial, Standard or None depending on whether you subscribed to the IDP trial, bought an iCard for IDP service or neither.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 483
    subscribe for IDP service in order to be able to download new signatures. In general, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior (see Section 31.1 on page 513 for information on anomaly detection).
  • ZyXEL ZyWALL USG 50 | User Manual - Page 484
    Configuration > Anti-X > IDP > Profile screen, click Add to display the following screen. Figure 289 Base Profiles The following table describes this screen. Table 143 Base Profiles BASE PROFILE DESCRIPTION none All signatures are disabled (one) are disabled.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 485
    . Table 144 Configuration > Anti-X > IDP > Profile LABEL DESCRIPTION Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. # This is the entry's index number in the list.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 486
    opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue. 3 Type a new profile name 4 Enable or disable individual signatures. 5 Edit the default log options and actions.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 487
    select. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer-4 to layer-7. 30.6.1 Profile > Group View Screen Figure 291 Configuration > Anti-X > IDP > Profile > Edit: Group View
  • ZyXEL ZyWALL USG 50 | User Manual - Page 488
    service group to have the ZyWALL create a log when a packet matches a signature(s). log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s).
  • ZyXEL ZyWALL USG 50 | User Manual - Page 489
    or attacks that could be false alarms. Policy Type Very Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. This is the attack type as defined on the ZyWALL. See Table 146 on page 490 for a description of each type.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 490
    is not to steal information, but to disable a device or network on the Internet. A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 491
    on web servers such as IIS (Internet Information Services). 30.6.3 IDP Service Groups An IDP service group is a set of related packet inspection signatures. Table 147 IDP Service Groups: WEB_PHP, WEB_CGI, WEB_MISC, WEB_ATTACKS, WEB_IIS, TFTP, WEB_FRONTPAGE, TELNET
  • ZyXEL ZyWALL USG 50 | User Manual - Page 492
    apply to all signatures within that group. If you select original setting for service group logs and/or actions, all signatures within that group are returned to their last-saved settings. Figure 292 Configuration > Anti-X > IDP > Profile > Edit > IDP Service Group
  • ZyXEL ZyWALL USG 50 | User Manual - Page 493
    service category, log options or actions. Figure 293 Configuration > Anti-X > IDP > Profile: Query View The following table describes the fields specific to this screen's query view. Table 148 Configuration > Anti-X > IDP the ID of the signature(s) you want to find.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 494
    page without saving any changes. Click Save to save the configuration to the ZyWALL, but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 495
    30.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attack Type: DDoS • Platform: Windows 2000 and Windows XP computers • Service: Any
  • ZyXEL ZyWALL USG 50 | User Manual - Page 496
    • Actions: Any Figure 294 Query Example Search Criteria Figure 295 Query Example Search Results
  • ZyXEL ZyWALL USG 50 | User Manual - Page 497
    during reassembly of fragmented datagrams. Flags Flags are used to control whether routers are allowed to fragment a packet and to indicate the parts of a packet to the receiver. Fragment Offset This is a byte count from the start of the original sent packet.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 498
    router record its IP address and time), End of IP List and No IP Options. Padding Padding is used as a filler to ensure that the IP packet is a multiple of 32 bits. 30.8 Configuring Custom Signatures Select Configuration > Anti-X > IDP save them to your computer.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 499
    then the ZyWALL will reject-both. Figure 297 Configuration > Anti-X > IDP > Custom Signatures The following table describes the fields in this screen. Table 150 Configuration > Anti-X > IDP > Custom the signature and the type of attack it is supposed to prevent.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 500
    in the screen as shown in Figure 297 on page 499. A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), the fewer false positives the signature will trigger.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 501
    Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 298 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit
  • ZyXEL ZyWALL USG 50 | User Manual - Page 502
    router is an example of a network device. Service Select the IDP service group that the intrusion exploits or targets. See Table 147 on page 491 for a list of IDP service Protocol Configure signatures for IP version 4. Type Of Service Type of service in an IP header
  • ZyXEL ZyWALL USG 50 | User Manual - Page 503
    destination IP addresses. Transport Protocol The following fields vary depending on whether you choose TCP, UDP or ICMP. Transport Protocol: TCP Port Select the check box and then enter the source and destination TCP port numbers that will trigger this signature.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 504
    IDP Table 151 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION Flow If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers and destination UDP port numbers that will
  • ZyXEL ZyWALL USG 50 | User Manual - Page 505
    , such as %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer. For example, the URI: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver will get normalized into: /winnt/system32/cmd.exe?/c+ver
  • ZyXEL ZyWALL USG 50 | User Manual - Page 506
    information about the attack as you can. The more specific your signature, the less chance it will cause false positives. As an example, say you want to check if your router is being overloaded with DNS queries so you create a signature to detect DNS query traffic.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 507
    30.8.2.2 Analyze Packets Use the packet capture screen (see Section 48.3 on that the protocol is UDP and the port is 53. The type of DNS packet is standard query and the Flag is 0x0100 with an offset of 2. Therefore enter |010| as the first pattern.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 508
    Custom Signature 30.8.3 Applying Custom Signatures After you create your custom signature, it becomes available in the IDP service group category in the Configuration > Anti-X > IDP > Profile > Edit screen. Custom signatures have an SID from 9000000 to 9999999.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 509
    are configured to generate a log and alert. All IDP signatures come under the IDP category. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 510
    as log them. Disadvantages of host IDPs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 511
    are some equivalent Snort terms in the ZyWALL. Table 152 ZyWALL - Snort Equivalent Terms (ZyWALL term: Snort equivalent term): Type Of Service: tos; Identification: id; Fragmentation: fragbits; Fragmentation Offset: fragoffset; Time to Live: ttl; IP Options: ipopts
  • ZyXEL ZyWALL USG 50 | User Manual - Page 512
    (Snort rule options) Payload Size: dsize; Offset (relative to start of payload): offset; Relative to end of last match: distance; Content: content; Case-insensitive: nocase; Decode as URI: uricontent. Note: Not all Snort functionality is supported in the ZyWALL.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 513
    . 31.1.3 What You Need To Know Traffic Anomalies Traffic anomaly rules look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly rules may be updated when you upload new firmware.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 514
    for IDP information. • See Section 30.1.2 on page 479 for IDP-related term definitions. • See Section 31.4 on page 525 for background information on these screens. 31.1.4 Before You Begin Configure the ZyWALL's zones - see Chapter 15 on page 311 for more information.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 515
    Configuration > Anti-X > ADP > General The following table describes the labels in this screen. Table 153 Configuration > Anti-X > ADP > General LABEL DESCRIPTION General Settings Enable and click Inactivate. Move To change an entry's position in the numbered
  • ZyXEL ZyWALL USG 50 | User Manual - Page 516
    Click Apply to save your changes. Reset Click Reset to return the screen to its last-saved settings. 31.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing profile • Delete an existing profile
  • ZyXEL ZyWALL USG 50 | User Manual - Page 517
    them. OK Click OK to save your changes. Cancel Click Cancel to exit this screen without saving your changes. 31.3.2 Configuring The ADP Profile Summary Screen Select Configuration > Anti-X > ADP > Profile. Figure 305 Configuration > Anti-X > ADP > Profile
  • ZyXEL ZyWALL USG 50 | User Manual - Page 518
    in an ADP profile. Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the Add icon and choose a base profile. If you made changes to other screens
  • ZyXEL ZyWALL USG 50 | User Manual - Page 519
    belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. Figure 306 Profiles: Traffic Anomaly
  • ZyXEL ZyWALL USG 50 | User Manual - Page 520
    # Status block: The ZyWALL silently drops packets that match the rule. Neither sender nor receiver is notified. This is the entry's index number in the list. The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 521
    Table 156 Configuration > ADP > Profile > Traffic Anomaly (continued) LABEL tab. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 522
    Figure 307 Profiles: Protocol Anomaly
  • ZyXEL ZyWALL USG 50 | User Manual - Page 523
    The following table describes the fields in this screen. Table 157 Configuration > ADP > Profile > ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 46 on page 723 for more on logs.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 524
    723 for more on logs. Select what the ZyWALL should do when a packet matches a rule. none: The ZyWALL takes no action when a packet matches the signature(s). block: The ZyWALL silently drops packets that match the rule. Neither sender nor receiver is notified.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 525
    in use by the remote computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 526
    filtered port scan examples. • TCP Filtered Portscan • TCP Filtered Decoy Portscan • TCP Filtered Portsweep • UDP Filtered Portscan • IP Filtered Portscan • UDP Filtered Decoy Portscan • UDP Filtered Portsweep • IP Filtered Decoy Portscan • IP Filtered Portsweep
  • ZyXEL ZyWALL USG 50 | User Manual - Page 527
    (B), but the network of the spoofed source IP address (C). Figure 308 Smurf Attack TCP SYN Flood Attack Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then
  • ZyXEL ZyWALL USG 50 | User Manual - Page 528
    attack, hackers flood SYN packets into a network with a spoofed source IP address of the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unavailable while they try to respond to themselves.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 529
    /../xyz" get normalized to "/abc/xyz". Also, "/abc/./xyz" gets normalized to "/abc/xyz". If a user wants to configure an alert, then specify "yes", otherwise "no". This alert may give false positives since some web sites refer to files using directory traversals.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 530
    ATTACK This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with a %u followed by 4 characters, servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 531
    Table 158 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION WEBROOT-DIRECTORYTRAVERSAL ATTACK This is when a directory traversal traverses past the web server access to address header length. This may cause some applications to crash.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 532
    Table 158 HTTP Inspection and TCP/UDP/ICMP Decoders (continued) LABEL DESCRIPTION TRUNCATED-HEADER ATTACK This is when an ICMP packet ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 533
    to do the following. • Use schedule objects to define when to apply a content filter profile. • Use address and/or user/group objects to define to whose web access to apply the content filter profile. • Apply a content filter profile that you have custom-tailored.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 534
    , with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is www.zyxel.com.tw. The file path is the characters that come after the first slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is news/pressroom.php.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 535
    database content filtering (see the Licensing > Registration screens). 32.2 Content Filter General Screen Click Configuration > Anti-X > Content Filter > General to open the Content Filter General screen. Use this screen to enable content filtering, view and order
  • ZyXEL ZyWALL USG 50 | User Manual - Page 536
    ZyWALL collect category-based Report Service content filtering statistics. Policies This is a list of the configured content filter policies. Block web access when no policy is applied Select this check box to stop users from accessing the Internet by default.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 537
    users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message. Use "http://" or "https://" followed by up to 262 characters (0-9a-zA-Z For example, http://192.168.1.17/ blocked access.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 538
    ZyWALL. Click Reset to return the screen to its last-saved settings. 32.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen. Use this screen to configure a content
  • ZyXEL ZyWALL USG 50 | User Manual - Page 539
    use this policy. OK Cancel Select any to have the content filter policy apply to all of the web access requests that the ZyWALL receives from any user. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving your changes.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 540
    Filter > Filter Profile to open the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Figure 313 Configuration > Anti-X > Content Filter > Filter Profile The following table describes the labels in this
  • ZyXEL ZyWALL USG 50 | User Manual - Page 541
    See Chapter 33 on page 557 for how to view content filtering reports. Figure 314 Configuration > Anti-X > Content Filter > Filter Profile > Add
  • ZyXEL ZyWALL USG 50 | User Manual - Page 542
    . Enable external database content filtering to have the ZyWALL check an external database to find to which category a requested web page belongs. The ZyWALL then blocks or forwards access to the web page depending on the configuration of the rest of this page.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 543
    with the category of the blocked web page. Select Warn to display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Select Log to record attempts to access web pages that are not categorized.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 544
    Table 162 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued) LABEL DESCRIPTION Action When Category Select Pass to allow users to access any requested web page if Server capture sensitive data (i.e. credit card numbers, pin numbers).
  • ZyXEL ZyWALL USG 50 | User Manual - Page 545
    addresses, name, social security number, IP address, etc. A site is not classified as spyware if the user is reasonably notified that the software will perform these actions (that is, it alerts that it will send personal information, be installed products offered.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 546
    access to computer systems and/or computerized communication systems. Hacking encompasses instructions on illegal or questionable tactics, such as creating viruses, distributing cracked or pirated software, or distributing other protected intellectual property.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 547
    or offer methods, means of instruction, or other resources to affect services. Brokerage/Trading This category includes pages that provide or advertise trading of securities and management of investment assets (online support or host online sweepstakes and giveaways.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 548
    list services. Blogs/Newsgroups This category includes pages that offer access to Usenet news groups or other messaging or bulletin board systems. Also, blog specific sites or an individual with his own blog. This does not include social networking communities with blogs.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 549
    online community. Typically members describe themselves in personal web page profiles and form interactive networks, linking them with other members based on common interests or acquaintances. Instant messaging, file of daily life. This services, cooking and recipes.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 550
    nature are included. These sites are salacious that are bereft of historical context, educational value or artistic merit created solely to debase, dehumanize or shock. Examples include necrophilia, cannibalism, scat and amputee fetish sites.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 551
    Table 162 Configuration Servers This category includes servers that provide commercial hosting for a variety of content such as images and media files. These types of servers are typically used in conjunction with other web servers to optimize content retrieval speeds.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 552
    Filtering Table 162 Configuration > changes. 32.5.1 Content Filter Blocked and Warning Messages These are the content filtering warning messages. The messages for blocked access are the same but do not include the buttons. Figure 315 Content Filter Warning Messages
  • ZyXEL ZyWALL USG 50 | User Manual - Page 553
    character cannot be a number. This value is case-sensitive. Enable Custom Service Select this check box to allow trusted web sites and block forbidden web sites. Content filter list customization may be enabled and disabled without re-entering these site names.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 554
    . Sites that you want to block access to, regardless of their content rating, can be allowed by adding them to this list. Click this to create a new entry. Select an entry and click this to be able to modify it. Select an entry and click this to delete it.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 555
    part of the phrase (such as Bad for example). Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving your changes. 32.7 Content Filter Technical Reference This section provides content filtering background information.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 556
    filter server sends the category information back to the ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filter profile. The web site's address and category are then stored in the ZyWALL's content filter cache.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 557
    register your device and activate the subscription services. 33.2 Viewing Content Filter Reports Content filtering reports are generated statistics and charts of access attempts to web sites belonging to the trial (up to 30 days). 1 Go to http://www.myZyXEL.com.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 558
    2 Fill in your myZyXEL.com account information and click Login. Figure 318 myZyXEL.com: Login
  • ZyXEL ZyWALL USG 50 | User Manual - Page 559
    and/or MAC address under Registered ZyXEL Products (the ZyWALL 70 is shown as an example here). You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see Figure 320 on page 560). Figure 319 myZyXEL.com: Welcome
  • ZyXEL ZyWALL USG 50 | User Manual - Page 560
    the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 320 myZyXEL.com: Service Management 5 In the Web Filter Home screen, click the Reports tab. Figure 321 Content Filter Reports Main Screen
  • ZyXEL ZyWALL USG 50 | User Manual - Page 561
    want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 562
    8 A chart and/or list of requested web site categories display in the lower half of the screen. Figure 323 Global Report Screen Example
  • ZyXEL ZyWALL USG 50 | User Manual - Page 563
    9 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested. Figure 324 Requested URLs Example
  • ZyXEL ZyWALL USG 50 | User Manual - Page 564
    Chapter 33 Content Filter Reports 564 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 565
    configured white list helps keep important e-mail from being incorrectly classified as spam. The white list can also increase the ZyWALL's anti-spam speed and efficiency by not having the ZyWALL perform the full anti-spam checking process on legitimate e-mail.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 566
    Chapter 34 Anti-Spam Black List Configure black list entries to identify spam. The black list entries have the ZyWALL classify any e-mail that is from or forwarded by a specified IP address or uses a specified header field and header value as being spam. If an e-mail does not match any of the white
  • ZyXEL ZyWALL USG 50 | User Manual - Page 567
    -spam. 34.2 Before You Begin Configure your zones before you configure anti-spam. 34.3 The Anti-Spam General Screen Click Configuration > Anti-X > Anti-Spam to open the Anti-Spam General screen. Use this screen to turn the anti-spam feature on or off and manage anti-
  • ZyXEL ZyWALL USG 50 | User Manual - Page 568
    entry and click Add to create a new entry after the selected entry. Select an entry and click this to be able to modify it.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 569
    -Spam Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configuration screen as shown next. Use this screen to configure an anti-spam policy that controls what traffic direction of e-mail to
  • ZyXEL ZyWALL USG 50 | User Manual - Page 570
    traffic to scan for spam. The anti-spam policy has the ZyWALL scan traffic coming from the From zone and going to the To zone. Select which protocols of traffic to scan for spam. SMTP applies to traffic using TCP port 25. POP3 applies to traffic using TCP port 110.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 571
    List screen. Configure the black list to identify spam e-mail. You can create black list entries based on the sender's or relay server's IP address or e-mail address. You can also create entries that check for particular e-mail header fields with specific values or
  • ZyXEL ZyWALL USG 50 | User Manual - Page 572
    This field displays the subject content, source or relay IP address, source e-mail address, or header value for which the entry checks. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 573
    enable the anti-spam feature in the anti-spam general screen, and configure an anti-spam policy to use the list. Use this field to base the entry on the e-mail's subject, source or relay IP address, source e-mail address, or header. Select Subject to have the ZyWALL
  • ZyXEL ZyWALL USG 50 | User Manual - Page 574
    marks) to specify abc, acc and so on. • You can also use a wildcard (*). For example, if you configure *def.com, any email address that ends in def.com matches. So "mail.def.com" matches. • The wildcard can be anywhere in the text string and you can use more than one wildcard. You cannot use two
  • ZyXEL ZyWALL USG 50 | User Manual - Page 575
    table describes the labels in this screen. Table 168 Configuration > Anti-X > Anti-Spam > Black/White List > White List LABEL DESCRIPTION General Settings Enable White List Select this check box to have the ZyWALL forward is the entry's index number in the list.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 576
    DNSBL to display the anti-spam DNSBL screen. Use this screen to configure the ZyWALL to check the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Figure 330 Configuration > Anti-X > Anti-Spam > DNSBL
  • ZyXEL ZyWALL USG 50 | User Manual - Page 577
    list maintained by one of the DNSBL domains listed in the ZyWALL. This tag is only added if the anti-spam policy is configured to forward spam mail with a spam tag. Max. IPs Set the maximum number of sender and relay server IP addresses in Checking Per Mail the mail header to check against the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 578
    have no effect. • The ZyWALL records DNSBL responses for IP addresses in a cache for up to 72 hours. The ZyWALL checks an e-mail's sender and relay IP addresses against the cache first and only sends DNSBL queries for IP addresses that are not in the cache. 578 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 579
    list. 4 The ZyWALL immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 50 User's Guide 579
  • ZyXEL ZyWALL USG 50 | User Manual - Page 580
    in its list (not spam). 4 Now that the ZyWALL has received at least one non-spam reply for each of the email's routing IP addresses, the ZyWALL immediately classifies the e-mail as legitimate and forwards it. The ZyWALL does not wait for any more DNSBL replies. 580 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 581
    list. 4 The ZyWALL immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to drop the mail. The ZyWALL does not wait for any more DNSBL replies. ZyWALL USG 50 User's Guide 581
  • ZyXEL ZyWALL USG 50 | User Manual - Page 582
  • ZyXEL ZyWALL USG 50 | User Manual - Page 583
    access to configuration and services in the ZyWALL. User Types These are the types of user accounts the ZyWALL uses. Table 170 Types of User Accounts TYPE ABILITIES LOGIN METHOD(S) Admin Users admin Change ZyWALL configuration (web, CLI) WWW, TELNET, SSH, FTP, Console ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 584
    Chapter 35 User/Group Table 170 Types of User Accounts (continued) TYPE ABILITIES LOGIN METHOD(S) limited-admin Look at ZyWALL configuration (web, CLI) WWW, TELNET, SSH, Console Access Users user Perform basic diagnostics (CLI) Access network services WWW, TELNET, SSH Browse user-mode
  • ZyXEL ZyWALL USG 50 | User Manual - Page 585
    order to log in. • See Section 7.5 on page 122 for an example of configuring user accounts and user groups as part of user-aware access control. • See Section 7.6 on page 131 for an example of how to use a RADIUS server to authenticate user accounts based on groups. ZyWALL USG 50 User's Guide 585
  • ZyXEL ZyWALL USG 50 | User Manual - Page 586
    access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group. Figure 334 Configuration > Object > User/Group The following table describes the labels in this screen. Table 171 Configuration is no unicode support) • _ [underscores]
  • ZyXEL ZyWALL USG 50 | User Manual - Page 587
    • root • uucp • zyxel • bin • games • news • shutdown • daemon • halt • nobody • sshd To access this screen, go to the User screen (see Section 35.2 on page 586), and click either the Add icon or an Edit icon. Figure 335 Configuration > User/Group > User > Add ZyWALL USG 50 User's Guide 587
  • ZyXEL ZyWALL USG 50 | User Manual - Page 588
    configuration of the ZyWALL but cannot change it • user - this user has access to the ZyWALL's services but cannot look at the configuration • guest - this user has access to the ZyWALL's services but cannot look at the configuration • ext-user - this user account is maintained in a remote server
  • ZyXEL ZyWALL USG 50 | User Manual - Page 589
    it before doing so. Removing a group does not remove the user accounts in the group. Object References Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 230 for an example. ZyWALL USG 50 User's Guide 589
  • ZyXEL ZyWALL USG 50 | User Manual - Page 590
    access this screen, go to the Group screen (see Section 35.3 on page 589), and click either the Add icon or an Edit icon. Figure 337 Configuration > User/Group > Group > Add The following table describes the labels in this screen. Table 174 Configuration and spaces. 590 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 591
    your changes. 35.4 Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them. ZyWALL USG 50 User's Guide 591
  • ZyXEL ZyWALL USG 50 | User Manual - Page 592
    manually configure any user account's authentication timeout settings. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. # This field is a sequential value, and it is not associated with a specific entry. 592 ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 593
    reached. This is applicable for access users. User Logon Settings This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user. ZyWALL USG 50 User's Guide 593
  • ZyXEL ZyWALL USG 50 | User Manual - Page 594
    the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. 594 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 595
    • limited-admin - this user can look at the configuration of the ZyWALL but cannot change it • user - this user has access to the ZyWALL's services but cannot look at the configuration • ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts
  • ZyXEL ZyWALL USG 50 | User Manual - Page 596
    the amount of lease time that remains, though the user might be able to reset it. Remaining time before auth. timeout This field displays the amount of time that remains before the ZyWALL automatically logs the access user out, regardless of the lease time. 596 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 597
    you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 47 on page 737 for more information about shell scripts. ZyWALL USG 50 User's Guide 597
  • ZyXEL ZyWALL USG 50 | User Manual - Page 598
  • ZyXEL ZyWALL USG 50 | User Manual - Page 599
    for using multiple static public WAN IP addresses for LAN to WAN traffic. 36.2 Address Summary Screen The address screens are used to create, maintain, and remove addresses. These are the types of address objects. • HOST - a host address is defined by an IP Address.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 600
    Ending IP Address. • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the ZyWALL. To access this screen, click Configuration > Object > Address > Address. Click a column's heading cell to sort the table
  • ZyXEL ZyWALL USG 50 | User Manual - Page 601
    GATEWAY. IP Address Starting IP Address Ending IP Address Network Netmask Note: The ZyWALL automatically updates address objects that are based on an interface's IP address, subnet, or gateway if the interface's IP address settings change. For example, if you change ge1's IP address, the ZyWALL
  • ZyXEL ZyWALL USG 50 | User Manual - Page 602
    .3.2 on page 230 for an example. # This field is a sequential value, and it is not associated with a specific address group. Name This field displays the name of each address group. Description This field displays the description of each address group, if any. 602 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 603
    the arrow button to move them. OK Cancel Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User's Guide 603
  • ZyXEL ZyWALL USG 50 | User Manual - Page 604
  • ZyXEL ZyWALL USG 50 | User Manual - Page 605
    configure the ZyWALL's list of services and their definitions. • Use the Service Group screens (Section 37.2 on page 606) to view and configure the ZyWALL's list of service groups. 37.1.2 What You Need to Know IP Protocols IP or that the messages arrive at all. ZyWALL USG 50 User's Guide 605
  • ZyXEL ZyWALL USG 50 | User Manual - Page 606
    of all services and their definitions. In addition, this screen allows you to add, edit, and remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column's heading cell to sort the table 606 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 607
    use the entry. See Section 11.3.2 on page 230 for an example. # This field is a sequential value, and it is not associated with a specific service. Name This field displays the name of each service. Content This field displays a description of each service. ZyWALL USG 50 User's Guide 607
  • ZyXEL ZyWALL USG 50 | User Manual - Page 608
    to the ZyWALL. Click Cancel to exit this screen without saving your changes. 37.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. 608 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 609
    displays the name of each service group. Description By default, the ZyWALL uses services starting with "Default_Allow_" in the firewall rules to allow certain services to connect to the ZyWALL. This field displays the description of each service group, if any. ZyWALL USG 50 User's Guide 609
  • ZyXEL ZyWALL USG 50 | User Manual - Page 610
    the arrow button to move them. OK Cancel Move any members you do not want included to the Available list. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving your changes. 610 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 611
    and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours. ZyWALL USG 50 User's Guide 611
  • ZyXEL ZyWALL USG 50 | User Manual - Page 612
    ZyWALL. To access this screen, click Configuration > Object > Schedule. Figure 351 Configuration > Object > Schedule 612 The following table References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 230 for an example. # ends. Time ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 613
    > Edit (One Time) LABEL DESCRIPTION Configuration Name Type the name used to refer to the one-time schedule. You may use 131 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. ZyWALL USG 50 User's Guide 613
  • ZyXEL ZyWALL USG 50 | User Manual - Page 614
    Table 188 Configuration when the schedule ends. Year - changes. 38.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen 614 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 615
    the schedule ends each day. Hour - 0 - 23 Weekly Week Days OK Cancel Minute - 0 - 59 Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving your changes. ZyWALL USG 50 User's Guide 615
  • ZyXEL ZyWALL USG 50 | User Manual - Page 616
  • ZyXEL ZyWALL USG 50 | User Manual - Page 617
    ZyWALL tries to bind (or log in) to the LDAP/AD server. 3 When the binding process is successful, the ZyWALL checks the user information in the directory against the user name and password pair. 4 If it matches, the user is allowed access. Otherwise, access is blocked. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 618
    > AAA Server screens. 6 Give the OTP tokens to (local or remote) users. 39.1.4 What You Can Do in this Chapter • Use the Configuration > Object > AAA Server > Active Directory (or LDAP) screens (Section 39.2 on page 621) to configure Active Directory or LDAP server objects. 618 ZyWALL USG 50 User
  • ZyXEL ZyWALL USG 50 | User Manual - Page 619
    server. RADIUS authentication allows you to validate a large number of users from a central location. Directory Structure The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 620
    . When a bind DN is not specified, the ZyWALL will try to log in as an anonymous user. If the bind password is incorrect, the login will fail. Finding Out More • See Section 7.5.3 on page 124 for an example of how to set up user authentication using a radius server. 620 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 621
    DN This specifies a directory. For example, o=ZyXEL, c=US. 39.2.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the ZyWALL USG 50 User's Guide 621
  • ZyXEL ZyWALL USG 50 | User Manual - Page 622
    server, enter its address here. Address Port Specify the port number on the AD or LDAP server to which the ZyWALL sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group. 622 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 623
    . Enter the account's user name in the Username field and click Test. Click OK to save the changes. Click Cancel to discard the changes. 39.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the ZyWALL can use in authenticating users. ZyWALL USG 50 User's Guide 623
  • ZyXEL ZyWALL USG 50 | User Manual - Page 624
    a directory. For example, o=ZyXEL, c=US. Host Enter the IP address (in dotted decimal notation) or the domain name (up to 63 alphanumeric characters) of a RADIUS server. Authentication Port The default port of the RADIUS server for authentication is 1812. You need not change this value unless
  • ZyXEL ZyWALL USG 50 | User Manual - Page 625
    1 and 65535. Backup Server If the RADIUS server has a backup server, enter its address here. Address Backup Specify the port number on the RADIUS server to which the ZyWALL Authentication sends authentication requests. Enter a number between 1 and 65535. Port ZyWALL USG 50 User's Guide 625
  • ZyXEL ZyWALL USG 50 | User Manual - Page 626
    like "sales", "RD", and "management". Then you could also create an extgroup-user user object for each group: one with "sales" as the group identifier, another for "RD" and a third for "management". Click OK to save the changes. Click Cancel to discard the changes.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 627
    chapter on VPN for more information. Follow the steps below to specify the authentication method for a VPN connection. 1 Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen. 2 Click Show Advance Setting and select Enable Extended Authentication. ZyWALL USG 50 User's Guide 627
  • ZyXEL ZyWALL USG 50 | User Manual - Page 628
    Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 11.3.2 on page 230 for an example. # This field displays the index number. Method Name This field displays a descriptive name for identification purposes. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 629
    servers you specify, the ZyWALL does not continue the search on the second authentication server when the username and password you enter do not match those on the first authentication server. Note: You can NOT select two server objects of the same type.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 630
    If two accounts with the same username exist on two authentication servers you specify, the ZyWALL does not continue the search on the second authentication server when the username and password you enter do not match those on the first authentication server.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 631
    Table 195 Configuration > Object > Auth. Method > Add (continued) LABEL DESCRIPTION Add icon Click Add to add a new entry. Click Edit to edit the settings of an entry. OK Cancel Click Delete to delete an entry. Click OK to save the changes. Click Cancel to discard the changes. ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 632
  • ZyXEL ZyWALL USG 50 | User Manual - Page 633
    process works as follows. 1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). ZyWALL USG 50 User's Guide 633
  • ZyXEL ZyWALL USG 50 | User Manual - Page 634
    the public key openly available. This on the type of connection. For example, a VPN tunnel might use the triple DES Certification authorities maintain directory servers with databases of valid and ZyWALL act as a certification authority and sign its own certificates. 634 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 635
    Factory Default Certificate The ZyWALL generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File to where you have the certificate saved on your computer. ZyWALL USG 50 User's Guide 635
  • ZyXEL ZyWALL USG 50 | User Manual - Page 636
    a ".cer" or ".crt" file name extension. Figure 364 Remote Host Certificates 3 Double-click the certificate's icon to open the Certificate window. Click the Details based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 636 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 637
    page 230 for an example. # This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. ZyWALL USG 50 User's Guide 637
  • ZyXEL ZyWALL USG 50 | User Manual - Page 638
    Chapter 41 Certificates Table 196 Configuration > Object > Certificate > My Certificates (continued) LABEL DESCRIPTION Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the 638 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 639
    Chapter 41 Certificates ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 367 Configuration > Object > Certificate > My Certificates > Add ZyWALL USG 50 User's Guide 639
  • ZyXEL ZyWALL USG 50 | User Manual - Page 640
    table describes the labels in this screen. Table 197 Configuration a Host IP Address, Host Domain ZyWALL generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates. 640 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 641
    certification authority's certificate already imported in the Trusted Certificates screen. Click Trusted CAs to go to the Trusted Certificates screen where you can view (and manage) the ZyWALL's list of certificates of trusted certification authorities. ZyWALL USG 50 User's Guide 641
  • ZyXEL ZyWALL USG 50 | User Manual - Page 642
    and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyWALL to enroll a certificate online. 642 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 643
    > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name. Figure 368 Configuration > Object > Certificate > My Certificates > Edit ZyWALL USG 50 User's Guide 643
  • ZyXEL ZyWALL USG 50 | User Manual - Page 644
    Chapter 41 Certificates The following table describes the labels in this screen. Table 198 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field the certificate has expired. "none" displays for a certification request. 644 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 645
    the file on a management computer for later manual enrollment. Export Export Certificate Only Password Export password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 646
    Type in the location of the file you want to upload in this field or click Browse to find it. Browse You cannot import a certificate with the same name as a certificate that is already in the ZyWALL. Click Browse to find the certificate file you want to upload. 646 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 647
    . Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action. ZyWALL USG 50 User's Guide 647
  • ZyXEL ZyWALL USG 50 | User Manual - Page 648
    Trusted Certificates and then a certificate's Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate's name and set whether or not you want the ZyWALL to check a certification 648 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 649
    Chapter 41 Certificates authority's list of revoked certificates before trusting a certificate issued by the certification authority. Figure 371 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL USG 50 User's Guide 649
  • ZyXEL ZyWALL USG 50 | User Manual - Page 650
    authority). Password Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority). Certificate Information These read-only fields display detailed information about the certificate. 650 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 651
    certificate's path. MD5 Fingerprint This is the certificate's message digest that the ZyWALL calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. ZyWALL USG 50 User's Guide 651
  • ZyXEL ZyWALL USG 50 | User Manual - Page 652
    Follow the instructions in this screen to save a trusted certificate to the ZyWALL. Note: You must remove any spaces from the certificate's filename before you can import the certificate. Figure 372 Configuration > Object > Certificate > Trusted Certificates > Import 652 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 653
    is a reduction in network traffic since the ZyWALL only gets information on the certificates that it needs to verify, not a huge list. When the ZyWALL requests certificate status information, the OCSP server returns an "expired", "current" or "unknown" response.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 654
  • ZyXEL ZyWALL USG 50 | User Manual - Page 655
    .2 on page 655) to create and manage ISP accounts in the ZyWALL. 42.2 ISP Account Summary This screen provides a summary of ISP accounts in the ZyWALL. To access this screen, click Configuration > Object > ISP Account. Figure 373 Configuration > Object > ISP Account ZyWALL USG 50 User's Guide 655
  • ZyXEL ZyWALL USG 50 | User Manual - Page 656
    as well. Table 203 Configuration > Object > open this window, open the ISP Account screen. (See Section 42.2 on page 655.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below. Figure 374 Configuration > Object > ISP Account > Edit 656 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 657
    blank. If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank. If this ISP account uses the PPTP protocol, this field is not displayed. ZyWALL USG 50 User's Guide 657
  • ZyXEL ZyWALL USG 50 | User Manual - Page 658
    ZyWALL automatically disconnects from the PPPoE/PPTP server. This value must be an integer between 0 and 360. If this value is zero, this timeout is disabled. OK Click OK to save your changes back to the ZyWALL any changes to the profile (if it already exists). 658 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 659
    or Windows file server which remote users can access using a standard web browser (Section 43.2.1 on page 662). 43.1.2 What You Need to Know Application Types You can configure the following SSL application on the ZyWALL. • Web-based A web-based application allows remote users to access an intranet
  • ZyXEL ZyWALL USG 50 | User Manual - Page 660
    , change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs. The LAN computer to be managed must have VNC (Virtual Network Computing) or RDP (Remote Desktop Protocol) server software installed
  • ZyXEL ZyWALL USG 50 | User Manual - Page 661
    Web Site for Access 43.2 The SSL Application Screen The main SSL Application screen displays a list of the configured SSL application objects. Click Configuration > Object > SSL Application in the navigation panel. Figure 377 Configuration > Object > SSL Application ZyWALL USG 50 User's Guide 661
  • ZyXEL ZyWALL USG 50 | User Manual - Page 662
    the name of the object. Address This field displays the IP address/URL of the application server or the location of a file share. Type This field shows whether the object is a file-sharing, web-server, Outlook Web Access, Virtual Network Computing, or Remote Desktop Protocol SSL application. 43
  • ZyXEL ZyWALL USG 50 | User Manual - Page 663
    . This field displays if the Server Type is set to Web Server or OWA. This field is optional. You only need to configure this field if you need to specify the name of the directory or file on the local server as the home page or home directory on the user screen. ZyWALL USG 50 User's Guide 663
  • ZyXEL ZyWALL USG 50 | User Manual - Page 664
    Server Address(es) This field displays if the Server Type is set to RDP or VNC. Specify the IP address or Fully-Qualified Domain Name (FQDN) of the computer(s) that you want to allow the remote users to manage. Starting Port This field displays if the Server Type is set to RDP or VNC. Ending Port
  • ZyXEL ZyWALL USG 50 | User Manual - Page 665
    SSL VPN's endpoint security object and is granted access to the system resource defined in the SSL VPN access policy; in this example a web server. SSL VPN user C fails all of the SSL VPN's endpoint security check and is not given any access. Figure 379 Endpoint Security ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 666
    access. Requirements User computers must have Sun's Java (Java Runtime Environment or 'JRE') installed and enabled with a minimum version of 1.4. Finding Out More See Section 7.7 on page 133 for an example of how to use endpoint security and authentication policies. 666 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 667
    be using. Checking Failure Message Enter a message to display when a user's computer fails the endpoint security check. Use up to 1023 characters (0-9a-zA-Z For example, "Endpoint Security checking failed. Please contact your network administrator for help.". ZyWALL USG 50 User's Guide 667
  • ZyXEL ZyWALL USG 50 | User Manual - Page 668
    Chapter 44 Endpoint Security Table 207 Configuration > Object > Endpoint Security (continued) LABEL DESCRIPTION Apply Click this button to save your changes to the ZyWALL. Reset Click this button to return the screen to its last-saved settings. 668 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 669
    Chapter 44 Endpoint Security 44.3 Endpoint Security Add/Edit Click Configuration > Object > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object. ZyWALL USG 50 User's Guide 669
  • ZyXEL ZyWALL USG 50 | User Manual - Page 670
    Chapter 44 Endpoint Security Figure 381 Configuration > Object > Endpoint Security > Add 670 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 671
    patches that the user's computer must have installed. The user's computer must have all of the listed Windows security patches installed to pass this checking item. Click Add to create a new entry. Select one or more entries and click Remove to delete it or them. ZyWALL USG 50 User's Guide 671
  • ZyXEL ZyWALL USG 50 | User Manual - Page 672
    extension for Linux operating systems. Click Add to create a new entry. Select one or more entries and click Remove to delete it or them. 672 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 673
    or more entries and click Remove to delete it or them. OK Cancel The user's computer must pass one of the listed file information checks to pass this checking item. Click OK to save your changes back to the ZyWALL. Click Cancel to exit this screen without saving. ZyWALL USG 50 User's Guide 673
  • ZyXEL ZyWALL USG 50 | User Manual - Page 674
  • ZyXEL ZyWALL USG 50 | User Manual - Page 675
    manage and monitor the ZyWALL through the network. Use the System > SNMP screen (see Section 45.10 on page 715) to configure SNMP settings, including from which zones SNMP can be used to access the ZyWALL. You can also specify from which IP addresses the access can come. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 676
    name is propagated to DHCP clients connected to interfaces with the DHCP server enabled. This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes "-" are accepted. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen
  • ZyXEL ZyWALL USG 50 | User Manual - Page 677
    . If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered. When you enter the time settings manually, the ZyWALL uses the new setting once you click Apply. ZyWALL USG 50 User's Guide 677
  • ZyXEL ZyWALL USG 50 | User Manual - Page 678
    -dd) This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the ZyWALL get the time and date from
  • ZyXEL ZyWALL USG 50 | User Manual - Page 679
    , it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried. ZyWALL USG 50 User's Guide 679
  • ZyXEL ZyWALL USG 50 | User Manual - Page 680
    1 Click System > Date/Time. 2 Select Get from Time Server under Time and Date Setup. 3 Under Time Zone Setup, select your Time Zone from the list. 4 As an option you can select the Enable Daylight Saving check box to adjust the ZyWALL clock for daylight savings. 680 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 681
    last-saved settings. 45.5 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. ZyWALL USG 50 User's Guide 681
  • ZyXEL ZyWALL USG 50 | User Manual - Page 682
    • You can manually enter the IP addresses of other DNS servers. 45.5.2 Configuring the DNS Screen Click Configuration > System > DNS to change your ZyWALL's DNS settings. Use the DNS screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN, DDNS
  • ZyXEL ZyWALL USG 50 | User Manual - Page 683
    .tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Type A "*" means all domain zones. This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined). ZyWALL USG 50 User's Guide 683
  • ZyXEL ZyWALL USG 50 | User Manual - Page 684
    not an editable rule. To apply other behavior, configure a rule that traffic will match so the ZyWALL will not have to use the default policy. This is the zone on the ZyWALL the user is allowed or denied to access. This is the object name of the IP address(es) with which the computer is allowed or
  • ZyXEL ZyWALL USG 50 | User Manual - Page 685
    or a reverse lookup record. It is a mapping of an IP address to a domain name. 45.5.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record. Figure 387 Configuration > System > DNS > Address/PTR Record Edit ZyWALL USG 50 User's Guide 685
  • ZyXEL ZyWALL USG 50 | User Manual - Page 686
    domain zone for the www.zyxel.com.tw fully qualified domain name. 45.5.7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 388 Configuration > System > DNS > Domain Zone Forwarder Add 686 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 687
    not configure proper MX records for your domain or other domain, external e-mail from other mail servers cannot be delivered to your mail server and vice versa. Each host or domain can have only one MX record; that is, one domain maps to one host. ZyWALL USG 50 User's Guide 687
  • ZyXEL ZyWALL USG 50 | User Manual - Page 688
    and exit this screen. Cancel Click Cancel to exit this screen without saving 45.5.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 390 Configuration > System > DNS > Service Control Rule Add 688 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 689
    of configuring service control to block administrator HTTPS access from all zones except the LAN. To stop a service from accessing the ZyWALL, clear Enable in the corresponding service screen. 45.6.1 Service Access Limitations A service cannot be used to access the ZyWALL when: ZyWALL USG 50 User
  • ZyXEL ZyWALL USG 50 | User Manual - Page 690
    The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. 4 There is a firewall rule that blocks it. 45.6.2 System Timeout There is a lease timeout for administrators. The ZyWALL automatically logs you out if the management session remains
  • ZyXEL ZyWALL USG 50 | User Manual - Page 691
    attempts. 45.6.4 Configuring WWW Service Control Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ZyWALL using HTTP or HTTPS. You can also specify which IP addresses the access can come from. ZyWALL USG 50 User's Guide 691
  • ZyXEL ZyWALL USG 50 | User Manual - Page 692
    > WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL Web Configurator using secure HTTPS connections. 692 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 693
    ) LABEL DESCRIPTION Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the ZyWALL, for example 8443, then you must notify people who need to access the ZyWALL Web Configurator to use "https://ZyWALL IP Address:8443" as
  • ZyXEL ZyWALL USG 50 | User Manual - Page 694
    the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Select a method the HTTPS or HTTP server uses to authenticate a client. You must have configured the authentication methods in the Auth. method screen. 694 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 695
    and exit this screen. Click Cancel to exit this screen without saving 45.6.6 Customizing the WWW Login Page Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can ZyWALL USG 50 User's Guide 695
  • ZyXEL ZyWALL USG 50 | User Manual - Page 696
    Chapter 45 System also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 35 on page 583 for more on access user accounts. Figure 394 Configuration > System > WWW > Login Page 696 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 697
    Logo Title Message (color of all text) Background Figure 396 Access Page Customization Logo Title Note Message (last line of text) Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: ZyWALL USG 50 User's Guide 697
  • ZyXEL ZyWALL USG 50 | User Manual - Page 698
    after an access user logs into the Web Configurator to access network services like the Internet. Title Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces are allowed. Message Color Specify the color of the screen's text. 698 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 699
    -saved settings. 45.6.7 HTTPS Example If you haven't changed the default HTTPS port on the ZyWALL, then in your browser enter "https://ZyWALL IP Address/" as the web site address where "ZyWALL IP Address" is the IP address or domain name of the ZyWALL you wish to access. 45.6.7.1 Internet Explorer
  • ZyXEL ZyWALL USG 50 | User Manual - Page 700
    attempt to access the ZyWALL HTTPS server, a Website Certified by an Unknown Authority screen pops up asking if you trust the server certificate. Click displays warnings about the ZyWALL's HTTPS server certificate and what you can do to avoid seeing the warnings: 700 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 701
    The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). ZyWALL USG 50 User's Guide 701
  • ZyXEL ZyWALL USG 50 | User Manual - Page 702
    (s). 45.6.7.5.1 Installing the CA's Certificate 1 Double click the CA's trusted certificate to produce a screen similar to the one shown next. Figure 402 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. 702 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 703
    403 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 404 Personal Certificate Import Wizard 2 ZyWALL USG 50 User's Guide 703
  • ZyXEL ZyWALL USG 50 | User Manual - Page 704
    Chapter 45 System 3 Enter the password given to you by the CA. Figure 405 Personal Certificate Import Wizard 3 4 Have the wizard determine where all certificates in the following store and choose a different location. Figure 406 Personal Certificate Import Wizard 4 704 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 705
    Certificate Import Wizard 6 45.6.7.6 Using a Certificate When Accessing the ZyWALL Example Use the following procedure to access the ZyWALL via HTTPS. 1 Enter 'https://ZyWALL IP Address/' in your browser's web address field. Figure 409 Access the ZyWALL Via HTTPS ZyWALL USG 50 User's Guide 705
  • ZyXEL ZyWALL USG 50 | User Manual - Page 706
    see the Web Configurator login screen. Figure 411 Secure Web Configurator Login Screen 45.7 SSH You can use SSH (Secure SHell) to securely access the ZyWALL's command line interface. Specify which zones allow SSH access and from which IP address the access can come. 706 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 707
    Internet uses SSH to securely connect to the WAN port of the ZyWALL for a management session. Figure 412 SSH Communication Over the WAN Example 45.7.1 How SSH Works The following figure is an example of how a secure connection is established between two remote hosts using SSH v1. Figure 413 How SSH
  • ZyXEL ZyWALL USG 50 | User Manual - Page 708
    over SSH. 45.7.4 Configuring SSH Click Configuration > System > SSH to change your ZyWALL's Secure Shell settings. Use this screen to specify from which zones SSH can be used to manage the ZyWALL. You can also specify from which IP addresses the access can come. 708 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 709
    the IP address(es) in the Service Control table to access the ZyWALL CLI using this service. Version 1 Select the check box to have the ZyWALL use both SSH version 1 and version 2 protocols. If you clear the check box, the ZyWALL uses only SSH version 2 protocol. Server Port You may change the
  • ZyXEL ZyWALL USG 50 | User Manual - Page 710
    information (IP address, port number) for the ZyWALL. 2 Configure the SSH client to accept connections using SSH version 1. 3 A window displays prompting you to store the host key in your computer. Click Yes to continue. Figure 415 SSH Example 1: Store Host Key 710 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 711
    ) to the list of known hosts. [email protected]'s password: 3 The CLI screen displays next. 45.8 Telnet You can use Telnet to access the ZyWALL's command line interface. Specify which zones allow Telnet access and from which IP address the access can come. ZyWALL USG 50 User's Guide 711
  • ZyXEL ZyWALL USG 50 | User Manual - Page 712
    the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL CLI using this service. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Service
  • ZyXEL ZyWALL USG 50 | User Manual - Page 713
    with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 45.9 FTP You can upload and download the ZyWALL's firmware and
  • ZyXEL ZyWALL USG 50 | User Manual - Page 714
    the computer with the IP address that matches the IP address(es) in the Service Control table to access the ZyWALL using this service. TLS required Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication. Server Port Server Certificate Service Control Add Edit
  • ZyXEL ZyWALL USG 50 | User Manual - Page 715
    the computer with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 45.10 SNMP Simple Network Management Protocol is
  • ZyXEL ZyWALL USG 50 | User Manual - Page 716
    . SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: • Get - Allows the manager to retrieve an object variable from the agent. 716 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 717
    link is up. This trap is sent when an SNMP request comes from non-authenticated hosts. 45.10.3 Configuring SNMP To change your ZyWALL's SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP ZyWALL USG 50 User's Guide 717
  • ZyXEL ZyWALL USG 50 | User Manual - Page 718
    the password sent with each trap to the SNMP manager. The default is public and allows all requests. Destination Type the IP address of the station to send your SNMP traps to. Service Control This specifies from which computers you can access which ZyWALL zones. 718 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 719
    with the IP address specified above can access the ZyWALL zone(s) configured in the Zone field (Accept) or not (Deny). Click Apply to save your changes back to the ZyWALL. Click Reset to return the screen to its last-saved settings. 45.11 Vantage CNM Vantage CNM (Centralized Network Management) is
  • ZyXEL ZyWALL USG 50 | User Manual - Page 720
    . If the Vantage CNM server is on a different subnet to the ZyWALL and is behind a NAT router, enter the WAN IP address of the NAT router here and configure the NAT router to forward UDP port 11864 traffic to the Vantage CNM server. If the Vantage CNM server is behind a firewall, you may have to
  • ZyXEL ZyWALL USG 50 | User Manual - Page 721
    certificates. Vantage Certificate Select the Vantage CNM server's certificate. This applies when you enable HTTPS authentication. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG 50 User's Guide 721
  • ZyXEL ZyWALL USG 50 | User Manual - Page 722
    for the ZyWALL's Web Configurator screens. You also need to open a new browser session to display the screens in the new language. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to return the screen to its last-saved settings. 722 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 723
    this Chapter • Use the Email Daily Report screen (Section 46.2 on page 723) to configure where and how to send daily reports and what reports to send. • Use the Maintenance through your ZyWALL. Note: Data collection may decrease the ZyWALL's traffic throughput rate. ZyWALL USG 50 User's Guide 723
  • ZyXEL ZyWALL USG 50 | User Manual - Page 724
    Chapter 46 Log and Report Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ZyWALL e-mail you system statistics every day. Figure 424 Configuration > Log & Report > Email Daily Report 724 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 725
    a system log and supports e-mail profiles and remote syslog servers. The system log is available on the View Log tab, the e-mail profiles are used to mail log messages to the specified destinations, and the other four logs are stored on specified syslog servers. ZyWALL USG 50 User's Guide 725
  • ZyXEL ZyWALL USG 50 | User Manual - Page 726
    LABEL DESCRIPTION Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 727
    Table 229 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific log. Name This field displays the name of the log (system log or one of the remote servers Edit icon. ZyWALL USG 50 User's Guide 727
  • ZyXEL ZyWALL USG 50 | User Manual - Page 728
    Chapter 46 Log and Report Figure 426 Configuration > Log & Report > Log Setting > Edit (System Log) 728 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 729
    logs enabled, the ZyWALL will e-mail logs to them. enable normal logs and debug logs (yellow check mark) create log messages, alerts, and debugging information for all categories. The ZyWALL does not e-mail debugging information, even if this setting is selected. ZyWALL USG 50 User's Guide 729
  • ZyXEL ZyWALL USG 50 | User Manual - Page 730
    included in log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The ZyWALL does not e-mail debugging information, even if it is recorded in the System log. 730 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 731
    Chapter 46 Log and Report Table 230 Configuration > Log & Report > Log Setting > Edit ( end of the Message field. OK Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 732
    screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 46.3.1 on page 726), and click a remote server Edit icon. Figure 427 Configuration > Log & Report > Log Setting > Edit (Remote Server) 732 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 733
    files in the syslog server. Please see the documentation for your syslog program for more information. Use the Selection drop-down list to change the log settings for all of the log categories. disable all logs (red X) - do not send the remote server logs for any log category. enable normal
  • ZyXEL ZyWALL USG 50 | User Manual - Page 734
    remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access . (The Default category includes debugging messages generated by open source software.) 734 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 735
    , and it is not associated with a specific address. This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. ZyWALL USG 50 User's Guide 735
  • ZyXEL ZyWALL USG 50 | User Manual - Page 736
    enable normal logs and debug logs (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Click this to return to the previous screen without saving your changes. 736 ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 737
    Scripts When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change. ZyWALL USG 50 User's Guide 737
  • ZyXEL ZyWALL USG 50 | User Manual - Page 738
    address-object TW_SUBNET
    exit
    # enable Telnet access (not enabled by default, unlike other services)
    ip telnet server
    # open WAN-to-ZyWALL firewall for TW_TEAM for remote management
    firewall WAN ZyWALL insert 4
    sourceip TW_TEAM
    service TELNET
    action allow
    exit
    write
    While configuration files
  • ZyXEL ZyWALL USG 50 | User Manual - Page 739
    file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 740
    any errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors. Figure 430 Maintenance > File Manager > Configuration File 740 Do not turn off the ZyWALL while configuration file upload is in progress. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 741
    in this screen. Table 234 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ZyWALL. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and
  • ZyXEL ZyWALL USG 50 | User Manual - Page 742
    > File Manager > Configuration File > Copy Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9 Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file. 742 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 743
    for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. ZyWALL USG 50 User's Guide 743
  • ZyXEL ZyWALL USG 50 | User Manual - Page 744
    file and click Apply to reset all of the ZyWALL settings to the factory defaults. This configuration file is included when you upload a firmware package. The startup-config.conf file is the configuration file that the ZyWALL is currently using. If you make and save changes during your management
  • ZyXEL ZyWALL USG 50 | User Manual - Page 745
    minutes. Do not turn off or reset the ZyWALL while the firmware update is in progress! Figure 434 Maintenance > File Manager > Firmware Package The following table describes the labels in this screen. Table 235 Maintenance > File Manager > Firmware Package LABEL DESCRIPTION Boot Module This is
  • ZyXEL ZyWALL USG 50 | User Manual - Page 746
    " filename extension. Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the ZyWALL at the same time. 746 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 747
    to delete the shell script file. Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file. Download Click a shell script file's row to select it and click Download to save the configuration to your computer. ZyWALL USG 50 User's Guide 747
  • ZyXEL ZyWALL USG 50 | User Manual - Page 748
    Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. 748 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 749
    a file containing the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 441 Maintenance > Diagnostics ZyWALL USG 50 User's Guide 749
  • ZyXEL ZyWALL USG 50 | User Manual - Page 750
    network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. Figure 442 Maintenance > Diagnostics > Packet Capture 750 ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 751
    to enter an IP address. Host Port This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture. File Size Specify a maximum size limit in kilobytes for the total combined size of all the capture files on the ZyWALL, including any existing
  • ZyXEL ZyWALL USG 50 | User Manual - Page 752
    Select files and click Remove to delete them from the ZyWALL. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. 752 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 753
    that the size of frame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes. The ZyWALL truncated the frame because the capture screen's Number Of Bytes To Capture (Per Packet) field was set to 1500 bytes. Figure 444 Packet Capture File Example ZyWALL USG 50 User's Guide 753
  • ZyXEL ZyWALL USG 50 | User Manual - Page 754
  • ZyXEL ZyWALL USG 50 | User Manual - Page 755
    > Reboot Click the Reboot button to restart the ZyWALL. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the ZyWALL. ZyWALL USG 50 User's Guide 755
  • ZyXEL ZyWALL USG 50 | User Manual - Page 756
  • ZyXEL ZyWALL USG 50 | User Manual - Page 757
    Figure 446 Maintenance > Shutdown Click the Shutdown button to shut down the ZyWALL. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the ZyWALL. ZyWALL USG 50 User's Guide 757
  • ZyXEL ZyWALL USG 50 | User Manual - Page 758
  • ZyXEL ZyWALL USG 50 | User Manual - Page 759
    ZyWALL's password, use the RESET button. Press the button in for about 5 seconds (or until the PWR LED starts to blink), then release it. It returns the ZyWALL to the factory defaults (password is 1234, LAN IP address 192.168.1.1 etc.; see your User's Guide for details). ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 760
    ZyWALL is connected to the Internet. I downloaded updated anti-virus or IDP/application patrol signatures. Why has the ZyWALL not re-booted yet? The ZyWALL does not have to reboot when you upload new signatures. The content filter category service is not working. 760 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 761
    created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface. ZyWALL USG 50 User's Guide 761
  • ZyXEL ZyWALL USG 50 | User Manual - Page 762
    have a compatible 3G device installed or connected. See Chapter 52 on page 775 for details. • Make sure you have the cellular interface enabled. • Make sure the cellular interface has the correct user name, password, and PIN code configured with the correct casing. 762 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 763
    Chapter 51 Troubleshooting • If the ZyWALL has multiple WAN interfaces, make sure their IP addresses are on different subnets. I cannot configure a particular VLAN interface on top of an Ethernet interface even though I have configured it on top of another Ethernet interface. Each VLAN interface
  • ZyXEL ZyWALL USG 50 | User Manual - Page 764
    cannot unzip password protected ZIP files or a ZIP file within another ZIP file. There are also limits to the number of ZIP files that the ZyWALL can concurrently unzip. The ZyWALL's performance seems slower after configuring IDP. Depending on your network topology and traffic load, binding every
  • ZyXEL ZyWALL USG 50 | User Manual - Page 765
    , password, and domain name and have entered them properly in the ZyWALL. • You may need to configure the DDNS entry's IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the ZyWALL and the DDNS server. ZyWALL USG 50 User's Guide 765
  • ZyXEL ZyWALL USG 50 | User Manual - Page 766
    Chapter 51 Troubleshooting • The ZyWALL may not determine the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server. I cannot create a second HTTP redirect rule for an incoming interface. You can configure up to one HTTP redirect rule for each (incoming) interface
  • ZyXEL ZyWALL USG 50 | User Manual - Page 767
    ZyWALL and remote IPSec router (for example, by using a packet sniffer). Check the configuration for the following ZyWALL features. • The ZyWALL does not put IPSec SAs in the routing table. You must create a policy route for each VPN tunnel. See Chapter 13 on page 281. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 768
    51 Troubleshooting • Make sure the To-ZyWALL firewall rules allow IPSec VPN traffic to the ZyWALL. IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for NAT traversal. If you enable this, make sure the To-ZyWALL firewall
  • ZyXEL ZyWALL USG 50 | User Manual - Page 769
    IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface. I configured application patrol to allow and manage access to a specific service but access is blocked. • If you want to use a service, make sure both the firewall
  • ZyXEL ZyWALL USG 50 | User Manual - Page 770
    same user group. I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is not being applied at the configured times. 770 Make sure the ZyWALL's current date and time are correct. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 771
    the service control rules and to-ZyWALL firewall rules. I uploaded a logo to display on the upper left corner of the Web Configurator login screen and access page but it does not display properly. Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 772
    737 for more on configuration files and shell scripts. I cannot get the firmware uploaded using the commands. The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 773
    startup-config.conf file with the settings in the system-default.conf file. Note: This procedure removes the current configuration. If you want to reboot the device without changing the current configuration, see Chapter 49 on page 755. 1 Make sure the SYS LED is on and not blinking. ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 774
    the RESET button, and wait for the ZyWALL to restart. You should be able to access the ZyWALL using the default settings. 51.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. 774 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 775
    basic device specifications. Table 240 Default Login Information ATTRIBUTE SPECIFICATION Default IP Address (P3, P4) 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) (P3, P4) Default Password 1234 This table provides hardware specifications. Table 241 Hardware Specifications
  • ZyXEL ZyWALL USG 50 | User Manual - Page 776
    Default Ports USER PROFILES Maximum Local Users Maximum Admin Users Maximum User Groups Maximum Users in One User Group OBJECTS Address Objects 16 4 per interface 2 4 4 128 200 10,000 1024 8K 256 up to 8 per PR rule up to interface limit 1000 500 1000 16 16 8 128 5 32 128 200 776 ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 777
    Entries Maximum DHCP Host Pool 48 6 6 8 per service 96 Maximum Number of DDNS Profiles DHCP Relay 5 2 per interface CENTRALIZED LOG Log Entries Debug Log Entries Admin E-mail Addresses 512 1024 2 Syslog Servers 4 IDP Maximum Number of IDP Profiles 8 ZyWALL USG 50 User's Guide 777
  • ZyXEL ZyWALL USG 50 | User Manual - Page 778
    Black List Entries Maximum Number of Anti-Virus Statistics Maximum Anti-Virus Statistics Ranking SSL VPN Maximum SSL VPN Connections OTHERS Maximum Number of OSPF Areas 64 5 500 10 30 ZIP files 4 RAR-LZSS or 1 RAR-PPM 16 128 128 500 10 2 (license upgradable to 5) 16 778 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 779
    , 1305 Used by SSH service RFCs 4250, 4251, 4252, 4253, 4254 Used by Time service RFCs 3339 Used by Telnet service RFCs 318, 854, 1413 Used by SIP ALG RFCs 3261, 3264 DHCP relay RFC 1541 ZySH W3C XML standard ARP RFC 826 IP/IPv4 RFC 791 TCP RFC 793 ZyWALL USG 50 User's Guide 779
  • ZyXEL ZyWALL USG 50 | User Manual - Page 780
    POWER OUTPUT POWER POWER CONSUMPTION SAFETY STANDARDS PSA18R-120P (ZA)-R 100-240VAC, 50/60HZ, 0.5A 12VDC, 3.5A 20 W MAX. JET Table 249 China Plug Standards AC POWER ADAPTOR MODEL INPUT POWER OUTPUT POWER PSA18R-120P (ZA)-R 100-240VAC, 50/60HZ, 0.5A 12VDC, 3.5A 780 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 781
    Table 249 China Plug Standards POWER CONSUMPTION SAFETY STANDARDS 20 W MAX. CCC Chapter 52 Product Specifications ZyWALL USG 50 User's Guide 781
  • ZyXEL ZyWALL USG 50 | User Manual - Page 782
    Chapter 52 Product Specifications 782 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 783
    according to a profile and the default policy is not set to block. %s: Service is not registered %s: website host The device allowed access to a web site. The content filtering service is unregistered and the default policy is not set to block. %s: website host ZyWALL USG 50 User's Guide 783
  • ZyXEL ZyWALL USG 50 | User Manual - Page 784
    . %s: Contains Java applet %s: website host The web site contains Java applet and access was blocked according to a profile. %s: Contains cookie %s: website host The web site contains a cookie and access was blocked according to a profile. %s: website host 784 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 785
    default policy %s: website host No content filter policy is applied and access was blocked since the default action is block. %s: website host Table been modified. has been changed. Anti-Spam policy %d . has been added to the end of the list. Anti-Spam policy ZyWALL USG 50 User's Guide 785
  • ZyXEL ZyWALL USG 50 | User Manual - Page 786
    Table specified index number been modified. (%d) has been changed. Black List rule %d has The anti-spam DNSBL (DNS Black List) server checking has been activated. turned on values are listed. IP %s in DNSBL %s. From:%s Subject:%s The listed IP address (the first %s)
  • ZyXEL ZyWALL USG 50 | User Manual - Page 787
    listed address object (first %s) is not the right kind for the first WINS server specified in the listed SSL VPN policy (second %s). The listed address object (first %s) is not the right kind for the second WINS server specified in the listed SSL VPN policy (second %s). ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 788
    has been modified. changed. SSL VPN policy rule %s has been moved to %d. The listed SSL VPN policy (%s) has been moved to the listed position (%d) in the list of SSL VPN policies. SSL VPN policy rule %s has been deleted. The listed SSL VPN policy has been removed.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 789
    incorrect password or inexistent username) The listed user (%s) failed to log into SSL VPN because of entering an incorrect password or a user name that does not exist. %s: Failed to receive messages from uam daemon. Messages were not received from the UAM daemon. ZyWALL USG 50 User's Guide 789
  • ZyXEL ZyWALL USG 50 | User Manual - Page 790
    with internal system errors. Table 255 ZySH Logs LOG MESSAGE DESCRIPTION Invalid message queue. Maybe someone starts another zysh daemon. ZySH daemon is instructed to reset by %d 1st:pid list is full! 1st:zysh list name Can't undefine %s 1st:zysh list name 790 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 791
    %s: invalid old/new index! 1st:zysh table name Unable to move entry #%d! 1st:zysh entry num %s: apply failed at initial stage! 1st:zysh table name %s: apply failed at main stage! 1st:zysh table name %s: apply failed at closing stage! 1st:zysh table name ZyWALL USG 50 User's Guide 791
  • ZyXEL ZyWALL USG 50 | User Manual - Page 792
    handle length The ZyWALL's ADP feature detected a packet with a length over 16000 bytes. LAND attack packet. Source IP is the same as Destination IP. The ZyWALL's ADP feature detected traffic with the same IP address set as both the source and the destination. 792 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 793
    %s matched the Black-List %s 3rd %s: The file pattern that the file matched. A file matched a file pattern in the anti-virus black list. 1st %s: The protocol of the packet. 2nd %s: The filename of the related file. 3rd %s: The file pattern that the file matched. ZyWALL USG 50 User's Guide 793
  • ZyXEL ZyWALL USG 50 | User Manual - Page 794
    user documentation to recover the default database file. When the ZyWALL started it could not find the anti-virus signature file. See the CLI reference guide for how to restore the default system database. Update signature version has failed. An attempt to update the anti-virus signature version
  • ZyXEL ZyWALL USG 50 | User Manual - Page 795
    error. 1st %s: The protocol of the packet. 2nd %s: The filename of the related file. Update signature info has failed. 3rd %s: Whether the file was deleted (DESTROY) or forwarded (PASS). Updating of the signature file information failed due to an internal error. ZyWALL USG 50 User's Guide 795
  • ZyXEL ZyWALL USG 50 | User Manual - Page 796
    on the console port so the ZyWALL is blocking login attempts on the console port. Too many failed login attempts were made from an IP address so the ZyWALL is blocking login attempts from that IP address. %u.%u.%u.%u: the source address of the user's login attempt 796 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 797
    been denied The ZyWALL blocked a login according to the access control access from %s configuration. User %s has been denied access from %s %s: service name The ZyWALL blocked a login attempt by the specified user name because of an invalid user name or password. 2nd %s: service name Table 259
  • ZyXEL ZyWALL USG 50 | User Manual - Page 798
    (). The device could not process an HTTPS connection because it could not verify the myZyXEL.com server's certificate. The device could not connect to the MyZyXEL.com server. The device started to check whether or not the user name in MyZyXEL.com's database. 798 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 799
    The update server was busy so the device will wait for the specified number of seconds and send the download request to the update server again. Device has latest file. No need to update. The device already has the latest version of the file so no update is needed. ZyWALL USG 50 User's Guide 799
  • ZyXEL ZyWALL USG 50 | User Manual - Page 800
    update server's FQDN to an IP address through gethostbyname(). The update process stopped. Build query message failed. Some information was missing in the packets that the device sent to the server. Starting signature update. The device started an IDP signature update. IDP signature download
  • ZyXEL ZyWALL USG 50 | User Manual - Page 801
    . %d: SSL version assigned by client. The device needs to load the trusted root certificate before the device can verify a server's certificate. This log displays if the device failed to load it. Verification of a server's certificate failed because it has expired. ZyWALL USG 50 User's Guide 801
  • ZyXEL ZyWALL USG 50 | User Manual - Page 802
    an internal system error. The device failed in turning off IDP. The device turned on the use of the IDP signature file. The device turned off the use of the IDP signature file. The device failed to turn on the IDP engine. The device failed to turn off the IDP engine. 802 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 803
    the number of the custom signature (third num) that was not added display. Get custom signature number error. The device failed to get the custom IDP signature number. ZyWALL USG 50 User's Guide 803
  • ZyXEL ZyWALL USG 50 | User Manual - Page 804
    had an error. The device did not have enough available memory. The setting for IDP activation has not changed. System-protect error. Create IDP proc failed. IDP activation failed. Activation of the IDP system-protect function failed due to an internal system error. 804 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 805
    feature was successfully turned on. The IDP system-protect feature was successfully turned off. Checking for duplicated signature IDs failed. There was an error while allocating memory. Checking for duplicated signature IDs failed. Opening a temporary file failed. ZyWALL USG 50 User's Guide 805
  • ZyXEL ZyWALL USG 50 | User Manual - Page 806
    file. See the CLI reference guide for how to restore the default system database. IDP signature size is over system limitation. The IDP signature set is too large (exceeds the ZyWALL's system limitation). Table 261 Application Patrol MESSAGE EXPLANATION Service=%s Mode=%s Rule=%s Access
  • ZyXEL ZyWALL USG 50 | User Manual - Page 807
    enabled. The bandwidth graph has been turned on for the listed protocol's traffic. Bandwidth graph of protocol %s has been disabled. The bandwidth graph has been turned off for the listed protocol's traffic. Default port MSN user has logged in or logged out. ZyWALL USG 50 User's Guide 807
  • ZyXEL ZyWALL USG 50 | User Manual - Page 808
    Table 262 IKE Logs LOG MESSAGE DESCRIPTION Peer has not announced The remote IPSec router Remote IP mismatch %s is the tunnel name. When negotiating Phase-1, the peer tunnel IP did not match the secure gateway address in VPN gateway. [SA] : Malformed IPSec 808 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 809
    device does not support the PFS specified address. Could not dial dynamic tunnel "%s" %s is the tunnel name. The tunnel is a dynamic tunnel and the device cannot dial it. Could not dial incomplete tunnel "%s" %s is the tunnel name. The tunnel setting is not complete.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 810
    Table 262 IKE Logs (continued) LOG MESSAGE DESCRIPTION Could not dial manual %s is the tunnel name. The manual /responder cookie pair. The IPSec tunnel "%s" %s is the VPN gateway %s was disabled %s is the gateway name. An administrator disabled the VPN gateway. 810 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 811
    received corrupt IPsec packets and could not process them. An outgoing packet needed to be transformed but was longer than 65535. When performing inbound processing for incoming IPSEC packets and ICMPs related to them, the engine cannot obtain the transform context. ZyWALL USG 50 User's Guide 811
  • ZyXEL ZyWALL USG 50 | User Manual - Page 812
    , 2nd %d is the new global index of rule Firewall rule %d has been deleted. %d is the global index of rule Firewall rules have been flushed. Firewall rules were flushed Firewall rule %d was %s. %d is the global index of rule, %s is appended/inserted/ modified 812 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 813
    has been enabled. The Asymmetrical Route has been disabled. Asymmetrical Route has been turned off. Table 265 Sessions manager. The policy route %d allocates memory fail! Allocating policy routing rule fails: insufficient memory. %d: the policy route rule number
  • ZyXEL ZyWALL USG 50 | User Manual - Page 814
    policy route rules will be reenabled A trunk came back up so the ZyWALL will use the related policy route rules again. Trunk %s dead, related policy route rules will be disabled A trunk went down so the ZyWALL will stop using the related policy route rules.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 815
    name assigned by user FTP port has been changed to port %s. An administrator changed the port number for FTP. %s is port number assigned by user FTP port has been changed to default port. An administrator changed the port number for FTP back to the default (21). ZyWALL USG 50 User's Guide 815
  • ZyXEL ZyWALL USG 50 | User Manual - Page 816
    An administrator changed the console port baud rate back to reset to %d. the default (115200). DHCP's DNS option:%s has changed. %d is default baud rate DHCP pool's DNS option support from WAN is rule number An administrator removed the rule %u. %u is rule number 816 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 817
    is the IP address of the DNS server Wizard adds DNS server %s failed because Zone Forwarder numbers have reached the maximum number of 32. Wizard apply DNS server fail because the device already has the maximum number of DNS records configured. %s is IP address of the DNS server. Access control
  • ZyXEL ZyWALL USG 50 | User Manual - Page 818
    of %d%%: memthreshold-min. DHCP Server executed with cautious mode enabled When local storage usage drops below threshold-min, %s: partition_name file system drops below the threshold of %d%%: disk-threshold-min. DHCP Server executed with cautious mode enabled. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 819
    changed manually. %s is the date and time. NTP update successful, current time is %s The device successfully synchronized with an NTP time server. %s is the date and time. NTP update failed The device was not able to synchronize with the NTP time server successfully.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 820
    %s has failed because of strange server response. Update profile failed because the response was strange, %s is the profile name. Update the profile %s has succeeded because the IP address of FQDN %s was not changed. Update profile succeeded, because the IP address of profile is unchanged, %s is
  • ZyXEL ZyWALL USG 50 | User Manual - Page 821
    . Update the profile %s has failed because ping-check of WAN interface has failed. DDNS profile cannot be updated because the ping-check for WAN iface failed, %s is the profile name. Disable DDNS has succeeded. Disable DDNS. Enable DDNS has succeeded. Enable DDNS.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 822
    Can't open link_up2 Cannot recover routing status which is link-down. Can not open %s.pid Cannot open connectivity check process ID file. Can not open %s.arg %s: interface name Cannot open configuration file for connectivity check process. %s: interface name 822 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 823
    interface name The connectivity check process can't get broadcast address of interface %s: interface name The connectivity check process can't use multicast address to check link-status. The connectivity check process can't use broadcast address to check link-status. ZyWALL USG 50 User's Guide 823
  • ZyXEL ZyWALL USG 50 | User Manual - Page 824
    id and key have been changed. id and key have been changed. RIP global version has been changed to %s. RIP global version has been changed to version 1 or 2. RIP redistribute OSPF routes has been enabled. RIP redistribute OSPF routes has been enabled.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 825
    RIP v2-broadcast on interface %s has been disabled. RIP v2-broadcast on interface %s has been disabled. %s: Interface Name Area %s cannot be removed. This area is in use. One or more interfaces are still using this area, so area %s cannot be removed. %s: OSPF Area ZyWALL USG 50 User's Guide 825
  • ZyXEL ZyWALL USG 50 | User Manual - Page 826
    H.323 ALG has succeeded. The H.323 ALG has been turned on or off. %s: Enable or Disable Extra signal port of H.323 ALG has been modified. Extra H.323 ALG port has been changed. Signal port of H.323 ALG has been modified. Default H.323 ALG port has been changed.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 827
    Table 271 NAT Logs (continued) LOG MESSAGE DESCRIPTION %s SIP ALG has succeeded. The SIP ALG has been turned on or off. %s: Enable or Disable Extra signal port of SIP ALG has been modified. Extra SIP ALG port has been changed. Signal port of SIP ALG Default SIP ALG port has been changed
  • ZyXEL ZyWALL USG 50 | User Manual - Page 828
    Appendix A Log Descriptions Table 272 PKI Logs (continued) LOG MESSAGE DESCRIPTION Prepare to import "%s" %s is the name of a certificate request. into "My not able to export a PKCS#12 format certificate from My Certificates. %s is the certificate request name. 828 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 829
    failed. 10 Certificate was not found (anywhere). 11 Certificate chain looped (did not find trusted root). 12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA specific information missing). 14 (Not used) ZyWALL USG 50 User's Guide 829
  • ZyXEL ZyWALL USG 50 | User Manual - Page 830
    configured a PPP interface, PPP interface MTU > (base interface MTU - 8), PPP interface may not run correctly because PPP packets will be fragmented by base interface and the peer will not receive correct PPP packets. 1st %s: PPP interface name, 2nd %s: ethernet interface name. 830 ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 831
    failed (the server must support CHAP and verify that the authentication failed, this does not include cases where the server does not support CHAP). CHAP: interface name. Interface %s is connected. A PPP interface connected successfully. %s: interface name. ZyWALL USG 50 User's Guide 831
  • ZyXEL ZyWALL USG 50 | User Manual - Page 832
    the device. The ZyWALL failed to set the cellular device installed in (or connected to) the listed slot (%s) to use the frequency band you configured. The cellular device may not support the band or you device associated with the listed cellular interface (%d). 832 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 833
    Access Point Name) configured. "Interface cellular%d is configured with incorrect phone number. The listed cellular interface (%d) does not have the correct phone number configured. "Interface cellular%d is configured with incorrect username or password slot. ZyWALL USG 50 User's Guide 833
  • ZyXEL ZyWALL USG 50 | User Manual - Page 834
    for an interface. not accepted. Configured interface name is reserved word. A reserved word was not permitted to be used in an interface name. Configured interface name match reserved prefix. A reserved prefix was not permitted to be used in an interface name.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 835
    is a member of a trunk. since interface is the member of other trunk. Port-grouping is not support The interface does not support port grouping. This interface type can not set 3rd-dns. This type of interface does not support setting a third DNS server setting. ZyWALL USG 50 User's Guide 835
  • ZyXEL ZyWALL USG 50 | User Manual - Page 836
    and this representative interface is set to DHCP client and has more than one member in its group. In this case the DHCP client will renew. %s: interface name. Port Grouping %s has been changed. An administrator configured port-grouping, %s: interface name. 836 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 837
    is. 1st %s is CLI command. Resetting system... System resetted. Now apply %s.. 2nd %s is warning message when apply CLI command. Before apply configuration file. After the system reset, it started to apply the configuration file. %s is configuration file name. ZyWALL USG 50 User's Guide 837
  • ZyXEL ZyWALL USG 50 | User Manual - Page 838
    . Cannot resolve mail server address %s. The (listed) SMTP address configured for the daily e-mail report function is incorrect. Mail server authentication failed. The user name or password configured for authenticating with the e-mail server is incorrect.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 839
    account. Failed to connect to mail server %s. The ZyWALL could not connect to the SMTP e-mail server (%s). The address configured for the server may be incorrect or there may be a problem with the ZyWALL's or the server's network connection. Table 281 IP-MAC Binding Logs LOG MESSAGE DESCRIPTION
  • ZyXEL ZyWALL USG 50 | User Manual - Page 840
    Table 283 EPS Logs LOG MESSAGE DESCRIPTION Windows service pack check fail in %s The Windows service pack on a user's computer did not match the specified EPS object. Windows auto update check fail in %s The Windows automatic update passed the EPS check. 840 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 841
    68 DHCP Client. BOOTP_SERVER UDP 67 DHCP Server. CU-SEEME TCP UDP 7648 24032 A popular videoconferencing solution from White Pines Software. DNS TCP/UDP 53 Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. ZyWALL USG 50 User's Guide 841
  • ZyXEL ZyWALL USG 50 | User Manual - Page 842
    Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). 842 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 843
    Access Controller Access Control System). TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 844
    PORT(S) DESCRIPTION TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE TCP 7000 Another videoconferencing solution. 844 ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 845
    . Many ZyXEL products, such as the ZyWALL, issue their the URL in your web browser's address bar begins with https:// or there example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, they can also apply to Internet Explorer on Windows Vista. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 846
    Appendix C Importing Certificates 1 If your device's Web Configurator is set to use SSL certification, then the first Explorer 7: Certification Error 3 In the Address Bar, click Certificate Error > View certificates. Figure 449 Internet Explorer 7: Certificate Error 846 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 847
    Appendix C Importing Certificates 4 In the Certificate dialog box, click Install Certificate. Figure 450 Internet Explorer 7: Certificate 5 In the Certificate Import Wizard, click Next. Figure 451 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 50 User's Guide 847
  • ZyXEL ZyWALL USG 50 | User Manual - Page 848
    Explorer 7: Certificate Import Wizard 7 Otherwise, select Place all certificates in the following store and then click Browse. Figure 453 Internet Explorer 7: Certificate Import Wizard 848 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 849
    OK. Figure 454 Internet Explorer 7: Select Certificate Store 9 In the Completing the Certificate Import Wizard screen, click Finish. Figure 455 Internet Explorer 7: Certificate Import Wizard ZyWALL USG 50 User's Guide 849
  • ZyXEL ZyWALL USG 50 | User Manual - Page 850
    Wizard 12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information. Figure 458 Internet Explorer 7: Website Identification 850 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 851
    7: Open File - Security Warning 3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 845 to complete the installation process. Removing a Certificate in Internet Explorer This section shows you how to remove a public key certificate in Internet Explorer 7. ZyWALL USG 50 User
  • ZyXEL ZyWALL USG 50 | User Manual - Page 852
    Appendix C Importing Certificates 1 Open Internet Explorer and click Tools > Internet Options. Figure 461 Internet Explorer 7: Tools Menu 2 In the Internet Options dialog box, click Content > Certificates. Figure 462 Internet Explorer 7: Internet Options 852 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 853
    Certificates confirmation, click Yes. Figure 464 Internet Explorer 7: Certificates 5 In the Root Certificate Store dialog box, click Yes. Figure 465 Internet Explorer 7: Root Certificate Store ZyWALL USG 50 User's Guide 853
  • ZyXEL ZyWALL USG 50 | User Manual - Page 854
    device's Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. 2 Select Accept this certificate permanently and click OK. Figure 466 Firefox 2: Website Certified by an Unknown Authority 854 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 855
    Figure 467 Firefox 2: Page Info Installing a Stand-Alone Certificate File in Firefox Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. ZyWALL USG 50 User's Guide 855
  • ZyXEL ZyWALL USG 50 | User Manual - Page 856
    Appendix C Importing Certificates 1 Open Firefox and click Tools > Options. Figure 468 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 469 Firefox 2: Options 856 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 857
    Manager 4 Use the Select File dialog box to locate the certificate and then click Open. Figure 471 Firefox 2: Select File 5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information. ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 858
    Firefox This section shows you how to remove a public key certificate in Firefox 2. 1 Open Firefox and click Tools > Options. Figure 472 Firefox 2: Tools Menu 2 In the Options dialog box, click Advanced > Encryption > View Certificates. Figure 473 Firefox 2: Options 858 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 859
    want to remove, and then click Delete. Figure 474 Firefox 2: Certificate Manager 4 In the Delete Web Site Certificates dialog box, click OK. Figure following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 860
    the certificate. Figure 476 Opera 9: Certificate signer not found 3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details. Figure 477 Opera 9: Security information 860 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 861
    File in Opera Rather than browsing to a ZyXEL Web Configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you. 1 Open Opera and click Tools > Preferences. Figure 478 Opera 9: Tools Menu ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 862
    Appendix C Importing Certificates 2 In Preferences, click Advanced > Security > Manage certificates. Figure 479 Opera 9: Preferences 862 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 863
    Appendix C Importing Certificates 3 In the Certificates Manager, click Authorities > Import. Figure 480 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open. Figure 481 Opera 9: Import certificate ZyWALL USG 50 User's Guide 863
  • ZyXEL ZyWALL USG 50 | User Manual - Page 864
    7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details. Removing a Certificate in Opera This section shows you how to remove a public key certificate in Opera 9. 864 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 865
    1 Open Opera and click Tools > Preferences. Figure 484 Opera 9: Tools Menu 2 In Preferences, click Advanced > Security > Manage certificates. Figure 485 Opera 9: Preferences
  • ZyXEL ZyWALL USG 50 | User Manual - Page 866
    you want to remove, and then click Delete. Figure 486 Opera 9: Certificate manager 4 The next time you go to the web site that issued the Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error. 866 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 867
    Forever when prompted to accept the certificate. Figure 488 Konqueror 3.5: Server Authentication 4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page's security details. Figure 489 Konqueror 3.5: KDE SSL Information
  • ZyXEL ZyWALL USG 50 | User Manual - Page 868
    3.5: Public Key Certificate File 2 In the Certificate Import Result - Kleopatra dialog box, click OK. Figure 491 Konqueror 3.5: Certificate Import Result The public key certificate appears in the KDE certificate manager, Kleopatra. Figure 492 Konqueror 3.5: Kleopatra
  • ZyXEL ZyWALL USG 50 | User Manual - Page 869
    and click Settings > Configure Konqueror. Figure 493 Konqueror 3.5: Settings Menu 2 In the Configure dialog box, select Crypto. 3 On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove. Figure 494 Konqueror 3.5: Configure
  • ZyXEL ZyWALL USG 50 | User Manual - Page 870
    : There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.
  • ZyXEL ZyWALL USG 50 | User Manual - Page 871
    Announcements End-User License Agreement for "ZyWALL USG 50" WARNING: ZyXEL Communications Corp. IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. PLEASE READ THE TERMS CAREFULLY BEFORE COMPLETING THE INSTALLATION
  • ZyXEL ZyWALL USG 50 | User Manual - Page 872
    no express or implied obligation to provide any technical or other support for such software. Please contact the appropriate software vendor or manufacturer directly for technical support and customer service related to its software and products. 5. Confidentiality 872 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 873
    TO THE PURCHASE PRICE, BUT SHALL IN NO EVENT EXCEED THE PRODUCT'S PRICE. BECAUSE SOME STATES/COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. 8. Export Restrictions ZyWALL USG 50 User's Guide 873
  • ZyXEL ZyWALL USG 50 | User Manual - Page 874
    Open Software Announcements THIS LICENSE Rights ZyXEL SHALL License Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this License Agreement shall be interpreted so as to reasonably effect the intention of the parties. 874 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 875
    open source code licenses. Further, for at least three (3) years from the date of distribution of the applicable product or software, we will give to anyone who contacts us at the ZyXEL Technical Support (support@zyxel to do so, subject to the following conditions: ZyWALL USG 50 User's Guide 875
  • ZyXEL ZyWALL USG 50 | User Manual - Page 876
    License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected]. OpenSSL License 876 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 877
    Appendix D Open Software Announcements Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. * * Redistribution and use in source from this software without * prior written permission. For written permission, please contact * [email protected]. ZyWALL USG 50 User's Guide 877
  • ZyXEL ZyWALL USG 50 | User Manual - Page 878
    Appendix D Open Software Announcements * * 5. Products derived from CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER POSSIBILITY OF SUCH DAMAGE 878 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 879
    Open Software Announcements * * This product includes cryptographic software written by Eric Young * ([email protected]). This product includes software written by Tim * Hudson ([email protected]). * */ Original SSLeay License , Eric Young should be given attribution ZyWALL USG 50 User's Guide 879
  • ZyXEL ZyWALL USG 50 | User Manual - Page 880
    Appendix D Open Software Announcements * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 880 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 881
    Open GOODS * OR SERVICES; LOSS OF USE be changed. i.e. License a 3-clause BSD-style license This is a Free Software License This license is compatible with The GNU General Public License, Version 1 This license is compatible with The GNU General Public License, Version 2 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 882
    , BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION OF SUCH DAMAGE. This Product includes bind and dhcp software under the ISC License ISC license Copyright (c) 4-digit year, Company or Person's ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 883
    in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original ZyWALL USG 50 User's Guide 883
  • ZyXEL ZyWALL USG 50 | User Manual - Page 884
    of the Work or Derivative Works hereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and 884 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 885
    of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. ZyWALL USG 50 User's Guide 885
  • ZyXEL ZyWALL USG 50 | User Manual - Page 886
    Open Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License any such warranty or additional liability. END OF TERMS AND CONDITIONS Version 1.1 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 887
    License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 888
    . We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a 888 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 889
    is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such ZyWALL USG 50 User's Guide 889
  • ZyXEL ZyWALL USG 50 | User Manual - Page 890
    are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as 890 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 891
    of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially ZyWALL USG 50 User's Guide 891
  • ZyXEL ZyWALL USG 50 | User Manual - Page 892
    already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not 892 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 893
    Appendix D Open Software Announcements include things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must of this License, they do not excuse you from the conditions of this ZyWALL USG 50 User's Guide 893
  • ZyXEL ZyWALL USG 50 | User Manual - Page 894
    Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. 894 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 895
    Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors ZyWALL USG 50 User's Guide 895
  • ZyXEL ZyWALL USG 50 | User Manual - Page 896
    a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 897
    entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the ZyWALL USG 50 User's Guide 897
  • ZyXEL ZyWALL USG 50 | User Manual - Page 898
    distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and 898 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 899
    number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the ZyWALL USG 50 User's Guide 899
  • ZyXEL ZyWALL USG 50 | User Manual - Page 900
    Open Software Announcements Program does not specify a version number of this License THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12 POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS All license BSD Copyright (c) [dates as appropriate to package] 900 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 901
    Open LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; License Copyright (c) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files ZyWALL USG 50 User's Guide 901
  • ZyXEL ZyWALL USG 50 | User Manual - Page 902
    Open Software Product includes openldap software under the OpenLdap License The Public License Version 2.8, 17 August 2003 Redistribution and INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 903
    copy and the notices in the file png.h that is included in the libpng distribution, the latter shall prevail. COPYRIGHT NOTICE, DISCLAIMER, and LICENSE: If you modify libpng you Copyright (c) 1998, 1999 Glenn Randers-Pehrson, and are distributed according to the same ZyWALL USG 50 User's Guide 903
  • ZyXEL ZyWALL USG 50 | User Manual - Page 904
    Appendix D Open Software Announcements disclaimer and license as libpng-0.96, with the following individuals added to the list of Contributing Authors: Tom Lane fee, subject to the following restrictions: 1. The origin of this source code must not be misrepresented. 904 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 905
    permit, without fee, and encourage the use of this source code as a component to supporting the PNG file format in commercial products. If you use this source code in a product, acknowledgment is This notice may not be removed or altered from any source distribution. ZyWALL USG 50 User's Guide 905
  • ZyXEL ZyWALL USG 50 | User Manual - Page 906
    or entity identified as the Initial Developer in the Source Code notice required by Exhibit A. 1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. 1.8. "License" means this document. 906 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 907
    definition files, scripts used to control compilation and installation management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. Source Code License. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 908
    Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work . 3. Distribution Obligations. 3.1. Application of License. 908 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 909
    modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained. ZyWALL USG 50 User's Guide 909
  • ZyXEL ZyWALL USG 50 | User Manual - Page 910
    or alter the recipient's rights in the Source Code version from the rights set forth in this License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are offered by You 910 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 911
    this License. 6.3. Derivative Works If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "Mozilla", ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 912
    other contributor) assume the cost of any necessary servicing, repair or correction. This disclaimer of warranty constitutes an essential part of this license. No use of any covered code is authorized Participant. If within 60 days of notice, a reasonable royalty and 912 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 913
    Open license. 8.4. In the event of termination under Sections 8.1 or 8.2 above, all end user license limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, or any End Users acquire Covered Code with only those rights set forth herein. ZyWALL USG 50 User's Guide 913
  • ZyXEL ZyWALL USG 50 | User Manual - Page 914
    License at http://www.mozilla.org/MPL/ Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. 914 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 915
    ] License." NOTE: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications. ZyWALL USG 50 User's Guide 915
  • ZyXEL ZyWALL USG 50 | User Manual - Page 916
    Appendix D Open Software Announcements 916 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 917
    change without notice. Your use of the ZyWALL is subject to the terms and conditions of any related service providers. Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL FCC rules. Operation is subject to the following two conditions: ZyWALL USG 50 User's Guide 917
  • ZyXEL ZyWALL USG 50 | User Manual - Page 918
    from that to which the receiver is connected. 4 Consult the dealer or an experienced radio/TV technician for help. FCC Radiation Exposure Statement • This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. 注意 ! 918 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 919
    Notices Changes or certification you wish to view from this page. ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 920
    You may also refer to the warranty policy for the region in which you bought the device at http:// www.zyxel.com/web/support_warranty_info.php. Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. 920 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 921
    350 idle timeout 593 logging in 350 multiple logins 594 see also users 584 Web Configurator 596 ZyWALL USG 50 User's Guide Index Index access users, see also force user authentication policies account myZyXEL.com 211, 212 user 583 accounting server 617 Active Directory, see AD active protocol 405
  • ZyXEL ZyWALL USG 50 | User Manual - Page 922
    registration status 467 scanner types 477 signatures 474 statistics 194 trial service activation 212 troubleshooting 760, 763 troubleshooting signatures update 760 virus 464 virus types 477 white list 470, 474 worm 464 Apache server 529, 530 Apache-whitespace attack 529 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 923
    service ports 438 statistics 187 trial service activation 212 troubleshooting 760, 766, 769 troubleshooting signatures update 760 unidentified applications 456 vs firewall IPSec 384 LDAP/AD 619 server 617 authentication algorithms 309, 399, 400 and active protocol 400 ZyWALL USG 50 User's Guide 923
  • ZyXEL ZyWALL USG 50 | User Manual - Page 924
    services 352 authentication type 73, 657 Authentication, Authorization, Accounting servers, see AAA server authorization server 617 B backdoor attacks 491 backing up configuration files table troubleshooting 762 Centralized Network Management see Vantage CNM 676, 719 924 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 925
    file troubleshooting 772 configuration files 737 at restart 740 backing up 740 downloading 741 downloading with FTP 713 editing 737 how applied 738 lastgood.conf 740, 744 managing 740 not stopping or starting the ZyWALL 36 startup-config-bad.conf 740 startup-config.conf 744 syntax 738 system-default
  • ZyXEL ZyWALL USG 50 | User Manual - Page 926
    of files (in anti-virus) 470 default firewall behavior 358 interfaces and zones 89 LAN IP address 32 login settings 775 Denial of Service (DoS) attacks 490 Denial of Service (Dos) attacks 382 DES 400 device access troubleshooting 759 device introduction 31 DHCP 268, 676 and DNS servers 269
  • ZyXEL ZyWALL USG 50 | User Manual - Page 927
    end-point security 671 ESP 383, 405 and transport mode 406 Ethernet interfaces 109, 216 and OSPF 222 and RIP 221 and routing protocols 220 basic characteristics 217 examples (tutorials) 109 exceptional services 352 experimental-options attack 531 extended authentication ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 928
    file infector 477 file manager 737 configuration overview 107 filtered port scan 526 Firefox 43 firewall 357, 358 actions 370 and address groups 354, 370 and address objects 354, 370 and ALG 335, 338 and application patrol 438 and HTTP redirect 332 and H.323 (ALG) 336 and IPSec SA 360 and IPSec VPN
  • ZyXEL ZyWALL USG 50 | User Manual - Page 929
    HTTPS 691 HTTP redirect 331 and application patrol 332 and firewall 332 and interfaces 334 and policy routes 332 configuration overview 99 packet flow 332 prerequisites 100 troubleshooting 766 HTTPS 137, 690 and certificates 690 authenticating clients 690 avoiding warning messages 700 example 699 vs
  • ZyXEL ZyWALL USG 50 | User Manual - Page 930
    -ZyWALL firewall 768 authentication algorithms 399, 400 content 402 Dead Peer Detection (DPD) 398 Diffie-Hellman key group 401 encryption algorithms 400 extended authentication 404 ID type 402 IP address, remote IPSec router 399 IP address, ZyXEL device 399 local identity 402 main mode 399, 403 NAT
  • ZyXEL ZyWALL USG 50 | User Manual - Page 931
    source NAT for inbound traffic 409 source NAT for outbound traffic 408 status 191 transport mode 406 tunnel mode 406 when IKE SA is disconnected 405 IPSec VPN configuration overview 102 prerequisites 100, 102 see also IPSec troubleshooting 767 tutorial 118 where used 102 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 932
    735 debugging 206 regular 206 types of 206 log options 470, 570 (IDP) 488, 490, 521, 524 logged in users 166 login custom page 695 default settings 775 SSL user 422 logo troubleshooting 771 logo in SSL 418 logout SSL user 428 Web Configurator 46 logs and firewall 355, 370 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 933
    327 port forwarding, see NAT port translation, see NAT port triggering 294 port triggering, see also policy routes prerequisites 99 traversal 404 trigger port, see also policy routes tutorial 143, 146 NBNS 228, 253, 263, 269, 416 NetBIOS Broadcast over IPSec 382 ZyWALL USG 50 User's Guide 933
  • ZyXEL ZyWALL USG 50 | User Manual - Page 934
    Server, see NBNS NetMeeting 342 see also H.323 Netscape Navigator 43 network access mode 40 full tunnel 41, 411 Network Address Translation, see NAT network list, see SSL 416 network policy, see VPN connections Network Time Protocol (NTP) 679 network-based intrusions 511 Nimda 511 Nmap 525 no IP
  • ZyXEL ZyWALL USG 50 | User Manual - Page 935
    526 port sweep 526 port translation, see NAT port triggering 294 and firewall 290, 765 and policy routes 290 and service groups 290 and services 290 troubleshooting 765 Post Office Protocol, see POP 566 power off 35, 757 power on 35 PPP 270 troubleshooting 762 ZyWALL USG 50 User's Guide 935
  • ZyXEL ZyWALL USG 50 | User Manual - Page 936
    660 Remote Desktop Protocol see RDP remote management CNM 720 configuration overview 106 FTP, see FTP prerequisites 106 see also service control 689 Telnet 711 to-ZyWALL firewall 359 WWW, see WWW remote network 375 remote user screen links 659 replay detection 382 reports anti-spam 203 ZyWALL USG 50
  • ZyXEL ZyWALL USG 50 | User Manual - Page 937
    algorithms 309 and Ethernet interfaces 220 ZyWALL USG 50 User's Guide RSA 640, 644, 651 RTP 342 see also ALG 342 Index S safety warnings 8 same IP 503 scan attacks 491 scanner types 477 SCEP (Simple Certificate Enrollment Protocol) 641 schedule troubleshooting 770 schedules 611 and content
  • ZyXEL ZyWALL USG 50 | User Manual - Page 938
    511 rule options 511 signatures 511 Source Network Address Translation, see SNAT spam 490, 565 specifications 775 device 775 feature 776 hardware 775 spillover (for load balancing) 274 spyware 545 SQL slammer 511 SSH 706 and address groups 710 and address objects 710 938 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 939
    -based example 660 where used 105 SSL policy add 414 edit 414 objects used 412 ZyWALL USG 50 User's Guide Index SSL VPN 411 access policy 411 configuration overview 102 full tunnel mode 41, 411 network access mode 40 prerequisites 102 remote desktop connections 660 see also SSL 411 troubleshooting
  • ZyXEL ZyWALL USG 50 | User Manual - Page 940
    528 throughput rate troubleshooting 772 TightVNC 660 time 676 time servers (default) 679 time to live 498 timestamp 498 token 618 to-ZyWALL firewall 358 and NAT 327 and NAT traversal (VPN) 768 and OSPF 300 and remote management 359 and RIP 298 and service control 689 and VPN 768 global rules
  • ZyXEL ZyWALL USG 50 | User Manual - Page 941
    ext-user 770 firewall 761 firmware package 769 firmware upload 772 FTP 766 HTTP redirect 766 H.323 766 IDP 760, 764 IDP signatures update 760 interface 761 Internet access 760, 769 IPSec VPN 767 LEDs 759 logo 771 logs 772 management access 771 packet capture 773 packet flow 91 performance 763, 764,
  • ZyXEL ZyWALL USG 50 | User Manual - Page 942
    Network Computing see VNC Virtual Private Network, see VPN virus 491 attack 464, 491 boot sector 477 e-mail 477 file infector 477 life cycle 477 macro 477 mutation 477 polymorphic 477 scan 464 VLAN 246 advantages 247 and MAC address 247 ID 247 troubleshooting 763 942 ZyWALL USG 50 User's Guide
  • ZyXEL ZyWALL USG 50 | User Manual - Page 943
    43 access 43 access users 596 requirements 43 supported browsers 43 ZyWALL USG 50 User's Guide Index web features ActiveX 554 cookies 554 Java 554 web proxy servers 554 web proxy servers 332, 554 see also HTTP redirect web site ZyXEL 4 web-based SSL application 659 configuration example 660 create
  • ZyXEL ZyWALL USG 50 | User Manual - Page 944
    VPN 88, 311 and WWW 695 block intra-zone traffic 314, 366 configuration overview 98 default 89 extra-zone traffic 312 inter-zone traffic 312 intra-zone traffic 312 prerequisites 98 types of traffic 312 where used 98 ZyWALL terminology differences 91 ZyXEL web site 4 944 ZyWALL USG 50 User's Guide
  • 896
  • 897
  • 898
  • 899
  • 900
  • 901
  • 902
  • 903
  • 904
  • 905
  • 906
  • 907
  • 908
  • 909
  • 910
  • 911
  • 912
  • 913
  • 914
  • 915
  • 916
  • 917
  • 918
  • 919
  • 920
  • 921
  • 922
  • 923
  • 924
  • 925
  • 926
  • 927
  • 928
  • 929
  • 930
  • 931
  • 932
  • 933
  • 934
  • 935
  • 936
  • 937
  • 938
  • 939
  • 940
  • 941
  • 942
  • 943
  • 944

www.zyxel.com
ZyWALL USG 50
Unified Security Gateway
Copyright © 2010 ZyXEL Communications Corporation
Version 2.21, Edition 2, 11/2010
Default Login Details
LAN Port: P3, P4
IP Address: https://192.168.1.1
User Name: admin
Password: 1234