Home » ZyXEL Manuals » Networking » ZyXEL UAG715 » Manual Viewer

ZyXEL UAG715 User Guide - Page 241

Global Firewall Rules, Firewall Rule Criteria, User Specific Firewall Rules, Firewall and VPN

Add to My Manuals
Save this manual to your list of manuals

Page 241 highlights

Chapter 21 Firewall Global Firewall Rules Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone. The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface. Firewall Rule Criteria The UAG checks the schedule, user name (user's login name on the UAG), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the UAG takes the action specified in the rule. User Specific Firewall Rules You can specify users or user groups in firewall rules. For example, to allow a specific user from any computer to access a zone by logging in to the UAG, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the UAG and will be disabled after the user logs out of the UAG. Firewall and VPN Traffic After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-zone traffic blocking to allow or block VPN traffic transmitting between the VPN tunnel and other interfaces in the LAN zone. If you add the VPN tunnel to a new zone (the VPN zone for example), you can configure rules for VPN traffic between the VPN zone and other zones or From VPN To-Device rules for VPN traffic destined for the UAG. Session Limits Accessing the UAG or network resources through the UAG requires a NAT session and corresponding firewall session. Peer to peer applications, such as file sharing applications, may use a large number of NAT sessions. A single client could use all of the available NAT sessions and prevent others from connecting to or through the UAG. The UAG lets you limit the number of concurrent NAT/firewall sessions a client can use. Finding Out More • See Section 21.4 on page 248 for an example of creating firewall rules as part of configuring user-aware access control. UAG715 User's Guide 241

Section	Page
UAG715	1
Contents Overview	3
Table of Contents	5
Introduction	19
1.1 Overview	19
1.1.1 Key Applications	19
1.2 Default Zones, Interfaces, and Ports	21
1.3 Management Overview	22
1.4 Web Configurator	22
1.4.1 Web Configurator Access	23
1.4.2 Web Configurator Screens Overview	23
1.4.3 Navigation Panel	26
1.4.4 Tables and Lists	30
1.5 Stopping the UAG	33
Hardware Installation and Connection	34
2.1 Rack-mounting	34
2.2 Front Panel	35
2.2.1 Front Panel LEDs	36
2.3 Rear Panel	36
Installation Setup Wizard	37
3.1 Installation Setup Wizard Screens	37
3.1.1 Internet Access Setup - WAN Interface	37
3.1.2 Internet Access: Ethernet	38
3.1.3 Internet Access: PPPoE	39
3.1.4 Internet Access: PPTP	41
3.1.5 ISP Parameters	41
3.1.6 Internet Access Setup - Second WAN Interface	42
3.1.7 Internet Access - Finish	43
3.2 Device Registration	44
Quick Setup Wizards	47
4.1 Quick Setup Overview	47
4.2 WAN Interface Quick Setup	47
4.2.1 Choose an Ethernet Interface	48
4.2.2 Select WAN Type	48
4.2.3 Configure WAN Settings	49
4.2.4 WAN and ISP Connection Settings	49
4.2.5 Quick Setup Interface Wizard: Summary	51
4.3 VPN Setup Wizard	52
4.3.1 Welcome	53
4.3.2 VPN Setup Wizard: Wizard Type	53
4.3.3 VPN Express Wizard - Scenario	54
4.3.4 VPN Express Wizard - Configuration	55
4.3.5 VPN Express Wizard - Summary	56
4.3.6 VPN Express Wizard - Finish	56
4.3.7 VPN Advanced Wizard - Scenario	57
4.3.8 VPN Advanced Wizard - Phase 1 Settings	58
4.3.9 VPN Advanced Wizard - Phase 2	59
4.3.10 VPN Advanced Wizard - Summary	60
4.3.11 VPN Advanced Wizard - Finish	61
Dashboard	63
5.1 Overview	63
5.1.1 What You Can Do in this Chapter	63
5.2 The Dashboard Screen	63
5.2.1 The CPU Usage Screen	68
5.2.2 The Memory Usage Screen	68
5.2.3 The Active Sessions Screen	69
5.2.4 The VPN Status Screen	70
5.2.5 The DHCP Table Screen	70
5.2.6 The Number of Login Users Screen	71
Monitor	73
6.1 Overview	73
6.1.1 What You Can Do in this Chapter	73
6.2 The Port Statistics Screen	74
6.2.1 The Port Statistics Graph Screen	75
6.3 Interface Status Screen	76
6.4 The Traffic Statistics Screen	78
6.5 The Session Monitor Screen	80
6.6 The DDNS Status Screen	82
6.7 IP/MAC Binding Monitor	83
6.8 The Login Users Screen	83
6.9 USB Storage Screen	84
6.10 VPN 1-1 Mapping Status	85
6.11 VPN 1-1 Mapping Statistics	86
6.12 The IPSec Monitor Screen	87
6.12.1 Regular Expressions in Searching IPSec SAs	88
6.13 The SSL Connection Monitor Screen	88
6.14 The Content Filter Statistics Screen	89
6.15 Content Filter Cache Screen	91
6.16 Log Screen	93
Registration	97
7.1 Overview	97
7.1.1 What You Can Do in this Chapter	97
7.1.2 What you Need to Know	97
7.2 Registration Screen	98
7.3 Service Screen	100
Interfaces	103
8.1 Interface Overview	103
8.1.1 What You Can Do in this Chapter	103
8.1.2 What You Need to Know	103
8.2 Port Role Screen	106
8.3 Ethernet Summary Screen	107
8.3.1 Ethernet Edit	108
8.3.2 Object References	115
8.4 PPP Interfaces	115
8.4.1 PPP Interface Summary	116
8.4.2 PPP Interface Add or Edit	117
8.5 VLAN Interfaces	121
8.5.1 VLAN Summary Screen	122
8.5.2 VLAN Add/Edit	123
8.6 Bridge Interfaces	128
8.6.1 Bridge Summary	130
8.6.2 Bridge Add/Edit	131
8.7 Virtual Interfaces	136
8.7.1 Virtual Interfaces Add/Edit	136
8.8 Interface Technical Reference	137
Trunks	143
9.1 Overview	143
9.1.1 What You Can Do in this Chapter	143
9.1.2 What You Need to Know	143
9.2 The Trunk Summary Screen	146
9.2.1 Configuring a User-Defined Trunk	148
9.2.2 Configuring the System Default Trunk	150
Policy and Static Routes	153
10.1 Policy and Static Routes Overview	153
10.1.1 What You Can Do in this Chapter	153
10.1.2 What You Need to Know	154
10.2 Policy Route Screen	155
10.2.1 Policy Route Edit Screen	157
10.3 IP Static Route Screen	161
10.3.1 Static Route Add/Edit Screen	162
10.4 Policy Routing Technical Reference	163
Routing Protocols	165
11.1 Routing Protocols Overview	165
11.1.1 What You Can Do in this Chapter	165
11.1.2 What You Need to Know	165
11.2 The RIP Screen	165
11.3 The OSPF Screen	167
11.3.1 Configuring the OSPF Screen	170
11.3.2 OSPF Area Add/Edit Screen	172
11.3.3 Virtual Link Add/Edit Screen	174
11.4 Routing Protocol Technical Reference	174
Zones	177
12.1 Zones Overview	177
12.1.1 What You Can Do in this Chapter	177
12.1.2 What You Need to Know	177
12.2 The Zone Screen	178
12.3 Zone Edit	179
DDNS	181
13.1 DDNS Overview	181
13.1.1 What You Can Do in this Chapter	181
13.1.2 What You Need to Know	181
13.2 The DDNS Screen	182
13.2.1 The Dynamic DNS Add/Edit Screen	183
NAT	187
14.1 NAT Overview	187
14.1.1 What You Can Do in this Chapter	187
14.1.2 What You Need to Know	187
14.2 The NAT Screen	188
14.2.1 The NAT Add/Edit Screen	189
14.3 NAT Technical Reference	191
VPN 1-1 Mapping	195
15.1 VPN 1-1 Mapping Overview	195
15.1.1 What You Can Do in this Chapter	195
15.1.2 What You Need to Know	196
15.2 The VPN 1-1 Mapping Screen	196
15.2.1 The VPN 1-1 Mapping Edit Screen	197
15.3 The VPN 1-1 Mapping Profile Screen	198
HTTP Redirect	201
16.1 Overview	201
16.1.1 What You Can Do in this Chapter	201
16.1.2 What You Need to Know	201
16.2 The HTTP Redirect Screen	202
16.2.1 The HTTP Redirect Edit Screen	203
SMTP Redirect	205
17.1 Overview	205
17.1.1 What You Can Do in this Chapter	205
17.1.2 What You Need to Know	205
17.2 The SMTP Redirect Screen	206
17.2.1 The SMTP Redirect Edit Screen	207
ALG	209
18.1 ALG Overview	209
18.1.1 What You Can Do in this Chapter	209
18.1.2 What You Need to Know	209
18.1.3 Before You Begin	212
18.2 The ALG Screen	212
18.3 ALG Technical Reference	214
IP/MAC Binding	217
19.1 IP/MAC Binding Overview	217
19.1.1 What You Can Do in this Chapter	217
19.1.2 What You Need to Know	217
19.2 IP/MAC Binding Summary	218
19.2.1 IP/MAC Binding Edit	219
19.2.2 Static DHCP Edit	220
19.3 IP/MAC Binding Exempt List	220
Web Authentication	223
20.1 Overview	223
20.1.1 What You Can Do in this Chapter	224
20.1.2 What You Need to Know	224
20.2 Web Authentication Screen	225
20.2.1 Creating/Editing an Authentication Policy	228
20.3 User-aware Access Control Example	230
20.3.1 Set Up User Accounts	230
20.3.2 Set Up User Groups	231
20.3.3 Set Up User Authentication Using the RADIUS Server	231
20.3.4 User Group Authentication Using the RADIUS Server	234
20.4 Endpoint Security (EPS) Example	235
20.4.1 Configure the Endpoint Security Objects	235
20.4.2 Configure the Authentication Policy	237
Firewall	239
21.1 Overview	239
21.1.1 What You Can Do in this Chapter	239
21.1.2 What You Need to Know	239
21.2 The Firewall Screen	242
21.2.1 Configuring the Firewall Screen	242
21.2.2 The Firewall Add/Edit Screen	245
21.3 The Session Limit Screen	246
21.3.1 The Session Limit Add/Edit Screen	247
21.4 Firewall Rule Configuration Example	248
21.5 Firewall Rule Example Applications	250
IPSec VPN	253
22.1 Virtual Private Networks (VPN) Overview	253
22.1.1 What You Can Do in this Chapter	254
22.1.2 What You Need to Know	254
22.1.3 Before You Begin	256
22.2 The VPN Connection Screen	256
22.2.1 The VPN Connection Add/Edit (IKE) Screen	257
22.2.2 The VPN Connection Add/Edit Manual Key Screen	263
22.3 The VPN Gateway Screen	265
22.3.1 The VPN Gateway Add/Edit Screen	266
22.4 IPSec VPN Background Information	272
SSL VPN	285
23.1 Overview	285
23.1.1 What You Can Do in this Chapter	285
23.1.2 What You Need to Know	285
23.2 The SSL Access Privilege Screen	286
23.2.1 The SSL Access Policy Add/Edit Screen	287
23.3 The SSL Global Setting Screen	290
23.3.1 How to Upload a Custom Logo	292
23.4 SSL VPN Example	293
SSL User Screens	295
24.1 Overview	295
24.1.1 What You Need to Know	295
24.2 Remote SSL User Login	296
24.3 The SSL VPN User Screens	299
24.4 Bookmarking the UAG	300
24.5 Logging Out of the SSL VPN User Screens	301
24.6 SSL User Application Screen	301
ZyWALL SecuExtender	303
25.1 The ZyWALL SecuExtender Icon	303
25.2 Status	303
25.3 View Log	304
25.4 Suspend and Resume the Connection	305
25.5 Stop the Connection	305
25.6 Uninstalling the ZyWALL SecuExtender	305
Bandwidth Management	307
26.1 Overview	307
26.1.1 What You Can Do in this Chapter	307
26.1.2 What You Need to Know	307
26.2 The Bandwidth Management Screen	311
26.2.1 The Bandwidth Management Add/Edit Screen	313
ADP	317
27.1 Overview	317
27.1.1 What You Can Do in this Chapter	317
27.1.2 What You Need To Know	317
27.1.3 Before You Begin	318
27.2 The ADP General Screen	318
27.3 The Profile Summary Screen	319
27.3.1 Configuring The ADP Profile Summary Screen	319
27.3.2 Base Profiles	320
27.3.3 Creating New ADP Profiles	321
27.3.4 Traffic Anomaly Profiles	321
27.3.5 Protocol Anomaly Profiles	324
27.3.6 Protocol Anomaly Configuration	324
27.4 ADP Technical Reference	327
Content Filtering	333
28.1 Overview	333
28.1.1 What You Can Do in this Chapter	333
28.1.2 What You Need to Know	333
28.1.3 Before You Begin	334
28.2 Content Filter General Screen	335
28.2.1 Content Filter Policy Add or Edit Screen	337
28.3 Content Filter Profile Screen	338
28.4 Content Filter Category Service Screen	339
28.4.1 Content Filter Blocked and Warning Messages	350
28.5 Content Filter Custom Service Screen	350
28.6 Content Filter Technical Reference	353
User/Group	355
29.1 Overview	355
29.1.1 What You Can Do in this Chapter	355
29.1.2 What You Need To Know	355
29.2 User Summary Screen	357
29.2.1 User Add/Edit Screen	358
29.3 User Group Summary Screen	360
29.3.1 Group Add/Edit Screen	361
29.4 The User/Group Setting Screen	362
29.4.1 Default User Settings Edit Screens	364
29.4.2 User Aware Login Example	365
29.5 User /Group Technical Reference	366
Addresses	368
30.1 Overview	368
30.1.1 What You Can Do in this Chapter	368
30.1.2 What You Need To Know	368
30.2 Address Summary Screen	368
30.2.1 Address Add/Edit Screen	369
30.3 Address Group Summary Screen	370
30.3.1 Address Group Add/Edit Screen	371
Services	373
31.1 Overview	373
31.1.1 What You Can Do in this Chapter	373
31.1.2 What You Need to Know	373
31.2 The Service Summary Screen	374
31.2.1 The Service Add/Edit Screen	375
31.3 The Service Group Summary Screen	376
31.3.1 The Service Group Add/Edit Screen	376
Schedules	378
32.1 Overview	378
32.1.1 What You Can Do in this Chapter	378
32.1.2 What You Need to Know	378
32.2 The Schedule Summary Screen	379
32.2.1 The One-Time Schedule Add/Edit Screen	380
32.2.2 The Recurring Schedule Add/Edit Screen	381
AAA Server	382
33.1 Overview	382
33.1.1 Directory Service (AD/LDAP)	382
33.1.2 RADIUS Server	382
33.1.3 What You Can Do in this Chapter	383
33.1.4 What You Need To Know	383
33.2 Active Directory or LDAP Server Summary	384
33.2.1 Adding an Active Directory or LDAP Server	385
33.3 RADIUS Server Summary	387
33.3.1 Adding a RADIUS Server	388
Authentication Method	390
34.1 Overview	390
34.1.1 What You Can Do in this Chapter	390
34.1.2 Before You Begin	390
34.1.3 Example: Selecting a VPN Authentication Method	390
34.2 Authentication Method Objects	391
34.2.1 Creating an Authentication Method Object	391
Certificates	394
35.1 Overview	394
35.1.1 What You Can Do in this Chapter	394
35.1.2 What You Need to Know	394
35.1.3 Verifying a Certificate	396
35.2 The My Certificates Screen	397
35.2.1 The My Certificates Add Screen	398
35.2.2 The My Certificates Edit Screen	401
35.2.3 The My Certificates Import Screen	404
35.3 The Trusted Certificates Screen	405
35.3.1 The Trusted Certificates Edit Screen	406
35.3.2 The Trusted Certificates Import Screen	409
ISP Accounts	411
36.1 Overview	411
36.1.1 What You Can Do in this Chapter	411
36.2 ISP Account Summary	411
36.2.1 ISP Account Edit	412
SSL Application	414
37.1 Overview	414
37.1.1 What You Can Do in this Chapter	414
37.1.2 What You Need to Know	414
37.1.3 Example: Specifying a Web Site for Access	415
37.2 The SSL Application Screen	416
37.2.1 Creating/Editing an SSL Application Object	417
Endpoint Security	419
38.1 Overview	419
38.1.1 What You Can Do in this Chapter	419
38.1.2 What You Need to Know	420
38.2 Endpoint Security Screen	420
38.3 Endpoint Security Add/Edit	421
System	427
39.1 Overview	427
39.1.1 What You Can Do in this Chapter	427
39.2 Host Name	428
39.3 USB Storage	428
39.4 Date and Time	429
39.4.1 Pre-defined NTP Time Servers List	432
39.4.2 Time Server Synchronization	432
39.5 Console Port Speed	433
39.6 DNS Overview	434
39.6.1 DNS Server Address Assignment	434
39.6.2 Configuring the DNS Screen	434
39.6.3 Address Record	436
39.6.4 PTR Record	436
39.6.5 Adding an Address/PTR Record	436
39.6.6 Domain Zone Forwarder	437
39.6.7 Adding a Domain Zone Forwarder	437
39.6.8 MX Record	438
39.6.9 Adding a MX Record	438
39.6.10 Adding a DNS Service Control Rule	439
39.7 WWW Overview	439
39.7.1 Service Access Limitations	440
39.7.2 System Timeout	440
39.7.3 HTTPS	440
39.7.4 Configuring WWW Service Control	441
39.7.5 Service Control Rules	444
39.7.6 Customizing the WWW Login Page	445
39.7.7 HTTPS Example	449
39.8 SSH	456
39.8.1 How SSH Works	457
39.8.2 SSH Implementation on the UAG	458
39.8.3 Requirements for Using SSH	458
39.8.4 Configuring SSH	458
39.8.5 Secure Telnet Using SSH Examples	459
39.9 Telnet	461
39.9.1 Configuring Telnet	461
39.10 FTP	462
39.10.1 Configuring FTP	462
39.11 SNMP	463
39.11.1 Supported MIBs	464
39.11.2 SNMP Traps	465
39.11.3 Configuring SNMP	465
Log and Report	467
40.1 Overview	467
40.1.1 What You Can Do In this Chapter	467
40.2 Email Daily Report	467
40.3 Log Setting Screens	469
40.3.1 Log Setting Summary	469
40.3.2 Edit System Log Settings	471
40.3.3 Edit Log on USB Storage Setting	473
40.3.4 Edit Remote Server Log Settings	475
40.3.5 Active Log Summary Screen	477
File Manager	481
41.1 Overview	481
41.1.1 What You Can Do in this Chapter	481
41.1.2 What you Need to Know	481
41.2 The Configuration File Screen	483
41.3 The Firmware Package Screen	487
41.4 The Shell Script Screen	489
Diagnostics	492
42.1 Overview	492
42.1.1 What You Can Do in this Chapter	492
42.2 The Diagnostics Screen	492
42.2.1 The Diagnostics Files Screen	493
42.3 The Packet Capture Screen	494
42.3.1 The Packet Capture Files Screen	496
42.4 Core Dump Screen	497
42.4.1 Core Dump Files Screen	497
42.5 The System Log Screen	498
Packet Flow Explore	500
43.1 Overview	500
43.1.1 What You Can Do in this Chapter	500
43.2 The Routing Status Screen	500
43.3 The SNAT Status Screen	505
Reboot	509
44.1 Overview	509
44.1.1 What You Need To Know	509
44.2 The Reboot Screen	509
Shutdown	510
45.1 Overview	510
45.1.1 What You Need To Know	510
45.2 The Shutdown Screen	510
Troubleshooting	511
46.1 Resetting the UAG	519
46.2 Getting More Troubleshooting Help	520
Legal Information	521

Match case Limit results 1 per page

Chapter 21 Firewall

UAG715 User’s Guide

241

Global Firewall Rules

Firewall rules with

from any

and/or

to any

as the packet direction are called global firewall rules.

The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is

not included in a zone. The

from any

rules apply to traffic coming from the interface and the

any

rules apply to traffic going to the interface.

Firewall Rule Criteria

The UAG checks the schedule, user name (user’s login name on the UAG), source IP address,

destination IP address and IP protocol type of network traffic against the firewall rules (in the order

you list them). When the traffic matches a rule, the UAG takes the action specified in the rule.

User Specific Firewall Rules

You can specify users or user groups in firewall rules. For example, to allow a specific user from any

computer to access a zone by logging in to the UAG, you can set up a rule based on the user name

only. If you also apply a schedule to the firewall rule, the user can only access the network at the

scheduled time. A user-aware firewall rule is activated whenever the user logs in to the UAG and

will be disabled after the user logs out of the UAG.

Firewall and VPN Traffic

After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN

traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure

a new LAN1 to LAN1 firewall rule or use intra-zone traffic blocking to allow or block VPN traffic

transmitting between the VPN tunnel and other interfaces in the LAN zone. If you add the VPN

tunnel to a new zone (the VPN zone for example), you can configure rules for VPN traffic between

the VPN zone and other zones or

From VPN To-Device

rules for VPN traffic destined for the UAG.

Session Limits

Accessing the UAG or network resources through the UAG requires a NAT session and

corresponding firewall session. Peer to peer applications, such as file sharing applications, may use

a large number of NAT sessions. A single client could use all of the available NAT sessions and

prevent others from connecting to or through the UAG. The UAG lets you limit the number of

concurrent NAT/firewall sessions a client can use.

Finding Out More

• See

Section 21.4 on page 248

for an example of creating firewall rules as part of configuring

user-aware access control.