ZyXEL USG FLEX 700 User Guide
ZyXEL USG FLEX 700 Manual
 |
View all ZyXEL USG FLEX 700 manuals
Add to My Manuals
Save this manual to your list of manuals |
ZyXEL USG FLEX 700 manual content summary:
- ZyXEL USG FLEX 700 | User Guide - Page 1
User's Guide ZyWALL USG FLEX Series Default Login Details LAN Port IP Address https://192.168.1.1 User Name admin Password 1234 Version 4.60 Edition 1, 10/2020 Copyright © 2020 Zyxel Communications Corporation - ZyXEL USG FLEX 700 | User Guide - Page 2
Device. • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. • More Information Go to support.zyxel.com to find other information on Zyxel Device. ZyWALL USG FLEX Series User's Guide 2 - ZyXEL USG FLEX 700 | User Guide - Page 3
Figures in this user guide may use the following generic icons. The Zyxel Device icon is not an exact representation of your device. Zyxel Device Generic Router Wireless Router / Access Point Switch Internet Firewall Server Network Cloud Smartphone USB Dongle ZyWALL USG FLEX Series User - ZyXEL USG FLEX 700 | User Guide - Page 4
...124 Licensing ...196 Wireless ...202 Interfaces ...228 Routing ...325 DDNS ...352 NAT ...358 Redirect Service ...375 ALG ...381 UPnP ...388 IP/MAC Binding ...403 Layer 2 Isolation ...408 DNS Inbound 675 SSL Inspection ...693 IP Exception ...707 Object ...710 ZyWALL USG FLEX Series User's Guide 4 - ZyXEL USG FLEX 700 | User Guide - Page 5
Contents Overview Device HA ...826 Cloud CNM ...833 System ...841 Log and Report ...902 File Manager ...915 Diagnostics ...931 Packet Flow Explore ...952 Shutdown ...959 Troubleshooting ...963 ZyWALL USG FLEX Series User's Guide 5 - ZyXEL USG FLEX 700 | User Guide - Page 6
59 2.1.7 Internet Access: Congratulations 60 2.1.8 Date and Time Settings ...61 2.1.9 Register Device ...61 2.1.10 Activate Service ...63 2.1.11 Service Settings ...64 2.1.12 Service Settings: SecuReporter 65 2.1.13 Wireless Settings: Management Mode 66 ZyWALL USG FLEX Series User's Guide 6 - ZyXEL USG FLEX 700 | User Guide - Page 7
Configuration Provisioning Express Wizard - Summary 100 4.4.4 VPN Settings for Configuration Provisioning Express Wizard - Finish 101 4.4.5 VPN Settings for Configuration Provisioning Advanced Wizard - Scenario 102 ZyWALL USG FLEX Series User's Guide 7 - ZyXEL USG FLEX 700 | User Guide - Page 8
Status Screen ...128 6.4 The Traffic Statistics Screen ...132 6.5 The Session Monitor Screen ...135 6.6 The Login Users Screen ...137 6.7 Dynamic Guest ...138 6.8 IGMP Statistics ...139 ZyWALL USG FLEX Series User's Guide 8 - ZyXEL USG FLEX 700 | User Guide - Page 9
Cache List ...189 6.38 Log Screens ...190 6.38.1 View Log ...191 6.38.2 View AP Log ...192 6.38.3 Dynamic Users Log ...194 Chapter 7 Licensing ...196 ZyWALL USG FLEX Series User's Guide 9 - ZyXEL USG FLEX 700 | User Guide - Page 10
to Know ...196 7.1.2 Registration Screen ...197 7.1.3 Service Screen ...197 7.2 Signature Update ...199 7.2.1 What you the Zyxel Device 203 8.2.2 Connecting an AP to the Zyxel Device Manually 203 8.2.3 Connecting an AP to the Zyxel Device Using DHCP Option ZyWALL USG FLEX Series User's Guide 10 - ZyXEL USG FLEX 700 | User Guide - Page 11
.3.1 Static Route Add/Edit Screen 334 10.4 Policy Routing Technical Reference 336 10.5 Routing Protocols Overview ...336 10.5.1 What You Need to Know 337 ZyWALL USG FLEX Series User's Guide 11 - ZyXEL USG FLEX 700 | User Guide - Page 12
Virtual Server Load Balancer Screen 370 12.6.1 Adding/Editing a Virtual Server Load Balancing Rule 371 Chapter 13 Redirect Service ...375 13.1 Overview ...375 13.1.1 HTTP Redirect ...375 13.1.2 SMTP Redirect ...375 13.1.3 What You Can Do in this Chapter 376 ZyWALL USG FLEX Series User's Guide 12 - ZyXEL USG FLEX 700 | User Guide - Page 13
Table of Contents 13.1.4 What You Need to Know 376 13.2 The Redirect Service Screen ...378 13.2.1 The Redirect Service Edit Screen 379 Chapter 14 ALG...381 14.1 ALG Overview ...381 14.1.1 What 17.3 White List Screen ...409 17.3.1 Add/Edit White List Rule 410 ZyWALL USG FLEX Series User's Guide 13 - ZyXEL USG FLEX 700 | User Guide - Page 14
Chapter 460 21.1.2 What You Need to Know 460 21.2 L2TP VPN Screen ...461 21.2.1 Example: L2TP and Zyxel Device Behind a NAT Router 463 ZyWALL USG FLEX Series User's Guide 14 - ZyXEL USG FLEX 700 | User Guide - Page 15
24.4.3 The Billing Profile Add/Edit Screen 522 24.5 The Billing > Discount Screen ...523 24.5.1 The Discount Add/Edit Screen 525 24.6 The Billing > Payment Service Screen 525 24.6.1 The Payment Service > Desktop / Mobile View Screen 527 ZyWALL USG FLEX Series User's Guide 15 - ZyXEL USG FLEX 700 | User Guide - Page 16
IP 555 28.4.2 Walled Garden Login Example 555 Chapter 29 Advertisement Screen ...557 29.1 Advertisement Overview ...557 29.1.1 Adding/Editing an Advertisement URL 558 ZyWALL USG FLEX Series User's Guide 16 - ZyXEL USG FLEX 700 | User Guide - Page 17
.2.2 Content Filter Add Profile Category Service 601 32.2.3 Content Filter Add Filter Profile Custom Service 614 32.3 Content Filter Trusted Web Sites Screen 616 32.4 Content Filter Forbidden Web Sites Screen 617 32.5 Content Filter Technical Reference 618 ZyWALL USG FLEX Series User's Guide 17 - ZyXEL USG FLEX 700 | User Guide - Page 18
Custom Signatures 658 35.3.2 Custom Signature Example 662 35.3.3 Applying Custom Signatures 664 35.3.4 Verifying Custom Signatures 665 35.4 The White List Screen ...665 ZyWALL USG FLEX Series User's Guide 18 - ZyXEL USG FLEX 700 | User Guide - Page 19
Profiles 700 37.3 Exclude List Screen ...701 37.4 Certificate Update Screen ...703 37.5 Install a CA Certificate in a Browser 704 Chapter 38 IP Exception...707 38.1 Overview ...707 38.2 The IP Exception Screen ...707 38.2.1 The IP Exception Add/Edit Screen 708 ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 20
39.8.1 What You Need to Know 779 39.8.2 The Schedule Screen ...780 39.8.3 The Schedule Group Screen 783 39.9 AAA Server Overview ...784 39.9.1 Directory Service (AD/LDAP 785 39.9.2 RADIUS Server ...785 39.9.3 ASAS ...785 39.9.4 What You Need To Know 786 ZyWALL USG FLEX Series User's Guide 20 - ZyXEL USG FLEX 700 | User Guide - Page 21
.3 Cloud CNM SecuReporter ...836 Chapter 42 System...841 42.1 Overview ...841 42.1.1 What You Can Do in this Chapter 841 42.2 Host Name ...842 ZyWALL USG FLEX Series User's Guide 21 - ZyXEL USG FLEX 700 | User Guide - Page 22
878 42.9 Telnet ...879 42.9.1 Configuring Telnet ...879 42.9.2 Service Control Rules ...881 42.10 FTP ...881 42.10.1 Configuring FTP ...881 42.10.2 Service Control Rules ...883 42.11 SNMP ...883 42.11.1 SNMPv3 and Security ...884 42.11.2 Supported MIBs ...885 ZyWALL USG FLEX Series User's Guide 22 - ZyXEL USG FLEX 700 | User Guide - Page 23
Traps ...885 42.11.4 Configuring SNMP ...885 42.11.5 Add SNMPv3 User ...887 42.11.6 Service Control Rules ...888 42.12 Authentication Server ...889 42.12.1 Add/Edit Trusted RADIUS Client 890 42 .4 The Shell Script Screen ...928 Chapter 45 Diagnostics ...931 ZyWALL USG FLEX Series User's Guide 23 - ZyXEL USG FLEX 700 | User Guide - Page 24
: Appendices and Troubleshooting 962 Chapter 48 Troubleshooting...963 48.1 Resetting the Zyxel Device ...976 48.2 Getting More Troubleshooting Help 976 Appendix A Customer Support ...977 Appendix B Product Features ...983 Appendix C Legal Information ...986 ZyWALL USG FLEX Series User's Guide 24 - ZyXEL USG FLEX 700 | User Guide - Page 25
Table of Contents Index ...996 ZyWALL USG FLEX Series User's Guide 25 - ZyXEL USG FLEX 700 | User Guide - Page 26
PART I User's Guide 26 - ZyXEL USG FLEX 700 | User Guide - Page 27
YES YES NO USG FLEX 500 YES CLI only YES YES YES YES YES YES YES NO YES NO YES YES YES YES YES YES YES NO USG FLEX 700 YES CLI only YES YES YES YES YES YES YES NO YES NO YES YES YES YES YES YES YES NO ZyWALL USG FLEX Series User's Guide 27 - ZyXEL USG FLEX 700 | User Guide - Page 28
USG FLEX 200 YES YES 1 year YES NO USG FLEX 500 YES YES 1 year YES NO USG FLEX 700 services at myZyxel. You may need your Zyxel Device's serial number and LAN MAC address to register it at myZyxel. See the label at the back of the Zyxel Device's for details. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 29
Chapter 1 Introduction 1.2.1 Grace Period SecuReporter and service licenses have a 15-day grace period after a license expires. Services will continue to work in this period during firewall. Figure 2 Applications: Security Router Applications: Security Router ZyWALL USG FLEX Series User's Guide 29 - ZyXEL USG FLEX 700 | User Guide - Page 30
Chapter 1 Introduction IPv6 Routing The Zyxel Device supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You may also create IPv6 policy routes and IPv6 objects. The he can access network resources in the same way as if he were part of the internal network. ZyWALL USG FLEX Series User's Guide 30 - ZyXEL USG FLEX 700 | User Guide - Page 31
same port, or different ports, including cellular interfaces. In either case, you can balance the traffic loads between them. Figure 7 Applications: Multiple WAN Interfaces ZyWALL USG FLEX Series User's Guide 31 - ZyXEL USG FLEX 700 | User Guide - Page 32
example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are: Table 2 Console Port Default Settings an SNMP manager. See Section 42.11 on page 883. ZyWALL USG FLEX Series User's Guide 32 - ZyXEL USG FLEX 700 | User Guide - Page 33
hardware is properly connected. See the Quick Start Guide. 2 In your browser go to http://192.168.1.1. By default, the Zyxel Device automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears. ZyWALL USG FLEX Series User's Guide 33 - ZyXEL USG FLEX 700 | User Guide - Page 34
the statement, then click Acknowledge to proceed. Note: If you are using an Internet Explorer browser, the Terms of Use will be downloaded automatically. ZyWALL USG FLEX Series User's Guide 34 - ZyXEL USG FLEX 700 | User Guide - Page 35
Chapter 1 Introduction 6 The Network Risk Warning screen displays any unregistered or disabled security services. If your Zyxel Device is not registered, you will see a prompt to register it. Select how often to display the screen and click OK. ZyWALL USG FLEX Series User's Guide 35 - ZyXEL USG FLEX 700 | User Guide - Page 36
-time never Router(config)# service-register _setremind every-time Router(config)# See the Command Line Interface (CLI) Reference Guide (RG) for details on all supported commands. 7 Follow the directions : • A - title bar • B - navigation panel • C - main window ZyWALL USG FLEX Series User's Guide 36 - ZyXEL USG FLEX 700 | User Guide - Page 37
CLI) commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands. CLI Reference Site Map Forum Help About Logout Logging in to the Zyxel Click this to log out of the Web Configurator. ZyWALL USG FLEX Series User's Guide 37 - ZyXEL USG FLEX 700 | User Guide - Page 38
from which you can run CLI commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands. Logging in to the Zyxel Device with HTTPS, so you can open one or multiple console windows. ZyWALL USG FLEX Series User's Guide 38 - ZyXEL USG FLEX 700 | User Guide - Page 39
this screen. Table 5 Reference LABEL DESCRIPTION Type Select an object type to see the services. Name This identifies the object for which the configuration settings that use it are configuration item has a description configured, it displays here. ZyWALL USG FLEX Series User's Guide 39 - ZyXEL USG FLEX 700 | User Guide - Page 40
the panel or drag to resize it. The following sections introduce the Zyxel Device's navigation panel menus and their screens. Figure 16 Navigation Panel ZyWALL USG FLEX Series User's Guide 40 - ZyXEL USG FLEX 700 | User Guide - Page 41
These are accounts that are created automatically and allowed to access the Zyxel Device's services for a certain period of time. IGMP Statistics IGMP Statistics Collect and display IGMP traffic usage and associated wireless stations for a managed AP. ZyWALL USG FLEX Series User's Guide 41 - ZyXEL USG FLEX 700 | User Guide - Page 42
FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces or VPN connections. Licensing Registration Registration Register the device and activate trial services. Service View the licensed service status and upgrade licensed services. ZyWALL USG FLEX Series User's Guide 42 - ZyXEL USG FLEX 700 | User Guide - Page 43
Configuration Configure manual or automatic Service Redirect Service Set up and manage HTTP and SMTP redirection rules. ALG ALG Configure SIP, H.323, and FTP pass-through settings. UPnP UPnP Configure interfaces that allow UPnP and NAT-PMP connections. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 44
Configure IP to MAC address bindings for devices connected to each supported interface. Exempt List Configure ranges of IP addresses to which the price plans. Payment Service Enable online payment service and configure the service pages. Printer Manager . ZyWALL USG FLEX Series User's Guide 44 - ZyXEL USG FLEX 700 | User Guide - Page 45
manage ADP bindings. Profile Create and manage ADP profiles. Session Control Security Service Session Control Limit the number of concurrent client NAT/security policy sessions. Zone Zone Configure zone templates used to define various policies. ZyWALL USG FLEX Series User's Guide 45 - ZyXEL USG FLEX 700 | User Guide - Page 46
manually configure country-to-IP address mappings for geographic address objects that can be used in security policies. Service Service Create and manage TCP and UDP services. Service Group Create and manage groups of services active and passive devices ZyWALL USG FLEX Series User's Guide 46 - ZyXEL USG FLEX 700 | User Guide - Page 47
speed. DNS DNS Configure the DNS server and address records for the Zyxel Device. WWW Service Control Configure HTTP, HTTPS, and general authentication. Login Page Configure how the login and Manage and run shell script files for the Zyxel Device. ZyWALL USG FLEX Series User's Guide 47 - ZyXEL USG FLEX 700 | User Guide - Page 48
Ping or Traceroute to help you identify problems. Routing Traces Configure traceroute to identify where packets are dropped for troubleshooting. Wireless Frame Capture Capture wireless frames from • Select which columns to display • Group entries by field ZyWALL USG FLEX Series User's Guide 48 - ZyXEL USG FLEX 700 | User Guide - Page 49
entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. Figure 22 Common Table Icons ZyWALL USG FLEX Series User's Guide 49 - ZyXEL USG FLEX 700 | User Guide - Page 50
[Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 23 Working with Lists ZyWALL USG FLEX Series User's Guide 50 - ZyXEL USG FLEX 700 | User Guide - Page 51
4.25 or later, you have to register your Zyxel Device and activate the corresponding service at myZyxel (through your Zyxel Device). This chapter provides information on configuring the Web type of encapsulation and method of IP address assignment. ZyWALL USG FLEX Series User's Guide 51 - ZyXEL USG FLEX 700 | User Guide - Page 52
. The following fields display if you selected static IP address assignment. • IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address. ZyWALL USG FLEX Series User's Guide 52 - ZyXEL USG FLEX 700 | User Guide - Page 53
Internet Access: PPPoE 2.1.3.1 ISP Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long. ZyWALL USG FLEX Series User's Guide 53 - ZyXEL USG FLEX 700 | User Guide - Page 54
and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings. ZyWALL USG FLEX Series User's Guide 54 - ZyXEL USG FLEX 700 | User Guide - Page 55
of the router through which this WAN connection will send traffic (the default gateway). • Server IP: Type the IP address of the PPTP server. ZyWALL USG FLEX Series User's Guide 55 - ZyXEL USG FLEX 700 | User Guide - Page 56
and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings. ZyWALL USG FLEX Series User's Guide 56 - ZyXEL USG FLEX 700 | User Guide - Page 57
: This identifies the Ethernet interface you configure to connect with a modem or router. • Type a Base IP Address (static) assigned to you by your ISP. ZyWALL USG FLEX Series User's Guide 57 - ZyXEL USG FLEX 700 | User Guide - Page 58
and DNS server information as part of your Internet access information, re-enter them exactly as given. If it fails again, check with your Internet service provider or administrator for correct IP address, subnet mask and gateway address and other WAN settings. ZyWALL USG FLEX Series User's Guide 58 - ZyXEL USG FLEX 700 | User Guide - Page 59
can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 2.1.1 on page 51). ZyWALL USG FLEX Series User's Guide 59 - ZyXEL USG FLEX 700 | User Guide - Page 60
the settings correctly. If you have, check that you got the correct settings from your ISP or network administrator. Figure 31 Internet Access: Summary ZyWALL USG FLEX Series User's Guide 60 - ZyXEL USG FLEX 700 | User Guide - Page 61
this screen to register your device at portal.myzyxel.com. Note: The Zyxel Device must be connected to the Internet in order to register. ZyWALL USG FLEX Series User's Guide 61 - ZyXEL USG FLEX 700 | User Guide - Page 62
Zyxel Device's for details. Figure 34 myZyxel Login Click Refresh or use the Configuration > Licensing > Registration screen to update your Zyxel Device registration status. ZyWALL USG FLEX Series User's Guide 62 - ZyXEL USG FLEX 700 | User Guide - Page 63
for the services supported by your model. See Subscription Services Available on page 196 for more information on the subscription services for the two types of security packs. Here are the services available for or external threats, and report on network usage. ZyWALL USG FLEX Series User's Guide 63 - ZyXEL USG FLEX 700 | User Guide - Page 64
Chapter 2 Initial Setup Wizard Figure 36 USG FLEX 500 Activate Service Click Refresh and wait a few moments for the registration information to update in this screen. anomalies, notify you of potential internal or external threats, and report on network usage. ZyWALL USG FLEX Series User's Guide 64 - ZyXEL USG FLEX 700 | User Guide - Page 65
Chapter 2 Initial Setup Wizard Figure 37 USG FLEX Service Settings 2.1.12 Service Settings: SecuReporter Use this screen to add the Zyxel Device to a new or existing names, MAC addresses, email addresses, and host names, will be identifiable in downloaded logs. ZyWALL USG FLEX Series User's Guide 65 - ZyXEL USG FLEX 700 | User Guide - Page 66
Zyxel Device to manage APs in the same network as the Zyxel Device. Both modes cannot work simultaneously. Click Next to continue the wizard. ZyWALL USG FLEX Series User's Guide 66 - ZyXEL USG FLEX 700 | User Guide - Page 67
authentication. • Pre-Shared Key - Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. ZyWALL USG FLEX Series User's Guide 67 - ZyXEL USG FLEX 700 | User Guide - Page 68
42 Wireless Settings: SSID & Security 2.1.16 Remote Management Select this to allow access to the Zyxel Device using HTTP or HTTPS from the Internet. ZyWALL USG FLEX Series User's Guide 68 - ZyXEL USG FLEX 700 | User Guide - Page 69
Chapter 2 Initial Setup Wizard Figure 43 Remote Management HTTPS is added to the Default_Allow_WAN_to_ZyWALL rule in Object > Service > Service Group screen when you enable Remote Management. Figure 44 Object > Service > Service Group - HTTPS ZyWALL USG FLEX Series User's Guide 69 - ZyXEL USG FLEX 700 | User Guide - Page 70
4 Ethernet Ports Console Port 1 (RJ45) 1 (RJ45) USG FLEX 200 2 1 2 4 1 (DB9) USG FLEX 500 2 1 - 7 1 (DB9) USG FLEX 700 2 2 - 12 1 (DB9) For information on interface names panel. Figure 45 USG FLEX 100 Front Panel Figure 46 USG FLEX 100W Front Panel ZyWALL USG FLEX Series User's Guide 70 - ZyXEL USG FLEX 700 | User Guide - Page 71
Chapter 3 Hardware, Interfaces and Zones Figure 47 USG FLEX 200 Front Panel Figure 48 USG FLEX 500 Front Panel Figure 49 USG FLEX 700 Front Panel The following table describes the front panel LEDs. Table or receiving packets on this port at 100/1000 Mbps. ZyWALL USG FLEX Series User's Guide 71 - ZyXEL USG FLEX 700 | User Guide - Page 72
> System Log) and storage (see Configuration > System > USB Storage). These are 1G RJ-45 Ethernet ports. P2-P8 ( USG FLEX 500) P1-P12 (USG FLEX 700) 3.1.2 Rear Panels The connection ports are located on the rear panel. Figure 50 USG FLEX 100 Rear Panel ZyWALL USG FLEX Series User's Guide 72 - ZyXEL USG FLEX 700 | User Guide - Page 73
3 Hardware, Interfaces and Zones Figure 51 USG FLEX 100W Rear Panel Figure 52 USG FLEX 200 Rear Panel Figure 53 USG FLEX 500 Rear Panel Figure 54 USG FLEX 700 Rear Panel Note: Make sure you connect on what the Ethernet device at the other end can support. ZyWALL USG FLEX Series User's Guide 73 - ZyXEL USG FLEX 700 | User Guide - Page 74
USG FLEX Series Installation Comparison Table USG FLEX MODELS USG FLEX 100 USG FLEX 100W Rubber feet for desktop Yes Yes placement Wall Mounting Yes Yes Rack Mounting No No USG FLEX 200 Yes Yes No USG FLEX 500 Yes No Yes USG FLEX 700 circulation. ZyWALL USG FLEX Series User's Guide 74 - ZyXEL USG FLEX 700 | User Guide - Page 75
in a wiring closet with other equipment using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the ZyWALL does not screws). 2 Attach the other bracket in a similar fashion. ZyWALL USG FLEX Series User's Guide 75 - ZyXEL USG FLEX 700 | User Guide - Page 76
mm (6.85") USG FLEX 100W 174 mm (6.85") USG FLEX 200 206 mm (8.11") 1 Drill into a wall two holes 3 mm - 4 mm (0.12" - 0.16") wide, 20 mm - 30 mm (0.79" - 1.18") deep and a distance X (see the preceding table) apart. Place two screw anchors in the holes. ZyWALL USG FLEX Series User's Guide 76 - ZyXEL USG FLEX 700 | User Guide - Page 77
zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use "the WAN interface" rather than "wan1" or "wan2", "ge2" or" ge3". ZyWALL USG FLEX Series User's Guide 77 - ZyXEL USG FLEX 700 | User Guide - Page 78
of writing. Table 16 Default Physical Port - Interface Mapping PORT / INTERFACE • USG FLEX 100 • USG FLEX 100W • USG FLEX 200 • USG FLEX 500 • USG FLEX 700 P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 P13 P14 so can cause the firmware to become corrupt. ZyWALL USG FLEX Series User's Guide 78 - ZyXEL USG FLEX 700 | User Guide - Page 79
setup screens in the Web Configurator. See the feature-specific chapters in this User's Guide for background information. In the Web Configurator, click Quick Setup to open the first Quick Setup screen. Figure 60 USG FLEX Quick Setup • WAN Interface Click this link to open a wizard to set up a WAN - ZyXEL USG FLEX 700 | User Guide - Page 80
Setup Wizard 4.2.1 Choose an Ethernet Interface Select a WAN interface (names vary by model) that you want to configure for a WAN connection and click Next. ZyWALL USG FLEX Series User's Guide 80 - ZyXEL USG FLEX 700 | User Guide - Page 81
ISP gave it to you. 4.2.3 Configure WAN IP Settings Use this screen to select whether the interface should use a fixed or dynamic IP address. ZyWALL USG FLEX Series User's Guide 81 - ZyXEL USG FLEX 700 | User Guide - Page 82
access information exactly as your ISP gave it to you. Note: Enter the Internet access information exactly as your ISP gave it to you. ZyWALL USG FLEX Series User's Guide 82 - ZyXEL USG FLEX 700 | User Guide - Page 83
Chapter 4 Quick Setup Wizards Figure 66 WAN and ISP Connection Settings: (PPTP) Figure 67 WAN and ISP Connection Settings: (PPPoE) ZyWALL USG FLEX Series User's Guide 83 - ZyXEL USG FLEX 700 | User Guide - Page 84
connection. • Encapsulation: This displays the type of Internet connection you are configuring. • Service Name: Type the PPPoE service name if you were given one by your ISP. • Authentication Type: Use the the (static) IP address assigned to you by your ISP. ZyWALL USG FLEX Series User's Guide 84 - ZyXEL USG FLEX 700 | User Guide - Page 85
an example WAN interface's settings. Figure 69 Interface Wizard: Summary WAN • Encapsulation: This displays what encapsulation this interface uses to connect to the Internet. ZyWALL USG FLEX Series User's Guide 85 - ZyXEL USG FLEX 700 | User Guide - Page 86
Name: This field only appears for a PPPoE interface. It displays the PPPoE service name specified in the ISP account. • Server IP: This field only appears for a . • VPN Settings configures a VPN tunnel for a secure connection to another computer or network. ZyWALL USG FLEX Series User's Guide 86 - ZyXEL USG FLEX 700 | User Guide - Page 87
use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device. Figure 72 VPN Setup Wizard: Wizard Type ZyWALL USG FLEX Series User's Guide 87 - ZyXEL USG FLEX 700 | User Guide - Page 88
session secret from which encryption keys are derived. IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise users. Only the clients can initiate the VPN tunnel. ZyWALL USG FLEX Series User's Guide 88 - ZyXEL USG FLEX 700 | User Guide - Page 89
the VPN tunnel's configuration and commands that you can copy and paste into another ZLD-based Zyxel Device's command line interface to configure it. ZyWALL USG FLEX Series User's Guide 89 - ZyXEL USG FLEX 700 | User Guide - Page 90
the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list. 4.3.6 VPN Express Wizard - Finish Now the appear in the VPN > IPSec VPN > VPN Connection screen. ZyWALL USG FLEX Series User's Guide 90 - ZyXEL USG FLEX 700 | User Guide - Page 91
Click the Advanced radio button as shown in Figure 72 on page 87 to display the following screen. Figure 77 VPN Advanced Wizard: Scenario ZyWALL USG FLEX Series User's Guide 91 - ZyXEL USG FLEX 700 | User Guide - Page 92
secret from which encryption keys are derived. IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association). ZyWALL USG FLEX Series User's Guide 92 - ZyXEL USG FLEX 700 | User Guide - Page 93
on your Zyxel Device. • Negotiation Mode: This displays Main or Aggressive: • Main encrypts the ZyWALL/USG's and remote IPSec router's identities but takes more time to establish the IKE SA. • Aggressive is NAT (there is a NAT router between the IPSec devices). ZyWALL USG FLEX Series User's Guide 93 - ZyXEL USG FLEX 700 | User Guide - Page 94
address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device. ZyWALL USG FLEX Series User's Guide 94 - ZyXEL USG FLEX 700 | User Guide - Page 95
tunnel. • Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. ZyWALL USG FLEX Series User's Guide 95 - ZyXEL USG FLEX 700 | User Guide - Page 96
the IKE SA. • Aggressive is faster but does not encrypt the identities. The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a security. • SHA1 gives higher security. • SHA256 gives the highest security. ZyWALL USG FLEX Series User's Guide 96 - ZyXEL USG FLEX 700 | User Guide - Page 97
the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Figure 81 VPN Wizard: Finish Click Close to exit the wizard. ZyWALL USG FLEX Series User's Guide 97 - ZyXEL USG FLEX 700 | User Guide - Page 98
: Wizard Type 4.4.1 Configuration Provisioning Express Wizard - VPN Settings Click the Express radio button as shown in the previous screen to display the following screen. ZyWALL USG FLEX Series User's Guide 98 - ZyXEL USG FLEX 700 | User Guide - Page 99
secret from which encryption keys are derived. • IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP is important when connecting to existing enterprise Wizard - Configuration Click Next to continue the wizard. ZyWALL USG FLEX Series User's Guide 99 - ZyXEL USG FLEX 700 | User Guide - Page 100
of the VPN tunnel's configuration and commands you can copy and paste into another ZLD-based Zyxel Device's command line interface to configure it. ZyWALL USG FLEX Series User's Guide 100 - ZyXEL USG FLEX 700 | User Guide - Page 101
IP address of the Zyxel Device in the Zyxel Device IPSec VPN Client to get all these VPN settings automatically from the Zyxel Device. ZyWALL USG FLEX Series User's Guide 101 - ZyXEL USG FLEX 700 | User Guide - Page 102
button as shown in Figure 82 on page 98 to display the following screen. Figure 87 VPN for Configuration Provisioning Advanced Wizard: Scenario Settings ZyWALL USG FLEX Series User's Guide 102 - ZyXEL USG FLEX 700 | User Guide - Page 103
derived. • IKEv2 supports Extended Authentication Protocol (EAP) authentication, and IKEv1 supports X-Auth. EAP USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 104
packet data. MD5 gives minimal security. SHA1 gives higher security and SHA256 gives the highest security. The stronger the algorithm, the slower it is. ZyWALL USG FLEX Series User's Guide 104 - ZyXEL USG FLEX 700 | User Guide - Page 105
when the SA life time expires. 4.4.8 VPN Settings for Configuration Provisioning Advanced Wizard Summary This is a read-only summary of the VPN tunnel settings. ZyWALL USG FLEX Series User's Guide 105 - ZyXEL USG FLEX 700 | User Guide - Page 106
: Any displays in this field because it is not configurable in this wizard. Phase 1 • Negotiation Mode: This displays Main or Aggressive: • Main encrypts the ZyWALL/USG's and remote IPSec router's identities but takes more time to establish the IKE SA. ZyWALL USG FLEX Series User's Guide 106 - ZyXEL USG FLEX 700 | User Guide - Page 107
4 Quick Setup Wizards • Aggressive is faster but does not encrypt the identities. The ZyWALL/USG and the remote IPSec router must use the same negotiation mode. Multiple SAs connecting through a get from the Zyxel Device. Click Save to save the VPN rule. ZyWALL USG FLEX Series User's Guide 107 - ZyXEL USG FLEX 700 | User Guide - Page 108
up an L2TP VPN rule. Click Configuration > Quick Setup > VPN Setup and select VPN Settings for L2TP VPN Settings to see the following screen. ZyWALL USG FLEX Series User's Guide 108 - ZyXEL USG FLEX 700 | User Guide - Page 109
. This value is case-sensitive. • My Address (interface): Select one of the interfaces from the pull down menu to apply the L2TP VPN rule. ZyWALL USG FLEX Series User's Guide 109 - ZyXEL USG FLEX 700 | User Guide - Page 110
VPN, DDNS and the time server. 4.5.3 VPN Settings for L2TP VPN Setting Wizard - Summary This is a read-only summary of the L2TP VPN settings. ZyWALL USG FLEX Series User's Guide 110 - ZyXEL USG FLEX 700 | User Guide - Page 111
address pool used to assign to the L2TP VPN clients. Click Save to complete the L2TP VPN Setting and the following screen will show. ZyWALL USG FLEX Series User's Guide 111 - ZyXEL USG FLEX 700 | User Guide - Page 112
rule settings appear in the Configuration > VPN > L2TP VPN screen and also in the Configuration > VPN > IPSec VPN > VPN Connection and VPN Gateway screen. ZyWALL USG FLEX Series User's Guide 112 - ZyXEL USG FLEX 700 | User Guide - Page 113
general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re- troubleshooting, and other information. The following screen is an example of a Brand 2.0 web configurator web style. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 114
Chapter 5 Dashboard Figure 97 Dashboard USG FLEX The following table describes the labels in this screen. Table 20 Dashboard LABEL DESCRIPTION Refresh Now cursor over a connected interface or slot. Name This field displays the name of each interface. ZyWALL USG FLEX Series User's Guide 114 - ZyXEL USG FLEX 700 | User Guide - Page 115
domain name. Serial Number This field displays the serial number of this Zyxel Device. The serial number is used for device tracking and control. ZyWALL USG FLEX Series User's Guide 115 - ZyXEL USG FLEX 700 | User Guide - Page 116
changes to the date, time and time zone information. 5.2.3 Tx/Rx Statistics This screen displays a line graph of packet statistics for each physical port. ZyWALL USG FLEX Series User's Guide 116 - ZyXEL USG FLEX 700 | User Guide - Page 117
the destination address (if any) in the packet that generated the log. 5.2.5 System Resources Screen Click the bar to see a graphic on that resource. ZyWALL USG FLEX Series User's Guide 117 - ZyXEL USG FLEX 700 | User Guide - Page 118
look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. The following screen will show. ZyWALL USG FLEX Series User's Guide 118 - ZyXEL USG FLEX 700 | User Guide - Page 119
, clear this field, and then click Apply. 5.2.7 Number of Login Users Screen Click the Number of Login Users link to see the following screen. ZyWALL USG FLEX Series User's Guide 119 - ZyXEL USG FLEX 700 | User Guide - Page 120
> Current Login User 5.2.9 VPN Status Click on the link to look at the VPN tunnels that are currently established. Figure 106 Dashboard > VPN Status ZyWALL USG FLEX Series User's Guide 120 - ZyXEL USG FLEX 700 | User Guide - Page 121
Advanced Threat Protection Screen Use the Advanced Threat Protection screen to check security status information about the Zyxel Device. Figure 108 Dashboard > Advanced Threat Protection - USG FLEX Series This screen gives the following information: ZyWALL USG FLEX Series User's Guide 121 - ZyXEL USG FLEX 700 | User Guide - Page 122
the most • Reputation filter reports • URL Threat filter reports • Threat statistics Click the Refresh icon to update the information in the window right away. ZyWALL USG FLEX Series User's Guide 122 - ZyXEL USG FLEX 700 | User Guide - Page 123
PART II Technical Reference 123 - ZyXEL USG FLEX 700 | User Guide - Page 124
the System Status > Session Monitor screen (see Section 6.5 on page 135) to view sessions by user or service. • Use the System Status > Login Users screen (Section 6.6 on page 137) to look at a to a virtual server between multiple real (physical) servers. ZyWALL USG FLEX Series User's Guide 124 - ZyXEL USG FLEX 700 | User Guide - Page 125
. You can change the way the log is displayed, you can email the log, and you can also clear the log in this screen. ZyWALL USG FLEX Series User's Guide 125 - ZyXEL USG FLEX 700 | User Guide - Page 126
the physical port since it was last connected. This field displays the number of collisions on the physical port since it was last connected. ZyWALL USG FLEX Series User's Guide 126 - ZyXEL USG FLEX 700 | User Guide - Page 127
. bps The y-axis represents the speed of transmission or reception. time The x-axis shows the time period over which the transmission or reception occurred ZyWALL USG FLEX Series User's Guide 127 - ZyXEL USG FLEX 700 | User Guide - Page 128
screen lists all of the Zyxel Device's interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Summary to access this screen. ZyWALL USG FLEX Series User's Guide 128 - ZyXEL USG FLEX 700 | User Guide - Page 129
, click this to look at the status of virtual interfaces on top of this interface. Port/Binding This field displays the physical port number. ZyWALL USG FLEX Series User's Guide 129 - ZyXEL USG FLEX 700 | User Guide - Page 130
DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network. Action Use this field to get or to update the IP address for the interface. Click entry is active and dimmed when the entry is inactive. ZyWALL USG FLEX Series User's Guide 130 - ZyXEL USG FLEX 700 | User Guide - Page 131
. This is either the static IPv6 address of the interface (if it is the master) or the management IPv6 address (if it is a backup). ZyWALL USG FLEX Series User's Guide 131 - ZyXEL USG FLEX 700 | User Guide - Page 132
packets. Please see Table 32 on page 133 for more information. • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic and how ; you have to start and stop it manually on the Traffic Statistics screen. ZyWALL USG FLEX Series User's Guide 132 - ZyXEL USG FLEX 700 | User Guide - Page 133
the most traffic and how much traffic has been sent to and from each one. • Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one. • Web Site Hits - displays the the byte count limit. See Table 33 on page 134. ZyWALL USG FLEX Series User's Guide 133 - ZyXEL USG FLEX 700 | User Guide - Page 134
bytes, Kbytes, Mbytes, Gbytes, or Tbytes, depending on the amount of traffic for the particular protocol or service port. The count starts over at zero if the number of bytes passes the byte count limit. See Table . 264 hits; this is over 1.8 x 1019 hits. ZyWALL USG FLEX Series User's Guide 134 - ZyXEL USG FLEX 700 | User Guide - Page 135
by the User, Service, Source Address, and Destination Address, and display each session individually (sorted by user). Click this button to update the information on the screen. The screen also refreshes automatically when you open and close the screen. ZyWALL USG FLEX Series User's Guide 135 - ZyXEL USG FLEX 700 | User Guide - Page 136
pull down menu on the right to choose sorting method. This field displays the user in each active session. Service If you are looking at the sessions by users (or all sessions) report, click + or - to display the length of the active session in seconds. ZyWALL USG FLEX Series User's Guide 136 - ZyXEL USG FLEX 700 | User Guide - Page 137
when you move your mouse over it. If the external user matches two external-group objects, both external-group object names will be shown. ZyWALL USG FLEX Series User's Guide 137 - ZyXEL USG FLEX 700 | User Guide - Page 138
user name and password that allows a guest user to access the Internet or the Zyxel Device's services in a specified period of time. Multiple dynamic guest accounts can be automatically generated at one time of Internet access for the dynamic user account. ZyWALL USG FLEX Series User's Guide 138 - ZyXEL USG FLEX 700 | User Guide - Page 139
of company newsletters, updating address book of mobile computer users in the field allowing more efficient use of resources when supporting these types of applications. Click Monitor > System Status > IGMP Statistics to open the following screen. ZyWALL USG FLEX Series User's Guide 139 - ZyXEL USG FLEX 700 | User Guide - Page 140
the Zyxel Device's DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen. Figure 117 Monitor > System Status > DDNS Status ZyWALL USG FLEX Series User's Guide 140 - ZyXEL USG FLEX 700 | User Guide - Page 141
displays the name used to identify this device on the network (the computer name). The Zyxel Device learns these from the DHCP client requests. ZyWALL USG FLEX Series User's Guide 141 - ZyXEL USG FLEX 700 | User Guide - Page 142
. Extension Slot This field displays where the entry's cellular card is located. Connected Device This field displays the model name of the cellular card. ZyWALL USG FLEX Series User's Guide 142 - ZyXEL USG FLEX 700 | User Guide - Page 143
connection. Service Provider This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the mobile broadband card. For example if the bill has not been paid or the account has expired. ZyWALL USG FLEX Series User's Guide 143 - ZyXEL USG FLEX 700 | User Guide - Page 144
is located. Service Provider This displays the name of your network service provider. This shows Limited Service if the service provider has stopped service to the mobile broadband card. For example if the bill has not been paid or the account has expired. ZyWALL USG FLEX Series User's Guide 144 - ZyXEL USG FLEX 700 | User Guide - Page 145
strength mainly depends on the antenna output power and the distance between your Zyxel Device and the service provider's base station. This shows the name of the company that produced the mobile broadband number of the UPnP-created NAT mapping rule entry. ZyWALL USG FLEX Series User's Guide 145 - ZyXEL USG FLEX 700 | User Guide - Page 146
field displays how much of the USB storage device's capacity is currently being used out of its total capacity and what percentage that makes. ZyWALL USG FLEX Series User's Guide 146 - ZyXEL USG FLEX 700 | User Guide - Page 147
supports. Ready - you can have the Zyxel Device use the USB storage device. Click Remove Now to stop the Zyxel Device from using the USB storage device so you can remove it. Unused - the connected USB storage device was manually to see the following screen ZyWALL USG FLEX Series User's Guide 147 - ZyXEL USG FLEX 700 | User Guide - Page 148
P3 as the first internal interface port number. IP Address MAC Address Refresh For Zyxel Devices that support Port Role, if ports 3 to 5 are grouped together and there is a connection to P5 Address or Configuration > Object > Address/Geo IP > Address Group. ZyWALL USG FLEX Series User's Guide 148 - ZyXEL USG FLEX 700 | User Guide - Page 149
. IPv6 FQDN Object Cache List You must first configure IPv6 FQDN objects in Configuration > Object > Address/Geo IP in the IPv6 Address Configuration field. ZyWALL USG FLEX Series User's Guide 149 - ZyXEL USG FLEX 700 | User Guide - Page 150
for more information on virtual load balancing server. Click Monitor > Virtual Server LB to see the following screen Figure 125 Monitor > Virtual Server LB ZyWALL USG FLEX Series User's Guide 150 - ZyXEL USG FLEX 700 | User Guide - Page 151
service. Refresh Click this button to update the information on the screen. 6.17 AP Information: AP List The AP Information menu contains AP List, Radio List, Top N APs and Single AP screens. Click Monitor > Wireless > AP Information to display the AP List screen. ZyWALL USG FLEX Series - ZyXEL USG FLEX 700 | User Guide - Page 152
Conflict: APs with configurations in conflict with the Zyxel Device (see More Details) • Non Support: APs with features not supported by the Zyxel Device (see More Details) • Updating: APs that are have updated this button to force the AP(s) to restart. ZyWALL USG FLEX Series User's Guide 152 - ZyXEL USG FLEX 700 | User Guide - Page 153
before the APs can use DCS. More Information Radio Information Query Controller Log Nebula Note: DCS is not supported on the radio which is working in repeater AP mode. Select an AP and click this to view button. This field displays the CPU Usage of the AP. ZyWALL USG FLEX Series User's Guide 153 - ZyXEL USG FLEX 700 | User Guide - Page 154
power adapter and/or through a PoE switch/injector using IEEE 802.3at PoE plus. The PoE device that supports IEEE 802.3at PoE Plus can supply power of up to 30W per Ethernet port. Limited - the AP AP's uplink port speed and duplex mode (Full or Half). ZyWALL USG FLEX Series User's Guide 154 - ZyXEL USG FLEX 700 | User Guide - Page 155
with other BLE enabled devices using advertisements. N/A displays if the AP does not support BLE. Unavailable displays if the AP supports Bluetooth, but there is no BLE USB dongle connected to the USB port of screen. Use this screen to look at configuration ZyWALL USG FLEX Series User's Guide 155 - ZyXEL USG FLEX 700 | User Guide - Page 156
. Non Support If any of the AP's configuration conflicts with the Zyxel Device's settings for the AP, this field displays which configuration conflicts. It displays n/a if none of the AP's configuration conflicts with the Zyxel Device's settings for the AP. ZyWALL USG FLEX Series User's Guide 156 - ZyXEL USG FLEX 700 | User Guide - Page 157
internal interface port number. IP Address MAC Address Station Count Last Update OK Cancel For Zyxel Devices that support Port Role, if ports 3 to 5 are grouped together and there is a connection to P5 only to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 157 - ZyXEL USG FLEX 700 | User Guide - Page 158
Chapter 6 Monitor 6.17.2 AP List: Edit AP Select an AP and click the Edit Selected Rule button in the Monitor > Wireless > AP Information > AP List table to display this screen. Figure 128 Monitor > Wireless > AP Information > AP List > Edit AP ZyWALL USG FLEX Series User's Guide 158 - ZyXEL USG FLEX 700 | User Guide - Page 159
an SSID profile with the radio. Select an SSID and click this button to reassign it. The selected SSID becomes editable immediately upon clicking. ZyWALL USG FLEX Series User's Guide 159 - ZyXEL USG FLEX 700 | User Guide - Page 160
Address Select this if you want to specify the IP address, subnet mask, gateway and DNS server address manually. IP Address Enter the IP address for the AP. Subnet Mask Enter the subnet mask of the AP the LEDs will stay lit after theZyxel Device is ready. ZyWALL USG FLEX Series User's Guide 160 - ZyXEL USG FLEX 700 | User Guide - Page 161
DESCRIPTION Power Setting Select this check box if you are using a PoE injector that does not support PoE negotiation. Otherwise, the Zyxel Device cannot draw full power from the power sourcing equipment. , and it is not associated with a specific radio. ZyWALL USG FLEX Series User's Guide 161 - ZyXEL USG FLEX 700 | User Guide - Page 162
does not allow you to adjust coverage depending on the orientation of the antenna for each radio using the web configurator or a physical switch. ZyWALL USG FLEX Series User's Guide 162 - ZyXEL USG FLEX 700 | User Guide - Page 163
, select an entry and click the More Information button on the Radio List screen. Figure 130 Monitor > Wireless > AP Information > Radio List > More Information ZyWALL USG FLEX Series User's Guide 163 - ZyXEL USG FLEX 700 | User Guide - Page 164
number of connected wireless stations. x-axis The x-axis represents the time over which a wireless client was connected. Refresh Click Refresh to update this screen. ZyWALL USG FLEX Series User's Guide 164 - ZyXEL USG FLEX 700 | User Guide - Page 165
all the wireless stations that have connected to the AP for the preceding 24 hours. The y-axis represents the number of connected wireless stations. ZyWALL USG FLEX Series User's Guide 165 - ZyXEL USG FLEX 700 | User Guide - Page 166
represents the amount of traffic in megabytes/gigabytes. x-axis The x-axis represents the time over which wireless traffic flows transmitting from/to the AP. ZyWALL USG FLEX Series User's Guide 166 - ZyXEL USG FLEX 700 | User Guide - Page 167
the managed AP first associated with the root AP or repeater. This field displays the MAC address of the managed AP (in repeater mode). ZyWALL USG FLEX Series User's Guide 167 - ZyXEL USG FLEX 700 | User Guide - Page 168
SSID is defined, Security Mode This indicates which secure encryption methods is being used by the SSID. Refresh Click Refresh to update this screen. ZyWALL USG FLEX Series User's Guide 168 - ZyXEL USG FLEX 700 | User Guide - Page 169
displays the IP address of the station. This field displays the number of the channel used by the station to connect to the network. ZyWALL USG FLEX Series User's Guide 169 - ZyXEL USG FLEX 700 | User Guide - Page 170
This displays the supported standard currently being used by the station or the standards supported by the station. 802.11 Features This displays whether the station supports IEEE802.11r, IEEE . Figure 136 Monitor > Wireless > Station Info > Top N Stations ZyWALL USG FLEX Series User's Guide 170 - ZyXEL USG FLEX 700 | User Guide - Page 171
hours. y-axis This axis represents the amount of data moved across this station in megabytes per second. Refresh Click Refresh to update this screen. ZyWALL USG FLEX Series User's Guide 171 - ZyXEL USG FLEX 700 | User Guide - Page 172
This indicates the 802.11 mode (a/b/g/n) transmitted by the detected device. Security This indicates the encryption method (if any) used by the detected device. ZyWALL USG FLEX Series User's Guide 172 - ZyXEL USG FLEX 700 | User Guide - Page 173
firmware version of the printer. MAC This shows n/a when the printer status is sync fail. This field displays the MAC address of the printer. ZyWALL USG FLEX Series User's Guide 173 - ZyXEL USG FLEX 700 | User Guide - Page 174
. This field displays N/A if the IPSec SA uses manual keys. Timeout This field displays how many seconds remain in the SA life time, before the Zyxel Device automatically disconnects the IPSec SA. This field displays N/A if the IPSec SA uses manual keys. ZyWALL USG FLEX Series User's Guide 174 - ZyXEL USG FLEX 700 | User Guide - Page 175
users and delete related session information. Once a user logs out, the corresponding entry is removed from the screen. Figure 141 Monitor > VPN Monitor > SSL ZyWALL USG FLEX Series User's Guide 175 - ZyXEL USG FLEX 700 | User Guide - Page 176
the L2TP VPN tunnel. Public IP This field displays the public IP address that the remote user is using to connect to the Internet. ZyWALL USG FLEX Series User's Guide 176 - ZyXEL USG FLEX 700 | User Guide - Page 177
matched an application policy set to "reject". This is how much of the application's traffic the Zyxel Device identified by examining the IP payload. ZyWALL USG FLEX Series User's Guide 177 - ZyXEL USG FLEX 700 | User Guide - Page 178
back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. Click this button to update the report display. ZyWALL USG FLEX Series User's Guide 178 - ZyXEL USG FLEX 700 | User Guide - Page 179
they contained one of the content filtering custom service's list of forbidden keywords. 6.33 The Anti-Malware Screen Click Monitor > Security Statistics > Anti-Malware > Summary to display the following screen. This screen displays anti-malware statistics. ZyWALL USG FLEX Series User's Guide 179 - ZyXEL USG FLEX 700 | User Guide - Page 180
to add it to the anti-malware white list. Select an entry and click this to remove it from the anti-malware white list. ZyWALL USG FLEX Series User's Guide 180 - ZyXEL USG FLEX 700 | User Guide - Page 181
. Figure 148 Monitor > Security Statistics > Anti-Malware > Summary: Destination IP The statistics display as follows when you display the top entries by destination IPv6. ZyWALL USG FLEX Series User's Guide 181 - ZyXEL USG FLEX 700 | User Guide - Page 182
displays the total number of URLs that have been scanned. This field displays the total number of the hit counts on the scanned URLs. ZyWALL USG FLEX Series User's Guide 182 - ZyXEL USG FLEX 700 | User Guide - Page 183
> Summary to display the following screen. This screen displays IDP (Intrusion Detection and Prevention) statistics. Figure 151 Monitor > Security Statistics > IDP > Summary: Signature Name ZyWALL USG FLEX Series User's Guide 183 - ZyXEL USG FLEX 700 | User Guide - Page 184
the entry. Click this to add this signature to the IDP white list. Click this to remove this signature from the IDP white list. ZyWALL USG FLEX Series User's Guide 184 - ZyXEL USG FLEX 700 | User Guide - Page 185
Monitor > Security Statistics > Email Security > Summary to display the following screen. This screen displays spam statistics. Figure 154 Monitor > Security Statistics > Email Security > Summary ZyWALL USG FLEX Series User's Guide 185 - ZyXEL USG FLEX 700 | User Guide - Page 186
Device can check the sender and relay IP addresses in an email's header against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). This is the number of emails that had a sender or relay Device forwards or drops sessions that exceed this threshold. ZyWALL USG FLEX Series User's Guide 186 - ZyXEL USG FLEX 700 | User Guide - Page 187
client and email server (or two email servers) connect through the Zyxel Device. Click this button to update the information displayed on this screen. ZyWALL USG FLEX Series User's Guide 187 - ZyXEL USG FLEX 700 | User Guide - Page 188
Zyxel Device uses SSL Inspection to decrypt SSL traffic, sends it to the Security Service engines for inspection, then encrypts traffic that passes inspection and forwards it. You must . Figure 156 Monitor > Security Statistics > SSL Inspection > Summaryt ZyWALL USG FLEX Series User's Guide 188 - ZyXEL USG FLEX 700 | User Guide - Page 189
(KB) of data that was decrypted for Security Service inspection. This shows the number of kilobytes (KB) of data that was re-encrypted after Security Service inspection and then forwarded. This shows the number option to add that traffic to the Exclude List. ZyWALL USG FLEX Series User's Guide 189 - ZyXEL USG FLEX 700 | User Guide - Page 190
this SSL session. SSL Version This field shows the SSL version. SSLv3/TLS1.0 is currently supported. Destination This displays the IP address and port number of the SSL traffic destination server. Debug Log. All debugging messages have the same priority. ZyWALL USG FLEX Series User's Guide 190 - ZyXEL USG FLEX 700 | User Guide - Page 191
shown, the Category, Priority, Source Address, Destination Address, Source Interface, Destination Interface, Service, Keyword, Protocol and Search fields are available. Select the type of log message(s) This field is grayed out if the Category is Debug Log. ZyWALL USG FLEX Series User's Guide 191 - ZyXEL USG FLEX 700 | User Guide - Page 192
quotes, and brackets are not allowed. Protocol This displays when you show the filter. Select a service protocol whose log messages you would like to see. Search This displays when you show the filter. > Log > View AP Log to open the following screen. ZyWALL USG FLEX Series User's Guide 192 - ZyXEL USG FLEX 700 | User Guide - Page 193
when the log message was generated. Select a policy service available from Zyxel Device from the pull down menu. Type a keyword of the policy service available from Zyxel Device to search for a log. Select the protocol of the AP from the pull down menu. ZyWALL USG FLEX Series User's Guide 193 - ZyXEL USG FLEX 700 | User Guide - Page 194
to specify a time period. The Zyxel Device displays log messages only for the accounts created during the specified time period after you click Search. ZyWALL USG FLEX Series User's Guide 194 - ZyXEL USG FLEX 700 | User Guide - Page 195
. Payment Info This field displays the method of payment for each account. Phone Num This field displays the telephone number for the user account. ZyWALL USG FLEX Series User's Guide 195 - ZyXEL USG FLEX 700 | User Guide - Page 196
. The subscription services you can use on the Zyxel Device vary depending on the security pack license you purchase. See the table below for services available in each pack. You can purchase an iCard and enter its license key at myZyxel to extend a service. ZyWALL USG FLEX Series User's Guide 196 - ZyXEL USG FLEX 700 | User Guide - Page 197
an iCard and enter the iCard's PIN number (license key) at myZyxel. Click Activate in this screen to enable both Trial and Standard services on this Zyxel Device. Click Configuration > Licensing > Registration > Service to open the screen as shown next. ZyWALL USG FLEX Series User's Guide 197 - ZyXEL USG FLEX 700 | User Guide - Page 198
> Registration > Service - USG FLEX 500 The following table describes the labels in this screen. Table 80 Configuration > Licensing > Registration > Service LABEL DESCRIPTION Service Status # This and use the Zyxel Device Hotspot at the same time. ZyWALL USG FLEX Series User's Guide 198 - ZyXEL USG FLEX 700 | User Guide - Page 199
a service registration to update the system-protection signatures. • Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network. • Your custom signature configurations are not over-written when you download new signatures. ZyWALL USG FLEX - ZyXEL USG FLEX 700 | User Guide - Page 200
the time and day specified. You should select a time when your network is not busy for minimal interruption. 7.2.3 Auto Update Click the Schedule icon of a service to display the following screen. ZyWALL USG FLEX Series User's Guide 200 - ZyXEL USG FLEX 700 | User Guide - Page 201
for new signatures once a week on the day and at the time specified. Click this button to save your changes to the Zyxel Device. ZyWALL USG FLEX Series User's Guide 201 - ZyXEL USG FLEX 700 | User Guide - Page 202
supported Access Points (APs). Supported APs should be in managed mode. See the product page Licenses tab for a list of supported -powered Wi-Fi tags be part of Ekahau RTLS (Real Time Location Service). RTLS can track the location of APs managed by the Zyxel Device USG FLEX Series User's Guide 202 - ZyXEL USG FLEX 700 | User Guide - Page 203
select Manual. 5 Under Primary static AC IP, enter the IP address of the Zyxel Device. 6 Click Apply. The Zyxel Device can now manage the AP. 8.2.3 Connecting an AP to the Zyxel Device Using DHCP Option 138 1 Ensure that the Zyxel Device has a static IP address. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 204
currently or used to be connected to the Zyxel Device. Select NebulaFlexPRO to show the APs that can work in Nebula cloud management mode. ZyWALL USG FLEX Series User's Guide 204 - ZyXEL USG FLEX 700 | User Guide - Page 205
selected AP doesn't support suppression mode. Select an AP and click this button to run the locator feature. The AP's Locator LED will start to blink for 10 minutes by default. It will show the actual location of the AP between several devices on the network. ZyWALL USG FLEX Series User's Guide 205 - ZyXEL USG FLEX 700 | User Guide - Page 206
the Zyxel Device last started up. This displays the AP LED status. N/A displays if the AP does not support LED suppression mode and/or have a locator LED to show the actual location of the AP. A gray to the Zyxel Device. Click Refresh to update the AP list. ZyWALL USG FLEX Series User's Guide 206 - ZyXEL USG FLEX 700 | User Guide - Page 207
Chapter 8 Wireless 8.3.1.1 Edit AP List Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen. Figure 167 Configuration > Wireless > AP Management > Mgnt. AP List > Edit AP List ZyWALL USG FLEX Series User's Guide 207 - ZyXEL USG FLEX 700 | User Guide - Page 208
Each AP can belong to up to two groups. Select this option to overwrite the AP radio settings with the settings you configure here. ZyWALL USG FLEX Series User's Guide 208 - ZyXEL USG FLEX 700 | User Guide - Page 209
it cannot receive connections from wireless clients. Root AP means the radio acts as an AP and also supports the wireless connections with other APs (in repeater mode) to form a ZyMesh to extend its wireless setting to match the configuration in this screen. ZyWALL USG FLEX Series User's Guide 209 - ZyXEL USG FLEX 700 | User Guide - Page 210
address manually. IP supports LED suppression mode. Select this option to enable the AP's LED suppression mode. All the LEDs of the AP will turn off after the AP is ready. If the check box is unchecked, it means the LEDs will stay lit after the AP is ready. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 211
the power mode to full power if you are using a PoE injector that does not support PoE negotiation. Otherwise, the AP cannot draw full power from the power sourcing equipment. Enable this screen. Figure 168 Configuration > Wireless > AP Management > AP Policy ZyWALL USG FLEX Series User's Guide 211 - ZyXEL USG FLEX 700 | User Guide - Page 212
AP(s) automatically send broadcast packets to find any other available AP controllers. Select Manual to replace the AP controller's IP address configured on the managed AP(s) with this screen. Figure 169 Configuration > Wireless > AP Management > AP Group ZyWALL USG FLEX Series User's Guide 212 - ZyXEL USG FLEX 700 | User Guide - Page 213
profile before the APs can use DCS. # Group Name Member Count Apply Reset Note: DCS is not supported on the radio which is working in repeater AP mode. This is the index number of the group in Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 213 - ZyXEL USG FLEX 700 | User Guide - Page 214
button in the Configuration > Wireless > AP Management > AP Group table to display this screen. Figure 170 Configuration > Wireless > AP Management > AP Group > Add/Edit ZyWALL USG FLEX Series User's Guide 214 - ZyXEL USG FLEX 700 | User Guide - Page 215
cannot receive connections from wireless clients. Root AP means the radio acts as an AP and also supports the wireless connections with other APs (in repeater mode) to form a ZyMesh to extend its wireless reduces the Zyxel Device's effective broadcast radius. ZyWALL USG FLEX Series User's Guide 215 - ZyXEL USG FLEX 700 | User Guide - Page 216
the Zyxel Device. Use this section to configure wireless network traffic load balancing between the managed APs in this group. Note: Load balancing is not supported on the radio which is working in root AP or repeater AP mode. ZyWALL USG FLEX Series User's Guide 216 - ZyXEL USG FLEX 700 | User Guide - Page 217
group. Select the APs that you want to add to the group you are editing, and click the right arrow button to add them. ZyWALL USG FLEX Series User's Guide 217 - ZyXEL USG FLEX 700 | User Guide - Page 218
group will be deselected. 8.3.4 Firmware The Zyxel Device stores an AP firmware in order to manage supported APs. This screen allows the Zyxel Device to check for and download new AP firmware when it becomes is using before downloading the new AP firmware. ZyWALL USG FLEX Series User's Guide 218 - ZyXEL USG FLEX 700 | User Guide - Page 219
version on the Zyxel Device. The Zyxel Device must have the latest AP firmware to manage all supported APs. This field displays if there is a later AP firmware version available on the firmware the latest AP firmware version available on the firmware server. ZyWALL USG FLEX Series User's Guide 219 - ZyXEL USG FLEX 700 | User Guide - Page 220
control of the network administrator, and which can potentially open up holes in a network's security. Click Configuration > Wireless > Rogue AP to access this screen. ZyWALL USG FLEX Series User's Guide 220 - ZyXEL USG FLEX 700 | User Guide - Page 221
rogue status. Edit Select an AP in the list to edit and reassign its status. Remove Select an AP in the list to remove. ZyWALL USG FLEX Series User's Guide 221 - ZyXEL USG FLEX 700 | User Guide - Page 222
the selected AP. Dis-Containment A quarantined AP cannot grant access to any network services. Any stations that attempt to connect to a quarantined AP are disconnected automatically. Click for the AP's description. Spaces and underscores are allowed. ZyWALL USG FLEX Series User's Guide 222 - ZyXEL USG FLEX 700 | User Guide - Page 223
service coverage areas. Apply Reset When the failed AP is working again, its neighbor APs return their output power to the original level. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 224
(Section 8.6.3 on page 225) to use the managed APs as part of an Ekahau RTLS (Real Time Location Service) to track the location of Ekahau Wi-Fi tags. 8.6.2 Before You Begin You need: • At least three the Ekahau Wi-Fi tags • A dedicated RTLS SSID is recommended ZyWALL USG FLEX Series User's Guide 224 - ZyXEL USG FLEX 700 | User Guide - Page 225
tags. IP Address Specify the IP address of the Ekahau RTLS Controller. Server Port Specify the server port number of the Ekahau RTLS Controller. ZyWALL USG FLEX Series User's Guide 225 - ZyXEL USG FLEX 700 | User Guide - Page 226
If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has trio. Figure 178 An Example Four-Channel Deployment ZyWALL USG FLEX Series User's Guide 226 - ZyXEL USG FLEX 700 | User Guide - Page 227
the AP hits its bandwidth cap then all new connections must basically wait for their turn or get shunted to the nearest identical AP. ZyWALL USG FLEX Series User's Guide 227 - ZyXEL USG FLEX 700 | User Guide - Page 228
balancing. 9.1.2 What You Need to Know Interface Characteristics Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface). ZyWALL USG FLEX Series User's Guide 228 - ZyXEL USG FLEX 700 | User Guide - Page 229
Device. You can also assign an IP address and subnet mask to the bridge. • PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP/L2TP interfaces. • Cellular Yes Yes Interface Parameters VIRTUAL ** No Yes No Yes ZyWALL USG FLEX Series User's Guide 229 - ZyXEL USG FLEX 700 | User Guide - Page 230
interface VLAN interface bridge interface physical port Ethernet interface Ethernet interface* PPP interface VLAN interface* Ethernet interface* VLAN interface* bridge interface WAN1, WAN2, OPT* ZyWALL USG FLEX Series User's Guide 230 - ZyXEL USG FLEX 700 | User Guide - Page 231
a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) from the left is the network prefix. ZyWALL USG FLEX Series User's Guide 231 - ZyXEL USG FLEX 700 | User Guide - Page 232
Router Advertisement An IPv6 router sends router advertisement messages periodically to advertise its presence and other parameters to the hosts on the same network. ZyWALL USG FLEX Series User's Guide 232 - ZyXEL USG FLEX 700 | User Guide - Page 233
to Do First For IPv6 settings, go to the Configuration > System > IPv6 screen to enable IPv6 support on the Zyxel Device first. 9.2 Port Role To access this screen, click Configuration > Network > Figure 180 Configuration > Network > Interface > Port Role ZyWALL USG FLEX Series User's Guide 233 - ZyXEL USG FLEX 700 | User Guide - Page 234
to display the configuration screen. Note: You cannot configure the speed and duplex mode of fiber ports. Figure 181 Configuration > Network > Interface > Port Configuration ZyWALL USG FLEX Series User's Guide 234 - ZyXEL USG FLEX 700 | User Guide - Page 235
amount of bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. Use supports the following routing protocols: RIP, OSPF and BGP. See Chapter 10 on page 336 for background information about these routing protocols. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 236
dimmed when the entry is inactive. Name This field displays the name of the interface. Description This field displays the description of the interface. ZyWALL USG FLEX Series User's Guide 236 - ZyXEL USG FLEX 700 | User Guide - Page 237
, send routing information, or do both. • Select which version of RIP to support in each direction - The Zyxel Device supports RIP-1, RIP-2, and both versions. • Select the broadcasting method used by RIP-2 identify the DR or BDR if one does not exist. ZyWALL USG FLEX Series User's Guide 237 - ZyXEL USG FLEX 700 | User Guide - Page 238
closer to the multicast server (MS). • Enable IGMP Downstream on the Zyxel Device interface which connects to the multicast hosts. Figure 183 IGMP Proxy ZyWALL USG FLEX Series User's Guide 238 - ZyXEL USG FLEX 700 | User Guide - Page 239
Chapter 9 Interfaces Figure 184 Configuration > Network > Interface > Ethernet > Edit (External Type) ZyWALL USG FLEX Series User's Guide 239 - ZyXEL USG FLEX 700 | User Guide - Page 240
Chapter 9 Interfaces Configuration > Network > Interface > Ethernet > Edit (External Type ZyWALL USG FLEX Series User's Guide 240 - ZyXEL USG FLEX 700 | User Guide - Page 241
Chapter 9 Interfaces Figure 185 Configuration > Network > Interface > Ethernet > Edit (Internal Type) ZyWALL USG FLEX Series User's Guide 241 - ZyXEL USG FLEX 700 | User Guide - Page 242
Chapter 9 Interfaces Configuration > Network > Interface > Ethernet > Edit (Internal Type) ZyWALL USG FLEX Series User's Guide 242 - ZyXEL USG FLEX 700 | User Guide - Page 243
Chapter 9 Interfaces Figure 186 Configuration > Network > Interface > Ethernet > Edit (OPT) ZyWALL USG FLEX Series User's Guide 243 - ZyXEL USG FLEX 700 | User Guide - Page 244
not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface. Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long. ZyWALL USG FLEX Series User's Guide 244 - ZyXEL USG FLEX 700 | User Guide - Page 245
you want to specify the IP address, subnet mask, and gateway manually. IP Address Enter the IP address for this interface. Subnet the Zyxel Device uses the one that was configured first. Enable IGMP Support Select this to allow the Zyxel Device to act as an IGMP USG FLEX Series User's Guide 245 - ZyXEL USG FLEX 700 | User Guide - Page 246
is unique and used for identification purposes when the interface is exchanging DHCPv6 messages with others. See DHCPv6 on page 233 for more information. ZyWALL USG FLEX Series User's Guide 246 - ZyXEL USG FLEX 700 | User Guide - Page 247
Device. This helps hosts to choose their default router especially when there are multiple IPv6 router on the network. Note: Make sure the hosts also support router preference to make this function work. ZyWALL USG FLEX Series User's Guide 247 - ZyXEL USG FLEX 700 | User Guide - Page 248
this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500. ZyWALL USG FLEX Series User's Guide 248 - ZyXEL USG FLEX 700 | User Guide - Page 249
when Interface Type is internal or general. Select what type of DHCP service the Zyxel Device provides to the network. Choices are: None - the Zyxel Device does not provide any DHCP the network. These fields appear if the Zyxel Device is a DHCP Server. ZyWALL USG FLEX Series User's Guide 249 - ZyXEL USG FLEX 700 | User Guide - Page 250
and the Zyxel Device works as a DNS relay. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the DHCP option. This is the value set for the DHCP option. ZyWALL USG FLEX Series User's Guide 250 - ZyXEL USG FLEX 700 | User Guide - Page 251
interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make and 65,535) to route packets through this interface. ZyWALL USG FLEX Series User's Guide 251 - ZyXEL USG FLEX 700 | User Guide - Page 252
use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of interface ARP requests on behalf of a device on its internal interface. Interfaces supported are: Add • Ethernet • VLAN • Bridge See Section 9.4.2 on USG FLEX Series User's Guide 252 - ZyXEL USG FLEX 700 | User Guide - Page 253
summary screen where you can manually Route associate traffic with this interface. You must manually configure a policy route requests on behalf of a device on its internal interface. Interfaces supported are: • Ethernet • VLAN • Bridge The Zyxel Device sends its USG FLEX Series User's Guide 253 - ZyXEL USG FLEX 700 | User Guide - Page 254
requests on behalf of a device on a supported interface, select the interface, click Add or make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual interfaces do not provide DHCP services, and they do not verify that USG FLEX Series User's Guide 254 - ZyXEL USG FLEX 700 | User Guide - Page 255
to open the References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object. ZyWALL USG FLEX Series User's Guide 255 - ZyXEL USG FLEX 700 | User Guide - Page 256
it is not associated with any entry. Service This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window. Priority Click Cancel to exit without saving the setting. ZyWALL USG FLEX Series User's Guide 256 - ZyXEL USG FLEX 700 | User Guide - Page 257
of industry consortium compliance. First Information, Second Information If you selected VIVS (125), enter additional information for the corresponding enterprise number in these fields. ZyWALL USG FLEX Series User's Guide 257 - ZyXEL USG FLEX 700 | User Guide - Page 258
connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP/L2TP software on each computer on the network. ZyWALL USG FLEX Series User's Guide 258 - ZyXEL USG FLEX 700 | User Guide - Page 259
Summary This screen lists every PPPoE/PPTP/L2TP interface. To access this screen, click Configuration > Network > Interface > PPP. Figure 194 Configuration > Network > Interface > PPP ZyWALL USG FLEX Series User's Guide 259 - ZyXEL USG FLEX 700 | User Guide - Page 260
interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP interface. Disconnect References To disconnect an icon or an Edit icon on the PPP Interface screen. ZyWALL USG FLEX Series User's Guide 260 - ZyXEL USG FLEX 700 | User Guide - Page 261
Chapter 9 Interfaces Figure 195 Configuration > Network > Interface > PPP > Add ZyWALL USG FLEX Series User's Guide 261 - ZyXEL USG FLEX 700 | User Guide - Page 262
for the ISP account. This field is read-only. It displays the PPPoE service name specified in the ISP account. This field is blank if the ISP account manually. This field is enabled if you select Use Fixed IP Address. Enter the IP address for this interface. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 263
OK and reopen this screen. Select Client to obtain an IP address and DNS information from the service provider for the interface. Otherwise, select N/A to disable the function. This field displays the DHCP others. See DHCPv6 on page 233 for more information. ZyWALL USG FLEX Series User's Guide 263 - ZyXEL USG FLEX 700 | User Guide - Page 264
number of consecutive failures before the Zyxel Device stops routing through the gateway. Select this to use the default gateway for the connectivity check. ZyWALL USG FLEX Series User's Guide 264 - ZyXEL USG FLEX 700 | User Guide - Page 265
Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface. OK are the 4G candidate systems. 4G only supports allIP-based packet-switched telephony services and is required to offer Gigabit speed USG FLEX Series User's Guide 265 - ZyXEL USG FLEX 700 | User Guide - Page 266
. IS-95 is also known as TIA-EIA-95. Slow 2.5G Packetswitched GPRS (General Packet Radio Services), High-Speed Circuit-Switched Data (HSCSD), etc. CDMA2000 is a hybrid 2.5G / 3G protocol of Device with multiple WAN interfaces must be on different subnets. ZyWALL USG FLEX Series User's Guide 266 - ZyXEL USG FLEX 700 | User Guide - Page 267
click Connect. You might use this in testing the interface or to manually establish the connection. To disconnect an interface, select it and click supported mobile broadband dongle devices. You should have an Internet connection to access this website. ZyWALL USG FLEX Series User's Guide 267 - ZyXEL USG FLEX 700 | User Guide - Page 268
greater than the current version number, then click this button to download the latest list of supported mobile broadband dongle devices to the Zyxel Device. Apply Click Apply to save your changes back mobile broadband device in the previous pop-up window. ZyWALL USG FLEX Series User's Guide 268 - ZyXEL USG FLEX 700 | User Guide - Page 269
Chapter 9 Interfaces Figure 197 Configuration > Network > Interface > Cellular > Add / Edit ZyWALL USG FLEX Series User's Guide 269 - ZyXEL USG FLEX 700 | User Guide - Page 270
profile (use Profile 1 unless your ISP instructed you to do otherwise). APN Select Custom to be able to manually input the APN (Access Point Name) provided by your service provider. This field card. The Zyxel Device supports PAP (Password Authentication Protocol) USG FLEX Series User's Guide 270 - ZyXEL USG FLEX 700 | User Guide - Page 271
card's profile. If this field is configurable, enter the password for this SIM card exactly as the service provider gave it to you. Retype to Confirm SIM Card Setting PIN Code You can use 0 ~ seconds to wait for a response before the attempt is a failure. ZyWALL USG FLEX Series User's Guide 271 - ZyXEL USG FLEX 700 | User Guide - Page 272
service available to you in your region. Select auto to have the card connect to an available network. Choose this option if you do not know what networks are available. You may want to manually only appears when a USG dongle for 4G technology is inserted. ZyWALL USG FLEX Series User's Guide 272 - ZyXEL USG FLEX 700 | User Guide - Page 273
1 to 99 in the percentage fields. If you change the value after you configure and enable budget control, the Zyxel Device resets the statistics. ZyWALL USG FLEX Series User's Guide 273 - ZyXEL USG FLEX 700 | User Guide - Page 274
over an IPv4 network. At the time of writing, the Zyxel Device only supports GRE tunneling in IPv4 networks. Figure 198 GRE Tunnel Example IPv6 Over IPv4 set up a manual IPv6-in-IPv4 tunnel or an automatic 6to4 tunnel. The following describes each method: ZyWALL USG FLEX Series User's Guide 274 - ZyXEL USG FLEX 700 | User Guide - Page 275
such as two branch offices. Figure 200 IPv6-in-IPv4 Tunnel In the Zyxel Device, you must also manually configure a policy route for an IPv6-in-IPv4 tunnel to make the tunnel work. 6to4 Tunneling This mode 29. The IPv6 address prefix becomes 2002:ca9c:1e29::/48. ZyWALL USG FLEX Series User's Guide 275 - ZyXEL USG FLEX 700 | User Guide - Page 276
) icon is lit when the entry is active and dimmed when the entry is inactive. Name This field displays the name of the interface. ZyWALL USG FLEX Series User's Guide 276 - ZyXEL USG FLEX 700 | User Guide - Page 277
Add or Edit Screen This screen lets you configure a tunnel interface. Click Configuration > Network > Interface > Tunnel > Add (or Edit) to open the following screen. ZyWALL USG FLEX Series User's Guide 277 - ZyXEL USG FLEX 700 | User Guide - Page 278
a greater or lesser number of configuration fields. General Settings Enable Select this to enable this interface. Clear this to disable this interface. Interface Properties ZyWALL USG FLEX Series User's Guide 278 - ZyXEL USG FLEX 700 | User Guide - Page 279
the source address for the packets this interface tunnels to the remote gateway. The remote gateway sends traffic to this interface or IP address. ZyWALL USG FLEX Series User's Guide 279 - ZyXEL USG FLEX 700 | User Guide - Page 280
WAN trunk load balancing. Click this link to go to the screen where you can manually configure a policy route to associate traffic with this interface. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 280 - ZyXEL USG FLEX 700 | User Guide - Page 281
- If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN. ZyWALL USG FLEX Series User's Guide 281 - ZyXEL USG FLEX 700 | User Guide - Page 282
to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. 9.8.1 VLAN Summary Screen This screen Interface > VLAN. Figure 206 Configuration > Network > Interface > VLAN ZyWALL USG FLEX Series User's Guide 282 - ZyXEL USG FLEX 700 | User Guide - Page 283
Add/Edit Select an existing entry on the previous screen and click Edit or click Add to create a new entry. The following screen appears. ZyWALL USG FLEX Series User's Guide 283 - ZyXEL USG FLEX 700 | User Guide - Page 284
Chapter 9 Interfaces Figure 207 Configuration > Network > Interface > VLAN > Add /Edit ZyWALL USG FLEX Series User's Guide 284 - ZyXEL USG FLEX 700 | User Guide - Page 285
Chapter 9 Interfaces ZyWALL USG FLEX Series User's Guide 285 - ZyXEL USG FLEX 700 | User Guide - Page 286
ID For general, the rest of the screen's options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface. This field is read-only VLAN. Allowed values are 1 4094. (0 and 4095 are reserved.) ZyWALL USG FLEX Series User's Guide 286 - ZyXEL USG FLEX 700 | User Guide - Page 287
if you want to specify the IP address, subnet mask, and gateway manually. This field is enabled if you select Use Fixed IP Address. the Zyxel Device uses the one that was configured first. Enable IGMP Support Select this to allow the Zyxel Device to act as an IGMP USG FLEX Series User's Guide 287 - ZyXEL USG FLEX 700 | User Guide - Page 288
messages with others. See DHCPv6 on page 233 for more information. Select this to have the DUID generated from the interface's default MAC address. ZyWALL USG FLEX Series User's Guide 288 - ZyXEL USG FLEX 700 | User Guide - Page 289
Device. This helps hosts to choose their default router especially when there are multiple IPv6 router on the network. Note: Make sure the hosts also support router preference to make this function work. ZyWALL USG FLEX Series User's Guide 289 - ZyXEL USG FLEX 700 | User Guide - Page 290
this interface. If a larger packet arrives, the Zyxel Device divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500. ZyWALL USG FLEX Series User's Guide 290 - ZyXEL USG FLEX 700 | User Guide - Page 291
to the network. Choices are: None - the Zyxel Device does not provide any DHCP services. There is already a DHCP server on the network. DHCP Relay - the Zyxel Device routes network address), last address (broadcast address) and the interface's IP address. ZyWALL USG FLEX Series User's Guide 291 - ZyXEL USG FLEX 700 | User Guide - Page 292
DNS relay. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The specific MAC addresses for this VLAN. This stops anyone else from manually using a bound IP address on another device connected to this USG FLEX Series User's Guide 292 - ZyXEL USG FLEX 700 | User Guide - Page 293
the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. ZyWALL USG FLEX Series User's Guide 293 - ZyXEL USG FLEX 700 | User Guide - Page 294
requests on behalf of a device on its internal interface. Interfaces supported are: Add • Ethernet • VLAN • Bridge See Section 9.4.2 . Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN. Click USG FLEX Series User's Guide 294 - ZyXEL USG FLEX 700 | User Guide - Page 295
interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole Zyxel Device as a transparent bridge, add all of the Zyxel Device's interfaces to a bridge interface. ZyWALL USG FLEX Series User's Guide 295 - ZyXEL USG FLEX 700 | User Guide - Page 296
interfaces used for your IPv6 network on this screen. To access this screen, click Configuration > Network > Interface > Bridge. Figure 208 Configuration > Network > Interface > Bridge ZyWALL USG FLEX Series User's Guide 296 - ZyXEL USG FLEX 700 | User Guide - Page 297
check for each bridge interface. To access this screen, click the Add or Edit icon on the Bridge Summary screen. The following screen appears. ZyWALL USG FLEX Series User's Guide 297 - ZyXEL USG FLEX 700 | User Guide - Page 298
Chapter 9 Interfaces Figure 209 Configuration > Network > Interface > Bridge > Add / Edit ZyWALL USG FLEX Series User's Guide 298 - ZyXEL USG FLEX 700 | User Guide - Page 299
Chapter 9 Interfaces ZyWALL USG FLEX Series User's Guide 299 - ZyXEL USG FLEX 700 | User Guide - Page 300
Configuration For general, the rest of the screen's options do not automatically adjust and you must manually configure a policy route to add routing and SNAT settings for the interface. This field is are allowed, but the string can't start with a space. ZyWALL USG FLEX Series User's Guide 300 - ZyXEL USG FLEX 700 | User Guide - Page 301
if you want to specify the IP address, subnet mask, and gateway manually. This field is enabled if you select Use Fixed IP Address. the Zyxel Device uses the one that was configured first. Enable IGMP Support Select this to allow the Zyxel Device to act as an IGMP USG FLEX Series User's Guide 301 - ZyXEL USG FLEX 700 | User Guide - Page 302
others. See DHCPv6 on page 233 for more information. Select this if you want the DUID is generated from the interface's default MAC address. ZyWALL USG FLEX Series User's Guide 302 - ZyXEL USG FLEX 700 | User Guide - Page 303
obtain DNS information through DHCPv6. Clear this to have the Zyxel Device indicate to hosts that DNS information is not available in this network. ZyWALL USG FLEX Series User's Guide 303 - ZyXEL USG FLEX 700 | User Guide - Page 304
especially when there are multiple IPv6 router on the network. Note: Make sure the hosts also support router preference to make this function work. MTU Hop Limit The Maximum Transmission Unit. Type interface to the network. Allowed values are 0 - 1048576. ZyWALL USG FLEX Series User's Guide 304 - ZyXEL USG FLEX 700 | User Guide - Page 305
the Zyxel Device works as a DNS relay. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of default router, select Custom Defined and enter the IP address. ZyWALL USG FLEX Series User's Guide 305 - ZyXEL USG FLEX 700 | User Guide - Page 306
interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make characters, and it can be up to 60 characters long. ZyWALL USG FLEX Series User's Guide 306 - ZyXEL USG FLEX 700 | User Guide - Page 307
Zyxel Device to answer external interface ARP requests on behalf of a device on its internal interface. Interfaces supported are: Add • Ethernet • VLAN • Bridge See Section 9.4.2 on page 253 for more information. entry and click Remove to delete that entry. ZyWALL USG FLEX Series User's Guide 307 - ZyXEL USG FLEX 700 | User Guide - Page 308
Configure Policy Click Policy Route to go to the screen where you can manually configure a policy route to Route associate traffic with this bridge interface. dynamic peer is not supported • The IPSec VTI is limited to IP unicast and multicast traffic only. ZyWALL USG FLEX Series User's Guide 308 - ZyXEL USG FLEX 700 | User Guide - Page 309
for a VPN Tunnel Interface scenario first. To access this screen, click the Add or Edit icon in Network > Interface > VTI. The following screen appears. ZyWALL USG FLEX Series User's Guide 309 - ZyXEL USG FLEX 700 | User Guide - Page 310
tunnel interface in vtix format, where x is a number from 0 to the maximum number of VPN connections allowed for this model. For example, enter vti10. ZyWALL USG FLEX Series User's Guide 310 - ZyXEL USG FLEX 700 | User Guide - Page 311
gateways have the same priority, the Zyxel Device uses the one that was configured first. Enable IGMP Support Select this to allow the Zyxel Device to act as an IGMP proxy for hosts connected on the Section 10.6 on page 337 for more information about RIP. ZyWALL USG FLEX Series User's Guide 311 - ZyXEL USG FLEX 700 | User Guide - Page 312
Policy Route to go to the screen where you can manually configure a policy route to Route associate traffic with this bridge interface. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 312 - ZyXEL USG FLEX 700 | User Guide - Page 313
another ISP) set to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface's connection is up. • Use the Trunk summary screen (Section 9.12 on instead of wan1's IP address and rejects the request. ZyWALL USG FLEX Series User's Guide 313 - ZyXEL USG FLEX 700 | User Guide - Page 314
BALANCING INDEX (M/A) 0.8 0.77 Weighted Round Robin Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming ZyWALL USG FLEX Series User's Guide 314 - ZyXEL USG FLEX 700 | User Guide - Page 315
800K. The Zyxel Device sends network traffic of new sessions that exceed this limit to the secondary WAN interface. Figure 215 Spillover Algorithm Example ZyWALL USG FLEX Series User's Guide 315 - ZyXEL USG FLEX 700 | User Guide - Page 316
system WAN trunk or one of the user configured WAN trunks as the default trunk for routing traffic from internal interfaces to external interfaces. ZyWALL USG FLEX Series User's Guide 316 - ZyXEL USG FLEX 700 | User Guide - Page 317
to open the following screen. Use this screen to create or edit a WAN trunk entry. Figure 217 Configuration > Network > Interface > Trunk > Add (or Edit) ZyWALL USG FLEX Series User's Guide 317 - ZyXEL USG FLEX 700 | User Guide - Page 318
to each member interface. The higher an interface's weight is (relative to the weights of the interfaces), the more sessions that interface should handle. ZyWALL USG FLEX Series User's Guide 318 - ZyXEL USG FLEX 700 | User Guide - Page 319
each member interface equally and is not allowed to be changed for the default trunk. Figure 218 Configuration > Network > Interface > Trunk > Edit (System Default) ZyWALL USG FLEX Series User's Guide 319 - ZyXEL USG FLEX 700 | User Guide - Page 320
Device. Click Cancel to exit this screen without saving. 9.13 Interface Technical Reference Here is more detailed information about interfaces on the Zyxel Device. ZyWALL USG FLEX Series User's Guide 320 - ZyXEL USG FLEX 700 | User Guide - Page 321
Virtual interfaces, however, cannot be DHCP clients. You have to assign the IP address and subnet mask manually. In general, the IP address and subnet mask of each interface should not overlap, though it is . In this case, you should specify the metric. ZyWALL USG FLEX Series User's Guide 321 - ZyXEL USG FLEX 700 | User Guide - Page 322
the Zyxel Device does not support ingress bandwidth management. If you the network. This reduces the amount of manual configuration you have to do and usually In the Zyxel Device, some interfaces can provide DHCP services to the network. In this case, the interface can USG FLEX Series User's Guide 322 - ZyXEL USG FLEX 700 | User Guide - Page 323
servers that provide DNS services for DHCP clients. You can specify each IP address manually (for example, a services. This makes it easier for the service provider to offer the service • PPPoE does not usually require any special configuration of the modem. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 324
more complicated to set up. It supports up to 256 bit session keys using the IPSec protocol. When security is a priority, L2TP is a good option as it requires certificates unlike PPTP. It uses the following ports: UDP 500, Protocol 50, UDP 1701 and UDP 4500. ZyWALL USG FLEX Series User's Guide 324 - ZyXEL USG FLEX 700 | User Guide - Page 325
Internet through the Zyxel Device's default gateway (R1). You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a 10.3 on page 334) to list and configure static routes. ZyWALL USG FLEX Series User's Guide 325 - ZyXEL USG FLEX 700 | User Guide - Page 326
. DiffServ QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of ZyWALL USG FLEX Series User's Guide 326 - ZyXEL USG FLEX 700 | User Guide - Page 327
DSCP Marking and Per-Hop Behavior DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2- on configuration walkthroughs, troubleshooting, and other information. ZyWALL USG FLEX Series User's Guide 327 - ZyXEL USG FLEX 700 | User Guide - Page 328
the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. ZyWALL USG FLEX Series User's Guide 328 - ZyXEL USG FLEX 700 | User Guide - Page 329
marker. default means traffic with a DSCP value of 0. This is usually best effort traffic Service Source Port Next-Hop DSCP Marking The "af" entries stand for Assured Forwarding. The number following settings except the Address Translation (SNAT) settings. ZyWALL USG FLEX Series User's Guide 329 - ZyXEL USG FLEX 700 | User Guide - Page 330
Chapter 10 Routing Figure 222 Configuration > Network > Routing > Policy Route > Add/Edit (IPv4 Configuration) ZyWALL USG FLEX Series User's Guide 330 - ZyXEL USG FLEX 700 | User Guide - Page 331
network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here. ZyWALL USG FLEX Series User's Guide 331 - ZyXEL USG FLEX 700 | User Guide - Page 332
0. This is usually best effort traffic User-Defined DSCP Code Schedule Service Source Port Next-Hop Type The "af" choices stand for Assured . Trunk Interface Leave this cleared if you want to manually specify the destination address. This field displays when you USG FLEX Series User's Guide 332 - ZyXEL USG FLEX 700 | User Guide - Page 333
next to it. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 333 - ZyXEL USG FLEX 700 | User Guide - Page 334
route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route. ZyWALL USG FLEX Series User's Guide 334 - ZyXEL USG FLEX 700 | User Guide - Page 335
, 2 or 3 is usually a good number. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 335 - ZyXEL USG FLEX 700 | User Guide - Page 336
table it uses to make routing decisions. In turn, the Zyxel Device can also use routing protocols to propagate routing information to other routers. ZyWALL USG FLEX Series User's Guide 336 - ZyXEL USG FLEX 700 | User Guide - Page 337
to configure eBGP (exterior Border Gate Protocol). 10.5.1 What You Need to Know The Zyxel Device supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared here and discussed further > Routing > RIP to open the following screen. ZyWALL USG FLEX Series User's Guide 337 - ZyXEL USG FLEX 700 | User Guide - Page 338
used. Click this button to save your changes to the Zyxel Device. Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 338 - ZyXEL USG FLEX 700 | User Guide - Page 339
System (AS). OSPF offers some advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently. Each type of area is illustrated in the following figure. ZyWALL USG FLEX Series User's Guide 339 - ZyXEL USG FLEX 700 | User Guide - Page 340
0. By default, every router in area 0 is a backbone router, and so is every ABR. Each type of router is illustrated in the following example. ZyWALL USG FLEX Series User's Guide 340 - ZyXEL USG FLEX 700 | User Guide - Page 341
backbone. You cannot create a virtual link to a router in a different area. OSPF Configuration Follow these steps when you configure OSPF on the Zyxel Device. ZyWALL USG FLEX Series User's Guide 341 - ZyXEL USG FLEX 700 | User Guide - Page 342
. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored. ZyWALL USG FLEX Series User's Guide 342 - ZyXEL USG FLEX 700 | User Guide - Page 343
screen (see Section 10.7 on page 339), and click either the Add icon or an Edit icon. Figure 232 Configuration > Network > Routing > OSPF > Add ZyWALL USG FLEX Series User's Guide 343 - ZyXEL USG FLEX 700 | User Guide - Page 344
is not associated with a specific area. This is the 32-bit ID (in IP address format) of the other ABR in the virtual link. ZyWALL USG FLEX Series User's Guide 344 - ZyXEL USG FLEX 700 | User Guide - Page 345
the integrity, but not the confidentiality, of routing updates. For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an following. Figure 233 Configuration > Network > Routing > OSPF > Add > Add ZyWALL USG FLEX Series User's Guide 345 - ZyXEL USG FLEX 700 | User Guide - Page 346
Cancel to exit this screen without saving. 10.8 BGP (Border Gateway Protocol) The Zyxel Device supports eBGP (exterior Border Gate Protocol) to route IPv4 traffic between routers in different Autonomous Systems on autonomous systems. Figure 234 eBGP Concept ZyWALL USG FLEX Series User's Guide 346 - ZyXEL USG FLEX 700 | User Guide - Page 347
BGP packets to enter the Zyxel Device from the WAN. 1 Go to Configuration > Object > Service > Service Group 2 Select the Default_Allow_WAN_To_ZyWALL rule and click Edit. 3 Move BGP from Available to Member. 4 > Routing > BGP to open the following screen. ZyWALL USG FLEX Series User's Guide 347 - ZyXEL USG FLEX 700 | User Guide - Page 348
Add Edit Remove # IP Address AS Number Network Note: The maximum number of neighboring BGP routers supported by the Zyxel Device is 5. Click this to configure BGP criteria for a new peer BGP router. open a screen where you can modify the entry's settings. ZyWALL USG FLEX Series User's Guide 348 - ZyXEL USG FLEX 700 | User Guide - Page 349
Number Type a number from 1 to 4294967295 in this field. Get the number from your service provider. Enable EBGP Multihop Select this to allow the Zyxel Device to attempt BGP connections to Enter a maximum hop count from . The default is 255. ZyWALL USG FLEX Series User's Guide 349 - ZyXEL USG FLEX 700 | User Guide - Page 350
provider MPLS network. • PE: The provider edge router is located at the edge of the service provider MPLS network. • MPLS: MultiProtocol Label Switching (MPLS) forwards data from one network node to the next based on path labels rather than network addresses. ZyWALL USG FLEX Series User's Guide 350 - ZyXEL USG FLEX 700 | User Guide - Page 351
in Configuration > Network > Routing > BGP > Add Neighbors. Note: The maximum number of neighboring BGP routers supported by the Zyxel Device is 5. 3 Configure the network for BGP routes in the neighboring AS. Note: You may configure up to 16 network routes. ZyWALL USG FLEX Series User's Guide 351 - ZyXEL USG FLEX 700 | User Guide - Page 352
DNS account with a supported DNS service provider before you can use Dynamic DNS services with the Zyxel Device. When registration is complete, the DNS service provider gives you a to the DDNS service provider, which helps redirect traffic accordingly. ZyWALL USG FLEX Series User's Guide 352 - ZyXEL USG FLEX 700 | User Guide - Page 353
is inactive. This field displays the descriptive profile name for this entry. This field displays which DDNS service you are using. This field displays each domain name the Zyxel Device can route. This field domain name. custom - The IP address is static. ZyWALL USG FLEX Series User's Guide 353 - ZyXEL USG FLEX 700 | User Guide - Page 354
existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen. Figure 240 Configuration > Network > DDNS > Add ZyWALL USG FLEX Series User's Guide 354 - ZyXEL USG FLEX 700 | User Guide - Page 355
alphanumeric characters and the underscore. Spaces are not allowed. For a Dynu DDNS entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website. ZyWALL USG FLEX Series User's Guide 355 - ZyXEL USG FLEX 700 | User Guide - Page 356
name. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. ZyWALL USG FLEX Series User's Guide 356 - ZyXEL USG FLEX 700 | User Guide - Page 357
to access the server that will host the DDSN service. This field displays when you select User custom from the DDNS Type field above. These are the options supported at the time of writing: OK Cancel • . Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 357 - ZyXEL USG FLEX 700 | User Guide - Page 358
manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones. ZyWALL USG FLEX Series User's Guide 358 - ZyXEL USG FLEX 700 | User Guide - Page 359
Datagram Service 143 TCP Interim Mail Access Protocol (IMAP) 161 UDP SNMP 179 TCP Border Gateway Protocol (BGP) 389 TCP/UDP Lightweight Directory Access Protocol (LDAP) 443 TCP HTTPS 445 TCP Microsoft - DS 636 TCP LDAP over TLS/SSL (LDAPS) 953 TCP BIND DNS ZyWALL USG FLEX - ZyXEL USG FLEX 700 | User Guide - Page 360
the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information. Figure 243 Configuration > Network > NAT The following table describes as they are applied in order of their numbering. ZyWALL USG FLEX Series User's Guide 360 - ZyXEL USG FLEX 700 | User Guide - Page 361
displays the new destination IP address for the packet. Protocol This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the Then, click on an Add icon or Edit icon to open the following screen. ZyWALL USG FLEX Series User's Guide 361 - ZyXEL USG FLEX 700 | User Guide - Page 362
. Select the interface on which packets for the NAT rule must be received. It can be an Ethernet, VLAN, bridge, or PPPoE/PPTP interface. ZyWALL USG FLEX Series User's Guide 362 - ZyXEL USG FLEX 700 | User Guide - Page 363
manually enter service requesting the connection. This field is available if Mapping Type is Port. Enter the external destination port this NAT rule supports. This field is available if Mapping Type is Port. Enter the translated destination port if this NAT rule forwards the packet. ZyWALL USG FLEX - ZyXEL USG FLEX 700 | User Guide - Page 364
is Ports. Enter the beginning of the range of original destination ports this NAT rule supports. This field is available if Mapping Type is Ports. Enter the end of the range of original destination example) and gets the SMTP server's mapped public IP address of 1.1.1.1. ZyWALL USG FLEX Series User's Guide 364 - ZyXEL USG FLEX 700 | User Guide - Page 365
going through NAT, the source would not match the original destination address which would cause the LAN user's computer to shut down the session. ZyWALL USG FLEX Series User's Guide 365 - ZyXEL USG FLEX 700 | User Guide - Page 366
You are hosting a very popular website on your network, which attracts a lot of traffic and causes problems with your HTTP web server. To resolve this, you set up three identical web servers on the DMZ 1.1.1.2. Figure 248 Virtual Server on the WAN- Example 1 ZyWALL USG FLEX Series User's Guide 366 - ZyXEL USG FLEX 700 | User Guide - Page 367
SMTP service by connecting to 10.0.1.100 port 25. Clients see a single mail server. Figure 249 Virtual Server on the LAN - Example 2 12.5.3 Virtual Server Load Balancing Process The following is an overview of how the Virtual Server Load Balancing process works. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 368
balancing rule. Each load balancing rule consists of an incoming interface, an external IP address, a service type, a load balancing algorithm, and a list of real servers. Note: One real server Note: Virtual servers and real servers only support IPv4 addresses. ZyWALL USG FLEX Series User's Guide 368 - ZyXEL USG FLEX 700 | User Guide - Page 369
Zyxel Device. Table 148 Virtual Service Load Balancing Limits PARAMETER MODEL Maximum Number of Load Balancing Rules per Zyxel Device VPN50, USG FLEX 100, USG FLEX 100W, ATP100, ATP100W VPN100, USG FLEX 200, ATP200 VPN300, USG FLEX 500, ATP500, USG FLEX 700, ATP700, ATP800, VPN1000 Maximum - ZyXEL USG FLEX 700 | User Guide - Page 370
it is not associated with a specific entry. Status This icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG FLEX Series User's Guide 370 - ZyXEL USG FLEX 700 | User Guide - Page 371
DESCRIPTION Health Status This field displays whether the real server is reachable for a particular service. Name This field displays the name of the entry. External IP This field Configuration > Network > NAT > Virtual Server Load Balancing > Add/Edit ZyWALL USG FLEX Series User's Guide 371 - ZyXEL USG FLEX 700 | User Guide - Page 372
. • HTTP: Web service • HTTPS: Secure web service • TCP: A general network protocol that shows the server is accepting TCP connections • SMTP: Mail service • DNS: Dynamic Name Service • PING: A general network protocol that shows the server is reachable ZyWALL USG FLEX Series User's Guide 372 - ZyXEL USG FLEX 700 | User Guide - Page 373
default is 5. Retry- Sets the number of times the Zyxel Device resends a health check request before marking the server as unavailable. The default is 1. ZyWALL USG FLEX Series User's Guide 373 - ZyXEL USG FLEX 700 | User Guide - Page 374
a server on the LAN. This field displays the External Port or the port based on the External Service selected above. You may change the port here. The weight represents the processing power of this server ) or saving any changes (if it already exists). ZyWALL USG FLEX Series User's Guide 374 - ZyXEL USG FLEX 700 | User Guide - Page 375
CHAPTER 13 Redirect Service 13.1 Overview Redirect Service redirects HTTP and SMTP traffic. 13.1.1 HTTP Redirect HTTP redirect forwards the client's HTTP request (except be delivered to the recipient. The Zyxel Device forwards SMTP traffic using TCP port 25. ZyWALL USG FLEX Series User's Guide 375 - ZyXEL USG FLEX 700 | User Guide - Page 376
web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick access and reduce network usage. The proxy checks its local cache for the requested Policy 2 Application Patrol 3 HTTP Redirect 4 Policy Route ZyWALL USG FLEX Series User's Guide 376 - ZyXEL USG FLEX 700 | User Guide - Page 377
to the same incoming interface and service as a SMTP redirect rule, manually configure a policy route to forward the SMTP traffic from the SMTP server to the Internet. To make the example in Figure 254 on page 376 work, make sure you have the following settings. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 378
policy route to forward SMTP messages from SMTP server A to the Internet. 13.2 The Redirect Service Screen To configure redirection of a HTTP or SMTP request, click Configuration > Network > HTTP value, and it is not associated with a specific entry. ZyWALL USG FLEX Series User's Guide 378 - ZyXEL USG FLEX 700 | User Guide - Page 379
.2.1 The Redirect Service Edit Screen Click Network > Redirect Service to open the Redirect Service screen. Then click the Add or Edit icon to open the Redirect Service Edit screen where you can configure the rule. Figure 256 Network > Redirect Service > Edit ZyWALL USG FLEX Series User's Guide 379 - ZyXEL USG FLEX 700 | User Guide - Page 380
. Table 153 Network > Redirect Service > Edit LABEL DESCRIPTION Enable Use this option to turn the Redirect Service rule on or off. Service Select the service to be redirected: HTTP Redirect or Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 380 - ZyXEL USG FLEX 700 | User Guide - Page 381
data and video conferencing. • FTP - File Transfer Protocol - an Internet file transfer service. The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A on the Zyxel Device supports all of the Zyxel Device's NAT mapping types. ZyWALL USG FLEX Series User's Guide 381 - ZyXEL USG FLEX 700 | User Guide - Page 382
from the WAN. Bandwidth management can be applied to FTP ALG traffic. H.323 ALG • The H.323 ALG supports peer-to-peer H.323 calls. • The H.323 ALG handles H.323 calls that go through NAT or that to pass through. • The Zyxel Device allows SIP audio connections. ZyWALL USG FLEX Series User's Guide 382 - ZyXEL USG FLEX 700 | User Guide - Page 383
configure different security policy and port forwarding rules to allow LAN IP address B to receive calls through public WAN IP address 2. You configure corresponding ZyWALL USG FLEX Series User's Guide 383 - ZyXEL USG FLEX 700 | User Guide - Page 384
or on, configure the port numbers to which they apply, and configure SIP ALG time outs. Note: If the Zyxel Device provides an ALG for a service, you must enable the ALG in order to use the application patrol on that service's traffic. ZyWALL USG FLEX Series User's Guide 384 - ZyXEL USG FLEX 700 | User Guide - Page 385
expires, the Zyxel Device deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation. ZyWALL USG FLEX Series User's Guide 385 - ZyXEL USG FLEX 700 | User Guide - Page 386
Port Enable H.323 ALG Enable H.323 Transformations You should disable this if have registered for cloud VoIP services. If you are using a custom UDP port number (not 5060) for SIP traffic, enter it detailed information about the Application Layer Gateway. ZyWALL USG FLEX Series User's Guide 386 - ZyXEL USG FLEX 700 | User Guide - Page 387
register automatically at set intervals or the users can manually force them to re-register. FTP File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over TCP/ voice data transfer. See RFC 1889 for details on RTP. ZyWALL USG FLEX Series User's Guide 387 - ZyXEL USG FLEX 700 | User Guide - Page 388
service descriptions. NAT traversal allows the following: • Dynamic port mapping • Learning public IP addresses • Assigning lease times to mappings Windows Messenger is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT. ZyWALL USG FLEX - ZyXEL USG FLEX 700 | User Guide - Page 389
and NAT-PMP The automated nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security issues. Network information and the screen shown next. Figure 262 Configuration > Network > UPnP ZyWALL USG FLEX Series User's Guide 389 - ZyXEL USG FLEX 700 | User Guide - Page 390
applications. The Available list displays the name(s) of the internal interface(s) on which the Zyxel Device supports UPnP and/or NAT-PMP. Apply Reset To enable UPnP and/or NAT-PMP on an interface, Control Panel and then the Network and Sharing Center. ZyWALL USG FLEX Series User's Guide 390 - ZyXEL USG FLEX 700 | User Guide - Page 391
and devices on the network and other computers on the network to find your computer. This makes it easier to share files and printers. ZyWALL USG FLEX Series User's Guide 391 - ZyXEL USG FLEX 700 | User Guide - Page 392
. 2 Right-click the device icon and select Properties. Figure 263 Network Connections 3 In the Internet Connection Properties window, click Settings to see port mappings. ZyWALL USG FLEX Series User's Guide 392 - ZyXEL USG FLEX 700 | User Guide - Page 393
Chapter 15 UPnP Figure 264 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings. Figure 265 Internet Connection Properties: Advanced Settings ZyWALL USG FLEX Series User's Guide 393 - ZyXEL USG FLEX 700 | User Guide - Page 394
the LAN port of the Zyxel Device. Turn on your computer and the Zyxel Device. 1 Click the start icon, Settings and then Network & Internet. ZyWALL USG FLEX Series User's Guide 394 - ZyXEL USG FLEX 700 | User Guide - Page 395
Chapter 15 UPnP 2 Click Network and Sharing Center. 3 Click Change advanced sharing settings. ZyWALL USG FLEX Series User's Guide 395 - ZyXEL USG FLEX 700 | User Guide - Page 396
UPnP-enabled Network Device Before you follow these steps, make sure you already have UPnP activated on the Zyxel Device and in your computer. ZyWALL USG FLEX Series User's Guide 396 - ZyXEL USG FLEX 700 | User Guide - Page 397
Properties window, click Settings to see port mappings. Figure 270 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings. ZyWALL USG FLEX Series User's Guide 397 - ZyXEL USG FLEX 700 | User Guide - Page 398
, right click the network icon in the system tray and click Open Network & Internet settings. Click Network and Sharing Center and click the Connections. ZyWALL USG FLEX Series User's Guide 398 - ZyXEL USG FLEX 700 | User Guide - Page 399
do not know the IP address of the Zyxel Device. Follow the steps below to access the web configurator. 1 Open Windows Explorer. 2 Click Network. ZyWALL USG FLEX Series User's Guide 399 - ZyXEL USG FLEX 700 | User Guide - Page 400
-click on the icon for your Zyxel Device and select Properties. Click the Network Device tab. A window displays with information about the Zyxel Device. ZyWALL USG FLEX Series User's Guide 400 - ZyXEL USG FLEX 700 | User Guide - Page 401
Configurator Easy Access in Windows 10 Follow the steps below to access the Web Configurator. 1 Open File Explorer. 2 Click Network. Figure 278 Network Connections ZyWALL USG FLEX Series User's Guide 401 - ZyXEL USG FLEX 700 | User Guide - Page 402
Device and select Properties. Click the Network Device tab. A window displays information about the Zyxel Device. Figure 280 Network Connections: Network Infrastructure: Properties: Example ZyWALL USG FLEX Series User's Guide 402 - ZyXEL USG FLEX 700 | User Guide - Page 403
each IP address. The Zyxel Device then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the Zyxel Device. Suppose you on the Zyxel Device's dynamic and static DHCP entries. ZyWALL USG FLEX Series User's Guide 403 - ZyXEL USG FLEX 700 | User Guide - Page 404
and dimmed when the entry is inactive. Interface This is the name of an interface that supports IP/MAC binding. Number of Binding This field displays the interface's total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP. ZyWALL USG FLEX Series User's Guide 404 - ZyXEL USG FLEX 700 | User Guide - Page 405
enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make open a screen where you can modify the entry's settings. ZyWALL USG FLEX Series User's Guide 405 - ZyXEL USG FLEX 700 | User Guide - Page 406
the computer's owner. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 406 - ZyXEL USG FLEX 700 | User Guide - Page 407
. A window displays asking you to confirm that you want to delete it. Apply Click Apply to save your changes back to the Zyxel Device. ZyWALL USG FLEX Series User's Guide 407 - ZyXEL USG FLEX 700 | User Guide - Page 408
screen allows you to enable Layer-2 isolation on the Zyxel Device and specific internal interface(s). To access this screen click Configuration > Network > Layer 2 Isolation. ZyWALL USG FLEX Series User's Guide 408 - ZyXEL USG FLEX 700 | User Guide - Page 409
other devices in the layer-2-isolation-enabled internal interface(s) except for broadcast packets. To access this screen click Configuration > Network > Layer 2 Isolation > White List. ZyWALL USG FLEX Series User's Guide 409 - ZyXEL USG FLEX 700 | User Guide - Page 410
know the IP address of each connected device that you want to allow to be accessed by other devices when layer-2 isolation is enabled. ZyWALL USG FLEX Series User's Guide 410 - ZyXEL USG FLEX 700 | User Guide - Page 411
allowed. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 411 - ZyXEL USG FLEX 700 | User Guide - Page 412
load balancing rules. • Use the Inbound LB Add/Edit screen (see Section 18.2.1 on page 414) to add or edit a DNS load balancing rule. ZyWALL USG FLEX Series User's Guide 412 - ZyXEL USG FLEX 700 | User Guide - Page 413
load balancing rule. Query Domain Name This field displays the domain name for which the Zyxel Device manages load balancing between the specified interfaces. ZyWALL USG FLEX Series User's Guide 413 - ZyXEL USG FLEX 700 | User Guide - Page 414
hosts only by configuring the Query From settings. Click Configuration > Network > Inbound LB and then the Add or Edit icon to open this screen. ZyWALL USG FLEX Series User's Guide 414 - ZyXEL USG FLEX 700 | User Guide - Page 415
to other configured DNS servers to resolve the name. You have to configure this field to the client's IP address when iteration is used. ZyWALL USG FLEX Series User's Guide 415 - ZyXEL USG FLEX 700 | User Guide - Page 416
DNS load balancing rule. Click Configuration > Network > DNS Inbound LB > Add or Edit and then an Add or Edit icon to open this screen. ZyWALL USG FLEX Series User's Guide 416 - ZyXEL USG FLEX 700 | User Guide - Page 417
to the DNS query senders. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 417 - ZyXEL USG FLEX 700 | User Guide - Page 418
Example Internet Key Exchange (IKE): IKEv1 and IKEv2 The Zyxel Device supports IKEv1 and IKEv2 for IPv4 and IPv6 traffic. IKE (Internet Key keys are derived. A security policy for each peer must be manually created. IPSec VPN consists of two phases: Phase 1 and Phase USG FLEX Series User's Guide 418 - ZyXEL USG FLEX 700 | User Guide - Page 419
IP addresses in common between the Zyxel Device and the remote IPSec router. • The IKEv2 protocol supports connectivity checks which is used to detect whether the tunnel is still up or not. If the File Share Non-Web Web-based Application Application Server ZyWALL USG FLEX Series User's Guide 419 - ZyXEL USG FLEX 700 | User Guide - Page 420
Device and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure. ZyWALL USG FLEX Series User's Guide 420 - ZyXEL USG FLEX 700 | User Guide - Page 421
tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first. ZyWALL USG FLEX Series User's Guide 421 - ZyXEL USG FLEX 700 | User Guide - Page 422
Out More • See Section 19.6 on page 444 for IPSec VPN background information. • See the help in the IPSec VPN quick setup wizard screens. ZyWALL USG FLEX Series User's Guide 422 - ZyXEL USG FLEX 700 | User Guide - Page 423
between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel guidance on configuration walkthroughs, troubleshooting and other information. ZyWALL USG FLEX Series User's Guide 423 - ZyXEL USG FLEX 700 | User Guide - Page 424
Select this to be able to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes. The Zyxel Device automatically obtains . To disconnect an IPSec SA, select it and click Disconnect. ZyWALL USG FLEX Series User's Guide 424 - ZyXEL USG FLEX 700 | User Guide - Page 425
screen, go to the Configuration > VPN Connection screen (see Section 19.2 on page 423), and click either the Add icon or an Edit icon. ZyWALL USG FLEX Series User's Guide 425 - ZyXEL USG FLEX 700 | User Guide - Page 426
Chapter 19 IPSec VPN Figure 299 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit ZyWALL USG FLEX Series User's Guide 426 - ZyXEL USG FLEX 700 | User Guide - Page 427
Select this check box to detect and reject old or duplicate packets to protect against Denial-of-Service attacks. Enable NetBIOS Broadcast over IPSec Select this check box if you the Zyxel Device to send .168.30.80 Narrowed 192.168.30.60 ~ 192.168.30.70 ZyWALL USG FLEX Series User's Guide 427 - ZyXEL USG FLEX 700 | User Guide - Page 428
that is checked if the first one is unavailable. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping table of the an address object from the drop-down list box. ZyWALL USG FLEX Series User's Guide 428 - ZyXEL USG FLEX 700 | User Guide - Page 429
checked if the first one is unavailable. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The WINS server keeps a mapping sequence of proposals should not affect performance significantly. ZyWALL USG FLEX Series User's Guide 429 - ZyXEL USG FLEX 700 | User Guide - Page 430
you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP connection. ZyWALL USG FLEX Series User's Guide 430 - ZyXEL USG FLEX 700 | User Guide - Page 431
entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. ZyWALL USG FLEX Series User's Guide 431 - ZyXEL USG FLEX 700 | User Guide - Page 432
. To access this screen, click Configuration > VPN > Network > IPSec VPN > VPN Gateway. The following screen appears. Figure 300 Configuration > VPN > IPSec VPN > VPN Gateway ZyWALL USG FLEX Series User's Guide 432 - ZyXEL USG FLEX 700 | User Guide - Page 433
screen, go to the VPN Gateway summary screen (see Section 19.3 on page 432), and click either the Add icon or an Edit icon. ZyWALL USG FLEX Series User's Guide 433 - ZyXEL USG FLEX 700 | User Guide - Page 434
Chapter 19 IPSec VPN Figure 301 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit ZyWALL USG FLEX Series User's Guide 434 - ZyXEL USG FLEX 700 | User Guide - Page 435
(and does not use DDNS). Note: The Zyxel Device and remote IPSec router must use the same authentication method to establish the IKE SA. ZyWALL USG FLEX Series User's Guide 435 - ZyXEL USG FLEX 700 | User Guide - Page 436
up to 63 ASCII characters including spaces, although trailing spaces are truncated. This value is only used for identification and can be any string. ZyWALL USG FLEX Series User's Guide 436 - ZyXEL USG FLEX 700 | User Guide - Page 437
and authentication algorithm pairs the Zyxel Device accepts from the remote IPSec router for negotiating the IKE SA. Click this to create a new entry. ZyWALL USG FLEX Series User's Guide 437 - ZyXEL USG FLEX 700 | User Guide - Page 438
or more NAT routers between the Zyxel Device and remote IPSec router, and these routers do not support IPSec pass-thru or a similar feature. The remote IPSec router must also enable NAT traversal, and and Extended Authentication Protocol when using IKEv2. ZyWALL USG FLEX Series User's Guide 438 - ZyXEL USG FLEX 700 | User Guide - Page 439
specifies how the Zyxel Device authenticates this information. Allowed User Extended authentication now supports an allowed user. Select what users should be authenticated. Client Mode Select this . Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 439 - ZyXEL USG FLEX 700 | User Guide - Page 440
, set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address. • Your security policies can still block VPN packets. ZyWALL USG FLEX Series User's Guide 440 - ZyXEL USG FLEX 700 | User Guide - Page 441
screen, go to the VPN Concentrator summary screen (see Section 19.4 on page 440), and click either the Add icon or an Edit icon. ZyWALL USG FLEX Series User's Guide 441 - ZyXEL USG FLEX 700 | User Guide - Page 442
to manually configure all rule settings in the Zyxel Device IPSec VPN client. VPN rules for the Zyxel Device IPSec VPN Client have certain restrictions. They must not contain the following settings: • AH active protocol • NULL encryption • SHA512 authentication ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 443
can bind different rules to the same user, but the Zyxel Device will only allow VPN rule setting retrieval for the first match found. ZyWALL USG FLEX Series User's Guide 443 - ZyXEL USG FLEX 700 | User Guide - Page 444
mode determines how many. There are two negotiation modes--main mode and aggressive mode. Main mode provides better security, while aggressive mode is faster. ZyWALL USG FLEX Series User's Guide 444 - ZyXEL USG FLEX 700 | User Guide - Page 445
Negotiation Mode. Main mode is used in various examples in the rest of this section. The Zyxel Device supports IKEv1 and IKEv2. See Section 19.1 on page 418 for more information. IP Addresses of the Zyxel . It applies a 56-bit key to each 64-bit block of data. ZyWALL USG FLEX Series User's Guide 445 - ZyXEL USG FLEX 700 | User Guide - Page 446
below. The identities are also encrypted using the encryption algorithm and encryption key the Zyxel Device and remote IPSec router selected in previous steps. ZyWALL USG FLEX Series User's Guide 446 - ZyXEL USG FLEX 700 | User Guide - Page 447
content: [email protected] Local ID content: 1.1.1.2 Peer ID type: IP Peer ID type: E-mail Peer ID content: 1.1.1.2 Peer ID content: [email protected] ZyWALL USG FLEX Series User's Guide 447 - ZyXEL USG FLEX 700 | User Guide - Page 448
of the remote IPSec router (for example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA This section provides more information about IKE example, there is another router (A) between router X and router Y. ZyWALL USG FLEX Series User's Guide 448 - ZyXEL USG FLEX 700 | User Guide - Page 449
thru or if the active protocol is AH, you can solve this problem by enabling NAT traversal. In NAT traversal, router X and router on the standard(s) the Zyxel Device and remote IPSec router support. X-Auth / Extended Authentication X-Auth / Extended authentication is USG FLEX Series User's Guide 449 - ZyXEL USG FLEX 700 | User Guide - Page 450
IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. Encapsulation There are two ways to encapsulate packets. Original Packet IP Header TCP Header Data ZyWALL USG FLEX Series User's Guide 450 - ZyXEL USG FLEX 700 | User Guide - Page 451
keys, ID type and content. The SPI is an identification number. Note: The Zyxel Device and remote IPSec router must use the same SPI. ZyWALL USG FLEX Series User's Guide 451 - ZyXEL USG FLEX 700 | User Guide - Page 452
want to change the source address of computers in the remote network. To set up this NAT, you have to specify the following information: ZyWALL USG FLEX Series User's Guide 452 - ZyXEL USG FLEX 700 | User Guide - Page 453
address; the remote network (B). • Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection. • Original Port - the original destination port or range of destination ports; in Figure 311 Figure 312 Site-to-site IPSec VPN Example ZyWALL USG FLEX Series User's Guide 453 - ZyXEL USG FLEX 700 | User Guide - Page 454
network. • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. ZyWALL USG FLEX Series User's Guide 454 - ZyXEL USG FLEX 700 | User Guide - Page 455
. This screen lists the configured SSL access policies. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting and other information. Figure 314 VPN > SSL VPN > Access Privilege ZyWALL USG FLEX Series User's Guide 455 - ZyXEL USG FLEX 700 | User Guide - Page 456
Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. ZyWALL USG FLEX Series User's Guide 456 - ZyXEL USG FLEX 700 | User Guide - Page 457
such as security policy and remote management. Description Enter additional information about this SSL access policy. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_"). ZyWALL USG FLEX Series User's Guide 457 - ZyXEL USG FLEX 700 | User Guide - Page 458
network as if they were on the same local network. This includes access to resources not supported by SSL application objects. For example this lets users Telnet to the internal network even though gateway device) on your network for full tunnel mode access. ZyWALL USG FLEX Series User's Guide 458 - ZyXEL USG FLEX 700 | User Guide - Page 459
Apply to save the changes and/or start the logo file upload process. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 459 - ZyXEL USG FLEX 700 | User Guide - Page 460
prior to proper L2TP VPN usage (see Chapter 21 on page 460 for details). The IPSec VPN connection must: • Be enabled. • Use transport mode. ZyWALL USG FLEX Series User's Guide 460 - ZyXEL USG FLEX 700 | User Guide - Page 461
re-establish the sessions using the new settings. Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information. ZyWALL USG FLEX Series User's Guide 461 - ZyXEL USG FLEX 700 | User Guide - Page 462
connections. You must have certificates already configured in the My Certificates screen. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols. ZyWALL USG FLEX Series User's Guide 462 - ZyXEL USG FLEX 700 | User Guide - Page 463
of a DNS server that another interface received from its DHCP server. The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer names on your network and the IP addresses that > Address for the WAN IP address of the NAT router. ZyWALL USG FLEX Series User's Guide 463 - ZyXEL USG FLEX 700 | User Guide - Page 464
the NAT router WAN IP address object as the Local Policy. 5 Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured. ZyWALL USG FLEX Series User's Guide 464 - ZyXEL USG FLEX 700 | User Guide - Page 465
control. 22.1.2 What You Need to Know When you allow a service, you can restrict the bandwidth it uses. It controls TCP Device continues to route the connection. BWM Type The Zyxel Device supports three types of bandwidth management: Shared, Per user and Per-Source USG FLEX Series User's Guide 465 - ZyXEL USG FLEX 700 | User Guide - Page 466
destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating before sending the traffic out a LAN1 interface. ZyWALL USG FLEX Series User's Guide 466 - ZyXEL USG FLEX 700 | User Guide - Page 467
divide bandwidth among traffic flows with the same priority. • The Zyxel Device automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority). ZyWALL USG FLEX Series User's Guide 467 - ZyXEL USG FLEX 700 | User Guide - Page 468
configured rate. Table 181 Configured Rate Effect POLICY CONFIGURED RATE A 300 kbps B 200 kbps MAX. B. U. No No PRIORITY 1 1 ACTUAL RATE 300 kbps 200 kbps ZyWALL USG FLEX Series User's Guide 468 - ZyXEL USG FLEX 700 | User Guide - Page 469
, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions, similar to the sequence of , and remove user-defined bandwidth management policies. ZyWALL USG FLEX Series User's Guide 469 - ZyXEL USG FLEX 700 | User Guide - Page 470
User, when the policy is set for an individual user or a user group • Per-Source-IP, when the policy is set for a source IP ZyWALL USG FLEX Series User's Guide 470 - ZyXEL USG FLEX 700 | User Guide - Page 471
DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic Service The "af" options stand for Assured Forwarding. The number following the "af" identifies one lowest priority (7) regardless of this field's configuration. ZyWALL USG FLEX Series User's Guide 471 - ZyXEL USG FLEX 700 | User Guide - Page 472
Length and type of Ethernet frame Frame data Frame Check Sequence The following table is a guide to types of traffic for the priority code. Table 188 Priority Code and Types of Traffic 100 ms latency and jitter 5 Voice, less than 10 ms latency and jitter ZyWALL USG FLEX Series User's Guide 472 - ZyXEL USG FLEX 700 | User Guide - Page 473
22.2 on page 469), and click either the Add icon or an Edit icon. Figure 326 Configuration > Bandwidth Management > Edit (For the Default Policy) ZyWALL USG FLEX Series User's Guide 473 - ZyXEL USG FLEX 700 | User Guide - Page 474
User, when the policy is set for an individual user or a user group • Per Source IP, when the policy is set for a source IP ZyWALL USG FLEX Series User's Guide 474 - ZyXEL USG FLEX 700 | User Guide - Page 475
traffic with a DSCP value of 0. This is usually best effort traffic User-Defined DSCP Code Service Type Service Object The "af" choices stand for Assured Forwarding. The number following the "af" identifies one of bandwidth the matching traffic can use. ZyWALL USG FLEX Series User's Guide 475 - ZyXEL USG FLEX 700 | User Guide - Page 476
matches this policy. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 476 - ZyXEL USG FLEX 700 | User Guide - Page 477
. User Type Select a user type from the drop down menu. The user types are Admin, Limited admin, User, Guest, Ext-user, Ext-group-user. ZyWALL USG FLEX Series User's Guide 477 - ZyXEL USG FLEX 700 | User Guide - Page 478
of 1,440 minutes and Reauthentication Time of 1,440 minutes or you can enter them manually by choosing Use Manual Settings option. Lease Time This shows the Lease Time setting for the user, by save the setting. Cancel Click Cancel to abandon this screen. ZyWALL USG FLEX Series User's Guide 478 - ZyXEL USG FLEX 700 | User Guide - Page 479
to choose a Stop Date for schedule object. Stop Time Click the icon menu on the right to choose a Stop Time for the schedule object. ZyWALL USG FLEX Series User's Guide 479 - ZyXEL USG FLEX 700 | User Guide - Page 480
. IP Address Enter an IP address for the Address object. OK Click OK to save the setting. Cancel Click Cancel to abandon the setting. ZyWALL USG FLEX Series User's Guide 480 - ZyXEL USG FLEX 700 | User Guide - Page 481
. • Use the Configuration > Web Authentication > SSO screen (Section 23.3 on page 502) to configure how the Zyxel Device communicates with a Single Sign-On agent. ZyWALL USG FLEX Series User's Guide 481 - ZyXEL USG FLEX 700 | User Guide - Page 482
users for which user-aware policies have been configured go to the Zyxel Device Login screen manually, you can configure the Zyxel Device to display the Login screen automatically whenever it routes this screen to enable web authentication on the Zyxel Device. ZyWALL USG FLEX Series User's Guide 482 - ZyXEL USG FLEX 700 | User Guide - Page 483
log out immediately. Logout IP Specify an IP address that users can use to terminate their sessions manually by entering the IP address in the address bar of the web browser. User Agreement General email address) on the User Agreement (PC or mobile) page. ZyWALL USG FLEX Series User's Guide 483 - ZyXEL USG FLEX 700 | User Guide - Page 484
the default authentication policy that the Zyxel Device uses on traffic that does not match any exceptional service or other authentication policy. You can edit the default rule but not delete it. This field means the policy is active at all times if enabled. ZyWALL USG FLEX Series User's Guide 484 - ZyXEL USG FLEX 700 | User Guide - Page 485
do not need to be authenticated. required - Users need to be authenticated. They must manually go to the login screen or user agreement page. The Zyxel Device will not redirect Figure 334 Configuration > Web Authentication > General > Add Exceptional Service ZyWALL USG FLEX Series User's Guide 485 - ZyXEL USG FLEX 700 | User Guide - Page 486
defines when the policy applies. Otherwise, select none and the rule is always effective. This is none and not configurable for the default policy. ZyWALL USG FLEX Series User's Guide 486 - ZyXEL USG FLEX 700 | User Guide - Page 487
from unauthenticated users is redirected to a default or user-defined login page. Otherwise, they must manually go to the login screen. The Zyxel Device will not redirect them to the login screen. account is authenticated by an external server. Click OK. ZyWALL USG FLEX Series User's Guide 487 - ZyXEL USG FLEX 700 | User Guide - Page 488
you could add more members later. Figure 337 Configuration > Object > User/Group > Group > Add 3 Repeat this process to set up the remaining user groups. ZyWALL USG FLEX Series User's Guide 488 - ZyXEL USG FLEX 700 | User Guide - Page 489
3 Click Configuration > Web Authentication. In the Web Authentication > General screen, select Enable Web Authentication to turn on the web authentication feature and click Apply. ZyWALL USG FLEX Series User's Guide 489 - ZyXEL USG FLEX 700 | User Guide - Page 490
default settings, and click OK. Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN. ZyWALL USG FLEX Series User's Guide 490 - ZyXEL USG FLEX 700 | User Guide - Page 491
attribute's value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss. ZyWALL USG FLEX Series User's Guide 491 - ZyXEL USG FLEX 700 | User Guide - Page 492
to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius. ZyWALL USG FLEX Series User's Guide 492 - ZyXEL USG FLEX 700 | User Guide - Page 493
entry's settings. Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. ZyWALL USG FLEX Series User's Guide 493 - ZyXEL USG FLEX 700 | User Guide - Page 494
screen. The screen differs depending on what you select in the Type field. Figure 345 Configuration > Web Authentication > Authentication Type: Add/Edit (Web Portal) ZyWALL USG FLEX Series User's Guide 494 - ZyXEL USG FLEX 700 | User Guide - Page 495
Device. Note: You can upload zipped custom web portal files to the Zyxel Device using the Configuration > Web Authentication > Web Portal Customize File screen. ZyWALL USG FLEX Series User's Guide 495 - ZyXEL USG FLEX 700 | User Guide - Page 496
, http://IIS server IP Address/logout.html. The Internet Information Server (IIS) is the web server on which the user agreement files are installed. ZyWALL USG FLEX Series User's Guide 496 - ZyXEL USG FLEX 700 | User Guide - Page 497
the Custom Web Portal File or Custom User Agreement File tab to display the screen. Figure 347 Configuration > Web Authentication > Custom Web Portal File ZyWALL USG FLEX Series User's Guide 497 - ZyXEL USG FLEX 700 | User Guide - Page 498
portal or user agreement file for your reference. 23.2.4 Facebook Wi-Fi Screen The Zyxel Device supports Facebook Wi-Fi to let users check in to a business on Facebook for free Internet access the Facebook page before they can have free Internet access. ZyWALL USG FLEX Series User's Guide 498 - ZyXEL USG FLEX 700 | User Guide - Page 499
have not yet set up a Facebook fan page and see the following message 'This device is not paired with facebook. Please configure this device'. ZyWALL USG FLEX Series User's Guide 499 - ZyXEL USG FLEX 700 | User Guide - Page 500
Started. 4 In the following screen, select the page just created and click Save Settings. Your Facebook page is now paired with Facebook Wi-Fi. ZyWALL USG FLEX Series User's Guide 500 - ZyXEL USG FLEX 700 | User Guide - Page 501
, users need to enter the Wi-Fi password you provided. 4 Users then can click Continue Browsing to surf the Internet through the Zyxel Device. ZyWALL USG FLEX Series User's Guide 501 - ZyXEL USG FLEX 700 | User Guide - Page 502
. SSO does not support IPv6, LDAP or RADIUS; you must use it in an IPv4 network environment with Windows AD (Active Directory) authentication database. You must enable Web Authentication in the Configuration > Web Authentication screen. Figure 350 SSO Overview ZyWALL USG FLEX Series User's Guide 502 - ZyXEL USG FLEX 700 | User Guide - Page 503
Agent Configuration Page > Gateway Setting FIELD Gateway Port Agent Listening Port Group Membership Base DN Bind DN Login Name Attribute Server Address Gateway IP ZyWALL USG FLEX Series User's Guide 503 - ZyXEL USG FLEX 700 | User Guide - Page 504
Type the same port number here as in the Agent Listening Port field on the SSO agent. Type a number ranging from 1025 to 65535. ZyWALL USG FLEX Series User's Guide 504 - ZyXEL USG FLEX 700 | User Guide - Page 505
Sign-On and choose required in Authentication. Do NOT select any as the source address unless you want all incoming connections to be authenticated! ZyWALL USG FLEX Series User's Guide 505 - ZyXEL USG FLEX 700 | User Guide - Page 506
traffic. Go to Configuration > Security Policy > Policy Control and add a new policy if a default one does not cover the SSO web authentication traffic direction. ZyWALL USG FLEX Series User's Guide 506 - ZyXEL USG FLEX 700 | User Guide - Page 507
Information Configure a User account of the ext-group-user type. Configure Group Identifier to be the same as Group Membership on the SSO agent. ZyWALL USG FLEX Series User's Guide 507 - ZyXEL USG FLEX 700 | User Guide - Page 508
Chapter 23 Web Authentication 23.4.6 Configure an Authentication Method Configure Active Directory (AD) for authentication with SSO. Choose group ad as the authentication server for SSO. ZyWALL USG FLEX Series User's Guide 508 - ZyXEL USG FLEX 700 | User Guide - Page 509
SSO. Bind DN is a user name and password that allows the Zyxel Device to join the domain with administrative privileges. It is a required field. ZyWALL USG FLEX Series User's Guide 509 - ZyXEL USG FLEX 700 | User Guide - Page 510
. Add the Zyxel Device IP address as the Gateway. Make sure the Zyxel Device and SSO agent are able to communicate with each other. ZyWALL USG FLEX Series User's Guide 510 - ZyXEL USG FLEX 700 | User Guide - Page 511
settings exactly as you have done on the Zyxel Device. Group Membership is called Group Identifier on the Zyxel Device. LDAP/AD Server Configuration ZyWALL USG FLEX Series User's Guide 511 - ZyXEL USG FLEX 700 | User Guide - Page 512
Zyxel Device. After all SSO agent configurations are done, right-click the SSO icon in the system tray and select Enable Zyxel SSO Agent. ZyWALL USG FLEX Series User's Guide 512 - ZyXEL USG FLEX 700 | User Guide - Page 513
Section 1.1.1 on page 27 to see which models support Hotspot management. 24.2 Billing Overview You can use an accounting method, configure a discount price plan or use an online payment service by credit card. • Use the General screen (see Section 24.3 on . ZyWALL USG FLEX Series User's Guide 513 - ZyXEL USG FLEX 700 | User Guide - Page 514
SSID profiles to which the settings are applied. Click Configuration > Hotspot > Billing > General to open the following screen. Figure 352 Configuration > Hotspot > Billing > General ZyWALL USG FLEX Series User's Guide 514 - ZyXEL USG FLEX 700 | User Guide - Page 515
symbol or currency unit. If you set Currency code to User-Define, enter a three-letter alphabetic code manually. This shows the number of decimal places to be used for billing. Select whether you would like to Profiles list and click the left arrow button. ZyWALL USG FLEX Series User's Guide 515 - ZyXEL USG FLEX 700 | User Guide - Page 516
a new one. If a Standard license has expired, click Renew to extend the license. Service Type Expiration Date Apply Reset Then, click Activate to connect with the myZyxel server to activate the correspond to the buttons on a connected statement printer. ZyWALL USG FLEX Series User's Guide 516 - ZyXEL USG FLEX 700 | User Guide - Page 517
the Preview button to open this screen. You can also open this screen by logging into the Web Configurator with the guest-manager account. ZyWALL USG FLEX Series User's Guide 517 - ZyXEL USG FLEX 700 | User Guide - Page 518
field displays the price per time unit for each level. Enter the user's name. Enter the user's email address. Enter the user's phone number. ZyWALL USG FLEX Series User's Guide 518 - ZyXEL USG FLEX 700 | User Guide - Page 519
account information in an SMS text message to the user's mobile phone. Click Cancel to close this window when you are finished viewing it. ZyWALL USG FLEX Series User's Guide 519 - ZyXEL USG FLEX 700 | User Guide - Page 520
screen allows you to send SMS messages for certain accounts. Click the Account Redeem tab in the Account Generator screen to open this screen. ZyWALL USG FLEX Series User's Guide 520 - ZyXEL USG FLEX 700 | User Guide - Page 521
cost of the account. This field displays the method of payment for each account. This field displays the mobile phone number for the account. ZyWALL USG FLEX Series User's Guide 521 - ZyXEL USG FLEX 700 | User Guide - Page 522
expires, the user's access will be stopped. The allowed time period ranges are 10 to 60 minutes, 0 to 24 hours, or 0 to 365 days. ZyWALL USG FLEX Series User's Guide 522 - ZyXEL USG FLEX 700 | User Guide - Page 523
> Discount to open the following screen. Note: The discount price plan does not apply to users who purchase access time online with a credit card. ZyWALL USG FLEX Series User's Guide 523 - ZyXEL USG FLEX 700 | User Guide - Page 524
level. Click this button to save your changes to the Zyxel Device. Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 524 - ZyXEL USG FLEX 700 | User Guide - Page 525
directly through the Internet. You must register with the supported credit card service before you can configure the Zyxel Device to handle credit card transactions. Click Configuration > Hotspot > Billing > Payment Service to open the following screen. ZyWALL USG FLEX Series User's Guide 525 - ZyXEL USG FLEX 700 | User Guide - Page 526
enable the online payment service on the Zyxel supports. Enter the ID token provided to you by PayPal after successfully applying for your PayPal account. Enter the address of the PayPal gateway provided to you by PayPal after applying for your PayPal account. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 527
can configure both the desktop and mobile versions of the service pages. Users click a link in the pages to switch between the two versions. Click Configuration > Hotspot > Billing > Payment Service > Desktop View or Mobile View to open the following screen. ZyWALL USG FLEX Series User's Guide 527 - ZyXEL USG FLEX 700 | User Guide - Page 528
Chapter 24 Hotspot Figure 360 Configuration > Hotspot > Billing > Payment Service > Desktop View ZyWALL USG FLEX Series User's Guide 528 - ZyXEL USG FLEX 700 | User Guide - Page 529
Chapter 24 Hotspot Figure 361 Configuration > Hotspot > Billing > Payment Service > Mobile View ZyWALL USG FLEX Series User's Guide 529 - ZyXEL USG FLEX 700 | User Guide - Page 530
page as it is saved indefinitely. Use Customized Page Select this to use a custom online payment service page instead of the default one built into the Zyxel Device. Once this option is selected, the button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 530 - ZyXEL USG FLEX 700 | User Guide - Page 531
configure a printer list and allow the Zyxel Device to monitor the printer status. Click Configuration > Hotspot > Printer Manager > General to open the following screen. ZyWALL USG FLEX Series User's Guide 531 - ZyXEL USG FLEX 700 | User Guide - Page 532
use this feature. Refresh Use Printer Manager > General > Add to manually configure a printer's IP address and add it to the managed printer list when the printer is not detected or connected to the Zyxel Device. Click this to update the printer list table. ZyWALL USG FLEX Series User's Guide 532 - ZyXEL USG FLEX 700 | User Guide - Page 533
to buy a new one. If a Standard license has expired, click Renew to extend the license. Service Type Expiration Date Apply Reset Then, click Activate to connect with the myZyxel server to activate the new to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 533 - ZyXEL USG FLEX 700 | User Guide - Page 534
. You can't click the Edit icon when the printer status is sync fail or sync progressing. Figure 364 Configuration > Hotspot > Printer Manager > General: Edit ZyWALL USG FLEX Series User's Guide 534 - ZyXEL USG FLEX 700 | User Guide - Page 535
screen to find connected printers or edit a connected printer's settings. Use Printer Manager >General > Add to manually configure a printer's IP address and add it to the managed printer list when the printer is not detected or connected to the Zyxel Device. ZyWALL USG FLEX Series User's Guide 535 - ZyXEL USG FLEX 700 | User Guide - Page 536
printer is not in the managed printer list or the printer status is sync fail. This field displays the MAC address of the printer. ZyWALL USG FLEX Series User's Guide 536 - ZyXEL USG FLEX 700 | User Guide - Page 537
Use Fixed IP Address Select this if you want to specify the IP address, subnet mask, and gateway manually. IP Address This field is enabled if you select Use Fixed IP Address. Subnet Mask Enter the IP . Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 537 - ZyXEL USG FLEX 700 | User Guide - Page 538
default). Click this button to save your changes to the Zyxel Device. Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 538 - ZyXEL USG FLEX 700 | User Guide - Page 539
includes the accounts created on 2013/05/10 between 00:00:01 and 19:59:59. Key combination: A B C A A The following figure shows an example. ZyWALL USG FLEX Series User's Guide 539 - ZyXEL USG FLEX 700 | User Guide - Page 540
. If there are more than 2000 accounts created in the same month or same day, the account report's calculations only include the latest 2000. ZyWALL USG FLEX Series User's Guide 540 - ZyXEL USG FLEX 700 | User Guide - Page 541
the MAC address of the Zyxel Device on the WAN. LAMA This field displays the MAC address of the Zyxel Device on the LAN. ZyWALL USG FLEX Series User's Guide 541 - ZyXEL USG FLEX 700 | User Guide - Page 542
the Zyxel Device's recent memory usage. DKST This field displays what percentage of the Zyxel Device's on-board flash memory is currently being used. ZyWALL USG FLEX Series User's Guide 542 - ZyXEL USG FLEX 700 | User Guide - Page 543
to enable and configure the free time settings. Click Configuration > Hotspot > Free Time to open the following screen. Figure 371 Configuration > Hotspot > Free Time ZyWALL USG FLEX Series User's Guide 543 - ZyXEL USG FLEX 700 | User Guide - Page 544
On-Screen to display the user account information in the web screen. Select SMS to use Short Message Service (SMS) to send account information in a text message to the user's mobile device. Select On and password, and click login to access their free account. ZyWALL USG FLEX Series User's Guide 544 - ZyXEL USG FLEX 700 | User Guide - Page 545
to buy a new one. If a Standard license has expired, click Renew to extend the license. Service Type Expiration Date Apply Reset Then, click Activate to connect with the myZyxel server to activate the new screen with a link to create a free guest account. ZyWALL USG FLEX Series User's Guide 545 - ZyXEL USG FLEX 700 | User Guide - Page 546
description in the login screen will be mainly for online payment service. You can still click the link to get a free account. If SMS is enabled on the Zyxel Device, you have to enter your mobile phone number before clicking OK to get a free guest account. ZyWALL USG FLEX Series User's Guide 546 - ZyXEL USG FLEX 700 | User Guide - Page 547
The guest account information then displays on the screen and/or is sent to the configured mobile phone number. EXAMPLE ZyWALL USG FLEX Series User's Guide 547 - ZyXEL USG FLEX 700 | User Guide - Page 548
network settings, even when the IP addresses of the computer and the Zyxel Device are not in the same subnet. Figure 372 IPnP Application ZyWALL USG FLEX Series User's Guide 548 - ZyXEL USG FLEX 700 | User Guide - Page 549
for this service. If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license. Then, click Activate to connect with the myZyxel server to activate the new license. ZyWALL USG FLEX Series User's Guide 549 - ZyXEL USG FLEX 700 | User Guide - Page 550
can register your Zyxel Device and activate the service. Apply Reset This link is available only when the service is not activated yet. Click Apply to save your changes back to the Zyxel Device. Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 550 - ZyXEL USG FLEX 700 | User Guide - Page 551
DESCRIPTION Enable Walled Garden Select this to turn on the walled garden feature. Note: This feature works only with the web portal authentication type. Hotspot Service Status ZyWALL USG FLEX Series User's Guide 551 - ZyXEL USG FLEX 700 | User Guide - Page 552
if your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service. If you need a license or a trial license has expired, click Buy to buy a new one. If open a screen where you can modify the entry's settings. ZyWALL USG FLEX Series User's Guide 552 - ZyXEL USG FLEX 700 | User Guide - Page 553
in the login screen. You can use up to 31 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). Spaces are also allowed. The first character must be a letter. ZyWALL USG FLEX Series User's Guide 553 - ZyXEL USG FLEX 700 | User Guide - Page 554
lit when the entry is active and dimmed when the entry is inactive. Name This field displays the descriptive name of the web site. ZyWALL USG FLEX Series User's Guide 554 - ZyXEL USG FLEX 700 | User Guide - Page 555
Login Example The following figure shows the user login screen with two walled garden links. The links are named WalledGardenLink1 through 2 for demonstration purposes. ZyWALL USG FLEX Series User's Guide 555 - ZyXEL USG FLEX 700 | User Guide - Page 556
Chapter 28 Walled Garden Figure 379 Walled Garden Login Example ZyWALL USG FLEX Series User's Guide 556 - ZyXEL USG FLEX 700 | User Guide - Page 557
Zyxel Device confirms you want to remove it before doing so. # This field is a sequential value, and it is not associated with any entry. ZyWALL USG FLEX Series User's Guide 557 - ZyXEL USG FLEX 700 | User Guide - Page 558
your license has Expired. It displays Not Licensed if there isn't a license to be activated for this service. If you need a license or a trial license has expired, click Buy to buy a new one. . Figure 381 Configuration > Hotspot > Advertisement > Add/Edit ZyWALL USG FLEX Series User's Guide 558 - ZyXEL USG FLEX 700 | User Guide - Page 559
web site in a new frame. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 559 - ZyXEL USG FLEX 700 | User Guide - Page 560
(from / to) • to a specific source and destination address objects • to a specific type of traffic (services) • to a specific user or group of users • at a specific schedule The policy can be configured: Figure 382 Default Directional Security Policy Example ZyWALL USG FLEX Series User's Guide 560 - ZyXEL USG FLEX 700 | User Guide - Page 561
troubleshooting, and other information. This is an example of a port forwarding configuration walkthrough. Figure 383 Example of a Port Forwarding Configuration Walkthrough. 1 2 3 4 This is an example of L2TP over IPSec VPN Troubleshooting troubleshooting. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 562
Chapter 30 Security Policy Figure 384 Example of L2TP over IPSec Troubleshooting - 1 1 2 3 2 ZyWALL USG FLEX Series User's Guide 562 - ZyXEL USG FLEX 700 | User Guide - Page 563
link to OneSecurity walkthroughs, troubleshooting and so on in Service > App Patrol • Security Service > Content Filter • Security Service > IDP • Security Service > Anti-Malware • Security Service > Email Security • VPN > IPSec VPN • VPN > SSL VPN • VPN > L2TP VPN ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 564
with specific types of traffic. Traffic not recognized by application patrol is ignored. • Security Service > Application Patrol Click this icon for more information on Content Filter, which controls access to passing between zones or even between interfaces. ZyWALL USG FLEX Series User's Guide 564 - ZyXEL USG FLEX 700 | User Guide - Page 565
address and object, IP protocol type of network traffic (service) and Security Service profile criteria against the Security Policies (in the order you list them). When the traffic matches a policy, the Zyxel Device takes the action specified in the policy. ZyWALL USG FLEX Series User's Guide 565 - ZyXEL USG FLEX 700 | User Guide - Page 566
2. 3 The reply from the WAN goes to the Zyxel Device. 4 The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1. ZyWALL USG FLEX Series User's Guide 566 - ZyXEL USG FLEX 700 | User Guide - Page 567
destination. • The ordering of your policies is very important as policies are applied in sequence. The following screen shows the Security Policy summary screen. ZyWALL USG FLEX Series User's Guide 567 - ZyXEL USG FLEX 700 | User Guide - Page 568
Chapter 30 Security Policy Figure 387 Configuration > Security Policy > Policy Control ZyWALL USG FLEX Series User's Guide 568 - ZyXEL USG FLEX 700 | User Guide - Page 569
is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. Service View all security policies based the service object used. User View all security policies based on user or user group . To turn off an entry, select it and click Inactivate. ZyWALL USG FLEX Series User's Guide 569 - ZyXEL USG FLEX 700 | User Guide - Page 570
email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 570 - ZyXEL USG FLEX 700 | User Guide - Page 571
packets to which the policy applies. any means all interfaces. Source Destination Service Device means packets destined for the Zyxel Device itself. Select an IPv4 going to IPv4 / IPv6 addresses. Select a service or service group from the drop-down list box. ZyWALL USG FLEX Series User's Guide 571 - ZyXEL USG FLEX 700 | User Guide - Page 572
the list box; none displays if no profiles have been created in the Configuration > Security Service > SSL Inspection screen. Click OK to save your customized settings and exit this screen. Click anomaly policies may be updated when you upload new firmware. ZyWALL USG FLEX Series User's Guide 572 - ZyXEL USG FLEX 700 | User Guide - Page 573
that entry and press [ENTER] to move the entry to the number that you typed. # This is the entry's index number in the list. ZyWALL USG FLEX Series User's Guide 573 - ZyXEL USG FLEX 700 | User Guide - Page 574
or disable individual policies and then edit the default log options and actions. Click Configuration > Security Policy > ADP > Profile to view the following screen. ZyWALL USG FLEX Series User's Guide 574 - ZyXEL USG FLEX 700 | User Guide - Page 575
> Security Policy > ADP > Profile screen, click the Edit or Add icon and choose a base profile. Traffic Anomaly is the first tab in the profile. ZyWALL USG FLEX Series User's Guide 575 - ZyXEL USG FLEX 700 | User Guide - Page 576
invalid profile names: Description • 1mYProfile • My Profile • MyProfile? • Whatalongprofilename123456789012 In addition to the name, type additional information to help you identify this ADP profile. ZyWALL USG FLEX Series User's Guide 576 - ZyXEL USG FLEX 700 | User Guide - Page 577
attacks where an attacker scans device(s) to determine what types of network protocols or services a device supports. Sensitivity Flood detection tries to find attacks that saturate a network with useless the final profile screen to complete the profile. ZyWALL USG FLEX Series User's Guide 577 - ZyXEL USG FLEX 700 | User Guide - Page 578
LAN interface. • In an IP Spoof from a LAN interface, the source address appears to be in a different subnet from that Zyxel Device LAN interface. ZyWALL USG FLEX Series User's Guide 578 - ZyXEL USG FLEX 700 | User Guide - Page 579
Chapter 30 Security Policy Figure 392 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly ZyWALL USG FLEX Series User's Guide 579 - ZyXEL USG FLEX 700 | User Guide - Page 580
policy and use the Action icon. original setting: Select this action to return each rule in a service group to its previously saved configuration. none: Select this action to have the Zyxel Device take no order according to the protocol anomaly policy name. ZyWALL USG FLEX Series User's Guide 580 - ZyXEL USG FLEX 700 | User Guide - Page 581
individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 393 Configuration > Security Policy > Session Control ZyWALL USG FLEX Series User's Guide 581 - ZyXEL USG FLEX 700 | User Guide - Page 582
Edit icon to display the Add or Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. ZyWALL USG FLEX Series User's Guide 582 - ZyXEL USG FLEX 700 | User Guide - Page 583
need to specify a schedule since you need the Security Policy to always be in effect. The following figure shows the results of this policy. ZyWALL USG FLEX Series User's Guide 583 - ZyXEL USG FLEX 700 | User Guide - Page 584
SCHEDULE 1 Any Any Any Any 2 Any Any Any Any SERVICE IRC Any ACTION Deny Allow • The first row blocks LAN access to the IRC service on the WAN. • The second row is the Security Policy figure shows the results of your two custom policies. ZyWALL USG FLEX Series User's Guide 584 - ZyXEL USG FLEX 700 | User Guide - Page 585
DESTINATION SCHEDULE 1 Any 172.16.1.7 Any Any 2 Any Any Any Any 3 Any Any Any Any SERVICE IRC IRC Any ACTION Allow Deny Allow • The first row allows the LAN1 computer at IP address 172.16 drop it and not check any other security policies. ZyWALL USG FLEX Series User's Guide 585 - ZyXEL USG FLEX 700 | User Guide - Page 586
action the Zyxel Device takes once a packet matches a signature (forward, drop, or reject a service's connections and/or create a log alert). Use policies to link profiles to traffic flows based on Zyxel Device examines several packets to make sure the match ZyWALL USG FLEX Series User's Guide 586 - ZyXEL USG FLEX 700 | User Guide - Page 587
action and log settings. Click Configuration > Security Service > App Patrol to open the following screen. Click the Application Patrol icon for more information on the Zyxel Device's security features. Figure 397 Configuration > Security Service > App Patrol ZyWALL USG FLEX Series User's Guide 587 - ZyXEL USG FLEX 700 | User Guide - Page 588
Patrol The following table describes the labels in this screen. Table 240 Configuration > Security Service > App Patrol LABEL DESCRIPTION Add Click this to create a new entry. Select an > Security Policy > Policy Control screen to check the result. ZyWALL USG FLEX Series User's Guide 588 - ZyXEL USG FLEX 700 | User Guide - Page 589
Action The following table describes the labels in this screen. Table 241 Configuration > Security Service > App Patrol > Action LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display zone and/or to a particular zone. any means all zones. ZyWALL USG FLEX Series User's Guide 589 - ZyXEL USG FLEX 700 | User Guide - Page 590
, antimalware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 590 - ZyXEL USG FLEX 700 | User Guide - Page 591
My Application The following table describes the labels in this screen. Table 242 Configuration > Security Service > App Patrol > Add/Edit > My Application LABEL DESCRIPTION General Settings Name Type the name click Remove to delete the selected entry. ZyWALL USG FLEX Series User's Guide 591 - ZyXEL USG FLEX 700 | User Guide - Page 592
page. 31.2.3 Application Patrol Profile > Add/Edit - Query Result Click Configuration > Security Service > App Patrol > Add, then click Query Result to search for certain applications within a click it), then click Query Result to open the following screen. ZyWALL USG FLEX Series User's Guide 592 - ZyXEL USG FLEX 700 | User Guide - Page 593
Query Result The following table describes the labels in this screen. Table 243 Configuration > Security Service > App Patrol > Add/Edit > Query Result LABEL DESCRIPTION General Settings Name Type the field displays the category type of the application. ZyWALL USG FLEX Series User's Guide 593 - ZyXEL USG FLEX 700 | User Guide - Page 594
Chapter 31 Application Patrol Table 243 Configuration > Security Service > App Patrol > Add/Edit (continued)> Query Result LABEL DESCRIPTION Tag Action This field displays . Click Cancel to return to the profile summary page without saving any changes. ZyWALL USG FLEX Series User's Guide 594 - ZyXEL USG FLEX 700 | User Guide - Page 595
following features. • Category-based Blocking The Zyxel Device can block access to particular categories of web site content, such as pornography or racial intolerance. ZyWALL USG FLEX Series User's Guide 595 - ZyXEL USG FLEX 700 | User Guide - Page 596
HTTPS traffic and take appropriate action. SSL Inspection identifies HTTPS traffic for all Security Service traffic and has higher priority than HTTPS Domain Filter. HTTPS Domain Filter only identifies (news/pressroom.php) but it would not find "tw/news". ZyWALL USG FLEX Series User's Guide 596 - ZyXEL USG FLEX 700 | User Guide - Page 597
or specify a redirect URL and check your external web filtering service registration status. Click the Content Filter icon for more information on the Zyxel Device's security features. Figure 401 Configuration > Security Service > Content Filter > Profile ZyWALL USG FLEX Series User's Guide 597 - ZyXEL USG FLEX 700 | User Guide - Page 598
this check box to have the Zyxel Device block HTTPS web pages using the cloud category service. Enable Content Filter HTTPS Domain Filter Block/Warn Page Block/Warn Page Port Drop connection when in the Action field to apply the entry to a security policy. ZyWALL USG FLEX Series User's Guide 598 - ZyXEL USG FLEX 700 | User Guide - Page 599
Action The following table describes the labels in this screen. Table 245 Configuration > Security Service > Content Filter > Action LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display zone and/or to a particular zone. any means all zones. ZyWALL USG FLEX Series User's Guide 599 - ZyXEL USG FLEX 700 | User Guide - Page 600
, antimalware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 600 - ZyXEL USG FLEX 700 | User Guide - Page 601
Content Filter 32.2.2 Content Filter Add Profile Category Service Click Configuration > Security Service > Content Filter > Profile > Add or Edit to open the Add Filter Profile screen. Figure 403 Content Filter > Profile > Add Filter Profile > Category Service ZyWALL USG FLEX Series User's Guide 601 - ZyXEL USG FLEX 700 | User Guide - Page 602
gws_rd=ssl#q=porn&safe=active. Supported search engines at the time of writing are: Enable Content Filter Category Service Log all web pages Yahoo, service has not categorized. Select Log to record attempts to access web pages that are not categorized. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 603
of Internet content. Test Web Site Category URL to test You must have the Category Service content filtering license to filter these categories. See the next table for category details. category also includes cocktail recipes and home-brewing instructions. ZyWALL USG FLEX Series User's Guide 603 - ZyXEL USG FLEX 700 | User Guide - Page 604
This category also includes sites where many consumers reported being cheated or not receiving services. Content Server This category does not include phishing, which tries to perpetrate fraud that serve only advertisements. See the Web Ads category. ZyWALL USG FLEX Series User's Guide 604 - ZyXEL USG FLEX 700 | User Guide - Page 605
interaction such as online dating, friendship, school reunions, pen-pals, escort services, or introductions to potential spouses. Digital Postcards Discrimination This category does not include as Games, Humor/ Comics, Recreation/Hobbies, or Entertainment. ZyWALL USG FLEX Series User's Guide 605 - ZyXEL USG FLEX 700 | User Guide - Page 606
category does not include message forums with a business or technical support focus. Web pages that allow users to wager or place cover all health-related information and health care services. Historical Revisionism This category does not include value. ZyWALL USG FLEX Series User's Guide 606 - ZyXEL USG FLEX 700 | User Guide - Page 607
sites such as web design, domain registration, Internet Service Providers, and broadband and telecommunications companies that provide web services. This category includes web utilities such as statistics and access logs, and web graphics like clip art. ZyWALL USG FLEX Series User's Guide 607 - ZyXEL USG FLEX 700 | User Guide - Page 608
Software/Hardware, Stock Trading, Tobacco, Travel, and Weapons. • Sites that market their services only to other businesses. See the Business category. • Sites that rob or cheat consumers provide business-to-business-only content regarding motor vehicles. ZyWALL USG FLEX Series User's Guide 608 - ZyXEL USG FLEX 700 | User Guide - Page 609
sites also provide a variety of internal site features or services such as search engines, email, news, and entertainment. Mailing list sites with a variety of content are in this category. This category does not include sites with topic-specific content. ZyWALL USG FLEX Series User's Guide 609 - ZyXEL USG FLEX 700 | User Guide - Page 610
pages that provide instructions to commit illegal or criminal activities. Instructions include committing murder or suicide, sabotage, bomb-making, lockpicking, service theft, evading law cases, they might want to remove this software from their computers. ZyWALL USG FLEX Series User's Guide 610 - ZyXEL USG FLEX 700 | User Guide - Page 611
astrology and horoscope sites Web pages that provide remote access to a program, online service, or an entire computer system. Reserved Residential IP Addresses Although remote access is often other content that is often the subject of research papers. ZyWALL USG FLEX Series User's Guide 611 - ZyXEL USG FLEX 700 | User Guide - Page 612
or business focus that provide online message posting or real-time chatting, such as technical support or interactive business communication. Although users can post any type of content, these forums only in the categories of Forum/Bulletin Boards or Chat. ZyWALL USG FLEX Series User's Guide 612 - ZyXEL USG FLEX 700 | User Guide - Page 613
, not the companies that provide the advertisements or advertising services. Web Mail This category does not include aggressive advertising adware. See the Spyware/ Adware category. Web pages that enable users to send or receive email through the Internet. ZyWALL USG FLEX Series User's Guide 613 - ZyXEL USG FLEX 700 | User Guide - Page 614
the web site's address contains a keyword. Use this screen to add or remove specific sites or keywords from the filter list. Figure 404 Configuration > Security Service > Content Filter > Filter Profile > Custom Service ZyWALL USG FLEX Series User's Guide 614 - ZyXEL USG FLEX 700 | User Guide - Page 615
are files stored on a computer's hard drive. Some web servers use them to track usage and provide service based on ID. A server that acts as an intermediary between a user and the Internet to provide it. This displays the index number of the trusted web sites. ZyWALL USG FLEX Series User's Guide 615 - ZyXEL USG FLEX 700 | User Guide - Page 616
. 32.3 Content Filter Trusted Web Sites Screen Click Configuration > Security Service > Content Filter > Trusted Web Sites to open the Trusted Web Sites screen. You can create a common list of good (allowed) web site addresses. When you configure Filter ZyWALL USG FLEX Series User's Guide 616 - ZyXEL USG FLEX 700 | User Guide - Page 617
screen to its last-saved settings. 32.4 Content Filter Forbidden Web Sites Screen Click Configuration > Security Service > Content Filter > Forbidden Web Sites to open the Forbidden Web Sites screen. You can create remove specific sites from the filter list. ZyWALL USG FLEX Series User's Guide 617 - ZyXEL USG FLEX 700 | User Guide - Page 618
Sites The following table describes the labels in this screen. Table 250 Configuration > Security Service > Content Filter > Forbidden Web Sites LABEL DESCRIPTION Forbidden Web Site List Add Edit Remove content filter lookup process is described below. ZyWALL USG FLEX Series User's Guide 618 - ZyXEL USG FLEX 700 | User Guide - Page 619
on the settings in the content filter profile. The web site's address and category are then stored in the Zyxel Device's content filter cache. ZyWALL USG FLEX Series User's Guide 619 - ZyXEL USG FLEX 700 | User Guide - Page 620
your computer inoperable. Spyware infiltrate your device and secretly gathers information about you, such as your network activity, passwords, bank details, and so on. ZyWALL USG FLEX Series User's Guide 620 - ZyXEL USG FLEX 700 | User Guide - Page 621
of writing, the MD5 (Message Digest 5) hash algorithm is supported. Local Signature Databases The Zyxel Device downloads the signature(s) cloud query. Extend your license in the Registration > Service screen. Anti-Malware Scan Process Before going through the ZyWALL USG FLEX Series User's Guide 621 - ZyXEL USG FLEX 700 | User Guide - Page 622
file will be modified. Logs/alerts will be sent according to your settings. The next figure shows a flow chart detailing the anti-malware scan. ZyWALL USG FLEX Series User's Guide 622 - ZyXEL USG FLEX 700 | User Guide - Page 623
Chapter 33 Anti-Malware Figure 410 Anti-Malware Flowchart ZyWALL USG FLEX Series User's Guide 623 - ZyXEL USG FLEX 700 | User Guide - Page 624
decompression (ZIP and RAR). • Traffic compressed or encoded using a method the Zyxel Device does not support. Finding Out More • See Section 33.7 on page 638 for anti-malware background information. 33 blocked) and white (allowed) lists of malware patterns. ZyWALL USG FLEX Series User's Guide 624 - ZyXEL USG FLEX 700 | User Guide - Page 625
particular signatures and get more information about them. 33.2 Anti-Malware Screen Click Configuration > Security Service > Anti-Malware to display the configuration screen as shown next. Click the Anti-Malware icon the user if there is an infected file. ZyWALL USG FLEX Series User's Guide 625 - ZyXEL USG FLEX 700 | User Guide - Page 626
. Table 252 Configuration > Security Service > Anti-Malware LABEL DESCRIPTION General Setting Enable Select this checkbox to activate the anti-malware feature to protect your connected network from infection and the installation of malicious software. ZyWALL USG FLEX Series User's Guide 626 - ZyXEL USG FLEX 700 | User Guide - Page 627
Chapter 33 Anti-Malware Table 252 Configuration > Security Service > Anti-Malware (continued) LABEL DESCRIPTION Scan and detect EICAR test virus Select this option to have and click this to delete it. To turn on an entry, select it and click Activate. ZyWALL USG FLEX Series User's Guide 627 - ZyXEL USG FLEX 700 | User Guide - Page 628
Device to allow this file. Click Configuration > Security Service > Anti-Malware > Black/White List > White List to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry. ZyWALL USG FLEX Series User's Guide 628 - ZyXEL USG FLEX 700 | User Guide - Page 629
White List The following table describes the fields in this screen. Table 253 Configuration > Security Service > Anti-Malware > Black/White List > White List LABEL DESCRIPTION Check White List Add Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 629 - ZyXEL USG FLEX 700 | User Guide - Page 630
pattern that would cause the Zyxel Device to log and then destroy this file. Click Configuration > Security Service > Anti-Malware > Black/White List > Black List to display the following screen. Use Add to to distinguish whether a file should be blocked. ZyWALL USG FLEX Series User's Guide 630 - ZyXEL USG FLEX 700 | User Guide - Page 631
Service > Anti-Malware > Signature LABEL DESCRIPTION Signatures Search Enter the name, part of the name or keyword of the signature(s) you want to find and click Search. This search is not case-sensitive and accepts numerical strings. Query Result ZyWALL USG FLEX Series User's Guide 631 - ZyXEL USG FLEX 700 | User Guide - Page 632
> Profile The following table describes the labels in this screen. Table 256 Configuration > Security Service > Anti-Malware > Profile LABEL DESCRIPTION Add Click this to create a new entry. Select an entry and click Remove to delete the selected entry. ZyWALL USG FLEX Series User's Guide 632 - ZyXEL USG FLEX 700 | User Guide - Page 633
following table describes the labels in this screen. Table 257 Configuration > Security Service > Anti-Malware > Profile > Add/Edit LABEL DESCRIPTION General Setting Name names: • 1mYProfile • My Profile • MyProfile? • Whatalongprofilename123456789012 ZyWALL USG FLEX Series User's Guide 633 - ZyXEL USG FLEX 700 | User Guide - Page 634
Chapter 33 Anti-Malware Table 257 Configuration > Security Service > Anti-Malware > Profile > Add/Edit (continued) LABEL DESCRIPTION Description Actions When Matched screen under Profile, select which profile you want to use for each security service. ZyWALL USG FLEX Series User's Guide 634 - ZyXEL USG FLEX 700 | User Guide - Page 635
Chapter 33 Anti-Malware Figure 418 Configuration > Security Service > Policy Control > Profile 33.6.3 Anti-Malware Advance Screen The Security Service > Anti-Malware > Anti-Malware screen changes when using profiles. ZyWALL USG FLEX Series User's Guide 635 - ZyXEL USG FLEX 700 | User Guide - Page 636
by clicking the link here. If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to !P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* ZyWALL USG FLEX Series User's Guide 636 - ZyXEL USG FLEX 700 | User Guide - Page 637
you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security. Note: All profiles that you you will not see the profile screen for this feature. ZyWALL USG FLEX Series User's Guide 637 - ZyXEL USG FLEX 700 | User Guide - Page 638
the computer for file inspection. • You have to update the malware signatures and/or perform malware scans on all computers on the network regularly. ZyWALL USG FLEX Series User's Guide 638 - ZyXEL USG FLEX 700 | User Guide - Page 639
enter or exit a network. • NAM scanners reduce computing loading on computers as the read-time data traffic inspection is done on a dedicated security device. ZyWALL USG FLEX Series User's Guide 639 - ZyXEL USG FLEX 700 | User Guide - Page 640
activity is detected. 34.2 URL Threat Filter Screen When you enable the URL Threat filtering service, your Zyxel Device will access an external database, Cloud Query, that has millions of web connection attempt to or from a site in a selected category. ZyWALL USG FLEX Series User's Guide 640 - ZyXEL USG FLEX 700 | User Guide - Page 641
The following table describes the labels in this screen. Table 260 Configuration > Security Service > Reputation Filter > URL Threat Filter > General LABEL DESCRIPTION URL Blocking Enable Action connection matches web pages of the specified categories. ZyWALL USG FLEX Series User's Guide 641 - ZyXEL USG FLEX 700 | User Guide - Page 642
up windows when you perform a certain action. Adware programs are often installed in exchange for another service, such as the right to use a program without paying for it. Enter a URL using http allow incoming packets from the listed IPv4 addresses and URLs. ZyWALL USG FLEX Series User's Guide 642 - ZyXEL USG FLEX 700 | User Guide - Page 643
table describes the labels in this screen. Table 261 Configuration > Security Service > Reputation Filter > URL Threat Filter > White List LABEL DESCRIPTION White 423 Configuration > Security Service > Reputation Filter > URL Threat Filter > Black List ZyWALL USG FLEX Series User's Guide 643 - ZyXEL USG FLEX 700 | User Guide - Page 644
table describes the labels in this screen. Table 262 Configuration > Security Service > Reputation Filter > URL Threat Filter > Black List LABEL DESCRIPTION Black Figure 425 Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile ZyWALL USG FLEX Series User's Guide 644 - ZyXEL USG FLEX 700 | User Guide - Page 645
table describes the labels in this screen. Table 263 Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile LABEL DESCRIPTION Add Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile > Add/Edit ZyWALL USG FLEX Series User's Guide 645 - ZyXEL USG FLEX 700 | User Guide - Page 646
The following table describes the labels in this screen. Table 264 Configuration > Security Service > Reputation Filter > URL Threat Filter > Profile > Add/Edit LABEL DESCRIPTION Configuration monitoring or make system changes without the user's consent. ZyWALL USG FLEX Series User's Guide 646 - ZyXEL USG FLEX 700 | User Guide - Page 647
up windows when you perform a certain action. Adware programs are often installed in exchange for another service, such as the right to use a program without paying for it. OK Click OK to , select which profile you want to use for each security service. ZyWALL USG FLEX Series User's Guide 647 - ZyXEL USG FLEX 700 | User Guide - Page 648
Chapter 34 Reputation Filter Figure 427 Configuration > Security Service > Policy Control > Profile 34.3.3 URL Threat Filter Advance Screen The Configuration > Security Service > Reputation Filter > URL Threat Filter screen also changes when using profiles. ZyWALL USG FLEX Series User's Guide 648 - ZyXEL USG FLEX 700 | User Guide - Page 649
the link here. Inspect by policy If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a policy to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 649 - ZyXEL USG FLEX 700 | User Guide - Page 650
you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security. Note: All profiles that you , you will not see the profile screen for this feature. ZyWALL USG FLEX Series User's Guide 650 - ZyXEL USG FLEX 700 | User Guide - Page 651
edit an existing signature, delete existing signatures or save signatures to your computer. • Use the Security Service > IDP > White List screen (Section 35.4 on page 665) to list signatures that will be key using the same screens to continue the subscription. ZyWALL USG FLEX Series User's Guide 651 - ZyXEL USG FLEX 700 | User Guide - Page 652
. If you try to enable IDP when the IDP service has not yet been registered, a warning screen displays and IDP is not enabled. Click the IDP icon for more information on the Zyxel Device's security features. Figure 430 Configuration > Security Service > IDP ZyWALL USG FLEX Series User's Guide 652 - ZyXEL USG FLEX 700 | User Guide - Page 653
Hold down the [Ctrl] key if you want to make multiple selections. Search for signatures by IDP service group(s). See Table 267 on page 654 for group details. Hold down the [Ctrl] key if you end with the 'rules' file name extension, for example, MySig.rules. ZyWALL USG FLEX Series User's Guide 653 - ZyXEL USG FLEX 700 | User Guide - Page 654
Chapter 35 IDP Table 266 Configuration > Security Service > IDP (continued) LABEL DESCRIPTION # This is the entry's index number in the list. SID SID is the are not specified in the policy such as password, spoof, hijack, phishing, and close-in. ZyWALL USG FLEX Series User's Guide 654 - ZyXEL USG FLEX 700 | User Guide - Page 655
it is a HTTP service run by some web server application. He then uses a web vulnerability scanner (for example, Nikto) to look for documented vulnerabilities. Spam is unsolicited "junk" email sent to large numbers of people to promote products or services. ZyWALL USG FLEX Series User's Guide 655 - ZyXEL USG FLEX 700 | User Guide - Page 656
ICMP n/a WEB_FRONTPAGE TELNET RSERVICES P2P MYSQL MISC FTP 35.2.1 Query Example This example shows a search with these criteria: • Severity: Severe • Classification Type: Misc • Platform: Windows • Service: Any • Actions: Any ZyWALL USG FLEX Series User's Guide 656 - ZyXEL USG FLEX 700 | User Guide - Page 657
own custom signatures. IP Packet Header These are the fields in an Internet Protocol (IP) version 4 packet header. Figure 432 IP v4 Packet Headers ZyWALL USG FLEX Series User's Guide 657 - ZyXEL USG FLEX 700 | User Guide - Page 658
as a filler to ensure that the IP packet is a multiple of 32 bits. Select Configuration > Security Service. The Custom Signature Rules section shows a summary of all custom signatures created. Click the SID or Name screen as shown in Figure 430 on page 652. ZyWALL USG FLEX Series User's Guide 658 - ZyXEL USG FLEX 700 | User Guide - Page 659
. Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit. Figure 433 Configuration > Security Service > IDP > Custom Signatures > Add/Edit ZyWALL USG FLEX Series User's Guide 659 - ZyXEL USG FLEX 700 | User Guide - Page 660
header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number. , select Equal, Smaller or Greater and then type in a number. ZyWALL USG FLEX Series User's Guide 660 - ZyXEL USG FLEX 700 | User Guide - Page 661
Chapter 35 IDP Table 270 Configuration > Security Service > IDP > Custom Signatures > Add/Edit (continued) LABEL DESCRIPTION IP Options Same IP Transport Protocol Transport possible, it is recommended to have at least one payload option in your signature. ZyWALL USG FLEX Series User's Guide 661 - ZyXEL USG FLEX 700 | User Guide - Page 662
resource can be anything that has identity, for example, an electronic document, an image, a service ("today's weather report for Taiwan"), a collection of other resources. An identifier is an signature, you must first clearly understand the vulnerability. ZyWALL USG FLEX Series User's Guide 662 - ZyXEL USG FLEX 700 | User Guide - Page 663
a packet analyzer (also known as a network or protocol analyzer) such as Wireshark or Ethereal to investigate some more. Figure 434 DNS Query Packet Details ZyWALL USG FLEX Series User's Guide 663 - ZyXEL USG FLEX 700 | User Guide - Page 664
Example Custom Signature 35.3.3 Applying Custom Signatures After you create your custom signature, it becomes available in an IDP profile (Configuration > Security Service > IDP > Profile > Edit screen). Custom signatures have an SID from 9000000 to 9999999. ZyWALL USG FLEX Series User's Guide 664 - ZyXEL USG FLEX 700 | User Guide - Page 665
listed signature(s) from being intercepted and inspected. Click Configuration > Security Service > IDP > White List to display the following screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry. ZyWALL USG FLEX Series User's Guide 665 - ZyXEL USG FLEX 700 | User Guide - Page 666
White List The following table describes the fields in this screen. Table 271 Configuration > Security Service > IDP > White List LABEL DESCRIPTION White List Settings Add Click this to create a new out and then log in again. Figure 438 Logout Prompt ZyWALL USG FLEX Series User's Guide 666 - ZyXEL USG FLEX 700 | User Guide - Page 667
feature. Figure 439 Configuration > Security Service > IDP> Profile The following table describes the labels in this screen. Table 272 Configuration > Security Service > IDP > Profile LABEL DESCRIPTION Add you can create or modify the entry's settings. ZyWALL USG FLEX Series User's Guide 667 - ZyXEL USG FLEX 700 | User Guide - Page 668
Add/Edit The following table describes the labels in this screen. Table 273 Configuration > Security Service > IDP LABEL DESCRIPTION Configuration Profile Name Type the name of the profile. You may use of the ID of the signature(s) you want to find. ZyWALL USG FLEX Series User's Guide 668 - ZyXEL USG FLEX 700 | User Guide - Page 669
Hold down the [Ctrl] key if you want to make multiple selections. Search for signatures by IDP service group(s). See Table 267 on page 654 for group details. Hold down the [Ctrl] key if Profile, select which profile you want to use for each security service. ZyWALL USG FLEX Series User's Guide 669 - ZyXEL USG FLEX 700 | User Guide - Page 670
Chapter 35 IDP Figure 441 Configuration > Security Service > Policy Control > Profile 35.5.3 The IDP Advance Screen The Configuration > Security Service > IDP screen changes when using profiles. ZyWALL USG FLEX Series User's Guide 670 - ZyXEL USG FLEX 700 | User Guide - Page 671
Inspect by policy Custom Signature Rules If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to # This is the entry's index number in the list. ZyWALL USG FLEX Series User's Guide 671 - ZyXEL USG FLEX 700 | User Guide - Page 672
, you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security. Note: All profiles that you will be prompted to log out and then log in again. ZyWALL USG FLEX Series User's Guide 672 - ZyXEL USG FLEX 700 | User Guide - Page 673
necessarily tight integration with the host operating system, future operating system upgrades could cause problems. Network Intrusions Network-based intrusions have the goal of bringing down a network or The rule header contains the rule's: • Action • Protocol ZyWALL USG FLEX Series User's Guide 673 - ZyXEL USG FLEX 700 | User Guide - Page 674
Snort Equivalent Terms ZYXEL DEVICE TERM SNORT EQUIVALENT TERM Type Of Service tos Identification id Fragmentation fragbits Fragmentation Offset fragoffset Time to Live Note: Not all Snort functionality is supported in the Zyxel Device. ZyWALL USG FLEX Series User's Guide 674 - ZyXEL USG FLEX 700 | User Guide - Page 675
security checking on that individual email. A properly configured black list helps catch spam email and increases the Zyxel Device's email security speed and efficiency. ZyWALL USG FLEX Series User's Guide 675 - ZyXEL USG FLEX 700 | User Guide - Page 676
. 36.2 Before You Begin • Before using the email security features (IP Reputation, Mail Content Analysis and Virus Outbreak Detection) you must activate your email security Service license. • Configure your zones before you configure email security. ZyWALL USG FLEX Series User's Guide 676 - ZyXEL USG FLEX 700 | User Guide - Page 677
36 Email Security 36.3 The Email Security Screen Click Configuration > Security Service > Email Security to open the Email Security screen. Use this screen on the Zyxel Device's security features. Figure 444 Configuration > Security Service > Email Security ZyWALL USG FLEX Series User's Guide 677 - ZyXEL USG FLEX 700 | User Guide - Page 678
following table describes the labels in this screen. Table 276 Configuration > Security Service > Email Security LABEL DESCRIPTION General Settings Enable Check White List Check Black List (no) by default when traffic matches a signature in this category. ZyWALL USG FLEX Series User's Guide 678 - ZyXEL USG FLEX 700 | User Guide - Page 679
screen to its last-saved settings. 36.4 The Black List / White List Screen Click Configuration > Security Service > Email Security > Black /White List to display the Black List / White List screen. Configure the heading cell again to reverse the sort order. ZyWALL USG FLEX Series User's Guide 679 - ZyXEL USG FLEX 700 | User Guide - Page 680
List The following table describes the labels in this screen. Table 277 Configuration > Security Service > Email Security > Black/White List LABEL DESCRIPTION Rule Summary Add Click this to create that check for particular header fields and values. ZyWALL USG FLEX Series User's Guide 680 - ZyXEL USG FLEX 700 | User Guide - Page 681
) > Add The following table describes the labels in this screen. Table 278 Configuration > Security Service > Email Security > Black/White List > Black/White List > Add LABEL DESCRIPTION Enable Rule a specific mail server's domain, enter "Received" here. ZyWALL USG FLEX Series User's Guide 681 - ZyXEL USG FLEX 700 | User Guide - Page 682
Chapter 36 Email Security Table 278 Configuration > Security Service > Email Security > Black/White List > Black/White List > Add LABEL DESCRIPTION Field Value Keyword This field After you log in again, you will see the new profile screen for this feature. ZyWALL USG FLEX Series User's Guide 682 - ZyXEL USG FLEX 700 | User Guide - Page 683
> Profile The following table describes the labels in this screen. Table 279 Configuration > Security Service > > Profile LABEL DESCRIPTION Add Click this to create a new entry. Select an entry where you can create or modify the entry's settings. ZyWALL USG FLEX Series User's Guide 683 - ZyXEL USG FLEX 700 | User Guide - Page 684
Add/Edit The following table describes the labels in this screen. Table 280 Configuration > Security Service > Email Security Profile > Add/Edit LABEL DESCRIPTION General Settings Name Type the name of to set how the Zyxel Device is to handle spam mail. ZyWALL USG FLEX Series User's Guide 684 - ZyXEL USG FLEX 700 | User Guide - Page 685
Chapter 36 Email Security Table 280 Configuration > Security Service > Email Security Profile > Add/Edit (continued) LABEL DESCRIPTION SMTP Select how the Edit Policy screen under Profile, select which profile you want to use for each security service. ZyWALL USG FLEX Series User's Guide 685 - ZyXEL USG FLEX 700 | User Guide - Page 686
Chapter 36 Email Security Figure 450 Configuration > Security Service > Policy Control > Profile 36.5.3 The Email Security Advance Screen The Configuration > Security Service > Email Security screen changes when using profiles. ZyWALL USG FLEX Series User's Guide 686 - ZyXEL USG FLEX 700 | User Guide - Page 687
it by clicking the link here. If you configured a specific profile in the Profile tab for this service, select this to have specific traffic inspected by that profile. You must bind the profile to a classifies email that matches a DNS black list as spam. ZyWALL USG FLEX Series User's Guide 687 - ZyXEL USG FLEX 700 | User Guide - Page 688
Chapter 36 Email Security Table 281 Configuration > Security Service > Email Security Advance (continued) LABEL DESCRIPTION DNSBL Spam Tag Enter a message or label (up to server IP addresses in the mail header to check against the DNSBL domain servers. ZyWALL USG FLEX Series User's Guide 688 - ZyXEL USG FLEX 700 | User Guide - Page 689
you must first make sure to change Inspect by policy to Inspect all traffic in the following security services: Anti-Malware, DNS Filter, URL Threat Filter, IDP, Email Security. Note: All profiles that you in their list. Each IP address has a separate reply. ZyWALL USG FLEX Series User's Guide 689 - ZyXEL USG FLEX 700 | User Guide - Page 690
Zyxel Device does not wait for any more DNSBL replies. Here is an example of an email classified as legitimate based on DNSBL replies. ZyWALL USG FLEX Series User's Guide 690 - ZyXEL USG FLEX 700 | User Guide - Page 691
Zyxel Device receives conflicting DNSBL replies for an email routing IP address, the Zyxel Device classifies the email as spam. Here is an example. ZyWALL USG FLEX Series User's Guide 691 - ZyXEL USG FLEX 700 | User Guide - Page 692
was an SMTP mail and the defined action was to drop the mail. The Zyxel Device does not wait for any more DNSBL replies. ZyWALL USG FLEX Series User's Guide 692 - ZyXEL USG FLEX 700 | User Guide - Page 693
Do in this Chapter • Use the Security Service > SSL Inspection > Profile screen (Section Service > SSL Inspection > Certificate Update screens (Section 37.4 on page 703) to update the latest certificates of servers using SSL connections to the Zyxel Device network ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 694
GCM • TLS1.3 AES-GCM (no key update support nor 0-RTT) • SSL Inspection does not support the following: • Compression Support • Client Authentication 37.1.3 What You Can Do Click Configuration > Security Service > SSL Inspection > Profile to open this screen. ZyWALL USG FLEX Series User's Guide 694 - ZyXEL USG FLEX 700 | User Guide - Page 695
Chapter 37 SSL Inspection Figure 457 Configuration > Security Service > SSL Inspection > Profile ZyWALL USG FLEX Series User's Guide 695 - ZyXEL USG FLEX 700 | User Guide - Page 696
in this screen. Table 282 Configuration > Security Service > SSL Inspection > Profile LABEL DESCRIPTION General public key. • ECDSA-RSA-1024 indicates Zyxel Device support for clients that support both ECDSA256 and RSA-1024 with ECDSA-256 having it. ZyWALL USG FLEX Series User's Guide 696 - ZyXEL USG FLEX 700 | User Guide - Page 697
Chapter 37 SSL Inspection Table 282 Configuration > Security Service > SSL Inspection > Profile (continued) LABEL DESCRIPTION Remove References # Name Description CA to the Configuration > Security Policy > Policy Control screen to check the result. ZyWALL USG FLEX Series User's Guide 697 - ZyXEL USG FLEX 700 | User Guide - Page 698
Action The following table describes the labels in this screen. Table 283 Configuration > Security Service > SSL Inspection > Action LABEL DESCRIPTION Show Filter/Hide Click Show Filter to display zone and/or to a particular zone. any means all zones. ZyWALL USG FLEX Series User's Guide 698 - ZyXEL USG FLEX 700 | User Guide - Page 699
, antimalware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 699 - ZyXEL USG FLEX 700 | User Guide - Page 700
and click Edit to change its settings. Figure 459 Configuration > Security Service > SSL Inspection > Profile > Add / Edit The following table Mymy12_3-4 Description CA Certificate SSL/TLS version supported minimum Log These are invalid profile names: ZyWALL USG FLEX Series User's Guide 700 - ZyXEL USG FLEX 700 | User Guide - Page 701
and is passed through uninspected. Click Configuration > Security Service > SSL Inspection > Exclude List to display the following screen. Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry. ZyWALL USG FLEX Series User's Guide 701 - ZyXEL USG FLEX 700 | User Guide - Page 702
Edit) The following table describes the fields in this screen. Table 285 Configuration > Security Service > SSL Inspection > Exclude List LABEL DESCRIPTION General Settings Enable Logs for Click this the profile summary page without saving any changes. ZyWALL USG FLEX Series User's Guide 702 - ZyXEL USG FLEX 700 | User Guide - Page 703
Zyxel Device. Figure 461 SSL Inspection Certificate Update Overview Click Configuration > Security Service > SSL Inspection > Certificate Update to display the following screen. Figure 462 Configuration > Security Service > SSL Inspection > Certificate Update ZyWALL USG FLEX Series User's Guide 703 - ZyXEL USG FLEX 700 | User Guide - Page 704
describes the fields in this screen. Table 286 Configuration > Security Service > SSL Inspection > Certificate Update LABEL DESCRIPTION Certificate Information Current using certmgr.msc. 2 Go to Trusted Root Certification Authorities > Certificates. ZyWALL USG FLEX Series User's Guide 704 - ZyXEL USG FLEX 700 | User Guide - Page 705
Chapter 37 SSL Inspection 3 From the main menu, select Action > All Tasks > Import and run the Certificate Import Wizard to install the certificate on the PC. ZyWALL USG FLEX Series User's Guide 705 - ZyXEL USG FLEX 700 | User Guide - Page 706
> Advanced > Encryption > View Certificates, click Import and enter the filename of the certificate you want to import. See the browser's help for further information. ZyWALL USG FLEX Series User's Guide 706 - ZyXEL USG FLEX 700 | User Guide - Page 707
. Click Configuration > Security Service > IP Exception to display the following screen. Use Add to put a new entry in the list or Edit to change an existing one or Remove to delete an existing entry. Figure 463 Configuration > Security Service > IP Exception ZyWALL USG FLEX Series User's Guide 707 - ZyXEL USG FLEX 700 | User Guide - Page 708
Use this screen to add or edit entries of IPv4 or IPv6 address in the IP exception list. Click Configuration > Security Service > IP Exception > Add/Edit to display the following screen. Figure 464 Configuration > Security Service > IP Exception > Add/Edit ZyWALL USG FLEX Series User's Guide 708 - ZyXEL USG FLEX 700 | User Guide - Page 709
that match source/destination criteria above. Nonselected services do inspect packets that match source/destination criteria above. OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. ZyWALL USG FLEX Series User's Guide 709 - ZyXEL USG FLEX 700 | User Guide - Page 710
of interfaces in many security and policy settings, such as Secure Policies rules, Security Service, and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface traffic, inter-zone traffic, and extra-zone traffic. ZyWALL USG FLEX Series User's Guide 710 - ZyXEL USG FLEX 700 | User Guide - Page 711
System Default zones that you cannot delete. You can create your own User Configuration zones Add Click this to create a new, user-configured zone. ZyWALL USG FLEX Series User's Guide 711 - ZyXEL USG FLEX 700 | User Guide - Page 712
belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them. ZyWALL USG FLEX Series User's Guide 712 - ZyXEL USG FLEX 700 | User Guide - Page 713
user Perform basic diagnostics (CLI) Access network services guest ext-user Browse user-mode commands (CLI) Access network services External user account LOGIN METHOD(S) WWW, TELNET, SSH, FTP, Console WWW, TELNET, SSH, Console WWW, TELNET, SSH WWW WWW ZyWALL USG FLEX Series User's Guide 713 - ZyXEL USG FLEX 700 | User Guide - Page 714
group user account guest-manager Create dynamic guest accounts dynamic-guest Access network services LOGIN METHOD(S) WWW WWW Hotspot Portal Note: The default admin account is user database. A dynamic guest account has a dynamically-created user name and ZyWALL USG FLEX Series User's Guide 714 - ZyXEL USG FLEX 700 | User Guide - Page 715
by cash or created and paid via the on-line payment service. ua-users are users that log in from the user agreement external authentication server in order to log in. • The Zyxel Device supports TTLS using PAP so you can use the Zyxel Device's local user . ZyWALL USG FLEX Series User's Guide 715 - ZyXEL USG FLEX 700 | User Guide - Page 716
guest - this user has access to the Zyxel Device's services but cannot look at the configuration. • user - this user has access to the Zyxel Device's services and can also browse user-mode commands (CLI). • user name can only contain the following characters: ZyWALL USG FLEX Series User's Guide 716 - ZyXEL USG FLEX 700 | User Guide - Page 717
Chapter 39 Object • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores] • - [dashes] The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash . Figure 469 Configuration > Object > User/Group > User > Add/Edit_General ZyWALL USG FLEX Series User's Guide 717 - ZyXEL USG FLEX 700 | User Guide - Page 718
this user has access to the Zyxel Device's services and can also browse user-mode commands (CLI). • guest - this user has access to the Zyxel Device's services but cannot look at the configuration. • the following characters in the square brackets [+*#()-]. ZyWALL USG FLEX Series User's Guide 718 - ZyXEL USG FLEX 700 | User Guide - Page 719
Settings in the Authentication Timeout Settings field, the default lease time is shown. If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session the user credentials instead of using an AAA server. ZyWALL USG FLEX Series User's Guide 719 - ZyXEL USG FLEX 700 | User Guide - Page 720
other information. In Object > User/Group > User, click Add to create a new entry or select an entry and click Edit to modify the entry. ZyWALL USG FLEX Series User's Guide 720 - ZyXEL USG FLEX 700 | User Guide - Page 721
Chapter 39 Object Figure 472 Configuration > Object > User/Group > User > Add/Edit_Two-factor Authentication Figure 473 Configuration > Object > User/Group > User > Add/Edit_Two-factor Authentication_Verified ZyWALL USG FLEX Series User's Guide 721 - ZyXEL USG FLEX 700 | User Guide - Page 722
groups. To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group > Group. Figure 474 Configuration > Object > User/Group > Group ZyWALL USG FLEX Series User's Guide 722 - ZyXEL USG FLEX 700 | User Guide - Page 723
than user names. Description Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces. ZyWALL USG FLEX Series User's Guide 723 - ZyXEL USG FLEX 700 | User Guide - Page 724
Zyxel Device before it routes traffic for them. To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group > Setting. ZyWALL USG FLEX Series User's Guide 724 - ZyXEL USG FLEX 700 | User Guide - Page 725
user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. ZyWALL USG FLEX Series User's Guide 725 - ZyXEL USG FLEX 700 | User Guide - Page 726
are the kinds of user account the Zyxel Device supports. Lease Time • admin - this user can look services but cannot look at the configuration • guest - this user has access to the Zyxel Device's services automatically, as well as manually, simply by selecting the USG FLEX Series User's Guide 726 - ZyXEL USG FLEX 700 | User Guide - Page 727
any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. To access this screen, go to the . Figure 477 Configuration > Object > User/Group > Setting > Edit ZyWALL USG FLEX Series User's Guide 727 - ZyXEL USG FLEX 700 | User Guide - Page 728
guest - this user has access to the Zyxel Device's services but cannot look at the configuration. • user - this user has access to the Zyxel Device's services but cannot look at the configuration. • guest - this the Zyxel Device, the following screen appears. ZyWALL USG FLEX Series User's Guide 728 - ZyXEL USG FLEX 700 | User Guide - Page 729
SSID security profile's MAC authentication settings to have the AP use the Zyxel Device's local database to authenticate wireless clients by their MAC addresses. ZyWALL USG FLEX Series User's Guide 729 - ZyXEL USG FLEX 700 | User Guide - Page 730
spaces. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 730 - ZyXEL USG FLEX 700 | User Guide - Page 731
of profiles for your networked APs. 39.3.0.1 What You Need To Know The following terms and concepts may help as you read this section. ZyWALL USG FLEX Series User's Guide 731 - ZyXEL USG FLEX 700 | User Guide - Page 732
on the Zyxel Device. SSID The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. devices support Target Wakeup Time (TWT) allowing them to automatically power down when they are inactive. ZyWALL USG FLEX Series User's Guide 732 - ZyXEL USG FLEX 700 | User Guide - Page 733
create radio profiles for the APs on your network. A radio profile is a list of settings that a supported managed AP (NWA5121-N for example) can use to configure either one of its two radio transmitters. To indicates the name assigned to the radio profile. ZyWALL USG FLEX Series User's Guide 733 - ZyXEL USG FLEX 700 | User Guide - Page 734
. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 734 - ZyXEL USG FLEX 700 | User Guide - Page 735
Add button or select a radio profile from the list and click the Edit button. Figure 484 Configuration > Object > AP Profile > Add/Edit Radio Profile ZyWALL USG FLEX Series User's Guide 735 - ZyXEL USG FLEX 700 | User Guide - Page 736
if you want to lessen radio interference with other wireless devices in your neighborhood or the wireless clients do not support channel bonding. Note: If the environment has poor signal-to-noise (SNR), the Zyxel Device will switch to a lower bandwidth. ZyWALL USG FLEX Series User's Guide 736 - ZyXEL USG FLEX 700 | User Guide - Page 737
the area around it and determining what channels are currently being used by other devices. Select Manual and specify the channels the AP uses. Blacklist DFS channels in presence of radar This field clean channel or a channel with lower interference. ZyWALL USG FLEX Series User's Guide 737 - ZyXEL USG FLEX 700 | User Guide - Page 738
Selection to DCS and set 2.4 GHz Channel Selection Method to manual. Schedule Start Time Week Days Enable 5 GHz DFS Aware aggregated each time. Select this to enable A-MSDU aggregation. Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of USG FLEX Series User's Guide 738 - ZyXEL USG FLEX 700 | User Guide - Page 739
higher than 4 Mbps. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 739 - ZyXEL USG FLEX 700 | User Guide - Page 740
allows you to create and manage SSID configurations that can be used by the APs. An SSID, or Service Set IDentifier, is basically the name of the wireless network to which a wireless client can connect. indicates the VLAN ID associated with the SSID profile. ZyWALL USG FLEX Series User's Guide 740 - ZyXEL USG FLEX 700 | User Guide - Page 741
have MAC addresses not in the MAC filtering profile of allowed addresses are denied connections. The disable setting means no MAC filtering is used. ZyWALL USG FLEX Series User's Guide 741 - ZyXEL USG FLEX 700 | User Guide - Page 742
> SSID > Add/Edit SSID Profile (continued) LABEL DESCRIPTION QoS Select a Quality of Service (QoS) access category to associate with this SSID. Access categories minimize the delay of data station's traffic goes through the associated AP's gateway. ZyWALL USG FLEX Series User's Guide 742 - ZyXEL USG FLEX 700 | User Guide - Page 743
wireless client cannot see it, the only way you can connect to the SSID is by manually entering the SSID name in your wireless connection setup screen(s) (these vary by client, client 487 Configuration > Object > AP Profile > SSID > Security List ZyWALL USG FLEX Series User's Guide 743 - ZyXEL USG FLEX 700 | User Guide - Page 744
's options change based on the Security Mode selected. Figure 488 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: open ZyWALL USG FLEX Series User's Guide 744 - ZyXEL USG FLEX 700 | User Guide - Page 745
The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information. Accounting Share Secret Enter a password (up to server requires for letters in the account MAC addresses. ZyWALL USG FLEX Series User's Guide 745 - ZyXEL USG FLEX 700 | User Guide - Page 746
exit this screen without saving your changes. Figure 489 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: enhanced-open ZyWALL USG FLEX Series User's Guide 746 - ZyXEL USG FLEX 700 | User Guide - Page 747
The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information. Accounting Share Secret Enter a password (up to for the two-character pairs within account MAC addresses. ZyWALL USG FLEX Series User's Guide 747 - ZyXEL USG FLEX 700 | User Guide - Page 748
to exit this screen without saving your changes. Figure 490 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: wep ZyWALL USG FLEX Series User's Guide 748 - ZyXEL USG FLEX 700 | User Guide - Page 749
. The default port number is 1813. You need not change this value unless your network administrator instructs you to do so with additional information. Accounting Share Secret Enter a password (up to 128 Zyxel Device. The key is not sent over the network. ZyWALL USG FLEX Series User's Guide 749 - ZyXEL USG FLEX 700 | User Guide - Page 750
addresses. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 750 - ZyXEL USG FLEX 700 | User Guide - Page 751
Chapter 39 Object Figure 491 Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile> Security Mode: wpa2/ wpa2-mix ZyWALL USG FLEX Series User's Guide 751 - ZyXEL USG FLEX 700 | User Guide - Page 752
a more recent development over TKIP and considerably more robust. Not all wireless clients may support this. Enter the idle interval (in seconds) that a client can be idle before authentication : The wireless client communicates directly with the target AP. ZyWALL USG FLEX Series User's Guide 752 - ZyXEL USG FLEX 700 | User Guide - Page 753
, such as voice and video. Wireless clients should also support WPA2 and fast roaming to associate with the AP (Zyxel . You need not change this value unless your network administrator instructs you to do so with additional information. Accounting Share Secret Enter USG FLEX Series User's Guide 753 - ZyXEL USG FLEX 700 | User Guide - Page 754
encryption. Pre-Shared Key Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. ZyWALL USG FLEX Series User's Guide 754 - ZyXEL USG FLEX 700 | User Guide - Page 755
support MFP. Management frames will be encrypted if the clients support MFP. Select Required and wireless clients must support You need not change this value unless your network administrator instructs you to do so with additional information. Accounting Share Secret USG FLEX Series User's Guide 755 - ZyXEL USG FLEX 700 | User Guide - Page 756
. Profile Name This field indicates the name assigned to the MAC filtering profile. Filter Action This field indicates this profile's filter action (if any). ZyWALL USG FLEX Series User's Guide 756 - ZyXEL USG FLEX 700 | User Guide - Page 757
, you can use the Rogue AP screen (Section 8.4 on page 220) to classify them as either rogue or friendly and then manage them accordingly. ZyWALL USG FLEX Series User's Guide 757 - ZyXEL USG FLEX 700 | User Guide - Page 758
it is not associated with a specific user. Status This icon is lit when the entry is active and dimmed when the entry is inactive. ZyWALL USG FLEX Series User's Guide 758 - ZyXEL USG FLEX 700 | User Guide - Page 759
LABEL DESCRIPTION Activate Select this to activate this monitor mode profile. Profile Name This field indicates the name assigned to the monitor mode profile. ZyWALL USG FLEX Series User's Guide 759 - ZyXEL USG FLEX 700 | User Guide - Page 760
column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual. OK Cancel These channels are limited to the 5 GHz range (802.11 a/n). Click OK to , you can use commercially-available software to physically locate it. ZyWALL USG FLEX Series User's Guide 760 - ZyXEL USG FLEX 700 | User Guide - Page 761
wireless mesh links between managed APs to expand the wireless network. Managed APs can provide services or forward traffic between the Zyxel Device and wireless clients. ZyMesh also allows the Zyxel A manged AP can be either a root AP or repeater in a ZyMesh. ZyWALL USG FLEX Series User's Guide 761 - ZyXEL USG FLEX 700 | User Guide - Page 762
root AP) you can have in a ZyMesh varies according to how many wireless clients a managed AP can support. Note: A ZyMesh link with more hops has lower throughput. Note: When the wireless connection between the root the managed AP via an 8-ping Ethernet cable. ZyWALL USG FLEX Series User's Guide 762 - ZyXEL USG FLEX 700 | User Guide - Page 763
screen instructions to update the AP controller's MAC address. Click this to add a new profile. Click this to edit the selected profile. Click this to remove the selected profile. This field is a sequential value, and it is not associated with a specific profile. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 764
the Zyxel Device. • Use the Geo IP screen (Section 39.6.4 on page 771) to update the database of country-to-IP address mappings and to manually configure country-to-IP address mappings. ZyWALL USG FLEX Series User's Guide 764 - ZyXEL USG FLEX 700 | User Guide - Page 765
> Address. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. ZyWALL USG FLEX Series User's Guide 765 - ZyXEL USG FLEX 700 | User Guide - Page 766
's settings are based on one of the Zyxel Device's interfaces, the name of the interface displays first followed by the object's current address settings. ZyWALL USG FLEX Series User's Guide 766 - ZyXEL USG FLEX 700 | User Guide - Page 767
the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents. ZyWALL USG FLEX Series User's Guide 767 - ZyXEL USG FLEX 700 | User Guide - Page 768
field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents. ZyWALL USG FLEX Series User's Guide 768 - ZyXEL USG FLEX 700 | User Guide - Page 769
. # This field is a sequential value, and it is not associated with a specific address group. Name This field displays the name of each address group. ZyWALL USG FLEX Series User's Guide 769 - ZyXEL USG FLEX 700 | User Guide - Page 770
- sensitive. Description This field displays the description of each address group, if any. You can use up to 60 characters, punctuation marks, and spaces. ZyWALL USG FLEX Series User's Guide 770 - ZyXEL USG FLEX 700 | User Guide - Page 771
screen to update the database of country-to-IP and continent-to-IP address mappings and manually configure custom country-to-IP and continent-to-IP address mappings in geographic address objects. You . Click the heading cell again to reverse the sort order. ZyWALL USG FLEX Series User's Guide 771 - ZyXEL USG FLEX 700 | User Guide - Page 772
Chapter 39 Object Figure 505 Configuration > Object > Address/Geo IP > Geo IP ZyWALL USG FLEX Series User's Guide 772 - ZyXEL USG FLEX 700 | User Guide - Page 773
newer. There are logs to show the update status. You need to have a registered Content Filter Service license. Auto Update If you want the Zyxel Device to check weekly for the latest country-to-IP Geography Rules or Custom IPv6 to Geography Rules section. ZyWALL USG FLEX Series User's Guide 773 - ZyXEL USG FLEX 700 | User Guide - Page 774
list of service groups. 39.7.1 What You Need to Know IP Protocols IP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols. ZyWALL USG FLEX Series - ZyXEL USG FLEX 700 | User Guide - Page 775
remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 776
screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 39.7.2 on page 775), and click either the Add icon or an Edit icon. Figure 508 Configuration > Object > Service > Service > Edit ZyWALL USG FLEX Series User's Guide 776 - ZyXEL USG FLEX 700 | User Guide - Page 777
service group, which is used in the WAN_to_Device security policy. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group. Figure 509 Configuration > Object > Service > Service Group ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 778
to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 39.7.3 on page 777), and click either the Add icon or an Edit icon. Figure 510 Configuration > Object > Service > Service Group > Edit ZyWALL USG FLEX Series User's Guide 778 - ZyXEL USG FLEX 700 | User Guide - Page 779
The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not application patrol, and content filtering. The Zyxel Device supports one-time and recurring schedules. One-time schedules USG FLEX Series User's Guide 779 - ZyXEL USG FLEX 700 | User Guide - Page 780
This field displays the time at which the schedule ends. Reference This displays the number of times an object reference is used in a profile. ZyWALL USG FLEX Series User's Guide 780 - ZyXEL USG FLEX 700 | User Guide - Page 781
- 0 - 23 • Minute - 0 - 59 Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 781 - ZyXEL USG FLEX 700 | User Guide - Page 782
schedule is effective. Click OK to save your changes back to the Zyxel Device. Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 782 - ZyXEL USG FLEX 700 | User Guide - Page 783
access this screen, go to the Schedule screen (see), and click either the Add icon or an Edit icon in the Schedule Group section. ZyWALL USG FLEX Series User's Guide 783 - ZyXEL USG FLEX 700 | User Guide - Page 784
to 60 printable ASCII characters. The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important. Select items from the method objects (see Chapter 39 on page 794). ZyWALL USG FLEX Series User's Guide 784 - ZyXEL USG FLEX 700 | User Guide - Page 785
to retrieve information from a directory. A network example is shown next. Figure 516 Example: Directory Service Client and Server The following describes the user authentication procedure via an LDAP/AD server. 1 A included on the ASAS' CD for details. ZyWALL USG FLEX Series User's Guide 785 - ZyXEL USG FLEX 700 | User Guide - Page 786
Know AAA Servers Supported by the Zyxel Device The following lists the types of authentication server the Zyxel Device supports. • Local server. • RADIUS RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users USG FLEX Series User's Guide 786 - ZyXEL USG FLEX 700 | User Guide - Page 787
Zyxel Device can use in authenticating users. Click Configuration > Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. ZyWALL USG FLEX Series User's Guide 787 - ZyXEL USG FLEX 700 | User Guide - Page 788
or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. ZyWALL USG FLEX Series User's Guide 788 - ZyXEL USG FLEX 700 | User Guide - Page 789
the address of the AD or LDAP server. Backup Server Address If the AD or LDAP server has a backup server, enter its address here. ZyWALL USG FLEX Series User's Guide 789 - ZyXEL USG FLEX 700 | User Guide - Page 790
that enable a computer to connect to and communicate with a LAN which allows local computers to find computers on the remote network and vice versa. ZyWALL USG FLEX Series User's Guide 790 - ZyXEL USG FLEX 700 | User Guide - Page 791
or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. ZyWALL USG FLEX Series User's Guide 791 - ZyXEL USG FLEX 700 | User Guide - Page 792
. Backup Authentication Port Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535. ZyWALL USG FLEX Series User's Guide 792 - ZyXEL USG FLEX 700 | User Guide - Page 793
Change of Authorization) or RADIUS Disconnect messages in order to terminate the subscriber's service. Server Address Accounting Port Backup Server Address Backup Accounting Port Key Select this this if you want configure your username as case-sensitive. ZyWALL USG FLEX Series User's Guide 793 - ZyXEL USG FLEX 700 | User Guide - Page 794
Enable Extended Authentication. 3 Select Server Mode and select an authentication method object from the drop-down list box. 4 Click OK to save the settings. ZyWALL USG FLEX Series User's Guide 794 - ZyXEL USG FLEX 700 | User Guide - Page 795
. 39.10.3.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. 1 Click Configuration > Object > Auth. Method. 2 Click Add. ZyWALL USG FLEX Series User's Guide 795 - ZyXEL USG FLEX 700 | User Guide - Page 796
as Zyxel Device authenticates the users using the authentication methods in the order they appear in this screen. # This field displays the index number. ZyWALL USG FLEX Series User's Guide 796 - ZyXEL USG FLEX 700 | User Guide - Page 797
SMS (via mobile phone number) or email address. 39.10.4.1 Overview This section introduces how two-factor authentication works. Figure 526 Two-Factor Authentication ZyWALL USG FLEX Series User's Guide 797 - ZyXEL USG FLEX 700 | User Guide - Page 798
Directory, RADIUS server or local Zyxel Device database • Enable Two-factor Authentication in Object > User/Group > User > Edit > Two-factor Authentication for a specific user ZyWALL USG FLEX Series User's Guide 798 - ZyXEL USG FLEX 700 | User Guide - Page 799
Two-Factor Authentication VPN Access Use this screen to select the users and VPN services that requires two-factor authentication. Go to Configuration > Object > Auth. Method > Two-factor Authentication > VPN Access and configure the following screen as shown. ZyWALL USG FLEX Series User's Guide 799 - ZyXEL USG FLEX 700 | User Guide - Page 800
authorization for the VPN connection. Two-factor Authentication for Services: Select which kinds of VPN tunnels require Two-Factor Authentication. You should have configured the VPN tunnel first. • SSL VPN Access • IPSec VPN Access • L2TP/IPSec VPN Access ZyWALL USG FLEX Series User's Guide 800 - ZyXEL USG FLEX 700 | User Guide - Page 801
Access Use this screen to select the service (Web, SSH, and TELNET) that requires two-factor authentication for the admin user. Go to Configuration > Object > Auth. Method > Two-factor Authentication > Admin Access and configure the following screen as shown. ZyWALL USG FLEX Series User's Guide 801 - ZyXEL USG FLEX 700 | User Guide - Page 802
authorization for logins via the Web Configurator, SSH, or Telnet. Two-factor Authentication for Services: Select which services require Two-Factor Authentication for the admin user. • Web • SSH • TELNET requests and import the CA-signed certificates. ZyWALL USG FLEX Series User's Guide 802 - ZyXEL USG FLEX 700 | User Guide - Page 803
framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure). Advantages of Certificates Certificates offer the following benefits. ZyWALL USG FLEX Series User's Guide 803 - ZyXEL USG FLEX 700 | User Guide - Page 804
certificate. 1 Browse to where you have the certificate saved on your computer. 2 Make sure that the certificate has a ".cer" or ".crt" file name extension. ZyWALL USG FLEX Series User's Guide 804 - ZyXEL USG FLEX 700 | User Guide - Page 805
Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the Zyxel Device's summary list of certificates and certification requests. ZyWALL USG FLEX Series User's Guide 805 - ZyXEL USG FLEX 700 | User Guide - Page 806
this and the following screen will appear. Type the selected certificate's password and save the selected certificate to your computer. Figure 532 Download a Certificate ZyWALL USG FLEX Series User's Guide 806 - ZyXEL USG FLEX 700 | User Guide - Page 807
listed in alphabetical order. This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. ZyWALL USG FLEX Series User's Guide 807 - ZyXEL USG FLEX 700 | User Guide - Page 808
Certificates Add screen. Use this screen to have the Zyxel Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. ZyWALL USG FLEX Series User's Guide 808 - ZyXEL USG FLEX 700 | User Guide - Page 809
city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. ZyWALL USG FLEX Series User's Guide 809 - ZyXEL USG FLEX 700 | User Guide - Page 810
a self-signed certificate Create a certification request and save it locally for later manual enrollment OK Cancel Select DSA to use the Digital Signature Algorithm public-key algorithm. in-depth certificate information and change the certificate's name. ZyWALL USG FLEX Series User's Guide 810 - ZyXEL USG FLEX 700 | User Guide - Page 811
displays "Not trusted" in this field if any certificate on the path has expired or been revoked. Click Refresh to display the certification path. ZyWALL USG FLEX Series User's Guide 811 - ZyXEL USG FLEX 700 | User Guide - Page 812
that the Zyxel Device calculated using the MD5 algorithm. This is the certificate's message digest that the Zyxel Device calculated using the SHA1 algorithm. ZyWALL USG FLEX Series User's Guide 812 - ZyXEL USG FLEX 700 | User Guide - Page 813
editor and save the file on a management computer for later manual enrollment. Export Certificate Only Password Export Certificate with Private Key open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to ZyWALL USG FLEX Series User's Guide 813 - ZyXEL USG FLEX 700 | User Guide - Page 814
to open a screen that shows which settings use the entry. # This field displays the certificate index number. The certificates are listed in alphabetical order. ZyWALL USG FLEX Series User's Guide 814 - ZyXEL USG FLEX 700 | User Guide - Page 815
whether or not you want the Zyxel Device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority. ZyWALL USG FLEX Series User's Guide 815 - ZyXEL USG FLEX 700 | User Guide - Page 816
Chapter 39 Object Figure 538 Configuration > Object > Certificate > Trusted Certificates > Edit ZyWALL USG FLEX Series User's Guide 816 - ZyXEL USG FLEX 700 | User Guide - Page 817
, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field. ZyWALL USG FLEX Series User's Guide 817 - ZyXEL USG FLEX 700 | User Guide - Page 818
> Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the Zyxel Device. Note: You must remove any spaces from the certificate's filename before you can import the certificate. ZyWALL USG FLEX Series User's Guide 818 - ZyXEL USG FLEX 700 | User Guide - Page 819
" or "unknown" response. 39.12 ISP Account Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP/L2TP interfaces. An ISP account is a profile access this screen, click Configuration > Object > ISP Account. ZyWALL USG FLEX Series User's Guide 819 - ZyXEL USG FLEX 700 | User Guide - Page 820
. (See Section 39.12.1 on page 819.) Then, click on an Add icon or Edit icon to open the ISP Account Edit screen below. ZyWALL USG FLEX Series User's Guide 820 - ZyXEL USG FLEX 700 | User Guide - Page 821
40-bit MPPE. User Name mppe-128 - This ISP account uses 128-bit MMPE. Type the user name given to you by your ISP. ZyWALL USG FLEX Series User's Guide 821 - ZyXEL USG FLEX 700 | User Guide - Page 822
blank. If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be DHCPv6 > Request. Figure 542 Configuration > Object > DHCPv6 > Request ZyWALL USG FLEX Series User's Guide 822 - ZyXEL USG FLEX 700 | User Guide - Page 823
object. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 823 - ZyXEL USG FLEX 700 | User Guide - Page 824
screen (see Section 39.13.2 on page 824), and click either the Add icon or an Edit icon. Figure 545 Configuration > DHCPv6 > Lease > Add ZyWALL USG FLEX Series User's Guide 824 - ZyXEL USG FLEX 700 | User Guide - Page 825
selected. OK Click OK to save your changes back to the Zyxel Device. Cancel Click Cancel to exit this screen without saving your changes. ZyWALL USG FLEX Series User's Guide 825 - ZyXEL USG FLEX 700 | User Guide - Page 826
license status and details on the active and passive Zyxel Devices. Go to Configuration > Device HA > Device HA Status to view the following screen. ZyWALL USG FLEX Series User's Guide 826 - ZyXEL USG FLEX 700 | User Guide - Page 827
on the passive Zyxel Device. It doesn't matter which Zyxel Device is actually active or passive as this is dynamic in Device HA Pro. ZyWALL USG FLEX Series User's Guide 827 - ZyXEL USG FLEX 700 | User Guide - Page 828
dedicated link that is used for heartbeat control, configuration synchronization and troubleshooting. All links on Zyxel Device B are down except for the is down. • A monitored service (daemon) is down. • The heartbeat link exceeds the failure tolerance. ZyWALL USG FLEX Series User's Guide 828 - ZyXEL USG FLEX 700 | User Guide - Page 829
a Device HA Pro license at myZyxel. Check that it's properly licensed in Licensing > Registration > Service in the active Zyxel Device. 2 Make sure the passive Zyxel Device is offline, then enable Device HA > Device HA Pro and configure the following screen. ZyWALL USG FLEX Series User's Guide 829 - ZyXEL USG FLEX 700 | User Guide - Page 830
: The active and passive Zyxel Device Management IP addresses must be in the same subnet. Type the subnet mask for the management IP addresses. ZyWALL USG FLEX Series User's Guide 830 - ZyXEL USG FLEX 700 | User Guide - Page 831
a monitored interface fails. Enable Failover When Device Service Fails (Option) Select this to have the passive Zyxel Device take over when a monitored service daemon on the active Zyxel Device fails. Apply HA > View Log to display the following screen. ZyWALL USG FLEX Series User's Guide 831 - ZyXEL USG FLEX 700 | User Guide - Page 832
Zyxel Device. Passive Device This displays Device HA Pro logs on the passive Zyxel Device. Refresh Click Refresh to update information in this screen. ZyWALL USG FLEX Series User's Guide 832 - ZyXEL USG FLEX 700 | User Guide - Page 833
commands to ZyWALL/USG devices for management and monitoring; these devices must have firmware that supports the TR-069 protocol. In the following figure, SP is the management service provider, while A and B are sites with devices being managed by SP. ZyWALL USG FLEX Series User's Guide 833 - ZyXEL USG FLEX 700 | User Guide - Page 834
the Cloud CNM SecuManager server. You must configure Configuration > Cloud CNM > SecuManager to allow the Zyxel Device to find the Cloud CNM SecuManager server. ZyWALL USG FLEX Series User's Guide 834 - ZyXEL USG FLEX 700 | User Guide - Page 835
in a private network, or if the VM server is behind a NAT router. You then need to manually enter the VM server URL into the Zyxel Device. Enter the IPv4 IP address of the Cloud CNM SecuManager Cloud CNM SecuManager server of its presence at regular intervals. ZyWALL USG FLEX Series User's Guide 835 - ZyXEL USG FLEX 700 | User Guide - Page 836
return the screen to its last-saved settings. Note: See the Cloud CNM SecuManager User's Guide for more information on Cloud CNM SecuManager. 41.3 Cloud CNM SecuReporter Cloud CNM SecuReporter is also get notifications sent to an app on your mobile phone. ZyWALL USG FLEX Series User's Guide 836 - ZyXEL USG FLEX 700 | User Guide - Page 837
CNM SecuReporter Application Scenario How to activate and enable SecuReporter 1 Does Service Status displays Activated in the Configuration > Cloud CNM > SecuReporter > Licensing > Registration > Service after you activate the SecuReporter license at myZyxel. ZyWALL USG FLEX Series User's Guide 837 - ZyXEL USG FLEX 700 | User Guide - Page 838
Chapter 41 Cloud CNM Figure 554 Configuration > Licensing > Registration > Service 2 After the SecuReporter license is activated, go back to the Configuration > Cloud CNM > hasn't been enabled before. 2 The Zyxel Device is not added to an organization yet. ZyWALL USG FLEX Series User's Guide 838 - ZyXEL USG FLEX 700 | User Guide - Page 839
names, will be identifiable in downloaded logs. Figure 556 SecuReporter Banner Settings Click Configuration > Cloud CNM > SecuReporter to open the following screen. Figure 557 ZyWALL USG FLEX Series User's Guide 839 - ZyXEL USG FLEX 700 | User Guide - Page 840
This field is blank when the service is not activated. Expiration Date This field displays the date your service expires. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 840 - ZyXEL USG FLEX 700 | User Guide - Page 841
the Notification > SMS screen (Section 42.14 on page 892) to turn on the SMS service on the Zyxel Device in order to send dynamic guest account information in text messages and authorization for when access to a website is restricted due to a security service. ZyWALL USG FLEX Series User's Guide 841 - ZyXEL USG FLEX 700 | User Guide - Page 842
screens. • Use the System > IPv6 screen (see Section 42.17 on page 896) to enable or disable IPv6 support on the Zyxel Device. • Use the System > ZON screen (see Section 42.18 on page 896) to enable turn on this feature and set a disk full warning limit. ZyWALL USG FLEX Series User's Guide 842 - ZyXEL USG FLEX 700 | User Guide - Page 843
Configuration > System > USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device(s). manually set the Zyxel Device's time and date or have the Zyxel Device get the date and time from a time server. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 844
the new time and date you entered. When you enter the time settings manually, the Zyxel Device uses the new setting once you click Apply. New manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. ZyWALL USG FLEX Series User's Guide 844 - ZyXEL USG FLEX 700 | User Guide - Page 845
displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time 's time zone is one hour ahead of GMT or UTC (GMT+1). ZyWALL USG FLEX Series User's Guide 845 - ZyXEL USG FLEX 700 | User Guide - Page 846
is successful. If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen. To manually set the Zyxel Device date and time. 1 Click System > Date/Time. 2 Select Manual under Time and Date Setup. ZyWALL USG FLEX Series User's Guide 846 - ZyXEL USG FLEX 700 | User Guide - Page 847
the console port using a terminal emulation program. Click Configuration > System > Console Speed to open the Console Speed screen. Figure 563 Configuration > System > Console Speed ZyWALL USG FLEX Series User's Guide 847 - ZyXEL USG FLEX 700 | User Guide - Page 848
supports addresses, manually enter Service (DDoS) attack that uses publicly accessible open DNS servers to flood a victim with DNS response traffic. An open DNS server is a DNS server which is willing to resolve recursive DNS queries from anyone on the Internet. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 849
the Zyxel Device is being used (either by hackers or by a corrupted open DNS server) in a DNS amplification attack. Figure 564 Configuration > System > DNS ZyWALL USG FLEX Series User's Guide 849 - ZyXEL USG FLEX 700 | User Guide - Page 850
uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records. ZyWALL USG FLEX Series User's Guide 850 - ZyXEL USG FLEX 700 | User Guide - Page 851
Priority Name Address Additional Info from Cache Query Recursion Service Control Add Edit Remove Move A "*" means all domain assigned by the ISP dynamically through a specified interface or configured manually (User-Defined). This is the IP address of a DNS server USG FLEX Series User's Guide 851 - ZyXEL USG FLEX 700 | User Guide - Page 852
369 Configuration > System > DNS (continued) LABEL DESCRIPTION # This the index number of the service control rule. The ordering of your rules is important as rules are applied in sequence. Zone 565 Configuration > System > DNS > Address/PTR Record Edit ZyWALL USG FLEX Series User's Guide 852 - ZyXEL USG FLEX 700 | User Guide - Page 853
Record table to add a record. Use "*." as a prefix for a wildcard domain name. For example *.zyxel.com. Figure 566 Configuration > System > DNS > CNAME Record > Add ZyWALL USG FLEX Series User's Guide 853 - ZyXEL USG FLEX 700 | User Guide - Page 854
the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 567 Configuration > System > DNS > Domain Zone Forwarder Add ZyWALL USG FLEX Series User's Guide 854 - ZyXEL USG FLEX 700 | User Guide - Page 855
Adding a MX Record Click the Add icon in the MX Record table to add a MX record. Figure 568 Configuration > System > DNS > MX Record Add ZyWALL USG FLEX Series User's Guide 855 - ZyXEL USG FLEX 700 | User Guide - Page 856
to change allow or deny actions for Query Recursion and Additional Info from Cache. Figure 569 Configuration > System > DNS > Security Option Control Edit (Customize) ZyWALL USG FLEX Series User's Guide 856 - ZyXEL USG FLEX 700 | User Guide - Page 857
42.6.14 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 570 Configuration > System > DNS > Service Control Rule Add The following a DNS query to the Zyxel Device is allowed or denied. ZyWALL USG FLEX Series User's Guide 857 - ZyXEL USG FLEX 700 | User Guide - Page 858
client IP address (the Zyxel Device disallows the session). 3 The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. 4 There is a Configurator access and from which IP address the access can come. ZyWALL USG FLEX Series User's Guide 858 - ZyXEL USG FLEX 700 | User Guide - Page 859
or HTTPS. You can also specify which IP addresses the access can come from. Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the Zyxel Device (logging into SSL VPN for example). ZyWALL USG FLEX Series User's Guide 859 - ZyXEL USG FLEX 700 | User Guide - Page 860
Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the Zyxel Device Web Configurator using secure HTTPs connections. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 861
the IP addresses from which the administrators can manage the Zyxel Device. Add Edit Remove Move # User Service Control specifies from which zones a user can use HTTPS to log into the Zyxel Device (to log Add to create a new entry after the selected entry. ZyWALL USG FLEX Series User's Guide 861 - ZyXEL USG FLEX 700 | User Guide - Page 862
return the screen to its last-saved settings. 42.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 573 Configuration > System > Service Control Rule > Edit ZyWALL USG FLEX Series User's Guide 862 - ZyXEL USG FLEX 700 | User Guide - Page 863
. Select ALL to allow or deny any computer to communicate with the Zyxel Device using this service. Zone Select a predefined address object to just allow or deny the computer with the IP into the Web Configurator to access network services like the Internet. ZyWALL USG FLEX Series User's Guide 863 - ZyXEL USG FLEX 700 | User Guide - Page 864
Chapter 42 System Figure 574 Configuration > System > WWW > Login Page (Desktop View) ZyWALL USG FLEX Series User's Guide 864 - ZyXEL USG FLEX 700 | User Guide - Page 865
Chapter 42 System Figure 575 Configuration > System > WWW > Login Page (Mobile View) The following figures identify the parts you can customize in the login and access pages. ZyWALL USG FLEX Series User's Guide 865 - ZyXEL USG FLEX 700 | User Guide - Page 866
of the following ways: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. ZyWALL USG FLEX Series User's Guide 866 - ZyXEL USG FLEX 700 | User Guide - Page 867
If your desired color does not display, your browser may not support it. Try selecting another color. The following table describes the an access user logs into the Web Configurator to access network services like the Internet. Enter the title for the top of ZyWALL USG FLEX Series User's Guide 867 - ZyXEL USG FLEX 700 | User Guide - Page 868
Device. Select I Understand the Risks and then click Add Exception to add the Zyxel Device to the security exception list. Click Confirm Security Exception. ZyWALL USG FLEX Series User's Guide 868 - ZyXEL USG FLEX 700 | User Guide - Page 869
you accept the certificate, the Zyxel Device login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. ZyWALL USG FLEX Series User's Guide 869 - ZyXEL USG FLEX 700 | User Guide - Page 870
install the personal certificate(s). 42.7.7.5.1 Installing the CA's Certificate 1 Double click the CA's trusted certificate to produce a screen similar to the one shown next. ZyWALL USG FLEX Series User's Guide 870 - ZyXEL USG FLEX 700 | User Guide - Page 871
the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard. ZyWALL USG FLEX Series User's Guide 871 - ZyXEL USG FLEX 700 | User Guide - Page 872
. Click Browse if you wish to import a different certificate. Figure 585 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. ZyWALL USG FLEX Series User's Guide 872 - ZyXEL USG FLEX 700 | User Guide - Page 873
the following store and choose a different location. Figure 587 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. ZyWALL USG FLEX Series User's Guide 873 - ZyXEL USG FLEX 700 | User Guide - Page 874
to select a personal certificate to send to the Zyxel Device. This screen displays even if you only have a single certificate as in the example. ZyWALL USG FLEX Series User's Guide 874 - ZyXEL USG FLEX 700 | User Guide - Page 875
. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the Zyxel Device for a management session. ZyWALL USG FLEX Series User's Guide 875 - ZyXEL USG FLEX 700 | User Guide - Page 876
default services allowed in the WAN_to_Device security policy. Figure 593 SSH Communication Over the WAN Example 42.8.1 SSH Implementation on the Zyxel Device Your Zyxel Device supports SSH version the access can come. Figure 594 Configuration > System > SSH ZyWALL USG FLEX Series User's Guide 876 - ZyXEL USG FLEX 700 | User Guide - Page 877
. Reset Click Reset to return the screen to its last-saved settings. 42.8.4 Service Control Rules Click the Add or Edit icon in the Service Control table to add a service control rule. Figure 595 Configuration > System > SSH > Service Control Rule Add/Edit ZyWALL USG FLEX Series User's Guide 877 - ZyXEL USG FLEX 700 | User Guide - Page 878
predefined Zyxel Device zone on which a incoming service is allowed or denied. Select Accept to guide. 1 Launch the SSH client and configure the SSH client to use SSH version 2. 2 Specify the connection information (IP address, port number) for the Zyxel Device. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 879
the access can come. Note: To allow a Telnet connection to the Zyxel Device, add Telnet in the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group which defines the default services allowed in the WAN_to_Device security policy. ZyWALL USG FLEX Series User's Guide 879 - ZyXEL USG FLEX 700 | User Guide - Page 880
and press [ENTER] to move the rule to the number that you typed. This the index number of the service control rule. Zone Address Action Apply Reset The entry with a hyphen (-) instead of a number is the Zyxel to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 880 - ZyXEL USG FLEX 700 | User Guide - Page 881
zones from being accessed using Telnet. Action Select a predefined Zyxel Device zone on which a incoming service is allowed or denied. Select Accept to allow the user to access the Zyxel Device from the specify from which IP addresses the access can come. ZyWALL USG FLEX Series User's Guide 881 - ZyXEL USG FLEX 700 | User Guide - Page 882
and press [ENTER] to move the rule to the number that you typed. This the index number of the service control rule. Zone Address Action The entry with a hyphen (-) instead of a number is the Zyxel Device's in the Zone field (Accept) or not (Deny). ZyWALL USG FLEX Series User's Guide 882 - ZyXEL USG FLEX 700 | User Guide - Page 883
Select a predefined Zyxel Device zone on which a incoming service is allowed or denied. Select Accept to allow the user supports SNMP version one (SNMPv1), version two (SNMPv2c) and version 3 (SNMPv3). The next figure illustrates an SNMP management operation. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 884
SNMPv3 enhances security for SNMP management using authentication and encryption. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions. ZyWALL USG FLEX Series User's Guide 884 - ZyXEL USG FLEX 700 | User Guide - Page 885
intended recipients can read them. 42.11.2 Supported MIBs The Zyxel Device supports MIB II that is defined in RFC-1213 and RFC-1215. The Zyxel Device also supports private MIBs (zywall.mib and zyxel-zywall- specify from which IP addresses the access can come. ZyWALL USG FLEX Series User's Guide 885 - ZyXEL USG FLEX 700 | User Guide - Page 886
matches the IP address(es) in the Service Control table to access the Zyxel Device using this service. Server Port You may change the server port number for a service if needed, however you must use will display if your login password has fewer characters. ZyWALL USG FLEX Series User's Guide 886 - ZyXEL USG FLEX 700 | User Guide - Page 887
key. AES applies a 128-bit key to 128-bit blocks of data. This displays the access rights to MIBs. Service Control Add Edit Remove Move # • Read-Write - The associated user can create and edit the MIBs on the screen to create accounts on the SNMP v3 manager. ZyWALL USG FLEX Series User's Guide 887 - ZyXEL USG FLEX 700 | User Guide - Page 888
the changes. Click Cancel to begin configuring this screen afresh. 42.11.6 Service Control Rules Click the Add or Edit icon in the Service Control table to add a service control rule. Figure 603 Configuration > System > SNMP > Service Control Rule Add/Edit ZyWALL USG FLEX Series User's Guide 888 - ZyXEL USG FLEX 700 | User Guide - Page 889
zones from being accessed using SNMP. Action Select a predefined Zyxel Device zone on which a incoming service is allowed or denied. Select Accept to allow the user to access the Zyxel Device from address. Figure 604 Configuration > System > Auth. Server ZyWALL USG FLEX Series User's Guide 889 - ZyXEL USG FLEX 700 | User Guide - Page 890
display the following screen. Use this screen to create a new entry or edit an existing one. Figure 605 Configuration > System > Auth. Server > Add/Edit ZyWALL USG FLEX Series User's Guide 890 - ZyXEL USG FLEX 700 | User Guide - Page 891
to configure what reports to send and to whom. Click Configuration > System > Notification to display the Mail Server screen. Figure 606 Configuration > System > Notification ZyWALL USG FLEX Series User's Guide 891 - ZyXEL USG FLEX 700 | User Guide - Page 892
return the screen to its last-saved settings. 42.14 Notification > SMS The Zyxel Device supports Short Message Service (SMS) to send short text messages to mobile phone devices. Click Configuration > System > Notification > SMS to open the following screen. ZyWALL USG FLEX Series User's Guide 892 - ZyXEL USG FLEX 700 | User Guide - Page 893
up to 252 characters. Select auto append to "Mail to" to add the domain name of your SMS service provider after the mobile phone number in the Mail To field. Type the subject line of up to 128 Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 893 - ZyXEL USG FLEX 700 | User Guide - Page 894
of the screen to create a message to display when access to a website is blocked due to a security service. Edit Double-click an entry or select it and click Edit to be able to modify the entry's settings. , click Upload to send the file to the Zyxel Device. ZyWALL USG FLEX Series User's Guide 894 - ZyXEL USG FLEX 700 | User Guide - Page 895
. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 895 - ZyXEL USG FLEX 700 | User Guide - Page 896
Configuration > System > IPv6 to open the following screen. Use this screen to enable IPv6 support for the Zyxel Device's Web Configurator screens. Figure 610 Configuration > System > IPv6 The following please make sure it meets the requirements listed below. ZyWALL USG FLEX Series User's Guide 896 - ZyXEL USG FLEX 700 | User Guide - Page 897
-click the ZON Utility to run it. 2 The first time you run the ZON Utility you will see if your Zyxel Device and firmware version support the ZON Utility. Click the OK button to close this screen. ZyWALL USG FLEX Series User's Guide 897 - ZyXEL USG FLEX 700 | User Guide - Page 898
your device is not listed here, see the device release notes for ZON utility support. The release notes are in the firmware zip file on the Zyxel web site. Figure 612 ZON Utility Screen 3 Select a network adapter to which your supported devices are connected. ZyWALL USG FLEX Series User's Guide 898 - ZyXEL USG FLEX 700 | User Guide - Page 899
Adapter Chapter 42 System 4 Click the Go button for the ZON Utility to discover all supported devices in your network. Figure 614 Discovery 5 The ZON Utility screen shows the devices . 2 Renew IP Address Update a DHCP-assigned dynamic IP address. ZyWALL USG FLEX Series User's Guide 899 - ZyXEL USG FLEX 700 | User Guide - Page 900
when troubleshooting supports the Nebula Control Center (NCC) discovery feature. If it's enabled, the selected device will try to connect to the NCC. Once the selected device is connected to and has registered in the NCC, it'll go into the cloud management mode. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 901
. Apply Click Apply to save your changes back to the Zyxel Device. Reset Click Reset to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 901 - ZyXEL USG FLEX 700 | User Guide - Page 902
> Log & Report > Email Daily Report to display the following screen. Configure this screen to have the Zyxel Device email you system statistics every day. ZyWALL USG FLEX Series User's Guide 902 - ZyXEL USG FLEX 700 | User Guide - Page 903
Daily Select this to send reports by email every day. Report Mail Subject Type the subject line for outgoing email from the Zyxel Device. ZyWALL USG FLEX Series User's Guide 903 - ZyXEL USG FLEX 700 | User Guide - Page 904
System Resource Usage, Wireless Report, Security Service, Interface Traffic Statistics and DHCP Table. system errors and attacks. The Zyxel Device provides a system log and supports email profiles and remote syslog servers. View the system log in Log Setting. ZyWALL USG FLEX Series User's Guide 904 - ZyXEL USG FLEX 700 | User Guide - Page 905
includes the email profiles). Go to the Log Settings Summary screen (see Section 43.3.1 on page 904), and click the system log Edit icon. ZyWALL USG FLEX Series User's Guide 905 - ZyXEL USG FLEX 700 | User Guide - Page 906
Chapter 43 Log and Report Figure 619 Configuration > Log & Report > Log Setting > Edit (System Log - E-mail Servers) Figure 620 Configuration > Log & Report > Log Setting > Edit (System Log ) ZyWALL USG FLEX Series User's Guide 906 - ZyXEL USG FLEX 700 | User Guide - Page 907
) - create log messages, alerts, and debugging information for all categories. The Zyxel Device does not email debugging information, even if this setting is selected. ZyWALL USG FLEX Series User's Guide 907 - ZyXEL USG FLEX 700 | User Guide - Page 908
. Click this to save your changes and return to the previous screen. Click this to return to the previous screen without saving your changes. ZyWALL USG FLEX Series User's Guide 908 - ZyXEL USG FLEX 700 | User Guide - Page 909
categories. enable normal logs and debug logs (yellow check mark) - send the remote server log messages, alerts, and debugging information for all log categories. ZyWALL USG FLEX Series User's Guide 909 - ZyXEL USG FLEX 700 | User Guide - Page 910
screen (see Section 43.3.1 on page 904), and click a remote server Edit icon. Figure 623 Configuration > Log & Report > Log Setting > Edit (Remote Server - AC) ZyWALL USG FLEX Series User's Guide 910 - ZyXEL USG FLEX 700 | User Guide - Page 911
server name or the IP address of the syslog server to which to send log information. Type the service port number used by the remote server. Select a log facility. The log facility allows you to log return to the previous screen without saving your changes. ZyWALL USG FLEX Series User's Guide 911 - ZyXEL USG FLEX 700 | User Guide - Page 912
alert. Please see Section 43.3.2 on page 905, where this process is discussed. (The Default category includes debugging messages generated by open source software.) ZyWALL USG FLEX Series User's Guide 912 - ZyXEL USG FLEX 700 | User Guide - Page 913
log messages, alerts, and debugging information from this category; the Zyxel Device does not email debugging information, however, even if this setting is selected. ZyWALL USG FLEX Series User's Guide 913 - ZyXEL USG FLEX 700 | User Guide - Page 914
Click this to save your changes and return to the previous screen. Click this to return to the previous screen without saving your changes. ZyWALL USG FLEX Series User's Guide 914 - ZyXEL USG FLEX 700 | User Guide - Page 915
file does not include. When you run a shell script, the Zyxel Device only applies the commands that it contains. Other settings do not change. ZyWALL USG FLEX Series User's Guide 915 - ZyXEL USG FLEX 700 | User Guide - Page 916
which is also identical to the way you run CLI commands manually. An example is shown below. Figure 626 Configuration File / # enable Telnet access (not enabled by default, unlike other services) ip telnet server # open WAN-to-ZyWALL firewall for mode. ZyWALL USG FLEX Series User's Guide 916 - ZyXEL USG FLEX 700 | User Guide - Page 917
the automatic backup when a secure policy is added or changed. Select a configuration file, then click Apply to apply the file to the Zyxel Device . ZyWALL USG FLEX Series User's Guide 917 - ZyXEL USG FLEX 700 | User Guide - Page 918
for any errors. Figure 627 Maintenance > File Manager > Configuration File Do not turn off the Zyxel Device while configuration file upload is in progress. ZyWALL USG FLEX Series User's Guide 918 - ZyXEL USG FLEX 700 | User Guide - Page 919
select it and click Remove to delete it from the Zyxel Device. You can only delete manually saved configuration files. You cannot delete the systemdefault.conf, startup-config.conf and lastgood.conf files without saving a duplicate of the configuration file. ZyWALL USG FLEX Series User's Guide 919 - ZyXEL USG FLEX 700 | User Guide - Page 920
the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration. ZyWALL USG FLEX Series User's Guide 920 - ZyXEL USG FLEX 700 | User Guide - Page 921
Device configuration file according to a schedule, and then send it to the configured email addresses. Figure 631 Maintenance > File Manager > Configuration File> Schedule Backup ZyWALL USG FLEX Series User's Guide 921 - ZyXEL USG FLEX 700 | User Guide - Page 922
need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the be decompressed option while you download the firmware package. ZyWALL USG FLEX Series User's Guide 922 - ZyXEL USG FLEX 700 | User Guide - Page 923
firmware notifications is free when you register your Zyxel Device. The license does not expire if you have firmware version 4.32 patch 1 and later. ZyWALL USG FLEX Series User's Guide 923 - ZyXEL USG FLEX 700 | User Guide - Page 924
standby firmware. If you haven't registered the Zyxel Device, a message will appear and remind you to register it. Also, Upgrade Now is grayed out. ZyWALL USG FLEX Series User's Guide 924 - ZyXEL USG FLEX 700 | User Guide - Page 925
you want to reboot the Zyxel Device. 44.3.2 The Firmware Management Screen Click Maintenance > File Manager > Firmware Management to open the Firmware Management screen. ZyWALL USG FLEX Series User's Guide 925 - ZyXEL USG FLEX 700 | User Guide - Page 926
is running on. This is the firmware version and the date created. This is the date that the version of the firmware was created. ZyWALL USG FLEX Series User's Guide 926 - ZyXEL USG FLEX 700 | User Guide - Page 927
your network is not busy for minimal interruption. Daily Weekly Auto Reboot Firmware Upgrade Service Status Service Status Note: You cannot enable Auto Update in File Manager > Firmware Management and check your new firmware version in the Dashboard screen. ZyWALL USG FLEX Series User's Guide 927 - ZyXEL USG FLEX 700 | User Guide - Page 928
will revert (failover) to the previously running firmware. If the startup-config.conf configuration file has problems and you are upgrading to earlier than 4.25 firmware, then the Zyxel Device uses the new earlier files on the Zyxel Device at the same time. ZyWALL USG FLEX Series User's Guide 928 - ZyXEL USG FLEX 700 | User Guide - Page 929
without deleting the shell script file. Click a shell script file's row to select it and click Download to save the configuration to your computer. ZyWALL USG FLEX Series User's Guide 929 - ZyXEL USG FLEX 700 | User Guide - Page 930
... to find the .zysh file you want to upload. Click Upload to begin the upload process. This process may take up to several minutes. ZyWALL USG FLEX Series User's Guide 930 - ZyXEL USG FLEX 700 | User Guide - Page 931
provide it to customer support during troubleshooting. • Use the supports Unicode, such as Notepad to create a script. Each command in a script must be on its own line and the file must end with an empty line. The script must be saved in Unicode format (UTF-8). ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 932
support may request the bz2 file for troubleshooting. 45.2.2 The Diagnostics Controller Screen Click Maintenance > Diagnostics > Controller to open the following screen. When you click Collect Now, a series of commands are run to display information about the Zyxel Device. ZyWALL USG FLEX Series - ZyXEL USG FLEX 700 | User Guide - Page 933
to generate information about configuration and diagnostics of managed APs. See Section 45.2.1 on page 931 for more information on scripts. Upload Shell Script ZyWALL USG FLEX Series User's Guide 933 - ZyXEL USG FLEX 700 | User Guide - Page 934
a file containing the selected managed AP's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Click Maintenance > Diagnostics > Collect on AP to open the Collect on AP screen. ZyWALL USG FLEX Series User's Guide 934 - ZyXEL USG FLEX 700 | User Guide - Page 935
button to remove them. Select this to have the Zyxel Device create an extra copy of the diagnostic file to a connected USB storage device. ZyWALL USG FLEX Series User's Guide 935 - ZyXEL USG FLEX 700 | User Guide - Page 936
Zyxel Device has collected and stored on the Zyxel Device or in a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 641 Maintenance > Diagnostics > Files ZyWALL USG FLEX Series User's Guide 936 - ZyXEL USG FLEX 700 | User Guide - Page 937
captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. ZyWALL USG FLEX Series User's Guide 937 - ZyXEL USG FLEX 700 | User Guide - Page 938
for which to capture packets. Select any to capture packets for all hosts. Select User Defined to be able to enter an IP address. ZyWALL USG FLEX Series User's Guide 938 - ZyXEL USG FLEX 700 | User Guide - Page 939
this. Status: Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the mount it. none - no USB storage device is connected. service deactivated - USB storage feature is disabled (in Configuration > System USG FLEX Series User's Guide 939 - ZyXEL USG FLEX 700 | User Guide - Page 940
help you identify network problems. Click Maintenance > Diagnostics > Packet Capture > Capture on AP to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field's setting to avoid this. ZyWALL USG FLEX Series User's Guide 940 - ZyXEL USG FLEX 700 | User Guide - Page 941
's interface(s). This shows File Receiving when the Zyxel Device starts to receive capture files from the AP's interface(s) after you press the Stop button. ZyWALL USG FLEX Series User's Guide 941 - ZyXEL USG FLEX 700 | User Guide - Page 942
on the Zyxel Device. The available storage size is displayed as well. Note: The Zyxel Device reserves some on board storage space as a buffer. ZyWALL USG FLEX Series User's Guide 942 - ZyXEL USG FLEX 700 | User Guide - Page 943
this. Status: Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason mount it. none - no USB storage device is connected. service deactivated - USB storage feature is disabled (in Configuration > System USG FLEX Series User's Guide 943 - ZyXEL USG FLEX 700 | User Guide - Page 944
to open the CPU/Memory Status screen. Use this screen to view the CPU and memory performance of various applications on the Zyxel Device. ZyWALL USG FLEX Series User's Guide 944 - ZyXEL USG FLEX 700 | User Guide - Page 945
is using. This field displays the current percentage of memory utilization. # This field is a sequential value, and it is not associated with any entry. ZyWALL USG FLEX Series User's Guide 945 - ZyXEL USG FLEX 700 | User Guide - Page 946
were saved. 45.6 The Network Tool Screen Use this screen to perform various network tests. Click Maintenance > Diagnostics > Network Tool to display this screen. ZyWALL USG FLEX Series User's Guide 946 - ZyXEL USG FLEX 700 | User Guide - Page 947
Chapter 45 Diagnostics Figure 647 Maintenance > Diagnostics > Network Tool Figure 648 Maintenance > Diagnostics > Network Tool - Test Email Server ZyWALL USG FLEX Series User's Guide 947 - ZyXEL USG FLEX 700 | User Guide - Page 948
button to start the test. Click this button to stop the test. Click this button to return the screen to its last-saved settings. ZyWALL USG FLEX Series User's Guide 948 - ZyXEL USG FLEX 700 | User Guide - Page 949
Use this screen to configure a traceroute to identify where packets are dropped for troubleshooting. Figure 649 Maintenance > Diagnostics > Routing Traces The following table describes the active session applies. This field displays traceroute information. ZyWALL USG FLEX Series User's Guide 949 - ZyXEL USG FLEX 700 | User Guide - Page 950
interfaces connected to your Zyxel Device. Studying these frame captures may help you identify network problems. Click Maintenance > Diagnostics > Wireless Frame Capture to display this screen. Note: the capture file when either the file reaches this size. ZyWALL USG FLEX Series User's Guide 950 - ZyXEL USG FLEX 700 | User Guide - Page 951
column displays the size (in bytes) of a configuration file. Last Modified This column displays the date and time that the individual files were saved. ZyWALL USG FLEX Series User's Guide 951 - ZyXEL USG FLEX 700 | User Guide - Page 952
settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot any related problems. 46.1.1 What You Can Do in this Chapter • Use the Routing Status screen (see action and does not perform any further flow checking. ZyWALL USG FLEX Series User's Guide 952 - ZyXEL USG FLEX 700 | User Guide - Page 953
Explore > Routing Status (Dynamic VPN) Figure 654 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 655 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) ZyWALL USG FLEX Series User's Guide 953 - ZyXEL USG FLEX 700 | User Guide - Page 954
(Static-Dynamic Route) Figure 658 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 659 Maintenance > Packet Flow Explore > Routing Status (Main Route) ZyWALL USG FLEX Series User's Guide 954 - ZyXEL USG FLEX 700 | User Guide - Page 955
the destination IP address(es) to which the packets are transmitted. Service This is the name of the service object. any means all services. Source Port This is the source port(s) from which the packets . Source Port This is the source port number. ZyWALL USG FLEX Series User's Guide 955 - ZyXEL USG FLEX 700 | User Guide - Page 956
Device takes the corresponding action and does not perform any further flow checking. Figure 660 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT) ZyWALL USG FLEX Series User's Guide 956 - ZyXEL USG FLEX 700 | User Guide - Page 957
if you click Policy Route SNAT in the SNAT Flow section. # This field is a sequential value, and it is not associated with any entry. ZyWALL USG FLEX Series User's Guide 957 - ZyXEL USG FLEX 700 | User Guide - Page 958
Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. ZyWALL USG FLEX Series User's Guide 958 - ZyXEL USG FLEX 700 | User Guide - Page 959
storage and stops the system processes. 47.2 The Shutdown / Reboot Screen To access this screen, click Maintenance > Shutdown/Reboot. Figure 664 Maintenance > Shutdown/ Reboot ZyWALL USG FLEX Series User's Guide 959 - ZyXEL USG FLEX 700 | User Guide - Page 960
the Shutdown button to shut down the Zyxel Device. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. Reboot Click Reboot to reboot use the CLI command shutdown to close down the Zyxel Device. ZyWALL USG FLEX Series User's Guide 960 - ZyXEL USG FLEX 700 | User Guide - Page 961
Chapter 47 Shutdown ZyWALL USG FLEX Series User's Guide 961 - ZyXEL USG FLEX 700 | User Guide - Page 962
PART III Appendices and Troubleshooting 962 - ZyXEL USG FLEX 700 | User Guide - Page 963
CHAPTER 48 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. • You can also refer to the logs (see Section 6.38 on page 190). • For sure that you enter the correct settings. Use the same case as provided by your ISP. ZyWALL USG FLEX Series User's Guide 963 - ZyXEL USG FLEX 700 | User Guide - Page 964
48 Troubleshooting I cannot update the anti-malware/IDP/application patrol/URL Threat filter/IP reputation signatures. • Make sure your Zyxel Device has the anti-malware/IDP/application patrol service registered other routes that the traffic would also match. ZyWALL USG FLEX Series User's Guide 964 - ZyXEL USG FLEX 700 | User Guide - Page 965
Chapter 48 Troubleshooting The Zyxel Device is not applying the custom security policy I configured. The Zyxel Device checks the security policies in PPPoE or PPTP interface. The data rates through my cellular connection are no-where near the rates I expected. ZyWALL USG FLEX Series User's Guide 965 - ZyXEL USG FLEX 700 | User Guide - Page 966
of writing, the Zyxel Device does not support ingress bandwidth management. The Zyxel Device is not applying my application patrol bandwidth management settings. Bandwidth management in policy routes has priority over application patrol bandwidth management. ZyWALL USG FLEX Series User's Guide 966 - ZyXEL USG FLEX 700 | User Guide - Page 967
Chapter 48 Troubleshooting The Zyxel Device's performance be executed. Make sure you enable Destroy Infected File in the Configuration > Security Service > Anti-Malware screen to modify infected files before forwarding the files to the can concurrently unzip. ZyWALL USG FLEX Series User's Guide 967 - ZyXEL USG FLEX 700 | User Guide - Page 968
Troubleshooting The threat intelligence machine learning (TIML) feature is not working. 1 Make sure you purchase the gold security pack. • Make sure you've registered the Zyxel Device and activated the anti-malware service is supported in the Zyxel Device. ZyWALL USG FLEX Series User's Guide 968 - ZyXEL USG FLEX 700 | User Guide - Page 969
incoming interface. You can configure up to one HTTP redirect rule for each (incoming) interface. I cannot get the application patrol to manage SIP traffic. ZyWALL USG FLEX Series User's Guide 969 - ZyXEL USG FLEX 700 | User Guide - Page 970
Chapter 48 Troubleshooting Make sure you have the SIP ALG IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both Zyxel the same pre- shared key. ZyWALL USG FLEX Series User's Guide 970 - ZyXEL USG FLEX 700 | User Guide - Page 971
Chapter 48 Troubleshooting • The Zyxel Device's local and peer routed. • If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using). • If you have the Zyxel Device and remote it does not display properly. ZyWALL USG FLEX Series User's Guide 971 - ZyXEL USG FLEX 700 | User Guide - Page 972
48 Troubleshooting interface's IP address settings change. However, you need to manually edit any address objects for your LAN that are not specific service but access is blocked. • If you want to use a service, make sure the security policy allows Security Service USG FLEX Series User's Guide 972 - ZyXEL USG FLEX 700 | User Guide - Page 973
Chapter 48 Troubleshooting I cannot get the RADIUS server to authenticate the Zyxel Device's default admin account. The default admin Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form. ZyWALL USG FLEX Series User's Guide 973 - ZyXEL USG FLEX 700 | User Guide - Page 974
Chapter 48 Troubleshooting • Binary PKCS#7: This is a standard that cannot access the Zyxel Device from a computer connected to the Internet. Check the service control rules and to-Zyxel Device security policies. I uploaded a logo to display working properly. ZyWALL USG FLEX Series User's Guide 974 - ZyXEL USG FLEX 700 | User Guide - Page 975
Chapter 48 Troubleshooting • In a configuration file or shell script, use "#" or "!" as the first character of a command line to have the Zyxel for IPv4 addresses. See Chapter 34 Reputation Filter for more information. The SecuReporter banner keeps showing up. ZyWALL USG FLEX Series User's Guide 975 - ZyXEL USG FLEX 700 | User Guide - Page 976
, and wait for the Zyxel Device to restart. You should be able to access the Zyxel Device using the default settings. 48.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. ZyWALL USG FLEX Series User's Guide 976 - ZyXEL USG FLEX 700 | User Guide - Page 977
APPENDIX A Customer Support In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then India Pvt Ltd • http://www.zyxel.in Kazakhstan • Zyxel Kazakhstan • http://www.zyxel.kz ZyWALL USG FLEX Series User's Guide 977 - ZyXEL USG FLEX 700 | User Guide - Page 978
Appendix A Customer Support Korea • Zyxel Korea Corp. • http://www.zyxel.kr Malaysia • Zyxel Malaysia Sdn Bhd. • http://www.zyxel.com.my Pakistan • Zyxel /vi Europe Austria • Zyxel Deutschland GmbH • http://www.zyxel.de Belarus • Zyxel BY • http://www.zyxel.by ZyWALL USG FLEX Series User's Guide 978 - ZyXEL USG FLEX 700 | User Guide - Page 979
Appendix A Customer Support Belgium • Zyxel Communications B.V. • http://www.zyxel.com/be/nl/ • http://www.zyxel.com/be/fr/ Bulgaria • Zyxel http .de Hungary • Zyxel Hungary & SEE • http://www.zyxel.hu Italy • Zyxel Communications Italy • http://www.zyxel.it/ ZyWALL USG FLEX Series User's Guide 979 - ZyXEL USG FLEX 700 | User Guide - Page 980
Appendix A Customer Support Latvia • Zyxel Latvia • http://www.zyxel.com/lv/lv/homepage.shtml Lithuania • Zyxel Lithuania • http://www.zyxel. ES Ltd • http://www.zyxel.es Sweden • Zyxel Communications • http://www.zyxel.se Switzerland • Studerus AG ZyWALL USG FLEX Series User's Guide 980 - ZyXEL USG FLEX 700 | User Guide - Page 981
Appendix A Customer Support • http://www.zyxel.ch/ Turkey • Zyxel Turkey A.S. • http://www.zyxel.com.tr UK • Zyxel Communications UK Ltd. • http:// • http://il.zyxel.com/homepage.shtml Middle East • Zyxel Communication Corporation • http://www.zyxel.com/me/en/ ZyWALL USG FLEX Series User's Guide 981 - ZyXEL USG FLEX 700 | User Guide - Page 982
Support North America USA • Zyxel Communications, Inc. - North America Headquarters • http://www.zyxel.com/us/en/ Oceania Australia • Zyxel Communications Corporation • http://www.zyxel.com/au/en/ Africa South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.za ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 983
Address Object In One Group Service Object Service Group Maximum Service Object In One Group 4.60 USG FLEX 100 6 4.60 4.60 USG FLEX 100W USG FLEX 200 6 7 4.60 USG FLEX 500 7 4.60 USG FLEX 700 14 8 4 per interface 128 512 2000 400 256 1000 200 256 ZyWALL USG FLEX Series User's Guide 983 - ZyXEL USG FLEX 700 | User Guide - Page 984
2 8 4 8 8 8 8 16 4.60 USG FLEX 500 32 16 24 1000 200 128 32 (PPP+3G) 16 16 16 9 16 4.60 USG FLEX 700 32 16 24 1000 200 256 32 16 16 16 per service 64 8 8 16 per service 64 16 8 16 per service 128 16 16 32 per service 128 16 16 32 per service Maximum USG FLEX Series User's Guide 984 - ZyXEL USG FLEX 700 | User Guide - Page 985
- Domain/IP Base Advertisement Ticket Printer Support 4.60 USG FLEX 100 128 per profiles 4.60 4.60 4.60 4.60 USG FLEX 100W USG FLEX 200 USG FLEX 500 USG FLEX 700 128 per profiles 128 per profiles 256 MB 4000 3200 Yes 50 50 20 SP350E (Ethernet) Up to 10 ZyWALL USG FLEX Series User's Guide 985 - ZyXEL USG FLEX 700 | User Guide - Page 986
's manual mention that this device can be installed into the external environment. CANADA The following information applies if you use the product within Canada area Innovation, Science and Economic Development Canada ICES Statement CAN ICES-3 (B)/NMB-3(B) ZyWALL USG FLEX Series User's Guide 986 - ZyXEL USG FLEX 700 | User Guide - Page 987
contrôlé. Cet équipement doit être installé et utilisé avec un minimum de 25 cm de distance entre la source de rayonnement et votre corps. ZyWALL USG FLEX Series User's Guide 987 - ZyXEL USG FLEX 700 | User Guide - Page 988
over them. • Always disconnect all cables from this device before servicing or disassembling. • Do not remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet. ZyWALL USG FLEX Series User's Guide 988 - ZyXEL USG FLEX 700 | User Guide - Page 989
incorrect type, dispose of used batteries according to the instruction. Dispose them at the applicable collection point for the your local city office, your household waste disposal service or the store where you purchased the product. återvinningsställe. ZyWALL USG FLEX Series User's Guide 989 - ZyXEL USG FLEX 700 | User Guide - Page 990
台灣 Appendix C Legal Information 110V AC 230V AC USG FLEX 100W) About the Symbols Various symbols are used in this product to ensure correct usage, It is important that you read these descriptions thoroughly and fully understand the contents. ZyWALL USG FLEX Series User's Guide 990 - ZyXEL USG FLEX 700 | User Guide - Page 991
purchaser. To obtain the services of this warranty, Support at [email protected]. Regulatory Notice and Statement (Class A) Model List: USG FLEX 500, USG FLEX 700 United States of America The following information applies if you use the product within USA area. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 992
installed and used in accordance with the instruction manual, may cause harmful interference to radio service this device during a thunderstorm. There is a remote risk of electric shock from lightning. • Connect ONLY suitable accessories to the device. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 993
stumble over them. • Always disconnect all cables from this device before servicing or disassembling. • Do not remove the plug and connect it to type, dispose of used batteries according to the instruction. Dispose them at the applicable collection point for . ZyWALL USG FLEX Series User's Guide 993 - ZyXEL USG FLEX 700 | User Guide - Page 994
property damage. The meaning of these symbols are described below. It is important that you read these descriptions thoroughly and fully understand the contents. ZyWALL USG FLEX Series User's Guide 994 - ZyXEL USG FLEX 700 | User Guide - Page 995
of any kind to the purchaser. To obtain the services of this warranty, contact your vendor. You may Support at [email protected]. To obtain the source code covered under those Licenses, please contact your vendor or Zyxel Technical Support at [email protected]. ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 996
790 port 790, 792 search time limit 790 SSL 790 AAA server 784 AD 786 and users 714 directory service 785 LDAP 785, 786 local user database 786 RADIUS 785, 786, 791 RADIUS group 791 see also RADIUS routes 332 and security policy 486 and SNMP 887 and SSH 877 ZyWALL USG FLEX Series User's Guide 996 - ZyXEL USG FLEX 700 | User Guide - Page 997
alerts 907, 908, 910, 911, 912, 913 IDP 700, 701 ALG 381, 387 and NAT 381, 383 and policy troubleshooting 964, 967 troubleshooting signatures update 964 updating signatures 200 AP antenna orientation 162 group 159 management icons 152 status 152 status icons 155 ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 998
587 service ports 587 troubleshooting 964 service 527 printout 520 profile 513, 516 quota (T/U/D) 517 quota type 523 SMS message 519 time-to-finish accounting method 513 user logon settings 515 Bind DN 787, 790 BitTorrent 655 black list 678, 679, 684 anti-spam 675 ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 999
virus concurrent e-mail sessions 186 configuration information 931 configuration file troubleshooting 974 configuration files 915 at restart 918 backing up 917 downloading 919, 951 downloading with FTP 881 editing 915 how applied 916 lastgood.conf 918, 920 ZyWALL USG FLEX Series User's Guide 999 - ZyXEL USG FLEX 700 | User Guide - Page 1000
manually Service (Dos) attacks 427 DES 445 device access troubleshooting 963 Device HA 826 device HA virtual router 828 device High Availability see Device HA 826 DHCP 322, 842 and DNS servers 323 and domain name 842 and interfaces 322 pool 323 static DHCP 323 ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 1001
684, 687 see also anti-spam 676 domain name 842 Domain Name System, see DNS DoS (Denial of Service) attacks 655 DPD 438 DSA 810 DSCP 329, 332, 472, 955 DUID 233 Dynamic Domain Name System, 235 basic characteristics 229 virtual 254 ethernet interfaces ZyWALL USG FLEX Series User's Guide 1001 - ZyXEL USG FLEX 700 | User Guide - Page 1002
port 386 troubleshooting 970 header checksum 658 host-based intrusions 673 Hotspot Service Status 516 HSDPA 271 HTTP over SSL, see HTTPS redirect to HTTPS 861 vs HTTPS 859 HTTP redirect and application patrol 376 and interfaces 380 and policy routes 376, 377 ZyWALL USG FLEX Series User's Guide 1002 - ZyXEL USG FLEX 700 | User Guide - Page 1003
577, 581, 700, 701 reject sender 580 reject-both 580 reject-receiver 580 service group 656 signatures 651 Snort signatures 673 statistics 183 troubleshooting 964, 968 verifying ) 586, 655 managing 586 interface status 129 troubleshooting 965 interfaces 228 ZyWALL USG FLEX Series User's Guide 1003 - ZyXEL USG FLEX 700 | User Guide - Page 1004
IP policy routing, see policy routes IP pool 458 IP protocols 774 and service objects 775 ICMP, see ICMP TCP, see TCP UDP, see UDP IP AH 429 and certificates 423 authentication 430 basic troubleshooting 970 certificates 436 connections 423 connectivity check 430 USG FLEX Series User's Guide 1004 - ZyXEL USG FLEX 700 | User Guide - Page 1005
by name 174 search by policy 174 Security Parameter Index (SPI) (manual keys) 451 see also IPSec see also VPN source NAT for inbound mode 450 when IKE SA is disconnected 450 IPSec VPN troubleshooting 970 IPv6 231 link-local address 232 prefix 231 prefix ZyWALL USG FLEX Series User's Guide 1005 - ZyXEL USG FLEX 700 | User Guide - Page 1006
913 debugging 190 regular 190 types of 190 log options (IDP) 577, 581, 700, 701 login custom page 863 logo troubleshooting 974 logout Web Configurator 37 logs and security policy 572 e-mail profiles 904 e-mailing SA 174 sessions 135 monitor profile ADP 574 ZyWALL USG FLEX Series User's Guide 1006 - ZyXEL USG FLEX 700 | User Guide - Page 1007
AAA server 784 addresses and address groups 764 authentication method 794 certificates 802 schedules 779 services and service groups 774 users, user groups 713, 822 offset (patterns) 662 ommon 638 One-Time 237 link cost 237 priority 237 redistribute 340 ZyWALL USG FLEX Series User's Guide 1007 - ZyXEL USG FLEX 700 | User Guide - Page 1008
332, 471, 475 and service objects 775 and SMTP redirect 377 troubleshooting 964, 972 POP POP2 676 POP3 676 pop-up windows 33 port forwarding, see NAT port groups 229, 234 port roles 233 and Ethernet interfaces 233 and physical ports 233 port translation, see NAT ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 1009
combination 539 list 531 management 531 manually configure 535 reports 539 secret key 891 troubleshooting 973 Real-time Transport Protocol, see RTP record route 658 Reference Guide, CLI User Service, see RADIUS remote management FTP, see FTP see also service control USG FLEX Series User's Guide 1009 - ZyXEL USG FLEX 700 | User Guide - Page 1010
and NAT 567 and schedules 471, 475, 486, 572 and service groups 571 and service objects 775 and services 571 and SIP (ALG) 382 and user groups 572, 583 566, 569 troubleshooting 965 security settings troubleshooting 964 sensitivity level 577 serial number 115 ZyWALL USG FLEX Series User's Guide 1010 - ZyXEL USG FLEX 700 | User Guide - Page 1011
SHA1 446 shell script troubleshooting 974 shell scripts 915 and users 731 downloading 929 editing 928 how applied 916 managing 928 syntax 916 uploading 930 Short Message Service 892 shutdown 959 signal equivalent terms 674 rule header 673 rule options 673 ZyWALL USG FLEX Series User's Guide 1011 - ZyXEL USG FLEX 700 | User Guide - Page 1012
IP pool 458 network list 458 see also SSL VPN 454 troubleshooting 971 WINS 458 SSL Inspection Protocols 694 SSL inspection Server Signed stub area 339 STUN 383 and ALG 383 subscription services status 199 supported browsers 33 syslog 905, 911 syslog servers, see also USG FLEX Series User's Guide 1012 - ZyXEL USG FLEX 700 | User Guide - Page 1013
also certificates 814 tunnel encapsulation 429 Tunnel interfaces 229 TWT (Target Wakeup Time) 732 U UDP 775 attack packet 580 messages 775 port numbers 775 ZyWALL USG FLEX Series User's Guide 1013 - ZyXEL USG FLEX 700 | User Guide - Page 1014
714 and policy routes 331, 471, 475 and RADIUS 714 and security policy 572, 583 and service control 858 and shell scripts 731 attributes for Ext-User 714 attributes for LDAP 731 attributes for RADIUS 828 virus 656 attack 620, 656 boot sector 638 e-mail 638 ZyWALL USG FLEX Series User's Guide 1014 - ZyXEL USG FLEX 700 | User Guide - Page 1015
requirements 33 supported browsers 33 Service, see WINS. WINS 250, 292, 305, 323, 458 in L2TP VPN 463 WINS server 250, 463 Wireshark 663 Wizard Setup 51, 79 WLAN troubleshooting 966 user accounts 715 WLAN interfaces 229 worm 620, 656 attacks 656 WPA 732 WPA2 732 ZyWALL USG FLEX Series User's Guide - ZyXEL USG FLEX 700 | User Guide - Page 1016
method objects 862 and certificates 861 and zones 863 see also HTTP, HTTPS 859 Index Z zipped files troubleshooting 967 ZON utility 147, 896 zones 710 and FTP 882 and interfaces 710 and security policy 564, 570 Protocol (ZDP) 147 Zyxel One Network (ZON) 147 ZyWALL USG FLEX Series User's Guide 1016
-
1 -
2 -
3 -
4 -
5 -
6 -
7 -
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46
-
47
-
48
-
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
-
133
-
134
-
135
-
136
-
137
-
138
-
139
-
140
-
141
-
142
-
143
-
144
-
145
-
146
-
147
-
148
-
149
-
150
-
151
-
152
-
153
-
154
-
155
-
156
-
157
-
158
-
159
-
160
-
161
-
162
-
163
-
164
-
165
-
166
-
167
-
168
-
169
-
170
-
171
-
172
-
173
-
174
-
175
-
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
-
184
-
185
-
186
-
187
-
188
-
189
-
190
-
191
-
192
-
193
-
194
-
195
-
196
-
197
-
198
-
199
-
200
-
201
-
202
-
203
-
204
-
205
-
206
-
207
-
208
-
209
-
210
-
211
-
212
-
213
-
214
-
215
-
216
-
217
-
218
-
219
-
220
-
221
-
222
-
223
-
224
-
225
-
226
-
227
-
228
-
229
-
230
-
231
-
232
-
233
-
234
-
235
-
236
-
237
-
238
-
239
-
240
-
241
-
242
-
243
-
244
-
245
-
246
-
247
-
248
-
249
-
250
-
251
-
252
-
253
-
254
-
255
-
256
-
257
-
258
-
259
-
260
-
261
-
262
-
263
-
264
-
265
-
266
-
267
-
268
-
269
-
270
-
271
-
272
-
273
-
274
-
275
-
276
-
277
-
278
-
279
-
280
-
281
-
282
-
283
-
284
-
285
-
286
-
287
-
288
-
289
-
290
-
291
-
292
-
293
-
294
-
295
-
296
-
297
-
298
-
299
-
300
-
301
-
302
-
303
-
304
-
305
-
306
-
307
-
308
-
309
-
310
-
311
-
312
-
313
-
314
-
315
-
316
-
317
-
318
-
319
-
320
-
321
-
322
-
323
-
324
-
325
-
326
-
327
-
328
-
329
-
330
-
331
-
332
-
333
-
334
-
335
-
336
-
337
-
338
-
339
-
340
-
341
-
342
-
343
-
344
-
345
-
346
-
347
-
348
-
349
-
350
-
351
-
352
-
353
-
354
-
355
-
356
-
357
-
358
-
359
-
360
-
361
-
362
-
363
-
364
-
365
-
366
-
367
-
368
-
369
-
370
-
371
-
372
-
373
-
374
-
375
-
376
-
377
-
378
-
379
-
380
-
381
-
382
-
383
-
384
-
385
-
386
-
387
-
388
-
389
-
390
-
391
-
392
-
393
-
394
-
395
-
396
-
397
-
398
-
399
-
400
-
401
-
402
-
403
-
404
-
405
-
406
-
407
-
408
-
409
-
410
-
411
-
412
-
413
-
414
-
415
-
416
-
417
-
418
-
419
-
420
-
421
-
422
-
423
-
424
-
425
-
426
-
427
-
428
-
429
-
430
-
431
-
432
-
433
-
434
-
435
-
436
-
437
-
438
-
439
-
440
-
441
-
442
-
443
-
444
-
445
-
446
-
447
-
448
-
449
-
450
-
451
-
452
-
453
-
454
-
455
-
456
-
457
-
458
-
459
-
460
-
461
-
462
-
463
-
464
-
465
-
466
-
467
-
468
-
469
-
470
-
471
-
472
-
473
-
474
-
475
-
476
-
477
-
478
-
479
-
480
-
481
-
482
-
483
-
484
-
485
-
486
-
487
-
488
-
489
-
490
-
491
-
492
-
493
-
494
-
495
-
496
-
497
-
498
-
499
-
500
-
501
-
502
-
503
-
504
-
505
-
506
-
507
-
508
-
509
-
510
-
511
-
512
-
513
-
514
-
515
-
516
-
517
-
518
-
519
-
520
-
521
-
522
-
523
-
524
-
525
-
526
-
527
-
528
-
529
-
530
-
531
-
532
-
533
-
534
-
535
-
536
-
537
-
538
-
539
-
540
-
541
-
542
-
543
-
544
-
545
-
546
-
547
-
548
-
549
-
550
-
551
-
552
-
553
-
554
-
555
-
556
-
557
-
558
-
559
-
560
-
561
-
562
-
563
-
564
-
565
-
566
-
567
-
568
-
569
-
570
-
571
-
572
-
573
-
574
-
575
-
576
-
577
-
578
-
579
-
580
-
581
-
582
-
583
-
584
-
585
-
586
-
587
-
588
-
589
-
590
-
591
-
592
-
593
-
594
-
595
-
596
-
597
-
598
-
599
-
600
-
601
-
602
-
603
-
604
-
605
-
606
-
607
-
608
-
609
-
610
-
611
-
612
-
613
-
614
-
615
-
616
-
617
-
618
-
619
-
620
-
621
-
622
-
623
-
624
-
625
-
626
-
627
-
628
-
629
-
630
-
631
-
632
-
633
-
634
-
635
-
636
-
637
-
638
-
639
-
640
-
641
-
642
-
643
-
644
-
645
-
646
-
647
-
648
-
649
-
650
-
651
-
652
-
653
-
654
-
655
-
656
-
657
-
658
-
659
-
660
-
661
-
662
-
663
-
664
-
665
-
666
-
667
-
668
-
669
-
670
-
671
-
672
-
673
-
674
-
675
-
676
-
677
-
678
-
679
-
680
-
681
-
682
-
683
-
684
-
685
-
686
-
687
-
688
-
689
-
690
-
691
-
692
-
693
-
694
-
695
-
696
-
697
-
698
-
699
-
700
-
701
-
702
-
703
-
704
-
705
-
706
-
707
-
708
-
709
-
710
-
711
-
712
-
713
-
714
-
715
-
716
-
717
-
718
-
719
-
720
-
721
-
722
-
723
-
724
-
725
-
726
-
727
-
728
-
729
-
730
-
731
-
732
-
733
-
734
-
735
-
736
-
737
-
738
-
739
-
740
-
741
-
742
-
743
-
744
-
745
-
746
-
747
-
748
-
749
-
750
-
751
-
752
-
753
-
754
-
755
-
756
-
757
-
758
-
759
-
760
-
761
-
762
-
763
-
764
-
765
-
766
-
767
-
768
-
769
-
770
-
771
-
772
-
773
-
774
-
775
-
776
-
777
-
778
-
779
-
780
-
781
-
782
-
783
-
784
-
785
-
786
-
787
-
788
-
789
-
790
-
791
-
792
-
793
-
794
-
795
-
796
-
797
-
798
-
799
-
800
-
801
-
802
-
803
-
804
-
805
-
806
-
807
-
808
-
809
-
810
-
811
-
812
-
813
-
814
-
815
-
816
-
817
-
818
-
819
-
820
-
821
-
822
-
823
-
824
-
825
-
826
-
827
-
828
-
829
-
830
-
831
-
832
-
833
-
834
-
835
-
836
-
837
-
838
-
839
-
840
-
841
-
842
-
843
-
844
-
845
-
846
-
847
-
848
-
849
-
850
-
851
-
852
-
853
-
854
-
855
-
856
-
857
-
858
-
859
-
860
-
861
-
862
-
863
-
864
-
865
-
866
-
867
-
868
-
869
-
870
-
871
-
872
-
873
-
874
-
875
-
876
-
877
-
878
-
879
-
880
-
881
-
882
-
883
-
884
-
885
-
886
-
887
-
888
-
889
-
890
-
891
-
892
-
893
-
894
-
895
-
896
-
897
-
898
-
899
-
900
-
901
-
902
-
903
-
904
-
905
-
906
-
907
-
908
-
909
-
910
-
911
-
912
-
913
-
914
-
915
-
916
-
917
-
918
-
919
-
920
-
921
-
922
-
923
-
924
-
925
-
926
-
927
-
928
-
929
-
930
-
931
-
932
-
933
-
934
-
935
-
936
-
937
-
938
-
939
-
940
-
941
-
942
-
943
-
944
-
945
-
946
-
947
-
948
-
949
-
950
-
951
-
952
-
953
-
954
-
955
-
956
-
957
-
958
-
959
-
960
-
961
-
962
-
963
-
964
-
965
-
966
-
967
-
968
-
969
-
970
-
971
-
972
-
973
-
974
-
975
-
976
-
977
-
978
-
979
-
980
-
981
-
982
-
983
-
984
-
985
-
986
-
987
-
988
-
989
-
990
-
991
-
992
-
993
-
994
-
995
-
996
-
997
-
998
-
999
-
1,000
-
1,001
-
1,002
-
1,003
-
1,004
-
1,005
-
1,006
-
1,007
-
1,008
-
1,009
-
1,010
-
1,011
-
1,012
-
1,013
-
1,014
-
1,015
-
1,016
 |
 |
Default Login Details
User’s Guide
ZyWALL USG FLEX
Series
Copyright © 2020 Zyxel Communications Corporation
LAN Port IP Address
User Name
admin
Password
1234
Version 4.60 Edition 1, 10/2020