Manuel d'utilisation / d'entretien du produit USG 2000 du fabricant ZyXEL Communications
Aller à la page of 1081
www .zyxel.com www .zyxel.com ZyW ALL USG 2000 Unified Security Gateway Copyright © 2010 ZyXEL Communications Corporation Firmware V ersion 2.12 Edition 1, 3/2010 Default Login Details LAN P ort P1 IP Address https://192.
.
About This User's Guide ZyWALL USG 2000 User’s Guide 3 About This User's Guide Intended Audience This manual is intended for people who want to want to configure the Z yW AL L using the W eb Configur ator . How T o Use This Guide •R e a d Chapter 1 on page 33 chapter for an overview of features av ailable on the Z yW ALL.
About This User's Guide ZyWALL USG 2000 U ser’s Guide 4 • W eb Configurator O nline He lp Click the help icon in an y screen for help in configuring that screen and supplementary information. Documentation Feedback Send your comments, questions or su g gestions to: techwriters@zyxel.
About This User's Guide ZyWALL USG 2000 User’s Guide 5 See http://www .zyxel.com/web/contact_us.php for contact informat ion. Please have the follow in g informatio n re ady when you contact an office. • Product model and serial number . •W a r r a n t y I n f o r m a t i o n .
Document Conventions ZyWALL USG 2000 U ser’s Guide 6 Document Conventions W arnings and Notes These are how warnings and notes are shown in this User’ s Guide.
Document Conventions ZyWALL USG 2000 User’s Guide 7 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The Z yW ALL icon is not an exact representation of your device.
Safety Warnings ZyWALL USG 2000 U ser’s Guide 8 Safety Warnings • Do NO T use this product near water , for exam ple, in a wet basement or n ear a swimming pool. • Do NO T expose your device to dampness, dust or corrosive liquids. • Do NO T store things on the device.
Contents Overview ZyWALL USG 2000 User’s Guide 9 Contents Overview User ’ s Guide ......................................... .......... ........... .................................................... ......... 31 Introducing the ZyWALL ...........
Contents Overview ZyWALL USG 2000 U ser’s Guide 10 Content Filtering ............ ................. ................ ................ ................ ................ ............... .... ..... 617 Content Filter Reports ........ ................ .
Table of Contents ZyWALL USG 2000 User’s Guide 11 Table of Contents About This User's Guide ..................................................... ................................................... .. 3 Document Conventions.....................
Table of Contents ZyWALL USG 2000 U ser’s Guide 12 3.3 Web Configurator Screens Overview .... ................. ................ ................ ................ ............. 53 3.3.1 T itle Bar ..... ... ... .... ... ................ ............
Table of Contents ZyWALL USG 2000 User’s Guide 13 6.2.1 Interface T ypes .......... ... .... ... ... ... ... .... ... ... ... ................. ... ... ................ ... .... ................ . .. 97 6.2.2 Default Interface and Zone Configuration .
Table of Contents ZyWALL USG 2000 U ser’s Guide 14 7.1 How to Configure Interfaces, Port Grouping, and Zones ........................ ... ... .... ... ... ... ... .... .. 1 19 7.1.1 Configure a W AN Ethernet Interface ... ... ... .... ... ... ... ..
Table of Contents ZyWALL USG 2000 User’s Guide 15 7.14 How to Use Active-Passive Device H A ................... ................ ................ ................ ........ 164 7.14.1 Before Y o u S tar t ................... ................ ........
Table of Contents ZyWALL USG 2000 U ser’s Guide 16 10.6 The DDNS S tatus Screen .... .................... ... .......... ................ ................ ................ ........... 236 10.7 IP/MAC Binding Monitor ...... .................... ... .
Table of Contents ZyWALL USG 2000 User’s Guide 17 13.2 Port Grouping ............ ................ ................ ................... ................ ................. ........... ...... 280 13.2.1 Port Grouping Overview ............. ...........
Table of Contents ZyWALL USG 2000 U ser’s Guide 18 Chapter 16 Routing Protocols ...................... ..................................................... ................................... ... 363 16.1 Routing Protocols Overvi ew ............. .
Table of Contents ZyWALL USG 2000 User’s Guide 19 20.2.1 The HTTP Redire ct Edit Screen . ................. ................ ................ ................ ........... 400 Chapter 21 ALG ............................................. .............
Table of Contents ZyWALL USG 2000 U ser’s Guide 20 25.1 IPSec VPN Ov erview ........ ................... ................. ................ ................ ................... ........ 441 25.1.1 What Y ou Can Do in this Chapter ..... ... .........
Table of Contents ZyWALL USG 2000 User’s Guide 21 29.1.1 What Y ou Need to Know ............ ................. ................ ................ ................ ........... 505 29.2 The Main File Sharing Screen ............. .... ............. ....
Table of Contents ZyWALL USG 2000 U ser’s Guide 22 33.1.2 What Y ou Need to Know ............ ................. ................ ................ ................ ........... 548 33.1.3 Before Y ou Begin ....... .... ................ ...............
Table of Contents ZyWALL USG 2000 User’s Guide 23 35.1.4 Before Y ou Begin ....... .... ................ ................ ................ ................ ................ ........ 598 35.2 The ADP General Sc reen . ................ ...............
Table of Contents ZyWALL USG 2000 U ser’s Guide 24 38.7 Anti-S p am T echnical Ref erence .................... .................... ................ ................... ........... 662 Chapter 39 Device HA .............. ............................
Table of Contents ZyWALL USG 2000 User’s Guide 25 42.1.1 What Y ou Can Do in this Chapter ..... ... ................ ............. ................ ................ ......71 1 42.1.2 What Y ou Need to Know ............ ................. ............
Table of Contents ZyWALL USG 2000 U ser’s Guide 26 46.1.3 V erifying a Certificate . ................ ................. ................ ................... ................ ........ 741 46.2 The My Certificates Screen ........ ................ ....
Table of Contents ZyWALL USG 2000 User’s Guide 27 50.4 Console Port S peed .......... ................ .................... ................ ................ ................ ......... .. 789 50.5 DNS Overview ..... ................ ................
Table of Contents ZyWALL USG 2000 U ser’s Guide 28 51.1.1 What Y ou Can Do In th is Chapter .. ................ ................ ................ ................ ........ 833 51.2 Email Daily Report ..... ................ ................ .........
Table of Contents ZyWALL USG 2000 User’s Guide 29 Chapter 57 Product Sp ecifications ................................... ..................................................... ................. 891 57.1 3G PCMCIA Card Installati on ........... ......
Table of Contents ZyWALL USG 2000 U ser’s Guide 30.
31 P ART I User ’ s Guide.
32.
ZyWALL USG 2000 User’s Guide 33 C HAPTER 1 Introducing the ZyWALL This chapter gives an overview of t he Z yWALL. It explains the front panel ports, LEDs, introduces the manage ment methods, and lists di fferent w ays to start or stop the Z yW ALL. 1.
Chapter 1 Introducing the ZyWALL ZyWALL USG 2000 U ser’s Guide 34 standard EIA rac k using a r ack -mounting kit. Make sure the r ack will safely support the combined weight of all t he equipment it contains and that the position of the Z yW ALL do es not make the rack unst able or top-hea vy .
Chapter 1 Introducin g the ZyWALL ZyWALL USG 2000 User’s Guide 35 3 After attaching both mounting br ackets, posi tion the ZyWALL in the r ack by lining up the holes in the br ackets wi th the a ppropriate holes on the r ack. Secure the Z yWALL to the rack with the rack -mounting screws.
Chapter 1 Introducing the ZyWALL ZyWALL USG 2000 U ser’s Guide 36 1.3.1.1 1000Base-T Port s The 1000Base- T auto-negotiating, auto-crossover Ethernet ports support 100/ 1000 Mbps Gigabit Ethernet so the speed can be 100 Mbps or 1000 Mbps. The duplex mode can be both half or full d u plex at 100 Mbps and full duplex only at 1000 Mbps.
Chapter 1 Introducin g the ZyWALL ZyWALL USG 2000 User’s Guide 37 1 Insert the transceiv er into the slot with the exposed section of PCB board facing down. Figure 4 T ransceiver Installation Example 2 Press the tr ansceiver firmly until i t clicks into place.
Chapter 1 Introducing the ZyWALL ZyWALL USG 2000 U ser’s Guide 38 1 Press down on the top of the fiber-optic ca ble where it connects to the transceiv er to release it. Then pull the fiber -optic cable out. Figure 7 Removing the Fiber- optic Cable Example 2 Open the transceiv er’s latch (latch styles v ary).
Chapter 1 Introducin g the ZyWALL ZyWALL USG 2000 User’s Guide 39 1.3.2 Maximizing Throughput The Z yWALL has one internal bus for ports P1 - P7 and another for port P8 . T o maximize the Z yW ALL’ s throughput, use P8 for your conn ection with the most traffic.
Chapter 1 Introducing the ZyWALL ZyWALL USG 2000 U ser’s Guide 40 1.4 Management Overview Y ou can use the followin g ways to manage the Z yW ALL. SYS Off The Z yWALL is turned off . Green On The Z yWALL is ready and operating normally . Flashing The Z yWALL is self -testing.
Chapter 1 Introducin g the ZyWALL ZyWALL USG 2000 User’s Guide 41 Web Configurator The W eb Confi gurator allows easy Z yW ALL setup and management using an Internet browser . This User’ s Guid e prov ides information about the W eb Configurator .
Chapter 1 Introducing the ZyWALL ZyWALL USG 2000 U ser’s Guide 42 Always use Maintenance > Shut down > Shut down or the shutdown command before you turn off the Zy W ALL or remove the power . Not doing so can cause the firmwa re to become corr upt.
ZyWALL USG 2000 User’s Guide 43 C HAPTER 2 Features and Applications This chapter introduces the main features and applications of the Z yWALL. 2.1 Features The Z yWALL ’s security features includ.
Chapter 2 Features and Applications ZyWALL USG 2000 U ser’s Guide 44 Firewall The Z yWALL’ s firew all is a stateful inspection firew all. The Z yWALL rest ricts access by screening data packets against defined access rules. It can also inspect sessions.
Chapter 2 Features an d Applications ZyWALL USG 2000 User’s Guide 45 Anti-Virus Scanner With the anti- virus packet s canner , your Z yW ALL scans files tr ansmitting through the enabled interfaces into the network. The Z yW ALL helps stop threats at the network edge before they reach th e local host computers.
Chapter 2 Features and Applications ZyWALL USG 2000 U ser’s Guide 46 2.2.1 VPN Connectivity Set up VPN tunnels with other companies, branch offices, t elecommuters, and business tr a velers to provide secure access t o y our network. Y ou can also set up additional connections to the Inte rnet to provide better service.
Chapter 2 Features an d Applications ZyWALL USG 2000 User’s Guide 47 Y ou do not have to install additional client software on the remote user computers for access.
Chapter 2 Features and Applications ZyWALL USG 2000 U ser’s Guide 48 2.2.3 User-A ware Access Control Set up security policies that restrict access to sensitiv e information and shared resources based on the user who is trying to access it. Figure 16 Applications: User-A ware Access Control 2.
Chapter 2 Features an d Applications ZyWALL USG 2000 User’s Guide 49 2.2.5 Device HA Set up an addit ional Z yW ALL as a backup gatew ay to ensure the defaul t gateway is always availab le for the network.
Chapter 2 Features and Applications ZyWALL USG 2000 U ser’s Guide 50.
ZyWALL USG 2000 User’s Guide 51 C HAPTER 3 Web Configurator The Z yW ALL W eb Configur ator allows easy Z yW ALL setup and management usi ng an Internet browser . 3.1 W eb Configurator Requirement s In order to use the W e b Configur ator , you must • Use Internet Explorer 7 or la ter , or Firefox 1.
Chapter 3 Web C onfig ur a t or ZyWALL USG 2000 U ser’s Guide 52 2 Open your web browser , and go to http://192.168.1.1 . By default, the Z yWALL automatically routes this req uest to its HT TPS server , and it is recommended to keep this setting. The Login screen appears.
Chapter 3 Web Configurator ZyWALL USG 2000 User’s Guide 53 5 The screen above appears every time y ou log in using the default user name and default password. If you chang e the passw ord for the default user account, this screen does not appear anymore.
Chapter 3 Web C onfig ur a t or ZyWALL USG 2000 U ser’s Guide 54 3.3.1 T itle Bar The title bar prov ides some icons in the upper right corner . Figure 22 Tit l e B a r The icons provide the following functions. 3.3.2 Navigation Panel Use the menu items on the na vigati on panel to open screens to configure Z yW ALL features.
Chapter 3 Web Configurator ZyWALL USG 2000 User’s Guide 55 hide the navigation panel menus or drag it to resize them. The following sections introduce the Z yWALL ’s navigati on panel menus and their screens.
Chapter 3 Web C onfig ur a t or ZyWALL USG 2000 U ser’s Guide 56 3.3.2.3 Configuration Menu Use the configurat ion menu screens to configure the ZyW ALL’ s features. Cellular Status Displays details about the Z yW ALL’ s 3G connection status. AppP atrol Statistics Displays bandwidth and protocol statistics.
Chapter 3 Web Configurator ZyWALL USG 2000 User’s Guide 57 Interface Por t Gr o up i ng Configure physical port groups. Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces. PPP Create and manage PPPoE and PPTP interfaces. Cellular Configure a cellular Internet connection for an installed 3G card.
Chapter 3 Web C onfig ur a t or ZyWALL USG 2000 U ser’s Guide 58 L2TP VPN L2TP VPN Configure L2TP Over IPSec VPN settings. AppPatrol Gener al Enable or disable traffic management by application and see registration and signature information. Common Manage tr affic of the most commonly used web, file transfer and e-mail protocols.
Chapter 3 Web Configurator ZyWALL USG 2000 User’s Guide 59 User/Group User Create and manage users. Group Create and manage groups of users. Setting Manage default settings for all users, general settings for user sessions, and rules to force user authentication.
Chapter 3 Web C onfig ur a t or ZyWALL USG 2000 U ser’s Guide 60 3.3.2.4 Maintenance Menu Use the maintenan ce menu screens to mana ge configuration and firmw are files, run diagnostics, and reb oot or shut down the Z yWALL. 3.3.3 Main Window The main window shows the screen you sele ct in the navigation panel.
Chapter 3 Web Configurator ZyWALL USG 2000 User’s Guide 61 3.3.3.1 W a rning Messages W arning messages, such as those resultin g from misconfigur ation, display in a popup window . Figure 24 W arning Message 3.3.3.2 Site Map Click Site MAP to see an o v erview of links to the W eb Configur ator screens.
Chapter 3 Web C onfig ur a t or ZyWALL USG 2000 U ser’s Guide 62 settings reference the object. The follo wing example shows which configuration settings reference the ldap-users user obje ct (in this case the first firewall rule). Figure 26 Object Refer ence The fields vary with the t ype of object.
Chapter 3 Web Configurator ZyWALL USG 2000 User’s Guide 63 3.3.3.4 CLI Messages Click CLI to look at the CLI commands sen t by th e Web Configurator . These commands appear in a popup window , such as the following. Figure 27 CLI Messages Click Clear to remove the currently displa y ed information.
Chapter 3 Web C onfig ur a t or ZyWALL USG 2000 U ser’s Guide 64 • Sort in ascending alphabetical order • Sort in descending (reverse) al phabetical order • Select which columns to display •.
Chapter 3 Web Configurator ZyWALL USG 2000 User’s Guide 65 4 Select a column heading and dr ag and drop it to change the column order . A green check mark displays next to the col umn’s title when you drag the column to a valid new location.
Chapter 3 Web C onfig ur a t or ZyWALL USG 2000 U ser’s Guide 66 Here are descriptions for the most common table icons. 3.3.4.3 Wo rking with List s When a list of av ailable entries displays ne xt to a list of sele cted entries, you can often just double-click an entry to move it from one list to the other .
ZyWALL USG 2000 User’s Guide 67 C HAPTER 4 Installation Setup Wizard 4.1 Inst allation Setup Wizard Screens If you lo g into the W eb Configurator when the Z y WALL is using its def ault configuration, the firs t Installation Setup Wizard screen displays.
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 2000 U ser’s Guide 68 4.1.1 Internet Access Setup - W AN Interface Use this screen to set how many W AN interfaces to configure and the first W AN interface’ s type of encapsulation and method of IP address assignment.
Chapter 4 Installa tion Setup Wizard ZyWALL USG 2000 User’s Guide 69 Note: Enter the Internet access in formation exactly as given to you by your ISP . Figure 37 Internet Access: Ethernet Encapsulation • Encapsulation : This displays the type of Internet connection you are configu ring.
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 2000 U ser’s Guide 70 4.1.3 Internet Access: PPPoE Note: Enter the Internet access in formation exactly as given to you by your ISP . Figure 38 Internet Access: PPPoE Encapsulation 4.1.3.1 ISP Parameters • T ype the PPPoE Service Name from your service provider .
Chapter 4 Installa tion Setup Wizard ZyWALL USG 2000 User’s Guide 71 4.1.3.2 W AN IP Address Assignment s • WAN Interface : This is the name of the interfac e that will conne ct wit h your ISP . • Zone: This is the se curity zone to wh ic h thi s int er face and Inter net co nnection will belong .
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 2000 U ser’s Guide 72 • CHAP/PAP - Y our ZyW ALL accepts either CHAP or P AP when requested by the remote no de . • CHAP - Y our ZyW ALL accepts CHAP onl y . • PAP - Y our Z yWALL accept s PAP onl y .
Chapter 4 Installa tion Setup Wizard ZyWALL USG 2000 User’s Guide 73 4.1.6 Internet Access Se tup - Second W AN Interface If you se lected I have two ISPs , after you configure the First WAN Interface , you can configure the Second WAN Interface . The screens for configuring the second WAN interf ace are simil ar to the first (see Section 4.
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 2000 U ser’s Guide 74 Note: If you have not already do ne so, you can register your ZyW ALL with myZyXEL.com and activate trials of services like IDP . Click Next and us e the foll owing screen to perform a basic registrati on (see Section 4.
Chapter 4 Installa tion Setup Wizard ZyWALL USG 2000 User’s Guide 75 • Select existing myZyXEL.com account if you already have an account at myZ yXEL.com and enter your user name and password in the fields below to register your Z yWALL. •E n t e r a User Name for your myZ yXEL.
Chapter 4 Ins ta llat ion Setu p Wizard ZyWALL USG 2000 U ser’s Guide 76.
ZyWALL USG 2000 User’s Guide 77 C HAPTER 5 Quick Setup 5.1 Quick Setup Overview The W e b Configurator's qu ick setup wizards hel p you configur e Internet and VPN connection settings. This chapt er pro vid es informa t io n on configu r in g the quick setup screens in the W eb Configur ator .
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 78 5.2 W AN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to co nnect to the internet.
Chapter 5 Quick Setup ZyWALL USG 2000 User’s Guide 79 Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from y our ISP . Figure 47 W AN Interface Setup: S tep 2 The screens v ary depending on what encapsulation t ype you use.
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 80 • IP Address Assignment : Select Auto If y our ISP did not assign you a fix ed IP address. Select Static If the ISP assigned a fixed IP address. 5.2.4 W AN and ISP Connection Settings Use this screen to configure the ISP an d WAN interface settings.
Chapter 5 Quick Setup ZyWALL USG 2000 User’s Guide 81 Authentication Ty p e Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Y our Z y WALL accepts either CHAP or P AP when requested by this remote node.
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 82 5.2.5 Quick Setup Interface Wizard: Summary This screen displa ys the WAN i nterface’ s setting s. Figure 50 Interface Wizard: Su mmary W AN (PPTP Shown) The following table describes t he labels in this screen.
Chapter 5 Quick Setup ZyWALL USG 2000 User’s Guide 83 5.3 VPN Quick Setup Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and ad dress objects that you can use later in configur ing more VPN connec ti ons or other features.
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 84 5.4 VPN Setup Wizard: W izard T ype A VPN (Virtual Private Network) tunnel is a secure connecti on to another computer or network. Use this screen to select wh ich type of VPN connection you wan t to configure.
Chapter 5 Quick Setup ZyWALL USG 2000 User’s Guide 85 5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 52 on page 84 to display the following screen. Figure 53 VPN Express Wizard: S tep 2 Rule Name : T ype the name used to identify thi s VPN connection (and VPN gateway) .
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 86 5.5.1 VPN Express Wizard - Configuration Figure 54 VPN Express Wizard: S tep 3 • Secure Gateway : If Any displa ys in this field, it i s not configurable for the chosen scenario.
Chapter 5 Quick Setup ZyWALL USG 2000 User’s Guide 87 5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’ s configuration and also commands that you can copy and paste into another ZLD-based Z yW ALL’ s command line interface to configure it.
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 88 5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 56 VPN Express Wizard: S tep 6 Note: If you have not already do ne so, use t he myZyXEL.com link and register you r ZyW ALL with myZyXEL.
Chapter 5 Quick Setup ZyWALL USG 2000 User’s Guide 89 5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 52 on p age 84 to di spla y the following screen. Figure 57 VPN Advanced Wizard: Scenario Rule Name : T ype the name used to identify thi s VPN connection (and VPN gateway) .
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 90 • Remote Access (Client R ole) - Choose this to connect to an IPSec server . Thi s Z yWALL is the cli ent (dial-in user) and can initiate the VPN tunnel.
Chapter 5 Quick Setup ZyWALL USG 2000 User’s Guide 91 that uses a 168-bit k ey . As a result, 3DES is more secure than DES. It also requires more processing power , result ing in increased latency and decreased throughput. AES128 uses a 128-bit ke y and is faster than 3DES.
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 92 5.5.6 VPN Advanced Wizard - Phase 2 Phase 2 in an IKE uses the SA t hat was established in phase 1 t o negotiate SAs for IPSec. Figure 59 VPN Advanced Wizard: S tep 4 • Active Protocol : ESP is compatible with NA T , AH is not.
Chapter 5 Quick Setup ZyWALL USG 2000 User’s Guide 93 • Nailed-Up : This displays for the site-to-si te and remote access client role scenarios. Select this to have the Z y W ALL automatically renegot iate the IPSec SA when the SA l ife time expires.
Chapter 5 Quick Setup ZyWALL USG 2000 U ser’s Guide 94 5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 61 VPN Wizard: S tep 6: Advanced Note: If you have not already do ne so, you can register your ZyW ALL with myZyXEL.com and activate trials of services like IDP .
ZyWALL USG 2000 User’s Guide 95 C HAPTER 6 Configuration Basics This information is provided to help yo u configure the ZyW ALL effectively . Some of it is helpf u l wh en you are ju st gettin g st a r t e d . So m e of it is provided for your reference when you configure various features in the Z yW ALL.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 96 objects whenever the interface’ s IP addres s settings change . For example, if you change an Ethernet interf ace’ s IP address, the Z y WALL automatically updates the rules or settings that use the interf ace-based, LAN subnet ad dress object.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 97 6.2.1 Interface T ypes There are man y types of interfaces in th e Z yWALL. In addition to being used in various features, i nterfaces also describe the network that is direct ly connected to the ZyW ALL.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 98 6.2.2 Default Interface and Zone Configuration This section introduces the Z yWALL’ s default zone member ph ysical interfaces and the default configuration of those interfac es.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 99 • The DMZ zone contains the ge4 , ge5 , and ge6 interfaces (physical ports P4 , P5 , and P6 ). The DMZ zone has servers that are av ailable to the publ ic. These interface uses priv ate IP addresses 192.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 100 6.4 Packet Flow Here is the order in which the Z yW A LL applies its features and checks. Figure 64 Packet Flow 6.4.1 ZLD 2.20 Packet Flow Enhancement s ZLD version 2.20 has been enhanced to simplif y configurat ion.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 101 • Y ou do not need to set up policy routes for 1:1 NA T entries. • Y ou can create Many 1:1 NA T entries to translate a r ange of priv ate network addresses to a r ange of public IP addresses • Static an d dynamic ro utes have th eir own cate gory .
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 102 2 Policy Routes : These are the user-configured policy routes. Configure policy routes to send packets through the ap propriate interface or VPN tunnel. See Chapter 15 on page 347 for more on policy routes.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 103 Z yWALL stops checking the packets against the NA T table and moves on to bandwidth management. Figure 66 NA T T able Checking Flow 1 SNA T defined in the policy routes . This was already in ZLD 2.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 104 6.5.1 Feature This provides a brief description. See the appropriate chapter(s) in this Us er’s Guide for more information about any feature. Example: This provi des a simple example to show you how to configure this feature.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 105 subscription to update the anti -virus and IDP/ap plication patrol signatures Y ou must have Internet access to myZ yXEL.com. 6.5.4 Interface See Section 6.2 on page 96 for background information.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 106 and general NA T on the source address. Y ou hav e to set up the criteria, next-hops, and NA T set tings first. Example: Y ou h a ve a n F TP s e r ve r co n n ec t e d to ge4 (in the DMZ zone).
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 107 6.5.7 S t atic Routes Use static routes to tell the Z yW ALL abou t networks not directly connected to the Zy WA L L . 6.5.8 Zones See Section 6.2 on page 96 for background information.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 108 The Z yWALL only checks regu lar (through-ZyW ALL) firew all rules for packets that are redirected by NA T , it does not check the to-Z yWALL f irewall rules. Example: Suppose you ha ve an FTP server with a private IP address connected t o a DMZ port.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 109 3 Name the entry . 4 Select the interface from which you w ant to redirect incoming HT TP requests ( ge1 ). 5 Specify the IP address of the HT TP proxy server . 6 Specify the port number to use for the HT TP traff ic that you forward to the proxy server .
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 11 0 Example: Suppose you hav e a SIP proxy server connected to the DMZ zone for V oIP calls. Y ou could configure a firewall rule to allow V o IP sessions from the SIP proxy server on DMZ to the LAN so V oIP users on the LAN can receiv e calls.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 111 Example: See Chapter 7 on page 119 . 6.5.17 L2TP VPN Use L2TP VPN to let remote users use the L2TP and IPSec cli ent softw are includ ed with their computers’ operati ng systems to securely connect to the network behind the Z yWALL.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 11 2 Note: With this example, Bob would have to log in using his a ccount. If you do not want him to have to log in, you might create a n exception policy with Bob’ s computer IP address as the so urce.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 11 3 1 Create a user account for Bill if you have not done so already ( Configuration > Object > User/Group ). 2 Create a schedule for the work day ( Configuration > Object > Schedule ).
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 11 4 6.6 Object s Objects store information and are ref erenced by other features. If you up date this informat ion in resp onse to changes, th e Zy WALL automatically propagates the change through the features that use the o bjec t.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 11 5 If you want to force us ers to log in to the ZyW ALL before the Z yWALL routes traffic for them, you might have to configure prerequis ites first. 6.7 System This section introduces some of the management featu res in the Z yW ALL.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 11 6 2 Create an address object for t he administr ator’s computer ( Configuration > Object > Ad dress ). 3 Click Configuration > System > WWW to configure the HT TP management access.
Chapter 6 Configu ra tio n Bas ics ZyWALL USG 2000 User’s Guide 11 7 Always use Maintenance > Shut down > Shut down or the shutdown command before you turn off the Zy W ALL or remove the power . Not doing so can cause the firm ware to become corrupt.
Chapter 6 Con figu ra tio n Bas i cs ZyWALL USG 2000 U ser’s Guide 11 8.
ZyWALL USG 2000 User’s Guide 11 9 C HAPTER 7 Tutorials Here are examples of using the W eb Conf igurator to set up features in the Zy WA L L . S e e a l s o Chapter 8 on page 171 for an example of configuring L2TP VPN.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 120 • Y ou want to be able to apply security settings s pecifically for all VPN tunnels so you create a new VPN zone. Figure 67 Ethernet In terface, Port Grouping, and Zone Configuration Example 7.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 121 1 Click Configuration > Network > Zone and then the Add icon. 2 Enter VPN as the name, select Default_L2TP_VPN_Connection a n d m o ve i t t o the Member box and clic k OK . Figure 69 Configura tion > Network > Zone > W AN Edit 7.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 122 2 Drag physical port 5 ont o representative interface ge4 and click Apply . Figure 70 Configura tion > Network > Interface > Port Grouping Examp le 3 Click Dashboar d , and look at the Interface Status Summary .
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 123 3 Click Configuration > Network > Interface > Cellular . Select the 3G device’ s entry and click Edit . Figure 72 Configura tion > Network > Interface > Cellular 4 Enable the interface and add it to a z one.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 124 5 Go to the Dashboard . The Interface Status Summary section should contain a “cellular” entry . When its connection status is Connected y ou can use the 3G connection to acce ss the Internet.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 125 Y ou do not have to change many of t he Z yW ALL ’ s settings from the defaults to set up this trunk. Y ou only hav e to set up the outgoing bandwidth on each of the W AN interfaces and configure the WAN_TRUN K trunk’ s load balancing settings.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 126 7.3.2 Configure the W AN T runk 1 Click Configuration > Netw ork > Interface > Trun k . Click the Add icon. 2 Name the tru n k a nd se t the Load Balancing Algorithm field to Weighted Round Robin .
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 127 3 Select the trunk as the defaul t trunk and click Apply . Figure 78 Configura tion > Network > Interface > T runk 7.4 How to Set Up an IPSec VPN T unnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 128 In this example, the Z yW ALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between Z yW ALL X ’s L AN s ub n et (192.168.1.0/24 ) and the LAN subnet behind peer IPSec router Y (172 .
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 129 7.4.2 Set Up the VPN Connection The VPN con ne ction mana ge s the IPSec SA. Y ou have to set up th e ad dr ess objects for the local network and remote net work before you can set up th e VPN connection.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 130 4 Enable the VPN connection an d na me it (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN ga teway ( VPN_GW_EXAMPLE ). Under Policy , select LAN_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 131 7.5 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator A hub-and-spok e IPSec VPN connects IP Sec VPN tunnels to form one secure network. This reduces the number of VPN connections th at you have to set up and maintain in the network.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 132 • My Address: 10.0.0.1 • P eer Gatew ay Address: 10.0.0.2 VPN Connection (VPN T unnel 1): • Local P olicy: 192.168.168.0~192.168.169.255 • Remote P olicy:1 92.168.167.0/255.255.255.0 • Disable Policy Enforce ment VPN Gateway (VPN T unnel2): • My Address: 10.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 133 • T o have al l Internet access from the spoke routers to go t hrough the VPN tunnel, set the VPN rul es in the spoke routers to use 0.0.0.0 (any) as the remote IP address. • Y our firewall rules can still block VPN packets.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 134 7.6.1 Set Up User Account s Set up one user account for each user a ccount in th e RA D IUS server . If it is possible to export user names from the RADIUS server to a text file, then y ou might create a script to creat e the user accounts instead.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 135 2 Enter the n ame of the grou p that is used i n T a ble 20 on page 133 . In this example, it is “Finance” . Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so cl ic k OK .
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 136 1 Click Configuration > Object > AAA Server > RADIUS . Double-click the radius entry . Configure the RADIUS server’ s address authentication port (1812 if you were not told otherwise), key , and click Apply .
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 137 Note: The users will have to lo g in using the W eb Configurator login screen befo re they can use HTTP or MSN.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 138 1 Click Configuration > AppPatrol . If application patrol and b andwidth management are not enabled, enable them, and click Apply . Figure 89 Configura tion > AppPatrol > General 2 Click the Common tab and double-clic k the http entry .
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 139 3 Double-click the Defau lt policy . Figure 91 Configura tion > AppPatrol > Common > http 4 Change the access to Dr op because you do n ot want any one except authoriz ed user groups to browse the web.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 140 5 Click the Add icon in the policy list. In the ne w policy , select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fiel ds.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 141 2 Give the schedule a descriptive name. Set up the d ays (Monday through Friday) and the times (8:30 - 18:00) when Sal es is allowed to use MSN. Click OK . Figure 94 Configura tion > Object > Schedule > Add (Recur ring) 3 Fol low the steps in Section 7.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 142 2 Click the Add icon again and create a rule for one of the user groups that is allowed to access the DMZ. Figure 96 Configura tion > Firewall > Add 3 Re peat this proc ess to set up firewall rules for the other user groups that are allowed to access the DMZ.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 143 1 Click Configuration > Object > AAA Server > RADIUS . Double-click the radius entry . Besides configuring the RADIUS server’ s addres.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 144 2 Now you add ext -group-user user objects t o identify groups based on the group identifier values. Set up one user account for each group of user account s in the RADIUS server . Click Configuration > Object > User/Group > User .
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 145 • Select Endpoint must have Personal Firewall installed and move the K asper sk y Internet Sec uri ty en tries to th e allowed list (you can double-click an entry to move it).
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 146 Repeat as needed to create endpoint secu rity objects for other Windows operating system versions. 7.8.2 Configure the Authentication Policy Click Configuration > Auth. Policy > Add to open the En dpoint Security Edit screen.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 147 4 T urn on authentication policy and click Apply . Figure 101 Configuration > Au th. Policy The following figure shows an error me ssage example when a user’ s computer does not meet an endpoint securi ty object’ s requirements.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 148 user access (logging into SSL VPN for example). See Chapter 50 on page 783 for more on service control. The T o-Z yWALL firewall rules apply to any ki nd of HTTP or HT TPS connection to the Z yWALL .
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 149 4 Select the new rule and click the Add icon. Figure 105 Configur ation > System > WWW (First Example Admin Service Rule Configured) 5 In the Zone field select ALL and set the Action to Deny .
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 150 6 Click Apply . Figure 107 Configuration > System > WWW (Sec ond Example Ad min Service Rule Configured) Now administr ator access to the W eb Conf igur at or can only come from the LAN zone.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 151 for ge2 IP address 10.0.0.8 t o a H.323 de vice located on the LAN and using IP address 192.168.1.56. Figure 108 W AN to LAN H.323 Peer-to-peer Calls Example 7.10.1 T urn On the ALG Click Configuration > Network > ALG .
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 152 1 Use Configuration > Object > Address > Add to create an address object for the public W AN IP address (called W AN_IP-for -H323 here). Then use it again to create an address object for the H.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 153 2 Click Configuration > Network > NAT > Add. Configure a name for the rule (W AN-LAN_H323 here). Y ou want the LAN H.323 device to receive peer-to-peer calls from the W AN and also be able to initiate calls to t he WAN so you set the Classification to NAT 1:1 .
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 154 1 Click Configuration > Firewall > Add . In the From field select W AN. In the To field select LAN. Configure a name for the rule (WAN-to-LAN_H323 here). Set the Destination to the H.323 device’ s LAN IP address object ( LAN_H323 ).
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 155 7.1 1.1 Create the Address Object s Use Configuration > Object > Address > Add to create the addr ess obje cts. 1 Create a host address object named DMZ_HT TP for the HT TP server’ s priv ate IP address of 192.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 156 • K eep Enable NAT Loopback selected to allow users connected to other interfaces to ac ce ss the HTTP server (see NA T Loopback on page 393 for details). Figure 1 16 Creating the NA T Entry 7.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 157 1 Click Configuration > Firewall > Add . Set the From field as WAN and the To field as DMZ . Set the Destination to the HT TP serv er’s DMZ IP address object ( DMZ_HTTP ). DMZ_HTTP is the destination because the Z yW ALL applies NA T to traffic before applying the firewal l rule.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 158 address 1.1.1.2 that you wi ll use on the ge3 interface and map to the IPPBX’ s privat e IP address of 192.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 159 7.12.1 T urn On the ALG Click Configuration > Network > ALG . Select Enable SIP ALG and Enable SIP Transformations and click Apply .
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 160 2 Create a host address object named IPPB X -Publi c for the public W AN IP address 1.1.1.2. Figure 121 Creating the Public IP Address Object 7.12.3 Setup a NA T Policy for the IPPBX Click Configuration > Network > NAT > Add.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 161 •C l i c k OK . Figure 122 Configu ration > Network > NA T > Add 7.12.4 Set Up a W AN to DM Z Firewall Rule for SIP The firewall blocks traffi c from the W AN zone to the DMZ zone by default so you need to create a firew all rule to allow the pu blic to send SIP traffic to the IPPBX.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 162 1 Click Configuration > Firewall > Add . Set the From field as WAN and the To field as DMZ . Set the Destination to the IPPBX’ s DMZ IP address objec t ( DMZ_SIP ). IPPBX_DMZ is the desti nation be caus e the ZyW ALL applies NA T to traffic before applying the firewal l rule.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 163 1 Click Configuration > Firewall > Add . Set the From field as DMZ and the To field as LAN . Set the Destination to the IPPBX’ s DMZ IP address object ( DMZ_SIP ). Set the Source to IPPBX_DMZ .
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 164 7.13.2 Configure the Policy Route Now you need to configure a policy r out e that has the ZyW ALL use the range of public IP addresses as the source address for W AN to LAN tr affic. Click Configuration > Netw ork > Routing > Add .
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 165 An Ethernet switch connects both Z yW ALLs’ ge1 interfaces to the LAN. Whichever Z yWALL is functioning as the master uses the default gatewa y IP address of the LAN computers (192.168.1.1) for its ge 1 interface and the static public IP address (1.
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 166 7.14.2 Configure Device HA on the Master ZyW ALL 1 Log into Z yW ALL A (the master) and click Configuration > Device HA > Active - Passive Mode . Double-click ge1 ’s e n t r y . 2 Configure 192.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 167 3 Set the Device Role to Mas ter . This example focuses on the connection from the LAN ( ge1 ) to the Internet through t he ge2 interface, so select the ge1 and ge2 interfaces and click Activate .
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 168 7.14.3 Configure the Backup ZyW ALL 1 Connect a computer to ZyW ALL B ’s ge1 interface and log into i ts W eb Configurator . Connect Z yWALL B to the Internet and su bscribe it to the same subscription services (lik e content fi ltering and anti -virus) t o which Z yW ALL A is subscribed.
Chapter 7 Tutorials ZyWALL USG 2000 User’s Guide 169 4 Set the Device Role to Backup . Activ ate monitoring for the ge1 and ge2 interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to “m ySyncP assword” .
Chapter 7 Tutorials ZyWALL USG 2000 U ser’s Guide 170 7.14.4 Deploy th e Backup ZyW ALL Connect Z yWALL B ’s ge1 interface to the LAN ne twork. Connect Z yW ALL B ’s ge2 interface to the same router that Z yW ALL A ’s ge2 interface uses for Internet access.
ZyWALL USG 2000 User’s Guide 171 C HAPTER 8 L2TP VPN Example Here is how to crea te a b asi c L2 T P V PN tunnel. 8.1 L2TP VPN Example This example uses the following setti ngs in creating a basic L 2TP VPN tunnel. Figure 135 L2TP VPN Example • The Z yW ALL has a static IP address of 172.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 172 • Configure the My Address setting. This example uses interface ge2 with static IP address 172.
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 173 8.3 Configuring the Default L2TP VPN Connection Example 1 Click Configuration > VPN > Network > IPSec VPN to open the screen that lists the VPN connections. Double-click the Default_L2TP_VPN_Connection entry .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 174 3 Select the Default_L2TP_VPN_Connection entry and click Activate and then Apply to turn on the entry .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 175 • The other fields are l eft to the defaults in this example, click Apply . Figure 140 Configu ration > VPN > L2TP VPN Example 8.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 176 2 Select Connect to a workplace and click Next . Figure 141 Set up a connection or network: Chose a connection type 3 Select Use my Internet connection (VPN) .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 177 4 Enter the domain name or W AN IP add ress configured as the My Addr ess in the VPN gateway config uration that the Z yWALL is using for L2TP VPN (172.16.1.2 in this example). For t h e Destination Name , enter L2TP to ZyWALL .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 178 6 Click Close . Figure 145 Connect to a workpla ce: The connection is ready to use 7 In the Network and Sharing Center screen, click Connect to a network . Right- click the L2TP VPN connec tion and select Properties .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 179 8 Click Security , select Advanced (custom settings) and click Settings . Figure 147 Connect L2TP to ZyW ALL: Security 9 Set Data encryption to Optional encryption (connect even if no encryption) and the Allow these protocols radio button.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 180 inside it. The L2TP tunnel i tself does no t need encryption sinc e it is inside th e encrypted IPSec VPN tunnel. Figure 149 Connect ZyW ALL L2TP: Security > Advanced > W arning 11 Click Networ king .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 181 13 Select the L2TP VPN connection and click Connect . Figure 152 L2TP to ZyW ALL Properties: Networking 14 Enter the us er name and password of your Z yW ALL user account.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 182 15 A window appears while the user name and password are verified and notifies you when the connection is establi shed.
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 183 17 After the network location has been set, click Close . Figure 156 Set Network L ocation Successful 18 After the connection is up a connecti on icon displays in your system tra y . Click it and then the L2TP connection to open a status screen.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 184 19 Click the L2TP connection’ s View status link to open a status screen. Figure 158 Network an d Sharing Center 20 Click Detail s to see the address that you received is from the L2TP range you specified on the Z yW ALL (192.
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 185 8.5.2 Configuring L2TP in Windows XP In Windows XP do the following to establi sh an L2TP VPN connection. 1 Click Start > Control Panel > Network Conne ctions > New Connection Wizard .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 186 5 Ty p e L2TP to ZyWALL as the Company Name . Figure 162 New Connection Wizard: Connection Name 6 Select Do not dial the initial connection and cl ick Next .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 187 7 Enter the domain name or W AN IP add ress configured as the My Addr ess in the VPN gateway config uration that the Z yWALL is using for L2TP VPN (172.16.1.2 in this example). Figure 164 New Connection Wizard: VPN Ser ver Selection 8 Click Finish .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 188 10 Click Security , select Advanced (custom settings) and click Settings . Figure 166 Connect L2TP to ZyW ALL: Security 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button.
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 189 12 Click IPSec Settings . Figure 168 L2TP to ZyW ALL Properties > Security 13 Select the Use pr e-shared key f or authentication check bo x and enter the pre- shared key used in the VPN gate way configur ation that the ZyW ALL is using for L2TP VPN.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 190 14 Click Networ king . Select L2TP IPSec VPN as the Ty pe of VPN . Click OK . Figure 170 L2TP to ZyW ALL Properties: Networking 15 Enter the us er name and password of your Z yW ALL account.
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 191 18 Click Detail s to see the address that you received is from the L2TP range you specified on the Z yW ALL (192.168.10.10-192.168.10.20) . Figure 173 ZyW ALL-L2TP S tatus: Det ails 19 Access a se rver or ot her n etwork resourc e b ehi nd th e Z yWALL to make sure your access works.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 192 3 Select HKEY_LOCAL_MACHINESys temCurre ntControlSetServicesRasmanP arameters . Figure 175 Regist ry Key 4 Right- click Parameters and select New > DWORD Value . Figure 176 New DWORD V alue 5 Enter ProhibitIpSec as the name.
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 193 8.5.3.2 Configure the Windows 2000 IPSec Policy After you hav e created the registry entr y and restarted the computer , use these directions to configure an IPSec policy for the computer to use.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 194 3 Click Add > IP Security Policy Management >Add > Finish . Click Close > OK . Figure 180 Add > IP Security Policy Manageme nt > Finish 4 Right- click IP Security Policies on Local Machine and click Create IP Security Policy .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 195 5 Name the IP security policy L2TP to ZyWALL , and click Next . Figure 182 IP Se curity Policy: Name 6 Clear the Activate the defa ult response rule check box and clic k Next .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 196 7 Leave the Edit Properties check b ox selected and cli ck Finish . Figure 184 IP Se curity Policy: Completing the IP Security Policy Wizard 8 In the properties dialog bo x, click Add > Next .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 197 9 Select This rule does no t specify a tunnel and click Next . Figure 186 IP Se curity Policy Properties: T unnel Endpoin t 10 Select All network connections and click Next .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 198 11 Select Use this string to protect th e key exchange (preshared key) , type password in the text box, and cli ck Next . Figure 188 IP Se curity Policy Properties: Authentication Method 12 Click Add .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 199 13 Ty p e ZyWALL WAN_IP in the Name field. Clear the Use Add Wizard check box and click Add . Figure 190 IP Se curity Policy Properties: IP Filter List > Add 14 Configure the following in the Addressing tab.
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 200 15 Configure the following in the Filter Properties window’ s Protocol tab. Set the protocol t ype to UDP from port 1701. Select To any port . Click Apply , OK, and then Close . Figure 192 Filter Properties: Pro tocol 16 Select ZyWALL WAN_IP and click Next .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 201 17 Select Require Security and click Next . Then click Finish and Close . Figure 194 IP Se curity Policy Properties: IP Filter List 18 In the Console window , right-click L2TP to ZyWALL and select Assign .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 202 1 Click Start > Settings > Network and Dial-up connections > Make New Connection . In the wizard welcome screen, click Next . Figure 196 S tart New Connection Wizard 2 Select Connect to a private network through the Internet and clic k Next .
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 203 4 Select For all users and click Next . Figure 199 New Connection Wizard: Connection Availability 5 Name the connection L2TP to ZyWALL and click Finish . Figure 200 New Connection Wizard: Naming the Connection 6 Click Proper ties .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 204 7 Click Security and select Advanced (custom settings) and click Settings . Figure 202 Connect L2TP to ZyW ALL: Security 8 Select Optional encryption allowed (connect even if no encryption) and the Allow these protocols radio button.
Chapter 8 L2TP VPN Exampl e ZyWALL USG 2000 User’s Guide 205 9 Click Networ king and select Laye r 2 Tunneling Protocol ( L2TP) from the drop-down list box. Click OK . Figure 204 Connect L2TP to ZyW ALL: Networking 10 Enter your user name and p assword and click Co nnect .
Chapter 8 L2TP VPN Example ZyWALL USG 2000 U ser’s Guide 206 12 Click Detail s and scroll down to see the addre ss that you recei v ed is from the L2TP range you specified on the Z yW ALL (192.
207 P ART II Technical Reference.
208.
ZyWALL USG 2000 User’s Guide 209 C HAPTER 9 Dashboard 9.1 Overview Use the Dashboard screens to check status information about the Z yWALL. 9.1.1 What Y ou Can Do in this Chapter Use the Dashboard screens for the following. •U s e t h e m a i n Dashboard screen (see Section 9.
Chapter 9 Das hb o ar d ZyWALL USG 2000 U ser’s Guide 210 interface status in widgets that you can re-arrange to suit y our needs. Y ou can also collapse, refresh, and close individual widgets. Figure 208 Dashboard The following table describes t he labels in this screen.
Chapter 9 D as hb oa rd ZyWALL USG 2000 User’s Guide 21 1 The following front and rear panel labels display when you hover y our cursor over a connected interface or slot. Name This field displays the name of each interface. Slot This field displays the name of each extension slot.
Chapter 9 Das hb o ar d ZyWALL USG 2000 U ser’s Guide 212 Device This identifies a device installed in one of the Z yW ALL’s extension slots, the Security Extension Module slot, or USB ports. For an installed SEM (Security Extension Module) card, this field displays what kind of SEM card is installed.
Chapter 9 D as hb oa rd ZyWALL USG 2000 User’s Guide 213 Status This field displays the current status of each interface. The possible values depend on what type of interface it is. F or Ethernet interfaces: Inactive - The Ethernet interface is disabled.
Chapter 9 Das hb o ar d ZyWALL USG 2000 U ser’s Guide 214 Action Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server . Click the Connect icon to hav e the ZyW ALL try to connect a PPP oE/PPTP interface or the auxiliary interface.
Chapter 9 D as hb oa rd ZyWALL USG 2000 User’s Guide 215 Number of Login Users This field displays the number of users currently logged in to the Z yWALL. Click the icon to pop-open a list of the users who are currently logged in to the Z yWALL. See Section 9.
Chapter 9 Das hb o ar d ZyWALL USG 2000 U ser’s Guide 216 9.2.1 The CPU Usage Screen Use this screen to look at a chart of the ZyW ALL’ s recent CPU usage.
Chapter 9 D as hb oa rd ZyWALL USG 2000 User’s Guide 217 The following table describes t he labels in this screen. 9.2.2 The Memory Usage Screen Use this screen to look at a chart of the Z yWALL’ s recent memory (RAM) usage. T o access this screen, click Memory Usage in the dashboard.
Chapter 9 Das hb o ar d ZyWALL USG 2000 U ser’s Guide 218 9.2.3 The Session Usage Screen Use this screen to look at a chart of the Z yW ALL’ s recent tr affic session usage. T o access this screen, click Session Usage in the dashboard. Figure 21 1 Dashboard > Session Usage The following table describes t he labels in this screen.
Chapter 9 D as hb oa rd ZyWALL USG 2000 User’s Guide 219 9.2.4 The VPN S t atus Screen Use this screen to look at the VPN tunnels that are currently establi shed. T o access this screen, click VPN Status in the das hboard. Figure 212 Dashboard > VPN S tatus The following table describes t he labels in this screen.
Chapter 9 Das hb o ar d ZyWALL USG 2000 U ser’s Guide 220 The following table describes t he labels in this screen. 9.2.6 The Number of Login Users Screen Use this screen to look at a list of the users current ly logged into the Z yW ALL. T o access this screen, click the dashboard’ s Number of Login Users icon.
Chapter 9 D as hb oa rd ZyWALL USG 2000 User’s Guide 221 The following table describes t he labels in this screen. T able 27 Dashboard > Number of Login Users LABEL DESCRIPTION # This field is a sequential v alue and is not associated with any entry .
Chapter 9 Das hb o ar d ZyWALL USG 2000 U ser’s Guide 222.
ZyWALL USG 2000 User’s Guide 223 C HAPTER 10 Monitor 10.1 Overview Use the Monitor screens to check stat us and st at i sti cs in formation. 10.1.1 What Y ou Can Do in this Chapter Use the Monitor screens for the foll owi ng. •U s e t h e System Status > Port Statistics screen (see Section 10.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 224 •U s e t h e VPN Monitor > L2TP over IPSec screen (see Section 10.13 on page 249 ) to display and manage the Z yWAL L ’ s connected L2TP VPN sessions. •U s e t h e Anti-X Statistics > Anti-Virus screen (see Section 10.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 225 The following table describes t he labels in this screen. T able 28 Monitor > System S t atus > Port S t atistics LABEL DESCRIPTION P oll Interval Enter how often you want this window to be updated automatically , and click Set Interval .
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 226 10.2.1 The Port S t atistics Graph Screen Use this screen to look at a line gr aph of packet statistics for each ph ysical port. T o access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button .
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 227 10.3 Interface S t atus Screen This screen lists all of the Z yWALL’ s interfaces and gives packet statistics for them. Click Monitor > System Status > Inter face Status to access this screen.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 228 Each field is desc ribed in the followi ng table. T able 30 Monitor > System S t atus > Interface S tatus LABEL DESCRIPTION Interface Status If an Ethernet interface does not hav e any physical ports associated with it, its entry is displayed in light gr ay text.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 229 HA Status This field displays the status of th e interface in the virtual router . Active - This interface is the master interface in the virtual router . Stand-By - This interface is a backup interface in the virtual router .
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 230 10.4 The T raffic S t atistics Screen Click Monitor > System Status > T r aff ic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following for example: • Most- visited W eb sites and the number of times each one w a s visited.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 231 Y ou use the Traffic Statistics screen to tel l the Z yWALL when to start and when to stop collec ting information for these reports. Y ou cannot schedule data collection; you ha ve to start and stop it manually in the Traffic Statistics sc reen.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 232 Interface Select the interface from which to collect information. Y ou can collect information from Ethernet, VLAN, bridge, PPPoE/PPTP , and auxiliary interfaces. T raffic T ype Select the type of report to display .
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 233 The following table displays the maximum number of records shown in the report, the byt e count limit, a nd the h it coun t limit. 10.5 The Session Monitor Screen The Session Mo nitor screen displays information about acti ve ses sions for debugging or statistical analysis.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 234 • Number of bytes tr ansmitted (so far) • Durati on (so far) Y ou can look at all the active sessions by user , service, source IP address, or destination IP address.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 235 User This field displays when View is set to all sessions . T ype the user whose sessions you want to view . It is not possible to type part of the user name or use wildcards in this field; you must enter the wh ole user name.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 236 10.6 The DDNS S t atus Screen The DDNS Status screen shows the status of the Z yW ALL’s DDNS d omain names.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 237 session with the Z yW ALL. Devices that ha v e never established a session with the Z yWALL do not display in the list. Figure 221 Monitor > System S tatus > IP/MAC Binding The following table describes t he labels in this screen.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 238 10.8 The Login Users Screen Use this screen to look at a list of the users current ly logged into the Z yW ALL.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 239 10.9 Cellular S t atus Screen This screen displays y our 3G connection status. click Monitor > System Status > Cellular Status to display this scre en. Figure 223 Monitor > System S tatus > Cellular S tatus The following table describes t he labels in this screen.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 240 Status No device - no 3G device is connected to the ZyW ALL. Device detected - displays when you connect a 3G device. Device error - a 3G device is connected but there is an error . Probe device fail - the Z yW ALL’ s test of the 3G device failed.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 241 10.10 Application Patrol S t atistics This screen displays a bandwi dth usage graph and stati stics for selected protocols. Click Monitor > AppPatrol Statistics to open the following screen. 10.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 242 10.10.2 Application Patrol S t atistics: Bandwid th St atistics The middle of the Monitor > AppPatrol S t atistics screen displays a bandwidth usage line gr aph for th e selected protocols.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 243 10.10.3 Application Patrol St atistics: Protocol St atistics The bottom of the Monitor > AppPatrol Statistics screen displays statistics f or each of the selected protocols.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 244 10.10.4 Application Patrol S t atistics: Individual Protocol S t atistics by Rule The bottom of the Monitor > AppPatrol Statistics screen displays statistics f or each of the selected protocols.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 245 The following table describes t he labels in this screen. 10.1 1 The IPSec Monitor Screen Y ou can use the IPSec Monitor screen to display and to manage acti ve IPSec SAs. T o access this screen, clic k Monitor > VPN Monitor > IPSec .
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 246 screen appears. Click a column’ s heading cell to sort the table entries by that column’s criteria. Click the headin g cell aga in to re verse the so rt order . Figure 228 Monitor > VPN Monitor > IPSec Each field is desc ribed in the followi ng table.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 247 10.1 1.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single char acte r in the VPN connecti on or policy name vary . F or example, use “a?c” (without the quotation marks) to specify abc, acc and so on.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 248 10.12 The SSL Connection Monitor Screen The Z yW ALL keeps tr ack of the users who are currentl y logged into the VPN SSL client portal. Click Monitor > VPN Monitor > SSL to display the user list.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 249 10.13 L2TP over IPSec Session Monitor Screen Click Monit or > VPN Monitor > L2TP over IPSec to open the following screen. Use this screen to disp lay and mana ge the Z yW ALL’ s connected L2TP VPN sessions.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 250 10.14 The Anti-V irus S t atistics Screen Click Monitor > Anti-X Statistics > Anti-Virus to displa y the following screen.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 251 The statistics displa y as follows when y ou display the top entri es by source. Figure 232 Monitor > Anti-X S tatistics > Anti-V irus: Source IP The statistics displa y as follows when y ou display the top entri es by destination.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 252 10.15 The IDP S t atistics Screen Click Monitor > Anti-X Statistics > IDP to display the followi ng screen.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 253 The statistics displa y as follows when y ou display the top entri es by source. Figure 235 Monitor > Anti-X S tatistics > IDP: Source The statistics displa y as follows when y ou display the top entri es by destination.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 254 10.16 The Content Filter S t atistics Screen Click Monitor > Anti-X Statistics > Content Filter to displa y the foll owing screen.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 255 10.17 Content Filter Cache Screen Click Monitor > Anti-X Statistics > Content Filter > Cache to display the Content Filter Cache screen. Use this screen to view and configure your Z yWALL ’s URL caching.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 256 Y ou can remove individual entries from the cache. When y ou do this, the Z yW ALL queries the external content filtering da tabase the next time someone tries to access that web site. This allows you to check whether a web site’ s category has been changed.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 257 Category This field shows whether access to the web site’s URL w as blocked or allowed. Click the column heading to sort the entries. P oint the triangle up to display the blocked URLs before the URLs to which access w as allowed.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 258 10.18 The Anti-S p am S t atistics Screen Click Monitor > Anti-X Statistics > Anti-Spam to disp lay the following screen. This screen displays sp am statistics. Figure 239 Monitor > Anti-X S tatistics > Anti-S pam The following table describes t he labels in this screen.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 259 Spam Mails This is the number of e-mails that the Z yW ALL has determined to be spam. Spam Mails Detected by Black List This is the number of e-mails that matched an entry in the Z yW ALL’ s anti- spam black list.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 260 10.19 The Anti-S p am St atus Screen Click Monitor > Anti-X Statistics > Anti-Spam > Status to display the Anti- Spam Status scre en. Use the Anti-Spam Status screen to see how many e-mail sessions the anti- spam feature is scanning an d statisti cs for the DNSBLs.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 261 10.20 Log Screen Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regu lar log, you can look at all the log messages by selecting All Logs , or you can select a specific category of log messages (for example, firewall or user).
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 262 The following table describes t he labels in this screen. T able 50 Monitor > Log LABEL DESCRIPTION Show Filter / Hide Filter Click this button to show or hide the filter settings.
Chapter 10 Monitor ZyWALL USG 2000 User’s Guide 263 The W eb Configur ator sav es the f ilter settings if you leave the View Log screen and return to it later . Priority This field displays the priority of the log message. It has the same range of values as the Priority field above.
Chapter 10 M o nito r ZyWALL USG 2000 U ser’s Guide 264.
ZyWALL USG 2000 User’s Guide 265 C HAPTER 11 Registration 1 1.1 Overview Use the Configura tion > Licensing > Registratio n screens to register y our Z yWALL and manage its service subscript ions. 1 1.1.1 What Y ou Can Do in this Chapter •U s e t h e Registration screen (see Section 11.
Chapter 11 Re g istr at ion ZyWALL USG 2000 U ser’s Guide 266 Subscription Services A vailable on the ZyW ALL Y ou can have the ZyW ALL use anti- virus, IDP/AppP atrol (Intrusi on Detection and Prevention and application patrol ), and cont ent filtering subscripti on services.
Chapter 11 Registration ZyWALL USG 2000 User’s Guide 267 1 1.2 The Registration Screen Use this screen to regi ster your Z y W ALL with m yZ yXEL.com and activ ate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to op en the screen as shown next.
Chapter 11 Re g istr at ion ZyWALL USG 2000 U ser’s Guide 268 Confirm Password Enter the password again for confirmation. E-Mail Address Enter your e-mail address. Y ou can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Chapter 11 Registration ZyWALL USG 2000 User’s Guide 269 Note: If the ZyW ALL is registe red already , this screen is read-only and indicates whether trial services are activated (if any). Y ou can still select th e unchecked trial service(s) to activate it after registra tion.
Chapter 11 Re g istr at ion ZyWALL USG 2000 U ser’s Guide 270 The following table describes t he labels in this screen. T able 52 Configuration > Licensing > Registration > Service LABEL DESCRIPTION License Status # This is the entry’ s position in the list.
ZyWALL USG 2000 User’s Guide 271 C HAPTER 12 Signature Update 12.1 Overview This chapter shows you how t o update the Z yWALL’ s signature packages. 12.1.1 What Y ou Can Do in this Chapter •U s e t h e Configuration > Licensing > Update > Anti-virus screen ( Section 12.
Chapter 12 Signature Update ZyWALL USG 2000 U ser’s Guide 272 12.2 The Antivirus Up date Screen Click Configuration > Licensing > Update > Anti-Virus to display th e following screen. Figure 245 Configu ration > Licensing > Update >Anti-V irus The following table describes t he labels in this screen.
Chapter 12 Signature Update ZyWALL USG 2000 User’s Guide 273 12.3 The IDP/AppPatrol Up date Screen Click Configuration > Licensing > Update > IDP/AppPatrol to displa y the following screen. The Z yWALL comes with signatures for th e IDP and application patrol features.
Chapter 12 Signature Update ZyWALL USG 2000 U ser’s Guide 274 signatures from my Z yXEL.com (see the Registration screens). Use th e Update IDP /AppPatrol screen to sched ul e or immediat ely download IDP signatures . Figure 246 Configu ration > Licensing > Update > IDP/AppPatrol The following table describes t he fields in this screen.
Chapter 12 Signature Update ZyWALL USG 2000 User’s Guide 275 12.4 The System Protect Up date Screen Click Configuration > Licensing > Update > System Protect to display the following screen. Use this screen to schedule or imme diately download system-protection signatures.
Chapter 12 Signature Update ZyWALL USG 2000 U ser’s Guide 276 The following table describes t he fields in this screen. T able 54 Configuration > Licensing > Update > System Protect LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the Z yWALL is using.
ZyWALL USG 2000 User’s Guide 277 C HAPTER 13 Interfaces 13.1 Interface Overview Use the Interface screens to configure the Z yWALL ’ s interfaces. Y ou can also create interfaces on top of other interfaces. • Ports are the physi cal ports to which you connec t cables.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 278 13.1.2 What Y ou Need to Know Interface Characteristics Interfaces generally have the followi ng characteristics (although not all characteristics apply to each type of interface). • An interface is a logical entit y through which (layer -3) packets pass.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 279 characteristics. These characteristics are listed in the following table and discussed in more det ail below. * - The format of interface names other than the Et hernet and pp p interface names is strict.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 280 * - Y ou cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 281 13.2.1 Port Grouping Overview Use port grouping to create port group s and to assign physical ports and port groups to Ethernet interfaces . Each physical port is assigned to one Et hernet interface.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 282 Each section in this screen is described below . 13.3 Ethernet Summary Screen This screen lists ev ery Ethernet interface and virtual interface created on top of Ethernet interfaces. T o access this screen, click Configuration > Network > Interface .
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 283 Figure 249 Configu ration > Network > Interface > Ethernet Each field is desc ribed in the followi ng table.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 284 13.3.1 Ethernet Edit The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP set ti ngs, OSPF settings, DHCP settings, connectivit y check, and MAC address settings.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 285 Figure 250 Configuration > Network > Interface > Ethernet > Edit.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 286 This screen’ s fields are desc ribed in the table below . T able 59 Configuration > Network > Interface > Ethernet > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 287 Use Fixed IP Address This option appears when Interface Properties is Ex ternal or General . Select this if you want to specify the IP address, subnet mask, and gatewa y manually . IP Address Enter the IP address for this interface.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 288 Check P eriod Enter the number of seconds between connection check attempts. Check Timeout Enter the number of second s to wait for a response before the attempt is a failure.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 289 P ool Size Enter the number of IP addresse s to allocate. This number must be at least one and is limited by the interface’s Subnet Mask . For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Addr ess is 10.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 290 IP Address Enter the IP address to assign to a device with this entry’ s MAC address. MAC Address Enter the MAC address to which to assign this entry’ s IP address. Description Enter a description to help identify this static DHCP entry .
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 291 13.3.2 Object References When a configur ation screen includes an Object References icon, select a configur ation object and click Object Referenc es to open the Object References screen. Th is s cre en displays which c o nf ig u ration settings refere nc e the selected object.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 292 Figure 251 Object References The following table describes l abels that can appear in this screen. 13.4 PPP Interfaces Use PPPoE/PPT P interfaces to connect to your ISP . This way , you do not have to install or manage PPP oE/PPTP software on each computer in the network.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 293 Figure 252 Example: PPPoE/PP TP Interfaces PPP oE/PPTP interfaces are similar to other interfaces in som e ways. They hav e an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and pack et size; and they can verify the gatew ay is av ailable.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 294 Figure 253 Configuration > Network > Interface > PPP Each field is desc ribed in the table belo w .
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 295 13.4.2 PPP Interface Add or Edit Note: Y ou have to set up an ISP account bef ore you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. T o access this screen, click the Add icon or an Edit icon in the PPP Interface screen.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 296 Figure 254 Configuration > Network > Interface > PPP > Add Each field is explained in the following table.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 297 Enable Interface Select this to enable this interface. Clear this to disable this interface. Interface Properties Interface Name Specify a name for the interface. It can use alphanumeric char acters, hyphens, and underscores, and it can be up to 11 characters long.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 298 Interface Pa ra m e t er s Egress Bandwidth Enter the maximum amount of tr affi c, in kilobits per second, the Z yWALL can send through the inte rface to the network. Allowed values are 0 - 1048576.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 299 13.5 Cellular Configuration Screen (3G) 3G (Third Generation) i s a digital, pack et -switched wireless te chnology . Bandwidth usage is optimized as mult iple users sh are the same channel and bandwidth is only allocated to users when they send da ta.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 300 If the signal strength of a 3G network is too low , the 3G card may switch t o an av ailable 2.5G or 2.75G network. See the following tab le for a comparison between 2G, 2.5G, 2.75G and 3G of wireless technologies.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 301 Figure 255 Configuration > Network > Interface > Cellular The following table describes t he labels in this screen. 13.5.1 Cellular Add/Edit Screen T o change your 3G settings, click Configuration > Network > Interface > Cellular > Add (or Edit ).
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 302 Figure 256 Configur ation > Network > Interface > Cellular > Add.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 303 The following table describes t he labels in this screen. T able 65 Configuration > Network > Interface > Cellular > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configur ation fields.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 304 Dial String Enter the dial string if your ISP pro vides a string, which would include the APN, to initialize the 3G card. Y ou can enter up to 63 ASCII printable characters. Spaces are allowed.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 305 Egress Bandwidth Enter the maximum amount of tr affic, in kilobits per second, the Z yWALL can send through the interface to the n etwork. Allowed values are 0 - 1048576. This setting is used in W AN load balancing and bandwidth management.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 306 Get Automatically Select this option If your ISP did not assign you a fixed IP address. This is the default selection. Use Fixed IP Address Select this option If the ISP assigned a fixed IP address.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 307 Data Budget Select this and specify how much downstream and/or upstream data (in Mega bytes) can be transmitted via the 3G conn ection within one month. Select Download to set a limit on the downstream traffic (from the ISP to the Z yWALL).
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 308 13.6 VLAN Interfaces A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q. Figure 257 Example: Before VLAN In this examp le, there are two phy s ical networks and three departments A , B , and C .
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 309 Each VLAN is a separate network wit h se par ate IP addresses, subnet masks, and gateways . Each VLAN also has a unique iden tification number (ID). The ID is a 12- bit v alue that is stored in the MAC head er .
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 310 They restrict bandwidth and pack et size . They can provide DHCP services, and they can verify th e ga teway is available. 13.6.1 VLAN Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 31 1 13.6.2 VLAN Add/Edit This screen lets you configure IP ad dress assignment, interface bandwidth parameters, DHCP setti ngs , and connectivit y check for each VLAN interface.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 312 Figure 260 Configur ation > Network > Interface > VLAN > Edit.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 313 Each field is explained in the following table. T able 67 Configuration > Network > Interface > VLAN > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 314 Metric Enter the priority of the gateway (if any) on this interface. The Z yWALL decides which gatewa y to use based on this priority . The lower the number , the higher the priority . If two or more gateways have the same priority , the ZyW ALL uses the one that was configured first.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 315 DHCP Select what t ype of DHCP service the Z yWALL pro vides to the network. Choices are: None - the ZyW ALL does not provide any DHCP services. There is already a DHCP serv er on the network. DHCP Relay - the Z yWALL ro utes DHCP requests to one or m ore DHCP servers you specify .
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 316 Lease time Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are: infinite - select this if IP addresses never expire days, hours, and minutes - select this to enter how long IP addresses are valid.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 317 OSPF Setting See Section 16.3 on page 365 for more information about OSPF . Area Select the area in which this interface belongs.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 318 13.7 Bridge Interfaces This section introduces brid ges and bri dge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 319 If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 i n the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the pack et to port 2 accordingly .
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 320 13.7.1 Bridge Summary This screen lists every bridge interface and vi rtual interface created on top of bridge interfaces. T o access t his screen, click Configuration > Network > Interface > Bridge .
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 321 13.7.2 Bridge Add/Edit This screen lets you configure IP ad dress assignment, interface bandwidth parameters, DHCP setti ngs , and connectivit y check for each bridge interface.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 322 Figure 262 Configur ation > Network > Interface > Bridge > Add.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 323 Each field is desc ribed in the table belo w . T able 72 Configuration > Network > Interface > Bridge > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 324 Gateway This field is enabled if you select Use Fixed IP Address . Enter the IP address of the gateway . The Z yWALL sends packets to the gatewa y when it does not know how to route the packet to its destination.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 325 IP P ool Start Address Enter the IP address from which the ZyW ALL begins allocating IP addresses. If you want to assign a static IP address to a specific computer , click Add Static DHCP . If this field is blank, the Pool Size must also be blank.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 326 Add Click this to create a new entry . Edit Select an entry and click this to be able to modify it. R emo v e Select an entry and click this to delete it. # This field is a sequential value, and it is not associated with a specific entry .
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 327 13.8 Auxiliary Interface This section introduces the auxil iary interf ace and then explains the screen for it. 13.8.1 Auxiliary Interface Overview Use the auxiliary interface to dial ou t from the Z yW ALL’ s auxiliary port.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 328 Figure 263 Configuration > Network > Interface > Auxiliary Each field is desc ribed in the table belo w .
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 329 13.9 V irtual Interfaces Use virtual interfaces to tell th e Z yW ALL where to route pack ets. Virtual in terfaces can also be used in VPN gatewa ys (see Chapter 25 on page 441 ) and VRRP groups (see Chapter 39 on page 667 ).
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 330 cannot change the MTU. The vi rtual in terface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not veri fy that the gatew ay is a vailable.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 331 13.10 Interface T echnical Reference Here is more detailed information about interfaces on the Z yW ALL. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routi ng table.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 332 For example, if the Z yW ALL gets a pa cket with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the Z yW ALL gets a pack et with a destination address of 200.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 333 • Egress bandwidth sets the amount of traffic the Z yWALL s ends out through the interface to the network. • Ingress bandwidth sets the amount of tr affic the Z yW ALL allows in throug h the interface from the network.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 334 • IP address - If the DHCP client’s MAC address is in the ZyW ALL’ s static DHCP table, the interface assig ns the corresponding IP address. If not, the interface assigns IP addresses from a pool, define d by the starting address of the pool and the pool size.
Chapter 13 Interfaces ZyWALL USG 2000 User’s Guide 335 PPPoE/PPTP Overview P o int -to-P oint Protocol over Ethernet (PPP oE, RFC 2516) and P oint -to-Point T unneling Protocol (PPTP , RFC 2637) are usually us ed to connect two computers over phone lines or broadband connectio ns.
Chapter 13 In te r fac es ZyWALL USG 2000 U ser’s Guide 336.
ZyWALL USG 2000 User’s Guide 337 C HAPTER 14 Trunks 14.1 Overview Use trunks for W AN tr affic load balancing to increase ov erall network throughput and reliability . Load balancing divides tr affic loads between multipl e interfaces. This allows y ou to improve quality of service and maximiz e bandwidth utilization for multiple ISP links.
Chapter 14 T run k s ZyWALL USG 2000 U ser’s Guide 338 14.1.2 What Y ou Need to Know • Add WAN interfaces to trunks to have multiple connections share the traffi c load. • If one W AN interface’ s connection goes down, the Z yW ALL sends traffic through another member of the trunk.
Chapter 14 Trunks ZyWALL USG 2000 User’s Guide 339 2 The Z yWALL is using activ e/active load balanci ng. So when LAN user A tries to access something on the server , the request goes out through ge3. 3 The server finds that the request comes from ge3’ s IP address instead of ge2’ s IP address and rejects the request.
Chapter 14 T run k s ZyWALL USG 2000 U ser’s Guide 340 Since W AN 2 has a smaller load balancing index (meaning that it is less utiliz ed than WAN 1), the Zy WALL will send the subsequent new session tr affic through WAN 2 .
Chapter 14 Trunks ZyWALL USG 2000 User’s Guide 341 interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoi d overloading the interface. In this example figure, the upper threshol d of the first int erface is set to 800K.
Chapter 14 T run k s ZyWALL USG 2000 U ser’s Guide 342 14.2 The T runk Summary Screen Click Configuration > Netw ork > Interface > Trun k to open the Trunk screen. This screen lists th e configured trunks and the load balancing al gorithm that each is configur ed to use.
Chapter 14 Trunks ZyWALL USG 2000 User’s Guide 343 14.3 Configuring a T runk Click Configuration > Netw ork > Interface > Trun k and then the Add (or Edit ) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry .
Chapter 14 T run k s ZyWALL USG 2000 U ser’s Guide 344 Each field is desc ribed in the table belo w . T able 80 Configuration > Network > Interface > T runk > Add (or Edit) LABEL DESCRIPTION Name This is read-only if you are editin g an existing trunk.
Chapter 14 Trunks ZyWALL USG 2000 User’s Guide 345 14.4 T runk T echnical Reference Round Robin Load Balancing Algorithm Ro und R obin scheduli ng services qu eues on a rotating basis and i s activated only when an interface has more traffic than i t can handle.
Chapter 14 T run k s ZyWALL USG 2000 U ser’s Guide 346.
ZyWALL USG 2000 User’s Guide 347 C HAPTER 15 Policy and Static Routes 15.1 Policy and S t atic Routes Overview Use policy routes and static rout es to ov erride the Z yW ALL’ s default routing behavior in order to send packets throug h the appropriate interface or VPN tunnel.
Chapter 15 Policy an d Static Routes ZyWALL USG 2000 U ser’s Guide 348 •U s e t h e Static Route screens (see Section 15.3 on page 357 ) to list and configure static routes .
Chapter 15 Policy and Sta tic Routes ZyWALL USG 2000 User’s Guide 349 Policy Routes V ersus St atic Routes • Policy routes are more flexible tha n static routes. Y ou can select m o re cr i ter ia for the tr affic to match and can also use schedules , NA T , and bandwidth management.
Chapter 15 Policy an d Static Routes ZyWALL USG 2000 U ser’s Guide 350 Finding Out More • See Section 6.5.6 on page 105 for related information on the policy route screens. • See Section 7. 13 on page 163 for an example of creating a policy route for using multiple static public W AN IP addresses for LAN t o WAN tr affic.
Chapter 15 Policy and Sta tic Routes ZyWALL USG 2000 User’s Guide 351 The following table describes t he labels in this screen. T able 81 Configuration > Network > Routing > Policy Route LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configur ation fields.
Chapter 15 Policy an d Static Routes ZyWALL USG 2000 U ser’s Guide 352 DSCP Code This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP v alues or no DSCP marker . default means traffic with a DSCP value of 0.
Chapter 15 Policy and Sta tic Routes ZyWALL USG 2000 User’s Guide 353 15.2.1 Policy Route Edit Screen Click Configuration > Netw ork > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen.
Chapter 15 Policy an d Static Routes ZyWALL USG 2000 U ser’s Guide 354 Incoming Select where the pack ets are coming from; any , an interface, a tunnel, an SSL VPN, or the Z yW ALL itself . For an interface, a tunnel, or an SSL VPN, you also need to select the indi vidual interface, VPN tunnel, or SSL VPN connection.
Chapter 15 Policy and Sta tic Routes ZyWALL USG 2000 User’s Guide 355 VPN T unnel This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the ZyW ALL directly .
Chapter 15 Policy an d Static Routes ZyWALL USG 2000 U ser’s Guide 356 Source Network Address T ranslation Select none to not use NA T for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that matches this route.
Chapter 15 Policy and Sta tic Routes ZyWALL USG 2000 User’s Guide 357 15.3 IP S t atic Route Screen Click Configuration > Network > Routing > Static Route to open the Static Route screen.
Chapter 15 Policy an d Static Routes ZyWALL USG 2000 U ser’s Guide 358 The following table describes t he labels in this screen. 15.3.1 S t atic Route Add/Edit Screen Select a static route index number and click Add or Edit . The screen shown next appears.
Chapter 15 Policy and Sta tic Routes ZyWALL USG 2000 User’s Guide 359 15.4 Policy Routing T echnical Reference Here is more detailed information about some of the features you can configure in policy routing.
Chapter 15 Policy an d Static Routes ZyWALL USG 2000 U ser’s Guide 360 following twelve DSCP encodi ngs from AF11 through AF43. The decimal equiv alent is listed in br ackets. Port T riggering Some services use a dedicated r ange of ports on the client side and a dedicated rang e of ports on the server side.
Chapter 15 Policy and Sta tic Routes ZyWALL USG 2000 User’s Guide 361 3 Computer A and game server 1 are connected to ea ch ot her until the connection is closed or times out.
Chapter 15 Policy an d Static Routes ZyWALL USG 2000 U ser’s Guide 362.
ZyWALL USG 2000 User’s Guide 363 C HAPTER 16 Routing Protocols 16.1 Routing Protocols Overview Routing protocols give the Z yWALL rout ing information about the network from other routers. The Z yWALL stores this rout ing information in the routing table it uses to make rout in g decision s.
Chapter 16 Routing Protocols ZyWALL USG 2000 U ser’s Guide 364 16.2 The RIP Screen RIP (R outing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other rout ers. RIP is a vector -space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest.
Chapter 16 Routing Protocols ZyWALL USG 2000 User’s Guide 365 The following table describes t he labels in this screen. 16.3 The OSPF Screen OSPF (Open Shortest P ath First, RFC 2328) is a link -sta.
Chapter 16 Routing Protocols ZyWALL USG 2000 U ser’s Guide 366 System (AS). OSPF offers some adv antag es over v ector-space routing protocols like RIP . • OSPF supports variable-lengt h subnet masks, which can be set up to use av ailable IP addresses more efficiently .
Chapter 16 Routing Protocols ZyWALL USG 2000 User’s Guide 367 Each type of area is illust rated in the following figure. Figure 279 OSPF: T ypes of Areas Thi s OSP F AS con sis ts o f fo ur a rea s, a rea s 0- 3. A rea 0 is always the ba ckbo ne. In this example, areas 1, 2, and 3 are all conn ected to it.
Chapter 16 Routing Protocols ZyWALL USG 2000 U ser’s Guide 368 • An Autonomous System Bounda ry Router (ASBR) exchanges routing information with routers in network s outside th e OSPF AS. This is called redistribution in OSPF . • A backbone router (BR) has at least one interface with area 0.
Chapter 16 Routing Protocols ZyWALL USG 2000 User’s Guide 369 to logically connect the area to t he backbo ne. This is illustr ated in the foll owing example. Figure 281 OSPF: V irtual Link In this example, area 100 does not hav e a direct connection to the backbone.
Chapter 16 Routing Protocols ZyWALL USG 2000 U ser’s Guide 370 Click Configuration > Network > Routing > OSPF to open the following screen. Figure 282 Configuration > Ne twork > Routin g > OSPF The following table describes the labels in this screen.
Chapter 16 Routing Protocols ZyWALL USG 2000 User’s Guide 371 T ype Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2 . Type 1 - cost = OSPF AS cost + external cost ( Metric ) Type 2 - cost = external cost ( Metric ); th e OSPF A S cost i s ignore d.
Chapter 16 Routing Protocols ZyWALL USG 2000 U ser’s Guide 372 16.3.2 OSPF Area Add/Edit Screen The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. T o access this scr een, go to the OSPF summary screen (see Section 16.
Chapter 16 Routing Protocols ZyWALL USG 2000 User’s Guide 373 16.3.3 V irtual Link Add/Edit Screen The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OS PF add or edit screen (see Section 16.3.
Chapter 16 Routing Protocols ZyWALL USG 2000 U ser’s Guide 374 372 ) has the T ype set to Normal, a Virtual L ink table displays. Click either the Ad d icon or an entry and the Edit icon to di splay a screen lik e the following.
Chapter 16 Routing Protocols ZyWALL USG 2000 User’s Guide 375 Authentication T ypes Authentication is used to guar antee the in tegrity , but not the confidentiality , of routing updates.
Chapter 16 Routing Protocols ZyWALL USG 2000 U ser’s Guide 376.
ZyWALL USG 2000 User’s Guide 377 C HAPTER 17 Zones 17.1 Zones Overview Set up zones to configure network securit y and network policies in the Z yW ALL.
Chapter 17 Z o ne s ZyWALL USG 2000 U ser’s Guide 378 17.1.2 What Y ou Need to Know Effect s of Zones on Different T ypes of T raffic Z ones effectiv ely divide tr affic into three ty pes--intr a-z one traffic , inter- zone traffic, and extr a-zone tr affic--which are affected differen tly by zone-based security and policy settings.
Chapter 17 Zones ZyWALL USG 2000 User’s Guide 379 17.2 The Zone Screen The Zone screen provides a summary of all zones. In addition, this screen allows you to add, ed it, and remo v e zones. T o acces s this screen, c lick Conf iguration > Network > Zone .
Chapter 17 Z o ne s ZyWALL USG 2000 U ser’s Guide 380 17.3 Zone Edit The Zone Edit screen allows you to add or edit a z one. T o access this screen, go to the Zone screen (see Section 17.2 on page 379 ), and click the Add icon o r an Edit icon. Figure 287 Network > Zo ne > Add The following table describes t he labels in this screen.
ZyWALL USG 2000 User’s Guide 381 C HAPTER 18 DDNS 18.1 DDNS Overview Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address. 18.1.1 What Y ou Can Do in this Chapter •U s e t h e DDNS screen (see Section 18.2 on page 382 ) to view a list o f the configured DDNS domain names and their details.
Chapter 18 DDNS ZyWALL USG 2000 U ser’s Guide 382 Note: Record your DDNS account’s user name, p assword, and domain name to use to configure the ZyW ALL. After , you configur e th e Z yW ALL, it aut o matically sends updated IP addresses to the DDNS service provider , which help s redirect traffic accordingly .
Chapter 18 DDNS ZyWALL USG 2000 User’s Guide 383 Primary Interface/IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the Z yWALL determines the IP address for the domain name. from interface - The IP address comes from the specified interface.
Chapter 18 DDNS ZyWALL USG 2000 U ser’s Guide 384 18.2.1 The Dynamic DNS Add/Edit Screen The DDNS Add/Edit screen allows you to add a domain name to the ZyW ALL or to edit the configuration of an existing domain name. Click Configuratio n > Network > DDNS and then an Add or Edit icon to open this screen.
Chapter 18 DDNS ZyWALL USG 2000 User’s Guide 385 Username T ype the user name used when you registered your domain name. Y ou can use up to 31 alphanumeric characters and the u nderscore.
Chapter 18 DDNS ZyWALL USG 2000 U ser’s Guide 386 IP Address The options av ailable in this field vary by DDNS provider . Interface - The Z yW ALL uses the IP address of the specified interface. This option appears when y ou sele ct a specific interface in the Backup Binding Address Interface field.
ZyWALL USG 2000 User’s Guide 387 C HAPTER 19 NAT 19.1 NA T Overview NA T (Network Address T ranslation - NA T , RFC 1631) is the tr anslation of the IP address of a host in a packet. For exampl e, the source address of an out going packet, used within one network is change d to a different IP address known within another network.
Chapter 19 NA T ZyWALL USG 2000 U ser’s Guide 388 19.1.2 What Y ou Need to Know NA T is also known as virtual server , port forwarding, or port tr anslation. Finding Out More • See Section 6.5.10 on page 107 for related information on the se screens.
Chapter 19 NAT ZyWALL USG 2000 User’s Guide 389 Rem o v e T o remove an entry , select it and click Remove . The Z yWALL confirms you w ant to remove it before doing so. Activate T o turn on an entry , select it and click Activate . Inactivate T o turn off an entry , select it and click Inactivate .
Chapter 19 NA T ZyWALL USG 2000 U ser’s Guide 390 19.2.1 The NA T Add/Edit Screen The NAT Add/Edit screen lets you create new NA T rules and edit existing ones. T o open this window , open the NAT summary screen. (See Section 19.2 on page 388 .) Then, click on an Add icon or Edit icon to open the following screen.
Chapter 19 NAT ZyWALL USG 2000 User’s Guide 391 Classification Select what kind of NA T this rule is to perf orm. Virtual Server - This mak es computer s on a priv ate netw ork behind the Z yWALL a vailable to a public network outside the ZyW ALL (like the Internet).
Chapter 19 NA T ZyWALL USG 2000 U ser’s Guide 392 Mapped IP Subnet/Range This field displays for Many 1:1 NAT . Select to which translated destination IP address subnet or IP address range this NA T rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses.
Chapter 19 NAT ZyWALL USG 2000 User’s Guide 393 19.3 NA T T echnical Reference Here is more detailed information about NA T on the Z yWALL. NA T Loopback Suppose a NA T 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to g ive W AN users access.
Chapter 19 NA T ZyWALL USG 2000 U ser’s Guide 394 For examp le, a LAN user’ s computer at IP address 192.168.1. 89 queries a public DNS server to resolve the SMTP server ’ s domain name (xxx.LAN-SMTP .com in this example) and gets the SMTP serv er’s mapped public IP address of 1.
Chapter 19 NAT ZyWALL USG 2000 User’s Guide 395 SMTP server replied directly to the LAN us er without the tr affic going through NA T , the source would not match the original destination address whi ch would cause the LAN user’s comput er to shut down the session.
Chapter 19 NA T ZyWALL USG 2000 U ser’s Guide 396.
ZyWALL USG 2000 User’s Guide 397 C HAPTER 20 HTTP Redirect 20.1 Overview HT TP redirect forw ards the client’ s HT TP request (ex cept HT TP traffic destined for the Z yWALL) to a web pro xy server . In the following example, proxy server A is connected to the DMZ interface.
Chapter 20 HTT P Red ire ct ZyWALL USG 2000 U ser’s Guide 398 20.1.2 What Y ou Need to Know Web Proxy Server A proxy serv er helps client devices make in direct requests to access the Internet or outside network resources/services.
Chapter 20 HTTP Redirect ZyWALL USG 2000 User’s Guide 399 • a application patrol rule to allow HT TP traf fic between ge4 and ge2 . • a policy route to forw ard HT TP traffi c from proxy serv er A to the Internet. Finding Out More See Section 6.
Chapter 20 HTT P Red ire ct ZyWALL USG 2000 U ser’s Guide 400 20.2.1 The HTTP Redirect Edit Screen Click Networ k > HTTP Redi rect to open the HTTP Redirect screen. Then click the Add or Edit icon to open the HTTP Redirect Edit screen where you can configure the rule.
ZyWALL USG 2000 User’s Guide 401 C HAPTER 21 ALG 21.1 ALG Overview Application Laye r Gateway (ALG) al lows the following applications to oper ate properly through the Z yWALL’ s NA T . • SIP - Session Initiation Protocol (SIP) - An application-la yer protocol that can be used to create voice and multimedia sessions over Internet.
Chapter 21 ALG ZyWALL USG 2000 U ser’s Guide 402 21.1.2 What Y ou Need to Know Application Layer Gateway (ALG), NA T an d Firewall The Z yWALL can function as an Applicat ion Layer Gatew ay (ALG) to all ow certain NA T un-friendly applications (such as SIP) to operate properly through the Z yWALL ’s NA T and firewall.
Chapter 21 ALG ZyWALL USG 2000 User’s Guide 403 • There should be only one SIP serv er (t otal) on the ZyW ALL’ s private networks. Any other SIP servers must be on the WAN. So for example y ou could hav e a Back -to-Back User Ag ent such as the IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN bu t no t on both.
Chapter 21 ALG ZyWALL USG 2000 U ser’s Guide 404 can receive incoming calls from t he Internet, LAN IP addresses B and C can still make calls out to t he Internet.
Chapter 21 ALG ZyWALL USG 2000 User’s Guide 405 • See Section 21.3 on page 407 for ALG background/technical information. 21.1.3 Before Y ou Begin Y ou must also configure the firewall and enabl e NA T in the ZyW ALL to allow sessions initiated from the W AN.
Chapter 21 ALG ZyWALL USG 2000 U ser’s Guide 406 The following table describes t he labels in this screen. T able 101 Configuration > Network > ALG LABEL DESCRIPTION Enable SI P ALG T urn on the SIP ALG to detect SIP traffic and help build SIP sessions through the Z yW ALL’ s NA T .
Chapter 21 ALG ZyWALL USG 2000 User’s Guide 407 21.3 ALG T echnical Reference Here is more detailed information about t he Application Layer Gatew ay . ALG Some applications cannot operate through NA T (a re NA T un-friendly) because they embed IP addres ses and port number s in their packets’ data payload.
Chapter 21 ALG ZyWALL USG 2000 U ser’s Guide 408 connections to the second (passive) int erf ace when the acti ve interface’ s connection goes down.
ZyWALL USG 2000 User’s Guide 409 C HAPTER 22 IP/MAC Binding 22.1 IP/MAC Binding Overview IP address to MAC address binding helps en sure that only the i ntended devices get to use privileg ed IP addresses. The Z yWALL uses DHCP to assign IP addresses and records to MAC address it assigned each IP address.
Chapter 22 IP/MAC Binding ZyWALL USG 2000 U ser’s Guide 410 22.1.2 What Y ou Need to Know DHCP IP/MAC address bindings are based on the Z yW ALL’ s dynamic and stati c DHCP entries. Interfaces Used With IP/MAC Binding IP/MAC address bindings are grouped by interface.
Chapter 22 IP/MAC Binding ZyWALL USG 2000 User’s Guide 41 1 The following table describes t he labels in this screen. 22.2.1 IP/MAC Binding Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/ MAC Binding Edit screen. Use this screen to configure an interface’ s IP to MAC address binding settings.
Chapter 22 IP/MAC Binding ZyWALL USG 2000 U ser’s Guide 412 The following table describes t he labels in this screen. 22.2.2 S t atic DHCP Edit Click Configuration > Network > IP/MAC Binding > Edit to open the IP/ MAC Binding Edit screen.
Chapter 22 IP/MAC Binding ZyWALL USG 2000 User’s Guide 413 screen. Use this screen to configure an interface’ s IP to MAC address binding settings. Figure 307 Configur ation > Network > IP/MAC Binding > Edit > Add The following table describes t he labels in this screen.
Chapter 22 IP/MAC Binding ZyWALL USG 2000 U ser’s Guide 414 The following table describes t he labels in this screen. T able 105 Configuration > Network > IP/MAC Binding > Exempt List LABEL DESCRIPTION Add Click this to create a new entry .
ZyWALL USG 2000 User’s Guide 415 C HAPTER 23 Authentication Policy 23.1 Overview Use authentication polic ies to contro l who can access the network.
Chapter 23 Auth en tic at ion Policy ZyWALL USG 2000 U ser’s Guide 416 23.1.2 What Y ou Need to Know Authentication Policy and VPN Authentication polici es are applied based on a tr affic flow’ s source and destination IP addresses.
Chapter 23 Authentication Policy ZyWALL USG 2000 User’s Guide 417 Click Configuration > Auth. Policy to display the screen. Figure 310 Configuration > Au th.
Chapter 23 Auth en tic at ion Policy ZyWALL USG 2000 U ser’s Guide 418 The following table giv es an overview of the objects you can configure. T able 106 Configuration > Auth. Policy LABEL DESCRIPTION Enable Authentication P olicy Select this to turn on the authentication policy feature.
Chapter 23 Authentication Policy ZyWALL USG 2000 User’s Guide 419 23.2.1 Creating/Editing an Authentication Policy Click Configuration > Auth. Policy and then the Add (or Edit ) icon to open the Endpoint Security Edit screen. Use this screen to configure an authentication policy .
Chapter 23 Auth en tic at ion Policy ZyWALL USG 2000 U ser’s Guide 420 Figure 312 Configuration > Aut h . Policy > Add The following table giv es an overview of the objects you can configure.
Chapter 23 Authentication Policy ZyWALL USG 2000 User’s Guide 421 Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the rule is always effective.
Chapter 23 Auth en tic at ion Policy ZyWALL USG 2000 U ser’s Guide 422.
ZyWALL USG 2000 User’s Guide 423 C HAPTER 24 Firewall 24.1 Overview Use the firewall t o block or allow servic es that use static port numbers. Use application patrol (see Chapter 32 on page 521 ) to control services using flexible/ dynamic port numbers.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 424 24.1.2 What Y ou Need to Know St ateful Inspection The Z yWALL has a stateful inspection fi rewall. The Z yW ALL restricts acces s by screening data pack ets ag ainst defined acce ss rules. It al so i nspec ts sessions.
Chapter 24 Firewall ZyWALL USG 2000 User’s Guide 425 • The Z yW ALL drops most pack ets from the DMZ z one to the Z yW ALL itself , except for DNS and NetBIOS traffic, and gener ates a log. When you configure a firewall rule for pack ets destined for the Z yW ALL itself , make sure it does not c onflict with your service control rule.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 426 traffic blocking to allo w or block VPN tr affic tr ansmitting between the VPN tunnel and other interfaces in the LAN zone.
Chapter 24 Firewall ZyWALL USG 2000 User’s Guide 427 the firewall rule to alwa ys be in effect. The following figure shows the results of this rule. Figure 314 Blocking All LAN to W AN IRC Traf fic Examp le Y our firewall would have the following rules.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 428 Now you configure a LAN to WAN f irewall rule that allows IRC tr affic from t he IP address of the CEO’ s computer (192.168.1.7 for example) to go to any destination address. Y ou do not need to specify a sch edule since you want the firewall rule to always be in effect.
Chapter 24 Firewall ZyWALL USG 2000 User’s Guide 429 • The first row allows any LAN computer to access the IRC service on the W AN by logging into the Z yW ALL with the CEO’ s user name. • The second row blocks LAN access to the IRC service on the WAN.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 430 5 The screen for configuring a se rvice object opens. Configure it as follows and click OK . Figure 318 Firewall Example: Create a Service Obje ct 6 Select From WAN and To LAN1 . 7 Enter the name of the firew al l rule.
Chapter 24 Firewall ZyWALL USG 2000 User’s Guide 431 9 The firewall rule appears in the firewall rule summary . Figure 320 Firewall Example: Doom Rule in Summary 24.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 432 4 The Z yWALL then sends it to the compu te r on the LAN in Subnet 1 . Figure 321 Using V irtual Interfaces to A void Asymmetrical Routes 24.2.1 Configuring the Firewall Screen Click Configuration > Firewall to open the Firewall screen.
Chapter 24 Firewall ZyWALL USG 2000 User’s Guide 433 • The ordering of your rules is v ery im portant as rules are applied in sequence. Figure 322 Configuratio n > F irewall The following table describes t he labels in this screen.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 434 From Z one / To Z o n e This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of pack ets to which they apply .
Chapter 24 Firewall ZyWALL USG 2000 User’s Guide 435 24.2.2 The Firewall Add/Edit Screen In the Firewall screen, click the Edit or Add icon to dis p lay the Firewall Rule Edit screen. Figure 323 Configuration > Fi rewall > Add The following table descri bes the labels in this screen.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 436 24.3 The Session Limit Screen Click Configuration > Firewall > Session Limit to displa y the Firewall Session Limit screen. Use this screen to limit th e number of concurrent NA T/ firewall sessions a client can use.
Chapter 24 Firewall ZyWALL USG 2000 User’s Guide 437 individual limi ts for specific users, addres ses, or both. The individual li mit takes priority if you apply both. Figure 324 Configuration > Firewall > Session Limit The following table descri bes the labels in this screen.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 438 24.3.1 The Session Limit Add/Edit Screen Click Configuration > Firewall > Session Limit and the Add or Edit icon to display t he Firewall Session Limit Edit screen. Use this screen to configure rules that define a session li mit for specific users or addresses.
Chapter 24 Firewall ZyWALL USG 2000 User’s Guide 439 User Select a user name or user group to which to apply the rule. The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out. Otherwise, select any and there is no need for user logging.
Chapter 24 Firewall ZyWALL USG 2000 U ser’s Guide 440.
ZyWALL USG 2000 User’s Guide 441 C HAPTER 25 IPSec VPN 25.1 IPSec VPN Overview A virtual priv ate network (VPN) pro vides secure communications between sit es without the expense of leased site-to-site lines. A s ecure VPN is a combination of tunneling, encryption, aut hentication, access control and auditing.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 442 •U s e t h e VPN Gateway screens (see Section 25.2.1 on page 446 ) to manage the ZyW ALL’ s VPN gate ways. A VPN gateway specifies th e IPS e c rout ers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings).
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 443 Application Scenarios The Z yW ALL’ s application scenarios make it easier to configure your VPN connection settings. Finding Out More • See Section 6.5.15 on page 110 for related information on the se screens.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 444 • See Section 25.5 on page 469 for IPSec VPN background information. • See Section 5.3 on page 83 for the IPSec VPN quick setup wizard. • See Section 7.4 on page 127 for an exampl e of configuring IPSec VPN.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 445 SA). Click a column’ s heading cell to so rt the table entries by that column’ s criteria. Click the heading cell again to reverse the sort order . Figure 328 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following tabl e.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 446 25.2.1 The VPN Connection Add/Edit (IKE) Screen The VPN Connection Add/Edit Gateway screen allows you to create a new VPN connection policy or edit an existing one. T o access this screen, go to the Configuration > VPN Connection screen (see Section 25.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 447 Figure 329 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE).
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 448 Each field is desc ribed in the followi ng table. T able 1 18 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration fields.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 449 P olicy Local P olicy Select the address corresp onding to the local network. Use Create new Object if you need to configure a new one. Re mote Policy Select the address corresp onding to the remote network.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 450 Encryption This field is applicable when the Active Protocol is ESP . Select which key size and encryption algorithm to use in the IPSec SA.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 451 Check Method Select how the ZyW ALL checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the ZyW ALL regularly ping the address you specify to make sure traffic can still go through the connection.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 452 Inbound T raffic Source NA T This translation hides the source address of computers in the remote network. Source Select the address object that re presents the original source address (or select Create Object to configure a new one).
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 453 25.2.2 The VPN Connection Add/Edit Manual Key Screen The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one us ing a manual key . This is useful if you have problems wi th IKE key management .
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 454 Secure Gateway Address T ype the IP address of the remote IPSec router in the IPSec SA. SPI T ype a unique SPI (Security Par ameter Index) between 256 and 4095. The SPI is used to identify the Z yW ALL during authentication.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 455 Encryption K ey This field is applicable when you select an Encr yption Algor ithm . Enter the encryption key , which depends on the encryption algorithm.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 456 25.3 The VPN Gateway Screen The VPN Gateway sum m ary screen displ ays the IPSec VPN gateway polici es in the Z yWALL, as wel l as the Z yWALL’ s addr ess, remote IPSec router’s address, and associated VPN connections for each one.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 457 25.3.1 The VPN Gateway Add/Edit Screen The VPN Gateway Add/Edit scre en allo ws you to create a new VPN gateway policy or edit an existing one. T o access this screen, go to the VPN Gateway summary screen (see Section 25.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 458 Figure 332 Configuration > VPN > IPSec VPN > VPN Gateway > Edit.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 459 Each field is desc ribed in the followi ng table. T able 121 Configuration > VPN > IPSe c VPN > VPN Gateway > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greater or lesser number of configuration field s.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 460 Pre-Shared Ke y Select this to have the Z yWA LL and remote IPSec router use a pre- shared key (password) to identify each other when they negotiate the IKE SA. T y pe the pre-shared key in the field to the right.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 461 Content This field is read-only if the Z yW ALL and remote IPSec router use certificates to identify each other . T ype the identity of the Z yW ALL during authentication. The identity depends on the Local ID Type .
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 462 Content This field is disabled if the Pe er ID Type is Any . T ype the identity of the remote IPSec router during au thentication.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 463 Negotiation Mode Select the negotiation mode to use to nego tiate the IKE S A. Choices are Main - this encrypts the Z yW ALL’ s and remote IPS.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 464 NA T T raversal Select this if any of these conditions are satisfied. • This IKE SA might be used to negotiate IPSec SAs that use ESP as the active protocol.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 465 25.4 VPN Concentrator A VPN concentr ator combines sever al IPSec VPN connections into one secure network. Figure 333 VPN T opologies (Fully Meshed and Hub and S poke) In a fully -meshed VPN topology ( 1 in the figure), there is a VPN connection between every pair of routers.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 466 • Branch office A ’ s Z yW ALL uses one VPN rule to access both the headquarters (HQ) network and branch office B’ s network. • Branch office B’ s ZyW ALL uses one VPN rule to access br anch of fice A ’ s network only .
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 467 VPN Connection (VPN T unnel 1): • Local P olicy: 192.168.1.0/255.255.255.0 • Remote P olicy:1 92.168.11.0/255.255.255.0 • Disable Policy Enforce ment VPN Gateway (VPN T unnel 2): • My Address: 10.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 468 • The local IP addresses configured in the VPN rules should not overlap . • The concentrator must have at least on e separate VPN rule for each spoke. In the local policy , specify the IP addresses of the net works with which the spoke is to be able to hav e a VPN tunnel.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 469 Concentrator summary screen (see Section 25.4 on page 465 ), and click either the Add icon or an Edit icon. Figure 336 Configu ration > VPN > IPSec VPN > Concentrator > Edit Each field is desc ribed in the followi ng table.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 470 IKE SA Overview The IKE SA provides a se cure connecti on between the ZyW ALL and remote IPSec router . It takes sev eral steps t o establish an IKE SA. The neg otiation mode determines how many .
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 471 The Z yWALL sends one or more proposals to the remote IPSec router . (In some devices, you can only set up one propos al.) Each proposal consists of an encryption al gorithm, auth entication algorithm, and DH key group that the Z yWALL wants to use in the IKE SA.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 472 the longer it takes to encrypt and decr ypt information. For example, DH2 keys (1024 bits) are more secure than DH1 keys (768 b its), but DH2 keys take longer to encrypt and decrypt.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 473 Router identity cons ists of ID typ e and content. The ID type can be domain name, IP address, or e-mail address, and the content i s a (properly-formatted) domai n name, IP address, or e-mail address.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 474 Negotiation Mode There are two negotiati on modes--main mo de and aggressiv e mode. Main mode provides better security , while aggressive mode is faster . Main mode takes six steps to establish an IKE S A.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 475 feature, router X and router Y can establish a VPN tunnel as long as the active protocol is ESP .
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 476 • The local and peer ID type and content come from the certifi cates. Note: Y ou must set up the certificates for the ZyW ALL and remote IPSec router first.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 477 These modes are illustrated below . In tunnel mode, the Z yW ALL uses the active protocol to encaps ulate the entire IP packet.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 478 Additional T opics for IPSec SA This section provi des more information about IPSec SA in your Z yW ALL. IPSec SA usi ng Manual Keys Y ou might set up an IPSec SA using manual k eys when you w ant to establish a VPN tunnel quickly , for example, for troubl eshooting.
Chapter 25 IPSec VPN ZyWALL USG 2000 User’s Guide 479 Each kind of tr anslation is explained below . The following example is used to help explain each one.
Chapter 25 IPSec VPN ZyWALL USG 2000 U ser’s Guide 480 • SNA T - the translated sourc e address; a different IP addres s (range of addresses) to hide the original source address.
ZyWALL USG 2000 User’s Guide 481 C HAPTER 26 SSL VPN 26.1 Overview Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VP N router or VPN client software. 26.1.1 What Y ou Can Do in this Chapter •U s e t h e VPN > SSL VPN > Access Privilege screens (see Section 26.
Chapter 26 SSL VPN ZyWALL USG 2000 U ser’s Guide 482 Y ou do not have to install additional client software on the remote user computers for access. Figure 343 Network Access Mode: Reverse Proxy Ful.
Chapter 26 SSL VPN ZyWALL USG 2000 User’s Guide 483 changes through the SSL poli cies that us e the object(s). When you delete an SSL policy , the objects are not remov ed. Y ou cannot delete an object that is refe renced b y an SSL access poli cy .
Chapter 26 SSL VPN ZyWALL USG 2000 U ser’s Guide 484 26.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. Figure 345 VPN > SSL VPN > Access Privilege The following table describes t he labels in this screen.
Chapter 26 SSL VPN ZyWALL USG 2000 User’s Guide 485 Apply Click Apply to save the settings. R eset Click Reset to discard all changes. T able 127 VPN > SSL VPN > Access Privilege LABEL DESCRIP.
Chapter 26 SSL VPN ZyWALL USG 2000 U ser’s Guide 486 26.2.1 The SSL Access Policy Add/Edit Screen T o create a new or edit an existing SSL access policy , click the Ad d or Edit icon in the Access Privilege screen.
Chapter 26 SSL VPN ZyWALL USG 2000 User’s Guide 487 The following table describes t he labels in this screen. T able 128 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen.
Chapter 26 SSL VPN ZyWALL USG 2000 U ser’s Guide 488 26.3 The SSL Global Setting Screen Click VPN > SSL V PN and click the Global Setting tab to display the foll owing screen.
Chapter 26 SSL VPN ZyWALL USG 2000 User’s Guide 489 on your network f or full tunnel mode ac cess, enter access messages or upl oad a custom logo to be displ ayed on the remote user screen. Figure 347 VPN > SSL VPN > Global Setting The following table describes t he labels in this screen.
Chapter 26 SSL VPN ZyWALL USG 2000 U ser’s Guide 490 26.3.1 How to Upload a Custom Logo Fol low the steps below to upload a custom logo to displa y on the remote user SSL VPN screens. 1 Click VPN > SSL VPN and click the Global Setting tab to di splay the configur ati on screen.
Chapter 26 SSL VPN ZyWALL USG 2000 User’s Guide 491 The following shows an example logo on the remote user screen. Figure 348 Example Logo Graphic Display 26.4 Est ablishing an SSL VPN Connection After you hav e configured the S SL VPN settings on the Z yW ALL, use the Z yWALL login screen’ s SSL VPN button to es tablish an SSL VPN connection.
Chapter 26 SSL VPN ZyWALL USG 2000 U ser’s Guide 492 2 SSL VPN connection starts. This may take sever al minutes depending on yo ur network connection. Once the connection is up , you should see the client portal screen. The following shows an example.
ZyWALL USG 2000 User’s Guide 493 C HAPTER 27 SSL User Screens 27.1 Overview This chapter introduces the remote user S SL VPN screens. The following figure shows a network example where a remote user ( A ) logs into the Z yW ALL from the Internet to access the web serv er ( WWW ) on the local network.
Chapter 27 SSL User Screen s ZyWALL USG 2000 U ser’s Guide 494 System Requirement s Here are the browser and computer system requirements for remote user access. • Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or 2000 (32-bit) • Internet Explorer 7 and above or Firefox 1.
Chapter 27 SSL User Screens ZyWALL USG 2000 User’s Guide 495 1 Open a web browser and enter the web site address or IP address of the Z yW ALL. For examp le, “http://sslvpn.myc ompany .com” . Figure 352 Enter the Address in a We b Browser 2 Click OK or Yes if a security screen displays.
Chapter 27 SSL User Screen s ZyWALL USG 2000 U ser’s Guide 496 5 Y our computer starts esta blishing a se cure connection to the Z yW ALL after a successful login. Thi s may take up to two minutes. If you get a message about needing Jav a, download and install it and restart y our browser and re-login.
Chapter 27 SSL User Screens ZyWALL USG 2000 User’s Guide 497 7 The Z yW ALL tries to install the SecuExtend er client. Y ou may need to click a pop- up to get your browser to allow this. In Internet Explorer , click Install . Figure 357 SecuExtender Blocked by Internet Exp lorer 8 The Z yW ALL tries to run the “ss ltun” applic ation.
Chapter 27 SSL User Screen s ZyWALL USG 2000 U ser’s Guide 498 10 If a screen like t he following displays, click Continue Anyway to finish installing the SecuExtender client on y our computer . Figure 360 Hardware Inst allation W arning 11 The Application screen displays showing the list of resources av ailable to you.
Chapter 27 SSL User Screens ZyWALL USG 2000 User’s Guide 499 27.3 The SSL VPN User Screens This section describes the main elem ents in the remote us er screens. Figure 361 Remote User Screen The following table describes t he various parts of a remot e user screen.
Chapter 27 SSL User Screen s ZyWALL USG 2000 U ser’s Guide 500 27.4 Bookmarking the ZyW ALL Y ou can create a bookmark of the ZyW ALL by clicki ng the Add to Favorite icon. This allows you to access the Z yW ALL using the bookmark without having to enter the address every time.
Chapter 27 SSL User Screens ZyWALL USG 2000 User’s Guide 501 3 An information screen displays to indicate that t he SSL VPN connection is about to terminate.
Chapter 27 SSL User Screen s ZyWALL USG 2000 U ser’s Guide 502.
ZyWALL USG 2000 User’s Guide 503 C HAPTER 28 SSL User Application Screens 28.1 SSL User Application Screens Overview Use the Application screen to access web-based applic ations (such as web sites and e-mail) on the network through the SSL VPN conne ct i on.
Chapter 28 SSL User Application Screens ZyWALL USG 2000 U ser’s Guide 504.
ZyWALL USG 2000 User’s Guide 505 C HAPTER 29 SSL User File Sharing 29.1 Overview The File Sharing screen lets you access files on a file server through the SSL VPN connection. 29.1.1 What Y ou Need to Know Use the File Sharing screen to display and access shared files/folders on a fil e server .
Chapter 29 SSL Use r File Sharing ZyWALL USG 2000 U ser’s Guide 506 29.2 The Main File Sharing Screen The first File Sharing screen displays the name(s) of the shared folder(s) av ailable. The following figure show s an example with one file share. Figure 366 File Sh aring 29.
Chapter 29 SS L User File Sh aring ZyWALL USG 2000 User’s Guide 507 3 If an access user name and password ar e requi red, a screen displays as shown in the following figure.
Chapter 29 SSL Use r File Sharing ZyWALL USG 2000 U ser’s Guide 508 4 A list of files/ fo lders display s . Cl ic k on a file to open i t in a separate browser window . Y ou can also click a folder to access it . For t his example, click on a .doc file t o open the W ord document.
Chapter 29 SS L User File Sh aring ZyWALL USG 2000 User’s Guide 509 29.3.2 Saving a File After you ha ve opened a file i n a web browser , you can save a copy of the file by clicking File > Save As and fo ll ow ing the on-s c reen instructi o ns .
Chapter 29 SSL Use r File Sharing ZyWALL USG 2000 U ser’s Guide 510 29.5 Renaming a File or Folder T o rename a file or f older , click the Rename icon nex t to the file/folder . Figure 371 File Sh aring: Rename A popup window displays. Specify the new na me and/or file exte nsio n in th e field provided.
Chapter 29 SS L User File Sh aring ZyWALL USG 2000 User’s Guide 51 1 29.7 Uploading a File Fol low the steps below to upload a file to the file serv er . 1 Log into the remote user screen and click the File Sharing tab. 2 Specify the location and/or name of th e file you w ant to upload.
Chapter 29 SSL Use r File Sharing ZyWALL USG 2000 U ser’s Guide 512.
ZyWALL USG 2000 User’s Guide 513 C HAPTER 30 ZyWALL SecuExtender The Z yWALL aut omatically loads the Z yW ALL SecuExtender client program to your computer after a successful logi n. The Z yW ALL SecuExtender lets you: • Access servers , remote desktops and mana ge files as if you were on the local network.
Chapter 30 ZyW ALL SecuExtender ZyWALL USG 2000 U ser’s Guide 514 30.2 S t atistics Right- click the Z yW ALL SecuExtender ic on in the system tr ay and s elect Status to open the Status screen. Use this screen to view the ZyW ALL SecuExtender’s statistics.
Chapter 30 ZyWALL SecuExtender ZyWALL USG 2000 User’s Guide 515 30.3 V iew Log If you h ave prob lems w ith th e ZyWALL SecuExtender , customer support may request you to pro vide information from the log. Right -click the Z yW ALL SecuExtender icon in the sys tem tr a y and select Log to open a notepad fil e of the Z yWALL SecuExtender’s log.
Chapter 30 ZyW ALL SecuExtender ZyWALL USG 2000 U ser’s Guide 516 connected but not send any traffi c throug h it until y ou right-click the icon and resume the connection. 30.5 S top the Connection Right- click the icon and select Stop Connection to disconnect t he SSL VPN tunnel.
ZyWALL USG 2000 User’s Guide 517 C HAPTER 31 L2TP VPN 31.1 Overview L2TP VPN let s remote users use the L2TP and IPSec client soft ware includ e d with their computers’ operating systems to secu rely connect to the network behind t he Z yWALL . The remote users do not need their own IPSec gatewa ys or VPN client software.
Chapter 31 L2T P VPN ZyWALL USG 2000 U ser’s Guide 518 • Use transp ort mode. • Not be a manual key VPN connection. •U s e Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2T P VPN cl ients to connect fro m more than one IP address.
Chapter 31 L2TP VPN ZyWALL USG 2000 User’s Guide 519 Finding Out More • See Section 6.5.17 on page 111 for related information on the se screens. • See Chapter 8 on page 171 for an example of how to create a basic L2TP VPN tunnel. 31.2 L2TP VPN Screen Click Configuration > VPN > L2TP VPN to open t he following screen.
Chapter 31 L2T P VPN ZyWALL USG 2000 U ser’s Guide 520 VPN Connection Select the IPSec VPN connection the ZyW ALL uses for L2TP VPN. All of the configured VPN connections displa y here, but the one you use must meet the requirements listed in IPSec Configuration R equired for L2TP VPN on page 517 .
ZyWALL USG 2000 User’s Guide 521 C HAPTER 32 Application Patrol 32.1 Overview Application patrol provides a convenie nt w ay to manage the use of v arious applications on the network.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 522 32.1.2 What Y ou Need to Know If you w ant to use a service, mak e sure both the firew all and application patrol allow the service’ s packets to go through the Z yW ALL.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 523 numbers for SIP tr affic. Likewise, configuring the SIP ALG to use custom port numbers for SIP tr affic also configures applicati on patrol to use the same port numbers for SIP tr affic.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 524 • The outbound tr affic flows from the connection initiator to the connection responder . • The inbound tr affic flows from the connecti on responder to the connection initiator .
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 525 Bandwid th Management Priority • The Z yW ALL gives band width to higher -priority tr affic first, until it reaches its configured bandwidth r ate. • Then lower-pri o rit y traffic gets bandwid th.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 526 Configured Rate Effect In the following table the configured r ates total less than t he avai lable bandwidth and maximize bandwidth usage is disabled, both servers get t heir configured r ate.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 527 regardless of its priority , server B gets almost no bandwidth with this configu ration. Finding Out More • See Section 6.5.18 on page 111 for related information on the se screens. • See Section 7.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 528 • FTP traffic from the LAN to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connection s, but it must be the lowest priority and limited so it does not inte rfere with SIP and HT TP tr affic.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 529 • Enable maximi ze bandwidth usage so the SIP tr affic can borrow unus ed bandwidth. Figure 386 SIP Any to W AN Bandwidth Management Example 32.1.3.3 SIP W AN to Any Ba ndwid th Management Example Y ou also create a policy for calls coming in from the SIP server on the WAN.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 530 32.1.3.5 FTP W AN to DMZ Ba ndwid th Management Example • ADSL supports more downstream than upstream so you al low remote users 300 kbps for uploads to the DMZ F TP serv er (outbound) but only 100 kbps for downloads (inbound).
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 531 32.2 Application Patrol General Screen Use this screen to enable and d isable applicati on patrol. It also lists the registration st atus and details about the sig nature set the Z yW ALL is using.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 532 32.3 Application Patrol Applications Use the application patrol Common , Instant Messenger , Peer to Peer , VoIP , or Streaming screen to manage traf fic of individual applications.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 533 Click Configuration > App Patro l > Co mmon to open the following screen. Figure 391 Configur ation > App Patrol > Common The following table describes the labels in this screen.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 534 Streaming screen and click an application’ s Edit icon. The screen displayed here is for the MSN instant messenger service. Figure 392 Application Edit The following table describes t he labels in this screen.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 535 # This field is a sequential value, and it is not associated with a specific entry . Note: The ZyW ALL checks ports in the order they appear in the list.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 536 Access This field displays what the Z yWALL does with packets for this application that match this policy .
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 537 32.3.2 The Application Patrol Policy Edit Screen The Application Policy Edit screen allows you to edit a group of settings f or an application.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 538 Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Ch ap te r 4 3 o n p ag e 7 17 for details). Otherwise, select none to mak e the policy always effective.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 539 Action Block For som e applications, you can select individual uses of the application that the policy will have the Z yW ALL block. These fields only apply when Access is set to forwar d .
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 540 32.4 The Other Applications Screen Sometimes, the Z yW ALL cannot identify the application. For example, the application might be a new application, or the pack ets might arriv e out of sequence.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 541 Click AppPatrol > Other to open the Other ( applicatio ns) screen. Figure 394 AppPatrol > Other The following table describes the labels in this screen. See Secti on 32.4.1 on page 543 for more information as well.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 542 Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination. Protocol This is the protocol of the traffic to which this po licy applies.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 543 32.4.1 The Other Applications Add/Edit Screen The Other Configuration Add/Edit screen allows you to create a new condition or edit an existing one. T o access this screen, go to the Other Protocol screen (see Section 32.
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 544 Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one (see Ch ap te r 4 3 o n p ag e 7 17 for details). Otherwise, select any to make the policy always effective.
Chapter 32 Application Patrol ZyWALL USG 2000 User’s Guide 545 Inbound kbps T ype how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the Z yWALL sends to a connection’ s initiator .
Chapter 32 App licat ion Patr ol ZyWALL USG 2000 U ser’s Guide 546 OK Click OK to save your changes back to the Z yW ALL. Cancel Click Cancel to exit this screen without saving your changes.
ZyWALL USG 2000 User’s Guide 547 C HAPTER 33 Anti-Virus 33.1 Overview Use the Z yWALL’ s anti- virus feature to pr otect y our connected network from virus / spyware infect ion. The Z yW ALL checks tr af fi c going in the direction( s) y ou specif y for signature matches.
Chapter 33 Anti- Viru s ZyWALL USG 2000 U ser’s Guide 548 33.1.2 What Y ou Need to Know Anti-Virus Engines Subscribe to signature files for Z yXEL ’ s anti-v irus engine or one powered by K aspersky . When using the trial, you can switch from one engine to the other in the Regi stration screen.
Chapter 33 Anti- Viru s ZyWALL USG 2000 User’s Guide 549 2 If the packets are not session connection setup packets ( such as SYN, ACK and FIN), the Z yWALL records the sequence of the packets. 3 The scanning engine ch ecks the contents of the packets for virus.
Chapter 33 Anti- Viru s ZyWALL USG 2000 U ser’s Guide 550 33.1.3 Before Y ou Begin • Before using anti-virus, see Chapter 11 on page 26 5 for how to register for the anti-vir us service. • Y ou may need to customize the zones (in the Network > Zone ) used for the anti-vi rus scanning direction.
Chapter 33 Anti- Viru s ZyWALL USG 2000 User’s Guide 551 The following table describes t he labels in this screen. T able 143 Configuration > Anti-X > Anti-Virus > Genera l LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a grea ter or lesser number of configuration fields.
Chapter 33 Anti- Viru s ZyWALL USG 2000 U ser’s Guide 552 Protocol These are the protocols of traffic to scan for viruses. FTP applies to traffic using the T CP port number specified for FTP in the ALG screen. HTTP applies to traffic using T CP ports 80, 8080 and 3128.
Chapter 33 Anti- Viru s ZyWALL USG 2000 User’s Guide 553 33.2.1 Anti-V irus Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus > General screen to displa y the configur ation screen as shown next.
Chapter 33 Anti- Viru s ZyWALL USG 2000 U ser’s Guide 554 Actions When Matched Destroy infected file When you select this check bo x, if a virus pattern is matched, the Z yW ALL overwrites the infected portion of the file (and the rest of the file) with zeros.
Chapter 33 Anti- Viru s ZyWALL USG 2000 User’s Guide 555 33.3 Anti-V irus Black List Click Configuration > Anti-X > Anti-Virus > Black/White List to displa y the screen shown next. Use the Black List screen to set up the Anti-Virus black (blocked) list of virus file patterns.
Chapter 33 Anti- Viru s ZyWALL USG 2000 U ser’s Guide 556 The following table describes t he labels in this screen. 33.4 Anti-V irus Black List or White List Add/Edit From the Configuration > Ant.
Chapter 33 Anti- Viru s ZyWALL USG 2000 User’s Guide 557 The following table describes t he labels in this screen. 33.5 Anti-V irus White List Click Configuration > Anti-X > Anti-Virus > Black/White List > White List to display the screen shown next.
Chapter 33 Anti- Viru s ZyWALL USG 2000 U ser’s Guide 558 column’ s heading cell to sort t he table en tries by that col umn’s criteria. Click the heading cell again to reverse the sort order . Figure 401 Configuration > Anti-X > Anti-Viru s > Black/White List > White List The following table describes t he labels in this screen.
Chapter 33 Anti- Viru s ZyWALL USG 2000 User’s Guide 559 If Internet Explorer op en s a warning screen ab out a scri pt making Internet Explorer run slowly and the computer ma ybe becoming unresponsiv e, just click No to continue. Cl ick a column’ s heading ce ll to sort the table entries by that column’s criteria.
Chapter 33 Anti- Viru s ZyWALL USG 2000 U ser’s Guide 560 The following table describes t he labels in this screen. T able 148 Configuration > Anti-X > Anti-Virus > Sig nature LABEL DESCRIPTION Signatures Search Select the criteria on which to perform the search.
Chapter 33 Anti- Viru s ZyWALL USG 2000 User’s Guide 561 33.7 Anti-V irus T echnical Reference T ypes of Computer Viruses The following table describes some of the common computer vi ruses. Computer Virus Inf ection and Prevention The following describes a simpl e life cycle of a computer virus.
Chapter 33 Anti- Viru s ZyWALL USG 2000 U ser’s Guide 562 A host-b ased anti- virus (HA V) scanner is often soft ware installed on computers and/or servers in the network. It i nspects files for virus patterns as they are moved i n and out of the hard driv e.
ZyWALL USG 2000 User’s Guide 563 C HAPTER 34 IDP 34.1 Overview This chapter introduces pack et inspection IDP (Intrusi on, Detection and Prevention), IDP profiles, binding an IDP prof ile to a tr affic flow , custom signatures and updating signatures.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 564 IDP Profiles An IDP profile is a set of related IDP sign atures that y o u can activ ate as a set and configure common log and action s ettings. Y ou can apply IDP profiles to tr affic flowing from one zone to another .
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 565 34.2 The IDP General Screen Click Configuration > Anti-X > IDP > Ge neral to open this screen. Use this screen to turn IDP on or off , bind IDP profiles to traffic directions, and view registra tion and signature information.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 566 Re move Select an entry and click this to delete it. Activate T o turn on an entry , select it and click Activate .
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 567 34.3 Introducing IDP Profiles An IDP profile is a set of packet inspection signatures. P acket inspection si gnatures examine packet content for malicious data. Pack et inspection applies t o OSI (Open System Int erconnection) layer -4 to lay er-7 contents.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 568 34.3.1 Base Profiles The Z yW ALL comes with sever al base profiles. Y o u use base profiles to create new profiles. In the Configuration > Anti-X > IDP > Profile screen, cli c k Add to display the following screen.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 569 34.4 The Profile Summary Screen Select Anti-X > IDP > Profile . Use this screen to: • Add a new profile • Edit an existing prof ile • Delete an existing profile. Click a column’ s heading cell to sort the table entries by that column’ s criteria.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 570 34.5 Creating New Profiles Y ou may want to create a new profile if not all signa tures in a base profile are applicable to your network. In this case y ou should disable non- applicable signatures so as t o improve Z yW ALL IDP proc essing efficiency .
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 571 34.6 Profiles: Packet Inspection Select Configuration > Anti -X > IDP > Pr ofile and then add a new or edit an existing profile select. P ack et insp ec tion signatures examine the contents of a packet for mal icious data.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 572 The following table describes t he fields in this screen. T able 153 Configuration > Anti-X > IDP > Profile > Group V iew LABEL DESCRIPTION Name This is the name of the profile.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 573 Action T o edit what action the Z yW ALL tak es when a packet matches a signature, select the signature and use the Action icon. none : Select this action on an individual signature or a complete service group to have the Z yW ALL take no action when a pack et matches the signature(s).
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 574 34.6.2 Policy T ypes This section describes IDP poli cy types, also known as attack types, as c a tegorized in the ZyW ALL. Y ou may refer to these types when categorizing your own custom rules. Log These are the log options.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 575 34.6.3 IDP Service Group s An IDP service group is a set of re lated packet i nspection signatures. Scan A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 576 The following figure shows the WEB_PHP se rvice group that contains signatures related to attacks on web servers us ing PHP exploits . PH P (PHP: Hypertext Preprocessor) is a serv er-side HTML embedd ed scripting language that allows web developers to build dynamic websites.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 577 signatures by criteria such as name, ID , severity , attack type, vulner able attack platforms, service category , log options or act ions. Figure 408 Configuration > Ant i -X > IDP > Profile: Q u ery View The following table describes t he fields specific to this screen’ s query view .
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 578 Severity Search for signatures by severit y level(s). Hold down the [Ctrl] key if you want to make multiple selections. These ar e the sev erities as defi ned in the Z yW ALL. Th e number in brackets is the number you use if using commands .
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 579 34.6.5 Query Example This example shows a search with these criteria: • Severity: severe and high • Attac k T ype: DDoS • Platform: Windows 2000.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 580 •A c t i o n s : A n y Figure 409 Query Example Search Criteria Figure 410 Query Example Search Result s.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 581 34.7 Introducing IDP Custom Signatures Create custom signatures for new attack s or attacks peculiar to y our network. Custom signatures c an also be sav ed to/f rom y our computer so as to s hare with others.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 582 34.8 Configuring Custom Signatures Select Configuration > Anti-X > IDP > Cu stom Signature s. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 583 Note: The ZyW A LL checks all signatures and contin ues searching even af ter a match is found. If two or more rules have conflicting actions fo r the sa me p acket, then the ZyW ALL applies the more restrictive action ( reject-both, reject-receiver or reject-sender , drop, none in this order).
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 584 34.8.1 Creating or Editing a Custom Signature Click the Add icon to c reate a new signature or c lick the Edit icon to edit an existing signature in the screen as shown in Figure 412 on page 583 . A packet must match all items you configur e in this screen before it matches the signature.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 585 T ry to write signatures that target a vulner ability , for example a certain t ype of traffic on certain operating s ystems, instead of a specific exploit.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 586 The following table describes the fields in this screen. T able 159 Configuration > Anti-X > IDP > Custom Signatures > Ad d/Edit LABEL DESCRIPTION Name T ype the name of your custom signature.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 587 Fragmentation A fragmentation flag identifies whether the IP datagr am should be fragmented, not fr agmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 588 Flow If selected, the signature only ap plies to certain directions of the traffic flow and only to c lients or servers.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 589 P ayload Size This field may be used to check for abno rmally sized packets or for detecting buffer overflows . Select the check box, then select Equal , Smalle r or Greater and then type the payload size.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 590 34.8.2 Custom Signature Example Before creating a custom signature, you must first clearly understand the vulnerabilit y . 34.8.2.1 Underst a nd the V ulnerability Check the ZyW ALL logs when the attack oc curs.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 591 34.8.2.2 Analyze Packet s Use the packet capture screen (se e Section 53.3 on page 860 ) and a packet analyzer (also known as a network or pr otocol analyzer) such as Wireshark or Ethereal to inv estigate some more.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 592 The final custom signature should look like as shown in the following figure. Figure 415 Example Custom Signatu re 34.
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 593 Y ou can activate the signature, configur e what action to take when a packet matches it and if it should gener ate a log or alert i n a profil e. Then bind the profil e to a zone. Figure 416 Example: Custom Signat ure in IDP Profile 34.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 594 destination port is the service port (53 for DNS in this case) that the attack tries to exploit. Figure 417 Custom Signature Log 34.9 IDP T echnical Reference This section contains some background information on IDP .
Chapter 34 IDP ZyWALL USG 2000 User’s Guide 595 Network Intrusions Network - based intrusions hav e the goal of bringing down a ne twork or networks by attacking computer(s), switch(es), rout er(s) or modem(s). If a LAN switch is compromised for example, then the wh ole LA N is compro mised.
Chapter 34 ID P ZyWALL USG 2000 U ser’s Guide 596 Note: Not all Snort functionality is supported in the ZyW ALL. Same IP sameip T ransport Protocol T ransport Protocol: T CP P ort (In Snort rule hea.
ZyWALL USG 2000 User’s Guide 597 C HAPTER 35 ADP 35.1 Overview This chapter introduces ADP (Anomaly De tection and Prev ention), anomaly profiles and applying an ADP profile to a traffic direction.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 598 Protocol Anomalies Protocol anomalies are packets t hat do not comply with the relevant RFC (R equest For Comments). Protocol anomaly detect ion includes HT TP Inspection, T CP Decoder , UDP Decoder and ICMP Decoder .
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 599 35.2 The ADP General Screen Click Configuration > Anti-X > ADP > General . Use this screen to turn anomaly detection on or off and apply an omaly profiles to tr affic directions.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 600 35.3 The Profile Summary Screen Use this screen to: • Create a new profile using an existing base profile • Edit an existing prof ile • Delete an existing profile Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 601 35.3.1 Base Profiles The Z yWALL comes with base profiles. Y ou use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 602 The following table describes t he fields in this screen. 35.3.3 Creating New ADP Profiles Y o u may want to create a new profile if not all rules in a base profile are app licable to your networ k.
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 603 belonging to this profile, mak e sure you hav e clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 604 The following table describes t he fields in this screen. T able 164 Configuration > ADP > Profile > T raffic Anomaly LABEL DESCRIPTION Name This is the name of the ADP profile.
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 605 35.3.5 Protocol Anomaly Profiles Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against th e relev ant RFC (Request for Comments).
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 606 Figure 422 Profile s: Protocol Anomaly.
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 607 The following table describes t he fields in this screen. T able 165 Configuration > ADP > Profile > Protocol Anomaly LABEL DESCRIPTION Name This is the name of the profil e.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 608 Action T o edit what action the ZyW A LL takes when a packet matches a signature, select the signature and use the Act ion icon. original se tting : Select this action to return each signature in a service group to its previously saved configuration.
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 609 35.4 ADP T echnical Reference This section is divided i nto traff ic anomaly background information and protocol anomaly background information. T raffic Anomaly Background Information The following sections may help you conf igure the traffic anomaly profile screen ( Section 35.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 610 Decoy Port Scans Decoy port scans are scans where the atta cker has spoofed the source address. These are some decoy scan types: •T C P D e c o y P o r t s c a n • UDP Decoy P ortscan • IP Decoy P ortscan Distributed Port Scans Distributed port scans are many -to-one port scans.
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 61 1 Flood Detection Flood attacks satur ate a network with useless data, use up all av ailable bandwidth, and therefore mak e communi cati ons in the network impossible.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 612 the initiator responds with an ACK (ack nowledgment). After this handshak e, a connection is established. Figure 424 TCP Three-W ay Handshake A SYN flood attack is when an attacker sends a series of SYN packets.
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 613 UDP Flood Attack UDP is a connection-less protocol and it does not require any connection setup procedure to tr ansfer d ata. A UDP flood at tack is p ossible when an at tack er s ends a UDP packet to a random port on the victim system.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 614 DOUBLE-ENCODING ATT A C K This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done.
Chapter 35 ADP ZyWALL USG 2000 User’s Guide 615 WEBROO T -DIRECTORY - TRAV ERSAL A T T ACK This is when a directory traversal tr averses past the web server root directory . This generates much fewer false positives than the directory option, because it doesn’t alert on directory tra versals that stay within the web serv er directory structure.
Chapter 35 AD P ZyWALL USG 2000 U ser’s Guide 616 TRUNCA TED-HEADER ATT A C K This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length.
ZyWALL USG 2000 User’s Guide 617 C HAPTER 36 Content Filtering 36.1 Overview Use the content filtering feature to cont rol access to specific web sites or web content. 36.1.1 What Y ou Can Do in this Chapter •U s e t h e General screens ( Section 36.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 618 Content Filtering Profiles A content filtering profile convenient ly stores your custom set tings for the following featur es .
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 619 Since the Z yWALL checks the URL ’ s domain name (or IP address) and fil e path separately , it will not fi nd items that go across the two . For exampl e, with the URL www .zyxel.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 620 your list of content filter policies , create a denial of access message or specify a redirect URL and check your external we b filtering service regis tration status.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 621 Move T o change an entry’ s position in the numbered list, select it and click Move to display a field to type a number for where y ou want to put that entry and press [ENTER] to move the entry to the number that you typed.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 622 36.3 Content Filter Policy Add or Edit Screen Click Configuration > Anti-X > Content Filter > General > Add or Edit to open the Content Filter Policy screen.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 623 filter policy . A content filter policy defi nes which content filter p rofile should be applied, when it should be app lied, and to whose web access it shoul d be applied.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 624 36.4 Content Filter Profile Screen Click Configuration > Anti-X > Content Filter > Filter Profile to open the Filter Profile screen. A content filter profile de fines to which web se rvices, web sites or web site categories acce ss is to be all owed or denied.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 625 See Chapter 37 on page 641 for how to view content filtering reports. Figure 429 Configur ation > Anti-X > Content Filter >.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 626 The following table describes t he labels in this screen. T able 170 Configuration > Anti-X > Content Filter > Filter Profile > Add LABEL DESCRIPTION License Status This read-only field displays the status of y our content-filtering database service registration.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 627 Action for Unsafe W eb Pa g es Sele ct Pass to allow users to access web pages that match the unsafe categories that you select below . Select Block to prevent users from accessing web pages that match the unsafe categories that you select below .
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 628 Action When Category Server Is Unav ailable Select Pass to allow users to access any requested web page if the external content filtering database is unav ailable. Select Block to block access to any requested web page if the external content filtering database is unavailable.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 629 Spyware/Malware Sources This category includes pages which distribute spyware and other malware.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 630 Nudity This category includes pages containing nude or seminude depictions of the human body . These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 631 Arts/Entertainment This category incl udes pages that promote and provide information about motion pictures, videos, television, music and programming guides, books, comics, movie theatres, galleries, artists or reviews on entertainment.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 632 Government/Legal This category includes pages sponsored by or which provide information on government, government agencies and government services such as taxation and emergency services.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 633 Re ligion This category includes pages that promote and provide information on conventional or unconventional religious or quasi-religious subjects, as well as churches, synagogues, or other houses of worship.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 634 Sports/Recreation/ Hobbies This category includes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 635 Alcohol Sites that promote, offer for sale, glorify , review, or in any w ay advocate the use or creation of alcoholic bever ages, including but not limited to beer , wine , and hard liquors.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 636 36.5.1 Content Filter Blocked and W arning Messages These are the content filtering warnin g messages.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 637 36.6 Content Filter Customization Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Customization to open the Customization screen.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 638 Allow W eb tr af fic for trusted web sites only When this box is selected, the Z yWALL blocks W eb access to sites that are not on the Trusted Web Sites list. If they are chosen carefully , this is the most effective way to block objectionable material.
Chapter 36 Co n te nt F ilt ering ZyWALL USG 2000 User’s Guide 639 36.7 Content Filter T echnical Reference This section provi des content filtering background informati on. Forbidden W eb Sites This list displays the forbidden web sites already added.
Chapter 36 Content Filtering ZyWALL USG 2000 U ser’s Guide 640 External Content Filter Server Lookup Procedure The content filter lookup process is described below . Figure 432 Content Filter Lookup Procedure 1 A computer behind the Z yW ALL tries to access a web site.
ZyWALL USG 2000 User’s Guide 641 C HAPTER 37 Content Filter Reports 37.1 Overview Y ou can view content filtering reports afte r y ou have activ ated the category -based content filtering sub scription service. See Chapter 11 on page 265 on how t o create a myZ yXEL.
Chapter 37 Content Filter Reports ZyWALL USG 2000 U ser’s Guide 642 2 Fill in your myZ yXEL.com account information and click Login . Figure 433 myZyXEL.
Chapter 3 7 Content Filt er Reports ZyWALL USG 2000 User’s Guide 643 3 A welcome screen displays. Cl ick your Z yWALL’ s model name and/or MAC address under Registered ZyXEL Products (the ZyW ALL 70 is shown as an example here).
Chapter 37 Content Filter Reports ZyWALL USG 2000 U ser’s Guide 644 4 In the Service Management screen click Content Filter in the Service Name column to open the content filter reports screens. Figure 435 myZyXEL.com: Service Ma nagement 5 In the Web Filter Home screen, click the Reports tab.
Chapter 3 7 Content Filt er Reports ZyWALL USG 2000 User’s Guide 645 6 Select items under Global Reports to view the corresponding reports. Figure 437 Content Filter Reports: Report Home 7 Select a .
Chapter 37 Content Filter Reports ZyWALL USG 2000 U ser’s Guide 646 8 A chart and/or list of requeste d web site categories disp lay in the lower half of the screen.
Chapter 3 7 Content Filt er Reports ZyWALL USG 2000 User’s Guide 647 9 Y ou can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requ es te d.
Chapter 37 Content Filter Reports ZyWALL USG 2000 U ser’s Guide 648.
ZyWALL USG 2000 User’s Guide 649 C HAPTER 38 Anti-Spam 38.1 Overview The anti-spam feature can mark or disc ard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use t he black list to identify spam e- mail.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 650 Black List Configure black list entri es to identify spam. The black list entries ha ve the Z yWALL classify an y e-mail that is from or forwarded by a specified IP address or uses a specified header field and header v alue as being spam.
Chapter 38 Anti-Spa m ZyWALL USG 2000 User’s Guide 651 E-mail Header Buffer Size The Z yW ALL has a 5 K buffer for an individu al e-mail header . If an e-mail’ s header is longer than 5 K, the Z yW ALL only checks up to the first 5 K.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 652 spam policies. Y ou can also select the action the Z yW ALL takes when the mail sessions threshold is reached. Figure 440 Configu ration > Anti-X > Anti-S pam > General The following table describes t he labels in this screen.
Chapter 38 Anti-Spa m ZyWALL USG 2000 User’s Guide 653 38.3.1 The Anti-S p am Policy Add or Edit Screen Click the Add or Edit icon in the Configuration > Anti-X > Anti-Spam > General screen to display the configur ation sc reen as shown next.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 654 check, which e-mail protocols to scan, the scanning options, and the action to t ake on spam tr affic. Figure 441 Configu ration > Anti-X > Anti-S pam > General > Add The following table describes t he labels in this screen.
Chapter 38 Anti-Spa m ZyWALL USG 2000 User’s Guide 655 38.4 The Anti-S p am Black List Screen Click Configuration > Anti-X > Anti-Spam > Black / White L ist to display the Anti-Spam Black List screen. Configure the black li st to identify spam e-mail.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 656 specific subject t ext. Click a column’ s heading cell to sort the table entries b y that column’s criteria.
Chapter 38 Anti-Spa m ZyWALL USG 2000 User’s Guide 657 38.4.1 The Anti-S p am Black or White List Add/Edit Screen In the anti-spam Black List or White List screen, click the Add icon or an Edit icon to displa y the following screen. Use this screen to configure an anti-spam bl ack list entry to identi f y spam e-mail.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 658 38.4.2 Regular Expressions in Black or White List Entries The following applies for a black or white li st entry based on an e-mail subj ect, e- mail address, or e-mail header v alue. • Use a question mark (?) to let a single char acter v ary .
Chapter 38 Anti-Spa m ZyWALL USG 2000 User’s Guide 659 38.5 The Anti-S p am White List Screen Click Configuration > Anti-X > Anti-Spam > Black/White List and then the White List tab to displa y the Anti-Spam White List screen. Configure the white list to identify legi timate e-mail.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 660 38.6 The DNSBL Screen Click Configuration > Anti-X > Anti-Spam > DNSBL to display the anti-spam DNSBL screen. Use this screen to co nfigure the Z yWALL to chec k the sender and relay IP addresses in e-mail headers ag ainst DNS (Domain Name Service)-based spam Black Lists (DNSBLs).
Chapter 38 Anti-Spa m ZyWALL USG 2000 User’s Guide 661 The following table describes t he labels in this screen. T able 177 Configuration > Anti-X > Anti-S p am > DNSBL LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser num ber of configuration fields.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 662 38.7 Anti-S p am T echnical Reference Here is more detailed anti-spam information. DNSBL • T h e Zy W A L L c he c k s o nl y p ub l i c s en de r a n d relay IP addresses, it does not check private IP addresses.
Chapter 38 Anti-Spa m ZyWALL USG 2000 User’s Guide 663 Here is an example of an e- mail classified as spam based on DNSBL repl ies. Figure 446 DNSBL S pam Detection Example 1 The Z yW ALL receives an e- mail that was se nt from IP address a.a.a.a and relay ed by a n e- ma il s erve r a t IP ad dre ss b.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 664 Here is an example of an e-mail classifi ed as legitimate based on DNSBL replies. Figure 447 DNSBL Legitimate E-mail Detection Example 1 The Z yWALL receives an e-mail that was sent f rom IP address c.
Chapter 38 Anti-Spa m ZyWALL USG 2000 User’s Guide 665 If the Z yW ALL rec eiv es conflic ting DNSBL repli es for an e-mail routing IP address, the Z yWALL classifies the e-mail as spam. Here is an example. Figure 448 Conflicting DN SBL Replies Exam ple 1 The Z yW ALL receives an e-mail that was sent from IP addres s a.
Chapter 38 Anti- S pa m ZyWALL USG 2000 U ser’s Guide 666.
ZyWALL USG 2000 User’s Guide 667 C HAPTER 39 Device HA 39.1 Overview Device HA lets a backup Z yW ALL ( B ) automatically tak e ov er if the master Zy W A L L ( A ) fails. Figure 449 Device HA Backup T aking Over for the Master 39.1.1 What Y ou Can Do in this Chapter •U s e t h e General screen ( Section 39.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 668 • Legacy mode allows for more complex relationships between the master and backup Z yW ALLs, such as active- active or using di fferent Z yW ALLs as the master Z yW ALL for individual interfaces.
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 669 39.2 Device HA General The Configuration > Device HA General screen lets you enable or disable device HA, and displa ys which device HA mode the Z yW ALL is set to use along with a summary of th e monitored inter fac es .
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 670 39.3 The Active-Passive Mode Screen Virtual Router The master and backup Z y WALL form a single ‘virtual router’ . In the following example, master Z yWALL A and backup Z yW ALL B form a virtual router .
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 671 B form a virtual router that uses cluster ID 1. Z y WALLs C and D form a virtual router that uses cluster ID 2. Figure 452 Cluster IDs for Multiple Virtual Routers Monitored Interfaces in Acti ve-Passive Mode Device HA Y ou can select which interfaces device HA monitors.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 672 192.168.1.5 and Z yW ALL B has its own LAN management IP address of 192.168.1.6. These do not change when Z yWALL B bec omes the master .
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 673 The following table describes t he labels in this screen. See Section 39.4 on page 675 for more information as well.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 674 Monitored Interface Summary This table shows the status of the device HA settings and status of t he Zy WA L L ’s i n t e r f a c e s . Edit Select an entry and click this to be able to modify it.
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 675 39.4 Configuring an Active-Passive Mode Monitored Interface The Device HA Active-Passive Mo de Monitored Interface Edit screen lets you enable or disable monitoring of an interface and set the interface’ s management IP address and subnet mask.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 676 A bridge interface’ s device HA settings ar e not retained if y ou del et e the bridge interface. Figure 455 Configuration > Dev ice HA > Active-Passi ve Mode > Edit The following table descri bes the labels in this screen.
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 677 39.5 The Legacy Mode Screen Virtual Router Redundancy Protocol (VRRP) Legacy mode device HA uses Virtual R out er R edundancy Protoc ol (VRRP) to create redundant backup gatewa ys to ensure that a default g ateway is always available.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 678 39.6 Configuring the Legacy Mode Screen The Device HA Legacy Mode screen lets you configure general legacy mode HA settings including link monitoring, co nfigure the VRRP group and synchronize backup Z yW ALLs.
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 679 R emove Select an entry and click this to delete it. Activate T o turn on an entry , select it and click Activa te . Activating a VRRP group has the Z yW ALL monitor the connection of the group’ s interface.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 680 Use the VRRP Group Add/Edit screen to add or edit VRRP groups. • Y ou can only use interfaces that ha ve static IP addresses. In addition, y ou should set the stat ic IP address t o the IP ad dress of the virtual router .
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 681 The following table descri bes the labels in this screen. T able 182 Configuration > Device HA > Legacy Mode > Add LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to display a greate r or lesser number of configur ation fields.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 682 39.7 Device HA T echnical Reference Active-Passive Mode Device HA with Bridge Interfaces Here are two wa ys to avoid a broadcast storm when you connect the bridge interfaces on two Z yWALLs.
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 683 1 Make sure the bridge i nterfaces of the master Z yWALL ( A ) and the backup Zy W A L L ( B ) are not connected. 2 Configure the bridge interface on the mast er ZyW ALL, set the bridge interface as a monitored interface, and act ivate device HA.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 684 4 Connect the Z yWALLs. Second Option for Connecting the Bridge Interfaces on T wo ZyW ALLs Another option is to disab le the bridge interfaces, connect the bridge interfaces, activ ate device HA, and finally reacti vate the bridge interfaces as shown in the following example.
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 685 2 Configure a corresponding disabled bridge int erface on the back up Z yWALL. Then set the bridge interface as a monitored interface, and activat e device HA. 3 Enable the bridge interface on the master Z yW ALL and then on the backup Zy WA L L .
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 686 Legacy Mode ZyW ALL VRRP Application In VRRP , a virtual router represents a nu mber of Zy WALLs associated with one IP address, the IP address of the default gateway . Each virtual router is identified by a unique 8-bit identifi cation number calle d a Virtual R outer ID (VR ID).
Chapter 39 Dev ice HA ZyWALL USG 2000 User’s Guide 687 If Z yWALL A becomes a vailable again, Z yW ALL A preempts ZyW ALL B and becomes the master again (the network returns to t he state shown in Figure 458 on page 686 ). Synchronization During synchronizat ion, the master Z yWALL sends the following in formation to the backup Z yW ALL.
Chapter 39 Device HA ZyWALL USG 2000 U ser’s Guide 688.
ZyWALL USG 2000 User’s Guide 689 C HAPTER 40 User/Group 40.1 Overview This chapter describes how t o set up user accounts, user groups, and user settings for the Z yWAL L. Y ou can also set up rules that c ontrol when users have to log in to the Z yWALL before the Zy WALL routes traffic for them.
Chapter 40 Us er /G ro up ZyWALL USG 2000 U ser’s Guide 690 Note: The default admin account is alwa ys authenticated locally , regardless of the authentication method setting. (See Chapter 44 on page 723 for more information about authenticat ion methods.
Chapter 40 User/Group ZyWALL USG 2000 User’s Guide 691 See Setting up User Attr ibutes in an External Server on page 7 03 for a lis t of attributes and how to set up the at tributes in an external server .
Chapter 40 Us er /G ro up ZyWALL USG 2000 U ser’s Guide 692 40.2 User Summary Screen The User screen provides a summary of all us er accounts. T o access this screen, login to th e W eb Configurator , an d click Config uration > Object > User/Grou p .
Chapter 40 User/Group ZyWALL USG 2000 User’s Guide 693 •- [ d a s h e s ] The first character must be alphabetical (A -Z a- z), an underscore (_), or a dash (- ).
Chapter 40 Us er /G ro up ZyWALL USG 2000 U ser’s Guide 694 The following table describes t he labels in this screen. T able 185 Configuration > User/Group > User > Add LABEL DESCRIPTION User Name T ype the user name for this user account.
Chapter 40 User/Group ZyWALL USG 2000 User’s Guide 695 40.3 User Group Summary Screen User groups consist of access users and other user groups. Y ou cannot put admin users in user groups. The Gr oup screen provides a summar y of all user groups. In addition, this screen allows y o u to add, edi t, and remove user groups.
Chapter 40 Us er /G ro up ZyWALL USG 2000 U ser’s Guide 696 40.3.1 Group Add/Edit Screen The Group Add/Edit screen allows you to create a new user group or edit an existing one. T o access this screen, go to the Group screen (see Section 40.3 on page 695 ), and click either the Ad d icon or an Edit icon.
Chapter 40 User/Group ZyWALL USG 2000 User’s Guide 697 40.4 Setting Screen The Setting screen controls default settings, login settings, loc kout settings, and other user settings for the Z yWAL L. Y ou ca n also use this screen to specify when users must log in to the Z yW ALL before it routes tr affic for them.
Chapter 40 Us er /G ro up ZyWALL USG 2000 U ser’s Guide 698 T o access this screen, lo gin to the W eb Configur ator , and click Configuration > Object > User/Group > Setting . Figure 464 Configuration > Obje ct > User/Group > Setti ng The following table descri bes the labels in this screen.
Chapter 40 User/Group ZyWALL USG 2000 User’s Guide 699 User T ype These are the kinds of user account the ZyW ALL supports. • admin - this user can look at and change the configuration of the Z yW.
Chapter 40 Us er /G ro up ZyWALL USG 2000 U ser’s Guide 700 40.4.1 Default User Authenti cation T imeout Settings Edit Screens The Default Authentication Timeout Settings Edit screen allows y ou to set the default au th ent ication time out settin g s for th e selected typ e of us er acc o u nt.
Chapter 40 User/Group ZyWALL USG 2000 User’s Guide 701 T o access this screen, g o to the Configuration > Obje ct > User/Group > Setting screen (see Section 40.4 on page 697 ), and click one of the Default Authentication Timeout Settings section’s Edit icons.
Chapter 40 Us er /G ro up ZyWALL USG 2000 U ser’s Guide 702 40.4.2 User A ware Login Example Access users cannot use the W eb Configurator to browse the configuration of the Z yWALL . Instead, after access users lo g into the Z y WALL, the following screen appears.
Chapter 40 User/Group ZyWALL USG 2000 User’s Guide 703 40.5 User /Group T echnical Reference This section provi des some informat ion on us e rs who use an exte rn al authentication server in order to log in.
Chapter 40 Us er /G ro up ZyWALL USG 2000 U ser’s Guide 704.
ZyWALL USG 2000 User’s Guide 705 C HAPTER 41 Addresses 41.1 Overview Address objects can represent a single IP address or a r ange of IP addresses. Address groups are composed of addr ess objects and other address groups. 41.1.1 What Y ou Can Do in this Chapter •T h e Address screen ( Section 41.
Chapter 41 Add re sse s ZyWALL USG 2000 U ser’s Guide 706 • RANGE - a range address is defined by a Starting IP Address and an Ending IP Address . • SUBNET - a network address is defined by a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the Z yWALL.
Chapter 41 Addresses ZyWALL USG 2000 User’s Guide 707 41.2.1 Address Add/Edit Screen The Configuration > Address Add/Edit screen allows you to create a new address or edit an existing one. T o access this screen, go to t he Address screen (see Section 41.
Chapter 41 Add re sse s ZyWALL USG 2000 U ser’s Guide 708 41.3 Address Group Summary Screen The Address Group screen provides a summary of all address groups. T o access this screen, click C onfiguration > Object > Address > Address Group .
Chapter 41 Addresses ZyWALL USG 2000 User’s Guide 709 41.3.1 Address Group Add/Edit Screen The Address Group Add/Edit screen allows you to create a new addres s group or edit an existing one. T o access this screen, go to the Address Group screen (see Section 41.
Chapter 41 Add re sse s ZyWALL USG 2000 U ser’s Guide 710.
ZyWALL USG 2000 User’s Guide 71 1 C HAPTER 42 Services 42.1 Overview Use service objects to define T CP applications, UDP applicat ions, and ICMP messages. Y ou can also create service groups to refer to mul tiple service objects in other features. 42.
Chapter 42 Serv ice s ZyWALL USG 2000 U ser’s Guide 712 Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number . Some port numbers hav e b een standardized and are used by low- level system processes; man y othe rs have no particular meaning.
Chapter 42 Services ZyWALL USG 2000 User’s Guide 713 entries by that col umn’s criteria. Click the heading cell again to reverse the sort order . Figure 473 Configu ration > Object > Service > Service The following table describes t he labels in this screen.
Chapter 42 Serv ice s ZyWALL USG 2000 U ser’s Guide 714 42.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. T o access this screen, go to the Service scre en (see Section 42.2 on page 712 ), and click either the Ad d icon or an Edit icon.
Chapter 42 Services ZyWALL USG 2000 User’s Guide 715 T o access this screen, l og in to the W eb Confi gurator , and cli ck Configuration > Object > Service > Service Group . Figure 475 Configu ration > Object > Service > Service Group The following table describes the labels in this screen.
Chapter 42 Serv ice s ZyWALL USG 2000 U ser’s Guide 716 42.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. T o access this screen, go to the Service Group screen (see Section 42.
ZyWALL USG 2000 User’s Guide 717 C HAPTER 43 Schedules 43.1 Overview Use schedules to set up one-time and recurring schedules for policy routes, firewall rul es, application patrol, and co ntent filtering. The Z yW ALL supports one- time and recurring schedules.
Chapter 43 Sc he du le s ZyWALL USG 2000 U ser’s Guide 718 Finding Out More • See Section 6.6 on page 114 for rel ated informat ion on these screens. • See Section 50.3 on page 785 for information about the Z yW ALL’ s current date and time. 43.
Chapter 43 Sc hedules ZyWALL USG 2000 User’s Guide 719 43.2.1 The One-T ime Schedule Add/Edit Screen The One-Time Schedule Add/Edit screen allows you to define a one-ti me schedule or edit an existing one. T o access this screen, go to the Schedule screen (see Section 43.
Chapter 43 Sc he du le s ZyWALL USG 2000 U ser’s Guide 720 43.2.2 The Recurring Schedule Add/Edit Screen The Recurring Schedule Add/Edit screen allows you to defi ne a recurring schedule or edit an existing one. T o access this screen, go to the Schedule screen Date Time StartDate Specify the year , month, and day when the schedule begins.
Chapter 43 Sc hedules ZyWALL USG 2000 User’s Guide 721 (see Section 43.2 on page 718 ), and click either the Add icon or an Edit icon i n the Recurring se ct ion. Figure 479 Configu ration > Object > Schedule > Edit (Recurring) The Year , Month , and Day columns are not used in recurring sched ules and are disabled in this screen.
Chapter 43 Sc he du le s ZyWALL USG 2000 U ser’s Guide 722.
ZyWALL USG 2000 User’s Guide 723 C HAPTER 44 AAA Server 44.1 Overview Y ou can use a AAA (Authentication, Authori zation, Accounting) server t o provide access control to your network. The AAA serv er can be a Acti ve Directory , LDAP , or RADIUS server .
Chapter 44 AAA Server ZyWALL USG 2000 U ser’s Guide 724 44.1.2 RADIUS Server RADIUS (Remote Authentication Dial- In User Service) authentication is a popular protocol used to au thenticate use rs by me ans of an external server instead of (or in addition to) an internal device user database that is l imited to the memory capacity of the d evice.
Chapter 44 AAA Server ZyWALL USG 2000 User’s Guide 725 •U s e t h e Configuration > Object > AAA Serv er > RADIUS screen ( Section 44.3 on page 729 ) to configure the default extern al RADIUS server to use for user authentication.
Chapter 44 AAA Server ZyWALL USG 2000 U ser’s Guide 726 organizational boundaries. The following figure shows a basic directory structure branchi ng from countries to organizations to organization al units to individuals. Figure 482 Basic Direc tory S tru cture Distinguished Name (DN) A DN uniquely identifies an entry in a directory .
Chapter 44 AAA Server ZyWALL USG 2000 User’s Guide 727 • See Section 7.7 on page 142 for an example of how to use a RADIUS server to authenticate user acco unts based on groups.
Chapter 44 AAA Server ZyWALL USG 2000 U ser’s Guide 728 following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 484 Configura tion > Object > AAA Server > Active Directory (or LDAP) > Ad d The following table describes t he labels in this screen.
Chapter 44 AAA Server ZyWALL USG 2000 User’s Guide 729 44.3 RADIUS Server Summary Use the RADIUS screen to manage the list of RADIUS servers the Z yW ALL can use in authenticating users. Base DN Specify the directory (up to 127 alphanumerical characters).
Chapter 44 AAA Server ZyWALL USG 2000 U ser’s Guide 730 Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 485 Configuration > Object > AAA Server > RADIUS The following table describes t he labels in this screen.
Chapter 44 AAA Server ZyWALL USG 2000 User’s Guide 731 44.3.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to disp lay the followi ng screen. Use this screen to create a new AD or LDAP entry or edit an existing one.
Chapter 44 AAA Server ZyWALL USG 2000 U ser’s Guide 732 Timeout S pecify the timeout period (betwee n 1 and 300 seconds) before the Z yWALL disconn ects from the RADIUS server . In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
ZyWALL USG 2000 User’s Guide 733 C HAPTER 45 Authentication Method 45.1 Overview Authentication method objects set ho w the ZyW ALL authentica te s HTTP/HT TPS clients, peer IPSec routers (extended au thentication ), and L2 T P V PN clients.
Chapter 45 Auth en tic ation Method ZyWALL USG 2000 U ser’s Guide 734 3 Select Server Mode and select an auth entication method object from the drop- down list box. 4 Click OK to sav e the settings. Figure 487 Example: Using Authentication Method in VPN 45.
Chapter 45 Authentication Method ZyWALL USG 2000 User’s Guide 735 45.2.1 Creating an Authentication Method Object Follow the steps below to create an au thenticati on me thod object. 1 Click Configuration > Object > Auth. Method . 2 Click Add .
Chapter 45 Auth en tic ation Method ZyWALL USG 2000 U ser’s Guide 736 7 Click OK to sav e the settings or click Cancel to discard all changes and return to the previous screen. Figure 489 Configuration > O bj e ct > Auth. Method > Ad d The following table describes t he labels in this screen.
Chapter 45 Authentication Method ZyWALL USG 2000 User’s Guide 737 Add icon Click Add to add a new entry . Click Edit to edit the settings of an entry . Click Delete to delete an entry . OK Click OK to sa ve the changes. Cancel Click Cancel to discard the changes.
Chapter 45 Auth en tic ation Method ZyWALL USG 2000 U ser’s Guide 738.
ZyWALL USG 2000 User’s Guide 739 C HAPTER 46 Certificates 46.1 Overview The Z yWALL can use certificates (also call ed digital IDs) to authenticate us ers. Certificates are based on public-priv ate k ey pairs. A certificate contains the certificate owner’ s identity and public k ey .
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 740 2 Tim keeps the private key and makes the pu blic key op enly av ailable. This means that anyone who receives a message seeming to come from Tim c an read it and verify whether it is really from him or not.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 741 Factory Default Certificate The Zy W ALL gener ates its own unique self -s igned certific ate when you first turn it on. This cert if i cat e is referred to in the GUI as the fa ctory defau lt ce rtificate.
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 742 2 Make sure that the certificat e has a “. cer” or “.crt” file name extension. Figure 490 Remote Ho st Certi fica tes 3 Double-click the certificate’ s icon to open the Certificate window .
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 743 46.2 The My Certificates Screen Click Configuration > Object > Ce rtificate > My Certificates to open the My Certificates screen. This is th e Z yWALL’ s summa r y l ist of certificat es and certification requests.
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 744 46.2.1 The My Certificates Add Screen Click Configuration > Object > Cert ificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the T ype This field displays what kind of certificate this is.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 745 Z yWALL create a self-si gned certificate, enroll a certificate with a certification authority or gener ate a certification request.
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 746 The following table describes t he labels in this screen. T able 210 Configuration > Object > Certificate > My Certificates > Add LABEL DESCRIPTION Name T ype a name to identify this certificate.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 747 Create a certification request and save it locally for later manual enrollment Select this to have the Z yWALL gener ate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority .
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 748 If you confi gu red the My Certificate Create screen to hav e the Zy WALL enroll a certificate and the certificate enrol lment is not successful, y ou see a screen with a Return button that take s you back to the My Certificate Create screen.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 749 46.2.2 The My Certificates Edit Screen Click Configuration > Object > Cert ificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. Y ou can use this screen to view in-depth certificate information an d change the certificate’ s name.
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 750 The following table describes t he labels in this screen. T able 21 1 Configuration > Object > Certificate > My Certificates > Edit LABEL DESCRIPTION Name This field displays the identifying name of this certificate.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 751 K ey Algorithm This field displays the type of algorithm that was used to generate the certificate’s k ey pair (the Z yWALL uses RS A encryption) and the length of the key set in bits (1024 bits for example).
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 752 46.2.3 The My Certificates Import Screen Click Configuration > Object > Certific ate > My Certificates > Import to open the My Certificate Import screen. F ollow the instructions in this screen to save an exi sting certificate to t he Z yWALL.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 753 46.3 The T rusted Certificates Screen Click Co nfiguration > Object > Cert ificate > Truste d Certificates to open the Trusted Certificates screen. This screen d isplays a summary list of certificates that yo u have s et th e ZyW ALL to acce pt as trusted.
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 754 46.3.1 The T rusted Certificates Edit Screen Click Configuration > Object > Cert ificate > Trusted Certificates and then a certificate’ s Edit icon to open the Trusted Certificates Edit screen.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 755 authority’ s list of revo k ed certificates befo re trusting a certificate issued by the certification authority .
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 756 The following table describes t he labels in this screen. T able 214 Configuration > Object > Certificate > T rusted Certificates > Edit LABEL DESCRIPTION Name This field displays the identifyin g name of this certificate.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 757 T ype This field displays general inform ation about the certifica te. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’ s owne r signed the certificate (not a certification authority).
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 758 46.3.2 The T rusted Certificates Import Screen Click Configuration > Object > Certificat e > Trusted Certificates > Import to open the Trusted Certifica tes Import screen. Follow the inst ructions in this screen to save a trusted certificate to the Z yW ALL.
Chapter 46 Certificates ZyWALL USG 2000 User’s Guide 759 The following table describes t he labels in this screen. 46.4 Certificates T echnical Reference OCSP OCSP (Online Certificate Stat us Protocol) allows an application or device to check whether a certificate is v alid.
Chapter 46 Certificates ZyWALL USG 2000 U ser’s Guide 760.
ZyWALL USG 2000 User’s Guide 761 C HAPTER 47 ISP Accounts 47.1 Overview Use ISP accounts to manage Internet Se rvice Prov ider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPP oE or PPTP .
Chapter 47 IS P Accoun ts ZyWALL USG 2000 U ser’s Guide 762 The following table describes t he labels in this screen. See the ISP Accou nt Ed it section below for more information as well. 47.2.1 ISP Account Edit The ISP Account Edit screen lets you add i nformation about new accounts and edit inform ation about existing ac coun ts.
Chapter 47 IS P Accoun ts ZyWALL USG 2000 User’s Guide 763 The following table describes t he labels in this screen. T able 217 Configuration > Object > ISP Account > Edit LABEL DESCRIPTION Profile Name This field is read-only if you ar e editing an existing account.
Chapter 47 IS P Accoun ts ZyWALL USG 2000 U ser’s Guide 764 Compression Select On button to turn on stac compression, and select Off to turn off stac compression. Stac compression is a data compression technique capable of compressing data by a factor of about fou r .
ZyWALL USG 2000 User’s Guide 765 C HAPTER 48 SSL Application 48.1 Overview Y ou use S S L application objects in S SL VPN. Configure an SSL application object to specify the t ype of application and the address of t he local computer , server , or web site SSL us ers are to be able to access.
Chapter 48 SSL Application ZyWALL USG 2000 U ser’s Guide 766 Remote Desktop Connections Use SSL VPN to allow remote users to ma nage LAN computers. Depending on the functions supported by the remote deskto p softw are, they can install or remove software, run progr ams, change set tings, an d open, copy , create, and delete files.
Chapter 48 SSL Application ZyWALL USG 2000 User’s Guide 767 2 Click the Add button and select Web Application in the Ty pe field. In the Server Type field, select Web Server . Enter a descriptive name in t he Display Name field. For example, “CompanyIntranet” .
Chapter 48 SSL Application ZyWALL USG 2000 U ser’s Guide 768 The following table describes t he labels in this screen. 48.2.1 Creating/Editing a W eb-based SSL Application Object A web-based application all ows remote user s to access an application via standard web browsers.
Chapter 48 SSL Application ZyWALL USG 2000 User’s Guide 769 The following table describes t he labels in this screen. T able 219 Configuration > Object > SSL Application > Add/Edit: Web Applica tion LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings This displays for VNC or RDP type web application objects.
Chapter 48 SSL Application ZyWALL USG 2000 U ser’s Guide 770 48.2.2 Creating/Editing a File Sharing SSL Application Object Y ou can specify the name of a folder on a file server (Li nux or Windows) which remote users can access. R emote users can access files using a standard web browser and files are displa yed as links on the screen.
Chapter 48 SSL Application ZyWALL USG 2000 User’s Guide 771 The following table describes t he labels in this screen. T able 220 Configuration > Object > SSL Application > Add/Edit: File Sh aring LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen.
Chapter 48 SSL Application ZyWALL USG 2000 U ser’s Guide 772.
ZyWALL USG 2000 User’s Guide 773 C HAPTER 49 Endpoint Security 49.1 Overview Use Endpoint Security (EPS), also known as endpoi nt control, to make sure users’ computers comply with defined corpor ate policies before they can access the network or an SSL VPN tunnel.
Chapter 49 End po int Secu rity ZyWALL USG 2000 U ser’s Guide 774 49.1.1 What Y ou Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens ( Sect ion 49.2 on page 775 ) to create and manage endpoint securit y objects.
Chapter 49 Endpoint Security ZyWALL USG 2000 User’s Guide 775 49.2 End point Security Screen The Endpoint Security screen displays the endpoi nt security objects you have configured on the Z yWALL. Click Configuration > Obje ct > E nd point Security to display the screen.
Chapter 49 End po int Secu rity ZyWALL USG 2000 U ser’s Guide 776 Apply Click this button to save your changes to the Z yW ALL. R eset C lick this button to return the screen to its last -saved settings.
Chapter 49 Endpoint Security ZyWALL USG 2000 User’s Guide 777 49.3 End point Security Add/Edit Click Configuration > Object > Endpo int Security and then the Add (or Edit ) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint secu rity object.
Chapter 49 End po int Secu rity ZyWALL USG 2000 U ser’s Guide 778 Figure 508 Configuration > O bject > Endpoint Secu rit y > Add.
Chapter 49 Endpoint Security ZyWALL USG 2000 User’s Guide 779 The following table giv es an overview of the objects you can configure. T able 222 Configuration > Object > End point Security &g.
Chapter 49 End po int Secu rity ZyWALL USG 2000 U ser’s Guide 780 Checking Item - Personal Firewall If you selected Windows as the operating system, you can select whether or not the user’s computer is required to have personal firew all softw are installed.
Chapter 49 Endpoint Security ZyWALL USG 2000 User’s Guide 781 Checking Item - File Information If you selected Windows or Linux as the oper ating system, you can use this table to check details of specific files on the user’s computer .
Chapter 49 End po int Secu rity ZyWALL USG 2000 U ser’s Guide 782.
ZyWALL USG 2000 User’s Guide 783 C HAPTER 50 System 50.1 Overview Use the system screens to configure general Z yW ALL settings. 50.1.1 What Y ou Can Do in this Chapter •U s e t h e System > Host Name screen (see Section 50.2 on page 784 ) to configure a unique name for the ZyW ALL in your network.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 784 • Connect an external seri al modem to the AUX port to provid e a management connection in case the Z yW ALL’ s ot her W AN connections are down. Use the System > Dial-in Mgmt. screen (see Section 50.
Chapter 50 System ZyWALL USG 2000 User’s Guide 785 50.3 Date and T ime For ef fective scheduling and logg ing, the Z yWAL L system time must be accurat e.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 786 Manual Select this radio button to en ter the time and date manually . If you configure a new time and date, time zone and daylight sa ving at the same time, the time zone and daylight saving will affect the new time and date you entered.
Chapter 50 System ZyWALL USG 2000 User’s Guide 787 50.3.1 Pre-defined NTP T ime Servers List When you turn on the Z yW ALL for the firs t time, the date and time start at 2003- 01-01 00:00:00. The Z yW ALL then attempts to synchronize with one of the following pre-defined list of Netw ork Time Protocol (NTP) time servers.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 788 50.3.2 T ime Server Synchronization Click the Synchronize Now button to get the time and date from the t ime server you specified in the Time Server Address field. When the Please Wait... screen a ppears, you may have to wait up to one minute.
Chapter 50 System ZyWALL USG 2000 User’s Guide 789 5 Under Time and Date Setup , enter a Time Server A ddress ( T able 225 on page 787 ). 6 Click Apply . 50.4 Console Port S peed This section shows you how to set the cons ole port speed when you connect to the Z yWALL via the console port using a terminal emulation program.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 790 50.5.1 DNS Server Address Assignment The Z yWALL can get the DNS server ad dresses in the following w ays. • The ISP tells you the DNS serv er addresses, usually in the form of an info r matio n sh e e t, wh e n you si gn up.
Chapter 50 System ZyWALL USG 2000 User’s Guide 791 The following table describes t he labels in this screen. T able 227 Configuration > System > DNS LABEL DESCRIPTION Address/PTR Rec o r d This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 792 DNS Serv er This is the IP address of a DN S server . This field displays N/A if you have the Z yW ALL get a DNS server IP address from the ISP dynamically but the specified interface is not active.
Chapter 50 System ZyWALL USG 2000 User’s Guide 793 50.5.3 Address Record An address record contains the mapping of a Fully-Qua lified Domain Name (FQDN) to an IP address.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 794 The following table describes t he labels in this screen. 50.5.6 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address. The Z yW ALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server .
Chapter 50 System ZyWALL USG 2000 User’s Guide 795 The following table describes t he labels in this screen. 50.5.8 MX Record A MX (Mail eXchange) record indicat es whic h host is respons ibl e for the mail for a particular domain, that is, c ontrols where mail is sent for that domain.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 796 50.5.9 Adding a MX Record Click the Add icon in the MX Record table to add a MX record. Figure 516 Configuration > Syste m > DNS > MX Record Add The following table describes t he labels in this screen.
Chapter 50 System ZyWALL USG 2000 User’s Guide 797 The following table describes t he labels in this screen. 50.6 WWW Overview The following figure shows secure and insecure management of the Z yW ALL coming in from the W AN. HT TPS and SSH access are secure.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 798 • See T o-Z yW ALL Rules on page 424 for more on T o-ZyW ALL firewall rules. • See Section 7.9 on page 147 for an example of configuring service control to block administr ator HT TPS access from all z ones except the LAN.
Chapter 50 System ZyWALL USG 2000 User’s Guide 799 It relies upon certificates, p ublic keys, and priv ate keys (see Chapter 46 on page 739 for more information). HT TPS on the Z yW ALL is used so that you can securely access the Z yW ALL using the W eb Configurator .
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 800 Note: Admin Service Contro l deals with management access (to the W eb Configurator). User Service Control deals with user access to the ZyW A LL (logging into SSL VPN for example).
Chapter 50 System ZyWALL USG 2000 User’s Guide 801 Server P ort The HTTPS server listens on port 443 by default. If you change the HT TPS server port to a different number on the ZyW ALL, for example 8443, then you must notify people who need to acce ss the Z yW ALL W eb Configurator to use “https://Z yWALL IP Address: 8443 ” as the URL.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 802 HT TP Enable Select the check box to allow or disallo w the computer with the IP address that matches the IP address(es) in the Serv ice Con trol table to access the Z yW ALL W eb Configur ator using HT TP connections.
Chapter 50 System ZyWALL USG 2000 User’s Guide 803 50.6.5 Service Control Rules Click Add or Edit in the Service Cont rol table in a WWW , SSH , Telnet , FTP or SNMP screen to add a service control rule. Figure 521 Configur ation > System > Service Control Rule > Edit The following table describes t he labels in this screen.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 804 also customize the page that di splays after an access user l ogs into the W eb Configurator to access network servi ces like the In ternet. See Chapter 40 on page 689 for more on access user accounts.
Chapter 50 System ZyWALL USG 2000 User’s Guide 805 The following figures identify the p arts you can customize in the login and access pages. Figure 523 Login Page Customization Figure 524 Access Pa.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 806 •C l i c k Color to displa y a screen of web-safe colo rs from which to choose. • Enter the name of the desired color . • Enter a pound sig n (#) followed by the six -digit hexadecimal number that represents the desired color .
Chapter 50 System ZyWALL USG 2000 User’s Guide 807 50.6.7 HTTPS Example If you hav e n’t changed the default HT TP S port on the ZyW ALL, then i n your browser enter “https://Z yW ALL IP Addre ss/” as the web site address where “Z yWALL IP Address” is the IP address or domain name of the Z yWALL y ou wish to access.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 808 50.6.7.2 Net scape Na vigator W arning Messages When you attempt to access the Z yWALL HT TPS server , a Website Certified by an Unknown Authority scre en p ops up as king if yo u tr ust the server certificate.
Chapter 50 System ZyWALL USG 2000 User’s Guide 809 • The issuing certificat e authority of the Z yW ALL’ s HT TPS server certificate is not one of the browser’s trusted certificate authorities.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 810 Apply for a certificate from a Certificatio n Au thority (CA) that is trusted by the Z yWALL (see the Z yW ALL’ s Trusted C A We b C o n f i g u ra t o r sc r e e n ) .
Chapter 50 System ZyWALL USG 2000 User’s Guide 81 1 50.6.7.5.2 Installing Y our Personal Certificate(s) Y ou ne ed a password in advance. The CA may issue the password or you may have to specify it during th e enrollment.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 812 3 Enter the password g iven to yo u by the CA. Figure 533 Persona l Certificate Import Wizard 3 4 Have the wizard determine where the ce rtificate should be sav ed on your computer or se le ct Place all certificates in the following store and choose a different location.
Chapter 50 System ZyWALL USG 2000 User’s Guide 813 5 Click Finish to complet e the wi zard and begin the import process. Figure 535 Persona l Certificate Import Wizard 5 6 Y ou should see the following scre en when the certificate is correctly installed on your com put er .
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 814 2 When Authenticate Client Certificates is selected on the Z yW ALL, the following screen asks you t o select a personal cert ificate to send to th e ZyW ALL. This screen displays ev en if you only ha ve a si ngle certificate as in the example.
Chapter 50 System ZyWALL USG 2000 User’s Guide 815 SSH is a secure communication protocol t hat combines authentication and data encryption to provide secure encryp ted communication between two hosts over an unsecured network.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 816 2 Encryption Method Once the identification is v erified, both the client and server must agree on the type of encryption method t o use.
Chapter 50 System ZyWALL USG 2000 User’s Guide 817 Note: It is recommended that you disable T elnet and FTP when you configure SSH for secure connections. Figure 542 Configuration > Syst em > SSH The following table describes t he labels in this screen.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 818 50.7.5 Secure T elnet Using SSH Examples This section shows two examples usin g a command interface and a gr aphical interface SSH client progr am to remotely access the Z yW ALL. The configurati on and connection steps are similar for most S SH client prog r ams.
Chapter 50 System ZyWALL USG 2000 User’s Guide 819 Enter the password to log in to the Z yW ALL. The CLI screen displays next. 50.7.5.2 Example 2: Linux This section describes how to access the Z yW ALL using the OpenSSH client program t hat comes with most Linux dis tributions.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 820 50.8.1 Configuring T elnet Click Configuration > System > TELNET to configure your Z yWALL for remote T elnet access. Use this screen to specify from whi ch zones T elnet can be used to manage the Z yW ALL.
Chapter 50 System ZyWALL USG 2000 User’s Guide 821 50.9 FTP Y ou can upload and download the Z yWALL’ s firmware a nd configuration files using FTP . T o use this feature , your computer must have an FTP client. Please see Chapter 52 on page 847 for more information about firmw are and configuration files.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 822 be used to access the Z yW ALL. Y ou can also specify from which IP addresses the access can come. Figure 547 Configu ration > System > FTP The following table describes t he labels in this screen.
Chapter 50 System ZyWALL USG 2000 User’s Guide 823 50.10 SNMP Simple Network Manageme nt Protocol is a protocol used for ex changing management information between network de vices. Y our ZyW ALL supports SNMP agent functionality , which allows a manager stat ion to manage and monitor the Z yW ALL through the network.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 824 and version two (SNMPv2c). The next fi gure illustrates an SNMP management operation. Figure 548 SNMP Manageme nt Model An SNMP managed network consists of two main types of component: agents and a manager .
Chapter 50 System ZyWALL USG 2000 User’s Guide 825 • GetNext - Allows the manager to retriev e the next object v ariable from a table or list within an agent. In SNMPv1, when a manager wants to retriev e all elements of a table from an agent, it initiates a Get operat ion, followed by a series of GetNext oper ations.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 826 settings, including from which z ones SNMP can be used to access the Z y W ALL. Y ou can also specify from whi ch IP addresses the access can come. Figure 549 Configuration > Sy st em > SNMP The following table describes t he labels in this screen.
Chapter 50 System ZyWALL USG 2000 User’s Guide 827 50.1 1 Dial-in Management Connect an external serial modem t o the AUX port to provi de a management connection in case the Z yW ALL’ s other WA N connections are down.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 828 Hang Up check box is selected, the Z yW ALL uses this hardware signal to force the WAN device to hang up, in addition to i ssuing the drop command ATH .
Chapter 50 System ZyWALL USG 2000 User’s Guide 829 50.12 V ant age CNM V antage CNM (Centr alized Network Management) i s a browser-based global management solution that allows an admi nistr ator from any lo cation to easily configure, manage, monitor and troubleshoot Z yXEL devices located worldwide.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 830 50.12.1 Configuring V antage CNM V antage CNM is disabled on th e devi ce by default. Click Configuration > System > Vantage CNM to configure your device’ s V antage CNM setti ngs.
Chapter 50 System ZyWALL USG 2000 User’s Guide 831 Tr a n s f e r Protocol Select whether the V antage CNM sessions should use regular HT TP connections or secure HT TPS connections. Note: HTTPS is recommended. The V antage CNM server must u se the same setting.
Chapter 50 Sy stem ZyWALL USG 2000 U ser’s Guide 832 50.13 Language Screen Click Configuration > Sys tem > Language to open the following screen.
ZyWALL USG 2000 User’s Guide 833 C HAPTER 51 Log and Report 51.1 Overview Use these screens to configure da ily reportin g an d log sett in gs. 51.1.1 What Y ou Can Do In this Chapter •U s e t h e Email Daily Report screen ( Section 51.2 on page 833 ) to config ure where and how to send daily reports and what reports to s end.
Chapter 51 Log and Report ZyWALL USG 2000 U ser’s Guide 834 Click Configuration > Log & Report > Email Daily Report to displa y the following screen. Configure this screen to have t h e ZyW ALL e - mail yo u sys t em statistics ev ery day .
Chapter 51 Log and Report ZyWALL USG 2000 User’s Guide 835 The following table describes t he labels in this screen. 51.3 Log Setting Screens The Log Setting screens control log messages and alerts.
Chapter 51 Log and Report ZyWALL USG 2000 U ser’s Guide 836 The Log Setting tab also controls what information is saved in each log. Fo r the system log, you can also specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed.
Chapter 51 Log and Report ZyWALL USG 2000 User’s Guide 837 51.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes th e e-mail profiles). Go to the Log Settings Summary screen (see Section 51.
Chapter 51 Log and Report ZyWALL USG 2000 U ser’s Guide 838 Figure 555 Configu ration > Log & Report > Log Setting > Edit (Syste m Log).
Chapter 51 Log and Report ZyWALL USG 2000 User’s Guide 839 The following table describes t he labels in this screen. T able 245 Configuration > Log & Report > Log Setting > Edit (System Log ) LABEL DESCRIPTION E-Mail Se rv er 1/2 Active Sele ct this to send log messages and alerts according to the information in this section.
Chapter 51 Log and Report ZyWALL USG 2000 U ser’s Guide 840 E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.
Chapter 51 Log and Report ZyWALL USG 2000 User’s Guide 841 Active Sele ct this to activate log consolidation. Log consolidation aggregates multiple log messages th at arrive within the specified Log Consolidation Interval .
Chapter 51 Log and Report ZyWALL USG 2000 U ser’s Guide 842 51.3.3 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 51.
Chapter 51 Log and Report ZyWALL USG 2000 User’s Guide 843 The following table describes t he labels in this screen. T able 246 Configuration > Log & Report > Log Setting > Edit (Remote.
Chapter 51 Log and Report ZyWALL USG 2000 U ser’s Guide 844 51.3.4 Active Log Summary Screen The Active L og Summary screen allows you to vi ew and to edit what information is included in the system log, e-mail profiles, and remote servers at the same time.
Chapter 51 Log and Report ZyWALL USG 2000 User’s Guide 845 The following table describes t he fields in this screen. T able 247 Configuration > Log & Report > Log Setting > Active Log Summary LABEL DESCRIPTION System log Use the System Log drop-down list to change the log settings for all of the log categories.
Chapter 51 Log and Report ZyWALL USG 2000 U ser’s Guide 846 Syst em log Select whi ch events y ou want to log by Log Category . There are three choices: disable all logs (red X) - do not log any inf.
ZyWALL USG 2000 User’s Guide 847 C HAPTER 52 File Manager 52.1 Overview Configuration files d efine the Z yW ALL’ s settings. Shell scrip ts are files of commands that you can store on the Z y W ALL and run when you need them. Y ou can apply a configuration file or run a sh ell script without the Z yW ALL restarting.
Chapter 52 File Manager ZyWALL USG 2000 U ser’s Guide 848 These files have the same syntax, which is also identical to the way y ou run CLI commands manually . An example is shown below . While configur ation files and shell scri pts hav e the same syntax, the Z yW ALL applies configur ation files differently than it runs shell scripts.
Chapter 52 File Manager ZyWALL USG 2000 User’s Guide 849 Y our configuration files or shell scri pts can use “exit” or a command line consisting of a single “! ” to have the Z yW ALL exit sub c ommand mode. Note: “exit” or “!'” must follow sub commands if it is to make the ZyW ALL exit sub command mode.
Chapter 52 File Manager ZyWALL USG 2000 U ser’s Guide 850 52.2 The Configuration File Screen Click Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configur at ion files.
Chapter 52 File Manager ZyWALL USG 2000 User’s Guide 851 The following table describes t he labels in this screen. T able 249 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Ren a m e Use this button to change the label of a configur ation file on the ZyW ALL.
Chapter 52 File Manager ZyWALL USG 2000 U ser’s Guide 852 Copy Use this button to sav e a duplicate of a configuration file on the ZyW ALL. Click a configuration file’ s row to select it and click Copy to open the Copy File screen.
Chapter 52 File Manager ZyWALL USG 2000 User’s Guide 853 Apply Use this button to have the Z yW ALL use a specific configur ation file. Click a configuration file’ s row to select it and click Apply to have th e Z yWALL use that configuration file.
Chapter 52 File Manager ZyWALL USG 2000 U ser’s Guide 854 52.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmw are to the ZyW ALL.
Chapter 52 File Manager ZyWALL USG 2000 User’s Guide 855 Note: The Web Configurator is the recommended method for uploading firmware. Y ou only need to use the comma nd line interface if you need to recover the firmware. See the CLI Reference Guide for how to d etermine if you need to recover the firmware and how to recover it.
Chapter 52 File Manager ZyWALL USG 2000 U ser’s Guide 856 After you see the Firmware Upload in Process screen, wait two minu tes befor e logging in to the ZyW ALL a ga i n . Figure 564 Firmware Upload In Process Note: The ZyW ALL automatically reboot s after a successful uploa d.
Chapter 52 File Manager ZyWALL USG 2000 User’s Guide 857 Note: Y ou should include write commands in your script s. If you do not use the write command, the changes will be lost when the ZyW ALL rest arts. Y ou could use multiple write commands in a long script.
Chapter 52 File Manager ZyWALL USG 2000 U ser’s Guide 858 Copy Use this button to save a duplicate of a shell script file on the Z yWALL. Click a shell script file’ s row to select it and click Copy to open the Copy File screen. Figure 569 Maintenance > File Ma nager > Shell Script > Copy Specify a name for the duplicate file.
ZyWALL USG 2000 User’s Guide 859 C HAPTER 53 Diagnostics 53.1 Overview Use the diagnostics screen s for troubleshooting. 53.1.1 What Y ou Can Do in this Chapter •U s e t h e Maintenance > Diagnostics screen (see Sect ion 53.
Chapter 53 Diagnostics ZyWALL USG 2000 U ser’s Guide 860 The following table describes t he labels in this screen. 53.3 The Packet Capture Screen Use this screen to capture network traffi c going throu gh th e Z yWALL’ s interface s. Studying these packet captures may help you i dentify network problems.
Chapter 53 Diagnostics ZyWALL USG 2000 User’s Guide 861 The following table describes t he labels in this screen. T able 253 Maintenance > Diagnostics > Packet Capture LABEL DESCRIPTION Interfaces Enabled interfaces (except for virtual interfaces) appear under Available Interfaces .
Chapter 53 Diagnostics ZyWALL USG 2000 U ser’s Guide 862 53.3.1 The Packet Capture Files Screen Click Maintenance > Diagnostics > Packet Capture > Files to open the packet capt ure files screen. This screen lists the files of pack et captures the Z yWALL has performed.
Chapter 53 Diagnostics ZyWALL USG 2000 User’s Guide 863 53.3.2 Example of V iewing a Packet Capture File Here is an example of a packet capture file viewed in the Wire shark packet analyzer . Notice that the size of fr ame 15 on the wire is 1514 bytes while the captured size is only 1500 bytes.
Chapter 53 Diagnostics ZyWALL USG 2000 U ser’s Guide 864.
ZyWALL USG 2000 User’s Guide 865 C HAPTER 54 Reboot 54.1 Overview Use this to restart the device (for example, if the device beg ins behaving erratically). See also Secti on 1.5 on page 41 for information on d ifferent ways to start and stop the Z yWALL.
Chapter 54 Reboot ZyWALL USG 2000 U ser’s Guide 866.
ZyWALL USG 2000 User’s Guide 867 C HAPTER 55 Shutdown 55.1 Overview Use this to shutdown t he device in preparat ion for disconnecting the power . See also Section 1.
Chapter 55 Shu tdo wn ZyWALL USG 2000 U ser’s Guide 868.
ZyWALL USG 2000 User’s Guide 869 C HAPTER 56 Troubleshooting This chapter offers some suggestions to solv e problems you might encounter . • Y ou can also refer to the logs (see Chapter 10 on page 261 ). F or individual log descriptions, Append ix A on pa ge 899 .
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 870 • Ping the Z yW ALL from a LAN computer . Make s ure yo ur c o mp u ter ’s Eth e rne t card is installed and functioning properly . Al so make sure that its IP address is in the same subnet as the Z yW ALL’ s.
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 871 I cannot update the IDP/application patrol signatures. • Make sure your Z yW ALL has the IDP/appl icat ion patrol service registered and that the license i s not expired. Purchase a new license if the lic ense is expired.
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 872 The Z yWALL checks the firewall rules in the order that they are listed. So make sure that your custom firewall rule come s before an y other rules that the tr affic would also match.
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 873 The data rates through my cellular c onnection are no-where near the rates I expected. The actual cellular data r ate you obtain v aries depending on the cellular d evice you use, the signal strength to the serv ice pr ovider’ s base stat ion, and so on.
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 874 The ZyW ALL is not applyi ng my application patrol bandwid th management settings. Bandwidth management in polic y routes has priority o ver application patrol bandwidth management. The ZyW ALL’s performance slowed down af ter I configured ma ny new application patrol entries.
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 875 The ZyW ALL’ s performance seems sl ower after configuring IDP . Depending on your network topol ogy and traffic l oad, binding every packet direction to an IDP profi le may affect the Z yW ALL’ s performance.
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 876 The ZyW ALL routes and applies SNA T for traffic from some interfaces but not from others. The ZyW ALL automaticall y us es SN A T for traffic it routes from inte rnal interfaces to external interfaces.
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 877 I cannot get the application pa trol to manage H.323 traf fic. Make sure you ha ve the H.323 ALG enabl ed. I cannot get the application pa trol to manage FTP traf fic. Make s u re yo u have t he F TP A LG en able d .
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 878 • The Z yWALL and remote IPSec router must use the same authentication method to establish the IKE S A. • Both routers must use the same negotiation mode. • Both routers must use the same encryption algorithm, authentication algori thm, and DH key group .
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 879 of its Trusted Certificates to authenticate the remote IPSec router’ s certificate. The trust ed certificate can be the remot e IPSec router’s self-sig ned certificate or that of a tru s ted CA th at signed the remot e IPS e c rou ter’s certificate.
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 880 I uploaded a logo to show in the SSL VPN user screens but it does not display properly . The logo gr aphic must be GIF , JPG, or PNG format. The gr aphic should use a resolution of 127 x 57 pixels t o avoid di s tortion when displayed.
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 881 decompressed option while you download the firmware package. See Section 33.2.1 on page 553 for more on the anti- virus Destroy compressed files that could not be decompressed option. I changed the LAN IP addr ess and can no longer access the Internet.
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 882 • Y ou may need to disable STP (Spanning T ree Protocol). • The master and its backups must all use the same device HA mode (either active-passiv e or legacy). • Configure a static IP add re ss for each inte rfac e that you will have device HA monitor .
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 883 I cannot add the admin users to a user group with access users. Y ou cannot put access user s and admin users in the same user gr oup. I cannot add the default admin account to a user group.
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 884 2 Y o u must remove any spaces from the certificate’ s filename before you can import the certificate. 3 Any certificate that you w ant to import has to be in one of these file formats: • Binary X.
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 885 I uploaded a logo to use as the screen or window background but it does not display properly . Make sure the logo file is a GIF , JPG, or PNG of 100 kilobytes or less. The ZyW ALL’ s traffic throug hput rate decreased after I started collecting traf fic statistics.
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 886 See the CLI Reference Guide for how to determin e if you need to recover the firmware and how to recover it.
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 887 2 Press the RESET button and hold it until the SYS LED begins to blink. (Thi s usually takes about fiv e seconds.) 3 Release the RESET button, and wait for the Z yWALL to restart. Y ou should be able to access the Z yW ALL using the default settings.
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 888 5 Use the handle to slide out th e power module and remove it. Figure 577 Removing the Power Module 6 Install the new Z yW ALL power module. Figure 578 Inst alling the Replacement Powe r Module 7 Tighten the power module’ s retaining screw .
Chapter 56 Trou bleshooting ZyWALL USG 2000 User’s Guide 889 8 Connect the power cord to the new Z yW ALL power module. 9 Reconnect the power cord to the power outlet. 10 Push the Z yWAL L power module switch to the on positi on. 56.3 Getting More T roubleshooting Help Search for support information for your model at www .
Chapter 56 Tro u blesh oo tin g ZyWALL USG 2000 U ser’s Guide 890.
ZyWALL USG 2000 User’s Guide 891 C HAPTER 57 Product Specifications The followin g s pe cificatio ns are subj ect to change without notice. See Chapter 2 on page 43 for a gener al overvi ew of key feat ures. This table provides b asic device specifications.
Chapter 57 Product Specifications ZyWALL USG 2000 U ser’s Guide 892 This table gives detail s about the Z yWAL L’ s features. AUX po rt RS-232, DB9M connector USB Slots 2, 2.0 plug and play Compatible USB Cards (3G) Huawei: E220, E270, E160, E169, E8 00, and E180 HDD Slot Slot for an optional 2.
Chapter 57 Product Specifications ZyWALL USG 2000 User’s Guide 893 Static Routes 10 ,000 (shared with the policy routes) 10,000 (shared with the policy routes) 10,000 (shared with the policy routes).
Chapter 57 Product Specifications ZyWALL USG 2000 U ser’s Guide 894 Maximum Number of LDAP Groups 32 32 32 Maximum Number of LDAP Serv ers for Each LDAP Group 444 Maximum Number of RADIUS Groups 32 .
Chapter 57 Product Specifications ZyWALL USG 2000 User’s Guide 895 Sysl og S er ver s 4 4 4 IDP Maximum Number of IDP Profiles 32 32 32 Custom Signatures 512 512 51 2 Maximum Number of IDP R ules 64.
Chapter 57 Product Specifications ZyWALL USG 2000 U ser’s Guide 896 The following table, which is not exhaust ive, lists standards referenced by Z yW ALL features.
Chapter 57 Product Specifications ZyWALL USG 2000 User’s Guide 897 57.1 3G PCMCIA Card Inst allation Only insert a compatible 3G card. Slide th e connector end of the card into the slot.
Chapter 57 Product Specifications ZyWALL USG 2000 U ser’s Guide 898.
ZyWALL USG 2000 User’s Guide 899 A PPENDIX A Log Descriptions This appendix provides descript ions of example log message s for the ZLD-based Z yWA LLs. The logs do not all apply to all of the ZLD-based Z yWALL s. Y ou will not necessecarily see al l of th ese logs in your de vice.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 900 T able 261 Blocked Web Site Logs LOG MESSAGE DESCRIPTION %s :%s The rating server responded that the web site is in a specified category and access was blocked according to a content filter profile.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 901 %s: Proxy mode is detected The system detected a proxy connection an d blocked access according to a profile. %s: website host %s: Forbidden Web si te The web site is in forbidden web site list.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 902 Black List checking has been activated. The anti-spam black list has been turned on. Black List checking has been deactivated. The anti-spam black list has been turned off . Black List rule %d has been added.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 903 T able 263 SSL VPN Logs LOG MESSAGE DESCRIPTION %s %s from %s has logged in SSLVPN A user has logged into SSL VPN. The first %s is the type of user account. The second %s is the user’s user name.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 904 The %s address-object is wrong type for 'network' in SSL Policy %s. The listed address object (first %s ) is not the right kind to be specified as a network in the listed SSL VPN policy (second %s).
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 905 %s %s is accessed. sent=<bytes> rcvd=<bytes> The listed SSL VPN access was used to send and receive the listed numbers of bytes. The first %s is the type of SS L VPN access (web application, file sharing, or network extension).
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 906 T able 264 L2TP Over IPSec Logs LOG MESSAGE DESCRIPTION The configuration of L2TP over IPSec has been changed. The L2TP over IPSec configur ation has been modified. L2TP over IPSec may not work since Crypto Map %s using Manual Key.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 907 The Z ySH logs deal with internal system errors. T able 265 ZySH Logs LOG MESSAGE DESCRIPTION Invalid message queue.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 908 Can't remove %s 1st:zysh list name Table OPS %s: cannot retrieve entries from table! 1st:zysh table name %s: index is out of rang.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 909 T able 266 ADP Logs LOG MESSAGE DESCRIPTION from <zone> to <zone> [type=<type>] <message> , Action: <action>, Severity: <severity> The Z yWALL detected an an omaly in traffic tr aveling between the specified zones.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 910 T able 267 Anti-Virus Logs LOG MESSAGE DES CRIPTION Initializing Anti-Virus signature reference table has failed. The Z yWALL failed to initialize the anti-virus signatures due to an internal error .
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 91 1 AV signature update has failed. Can not update last update time. The anti-virus signatur es update did not succeed.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 912 Anti-Virus rule %d has been modified. The anti-virus rule of the specified number has bee n changed. Anti-Virus rule %d has been inserted. An anti-virus rule has been inserted. %d is the number of the new rule.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 913 T able 268 User Logs LOG MESSAGE DES CRIPTION %s %s from %s has logged in ZyWALL A user logged into the ZyW ALL. 1st %s: The type of user account. 2nd %s: The user ’ s user name. 3rd %s: The name of the servi ce the user is using (HT TP , HTTPS, F T P , T eln e t, SSH , or c onsol e).
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 914 Failed login attempt to ZyWALL from %s (login on a lockout address) A login attempt came from an IP address that the Z yWALL has locked out. %u.%u.%u.%u: the source address of the user’ s login attempt Failed login attempt to ZyWALL from %s (reach the max.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 915 Registration has failed. Because of lack must fields. The device received an incomplete response from the myZ yXEL.com serv er and it caused a parsing error for the device. %s:Trial service activation has failed:%s.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 916 Do device register. The device started device registration. Do trial service activation. The device started tr ail service activation. Do standard service activation. The device started standard service activ ation.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 917 Device has latest signature file; no need to update The device already has the latest version of the signature file so no update is needed. Connect to update server has failed. The device cannot connect to the update server .
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 918 Get server response has failed. The device sent packets to the server , but did not receive a response. The root cause may be that the connection is abnormal. Expiration daily- check has failed:%s.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 919 Self signed certificate. V erification of a server’s certificate failed because it is self- signed. Self signed certificate in certificate chain. V erification of a serv er ’s certificate failed because there is a self-signed certificate in the server’s certificate chain.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 920 Enable IDP engine succeeded. The device turned on the IDP engine. Disable IDP engine succeeded. The device turned off the IDP engine. IDP service is not registered. IDP will not be activated.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 921 Add custom signature error: signature <sid> is over length. An attempt to add a custom IDP signature failed because the signature’s contents were too long. Edit custom signature error: signature <sid> is over length.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 922 from <zone> to <zone> [type=<type>] <message> , Action: <action>, Severity: <severity> The Z yWALL detected an intrusion in tr affic trav eling between the specified zones.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 923 Duplicate sid <sid> in import file at line <linenum>. The listed signature ID is duplicated at the listed line number in the signature file. IDP rule <num> has been deleted.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 924 Protocol %s has been enabled. The listed protocol has been turned on in the application patrol. Protocol %s has been disabled. The listed protocol has been turned off in the application patrol.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 925 T able 272 IKE Logs LOG MESSAGE DESCRIPTION Peer has not announced DPD capability The remote IPSec router has not announced its dead peer detection (DPD) capability to this device. [COOKIE] Invalid cookie, no sa found Cannot find SA according to the cookie.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 926 [SA] : Tunnel [%s] Phase 1 invalid protocol %s is the tunnel name. When nego tiating Phase-1, the packet was not a ISKAMP pack et in the protocol field. [SA] : Tunnel [%s] Phase 1 invalid transform %s is the tunnel name.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 927 Could not dial manual key tunnel "%s" %s is the tunnel name. The manual key tunnel can not be dialed. DPD response with invalid ID When receiving a DPD response with invalid ID ignored.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 928 VPN gateway %s was enabled %s is the gatewa y name. An administrator enabled the VPN gateway . XAUTH fail! My name: %s %s is the my xauth name. This indicates that m y name is inv alid.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 929 Get outbound transform fail When outgoing packet need to be transformed, the engine cannot obtain the transform context.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 930 Firewall %s %s rule %d was %s. 1st %s is from zone, 2nd %s is to zone, %d is the index of the rule 3rd %s is appended/inserted/modified Firewall %s %s rule %d has been moved to %d.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 931 The policy route %d uses empty user group! Use an empty object group. %d: the policy route rule number The policy route %d uses empty source address group! Use an empty object group.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 932 HTTPS port has been changed to port %s. An administrator changed the port number for HT TPS. %s is port number HTTPS port has been changed to default port. An administrator chan ged the po rt number for HT TPS back to the default (443).
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 933 Console baud has b een reset to %d. An administrator changed the console port baud r ate back to the default (115200).
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 934 DNS access control rule %u has been moved to %d. An administrator mo ved the rule %u to index %d. %u is previous index %d variable is current index The default record of Zone Forwarder have reached the maximum number of 128 DNS servers.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 935 Access control rule %u of %s was modified. An access control rule was modified successfully . %u is the index of the access control rule. %s is HT TP/HT TPS/SSH/SNMP/FTP/TELNET . Access control rule %u of %s was deleted.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 936 DHCP Server executed with cautious mode disabled DHCP Server ex ecuted with cautious mode disabled. Received packet is not an ARP response pack et A packet was received but it is not an ARP response packet.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 937 Device is rebooted by administrator! An administr ator restarted the device. Insufficient memory. Cannot allocate system memory . Connect to dyndns server has failed. Cannot connect to members.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 938 Update the profile %s has failed because the feature requested is only available to donators. Update profile failed because the feature requested is only av ailable to donators, %s is the profile name.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 939 The profile %s has been paused because the HA interface of VRRP status was standby. The profile is paused by Device-HA, because the VRRP status of that HA iface is standby , %s is the profile name.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 940 T able 279 Connectivity Check Logs LOG MESSAGE DESCRIPTION Can't open link_up2 Cannot recover routing status which is link -down. Can not open %s.pid Cannot open connectivity check process ID file.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 941 Can't use MULTICAST IP for destination The connectivity check process can't use multicast address to check link -status. The destination is invalid, because destination IP is broadcast IP The connectivity check process can't use broadcast address to check link -status.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 942 %s file not existed, Skip syncing it fo r %s There is no file to be synchronized from the Master when syncing a object (A V/AS/IDP/Cer.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 943 Device HA authentication type for VRRP group %s maybe wrong. A VRRP group’ s Authentication T ype (Md5 or IPSec AH) configuration ma y not match between the Backup and the Master . %s: The name of the VRRP group.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 944 T able 281 Routing Protocol Logs LOG MESSAGE DESCRIPTION RIP on interface %s has been stopped because Device-HA binds this interface. Device-HA is currently running on the interface %s, so all the local service have to be stopped including RIP .
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 945 RIP md5 authentication id and key have been deleted. RIP md5 authentication id and key have been deleted. RIP global version has been deleted. RIP global version has been deleted. RIP redistribute OSPF routes has been disabled.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 946 Invalid OSPF virtual- link %s authentication of area %s. Virtual-link %s authentication has been set to same- as-area but the area has invalid authen tication co nf iguration. %s: Virtual-Link ID Invalid OSPF md5 authentication on interface %s.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 947 Register SIP ALG signal port=%d failed. SIP ALG apply signal port failed. %d: Po rt number Register H.323 ALG extra port=%d failed. H323 A LG apply additional signal port failed. %d: Po rt number Register H.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 948 SCEP enrollment "%s" successfully, CA "%s", URL "%s" The device used SCEP to enroll a certificate. 1st %s is a request name, 2nd %s is the CA name, 3rd %s is the URL .
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 949 Export X509 certificate "%s" from "Trusted Certificate" successfully The device exported a x509 format certificate from T rusted Certificates. %s is the certificate request name.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 950 25 Database method failed due to timeout. 26 Database method failed. 27 P ath was not verified. 28 Maximum path length reached. T able 284 Interface Logs LOG MESSAGE DESCRIPTION Interface %s has b een deleted.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 951 Interface %s is enabled. An administrator enabled an in terface. %s: interface name. Interface %s is disabled. An administrator disabled an interface. %s: interface name. %s MTU > (%s MTU - 8), %s may not work correctly.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 952 Interface %s connect failed: MS-CHAP authentication failed. MS-CHAP authentication failed (the server must support MS- CHAP and verify that the authentication failed, this does n ot include cases where the server does not support MS-CHAP).
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 953 "SIM card has been successfully unlocked by PUK code on interface cellular%d. Y ou entered the correct PUK code and unlocked the SIM card for the cellular device associated with the listed cellular interface (%d).
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 954 "Cellular device [%s %s] has been removed from %s. The cellular device (identified by its manufacturer and model) has been removed from the specified slot. Interface cellular%d required authentication password.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 955 T able 287 Force Authentication Logs LOG MESSAGE DESCRIPTION Force User Authentication will be enabled due to http server is enabled. Force user authentication will be turned on because HT TP server was turned on.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 956 T able 289 DHCP Logs LOG MESSAGE DESCRIPTION Can't find any lease f or this client - %s, DHCP pool full! All of the IP addresses in the DHCP pool are already assigned to DHCP clients, so there is no IP address to give to the listed DHCP client.
Appendix A Log Descriptions ZyWALL USG 2000 User’s Guide 957 T able 291 IP-MAC Binding Logs LOG MESSAGE DESCRIPTION Drop packet %s- %u.%u.%u.%u- %02X:%02X:%02X:%02 X:%02X:%02X The IP-MAC binding feature dr opped an Ethernet packet. The interface the packet came in through and the sender’s IP address and MAC address are also shown.
Appendix A Log Descrip tio ns ZyWALL USG 2000 U ser’s Guide 958.
ZyWALL USG 2000 User’s Guide 959 A PPENDIX B Common Services The following table lists some commonl y-used services and their associated protocols and port numbers. F or a comprehe nsiv e list of p ort numbers, ICMP type/ code numbers and services , visit the IANA (Internet Assigned Number Authority) web site.
Appendix B Com mon Servic es ZyWALL USG 2000 U ser’s Guide 960 ESP (IPSEC_TUNNEL) User -Defined 50 The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
Appendix B Common Services ZyWALL USG 2000 User’s Guide 961 PPTP TCP 1723 Point -to-P oint T unneling Protocol enables secure transfer of data ov er public networks. This is the control channel. PPTP_TUNNEL (GRE) User -Defined 47 PPTP (P oint -to-Point T unneling Protocol) enables secure transfer of data over public networks.
Appendix B Com mon Servic es ZyWALL USG 2000 U ser’s Guide 962 TFTP UDP 69 T rivial File T ransfer Protocol is an Internet file transfer protocol similar to FTP , but uses the UDP (User Datagram Protocol) r ather than TCP (T ransmission Control Protocol).
ZyWALL USG 2000 User’s Guide 963 A PPENDIX C Displaying Anti-V irus Alert Messages in Windows With the anti- virus packet s can, when a virus is detected, you can have the Z yW ALL displa y an alert message on Miscrosoft Windows-based computers.
Appendix C Dis playing Anti-Virus Alert Messages in Windows ZyWALL USG 2000 U ser’s Guide 964 2 Select the Messenge r service and click Start . Figure 581 Windows XP: S tarting the Messenger Service 3 Close the window when you are done. Windows 2000 1 Click Start > Settings > Control Panel > Administrative Tools > Services .
Appendix C Displaying Anti-Virus Alert Messages in Windows ZyWALL USG 2000 User’s Guide 965 2 Select the Messenge r service and click Start Service .
Appendix C Dis playing Anti-Virus Alert Messages in Windows ZyWALL USG 2000 U ser’s Guide 966 1 Right- click on the program t ask bar and click Properties . Figure 585 WIndows 98 SE: Program T ask Bar 2 Click the Start Menu Programs tab and click Advanced .
Appendix C Displaying Anti-Virus Alert Messages in Windows ZyWALL USG 2000 User’s Guide 967 4 Right- click in the StartUp pane and click New , Shortcut . Figure 587 Windows 98 SE: S tartUp 5 A Create Shortcut wi ndow displays. Enter “wi npopup” in the Command line field and click Next .
Appendix C Dis playing Anti-Virus Alert Messages in Windows ZyWALL USG 2000 U ser’s Guide 968 6 Specify a nam e for the shortcu t or ac ce pt the defa ul t and c lic k Finish . Figure 589 Windows 98 SE: S tartup: Select a T itle for the Program 7 A shortcut is created i n the StartUp pane.
ZyWALL USG 2000 User’s Guide 969 A PPENDIX D Importing Certificates This appendix shows you how to import public k ey certificates into your web browser . Public key certificates are used by web br owsers to ensure that a secure web site is legitimate.
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 970 1 If your device’ s W eb Configurator is set to use SSL certificati on, then the first time you browse to i t you are presented with a certificati on error . Figure 591 Internet Explorer 7: Cert ification Error 2 Click Continue to this website (not recommended) .
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 971 4 In the Certificate dialog bo x, click Install Certificate . Figure 594 Internet Explorer 7: Cert ificate 5 In the Certificate Import Wizard , click Next .
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 972 6 If you w ant Internet E xplorer to Automatically select certificate store based on the type of certificate , click Next again and then go to step 9.
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 973 8 In the Select Certificate Store dialog box, choose a location in which to sa ve the certificate and then clic k OK . Figure 598 Internet Explorer 7: Select Certificate S tore 9 In the Completing the Certificate Import Wizard screen, click Finish .
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 974 10 If you are presented with another Security Warning , c lick Yes . Figure 600 Internet Explorer 7: Security W arning 11 Finally , click OK when presented with the successful certificate installation message.
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 975 Inst alling a St and-Alone Certific ate File in Internet Explorer Rather t han browsing to a Z yXEL W eb Co nfigurator and installing a public key certificate when prompted, y ou can install a stand- alone certific ate file if one has been issued to you.
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 976 1 Open Internet Explorer and click Tools > Internet Options . Figure 605 Internet Explorer 7: T ools Menu 2 In the Internet Options dialog box, cl ick Content > Certificates .
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 977 3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificat e that yo u w ant to delete, and then click Remove . Figure 607 Internet Explorer 7: Cert ificates 4 In the Certificates confirmation, click Yes .
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 978 6 The next time you go to the web site that issued the public k ey certificate you just removed, a certification error appears. Firefox The following example uses Mozilla Firefox 2 on Windows XP Professional; however , the screens can also apply to Firefox 2 on all platforms.
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 979 3 The certificate is stored and you ca n now connect securely to the W eb Configurator . A sealed padlock appears in the address bar , which you can click to open the Page Info > Security windo w to view the web page’ s security informat ion.
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 980 1 Open Firefox and click Tools > Options . Figure 612 Firefox 2: T ools Menu 2 In the Options dialog bo x, cli ck Advanced > Encryption > View Certifica t es .
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 981 3 In the Certificate Manager dialog box, cl ick Web Si tes > Import . Figure 614 Firefox 2: Cert ificate Manager 4 Use the Select File dialog bo x to locate the certificate and then click Op en .
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 982 Removing a Certificate in Firefox This section shows y ou how to remove a public key certificate in Fi refox 2. 1 Open Firefox and click Tools > Options . Figure 616 Firefox 2: T ools Menu 2 In the Options dialog bo x, cli ck Advanced > Encryption > View Certifica t es .
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 983 3 In the Certificate Manager dialog box, select the Web Sites tab , select the certificate that you w ant to remove, and then click Delete . Figure 618 Firefox 2: Cert ificate Manager 4 In the Delete Web Site Certificates dialog bo x, cli ck OK .
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 984 1 If your device’ s W eb Configurator is set to use SSL certificati on, then the first time you browse to i t you are presented with a certificati on error . 2 Click Install to accept the certi ficate.
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 985 Inst alling a St and-Alone Ce rtificate File in Opera Rather t han browsing to a Z yXEL W eb Co nfigurator and installing a public key certificate when prompted, y ou can install a stand- alone certific ate file if one has been issued to you.
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 986 2 In Preferences , click Advanced > Security > Manage certificates . Figure 623 Opera 9: Prefer ences.
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 987 3 In the Certificates Manager , click Authorities > Import . Figure 624 Opera 9: Certificate manager 4 Use the Import certificate dialog box to locate the certificate and then click Open.
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 988 5 In the Install authority certificate dialog box, c lick Ins tall . Figure 626 Opera 9: Inst all authority certificate 6 Next, click OK .
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 989 1 Open Opera and click Tools > Preferences . Figure 628 Opera 9: T ools Menu 2 In Preferences , Advanced > Security > Manage certificates .
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 990 3 In the Certificates manager , sele ct the Authorities tab, select th e certificat e that you wan t to r emove , and th en c l i ck Delete .
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 991 2 Click Continue . Figure 631 Konquero r 3.5: Server Authentication 3 Click Forever when prompted to accept the certificate.
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 992 Inst alling a St and-Alone Ce rtificate File in Konqueror Rather t han browsing to a Z yXEL W eb Co nfigurator and installing a public key certificate when prompted, y ou can install a stand- alone certific ate file if one has been issued to you.
Appendix D Importi ng Certificates ZyWALL USG 2000 User’s Guide 993 3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Inf ormation window to view the web page’ s security details. Removing a Certificate in Konqueror This section shows y ou how to remove a public k ey certificate in K onqueror 3.
Appendix D Importing Certificates ZyWALL USG 2000 U ser’s Guide 994 4 The next time you go to the web site that issued the public k ey certificate you just removed, a certification error appears.
ZyWALL USG 2000 User’s Guide 995 A PPENDIX E Open Sof tware Announcement s End-User License Agreement for “ZyW ALL USG 2000” WARNING: Z y XEL Communications Co rp. IS WILLING TO LICENSE THE SOFTWARE T O YOU ONL Y UPON THE CONDITION THA T Y OU ACCEPT ALL OF THE TERMS CONT AINED IN THIS LICENSE AG REEMENT .
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 996 Y ou may not remove an y proprietary notice of Z yXEL or any of its licensors from any copy of the Softw are or Documentation.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 997 6.No W arranty THE SOFTWARE IS PROVIDED "AS IS." T O THE MAXIMUM EXTENT PERMITTED BY LAW , Z yXEL DISCLAIMS ALL WAR.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 998 9.Audit Rights Z yXEL SHALL HAVE THE RIGHT , A T ITS OWN EXPENSE, UPON REASONABLE PRIOR NOTICE, T O PERIODICALL Y INSPECT AN D AUDIT Y OUR RECORDS T O ENSUR E YOUR COMPLIANCE WITH THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT .
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 999 bridge-utils 0.9.5. http://linux-n et.osdl.org/in dex.php/Bridge dhcpcd-1.3.2 2-pl4 1.3.22-pl4 http://www .phystech.com/download/ ppp-2.4.2 2.4.2 http://ppp.sam ba.org/ppp/index.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1000 Notice Information herein is subject to change without notice. Comp anies, names, and data used in exampl es herein are fictit ious unless otherwise noted.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1001 PPP License Copyright (c) 1993 The Austr alian National University . All rights reserved.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1002 All rights reserved. Re di stribution and use in source and bina ry forms, with or without modification , are permitted provided that the following conditions are met: 1.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1003 This Product includes expat-1.95.6 softw are under the Expat License Expat License Copyright (c) 1998, 1999, 2000 Thai Open .
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1004 •This license is compatible with The GN U General Pu blic License, V ersion 2 This is j ust like a Simple Permissive lic ense, bu t it requ ires that a copyri ght noti ce be main ta ined.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1005 2. R edistributions in binary form must reproduce the above copyright notice, this list of conditions and the following d isclaimer in the documentation and/or other materials provided with the dis tribution.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1006 be it the RC4, RS A, lhash, DES, etc. , code; not just the S SL code. The SSL documentation included with this distribu tion i s covered by the same copyright terms except that the hol der is Tim Huds on (tjh@cryptsoft.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1007 This Product includes libevent -1.1a and xinetd-2.3.14 softw are under the a 3- clause BSD License a 3-clause BSD-style lice.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1008 * Neither the name of [original copyright holder] nor the names of its cont ributors may be used to endors e or promote products deriv ed from this software without specific prior written permission.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1009 DIRECT , INDIRECT , OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHA TSOEVER RESUL TING FROM LOS S OF USE, DA T A OR PROFITS , WHETHER IN AN ACTION OF CONTRACT , NEGLIGENCE OR O THER T OR TIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1010 P ermission to use, copy , modify , and distri bute this softw a re for any purpose with or without fee is hereby gr anted, provided that th e above copy ri ght notice and this permission notice appear in all copies.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 101 1 "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1012 "Contributor" shall mean Lice nsor and any individual or Legal Entit y on behalf of whom a Contribution has been receiv ed by Licensor and subsequently incorporated wi thin the W ork.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1013 attribution notices within Deriv ative W orks that Y ou distribute, alongside or as an addendum to the NO TICE text from the W ork, provided that such additional attribution notices cannot be construed as modifyin g t he L ic e ns e.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1014 Contributor harmless for any liabili ty incurred by , or claims asserted against, such Contributor by reason of your accepting an y such warr anty or additional liability . END OF TERMS AND CONDITIONS Ve r s i o n 1 .
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1015 USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS SIBILITY OF SUCH DAMAGE. This software consis ts of voluntary contrib utions made by many individ uals on behalf of the Apache Softw are Found ati on.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1016 guarantee y our freedom to share and chan ge free software--to mak e sure the software is free fo r all its use rs .
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1017 Most GNU software, including so me libraries, is cov ered by the ordinary GNU General Publi c License. This lic ense, th e GNU Lesser Gener al Public Licen s e , applies to certain des ignated libraries, and is quite different from the ordinary General Public License.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1018 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright h.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1019 still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a li brary to comp ute square roots has a purpose that is entirely well-defined indepe ndent of the application.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1020 "work that uses the Library". Such a work, in isolation, is not a derivati v e work of the Libr ary , and therefore falls outside the scope of this Lic ense.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1021 version is interface-compatible with the version that the work was made with.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1022 10. Each time you redi stribute the Libr ar y (or any work base d on the Library), the recipient automatically recei ves a license from the original licensor to copy , distribute, li nk with or modify the Li br ary subject to these terms and c onditions.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1023 Library does not specify a license version number , you may choose any version ever published by the Fr ee Softw are Foundation.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1024 pcmcia-cs-3.2.8, lib eeprog, mgetty -1.1.35, gmp-4.1, msmtp-1. 4.12 and libqsearch 0.8 software under GPL license. GNU GENERAL PUBLIC LICENSE V ersion 2, June 1991 Copyright (C) 1989, 1991 Free Software F oundation, Inc.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1025 the software. Also, for each author's protec tion and ours, we want to make certain that everyone unde rs tan ds that there is no warr anty for this free software.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1026 b) Y ou must cause any work that you distribute or publish, that in whole or in part contains or is deriv ed from the Progra m or any part thereof , to be licensed as a whole at no charge to all third p art ies under the terms of this License.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1027 source code means all the source code for all modules it contains, plus any associated interface definition fi les, plus the scripts used to control compil ation and i n s tall at ion of th e ex ecutable.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1028 whole is intended to apply in other circum stances. It is not the purpose of this section to induce you to infringe any pate.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1029 DEFECTIVE, YOU ASSUME THE COST OF ALL NECESS ARY SERVICING, REP AIR OR CORRECTION.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1030 means a mechanism generally accept ed in the software dev elopment community for the el ectronic tr ansfer of data. 1.5. "Executable" means Covered Code in an y form other than Source Code.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1031 1.11. "Source Code" means the preferred form of the Co vered Code for making modifications to it, includ in g all .
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1032 Subject to third party intellect ual property claims, each Contributor hereby gr ants Y ou a world-wide, royalty -free, non-.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1033 made av ailable via Electronic Distribution Mechanism, must remain av ailable for at least twelv e (12) months after the dat.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1034 Y ou must duplicate the noti ce in Exhibit A in each file of the Source Code.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1035 regulation then Y ou mus t: (a) com ply with the term s of th is L icen se to the maximum extent possible; and (b) descri be the limitations and the code they affect. Such description must be included in the legal file described in Section 3.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1036 (not the initial developer or any other contributor) assume the cost of any necessary servicing, repair or correction. This disclaimer of warr anty constitutes an essential part of this license.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1037 granted by Y ou or any distributor hereun der prior to ter mination shall survive terminatio n.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1038 As between Initial Developer and the Contributors, each party is responsible for claims and damages arisi ng, directly or in.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1039 NOTE : The text of this Exhibit A ma y differ slightly from the t ext of the notices in the Source Code files of the Original Code . Y ou should use the text of this Exhibit A rather t han the text found in the Original Code Source Cod e for Y our Modifications.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1040 USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS SIBILITY OF SUCH DAMAGE. This Product includes libxml2-2.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1041 Re distribution and us e of this software and assoc iated documentation("Softw are"), wi th or wit hout modification, are permitted provid ed that the following conditi ons are met: 1.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1042 Copyright 1999-2003 The OpenLD AP F oundation, R edwood City , California, USA. All Rights R eserved. P ermi ssion to copy and distribute v erbatim copies of this document is gr anted.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1043 use of gd. If you have questions, ask. "D erived works" incl udes all progr ams that utilize the library . Credit must be gi ven in user- accessible documentation. This software is pro vided "AS IS.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1044 Copyright (C) 1999, 2000, 2002 Aladdi n Enterprises. All right s reserved. This software is provided 'as-is', wi thou t an y express or implied warr anty . In no event will the aut hors be held liable for any damages arising from the use of this software.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1045 3. This notice may not b e removed or altered from an y source distribution. COPYRIGHT NOTICE, DISCLAIMER, and LICENSE: * * If you modify libpng you may insert additional notices immediatel y following * this sentence.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1046 * There is no w arranty against interference with y our enjoyment of the * libr ary or against infringeme nt. There is no w arranty that our * efforts or the libr ary will fulfill any of your parti cular purposes * or needs.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1047 * Greg R oelofs * T om T anner * * libpng versions 0. 5, May 1995, through 0.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1048 * to the following restrictions: * * 1. The origin of this source code must not be misrepresented. * * 2. Altered ve rsions must be plainly marked as such and * must not be misrepresented as being the original source.
Appendix E Open Softwar e Announcements ZyWALL USG 2000 User’s Guide 1049 2. R edistributions in binary form must reproduce the above copyright notice, this list of conditions and the following d isclaimer in the documentation and/or other materials provided with the dis tribution.
Appendix E Open Software Announcements ZyWALL USG 2000 U ser’s Guide 1050 P AR TICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUT ORS BE LIABLE FOR ANY DIRE CT , INDIRECT , I.
ZyWALL USG 2000 User’s Guide 1051 A PPENDIX F Legal Information Copyright Copyright © 2010 by Z yXEL Communications Corpor ation. The contents of this publication ma y not be reproduced in any part.
Appendix F Legal Information ZyWALL USG 2000 U ser’s Guide 1052 • This device may not cause harmful interference. • This dev ice must acc e pt any interf eren ce received, including interference that may cause undesired operations.
Appendix F Legal Information ZyWALL USG 2000 User’s Guide 1053 Notices Changes or modifications not expressly appro ved by the party responsible for compliance could v oid the user's authority to oper ate the equipment. This Class B digital appar atus complies wi th Canadian ICES-003.
Appendix F Legal Information ZyWALL USG 2000 U ser’s Guide 1054 T o obtain the services of this w arr ant y , contac t your vend or . Y o u may also r efe r to the warrant y policy for the region in wh ich you bought the devic e at http:// www .zyxel.
Index ZyWALL USG 2000 User’s Guide 1055 Index Symbols Numerics 1 to 1 NA T 102 1 to 1 SNA T 103 3322 Dynamic DNS 381 3DES 471 3G 122 3G see also cellular 299 A AAA Base DN 726 Bind DN 726 , 729 dire.
Index ZyWALL USG 2000 U ser’s Guide 1056 and SNMP 827 and SSH 818 and T elnet 821 and VPN connections 444 and WWW 803 HOST 705 RANGE 706 SUBNET 706 types of 705 where used 11 4 address record 793 ad.
Index ZyWALL USG 2000 User’s Guide 1057 real-time alert message 965 registration status 552 scanner types 561 signatures 558 statistics 250 trial service activation 268 troubleshooting 871 , 874 tro.
Index ZyWALL USG 2000 U ser’s Guide 1058 truncated-options 615 truncated-timestamp-header 616 TTC P - d e te c t e d 615 types of 574 u-encoding 614 undersize-len 615 undersize-offset 615 UTF-8-enco.
Index ZyWALL USG 2000 User’s Guide 1059 bridge interfaces 278 , 319 and virtual interfaces of members 319 basic characteristics 279 effect on routing table 319 member interfaces 319 virtual 329 brid.
Index ZyWALL USG 2000 U ser’s Guide 1060 computer names 289 , 315 , 325 , 334 , 520 computer virus 548 infection and prevention 561 see also virus concurrent e-mail sessions 259 , 652 configuration .
Index ZyWALL USG 2000 User’s Guide 1061 D dashboard 53 , 55 , 209 Data Encryption Standard, see DES Data T erminal Ready , see DTR date 785 daylight savings 786 DDNS 381 backup mail exchanger 386 co.
Index ZyWALL USG 2000 U ser’s Guide 1062 file structure 725 directory trav ersal attack 613 directory trav ersals 613 disclaimer 5 , 1051 Distinguished Name (DN) 726 , 727 , 72 9 , 730 Distributed D.
Index ZyWALL USG 2000 User’s Guide 1063 basic characteristics 279 virtual 329 Ethernet ports 33 , 35 default settings 36 examples (tutorials) 11 9 exceptional services 418 experimental-options attac.
Index ZyWALL USG 2000 U ser’s Guide 1064 FTP 821 additional signaling port 407 ALG 401 and address groups 823 and address objects 823 and certificates 822 and zones 823 signaling port 407 troublesho.
Index ZyWALL USG 2000 User’s Guide 1065 action 573 , 608 alerts 572 and services 712 applying custom signatures 592 base profiles 564 , 56 8 configuration o v erv iew 112 custom signature example 59.
Index ZyWALL USG 2000 U ser’s Guide 1066 and layer-3 virtualization 27 8 and NA T 391 and physical ports 96 , 278 and policy routes 355 and static routes 359 and VPN gateways 444 and VRRP groups 677 and zones 96 , 278 as DHCP relays 333 as DHCP servers 333 , 784 auxiliary , see also auxiliary interface.
Index ZyWALL USG 2000 User’s Guide 1067 Perfect F orward Secrecy 45 0 PFS 450 phase 2 settings 449 policy enf orcement 449 remote access 448 remote IPSec router 441 remote network 441 remote policy .
Index ZyWALL USG 2000 U ser’s Guide 1068 remote user configuration 175 session monitor 249 troubleshooting 879 where used 111 WINS 520 LAN interface 33 IP address 33 LAND attack 612 lastgood.
Index ZyWALL USG 2000 User’s Guide 1069 main routing table 102 main window 60 maintenance menu 60 malware 629 managed web pages 627 management access troubleshooting 884 management access and device.
Index ZyWALL USG 2000 U ser’s Guide 1070 NetBIOS Broad c ast over IP Sec 448 Name Server , see NBNS . NetBIOS Name Server , see N BNS NetMeeting 408 see also H.
Index ZyWALL USG 2000 User’s Guide 1071 offset attack 615 request-uri-directory attack 614 P P1 33 P1~P8 LEDs 40 P2P (Peer-to-peer) 574 attacks 574 see also Peer-to-peer packet flow 100 inspection s.
Index ZyWALL USG 2000 U ser’s Guide 1072 port sweep 610 port translation, see NA T port triggering 360 and firewall 356 , 876 and policy routes 356 and service groups 356 and services 356 troublesho.
Index ZyWALL USG 2000 User’s Guide 1073 regular expressions 247 reject (IDP) both 573 , 608 receiver 573 , 608 sender 573 , 608 related documentation 3 Relativ e Distinguished Name (RDN) 726 , 727 ,.
Index ZyWALL USG 2000 U ser’s Guide 1074 SCEP (Simple Certificate Enrollment Protocol) 747 schedule troubleshooting 883 schedules 717 and content filtering 617 , 61 8 and current date/time 717 and f.
Index ZyWALL USG 2000 User’s Guide 1075 and firewall 403 and R TP 408 media inactivity timeout 406 signaling inactivity timeout 406 signaling port 406 troubleshooting 876 site map 61 SMTP 650 smurf .
Index ZyWALL USG 2000 U ser’s Guide 1076 access policy 482 configuration o v erv iew 110 full tunnel mode 47 , 482 network access mode 46 prerequisites 11 0 remote desktop connections 766 reverse proxy mode 46 , 481 see also SSL 481 troubleshooting 880 weblink 766 where used 111 stac compression 764 starting the Z yWALL 41 , 42 startup-config.
Index ZyWALL USG 2000 User’s Guide 1077 port numbers 712 portscan 609 portsweep 610 RST 610 SYN (synchronize) 61 1 SYN flood 61 1 window size 588 technical reference 207 Te l n e t 819 and address g.
Index ZyWALL USG 2000 U ser’s Guide 1078 PPP 872 PWR 869 RADIUS server 882 routing 876 schedules 883 security settings 871 shell scripts 885 SIP 876 SNA T 876 SSL 880 SSL V PN 880 throughput rate 88.
Index ZyWALL USG 2000 User’s Guide 1079 user portal links 765 logo 490 see SSL user screens 493 , 499 user sessions, see sessions user SSL screens 493 , 499 access methods 493 bookmarks 500 certific.
Index ZyWALL USG 2000 U ser’s Guide 1080 see also ALG 402 VPN 441 active protocol 476 and NA T 474 and the firewall 425 basic troubleshooting 877 hub-and-spoke, see VPN concentrator IKE SA, see IKE .
Index ZyWALL USG 2000 User’s Guide 1081 and authentication method objects 802 and certificates 801 and zones 803 see also HTTP , HT TPS 148 , 79 9 Z zipped files troubleshooting 874 zones 96 , 377 a.
Un point important après l'achat de l'appareil (ou même avant l'achat) est de lire le manuel d'utilisation. Nous devons le faire pour quelques raisons simples:
Si vous n'avez pas encore acheté ZyXEL Communications USG 2000 c'est un bon moment pour vous familiariser avec les données de base sur le produit. Consulter d'abord les pages initiales du manuel d'utilisation, que vous trouverez ci-dessus. Vous devriez y trouver les données techniques les plus importants du ZyXEL Communications USG 2000 - de cette manière, vous pouvez vérifier si l'équipement répond à vos besoins. Explorant les pages suivantes du manuel d'utilisation ZyXEL Communications USG 2000, vous apprendrez toutes les caractéristiques du produit et des informations sur son fonctionnement. Les informations sur le ZyXEL Communications USG 2000 va certainement vous aider à prendre une décision concernant l'achat.
Dans une situation où vous avez déjà le ZyXEL Communications USG 2000, mais vous avez pas encore lu le manuel d'utilisation, vous devez le faire pour les raisons décrites ci-dessus,. Vous saurez alors si vous avez correctement utilisé les fonctions disponibles, et si vous avez commis des erreurs qui peuvent réduire la durée de vie du ZyXEL Communications USG 2000.
Cependant, l'un des rôles les plus importants pour l'utilisateur joués par les manuels d'utilisateur est d'aider à résoudre les problèmes concernant le ZyXEL Communications USG 2000. Presque toujours, vous y trouverez Troubleshooting, soit les pannes et les défaillances les plus fréquentes de l'apparei ZyXEL Communications USG 2000 ainsi que les instructions sur la façon de les résoudre. Même si vous ne parvenez pas à résoudre le problème, le manuel d‘utilisation va vous montrer le chemin d'une nouvelle procédure – le contact avec le centre de service à la clientèle ou le service le plus proche.