User Guide
Page 3
..., Interfaces, and Ports 7
1.3 Management Overview 7
1.4 Web Configurator 8
1.5 Stopping the ZyWALL 19
1.6 Rack-mounting 19
1.7 Front Panel 20
How to Set Up Your Network ...
... Tunnel 34
2.7 How to Set Up an IPv6-in-IPv4 Tunnel 38
Protecting Your Network 45
3.1 Firewall 45
3.2 User-aware Access Control 46
3.3 Endpoint Security (EPS) 47
3.4 Device and Service ...
... 63
4.2 VPN Concentrator Example 65
4.3 Hub-and-spoke IPSec VPN Without VPN Concentrator 67
4.4 ZyWALL IPSec VPN Client Configuration Provisioning 69
4.5 SSL VPN 73
4.6 L2TP VPN with Android, iOS, ...
User Guide
Page 5
Security Router
Security features include a stateful inspection firewall, intrusion detection & prevention, anomaly detection & prevention, content filtering, anti-virus, and anti-spam. The ZyWALL can also ... purchase the ZyWALL OTPv2 One-Time ...
Figure 1 Applications: Security Router
IPv6 Routing
The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. You can also route IPv6 packets through IPv4 networks using ... policy routes and IPv6 objects.
Figure 2 Applications: IPv6 Routing
VPN ...
The following chapters have configuration tutorials.
ZyWALL USG100-PLUS User's Guide 5
User Guide
Page 13
... ALG: Configure SIP, H.323, and FTP pass-through settings.
Tunnel: Configure tunneling between IPv4 and IPv6 networks.
Firewall > Firewall: Create and manage level-3 traffic rules.
HTTP Redirect: ...
...: Set up and manage port forwarding rules.
Licensing > Registration > Registration: Register ...
...: ... anti-virus signatures immediately or by a schedule.
Bridge: Create and manage bridges and virtual bridge interfaces.
VPN: ...
Service: View the licensed service status and upgrade licensed services.
Routing > Policy Route: Create and ...
User Guide
Page 18
... For features where the ZyWALL applies the table's entries in numbered order (like the firewall), an entry's position in the list is important. ... the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one ... You can also use the [Shift] or [Ctrl] key to select multiple entries, and ... click Add ... Here are descriptions for table entries with ... lists.
Table 6 Common Table Icons
LABEL: DESCRIPTION
Add: Click this to ...
User Guide
Page 24
... sequence.
1 Make sure the 3G device's SIM card is installed.
2 Connect the 3G device to one of the ZyWALL's USB ports.
3 Click Configuration > Network > Interface > Cellular. See www.zyxel.com for ... cellular WAN (Internet) connections. Enter the PIN Code provided by the cellular 3G service provider (0000 ... in this example).
2.3 How to ...
... Back to ... Network ... Select WIZ_VPN and move it to the Member box and click OK. It is highly recommended that you configure firewall rules to apply specific security settings to this VPN zone.
User Guide
Page 45
CHAPTER 3 Protecting Your Network
These sections cover configuring the ...
3.1 Firewall
... traffic and how stateful inspection works. Firewall rules can use schedule, user, user group, address, address group, service, and service group objects. ... A LAN user can ... initiate a Telnet session from the DMZ ...
Figure 26 Default Firewall Action (LAN, WAN)
User Guide
Page 46
3.2 User-aware Access Control
... The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches, so make sure the user ... you want to apply to the traffic comes before any user group. You cannot put access users and admin users in ... Users can be authenticated locally by the ZyWALL or by an external (AD, RADIUS, or LDAP) authentication server. An external server such as AD, LDAP or RADIUS must also enable the service in order ... (such as HTTP ...) ... authenticating wireless clients, HTTP and HTTPS clients, IPSec gateways (extended ...
User Guide
Page 64
... other ...
• Make sure regular firewall rules allow IPSec VPN traffic to the ZyWALL. ... make sure the To-ZyWALL firewall rules allow UDP port 4500 too.
• You must create a policy route for the ZyWALL and remote IPSec router first ... Check the configuration ... for example, by RIP and would ...
• It may be the remote IPSec router's self-signed certificate or the one that signed the remote IPSec router's certificate.
• Make sure both the ZyWALL and remote IPSec router have the same security settings ... both computers have Internet access (via the IPSec routers). ...
User Guide
Page 66
Chapter 4 Create Secure Connections Across the Internet
... (Tunnel 2):
• Local Policy: 192.168.12.0/255.255.255.0
• Remote Policy: 192.168.1.0/255.255.255.0
• Disable Policy Enforcement
Policy Route
• Source: 192.168.11.0
• Destination: 192.168.12.0
• Next Hop: VPN Tunnel ...
...
• Remote Policy: 192.168.12.0/255.255.255.0
• Disable Policy Enforcement
Concentrator
• Add VPN tunnel 1 and VPN tunnel 2 to an IPSec VPN concentrator.
Firewall
• Block traffic from VPN tunnel 2 from accessing the LAN.
User Guide
Page 67
This may require you to use the ZyWALL's VPN concentrator feature. ... Here branch office A has a ZyNOS-based ZyWALL, and headquarters (HQ) and branch office B have ZLD-based ZyWALLs. ... headquarters (HQ) and branch office B have a VPN tunnel ...
• Branch A's ZyWALL uses one VPN rule to access both the headquarters (HQ) network and branch B's network.
• Branch B's ZyWALL uses one VPN ... both the headquarters and branch A's networks.
Figure 28 Hub-...
• ... set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
• Your firewall rules can still block VPN packets.
• If the concentrator's VPN tunnels are ...
User Guide
Page 69
• ..., set the VPN rules in the spoke routers to use 0.0.0.0 (any) as the remote IP address.
• Your firewall rules can still block VPN packets.
• If the ZLD-based ZyWALLs' VPN tunnels are members of a single zone, make sure it is not set to block intra-zone traffic.
• ... must have at least one VPN rule.
• To have all Internet access from the spoke routers go through the VPN tunnel, ...
4.4 ZyWALL IPSec VPN Client Configuration Provisioning
VPN configuration provisioning gives ZyWALL IPSec VPN Client users VPN rule settings automatically.
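The settings listed for the concentrator example (page 66) and the hub-and-spoke requirements above only make sense together: the spoke needs a policy route whose next hop is the tunnel (or a remote policy of any) because its tunnel's remote policy covers only HQ, Policy Enforcement has to be off on both ends because spoke-to-spoke packets do not fit the local/remote policies of either tunnel, the hub relays between tunnels only when both belong to one concentrator, and a firewall rule (or a zone that blocks intra-zone traffic) can still drop what comes out of a tunnel. The following model, written for this page and not ZyXEL's code, walks a packet through those decisions on a spoke and on the hub. It uses the tutorial's subnets (HQ 192.168.1.0/24, branch A 192.168.11.0/24, branch B 192.168.12.0/24); the host addresses, the zone name IPSec_VPN, the default action "deny" when no rule matches, the reading of "0.0.0.0 (any) as the remote IP address" as a remote policy of 0.0.0.0/0, and all function names are assumptions of the example.

```python
"""Hub-and-spoke IPsec forwarding model (added example, not ZyXEL code).

Hub HQ 192.168.1.0/24, spoke A 192.168.11.0/24, spoke B 192.168.12.0/24 as in
the tutorial. A spoke sends a LAN packet into a tunnel via a policy route or if
the destination is in the tunnel's remote policy, and with Policy Enforcement
on it drops anything outside the local/remote policies. The hub relays between
tunnels only when both are in one VPN concentrator, and the zone firewall
(intra-zone blocking included) decides what may leave a tunnel. Hosts, the zone
name IPSec_VPN, the default action "deny" and all names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def _in(addr, cidr):
    return ip_address(addr) in ip_network(cidr)

@dataclass
class Tunnel:
    local: str                      # local policy (CIDR)
    remote: str                     # remote policy (CIDR); "0.0.0.0/0" = any
    policy_enforcement: bool = True
    zone: str = "IPSec_VPN"

    def matches(self, src, dst):    # Policy Enforcement off: any src/dst pair may use the tunnel
        return not self.policy_enforcement or (_in(src, self.local) and _in(dst, self.remote))

@dataclass
class ZyWALL:
    lan: str
    tunnels: dict = field(default_factory=dict)        # name -> Tunnel
    policy_routes: list = field(default_factory=list)  # (source, destination, next-hop tunnel name)
    concentrator: frozenset = frozenset()              # tunnel names placed in the VPN concentrator
    firewall: list = field(default_factory=list)       # (from_zone, to_zone, source CIDR|"any", action); first match wins
    block_intra_zone: frozenset = frozenset()          # zones with "block intra-zone traffic" set
    default_action: str = "deny"

    def firewall_action(self, from_zone, to_zone, src):
        if from_zone == to_zone and from_zone in self.block_intra_zone:
            return "deny"
        for fz, tz, source, action in self.firewall:
            if fz == from_zone and tz == to_zone and (source == "any" or _in(src, source)):
                return action
        return self.default_action

    def send_from_lan(self, src, dst):
        """Spoke side: name of the tunnel the packet enters, 'internet', or 'dropped'."""
        name = next((hop for s, d, hop in self.policy_routes if _in(src, s) and _in(dst, d)), None)
        if name is None:
            name = next((n for n, t in self.tunnels.items() if _in(dst, t.remote)), None)
        if name is None:
            return "internet"
        return name if self.tunnels[name].matches(src, dst) else "dropped"

    def receive_from_tunnel(self, in_name, src, dst):
        """Hub side: where a decrypted packet that arrived on tunnel in_name ends up."""
        t = self.tunnels[in_name]
        if not t.matches(dst, src):                    # inbound: the local side is the destination
            return "dropped: outside local/remote policy"
        if _in(dst, self.lan):
            return "LAN" if self.firewall_action(t.zone, "LAN", src) == "allow" else "dropped: firewall"
        out = next((n for n, o in self.tunnels.items() if n != in_name and _in(dst, o.remote)), None)
        if out is None:
            return "dropped: no route"
        if not {in_name, out} <= self.concentrator:
            return "dropped: tunnels not in one concentrator"
        if not self.tunnels[out].matches(src, dst):
            return "dropped: outside local/remote policy"
        return out if self.firewall_action(t.zone, self.tunnels[out].zone, src) == "allow" else "dropped: firewall"

HUB = ZyWALL("192.168.1.0/24",
             {"tunnel1": Tunnel("192.168.1.0/24", "192.168.11.0/24", policy_enforcement=False),
              "tunnel2": Tunnel("192.168.1.0/24", "192.168.12.0/24", policy_enforcement=False)},
             concentrator=frozenset({"tunnel1", "tunnel2"}),
             firewall=[("IPSec_VPN", "LAN", "192.168.12.0/24", "deny"),   # block tunnel 2 -> LAN
                       ("IPSec_VPN", "LAN", "any", "allow"),
                       ("IPSec_VPN", "IPSec_VPN", "any", "allow")])        # spoke-to-spoke through the hub
SPOKE_A = ZyWALL("192.168.11.0/24",
                 {"tunnel1": Tunnel("192.168.11.0/24", "192.168.1.0/24", policy_enforcement=False)},
                 [("192.168.11.0/24", "192.168.12.0/24", "tunnel1")])     # policy route, next hop = tunnel

def spoke_a_to_branch_b():          # the policy route steers branch-to-branch traffic into the hub tunnel
    return SPOKE_A.send_from_lan("192.168.11.5", "192.168.12.7")

def spoke_a_enforcing_policy():     # same route, Policy Enforcement left on: dst is outside the remote policy
    strict = ZyWALL(SPOKE_A.lan, {"tunnel1": Tunnel("192.168.11.0/24", "192.168.1.0/24")}, SPOKE_A.policy_routes)
    return strict.send_from_lan("192.168.11.5", "192.168.12.7")

def spoke_with_remote_any():        # remote policy 0.0.0.0/0: branch and Internet traffic both use the tunnel
    s = ZyWALL("192.168.11.0/24", {"tunnel1": Tunnel("192.168.11.0/24", "0.0.0.0/0")})
    return s.send_from_lan("192.168.11.5", "192.168.12.7"), s.send_from_lan("192.168.11.5", "198.51.100.9")

def hub_relays_a_to_b():
    return HUB.receive_from_tunnel("tunnel1", "192.168.11.5", "192.168.12.7")

def hub_blocks_b_to_lan():
    return HUB.receive_from_tunnel("tunnel2", "192.168.12.7", "192.168.1.10")

def hub_without_concentrator():
    return ZyWALL(HUB.lan, HUB.tunnels, [], frozenset(), HUB.firewall).receive_from_tunnel("tunnel1", "192.168.11.5", "192.168.12.7")

def hub_blocking_intra_zone():      # the warning above about a single zone set to block intra-zone traffic
    h = ZyWALL(HUB.lan, HUB.tunnels, [], HUB.concentrator, HUB.firewall, frozenset({"IPSec_VPN"}))
    return h.receive_from_tunnel("tunnel1", "192.168.11.5", "192.168.12.7")
```

The hub's firewall entry for 192.168.12.0/24 is what "block traffic from VPN tunnel 2 from accessing the LAN" amounts to when both tunnels share one zone: a zone-only rule cannot tell the tunnels apart, so the rule must match on the spoke's source network (or the tunnels must be placed in separate zones).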
User Guide
Page 105
Chapter 5 Managing Traffic
... often.
• If you choose Custom in the Load Balancing Member screen and enter another IP address for a member interface, make sure the entered IP address is configured in the ... table.
... Click Add to add WAN1 and WAN2 as ... Enter 300 in the ... field so that the DNS request senders do not need to send new queries ... for 5 minutes. Click OK.
2 Click Add in the corresponding ... Zone ... to configure the corresponding firewall rules and NAT virtual server for all DNS query messages the WAN zone receives.
User Guide
Page 107
..., and click OK. Because DMZ_HTTP is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server. Click Configuration > Firewall > Add. Set the From field as WAN and the To field as DMZ. Set the Access field to allow the public to ...
User Guide
Page 108
... Peer-to-peer Calls Example
... you have an H.323 device on the LAN using IP address 192.168.1.56 ... 10.0.0.8 ... firewall ...
• The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic matches a rule that comes earlier in the list, it may be unexpectedly blocked ... 10.0.0.8 to be unexpectedly blocked.
• The ZyWALL only applies a zone's rules to the interfaces that belong to the zone. ... is assigned to WAN ... otherwise the ZyWALL does not apply the firewall rule.
5.6.1.1 Turn On the ALG
Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply.
User Guide
Page 109
You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls ...
1 Click Configuration > Network > NAT > Add > Create ... Set the Incoming Interface to ... and the ... to 1720. Set the Original IP to the WAN address object (WAN_IP ...) ... a name for the rule (WAN-LAN_H323 here). Click OK.
5.6.1.3 Set Up a Firewall Rule For H.323
Configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56.
User Guide
Page 110
... LAN. Select Enable SIP ALG and Enable SIP Transformations and click Apply.
In this example you want to make an IPPBX (x6004) using SIP in the DMZ zone accessible from the WAN ... and also be able to send calls to the WAN, so you will use the WAN interface. In this example you have public IP address 1.1.1.2 that you ... Set the Classification to NAT 1:1.
• Set the Incoming Interface ...
Configure a name for the IPPBX's private DMZ IP address ...
1 Click Configuration > Firewall > Add. In the From field select WAN.
User Guide
Page 111
... SIP traffic to ... use it to connect to ... for SIP. The firewall blocks traffic from the WAN zone to the DMZ zone by default, so you need to create a firewall rule to allow ... and to allow the LAN users to reach the IPPBX.
• Set the ... Original IP to ... The ZyWALL translates the Original IP of the traffic before applying the firewall rule, so the firewall rule's destination is the private (translated) address.
Figure 46 Configuration > Network > NAT > Add
5.6.2.3 Set Up a ...
User Guide
Page 112
... the Destination to IPPBX_DMZ. Make sure the WAN interface is assigned to the ... zone ... the SIP clients on the LAN.
1 Click Configuration > Firewall > Add. Set the From field as DMZ and the To field as LAN1 ... Leave the Access field ... to allow the IPPBX to send SIP traffic to the WAN zone.
• The ZyWALL checks the firewall rules in order and applies the first firewall rule the traffic matches. If traffic matches a rule that comes earlier in the list, it may be unexpectedly blocked.
• The ZyWALL only applies a zone's rules to the interfaces that belong to the zone; otherwise the ZyWALL does not apply the firewall rule.
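The H.323 tutorial (pages 108 and 109) and the SIP tutorial (pages 110 to 112) repeat the same three points: the From zone is the zone the ingress interface belongs to, the NAT rule rewrites the destination before the firewall looks at the packet, and the first matching rule wins. The model below, written for this page and not ZyXEL's code, evaluates the tutorial's packets through those steps and shows the three ways the set-up silently fails: a rule written against the public address, a broad deny placed above the allow, and a WAN interface left out of the WAN zone. The H.323 addresses (WAN IP 10.0.0.8, LAN device 192.168.1.56, TCP 1720), the public IPPBX address 1.1.1.2, NAT 1:1 and the rule names come from the tutorial; the DMZ subnet, the private IPPBX address, the Internet source 203.0.113.5, SIP on UDP 5060, the interface and zone layout and the default action "deny" are assumptions of the example.

```python
"""Zone firewall with NAT applied before the rule lookup (added example, not ZyXEL code).

Models how the tutorial's H.323 and SIP set-ups are evaluated:
  1. the ingress interface's zone is the From zone; an interface in no zone
     matches no zone rule;
  2. the NAT rule (virtual server or 1:1) rewrites the destination first;
  3. zone firewall rules are checked top-down, first match wins, so the rule's
     Destination must be the translated (private) address.
Addresses, ports and rule names follow the tutorial where given; the DMZ
subnet, the IPPBX address, the Internet source 203.0.113.5, the zone/interface
layout and the default action "deny" are assumptions of this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str          # ingress interface
    proto: str          # "tcp" / "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    incoming_iface: str
    original_ip: str
    mapped_ip: str
    port: Optional[int] = None      # None = NAT 1:1 (every port); int = virtual server port

@dataclass(frozen=True)
class FwRule:
    name: str
    from_zone: str                  # zone name or "any"
    to_zone: str
    destination: str                # host/CIDR or "any"; this is the post-NAT address
    service: Tuple[str, Optional[int]]  # ("tcp", 1720) or ("any", None)
    action: str                     # "allow" / "deny"

class ZoneFirewall:
    def __init__(self, zones, nat_rules, fw_rules, default_action="deny"):
        # zones: {zone: {interface: subnet}}; "0.0.0.0/0" on the WAN catches every non-local address
        self.iface_zone = {i: z for z, ifs in zones.items() for i in ifs}
        self.zone_nets = sorted(((ip_network(n), z) for z, ifs in zones.items() for n in ifs.values()),
                                key=lambda p: p[0].prefixlen, reverse=True)   # most specific first
        self.nat_rules, self.fw_rules, self.default_action = list(nat_rules), list(fw_rules), default_action

    def zone_of(self, addr):
        return next((z for net, z in self.zone_nets if ip_address(addr) in net), None)

    def apply_nat(self, pkt):
        for r in self.nat_rules:
            if r.incoming_iface == pkt.iface and pkt.dst == r.original_ip and r.port in (None, pkt.dport):
                return Packet(pkt.iface, pkt.proto, pkt.src, r.mapped_ip, pkt.dport)
        return pkt

    def evaluate(self, pkt):
        """Return (action, reason) for a packet; NAT runs before the firewall lookup."""
        from_zone = self.iface_zone.get(pkt.iface)
        if from_zone is None:
            return self.default_action, f"{pkt.iface} is in no zone, so no zone rule applies"
        pkt = self.apply_nat(pkt)
        to_zone = self.zone_of(pkt.dst)
        for r in self.fw_rules:
            proto, port = r.service
            if (r.from_zone in ("any", from_zone) and r.to_zone in ("any", to_zone)
                    and (r.destination == "any" or ip_address(pkt.dst) in ip_network(r.destination))
                    and (proto == "any" or (proto == pkt.proto and port == pkt.dport))):
                return r.action, f"rule {r.name}: {from_zone}->{to_zone} dst {pkt.dst}"
        return self.default_action, f"no rule matched {from_zone}->{to_zone} dst {pkt.dst}"

ZONES = {"WAN": {"wan1": "0.0.0.0/0"}, "LAN1": {"lan1": "192.168.1.0/24"}, "DMZ": {"dmz": "192.168.3.0/24"}}
IPPBX_DMZ = "192.168.3.100"                                           # assumed private IPPBX address
NAT = [NatRule("wan1", "10.0.0.8", "192.168.1.56", port=1720),         # WAN-LAN_H323 virtual server
       NatRule("wan1", "1.1.1.2", IPPBX_DMZ)]                          # NAT 1:1 for the IPPBX
RULES = [FwRule("WAN-LAN_H323", "WAN", "LAN1", "192.168.1.56", ("tcp", 1720), "allow"),
         FwRule("WAN-DMZ_SIP", "WAN", "DMZ", IPPBX_DMZ, ("udp", 5060), "allow"),   # SIP signalling, UDP 5060
         FwRule("LAN1-DMZ_SIP", "LAN1", "DMZ", IPPBX_DMZ, ("udp", 5060), "allow"),
         FwRule("DMZ-WAN", "DMZ", "WAN", "any", ("any", None), "allow")]
FW = ZoneFirewall(ZONES, NAT, RULES)
H323_CALL = Packet("wan1", "tcp", "203.0.113.5", "10.0.0.8", 1720)     # constructed inbound call set-up

def h323_call_from_wan():
    return FW.evaluate(H323_CALL)[0]

def rule_written_against_public_ip():
    # The firewall sees 192.168.1.56 after NAT, so a rule whose Destination is 10.0.0.8 never matches.
    bad = FwRule("WAN-LAN_H323", "WAN", "LAN1", "10.0.0.8", ("tcp", 1720), "allow")
    return ZoneFirewall(ZONES, NAT, [bad]).evaluate(H323_CALL)[0]

def earlier_rule_shadows_allow():
    # A broad WAN->LAN1 deny above the H.323 allow wins because the first match is applied.
    block = FwRule("WAN-LAN1_block", "WAN", "LAN1", "any", ("any", None), "deny")
    return ZoneFirewall(ZONES, NAT, [block] + RULES).evaluate(H323_CALL)[0]

def wan_interface_not_in_zone():
    zones = {z: ifs for z, ifs in ZONES.items() if z != "WAN"}          # wan1 left out of the WAN zone
    return ZoneFirewall(zones, NAT, RULES).evaluate(H323_CALL)[0]

def sip_paths():
    """WAN->IPPBX, LAN->IPPBX and IPPBX->WAN, the three paths the SIP tutorial needs."""
    return (FW.evaluate(Packet("wan1", "udp", "203.0.113.5", "1.1.1.2", 5060))[0],
            FW.evaluate(Packet("lan1", "udp", "192.168.1.20", IPPBX_DMZ, 5060))[0],
            FW.evaluate(Packet("dmz", "udp", IPPBX_DMZ, "203.0.113.5", 5060))[0])
```

A real ZyWALL also opens the media ports the ALG negotiates from the signalling channel; that part is not modelled here, which is why the rules above carry only the H.323 and SIP signalling ports.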
User Guide
Page 119
... ZyWALL ...
• How to Manage ZyWALL Configuration Files on page 124
• How to Manage ZyWALL Firmware ... on page 125
• How to Download and Upload a Shell Script on page 126
• How to Save System Logs to a USB Storage Device on page 127
• How to Get the ZyWALL ...'s Diagnostic File on page 130
• How to Capture Packets on the ZyWALL on page 131
• How to Get the ZyWALL ...
... and users are allowed to access the ZyWALL from the WAN using one of these services ... ZyWALL firewall rule to block this traffic. To allow this traffic ... To allow the ZyWALL to ... -ZyWALL firewall ...
User Guide
Page 120
... > Service Group screen to edit it. Mouse over the Service field and ... if HTTPS is ... to access the ZyWALL from the specified computers.
• ALL under Zone means that all ZyWALL zones are allowed to use this service.
• ALL under Address means that all computers are allowed to communicate with the ZyWALL using this service.
3 If you want to create a different service control rule ... for details.
6.1.2 Check Firewall Settings
1 Click Configuration > Firewall.
2 If the WAN to ZyWALL firewall rule denies access, double-click it to edit it.
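Two checks on this page concern the same rule table, the one whose To zone is the ZyWALL itself: the VPN troubleshooting list (page 64) wants the To-ZyWALL rules to pass IKE and, with NAT traversal, UDP 4500, and the management-access steps above want HTTPS from the WAN to pass both the service control table (where ALL under Zone or Address matches everything) and the WAN-to-ZyWALL firewall rule. The following check, written for this page and not ZyXEL's code, evaluates both and also flags the state a security engineer looks for first: a service control entry with Zone ALL and Address ALL combined with a permissive WAN-to-ZyWALL rule, which leaves the management UI open to the whole Internet. The rule sets, the trusted admin network 203.0.113.0/24, the probe address 198.51.100.77, the ESP requirement when NAT traversal is not used (standard IPsec, not stated on the page) and the "nothing matched means deny" default are assumptions of the example.

```python
"""To-ZyWALL access checks (added example, not ZyXEL code).

One model for two things the tutorial asks you to verify:
  * VPN troubleshooting: the WAN-to-ZyWALL firewall rules must let IKE
    (UDP 500) and, with NAT traversal, UDP 4500 reach the ZyWALL; without NAT
    traversal the ESP protocol must pass instead (standard IPsec, not from the page);
  * remote management: HTTPS from the WAN works only if the service control
    table (checked top-down; Zone ALL / Address ALL match everything) accepts
    the source AND the WAN-to-ZyWALL firewall rule allows TCP 443.
Rule sets, the trusted admin network 203.0.113.0/24 and the probe address
198.51.100.77 are constructed for this example; "nothing matched" is deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class ToZyWALLRule:                 # firewall rule whose To zone is the ZyWALL itself
    from_zone: str                  # zone name or "any"
    service: Tuple[str, Optional[int]]  # ("udp", 500), ("esp", None), ("any", None)
    action: str                     # "allow" / "deny"

@dataclass(frozen=True)
class ServiceControlRule:           # per-service table under Configuration > System (WWW, SSH, ...)
    zone: str                       # "ALL" or a zone name
    address: str                    # "ALL" or a CIDR
    action: str                     # "accept" / "deny"

def firewall_allows(rules, from_zone, proto, port=None):
    for r in rules:
        rproto, rport = r.service
        if r.from_zone in ("any", from_zone) and (rproto == "any" or (rproto == proto and rport == port)):
            return r.action == "allow"
    return False

def missing_vpn_services(rules, nat_traversal=True):
    """Services the WAN-to-ZyWALL rules fail to allow for an IPsec peer on the WAN."""
    needed = [("udp", 500), ("udp", 4500) if nat_traversal else ("esp", None)]
    return [s for s in needed if not firewall_allows(rules, "WAN", *s)]

def service_control_accepts(rules, zone, src_ip):
    for r in rules:
        if r.zone in ("ALL", zone) and (r.address == "ALL" or ip_address(src_ip) in ip_network(r.address)):
            return r.action == "accept"
    return False

def https_reachable(sc_rules, fw_rules, zone, src_ip):
    """(reachable, reason) for HTTPS management from a host in `zone`."""
    if not service_control_accepts(sc_rules, zone, src_ip):
        return False, "service control denies this zone/address"
    if not firewall_allows(fw_rules, zone, "tcp", 443):
        return False, f"{zone}-to-ZyWALL firewall rule denies HTTPS"
    return True, "allowed"

def https_open_to_internet(sc_rules, fw_rules):
    """True when an arbitrary Internet host can reach the management UI: the state to avoid."""
    return https_reachable(sc_rules, fw_rules, "WAN", "198.51.100.77")[0]

FW_GOOD = [ToZyWALLRule("WAN", ("udp", 500), "allow"), ToZyWALLRule("WAN", ("udp", 4500), "allow"),
           ToZyWALLRule("WAN", ("tcp", 443), "allow"), ToZyWALLRule("WAN", ("any", None), "deny"),
           ToZyWALLRule("LAN1", ("any", None), "allow")]
FW_NO_NATT = [ToZyWALLRule("WAN", ("udp", 500), "allow"), ToZyWALLRule("WAN", ("any", None), "deny")]
SC_DEFAULT = [ServiceControlRule("ALL", "ALL", "accept")]                  # constructed: one catch-all entry
SC_TIGHT = [ServiceControlRule("WAN", "203.0.113.0/24", "accept"),         # admins only, from the WAN
            ServiceControlRule("WAN", "ALL", "deny"),
            ServiceControlRule("ALL", "ALL", "accept")]                     # internal zones unchanged
```

With SC_DEFAULT and FW_GOOD the HTTPS service is reachable from any WAN address, which is exactly the combination the text describes when it says ALL under Zone and ALL under Address admit every computer; SC_TIGHT keeps the WAN-side allow but limits it to the admin network and denies the rest of the WAN before the catch-all entry is reached.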