User Guide
Page 2
...shows how to connect the ZyWALL and access the Web Configurator wizards. (See the wizard real time help for help icon in any screen for information on the ZyWALL Video Example 80 Configuring L2TP... Set Up an IPv6-in-IPv4 Tunnel Video Example 42 Content Filtering Video Example 56 ZyWALL IPSec VPN Client Configuration Provisioning Video Example 72 SSL VPN Video Example 74 Configuring L2TP ... how to use the Web Configurator to configure the ZyWALL. Note: It is recommended you use the Command-Line Interface (CLI) to configure the ZyWALL. • Web Configurator Online Help Click the help...
User Guide
Page 3
...an IPv6 6to4 Tunnel 34 2.7 How to Set Up an IPv6-in-IPv4 Tunnel 38 Protecting Your Network ...45 3.1 Firewall ...45 3.2 User-aware Access Control ...46 3.3 Endpoint Security (EPS) ...47 3.4 Device and Service Registration ...47 3.5 Anti-Virus Policy Configuration ...48 3.6 IDP Profile Configuration ... Across the Internet 63 4.1 IPSec VPN ...63 4.2 VPN Concentrator Example ...65 4.3 Hub-and-spoke IPSec VPN Without VPN Concentrator 67 4.4 ZyWALL IPSec VPN Client Configuration Provisioning 69 4.5 SSL VPN ...73 4.6 L2TP VPN with Android, iOS, and Windows 75 4.7 One-Time Password Version...
User Guide
Page 4
...Management 93 5.2 How to Configure a Trunk for WAN Load Balancing 100 5.3 How to Use Multiple Static Public WAN IP Addresses for LAN-to-WAN Traffic 103 5.4 How to Configure DNS Inbound Load Balancing 104 5.5 How to Allow Public Access to a Web Server 106 5.6 How to Manage Voice Traffic ...108... to Use a RADIUS Server to Authenticate User Accounts based on Groups 122 6.3 How to Use SSH for Secure Telnet Access 123 6.4 How to Manage ZyWALL Configuration Files 124 6.5 How to Manage ZyWALL Firmware 125 6.6 How to Download and Upload a Shell Script 126 6.7 How to Save System Logs to a USB ...
User Guide
Page 5
Figure 1 Applications: Security Router IPv6 Routing The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. Figure 2 Applications: IPv6 Routing VPN Connectivity Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. Security Router Security features include a stateful inspection firewall, intrusion, detection & prevention...
User Guide
Page 6
...Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN client user logins. Figure 4 SSL VPN With Full Tunnel Mode LAN (192.168.1.X) https:// Web Mail File Share Non-Web Web-based Application Application Server User-Aware Access Control Set up security policies to restrict access to access it. Chapter 1...a remote user and gives him a private IP address in the same subnet as the local network so he can access network resources in and cannot access either. 6 ZyWALL USG100-PLUS User's Guide User C is trying to sensitive information and shared resources based on the user who is not...
User Guide
Page 7
Figure 5 Applications: User-Aware Access Control A B C Chapter 1 Introduction Load Balancing Set up multiple connections to interfaces may use "the WAN interface" rather than the specific name used in the following ways. In either case, you can manage the ZyWALL in your model. For example, this ...guide may be generic rather than "wan1" or "wan2". ZyWALL USG100-PLUS User's Guide 7 Figure 6 Applications: Multiple WAN Interfaces 1.2 Default Zones, Interfaces...
User Guide
Page 8
Figure 8 Managing the ZyWALL: Web Configurator Command-Line Interface (CLI) The CLI allows you must: • Use one of the following web browser versions or later: Internet Explorer 7, Firefox 3.5, Chrome 9.0, Opera 10.0, Safari 4.0 • Allow pop-up windows (blocked by the Vantage CNM server. Access it using an Internet browser. The default settings...
User Guide
Page 9
...a number and enter it is properly connected. Select how often to keep this request to its default configuration; ZyWALL USG100-PLUS User's Guide 9 If you click Ignore, the Installation Setup Wizard opens if the ZyWALL is only good for one login. otherwise the dashboard appears. See the Quick Start Guide. 2 In your... to http://192.168.1.1. If you logged in using its HTTPS server, and it in the One-Time Password field. Chapter 1 Introduction 1.4.1 Web Configurator Access 1 Make sure your browser go to generate a new number the next time you log in. 4 Click Login.
User Guide
Page 14
... the ZyWALL IPSec VPN Client. Anti-Spam General Turn anti-spam on or off and manage anti-spam policies. Chapter 1 Introduction Table 4 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION IPSec VPN VPN Connection Configure IPSec tunnels. VPN Gateway Configure IKE tunnels. SSL VPN Access Privilege Configure SSL VPN access rights...
User Guide
Page 15
... Create and manage host, range, and network (subnet) addresses. LDAP Configure the LDAP settings. Certificate My Certificates Create and manage the ZyWALL's certificates. Login Page Configure how the login and access user screens look. TELNET Configure telnet server settings for user sessions, and rules to force user authentication. SNMP Configure SNMP communities...
User Guide
Page 25
... should contain a "cellular" entry. When its default trunk and you can use the Trunk screens to add it , use the 3G connection to access the Internet. 6 The ZyWALL automatically adds the cellular interface to the system default WAN trunk. This prevents you from being charged using a user-configured trunk as its connection...
User Guide
Page 26
... connecting to enable auto-configuration and configure prefix delegation. • DHCPv6 Setting - Chapter 2 How to Set Up Your Network This way the ZyWALL can still access the Internet, your cellular interface is properly configured and your cellular device is working. 2.4 How to Configure Ethernet, PPP, VLAN, Bridge and Policy Routing The ...
User Guide
Page 45
... and the firewall allows the response. Firewall rules can initiate a Telnet session from within zones for an example). To-ZyWALL firewall rules control access to control services using static port numbers. The firewall also limits the number of management from the LAN, HTTPS from ... blocks Telnet traffic initiated from the DMZ. CHAPTER 3 Protecting Your Network These sections cover configuring the ZyWALL to protect your network. • Firewall on page 45 • User-aware Access Control on page 46 • Endpoint Security (EPS) on page 47 • Device and Service...
User Guide
Page 46
... the ext-user accounts. • Attempts to add the admin users to a user group with access users will always fail if the ZyWALL tries to use the local database to allow access for the RADIUS server. An external server such as HTTP, you want to apply to have the...the firewall to authenticate an ext-user. You cannot have the ZyWALL use the authentication method in the RADIUS server. 2 Set up the authentication method, Click Configuration > Object > Auth. Doubleclick the default entry. You cannot put access users and admin users in order and applies the first firewall ...
User Guide
Page 47
... account and register the device. 2 Click the Service tab. Click Configuration > Licensing > Registration to be found on the Registration screen. ZyWALL USG100-PLUS User's Guide 47 Chapter 3 Protecting Your Network 3.3 Endpoint Security (EPS) Use endpoint security objects with a minimum version of ...with authentication policies or SSL VPN to make sure users' computers meet specific security requirements before they are allowed to access the network. 1 Configure endpoint security objects (Configuration > Object > Endpoint Security > Add). 2 Configure an authentication policy to ...
User Guide
Page 54
... and select Enable Content Filter Category Service and select desired actions for the different web page categories. Click Apply. 54 ZyWALL USG100-PLUS User's Guide This tutorial shows you to control access to specific web sites or filter web content by checking against an external database. Note: You need to first activate...
User Guide
Page 56
Chapter 3 Protecting Your Network 3.8.1 Content Filtering Video Example Use Adobe Reader 9 or later or a recent version of access attempts to web sites belonging to register your iCard before you can also view content filtering reports during the free trial (up to 30 days). 1 ... reports. You need to confirm that you selected in your device content filter screen. Fill in your myZyXEL.com account information and click Login. 56 ZyWALL USG100-PLUS User's Guide After clicking play, you may need to the categories you want to play the content and click play this video.
User Guide
Page 64
...its Trusted Certificates to authenticate the remote IPSec router's certificate. Here are using). • If you enable this, make sure the To-ZyWALL firewall rules allow UDP port 4500 too. • Make sure regular firewall rules allow IPSec VPN traffic to identify a configuration problem. ...so, ensure that are /were previously connected using a packet analyzer such as Wireshark). If the ZyWALL's certificate is also helpful to look at the other 's certificates. If you have Internet access (via the IPSec routers). • It is self-signed, import it is working, ping from...
User Guide
Page 65
... have the same negotiation mode. Here a VPN concentrator connects ZLD-based ZyWALLs at headquarters (HQ) and branch offices A and B in one secure network. • Branch A's ZyWALL uses one VPN rule to access both the headquarters (HQ) network and branch B's network. • Branch B's ZyWALL uses one secure network. This reduces the number of through the...
User Guide
Page 66
....12.0/255.255.255.0 • Remote Policy: 192.168.1.0/255.255.255.0 • Disable Policy Enforcement Policy Route 66 ZyWALL USG100-PLUS User's Guide Firewall • Block traffic from VPN tunnel 2 from accessing the LAN. Chapter 4 Create Secure Connections Across the Internet • Source: 192.168.11.0 • Destination: 192.168.12...