User Guide
Page 3
..., Interfaces, and Ports 7 1.3 Management Overview ...7 1.4 Web Configurator ...8 1.5 Stopping the ZyWALL ...19 1.6 Rack-mounting ...19 1.7 Front Panel ...20 How to Set Up Your Network... Tunnel 34 2.7 How to Set Up an IPv6-in-IPv4 Tunnel 38 Protecting Your Network ...45 3.1 Firewall ...45 3.2 User-aware Access Control ...46 3.3 Endpoint Security (EPS) ...47 3.4 Device and Service ......63 4.2 VPN Concentrator Example ...65 4.3 Hub-and-spoke IPSec VPN Without VPN Concentrator 67 4.4 ZyWALL IPSec VPN Client Configuration Provisioning 69 4.5 SSL VPN ...73 4.6 L2TP VPN with Android, iOS, ...
User Guide
Page 5
.... Security Router Security features include a stateful inspection firewall, intrusion, detection & prevention, anomaly detection & prevention, content filtering, anti-virus, and anti-spam. Figure 1 Applications: Security Router IPv6 Routing The ZyWALL supports IPv6 Ethernet, PPP, VLAN, and bridge routing. The ZyWALL can also purchase the ZyWALL OTPv2 One-Time ZyWALL USG100-PLUS User's Guide 5 CHAPTER 1 Introduction 1.1 Overview Here...
User Guide
Page 13
... Internet connection for load balancing. Routing Policy Route Create and manage routing policies. DDNS Profile Define and manage the ZyWALL's DDNS domain names. Network Interface Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces. Trunk Create and manage trunks (...including areas and virtual links. NAT Set up and manage HTTP redirection rules. Auth. Firewall Firewall Create and manage level-3 traffic rules. VPN ZyWALL USG100-PLUS User's Guide 13 Service View the licensed service status and upgrade licensed services. Tunnel ...
User Guide
Page 18
...Common Table Icons Here are moving becomes number 6 and the previous entry 6 (if there is important (features where the ZyWALL applies the table's entries in order like the firewall for example), you can select an entry and click Add to create a new entry after the selected entry. Disconnect .... For example, if you type 6, the entry you are descriptions for table entries with changes that you typed. Working with Lists 18 ZyWALL USG100-PLUS User's Guide Inactivate To turn on an entry, select it and click Inactivate. Activate To turn off an entry, select it and click...
User Guide
Page 24
...and move it to the Member box and click OK. See www.zyxel.com for cellular WAN (Internet) connections. In this 3G connection. Enter...to reverse the sequence. 1 Make sure the 3G device's SIM card is highly recommended that you can configure firewall rules to apply specific security settings to this VPN zone. 2.3 How to the 3G connection. Chapter 2 How...Set Up Your Network 3 Back to the Configuration > Network > Zone screen and click Add in this example). 24 ZyWALL USG100-PLUS User's Guide Select the 3G device's entry and click Edit. 4 Enable the interface and add it to a zone....
User Guide
Page 45
... Configuration on page 113 for NAT (DNAT) and policy routes (SNAT). A LAN user can also control traffic for an example). Figure 26 Default Firewall Action LAN WAN ZyWALL USG100-PLUS User's Guide 45 The firewall can initiate a Telnet session from within zones for services using flexible/dynamic port numbers (see Section 5.7 on page 60...
User Guide
Page 46
... You can configure many policies and security settings for certain interfaces. Here is not applying your firewall rules for specific users or groups of the authentication method setting. Method. The ZyWALL only applies a zone's rules to the interfaces that the traffic would also match. •...Even if you must authenticate the ext-user accounts. • Attempts to add the admin users to authenticate users before any user group. 46 ZyWALL USG100-PLUS User's Guide Users can use a RADIUS server to a user group with access users will fail. Click Configuration > Object > AAA Server >...
User Guide
Page 64
... and to which traffic may be the remote IPSec router's self-signed certificate or that signed the remote IPSec router's certificate. 64 ZyWALL USG100-PLUS User's Guide Chapter 4 Create Secure Connections Across the Internet 4.1.3 What Can Go Wrong If the IPSec tunnel does not build properly,... using manual keys, both IPSec routers and check the settings in the routing table. Before doing so, ensure that CA. Regular firewall rules check packets the ZyWALL sends before testing your ISP supports AH or ESP (whichever you are using). • If you enable NAT traversal, the remote...
User Guide
Page 66
... 2): • Local Policy: 192.168.12.0/255.255.255.0 • Remote Policy: 192.168.1.0/255.255.255.0 • Disable Policy Enforcement Policy Route 66 ZyWALL USG100-PLUS User's Guide Firewall • Block traffic from VPN tunnel 2 from accessing the LAN. Chapter 4 Create Secure Connections Across the Internet • Source: 192.168.11.0 •...
User Guide
Page 67
...168.11.0 • Next Hop: VPN Tunnel 2 4.2.1 What Can Go Wrong Consider the following settings. Branch Office A (ZyNOS-based ZyWALL): Gateway Policy (Phase 1): • My Address: 10.0.0.2 ZyWALL USG100-PLUS User's Guide 67 This may require you to use more than one VPN rule for each spoke. • To have all...Concentrator Here is an example of a hub-and-spoke VPN that does not use 0.0.0.0 (any) as the remote IP address. • Your firewall rules can still block VPN packets. • If the concentrator's VPN tunnels are members of the networks with which the spoke is not set ...
User Guide
Page 69
...rules in the spoke routers to use the ZyWALL IPSec VPN Client to go through the VPN tunnel. 4.4 ZyWALL IPSec VPN Client Configuration Provisioning VPN configuration provisioning gives ZyWALL IPSec VPN Client users VPN rule settings automatically. ZyWALL USG100-PLUS User's Guide 69 This may require you...wizard. 2 Configure a username and password for the rule on the ZyWALL. 3 On a computer, use 0.0.0.0 (any) as the remote IP address. • Your firewall rules can still block VPN packets. • If the ZLD-based ZyWALLs' VPN tunnels are members of a single zone, make sure it ...
User Guide
Page 105
...Name. Select any in the IP Address field and WAN in the Time to Live field to apply this rule for 5 minutes. ZyWALL USG100-PLUS User's Guide 105 Enter 300 in the Zone field to have DNS query senders keep the resolved DNS entries on their computers for all...the WAN zone receives. Select Enable, enter *.example.com as the load balancing algorithm. Continue to go to the Configuration > Firewall and Configuration > Network > NAT screens to the ZyWALL that often. • If you choose Custom in the Load Balancing Member screen and enter another IP address for a member ...
User Guide
Page 107
If a domain name is the destination because the ZyWALL applies NAT to the HTTP server's DMZ IP address object (DMZ_HTTP). Set the Access field to allow the public to send HTTP traffic to IP ... HTTP, and click OK. Set the From field as WAN and the To field as DMZ. Set the Destination to traffic before applying the firewall rule. Click Configuration > Firewall > Add. Chapter 5 Managing Traffic 5.5.2 Set Up a Firewall Rule Create a firewall rule to allow and the Service to access the web server. ZyWALL USG100-PLUS User's Guide 107
User Guide
Page 108
...'s a zone's rules to the interfaces that comes earlier in order and applies the first firewall rule the traffic matches. Select Enable H.323 ALG and Enable H.323 transformations and click Apply. 108 ZyWALL USG100-PLUS User's Guide Here is assigned to WAN zone. 5.6 How to Manage Voice Traffic Here... are examples of how to configure NAT and the firewall to have an H.323 device on the LAN and using IP address...
User Guide
Page 109
...for -H323 IP address to go to LAN IP address 192.168.1.56. Click OK. 5.6.1.3 Set Up a Firewall Rule For H.323 Configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to the WAN interface. Figure 43 Configuration > Network > ALG Chapter 5 Managing Traffic...Type to Port, the Protocol Type to TCP and the original and mapped ports to the H.323 device's LAN IP address object (LAN_H323). ZyWALL USG100-PLUS User's Guide 109 Set the Mapped IP to 1720. Configure a name for the rule (WAN-LAN_H323 here). Set the Incoming Interface to ...
User Guide
Page 110
Click OK. 5.6.2 How to Use an IPPBX on the DMZ This is the destination because the ZyWALL applies NAT to traffic before applying the firewall rule. In the To field select LAN1. Repeat to create a host address object named IPPBX-Public for the public WAN IP address 1.1.1.2. • Configure... an IPv4 host address object for the rule (WAN-to the WAN so you will use the WAN interface. 110 ZyWALL USG100-PLUS User's Guide Chapter 5 Managing Traffic 1 Click Configuration > Firewall > Add. The local SIP clients are on the WAN interface and map to the IPPBX's private IP address of ...
User Guide
Page 111
... Network > NAT > Add 5.6.2.3 Set Up a WAN to the IPPBX. IPPBX_DMZ is the destination because the ZyWALL applies NAT to allow the public to send SIP traffic to DMZ Firewall Rule for making SIP calls. If a domain name is registered for IP address 1.1.1.2, users can use it to... for IP address 1.1.1.2, users can use the IPPBX. • Click OK. Set the Access field to traffic before applying the firewall rule. ZyWALL USG100-PLUS User's Guide 111 Chapter 5 Managing Traffic • Set the Original IP to the IPPBX's DMZ IP address object (DMZ_SIP). Click Configuration...
User Guide
Page 112
...Traffic 5.6.2.4 Set Up a DMZ to LAN Firewall Rule for SIP The firewall blocks traffic from the DMZ zone to the LAN1 zone by default so you need to create a firewall rule to allow and click OK. 5.6.3 What Can Go Wrong • The ZyWALL checks the firewall rules in the list, it may be... unexpectedly blocked. • The ZyWALL does not apply the firewall rule. Set the Source to WAN zone. 112 ZyWALL USG100-PLUS User's Guide Make sure the WAN interface is assigned to IPPBX_DMZ....
User Guide
Page 119
... is set to accept. • The to-ZyWALL firewall rules allow the ZyWALL to be accessed from a remote user using HTTPS...ZyWALL from WAN There are more secure than others. CHAPTER 6 Maintenance These sections cover managing and maintaining the ZyWALL... How to Manage ZyWALL Configuration Files on page 124 • How to Manage ZyWALL Firmware on page ...ZyWALL's Diagnostic File on page 130 • How to Capture Packets on the ZyWALL on page 131 • How to Get the ZyWALL...ZyWALL firewall rule to block this traffic. HTTPS and SSH access are several ways that remote users can manage the ZyWALL...
User Guide
Page 120
... use this service. 3 If you want to create a different service control rule for details. 6.1.2 Check Firewall Settings 1 Click Configuration > Firewall. 2 If the WAN to ZyWALL firewall rule denies access, double-click it to edit it. Refer to How to Configure Service Control in the... Default_Allow_WAN_To_ZyWALL service group list go to the Object > Service > Service Group screen to edit it. 120 ZyWALL USG100-PLUS User's Guide ...