User Guide
Page 19
...configuration. 1.1.1 Key Applications Here are some UAG application scenarios. Alternatively, you set up the network and enforce security policies efficiently. Security Router Security features include a stateful inspection firewall, anomaly detection & prevention, and content filtering. The De-Militarized Zone (DMZ) increases LAN ... management, NAT, port forwarding, policy routing, DHCP server and many other powerful features. Figure 1 Applications: Security Router UAG715 User's Guide 19 CHAPTER 1 Introduction 1.1 Overview The UAG is a comprehensive service gateway.
User Guide
Page 39
...server is the security zone to resolve domain names for this WAN connection's IP address. • Gateway IP Address: Enter the IP address of the router through which this WAN connection will belong. • IP Address: Enter your ISP. Leave the field as 0.0.0.0 if you by your (static) ...public IP address. The Domain Name System (DNS) maps a domain name to you do not want to configure DNS servers. 3.1.3 Internet Access: PPPoE Note...
User Guide
Page 40
... -_@$./ characters, and it can be blank. • Select Nailed-Up if you selected Auto as the IP Address Assignment in seconds that elapses before the router automatically disconnects from your ISP. This field can be up to 31 characters long. • Type the Password associated with your ISP. • Zone: This... - Your UAG accepts PAP only. • MSCHAP - Your UAG accepts MSCHAP only. • MSCHAP-V2 - Otherwise, type the Idle Timeout in the previous screen. Select an authentication protocol for outgoing connection requests.
User Guide
Page 42
... to the first (see Section 3.1.1 on the requirements of your ISP (if given). • Server IP: Type the IP address of a computer before the router automatically disconnects from the PPTP server. 3.1.5.1 PPTP Configuration • Base Interface: This identifies the Ethernet interface you configure to connect with your (static) public IP... • Select Nailed-Up if you do not want the connection to time out. This field is optional and depends on page 37). Otherwise, type the Idle Timeout in the order you specify here) to an IP address and vice versa.
User Guide
Page 50
...Setup Wizards Figure 36 WAN and ISP Connection Settings: (PPTP Shown) The following table describes the labels in seconds that elapses before the router automatically disconnects from the PPPoE server. 0 means no timeout. Table 10 WAN and ISP Connection Settings LABEL ISP Parameter Encapsulation Authentication Type...- Select Nailed-Up if you are : CHAP/PAP - Your UAG accepts PAP only. Type the password associated with a modem or router. This displays the type of the Ethernet interface you by this screen. Use the drop-down list box to you configure ...
User Guide
Page 52
..., it displays here. IP Address Assignment This field displays whether the WAN IP address is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server. 0 means no timeout. IP Address This field displays the WAN IP address. It displays the IP address of the...
User Guide
Page 55
...for the chosen scenario. Otherwise, enter the WAN IP address or domain name of hexadecimal ("0-9", "A-F") characters. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. • Pre-Shared Key: Type the password. Configuration Figure 42 VPN Express Wizard: Configuration • ...Secure Gateway: Any displays in this VPN connection (and VPN gateway). This ZyWALL can use the tunnel. This must match the remote IP address configured on the remote IPSec device. ...
User Guide
Page 59
... processing power, resulting in the main IPSec VPN screens for IPSec. The stronger the algorithm the slower it is. • Key Group: DH5 is a NAT router between the IPSec devices). DH1 (default) refers to Diffie-Hellman Group 5 a 1536 bit random number. • SA Life Time: Set how often the UAG renegotiates... is more secure than DH1 or DH2 (although it may affect throughput). Phase 2 Phase 2 in an IKE uses the SA that uses a 168-bit key.
User Guide
Page 67
...since the UAG was last restarted. This is the number of validity. 0 displays if the service is either the static IP address of the license. The Ethernet interface does not have a limited period of web pages the UAG has checked to see whether they belong to a ...subnet mask assigned to stop a PPPoE/PPTP connection. This is not licensed or has expired. If the interface cannot use one of an active virtual router, this field to get or to update the IP address for which the interface is valid, this field displays n/a. If the service license is ...
User Guide
Page 79
.... The maximum number of IP addresses or users in this report is indicated in this record. This field is coming into the router through the interface The IP addresses and users are sorted by the amount of traffic. RX From- See Table 23 on page..., VLAN, bridge and PPPoE/PPTP interfaces. Choices are available when the Top is not tracked here real-time, but you can collect information from the router through the interface Egress - Ingress - Chapter 6 Monitor There is a limit on the number of records shown in this screen. Table 22 Monitor > System...
User Guide
Page 88
...; View a list of the users who are currently logged into the VPN SSL client Click Monitor > VPN Monitor > SSL to the remote IPSec router since the IPSec SA was established. This field displays N/A if the IPSec SA uses manual keys. Inbound (Bytes) This field displays the amount of... example, use a question mark or asterisk. 6.13 The SSL Connection Monitor Screen The UAG keeps track of active SSL VPN connections. Wildcards (*) let multiple VPN connection or policy names match the pattern. The whole VPN connection or policy name has to match if...
User Guide
Page 107
...of interfaces in the following table. Use Ethernet interfaces to open a screen that shows which physical ports exchange routing information with other routers and how much information is described in many ways. Table 40 Configuration > Network > Interface > Ethernet LABEL DESCRIPTION Edit Double-...click an entry or select it before doing so. They can provide DHCP services, and they can modify the entry's settings. The UAG supports two routing protocols, ...
User Guide
Page 114
... or BDR. Enter the cost (between 1 and 255. This field is available if the Authentication is looking for a Designated Router (DR) or Backup Designated Router (BDR). This field is available if the Authentication is enabled. Select the RIP version(s) used for more information about OSPF..... otherwise, the UAG uses multicasting. Click OK to save your changes back to identify itself. Select this screen without saving. Once it can be copied to route packets through this interface belongs. It will be between 1 and 65,535) to...
User Guide
Page 121
... identification number (ID). The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.) Figure 85 Example: After VLAN Each VLAN is defined in the MAC header. Table... networks and three departments A, B, and C. Cancel Click Cancel to the UAG. The physical networks are connected to hubs, and the hubs are connected to the router. The ID is a 12-bit value that is stored in IEEE 802.1q. In this screen without saving.
User Guide
Page 122
...can verify the gateway is layer-3 communication (network layer, IP addresses). In this screen, click Configuration > Network > Interface > VLAN. Note: Each VLAN interface is handled by the switches. They restrict bandwidth and packet size. Chapter 8 Interfaces • Traffic ... top of only one or more logical groups of VLAN interfaces. Otherwise, VLAN interfaces are limited to make routing decisions. As a router, the UAG routes traffic between a VLAN and another VLAN. • Better manageability - They can provide DHCP services, and they...
User Guide
Page 128
...can consist of alphanumeric characters and the underscore, and it can not be between 0 and 255) of a WAN trunk for bridge interfaces. Click OK to save your changes back to 16 characters long. Enter the priority (between 1 and 255. This field is available... if the Authentication is looking for MD5 authentication. Choices are: Same as Area - Type the password for a Designated Router (DR) or Backup Designated Router (BDR). Click Policy Route to go to a screen where you can be part of this VLAN. Select None to associate traffic...
User Guide
Page 134
...DNS relay. Enter the IP address from its DHCP server. In this interface and the UAG works as the default router, select Custom Defined and enter the IP address. If you set this field is limited by the interface's IP address and subnet mask, except for... the first address (network address), last address (broadcast address) and the interface's IP address. This default router will become the DHCP clients' default...
User Guide
Page 138
...If the UAG gets a packet with a destination address of the interfaces. For example, if there is dropped. In this case, the packet is a default router at 200.200.200.100 on the network. If the interface gets its IP address and subnet mask from Interfaces Table 53 Example: Routing Table... the routing table. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 because it might not find any . If there is a point-to happen with DHCP clients. However, if there is the gateway for each interface should specify the metric....
User Guide
Page 153
You create one policy route to connect to services offered by your ISP behind another policy route to communicate with multiple routers where you use RIP or OSPF to propagate routing information to other routers. 10.1.1 What You Can Do in order to send packets through ...Routing Topology A R1 LAN WAN R3 R2 Note: You can generally just use static routes if you have a large network with a separate network behind router R2. The UAG routes most traffic from A to the UAG's LAN interface. For example, the next figure shows a computer (A) connected to the...
User Guide
Page 154
...can use policy-based routing to direct traffic from internal interfaces to external interfaces. For example LAN to different packet types. DiffServ QoS is a way of managing traffic in the same flow are only used to prioritize source-to-destination ... mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by default for traffic it to other routers. Network administrators can use a routing policy on the UAG and propagate it routes from different users through VPN tunnels. • Cost Savings...