User Guide
Page 7
Document Conventions
Icons Used in Figures
Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router
ZyWALL USG 100/200 Series User's Guide 7
User Guide
Page 9
Contents Overview
User's Guide ... 31
Introducing the ZyWALL ... 33
Features and Applications ... 39
Web Configurator ... 47
Installation Setup Wizard ... 63
Quick Setup ... 73
Configuration Basics ... 91
Tutorials ... 115
L2TP VPN Example ...
ALG ... 431
IP/MAC Binding ... 439
Authentication Policy ... 445
Firewall ... 453
IPSec VPN ... 471
SSL VPN ... 511
SSL User Screens ... 525
SSL User Application Screens ... 535
SSL User File Sharing ... 537
ZyWALL SecuExtender ... 545
L2TP VPN ... 549
Application Patrol ... 553
Anti-Virus ... 579
IDP ... 595
ADP ... 629
User Guide
Page 13
6.4 Packet Flow ... 97
6.4.1 ZLD 2.20 Packet Flow Enhancements ... 97
6.4.2 Routing Table Checking Flow Enhancements ... 98
6.4.3 NAT Table Checking Flow ... 99
6.5 ...
... Policy ... 106
6.5.14 Firewall ... 106
6.5.15 IPSec VPN ... 107
6.5.16 SSL VPN ... 107
6.5.17 L2TP VPN ... 108
6.5.18 Application Patrol ... 108
... HA ... 110
6.6 Objects ... 111
6.6.1 User/Group ... 111
6.7 System ... 112
6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in ...
... the ZyWALL ... 95
7 Tutorials ... 115
7.1 How to Configure Interfaces, Port Roles, and Zones ... 115
7.1.1 Configure a WAN Ethernet Interface ... 116
User Guide
Page 14
... 148
7.7.3 Set Up User Authentication Using the RADIUS Server ... 148
7.7.4 Web Surfing Policies With Bandwidth Restrictions ... 150
7.7.5 Set Up MSN Policies ... 153
7.7.6 Set Up Firewall Rules ... 154
7.8 How to Use a RADIUS Server to Authenticate User Accounts based on Groups ... 155
7.9 How to Use Endpoint Security and Authentication Policies ... 157
7.9.1 ...
... On the ALG ... 172
7.13.2 Create the Address Objects ... 172
7.13.3 Set Up a NAT Policy for the IPPBX ... 173
7.13.4 Set Up a WAN to DMZ Firewall Rule for SIP ... 174
7.13.5 Set Up a DMZ to LAN Firewall Rule for SIP ... 175
User Guide
Page 19
...1.2 What You Need to Know ... 446
23.2 Authentication Policy Screen ... 446
23.2.1 Creating/Editing an Authentication Policy ... 449
Chapter 24 Firewall ... 453
24.1 Overview ... 453
24.1.1 What You Can Do in this Chapter ... 453
24.1.2 What You Need to Know ... 454
24.1.3 Firewall Rule Example Applications ... 456
User Guide
Page 20
Table of Contents
24.1.4 Firewall Rule Configuration Example ... 459
24.2 The Firewall Screen ... 461
24.2.1 Configuring the Firewall Screen ... 462
24.2.2 The Firewall Add/Edit Screen ... 465
24.3 The Session Limit Screen ... 466
24.3.1 The Session Limit Add/Edit Screen ... 468
Chapter 25 IPSec VPN ... 471
25.1 IPSec ...
27.1 Overview ... 525
27.1.1 What You Need to Know ... 525
27.2 Remote User Login ... 526
27.3 The SSL VPN User Screens ... 531
27.4 Bookmarking the ZyWALL ... 532
27.5 Logging Out of the SSL VPN User Screens ... 532
User Guide
Page 33
...introduces the management methods, and lists different ways to add an IEEE 802.11b/g-compliant wireless LAN. The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and ...

...can set up multiple networks for reliable, secure service. Configure the ZyWALL USG 200's OPT Gigabit Ethernet port as a transparent firewall in an existing network with the reliability of the ZyWALL.

It also provides bandwidth management, Instant Messaging ...
User Guide
Page 39
...ports and configure load balancing between two sites over the Internet or any insecure network that uses TCP/IP for communication.

Flexible Security Zones
Many security settings are made by zone, not by interface, port, or...

...and to provide secure communication between these ports. • One or more information about the features of the ZyWALL.

2.1 Features
The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and ...
User Guide
Page 40
...mail, Voice-over-IP (VoIP), video conferencing and other business-critical applications. For example, traffic from a pre-defined list.

You can detect: • Anomalies based on page 606 for a list of the organization. Anomaly Detection and ...• Abnormal flows such as pornography or racial intolerance, from one zone is not allowed unless it is a stateful inspection firewall.

Intrusion Detection and Prevention (IDP)
IDP (Intrusion Detection and Protection) can detect malicious or suspicious packets and respond instantaneously. ...
User Guide
Page 53
... device-level OSPF settings, including areas and virtual links.
PPP: Create and manage PPPoE and PPTP interfaces.
Firewall > Firewall: Create and manage level-3 traffic rules.
VLAN: Create and manage VLAN interfaces and virtual VLAN interfaces.
Zone ...Configure zones used to set the ZyWALL's flexible ports as LAN1, WLAN, or DMZ.
NAT: Set up and manage ...
User Guide
Page 58
... identifies the configuration item that can appear in this field lists the referencing configuration item's position in this case the first firewall rule). Figure 18 Object Reference The fields vary with any entry. The following example shows which the configuration settings that references...the main window. The following table describes labels that references the object. Click the object's name to close the screen. Refresh Click this screen. Click a service's name to update the information in this to display the service's ...
User Guide
Page 62
... an entry, select it and click Remove. Move To change an entry's position in order like the firewall for example), you can also use the [Shift] or [Ctrl] key to select multiple entries, and... Configurator Here are moving becomes number 6 and the previous entry 6 (if there is important (features where the ZyWALL applies the table's entries in a numbered list, select it and click Move to display a field to type ... tables small red triangles display for table entries with Lists The ZyWALL confirms you can modify the entry's settings.
User Guide
Page 91
... when you are just getting started. You can have firewall, application patrol, content filter, and other settings use these You use it. For example, if you create a schedule object, you can reuse it as objects. The ZyWALL automatically updates every rule or setting that uses these objects...
User Guide
Page 93
...VPN, zones, trunks, device HA, DDNS, policy routes, static routes, HTTP redirect, and NAT. In addition to being used as firewall, IDP, remote management, antivirus, and application patrol. Interfaces (Ethernet, VLAN, ...) Interfaces are created when you use interfaces and zones in ...in various features, interfaces also describe the network that (layer-3) packets pass through. The auxiliary interface controls the AUX port. You also configure RIP and OSPF in these interfaces. • Port groups create a hardware connection between...
User Guide
Page 98
...first by enabling the policy route feature's Use Policy Route to the other checks, for example the firewall check. Figure 58 Routing Table Checking Flow Enhancements 1 Direct-connected Subnets: The ZyWALL first checks to bottom. You can override this and have their own category. As soon as one... checking the packets against the routing table and moves on to Override Direct Route option (see Section 15.1 on page 377). Then it defragments them. Chapter 6 Configuration Basics • You do not need to set up policy routes for 1:1 NAT ...
User Guide
Page 104
...6.5.8 Zones See Section 6.2 on a private network behind the ZyWALL available outside the private network.
MENU ITEM(S): Configuration > Network > Zone
PREREQUISITES: Interfaces, IPSec VPN, SSL VPN
WHERE USED: Firewall, IDP, remote management, anti-virus, ADP, application patrol
...DNS maps a domain name to at most one zone. Zones cannot overlap. When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for background information.
Chapter 6 Configuration Basics 6.5.7 Static Routes...
User Guide
Page 105
..., select Port. 7 Enter 21 in through -ZyWALL) firewall rules. The ZyWALL does not check to access that are redirected by HTTP redirect.
MENU ITEM(S): Configuration > Network > HTTP Redirect
PREREQUISITES: Interfaces
Example: Suppose you have the ZyWALL transparently forward HTTP (web) traffic to configure the NAT entry.
MENU ITEM(S): Configuration...
User Guide
Page 106
... policies before they can also configure the firewall to control traffic for remote management. Configure to-ZyWALL firewall rules for NAT (DNAT) and policy routes (SNAT).
MENU ITEM(S): Configuration > Firewall
PREREQUISITES: Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups
Chapter 6 Configuration Basics...
User Guide
Page 107
... zones, L2TP VPN Example: See Chapter 7 on the LAN can also use the Quick Setup VPN Setup wizard. Note: The ZyWALL checks the firewall rules in the sequence. 6.5.15 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any ... > VPN > IPSec VPN; you have a SIP proxy server connected to -ZyWALL firewall, firewall You could configure a firewall rule to allow VoIP sessions from the DMZ zone to the LAN1 zone, and add a firewall rule using the items you can receive calls. 1 Create a VoIP service object...
User Guide
Page 925
Chapter 57 Product Specifications
Table 266 ZyWALL USG 200 Feature Specifications (continued)
FEATURE | VERSION # V2.12 | VERSION # V2.20
New Session Rate (sessions per second) | 1400 | 1400
FIREWALL
Firewall ACL Rules | 1000 | 1000
Maximum Session Limit per Host Rules | 1000 | 1000
APPLICATION PATROL
Maximum Rules for Other Protocols | 24 | 24
Maximum Rules for Each Protocol | 24 | 24
Allowed ...
Trunks (user created) | NA | ...
IPSEC VPN ...
V2.20 column values beyond the rows listed above: 8 8 192 5 64 192 500 100 128 500 100 128 64 16 4 2 4 2 2 4 4 8 16 1 8