User Guide
Page 9
Contents Overview
User's Guide ... 27
Introducing the ZyWALL ... 29
Features and Applications ... 37
Web Configurator ... 43
Installation Setup Wizard ... 59
Quick Setup ... 69
Configuration Basics ... 87
Tutorials ... 107
Technical Reference ... 163
Dashboard ... 165
Monitor ... 177
...
IPSec VPN ... 391
SSL VPN ... 427
SSL User Screens ... 437
SSL User Application Screens ... 447
ZyWALL SecuExtender ... 449
Bandwidth Management ... 453
ADP ... 467
Content Filtering ... 487
Content Filter Reports ... 513
Anti-Spam ... 521
User/Group ... 539
Addresses ... 555
Services ... 561
ZyWALL USG 20/20W User's...
User Guide
Page 12
...
5.2.5 Quick Setup Interface Wizard: Summary ... 74
5.3 VPN Quick Setup ... 75
5.4 VPN Setup Wizard: Wizard Type ... 76
5.5 VPN Express Wizard - Finish ... 80
5.5.4 VPN Advanced Wizard ...
VPN Advanced Wizard - Finish ... 86
Chapter 6 Configuration Basics ... 87
6.1 Object-based Configuration ... 87
6.2 Zones, Interfaces, and Physical Ports ... 88
6.2.1 Interface Types ... 89
6.2.2 Default Interface and Zone Configuration ... 90
6.3 Terminology in the ZyWALL ... 91
6.4 Packet Flow ... 91
6.4.1 Routing Table Checking Flow ... 92
6.4.2 NAT Table Checking Flow ... 94
6.5 Feature Configuration Overview ... 95
User Guide
Page 48
... the status of the ZyWALL's wireless clients.
WLAN Status (For USG 20W only)
Displays the connection status of all current sessions. You can also log out individual users and delete related session information.
Table 7 Configuration Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
Quick Setup | | Quickly configure WAN interfaces or VPN connections.
Login Users | Lists...
User Guide
Page 61
... uses a service name ...
... to an IP address and vice versa.
Options are: ...
The DNS server is extremely important because without it ....
Select an authentication protocol ...
... for VPN, DDNS and the time server.
Figure 26 Internet Access: PPPoE Encapsulation
4.1.3.1 ISP... Parameters
• Type the PPPoE Service Name from your ...
... (static) public IP address.
Leave the field as 0.0.0.0 if you do not want to ...
... 64 characters long.
• Authentication Type - ...
Chapter 4 Installation Setup...
User Guide
Page 62
... address and vice versa. The DNS server is extremely important because without it ....
Otherwise, type the Idle Timeout ...
... in the order you selected ...
... static IP address ...
... VPN, DDNS and the time server. The ZyWALL uses these ...
... (in seconds ...
... that will connect with the user name. ...
If you do not configure a DNS server, ...
... you do not want the connection to ...
... 64 ASCII characters except the [] and ?.
Your ZyWALL ... accepts either CHAP or PAP when requested by ...
... your (static) public IP address.
Chapter 4 Installation Setup Wizard
• CHAP/PAP -
User Guide
Page 64
... and "n:name" format.
The Domain Name System (DNS) maps a domain name ...
... to resolve domain names for VPN, DDNS and the time server.
The DNS server is ...
... the security zone ...
... to configure DNS servers.
This field is ...
... the connection type ...
... on the requirements of the PPTP server.
• ... ISP (if given).
• Server IP: Type the IP address of your broadband modem or router.
... For example, C:12 or N:My ISP.
Chapter 4 Installation Setup Wizard
• Select Nailed-Up if you do not want the connection to ...
... you by your ISP.
• Type the IP Subnet Mask assigned to...
User Guide
Page 69
... Web Configurator.
This chapter provides information on ...
... page 76.
See Section 5.2 on page 70.
• VPN SETUP Use VPN SETUP to ...
... another computer or network.
In the Web Configurator, click Configuration > Quick Setup to open ...
... a wizard to ...
... open the first Quick Setup screen.
This wizard creates matching ISP account settings in this...
User Guide
Page 74
... It displays the IP address of a machine ...
... in order to resolve domain names for VPN, DDNS and the time server.
Click Next ...
... to the previous screen.
Leave the field as 0.0.0.0 if...
... IP address of a computer before ...
... you must know the IP address of the PPTP server.
Back | Next
DNS (Domain Name System) is ...
... read-only and only appears ...
... for mapping ... a PPPoE interface.
The DNS server is extremely important because without it ....
Chapter 5 Quick Setup
Table 11 WAN and ISP Connection Settings (continued)
LABEL | DESCRIPTION
First DNS Server / Second DNS Server | These ...
User Guide
Page 75
... the connection will belong.
Yes means the ZyWALL uses the idle timeout.
If the IP Address Assignment is ...
... how many seconds the connection can ...
... use later in ...
... the main Quick Setup screen to open the VPN Setup Wizard Welcome screen.
This is ...
... Static, these...
... wizard.
5.3 VPN Quick Setup
Click VPN Setup in ...
... configuring more VPN connections or other features.
The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you ...
... by your ISP. Click Next.
Figure 38 VPN Quick Setup Wizard
Chapter 5 Quick Setup
Table 12 ...
User Guide
Page 76
... device.
The VPN connection can be to another computer or network.
Use this wizard to configure ...
Advanced: Use this ...
... screen to select which type of VPN connection you want to configure ...
... detailed VPN security settings ...
... such as using a pre-shared key and default security settings.
Chapter 5 Quick Setup
5.4 VPN Setup Wizard: Wizard...
User Guide
Page 77
• Site-to-site - Choose this ...
... allow incoming connections from IPSec VPN clients.
This ZyWALL can initiate the VPN tunnel.
This ZyWALL ...
... is case-sensitive.
Choose this to ...
... VPN connection (and VPN gateway).
Figure 40 VPN Express Wizard: Step 2
Rule Name: Type the ...
... are also known as ...
... shown in ...
... user) and can initiate the VPN tunnel.
• Site-to-site with Dynamic Peer - ...
Chapter 5 Quick Setup
5.5 VPN Express Wizard - ...
Select the scenario that best describes your intended VPN connection.
Choose this if the remote IPSec device has a dynamic ...
User Guide
Page 78
... IPSec router has a dynamic WAN IP address.
• Pre-Shared Key: Type the password. ...
... This must ...
... use the same password.
Configuration
Figure 41 VPN Express Wizard: Step 3
• Secure Gateway: If Any displays in this field ...
... is not used on both ends.
• Local Policy (IP/Mask...
If this field ..., it is not configurable for the chosen scenario.
Precede a hexadecimal key with "0x".
You can also specify a subnet.
Chapter 5 Quick Setup
5.5.1 VPN Express Wizard - ...
This must match the remote IP address configured on the remote IPSec device.
User Guide
Page 79
See the commands reference guide for ...
Secure Gateway ...
... commands into another ZLD-based ZyWALL's command line interface to run the script ...
... in this field displays Any, only the remote IPSec device can initiate the VPN... connection.
• Copy and paste the Configuration ...
... for details on ...
... the network behind your ZyWALL that can initiate the VPN connection.
• Pre-Shared Key: VPN tunnel password.
Chapter 5 Quick Setup
5.5.2 VPN...
User Guide
Page 80
Chapter 5 Quick Setup
5.5.3 VPN Express Wizard - Finish
Figure 43 VPN Express Wizard: Step 6
Now you ... use the VPN tunnel.
Note: If you have not already done so, ... can use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter.
Click Close to exit the wizard.
User Guide
Page 81
... Choose this if the remote IPSec device has a dynamic IP address. ...
... Only the clients can initiate the VPN tunnel.
• Site-to-site with Dynamic Peer - ...
... display the following screen.
Scenario
Click the Advanced radio button ...
... as dial-in ...
... Figure 39 on the left of the...
... from IPSec VPN clients. Only the remote IPSec device can initiate the VPN tunnel.
• Remote Access (Server Role) - Choose this if the remote IPSec device has a static IP address or a domain name.
The figure on page 76 to ...
Chapter 5 Quick Setup
5.5.4 VPN Advanced Wizard ...
User Guide
Page 82
... the remote IPSec device (secure gateway) ...
... to use on ...
... DES ...
Note: Multiple SAs connecting through a secure gateway must ...
... know the same secret key, which ...
... can initiate the VPN tunnel.
5.5.5 VPN Advanced Wizard - ...
Triple DES (3DES) is ...
... the client (dial-in...
... phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).
The DES encryption algorithm uses a 56-bit key.
This ZyWALL is ...
... a variation on ...
... your ZyWALL.
• Negotiation Mode: Select Main for ...
... the chosen scenario.
Chapter 5 Quick Setup
• Remote Access (Client Role) -
User Guide
Page 83
... It also requires ...
... more secure than MD5, but ...
... renegotiation temporarily disconnects the VPN tunnel.
• NAT Traversal: Select this if the VPN tunnel must ...
... also have NAT traversal enabled.
Figure 46 VPN Advanced Wizard: Step 4
Chapter 5 Quick Setup
... that was established in ...
... increased latency and decreased throughput. As a result, 3DES...
User Guide
Page 84
... address configured on your network.
A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
• Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is ...
... more secure, yet slower).
• Local Policy (IP/Mask): Type the IP address...
... algorithms used to ...
... Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to ...
... have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.
DH5 refers to Diffie-Hellman Group 5 a 1536 bit random number (more secure ...
User Guide
Page 85
Chapter 5 Quick Setup
5.5.7 VPN Advanced Wizard - ...
Figure 47 VPN Advanced Wizard: Step 5
• Rule Name: Identifies the VPN connection (and the VPN gateway).
• Secure Gateway: IP address or domain name of the remote IPSec device.
• Pre-Shared Key: VPN tunnel password.
• Certificate: The certificate the ZyWALL uses to identify itself when...
User Guide
Page 101
... Leave the Access field set to Allow and the Log field set to No.
Note: The ZyWALL checks the firewall rules in the sequence.
6.5.14 IPSec VPN
Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP...
... the DMZ zone to the LAN1 zone, and add a firewall rule using the items ...
... you can also use the Quick Setup VPN Setup wizard.
PREREQUISITES: Interfaces, certificates (authentication), authentication methods (extended authentication), addresses (local network, remote network, NAT), to...