User Guide
Page 26
Table of Contents 49.1 Overview ...725 49.1.1 What You Need To Know 725 49.2 The Shutdown Screen ...725 Chapter 50 Troubleshooting...727 50.1 Resetting the ZyWALL ...738 50.2 Getting More Troubleshooting Help 739 Chapter 51 Product Specifications ...741 51.1 Power Adaptor Specifications 745 Appendix A Log Descriptions 747 Appendix B Common Services 799 Appendix C Wireless LANs 803 Appendix D Importing Certificates 819 Appendix E Open Software Announcements 845 Appendix F Legal Information 935 Index...939 26 ZyWALL USG 20/20W User's Guide
User Guide
Page 50
... users. RADIUS-Group Create and manage groups of services. SSL Application Create SSL web application objects. 50 ZyWALL USG 20/20W User's Guide DNSBL Have the ZyWALL check e-mail against DNS Black Lists. Setting Manage default settings for all users, general settings for ... to identify legitimate e-mail. Group Create and manage groups of authenticating users. Certificate My Certificates Create and manage the ZyWALL's certificates. Filter Profile Create and manage the detailed filtering rules for content filtering policies. Service Service Create and manage ...
User Guide
Page 90
The following figure uses letters to 192.168.1.254 range. 90 ZyWALL USG 20/20W User's Guide Chapter 6 Configuration Basics 6.2.2 Default Interface and Zone Configuration This section introduces the ZyWALL's default zone member physical interfaces and the default configuration of a private IP address. The LAN1...mail and FTP) Local management • The WAN zone contains the wan1 interface (physical port P1). Figure 50 Default Network Topology Table 14 ZyWALL USG 20 Default Port, Interface, and Zone Configuration PORT INTERFACE ZONE IP ADDRESS AND DHCP SUGGESTED USE WITH SETTINGS...
User Guide
Page 95
... by default and included in the NAT table. 6.5 Feature Configuration Overview This section provides information about configuring the main features in Figure 50 on the network topology in the ZyWALL. After you create the object you configure the main screen(s) for this feature. WHERE USED These are other features to this feature... ITEM(S) This shows you configure the main screen(s) for information about any settings. See the web help or the related User's Guide chapter for this . ZyWALL USG 20/20W User's Guide 95
User Guide
Page 119
Click OK. Make sure all firewalls between the ZyWALL and remote IPSec router should set up security policies (firewall rules and so on zones. Under VPN Gateway ... the VPN connection screen's Connect icon. 7.4.3 Configure Security Policies for the remote. To trigger the VPN, either try to the IPSec_VPN zone. ZyWALL USG 20/20W User's Guide 119 Figure 69 Configuration > VPN > IPSec VPN > VPN Connection > Add 5 Now set up the VPN settings on the...site and the VPN gateway (VPN_GW_EXAMPLE). If you should also allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP).
User Guide
Page 223
...does not have an IP address yet. IP addresses are always static in dot decimal notation. For example, if you change . Table 50 Configuration > Network > Interface > Ethernet LABEL DESCRIPTION Edit Remove Activate Inactivate Double-click an entry or select it and click Edit to open...Ethernet Edit The Ethernet Edit screen lets you can create a virtual Ethernet interface, select an Ethernet interface and click Create Virtual Interface. ZyWALL USG 20/20W User's Guide 223 See Section 11.3.2 on an interface, select it is a static IP address (STATIC) or dynamically assigned (DHCP)....
User Guide
Page 287
...IP address and subnet mask. Table 75 Example: Assigning IP Addresses from a Pool START IP ADDRESS POOL SIZE RANGE OF ASSIGNED IP ADDRESS 50.50.50.33 5 50.50.50.33 - 50.50.50.37 75.75.75.1 200 75.75.75.1 - 75.75.75.200 99.99.1.1 1023 99.99.1.1 - 99.99.4.255 120....computer names. It stores a mapping table of NetBIOS Name Server (NBNS) on Windows. In this way WINS is 253. • Subnet mask - ZyWALL USG 20/20W User's Guide 287 See IP Address Assignment on page 284. • Gateway - WINS WINS (Windows Internet Naming Service) is dynamically updated for the ...
User Guide
Page 451
...Documents and Settings\11746\rasphone.pbk [ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.log [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Check Parameters [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Connect to 172.23.31.19:443/...the system tray and select Log to open a notepad file of the ZyWALL SecuExtender's log. Right-click the ZyWALL SecuExtender icon in the system tray is green, you to keep the SSL VPN tunnel ZyWALL USG 20/20W User's Guide 451 Received This is how many bytes and packets the computer...
User Guide
Page 458
...: 50 Mbps Inbound: 50 Mbps Priority: 4 No Max. The ZyWALL applies this limit before sending the traffic to the WAN. • Inbound traffic (to the LAN and DMZ from the LAN and DMZ) is limited to 200 kbps. U. U. B. The ZyWALL applies this limit before sending the traffic to LAN or DMZ. 458 ZyWALL USG 20/20W User...
User Guide
Page 460
... usage since you do not want to give FTP more bandwidth. Figure 285 FTP LAN to DMZ Bandwidth Management Example BWM Inbound: 50 Mbps BWM Outbound: 50 Mbps 460 ZyWALL USG 20/20W User's Guide Chapter 28 Bandwidth Management 28.1.3.5 FTP WAN to DMZ Bandwidth Management Example • ADSL supports more downstream than upstream so...
User Guide
Page 723
See also Section 1.5 on page 34 for example, if the device begins behaving erratically). Otherwise, the changes are lost when you reboot. ZyWALL USG 20/20W User's Guide 723 CHAPTER 48 Reboot 48.1 Overview Use this screen, click Maintenance > Reboot. If you made changes in the Web configurator, ...You Need To Know If you applied changes in the CLI, however, you reboot. Reboot is different to reset; (see Section 50.1 on different ways to restart the ZyWALL. Wait a few minutes until the login screen appears. You can restart the device. If the login screen does not appear, ...
User Guide
Page 727
...page 207). Cannot access the ZyWALL from the LAN. • Check the cable connection between the ZyWALL and your User's Guide for about 5 seconds (or until the PWR LED starts to blink), then release it. ZyWALL USG 20/20W User's Guide 727 CHAPTER 50 Troubleshooting This chapter offers some ...suggestions to solve problems you have the power cord connected to the ZyWALL and plugged in for details). For the order in which the...
User Guide
Page 728
...rule I cannot access the Internet. • Check the ZyWALL's connection to the CONSOLE port using a console cable. So make sure that the license is not expired. Chapter 50 Troubleshooting • If you've forgotten the ZyWALL's IP address, you can use the commands through the ...console port to check it to a zone. Connect your ZyWALL has the content filter category service registered and that you enter the correct settings. I configured. 728 ZyWALL USG 20/20W User...
User Guide
Page 729
... no -where near the rates I cannot set up a PPP interface. For example, if you create a PPPoE or PPTP interface. Chapter 50 Troubleshooting The ZyWALL checks the firewall rules in the order that they are no longer work. I cannot enter the interface name I cannot set up a PPP... an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on an Ethernet interface. ZyWALL USG 20/20W User's Guide 729 You have changed. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum...
User Guide
Page 730
... use a different re-authentication timer setting. If a RADIUS server authenticates wireless stations, the re-authentication timer on . Chapter 50 Troubleshooting The actual cellular data rate you obtain varies depending on the cellular device you need to the service provider's base station... a compatible 3G device installed or connected. Each VLAN interface is not applying an interface's configured ingress bandwidth limit. 730 ZyWALL USG 20/20W User's Guide The wireless security is recommended. See Chapter 51 on different subnets. WPA2 or WPA2-PSK is not following the...
User Guide
Page 731
... profile to Internal or External. For example LAN to allow an incoming service. ZyWALL USG 20/20W User's Guide 731 You can also configure a policy route to General. The ZyWALL routes and applies SNAT for an interface with the Interface Type set to override the...signature file and now all custom signatures on the ZyWALL are not named 'custom.rules'. The ZyWALL's performance seems slower after configuring ADP. The ZyWALL is 'custom.rules'. You must have a public WAN IP address to external interfaces. Chapter 50 Troubleshooting At the time of my earlier custom signatures...
User Guide
Page 732
... and slowly. I cannot create a second HTTP redirect rule for both ZyXEL IPSec routers and check the settings in each (incoming) interface. This causes the ZyWALL to reset the connection, as the ZyWALL's LAN IP address, return traffic may not determine the proper IP address... the LAN without passing through the ZyWALL. Log into both routers side-by-side. 732 ZyWALL USG 20/20W User's Guide I cannot set the ZyWALL's firewall to permit the use virtual interfaces to display the settings for an incoming interface. Chapter 50 Troubleshooting • Make sure you have...
User Guide
Page 733
...IKE uses UDP port 500, AH uses IP protocol 51, and ESP uses IP protocol 50. • The ZyWALL supports UDP port 500 and UDP port 4500 for each VPN tunnel. The old route ... To test whether or not a tunnel is also helpful to have NAT traversal enabled. • The ZyWALL and remote IPSec router must use the same authentication method to establish the IKE SA. • Both routers... VPN traffic to which traffic may be routed. See also Chapter 23 on the zone to the ZyWALL. ZyWALL USG 20/20W User's Guide 733 If you enable NAT traversal, the remote IPSec device must use the same SPI...
User Guide
Page 734
...less. Chapter 50 Troubleshooting • If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are sending traffic elsewhere instead of through the VPN tunnels. The trusted certificate can no longer access the Internet. 734 ZyWALL USG 20/20W User's ...Guide The logo graphic must have the ZyWALL and remote IPSec router use a resolution of 127 x 57 pixels to see some of the resource links. ...
User Guide
Page 735
... the ext-user user accounts I configured. An external server such as AD, LDAP or RADIUS must authenticate the ext-user accounts. ZyWALL USG 20/20W User's Guide 735 The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 37 on an... attempt will always fail. (This is not being applied at the configured times. Chapter 50 Troubleshooting The ZyWALL automatically updates address objects based on page 573 for your LAN that are correct. If the ZyWALL tries to use the local database to a user group with access users.