User Guide
Page 9
Contents Overview Contents Overview User's Guide ...27 Introducing the ZyWALL ...29 Features and Applications ...37 Web Configurator ...43 Installation Setup Wizard ...59 Quick Setup ...69 Configuration Basics ...87 Tutorials... Binding ...359 Authentication Policy ...365 Firewall ...373 IPSec VPN ...391 SSL VPN ...427 SSL User Screens ...437 SSL User Application Screens 447 ZyWALL SecuExtender ...449 Bandwidth Management ...453 ADP ...467 Content Filtering ...487 Content Filter Reports ...513 Anti-Spam ...521 User/Group ...539 Addresses ...555 Services ...561 ZyWALL USG 20/20W User's Guide 9
User Guide
Page 11
... and Applications ...37 2.1 Features ...37 2.2 Applications ...39 2.2.1 VPN Connectivity ...39 2.2.2 SSL VPN Network Access 39 2.2.3 User-Aware Access Control 41 Chapter 3 Web Configurator...43 3.1 Web Configurator Requirements 43 3.2 Web Configurator Access ...43 3.3 Web Configurator Screens Overview 45 3.3.1 Title Bar ...46 3.3.2 Navigation Panel ...47 3.3.3 Main Window ...52 3.3.4 Tables and Lists ...54 ZyWALL USG 20/20W User's Guide 11
User Guide
Page 13
...6.5.8 DDNS ...98 6.5.9 NAT ...98 6.5.10 HTTP Redirect ...99 6.5.11 ALG ...100 6.5.12 Auth. Policy ...100 6.5.13 Firewall ...100 6.5.14 IPSec VPN ...101 6.5.15 SSL VPN ...101 6.5.16 Bandwidth Management 102 6.5.17 ADP ...102 6.5.18 Content Filter ...102 6.5.19 Anti-Spam ...103 6.6 Objects ...103 6.6.1 User/Group ...104... on Ethernet Interfaces 113 7.3.2 Configure the WAN Trunk 114 7.4 How to Set Up an IPSec VPN Tunnel 116 7.4.1 Set Up the VPN Gateway 117 7.4.2 Set Up the VPN Connection 118 7.4.3 Configure Security Policies for the VPN Tunnel 119 ZyWALL USG 20/20W User's Guide 13
User Guide
Page 15
Table of Contents 8.2.3 The Active Sessions Screen 173 8.2.4 The VPN Status Screen 174 8.2.5 The DHCP Table Screen 174 8.2.6 The Number of Login Users Screen 175 Chapter 9 Monitor...177 ...9.11 USB Storage Screen ...195 9.12 The IPSec Monitor Screen 196 9.12.1 Regular Expressions in Searching IPSec SAs 198 9.13 The SSL Connection Monitor Screen 198 9.14 The Content Filter Statistics Screen 200 9.15 Content Filter Cache Screen 202 9.16 The Anti-Spam Statistics ...Overview ...217 11.1.1 What You Can Do in this Chapter 217 11.1.2 What You Need to Know 218 ZyWALL USG 20/20W User's Guide 15
User Guide
Page 19
... User Login ...438 25.3 The SSL VPN User Screens 443 25.4 Bookmarking the ZyWALL 444 25.5 Logging Out of the SSL VPN User Screens 444 Chapter 26 SSL User Application Screens 447 26.1 SSL User Application Screens Overview 447 26.2... The Application Screen 447 Chapter 27 ZyWALL SecuExtender...449 27.1 The ZyWALL SecuExtender Icon 449 27.2 Statistics ...450 27.3 View Log ...451 27.4 Suspend and Resume the Connection 451 27.5 Stop the Connection ...452 ZyWALL USG 20/20W...
User Guide
Page 37
...ZyWALL USG 20/20W User's Guide 37 CHAPTER 2 Features and Applications This chapter introduces the main features and applications of this section provides more 3G (cellular) connections. High Availability To ensure the ZyWALL provides reliable, secure Internet access, set up one or more of the ZyWALL. Virtual Private Networks (VPN) Use IPSec, SSL...IP for communication. You can add interfaces and VPN tunnels to change security settings in the ZyWALL. The rest of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN, firewall, content filtering, ADP (Anomaly Detection and ...
User Guide
Page 39
..., telecommuters, and business travelers to provide secure access to your ZyWALL. You can configure the ZyWALL to provide SSL VPN network access to remote users. Chapter 2 Features and Applications 2.2 Applications These are some example applications for configuration tutorial examples. 2.2.1 VPN Connectivity Set up additional connections to the Internet to provide better service. ZyWALL USG 20/20W User's Guide 39
User Guide
Page 48
...SSL Lists users currently logged into the ZyWALL. Log Lists log entries. 3.3.2.3 Configuration Menu Use the configuration menu screens to configure the ZyWALL's features. Licensing Registration Registration Register the device and activate trial services. Service View the licensed service status and upgrade licensed services. 48 ZyWALL USG 20/20W...that have received an IP address from ZyWALL interfaces using IP/MAC binding. VPN Monitor IPSec Displays and manages the active IPSec SAs. Session Monitor Displays the status of the ZyWALL's wireless clients. Table 7 Configuration ...
User Guide
Page 49
... used to force user authentication. ALG Configure SIP, H.323, and FTP pass-through settings. ZyWALL USG 20/20W User's Guide 49 RIP Configure device-level RIP settings. OSPF Configure device-level OSPF settings, including areas and virtual links. SSL VPN Access Privilege Configure SSL VPN access rights for an installed 3G card. DDNS Profile Define and manage the...
User Guide
Page 96
...Chapter 6 Configuration Basics 6.5.2 Licensing Registration Use these screens to register your ZyWALL and subscribe to set up load balancing using two or more SSL VPN tunnels, and content filtering. Most of the ZyWALL), port triggering, 96 ZyWALL USG 20/20W User's Guide MENU ITEM(S) Configuration > Network > Interface > Trunk PREREQUISITES.... Note: When you create an interface, there is in the Interface > Port Grouping screen) WHERE USED Zones, trunks, IPSec VPN, DDNS, policy routes, static routes, HTTP redirect, NAT Example: The dmz interface is no security applied on it until you ...
User Guide
Page 97
... to set up the criteria, next-hops, and NAT settings first. Note: The ZyWALL checks the policy routes in the order that goes out from the FTP server through ...source, destination), address groups (source, destination), schedules, services, service groups PREREQUISITES Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks, interfaces NAT: addresses (translated address), services and service groups (port triggering) Example: You have to set a...the FTP traffic. You may also want to the policy route configuration screen. ZyWALL USG 20/20W User's Guide 97 If you are listed.
User Guide
Page 98
... > Network > NAT 98 ZyWALL USG 20/20W User's Guide The ZyWALL only checks regular (through-ZyWALL) firewall rules for the new zone. MENU ITEM(S) Configuration > Network > Routing > Static Route PREREQUISITES Interfaces 6.5.7 Zones See Section 6.2 on a private network behind the ZyWALL available outside the private network. MENU ITEM(S) Configuration > Network > Zone PREREQUISITES Interfaces, IPSec VPN, SSL VPN WHERE USED Firewall, remote...
User Guide
Page 101
... set to No. Make sure each rule is in the correct place in order. MENU ITEM(S) Configuration > VPN > SSL VPN Interfaces, SSL application, users, user groups, addresses (network PREREQUISITES list, IP pool for communication. MENU ITEM(S) Configuration > VPN > IPSec VPN; ZyWALL USG 20/20W User's Guide 101 Interfaces, certificates (authentication), authentication methods PREREQUISITES (extended authentication), addresses (local network, remote network...
User Guide
Page 104
..., SSL VPN 6.6.1 User/Group Use these screens to the object first. The ZyWALL provides the following table introduces the objects. ext-group-user External group user account. Table 16 Objects Overview OBJECT WHERE USED user/group See the User/Group section on page 104 for them, you have to force user authentication 104 ZyWALL USG 20/20W...
User Guide
Page 130
The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to block administrator HTTPS access from all zones except the LAN1. 1 Click Configuration > System > ... to block that access. 7.8.1 Allow HTTPS Administrator Access Only From the LAN This example configures service control to the ZyWALL. Figure 82 Configuration > System > WWW > Service Control Rule Edit 130 ZyWALL USG 20/20W User's Guide Chapter 7 Tutorials user access (logging into SSL VPN for more on service control. See Chapter 43 on page 629 for example).
User Guide
Page 132
...to log into the ZyWALL from any of how to configure NAT and the firewall to have a H.323 device on the LAN1 for VoIP calls and you want it to be able to receive peer-to-peer Calls Suppose you have the ZyWALL forward H.323 traffic destined 132 ZyWALL USG 20/20W User's Guide Here is... an example of the ZyWALL's zones (to use SSL VPN for example). 7.9 How to Allow Incoming H.323 Peer-to-peer calls from the LAN1 zone. Non-...
User Guide
Page 178
...Statistics 178 ZyWALL USG 20/20W User's Guide To access this screen to look at packet statistics for each Gigabit Ethernet port. You can also clear the log in this screen. 9.2 The Port Statistics Screen Use this screen, click Monitor > System Status > Port Statistics. Chapter 9 Monitor • Use the VPN Monitor >... IPSec screen (Section 9.12 on page 196) to display and manage active IPSec SAs. • Use the VPN Monitor > SSL screen (see how many mail sessions the ZyWALL is displayed, you can e-mail the log, and you can change the way the log is currently checking and DNSBL ...
User Guide
Page 198
... example would match. Click Monitor > VPN Monitor > SSL to specify abc, acc and so on. Inbound (Bytes) This field displays the amount of active SSL VPN connections. • Log out individual users and delete related session information. 198 ZyWALL USG 20/20W User's Guide Use this screen to do... not use "a?c" (without the quotation marks) to specify any VPN connection or policy name that has ...
User Guide
Page 199
... index number. Access This field displays the name of bytes transmitted by the ZyWALL on this connection. User This field displays the account user name used to establish this SSL VPN connection. Connected Time This field displays the time this screen. ZyWALL USG 20/20W User's Guide 199 Chapter 9 Monitor Once a user logs out, the corresponding entry...
User Guide
Page 212
... more SSL VPN tunnels. Chapter 10 Registration Subscription Services Available on the ZyWALL You can also purchase and enter a license key to have the ZyWALL use more information about these features. 10.2 The Registration Screen Use this screen to register your ZyWALL with myZyXEL....com and activate a service, such as shown next. Figure 154 Configuration > Licensing > Registration 212 ZyWALL USG 20/20W User's Guide Click Configuration > Licensing > Registration in the navigation panel...