User Guide
Page 7
Document Conventions
Icons Used in Figures
Figures in this User's Guide may use the following generic icons: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router. The ZyWALL icon is not an exact representation of your device.
ZyWALL USG 20/20W User's Guide 7
Page 9
Contents Overview
User's Guide ... 27
Introducing the ZyWALL ... 29
Features and Applications ... 37
Web Configurator ... 43
Installation Setup Wizard ... 59
Quick Setup ... 69
Configuration Basics ... 87
Tutorials ... 107
Technical...
Authentication Policy ... 365
Firewall ... 373
IPSec VPN ... 391
SSL VPN ... 427
SSL User Screens ... 437
SSL User Application Screens ... 447
ZyWALL SecuExtender ... 449
Bandwidth Management ... 453
ADP ... 467
Content Filtering ... 487
Content Filter Reports ... 513
Anti-Spam ... 521
User/Group ... 539
Addresses ... 555
Services ... 561
Page 13
... 96
6.5.5 Policy Routes ... 96
6.5.6 Static Routes ... 98
6.5.7 Zones ... 98
6.5.8 DDNS ... 98
6.5.9 NAT ... 98
6.5.10 HTTP Redirect ... 99
6.5.11 ALG ... 100
6.5.12 Auth. Policy ... 100
6.5.13 Firewall ... 100
6.5.14 IPSec VPN ... 101
6.5.15 SSL VPN ... 101
6.5.16 Bandwidth Management ... 102
6.5.17 ADP ... 102
6.5.18 Content Filter ... 102
6.5.19 Anti-Spam ... 103
6.6 Objects ...
... an IPSec VPN Tunnel ... 116
7.4.1 Set Up the VPN Gateway ... 117
7.4.2 Set Up the VPN Connection ... 118
7.4.3 Configure Security Policies for the VPN Tunnel ... 119
Page 14
... Peer-to-peer Calls ... 132
7.9.1 Turn On the ALG ... 133
7.9.2 Set Up a NAT Policy For H.323 ... 133
7.9.3 Set Up a Firewall Rule For H.323 ... 135
7.10 How to Allow Public Access to a Web Server ... 136
7.10.1 Create the Address Objects ... 137
7.10.2 ... Configure NAT ... 137
7.10.3 Set Up a Firewall Rule ... 138
7.11 How to Use an IPPBX on the DMZ ... 139
7.11.1 Turn On the ALG ... 141
7.11.2 Create the ...
... 165
8.2 The Dashboard Screen ... 165
8.2.1 The CPU Usage Screen ... 171
8.2.2 The Memory Usage Screen ... 172
Page 18
... 21.1.2 What You Need to Know ... 366
21.2 Authentication Policy Screen ... 366
21.2.1 Creating/Editing an Authentication Policy ... 369
Chapter 22 Firewall ... 373
22.1 Overview ... 373
22.1.1 What You Can Do in this Chapter ... 373
22.1.2 What You Need to Know ... 374
22.1.3 Firewall Rule Example Applications ... 376
22.1.4 Firewall Rule Configuration Example ... 379
22.2 The Firewall Screen ... 381
22.2.1 Configuring the Firewall Screen ... 382
22.2.2 The Firewall Add/Edit Screen ... 385
22.3 The Session Limit Screen ... 386
22.3.1 The Session Limit Add/Edit Screen ... 388
Chapter 23 IPSec VPN ... 391
Page 29
... providing separate ports for the LAN1, WLAN, or DMZ. ... a more detailed overview ... Flexible configuration lets you deploy the ZyWALL as a transparent firewall in an existing network, with the reliability of the ZyWALL. The ZyWALL lets you set up the network and enforce security policies efficiently. You can also ...
Page 38
Chapter 2 Features and Applications
Firewall
The ZyWALL's firewall is a stateful inspection firewall. It screens data packets against defined access rules and can also inspect sessions; traffic ... is not allowed unless ... Use the firewall to ... defined policies.
ADP
The ZyWALL's ADP protects against network-based ... such as port scans.
... to better handle applications ...
Anti-Spam
The anti-spam feature ... spam e-mail. Use the black list to ... and the white list to ... You can also subscribe to ... addresses that are suspected of being used by spammers.
Content Filtering
... category-based content filtering ...
Page 49
WLAN (For USG 20W only): ...
Bridge: ...
VLAN: Create and manage VLAN interfaces and virtual VLAN interfaces.
Cellular: ... a cellular Internet connection for an installed 3G card.
Trunk: ... for load balancing and ...
Policy: Define rules ... to all connections.
VPN Gateway: Configure IKE tunnels.
Firewall: Create and ...
Session Limit: Limit the number of concurrent client NAT/firewall sessions.
IP/MAC Binding: ... IP addresses to MAC address bindings ...
Exempt List: Configure ranges of IP addresses to which the ZyWALL does not apply IP/MAC binding.
User/Group: Configure settings for users and groups.
Page 53
Chapter 3 Web Configurator
3.3.3.2 Site Map
Click Site Map to see ... links to the Web Configurator screens. Click a screen's link to go to that screen.
... Object Reference
Click ... to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule).
Figure 14 Object Reference
Page 57
Chapter 3 Web Configurator
3.3.4.2 Working with Table Entries
The tables have icons for working with table entries. ... In some tables you can select an entry and click Add to ... In some lists, where order matters (like the firewall rule list), select an entry, type the number of the position you want it in, and press [ENTER] to move it to the number that you typed. ... The ZyWALL confirms that you want to ... that entry. ...
Edit: Double-click an entry or select it and click Edit ...
Activate: ... click Activate ...
... changes that you have not yet applied.
Page 87
6.1 Object-based Configuration
The ZyWALL stores information or settings as objects. You might have firewall, content filter, and other settings use these objects. When you change an object's settings, the ZyWALL automatically updates every rule or setting that uses the object; for example, if you create a schedule object and later change it, the features that use it pick up the change. You can also create address objects based on an interface's IP address settings; the ZyWALL updates these objects whenever the interface's IP address settings change. ... Section ... on page 95 identifies the features you should configure ... before and after you ... When you are just getting started, you might also have to configure a trunk for system management.
Page 88
Chapter 6 Configuration Basics
... the interface-based, LAN subnet address object. If you change an Ethernet interface's IP address, the ZyWALL automatically updates the rules or settings that use this object. Use interfaces in configuring other features ... physical ports when configuring port groups ... that (layer-3) packets pass through. You use the Configuration > Objects screens to create objects, and then apply them in security settings such as the firewall and remote management. ... which configuration settings reference specific objects. For a list of common objects, see ...
Page 92
Chapter 6 Configuration Basics
... The ZyWALL automatically adds a policy route for traffic going from ... to the default WAN trunk (all LAN to WAN traffic). External interfaces include ppp and cellular interfaces as well as any Ethernet interfaces that are set as external interfaces. ... Examples of public IP addresses ...
6.4.1 Routing Table Checking
The ZyWALL checks packets in this order: ... > Defragmentation > Destination NAT > Routing > Stateful Firewall > ADP > Application Classification ... Traffic in one ... as soon as the packets match an entry in ... Static and dynamic routes have their own category.
Page 93
... page 340 for more ...
Figure 52 Routing Table Checking Flow
1 Direct-connected Subnets: The ZyWALL first checks whether the destination is in a directly connected subnet (see Section 13.1 on page 297).
2 Policy Routes: These are checked next ... for example, before the firewall check. ...
If a private network server will initiate sessions to outside clients, configure policy routes to send the packets through the appropriate interface or VPN tunnel. By default the source address is translated to the outgoing interface's address; you can override this and have the ZyWALL translate the source IP address of the server's outgoing traffic to the same public IP address that outside clients use to reach the server ... of public IP addresses.
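The routing-table checking flow above, and the "Destination NAT before Routing" order from the packet-flow list on the previous page, as an added example. This is illustrative Python written for this page, not ZyWALL code or the manual's own text; the interface names, subnets, DNAT entry, policy route and static route are constructed, and the assumption that static routes are consulted after policy routes and before the default WAN trunk (the page only says they "have their own category") is an assumption of the example.

```python
"""Added example (not ZyWALL code): destination NAT, then the routing-table
checking order from Figure 52 (direct-connected subnets, policy routes, static
routes, default WAN trunk), then the source-NAT override for a published server.
Every interface, subnet, rule and address below is constructed for the example."""
from ipaddress import ip_address, ip_network

# Constructed interfaces: name -> zone, subnet, the interface's own address, external flag.
INTERFACES = {
    "lan1": {"zone": "LAN1", "subnet": ip_network("192.168.1.0/24"), "ip": ip_address("192.168.1.1"), "external": False},
    "dmz":  {"zone": "DMZ",  "subnet": ip_network("192.168.3.0/24"), "ip": ip_address("192.168.3.1"), "external": False},
    "wan1": {"zone": "WAN",  "subnet": ip_network("203.0.113.0/29"), "ip": ip_address("203.0.113.1"), "external": True},
    "wan2": {"zone": "WAN",  "subnet": ip_network("198.51.100.0/29"), "ip": ip_address("198.51.100.1"), "external": True},
}
# The automatic LAN-to-WAN route sends everything unmatched to the default WAN trunk;
# the trunk's first member is used here (real load balancing is out of scope).
DEFAULT_WAN_TRUNK = ["wan1", "wan2"]

# Destination NAT entries, checked before routing: (public IP, port) -> (private IP, port).
DNAT = {(ip_address("203.0.113.2"), 80): (ip_address("192.168.3.10"), 80)}

# Policy routes: searched in table order, first match wins. The second entry
# models the override on this page: a published server's outgoing traffic keeps
# the public address clients use for it rather than the WAN interface address.
POLICY_ROUTES = [
    {"src": ip_network("192.168.1.0/24"), "dst": ip_network("10.8.0.0/16"),
     "next_hop": "vpn-to-branch", "snat": None},
    {"src": ip_network("192.168.3.10/32"), "dst": ip_network("0.0.0.0/0"),
     "next_hop": "wan1", "snat": ip_address("203.0.113.2")},
]
# Static routes: prefix -> outgoing interface; longest prefix wins within the category.
STATIC_ROUTES = {ip_network("172.16.0.0/12"): "dmz"}


def apply_dnat(dst_ip, dst_port):
    """Destination NAT runs before the route lookup, so the lookup sees the private address."""
    return DNAT.get((dst_ip, dst_port), (dst_ip, dst_port))


def lookup_route(src_ip, dst_ip):
    """Return (category, egress, snat_source) following the page's checking order."""
    for name, iface in INTERFACES.items():                       # 1. direct-connected subnets
        if dst_ip in iface["subnet"]:
            return ("direct", name, None)
    for pr in POLICY_ROUTES:                                     # 2. policy routes, in order
        if src_ip in pr["src"] and dst_ip in pr["dst"]:
            return ("policy", pr["next_hop"], pr["snat"])
    for prefix in sorted(STATIC_ROUTES, key=lambda n: n.prefixlen, reverse=True):
        if dst_ip in prefix:                                     # 3. static routes (assumed position)
            return ("static", STATIC_ROUTES[prefix], None)
    return ("default-trunk", DEFAULT_WAN_TRUNK[0], None)         # 4. default WAN trunk


def forward(src, dst, dport):
    """Decide where a packet goes and what source address leaves the external interface."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    nat_ip, nat_port = apply_dnat(dst_ip, dport)
    category, egress, snat = lookup_route(src_ip, nat_ip)
    # Default SNAT on an external interface is that interface's own address.
    if snat is None and egress in INTERFACES and INTERFACES[egress]["external"]:
        snat = INTERFACES[egress]["ip"]
    return {"dst": str(nat_ip), "dport": nat_port, "category": category,
            "egress": egress, "source_out": str(snat) if snat else str(src_ip)}
```

Note the order matters: because DNAT runs before routing, the inbound request to the public address 203.0.113.2 is routed as a direct-connected DMZ packet, and because the server's policy route appears in the table before the default trunk is reached, its replies leave with the same public address instead of wan1's own address.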
Page 98
... the Add icon.
6.5.7 Zones (continued): ... belongs to at most one zone. The ZyWALL only checks regular (through-ZyWALL) firewall rules for packets that pass through it; ... are automatically assigned to the ZyWALL.
6.5.8 DDNS
Dynamic DNS maps a domain name to ...
MENU ITEM(S) Configuration > Network > DDNS
PREREQUISITES Interface
6.5.9 NAT
Use Network Address Translation (NAT) ...
MENU ITEM(S) Configuration > Network > NAT
Page 99
6 In Mapping Type, select Port.
7 Enter 21 in both the Original and the Mapped Port fields.
... The ZyWALL does not check to-ZyWALL firewall rules for the original IP address ...
6.5.10 HTTP Redirect
Configure this feature to have the ZyWALL transparently forward HTTP (web) traffic to ... redirect incoming HTTP requests ... (lan1) ... through ...
Page 100
... Firewall rules can be based on schedules, specific users (or user groups), source or destination addresses (or address groups), and services (or service groups). You could configure a firewall rule to allow VoIP sessions from the LAN or WAN zone, and you can also configure the firewall to control who can receive calls. You can configure ...
Page 101
Chapter 6 Configuration Basics
1 Create a VoIP service object for UDP port 5060 traffic (Configuration > Object > Service).
2 Create an address object for the VoIP server (Configuration > Object > Address).
3 Click Configuration > Firewall to go to the firewall configuration.
4 Select from the DMZ zone to the LAN1 zone, and add a firewall ...
6.5.14 IPSec VPN (continued): ... remote network, NAT), to-ZyWALL firewall, firewall
WHERE USED Policy routes, zones
Example: See Chapter 7 on page 107.
6.5.15 SSL VPN
Use SSL VPN to ... to-ZyWALL firewall, firewall
WHERE USED Policy routes, zones
Example ...
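The four VoIP steps above, the object-based configuration described on pages 87 and 88 (rules reference objects; changing an interface updates its subnet object and every rule that uses it), the Object Reference screen on page 53 and the session limit with its exempt list from the page 49 menu table, as one added example. This is Python written for this page to show how such a zone firewall behaves; it is not ZyWALL code, and every interface name, subnet, object, rule and limit is constructed. Default-deny for unmatched traffic and treating any address not on a local interface as the WAN zone are assumptions of the example.

```python
"""Added example (not ZyWALL code): an object-based, zone-based firewall model.
Rules name address and service objects rather than literal values, so updating
an object changes what every rule referencing it matches; through-ZyWALL and
to-ZyWALL rules are separate tables searched top to bottom (first match wins);
a per-source session limit with an exempt list is enforced on allowed sessions.
All names, subnets, objects and limits are constructed for the example."""
from collections import Counter
from ipaddress import ip_address, ip_network


class ZoneFirewall:
    def __init__(self, session_limit=0):
        self.interfaces = {}        # name -> {"zone", "subnet", "ip"}
        self.addresses = {}         # address objects: name -> ip_network
        self.services = {}          # service objects: name -> (proto, port)
        self.rules = []             # through-ZyWALL rules, first match wins
        self.to_device_rules = []   # to-ZyWALL rules: traffic addressed to the device
        self.session_limit = session_limit   # 0 means unlimited (assumption)
        self.exempt = set()         # address object names exempt from the limit
        self.sessions = Counter()   # allowed sessions per source IP

    def set_interface(self, name, zone, cidr, ip):
        """Create or re-address an interface. Its interface-based subnet object
        (<NAME>_SUBNET) is maintained with it, so rules using it follow the change."""
        net = ip_network(cidr)
        self.interfaces[name] = {"zone": zone, "subnet": net, "ip": ip_address(ip)}
        self.addresses[f"{name.upper()}_SUBNET"] = net

    def add_address(self, name, cidr):
        self.addresses[name] = ip_network(cidr)

    def add_service(self, name, proto, port):
        self.services[name] = (proto, port)

    def add_rule(self, src_zone, dst_zone, src=None, dst=None, service=None,
                 action="allow", to_device=False):
        # Objects are prerequisites: a rule may only reference ones that exist.
        for name in (src, dst):
            if name is not None and name not in self.addresses:
                raise KeyError(f"unknown address object {name}")
        if service is not None and service not in self.services:
            raise KeyError(f"unknown service object {service}")
        rule = dict(src_zone=src_zone, dst_zone=dst_zone, src=src, dst=dst,
                    service=service, action=action)
        (self.to_device_rules if to_device else self.rules).append(rule)

    def references(self, name):
        """Like the Object Reference screen: 1-based rule numbers that use an object."""
        table = self.rules + self.to_device_rules
        return [i for i, r in enumerate(table, 1) if name in (r["src"], r["dst"], r["service"])]

    def zone_of(self, ip):
        for iface in self.interfaces.values():
            if ip in iface["subnet"]:
                return iface["zone"]
        return "WAN"   # assumption: anything not on a local interface is the WAN zone

    def _matches(self, rule, src_zone, dst_zone, src_ip, dst_ip, proto, port):
        if rule["src_zone"] not in ("any", src_zone) or rule["dst_zone"] not in ("any", dst_zone):
            return False
        if rule["src"] and src_ip not in self.addresses[rule["src"]]:
            return False
        if rule["dst"] and dst_ip not in self.addresses[rule["dst"]]:
            return False
        return rule["service"] is None or self.services[rule["service"]] == (proto, port)

    def _over_limit(self, src_ip):
        if self.session_limit == 0 or any(src_ip in self.addresses[n] for n in self.exempt):
            return False
        return self.sessions[src_ip] >= self.session_limit

    def check(self, src, dst, proto, port):
        """Decide a new session: 'allow' or 'deny'. Unmatched traffic is denied."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        to_device = any(dst_ip == i["ip"] for i in self.interfaces.values())
        table = self.to_device_rules if to_device else self.rules
        src_zone = self.zone_of(src_ip)
        dst_zone = "ZyWALL" if to_device else self.zone_of(dst_ip)
        decision = "deny"
        for rule in table:
            if self._matches(rule, src_zone, dst_zone, src_ip, dst_ip, proto, port):
                decision = rule["action"]
                break
        if decision == "allow" and self._over_limit(src_ip):
            return "deny"
        if decision == "allow":
            self.sessions[src_ip] += 1
        return decision


def build_example():
    """The constructed configuration: the page's VoIP steps plus two more rules."""
    fw = ZoneFirewall(session_limit=2)
    fw.set_interface("lan1", "LAN1", "192.168.1.0/24", "192.168.1.1")
    fw.set_interface("dmz", "DMZ", "192.168.3.0/24", "192.168.3.1")
    fw.add_service("VoIP", "udp", 5060)                      # step 1
    fw.add_address("VOIP_SERVER", "192.168.1.50/32")          # step 2
    fw.add_rule("DMZ", "LAN1", dst="VOIP_SERVER", service="VoIP")   # steps 3 and 4
    fw.add_rule("LAN1", "WAN", src="LAN1_SUBNET")             # outbound via the subnet object
    fw.add_service("HTTPS", "tcp", 443)
    fw.add_rule("LAN1", "ZyWALL", service="HTTPS", to_device=True)  # management access
    fw.exempt.add("VOIP_SERVER")
    return fw
```

Two behaviours worth noticing when running it: the DMZ-to-LAN1 through rule does not grant DMZ hosts HTTPS to the device itself, because to-ZyWALL traffic is decided by its own table; and after re-addressing lan1 with set_interface, the outbound rule starts matching the new subnet and stops matching the old one without the rule being edited, which is the object-based behaviour pages 87 and 88 describe.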
Page 104
OBJECT: WHERE USED
...: firewall, content filter, user settings (force user authentication)
AAA server: authentication methods
authentication methods: VPN gateways (extended authentication), WWW (client authentication)
certificates: VPN gateways, WWW, SSH, FTP
SSL Application: SSL VPN
Endpoint Security: authentication policies, SSL VPN
6.6.1 User/Group
Use these screens to ... force user authentication ... to the ZyWALL before the ZyWALL routes traffic for them, you have to ... The prerequisites are only used in ...
Page 105
... Log & Report
Use these screens to set which ... to send log messages; the ZyWALL can send log information to four syslog servers. It can also e-mail ... statistical reports on a daily basis. ...
System
Use ... Console Speed to set the console speed. Use ... > WWW to ...
MENU ITEM(S) Configuration > System > DNS, WWW, SSH, TELNET, FTP, SNMP, Vantage CNM, Language
PREREQUISITES To-ZyWALL firewall, zones, addresses, address groups, certificates (WWW, SSH, FTP, Vantage CNM), authentication methods (WWW)
Example: Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from ... addresses ...