ZyWALL 2 Plus User's Guide
Page 7
Contents Overview

Introduction and Registration ... 43
Getting to Know Your ZyWALL ... 45
Introducing the Web Configurator ... 49
Wizard Setup ... 67
Tutorials ... 87
Registration Screens ... 125
Network ... 129
LAN Screens ... 131
Bridge Screens ... 143
WAN Screens ... 151
DMZ Screens ... 171
Wireless LAN Screens ... 183
Security ... 193
Firewall Screens ... 195
Content Filtering Screens ... 223
Content Filtering Reports ... 245
IPSec VPN ...
... 415
Logs Screens ... 417
Maintenance Screens ... 447
Page 10
... 3.3 VPN Wizard Gateway Setting ... 77
3.4 VPN Wizard Network Setting ... 78
3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1) ... 80
3.6 VPN Wizard IPSec Setting (IKE Phase 2) ... 81
3.7 VPN Wizard Status Summary ... 83
3.8 VPN Wizard Setup Complete ... 85
Chapter 4 Tutorials ... 87
4.1 Security Settings for VPN Traffic ... 87
4.1.1 Firewall Rule for VPN Example ... 87
4.1.2 Configuring the VPN ...
... Testing the Connections ... 112
4.3 Using NAT with Multiple Game Players ... 112
4.4 How to Manage the ZyWALL's Bandwidth ... 113
4.4.1 Example Parameters and Scenario ... 113
4.4.2 Configuring Bandwidth Management Rules ... 114
4.5 Configuring ...
Page 25
... SECURITY > VPN > VPN Rules (IKE) ... 88
Figure 34 SECURITY > VPN > VPN Rules (IKE) > Add Gateway Policy ... 89
Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example ... 90
Figure 36 SECURITY > VPN > VPN Rules (IKE) > Add Network Policy ... 91
Figure 37 SECURITY > FIREWALL > Rule Summary ... 92
Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow ... 93
Page 26
... SECURITY > FIREWALL > Rule Summary: Allow ... 94
Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN ... 94
Figure 41 Tutorial Example: Using NAT with Static Public IP Addresses ... 95
Figure 42 Tutorial Example ...
... Setup: WWW ... 117
Figure 76 Tutorial Example: Bandwidth Management Class Setup Done ... 117
Figure 77 Tutorial Example: Bandwidth Management Monitor ... 118
Figure 78 SECURITY > CONTENT FILTER > General ... 119
Figure 79 SECURITY > CONTENT FILTER > Policy ... 120
Figure 80 SECURITY > CONTENT FILTER > Policy > External Database (Default) ... 120
Figure 81 HOME > DHCP Table ... 121
Page 61
Chapter 2 Introducing the Web Configurator

Table 6 Screens Summary (continued)

LINK / TAB: FUNCTION
...: Use this screen to configure through which interface(s) and from which IP address(es) users can use ... to access the ZyWALL.
AUTH SERVER ...: Use this screen to configure an external server to authenticate wireless and/or VPN users.
AUTH SERVER > Local User Database: Use this screen to set up the local user account(s) on the ZyWALL.
Port Forwarding: Use this screen to configure servers behind the ZyWALL.
Class Setup: Use this screen to set up the bandwidth classes.
DHCP: ...
FTP: Use this screen to use FTP to access the ZyWALL.
REMOTE MGMT > WWW: Use this screen ...
Page 67
Chapter 3 Wizard Setup

... 3.3 on the Wizard Setup screens in router mode.

3.1 Wizard Setup Overview

The web configurator's setup wizards help you configure Internet and VPN connection settings. The following summarizes the wizards you can select:

• Internet Access Setup: Click this link to set up an Internet connection.
...

Figure 14 Wizard Setup Welcome
Page 71
Chapter 3 Wizard Setup

... client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks such as the Internet. PPTP's authentication and encryption are weak by current standards, so treat a PPTP link as no more trustworthy than the network it runs over.

Note: The ZyWALL supports one PPTP server connection at any given time.

...: Enter your WAN IP address in this field.
...: Leave the field as 0.0.0.0 if you do not want to configure DNS servers.
Apply: Click Apply to save your changes.
Page 77
Click Next.

Figure 24 Internet Access Wizard: Registered Device
Figure 25 Internet Access Wizard: Activated Services

3.3 VPN Wizard Gateway Setting

Click VPN Setup in the Wizard Setup Welcome screen (Figure 14 on page 67) to open the VPN configuration wizard. The first screen displays as shown next. Use this screen to name the ...
Page 78
Chapter 3 Wizard Setup

Figure 26 VPN Wizard: Gateway Setting

The following table describes the labels in this screen.

Table 15 VPN Wizard: Gateway Setting

LABEL: DESCRIPTION
Gateway Policy Property
Name: Type up to ...
...: ... address. Set this field as 0.0.0.0 ...
Remote Gateway Address: Enter the WAN IP address or domain name of the remote IPSec router. The ZyWALL uses this to identify the remote IPSec router by its IP address or domain name. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. With 0.0.0.0 the ZyWALL cannot initiate the tunnel and will accept the IKE negotiation from any source address, so the pre-shared key and the peer's ID are the only things authenticating the remote gateway.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.
Page 79
Chapter 3 Wizard Setup

Table 16 VPN Wizard: Network Setting

LABEL: DESCRIPTION
Network Policy Property
Active: If the Active check box is not selected, the ZyWALL does not apply the policy.
Name: ... You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy Setting
Local Network
Starting IP Address: When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. ...
Ending IP Address / Subnet Mask: When the Local Network field is configured to Single, this field is N/A. When it is configured to a subnet, enter the subnet mask of the LAN behind your ZyWALL.

Note: Two active SAs can have the same local or remote IP address, but not both.
Page 80
Chapter 3 Wizard Setup

Table 16 VPN Wizard: Network Setting (continued)

LABEL: DESCRIPTION
Remote Network: ... a range of IP addresses. Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses.
...: When the Remote Network field is ..., this field is N/A.
Back: Click Back to return to the previous screen.

Figure 28 VPN Wizard: IKE Tunnel Setting
Page 81
Chapter 3 Wizard Setup

VPN Wizard: IKE Tunnel Setting (IKE Phase 1)

LABEL: DESCRIPTION
Encryption Algorithm: ... AES ... Both sender and receiver must know the same secret key ...
Authentication Algorithm: MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. Select MD5 for minimal security and SHA-1 for maximum security in the phase 1 IKE setup.
Key Group: DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower). DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number (the strongest of the three; DH1 is the weakest and should not be the choice for a long-lived tunnel).
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys ...
Pre-Shared Key: Type from 8 to 31 case-sensitive ASCII characters ...
Back: Click Back to return to the previous screen.
Page 82
Chapter 3 Wizard Setup

VPN Wizard: IKE Tunnel Setting (IKE Phase 1) (continued)

SA Life Time (Seconds), continued: ... However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Authentication Algorithm, continued: The SHA-1 (Secure Hash Algorithm) algorithm is generally considered stronger than MD5, but uses more processing power.

Figure 29 VPN Wizard: IPSec Setting

The following table describes the labels in this screen.

Table 18 VPN Wizard: IPSec Setting

LABEL: DESCRIPTION
Encapsulation Mode: Tunnel mode encapsulates the entire original IP packet in a new one, so the addresses of internal systems are not exposed on the public network; it is required for a gateway to provide access to internal systems, at the cost of extra overhead per packet. Transport mode protects only the payload of the IP packet.
Page 83
Chapter 3 Wizard Setup

Table 18 VPN Wizard: IPSec Setting (continued)

LABEL: DESCRIPTION
Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure: without PFS every phase 2 key is derived from the phase 1 Diffie-Hellman secret, so recovering that one secret exposes all the tunnel's traffic keys. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower). DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number.
Back: Click Back to return to the previous screen.
Next: Click Next to continue.

3.7 VPN Wizard Status Summary

This read-only screen shows the status of the current VPN setting.

Figure 30 VPN Wizard: VPN Status
Page 84
Chapter 3 Wizard Setup

The following table describes the labels in this screen.

Table 19 VPN Wizard: VPN Status

LABEL: DESCRIPTION
Gateway Policy Property
Name: This is the name of this VPN gateway policy.
...
Ending IP Address / Subnet Mask: When the local network is configured for a single IP address, this field is N/A. When the local network is configured for a subnet, this is the subnet mask ...
... the remote IPSec router.
IKE Phase 1 ...
IKE Phase 2
Encapsulation Mode: This shows Tunnel mode or Transport mode.
Page 85
Chapter 3 Wizard Setup

Table 19 VPN Wizard: VPN Status (continued)

LABEL: DESCRIPTION
Encryption Algorithm: Options can be DES, 3DES, AES or NULL. NULL gives integrity protection only; the payload travels in the clear.
SA Life Time (Seconds): This is the length of time before an IKE SA automatically renegotiates.
Perfect Forward Secrecy (PFS): This is disabled (None) by default in phase 2 IPSec SA setup. Otherwise, DH1, DH2 or DH5 are the Diffie-Hellman key groups used to enable PFS.
Back: Click Back to return to the previous screen.
...: Click ... to complete and save the wizard setup.

3.8 VPN Wizard Setup Complete

Congratulations! ... If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule.

Figure 31 VPN Wizard Setup Complete
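The wizard tables above (IKE phase 1 on pages 81 and 82, IPSec phase 2 on pages 83 to 85) list the choices one screen at a time but give no way to check a whole rule before committing it. The following is an added example, not code from the ZyWALL guide or from ZyXEL: a small pre-commit audit of a proposed rule and a check that two gateways' phase 1 proposals can match. The option names, the DH group sizes, the 8-to-31-character pre-shared key rule and the 180-second minimum lifetime are the values the guide gives; the wording of the findings, the 16-character / three-character-class strength threshold and the `mismatches` helper are this author's assumptions.

```python
"""Pre-commit checks on the choices the VPN wizard asks for in its IKE phase 1
and IPSec phase 2 screens. Added example, not code from the ZyWALL guide: the
option names, the DH group sizes and the 180-second minimum SA lifetime are
the values the guide lists; the severity wording and the pre-shared-key
strength threshold are this author's own assumptions."""

from dataclasses import dataclass
from typing import List

DH_GROUP_BITS = {"DH1": 768, "DH2": 1024, "DH5": 1536}
ENCRYPTION = ("DES", "3DES", "AES", "NULL")
AUTHENTICATION = ("MD5", "SHA1")
NEGOTIATION = ("Main", "Aggressive")
ENCAPSULATION = ("Tunnel", "Transport")
PFS = ("None",) + tuple(DH_GROUP_BITS)
MIN_SA_LIFETIME = 180  # seconds, the minimum the guide states


@dataclass
class Phase1:
    negotiation_mode: str   # "Main" or "Aggressive"
    encryption: str
    authentication: str
    key_group: str          # DH1, DH2 or DH5
    sa_lifetime: int        # seconds
    pre_shared_key: str


@dataclass
class Phase2:
    encapsulation: str      # "Tunnel" or "Transport"
    encryption: str
    authentication: str
    sa_lifetime: int
    pfs: str                # "None", "DH1", "DH2" or "DH5"


def check_pre_shared_key(psk: str) -> List[str]:
    """The wizard takes 8 to 31 case-sensitive ASCII characters. A key that is
    short or drawn from one character class is a dictionary-attack target
    (assumed threshold: at least 16 characters from at least 3 classes)."""
    problems = []
    if not 8 <= len(psk) <= 31:
        problems.append("pre-shared key must be 8 to 31 characters")
    if not all(32 <= ord(c) < 127 for c in psk):
        problems.append("pre-shared key must be printable ASCII")
    classes = sum(any(test(c) for c in psk)
                  for test in (str.islower, str.isupper, str.isdigit,
                               lambda c: not c.isalnum()))
    if len(psk) < 16 or classes < 3:
        problems.append("pre-shared key is short or low-entropy; use a long random value")
    return problems


def audit(p1: Phase1, p2: Phase2) -> List[str]:
    """One finding per invalid or weak choice; an empty list means clean."""
    f: List[str] = []
    for label, value, allowed in (
            ("phase 1 negotiation mode", p1.negotiation_mode, NEGOTIATION),
            ("phase 1 encryption", p1.encryption, ENCRYPTION),
            ("phase 1 authentication", p1.authentication, AUTHENTICATION),
            ("phase 1 key group", p1.key_group, tuple(DH_GROUP_BITS)),
            ("phase 2 encapsulation", p2.encapsulation, ENCAPSULATION),
            ("phase 2 encryption", p2.encryption, ENCRYPTION),
            ("phase 2 authentication", p2.authentication, AUTHENTICATION),
            ("phase 2 PFS", p2.pfs, PFS)):
        if value not in allowed:
            f.append(f"{label}: {value!r} is not one of {allowed}")
    if p1.negotiation_mode == "Aggressive":
        f.append("phase 1: aggressive mode sends identities and the PSK-derived hash unencrypted")
    for phase, enc in (("phase 1", p1.encryption), ("phase 2", p2.encryption)):
        if enc == "NULL":
            f.append(f"{phase}: NULL encryption authenticates packets but does not conceal them")
        elif enc == "DES":
            f.append(f"{phase}: single DES (56-bit key) is brute-forceable; use 3DES or AES")
    for phase, auth in (("phase 1", p1.authentication), ("phase 2", p2.authentication)):
        if auth == "MD5":
            f.append(f"{phase}: MD5 selected; SHA1 is the stronger option offered")
    if DH_GROUP_BITS.get(p1.key_group) == 768:
        f.append("phase 1: DH1 (768-bit) is the weakest group offered; prefer DH5")
    if p2.pfs == "None":
        f.append("phase 2: PFS off, so every phase 2 key derives from the phase 1 secret")
    elif DH_GROUP_BITS.get(p2.pfs) == 768:
        f.append("phase 2: PFS with DH1 (768-bit) is the weakest group offered; prefer DH5")
    for phase, life in (("phase 1", p1.sa_lifetime), ("phase 2", p2.sa_lifetime)):
        if life < MIN_SA_LIFETIME:
            f.append(f"{phase}: SA lifetime {life}s is below the {MIN_SA_LIFETIME}s minimum")
    if p2.encapsulation == "Transport":
        f.append("phase 2: transport mode leaves the original IP header exposed; "
                 "gateway-to-gateway tunnels need tunnel mode")
    f.extend("phase 1: " + p for p in check_pre_shared_key(p1.pre_shared_key))
    return f


def mismatches(local: Phase1, remote: Phase1) -> List[str]:
    """Both gateways must propose the same negotiation mode and algorithms or
    phase 1 never completes. Lifetimes are negotiated and the pre-shared key
    is never compared directly, so neither is checked here."""
    return [name for name in ("negotiation_mode", "encryption", "authentication", "key_group")
            if getattr(local, name) != getattr(remote, name)]


if __name__ == "__main__":
    proposed = Phase1("Aggressive", "DES", "MD5", "DH1", 3600, "secret")
    for line in audit(proposed, Phase2("Tunnel", "DES", "MD5", 28800, "None")):
        print("-", line)
```

Run it against the rule you are about to save; a clean rule produces no output. The pre-shared key check deliberately goes beyond the wizard's own 8-to-31-character limit, because the length limit alone still admits keys that an offline guess would recover.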
Page 225
Chapter 12 Content Filtering Screens

... belongs.

Figure 150 SECURITY > CONTENT FILTER > General

Table 56 SECURITY > CONTENT FILTER > General

LABEL: DESCRIPTION
General Setup
Enable Content Filter: Select this check box to turn on the ZyWALL's content filtering. Content filtering works on ... (see page 407 if you need to ...).
Enable Content Filter for VPN traffic: Select this check box to have the content filter apply to traffic going to or from the ZyWALL's VPN tunnels. The content filter cannot apply to traffic that passes through a VPN tunnel for which the ZyWALL is not one of the gateways (VPN pass-through), because the ZyWALL never sees that traffic decrypted.
...: Turn on the ZyWALL's external database content filtering settings ...
Page 255
Chapter 14 IPSec VPN Screens

Figure 170 IPSec Fields Summary

Negotiation Mode: The negotiation mode determines the number of steps it takes for the ZyWALL and the remote IPSec router to establish an IKE SA. Main mode provides better security, while aggressive mode is faster: aggressive mode sends the identities and the pre-shared-key-based hash before any encryption key exists, so use it only where a dynamic-address peer requires it, and then with a long random pre-shared key. Main mode is used in the VPN setup examples in this guide.

Note: Both routers must use the same negotiation mode.

Sometimes your ZyWALL might not know the IP address of the remote IPSec router (for example, if it has a dynamic WAN IP address). You can usually provide a static IP address or a domain name ...
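To make the main-mode-versus-aggressive-mode trade-off above concrete, the following added example (not code from the ZyWALL guide or from ZyXEL) simulates which phase 1 fields a passive observer on the WAN can read in each mode, and what that lets the observer do with a pre-shared key. The Diffie-Hellman group, cookies, nonces, SA payload and the identity `zywall.example.test` are constructed toy values; SKEYID and HASH_R are built as RFC 2409 specifies for pre-shared-key authentication, with HMAC-SHA1 as the prf.

```python
"""What a passive observer on the WAN sees during IKEv1 phase 1 in aggressive
mode versus main mode, and why that makes main mode the safer default for a
pre-shared-key tunnel. Added illustration, not code from the ZyWALL guide.
The DH group, cookies, nonces, SA payload and identities are constructed toy
values; SKEYID and HASH_R follow RFC 2409 with HMAC-SHA1 as the prf."""

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Toy Diffie-Hellman group (Mersenne prime 2^127 - 1, generator 2). Real IKE
# uses group 1/2/5 (768/1024/1536-bit MODP); the group size does not change
# which payloads travel in the clear, which is the point being shown.
P = (1 << 127) - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")


@dataclass
class Phase1Capture:
    """Fields an eavesdropper can read from the phase 1 messages."""
    sa_i: bytes              # initiator's proposal (clear in both modes)
    cky_i: bytes             # cookies (clear in both modes)
    cky_r: bytes
    gxi: int                 # g^xi, clear in both modes
    gxr: int                 # g^xr, clear in both modes
    ni: bytes                # nonces, clear in both modes
    nr: bytes
    id_r: Optional[bytes]    # responder ID: clear in aggressive mode only
    hash_r: Optional[bytes]  # HASH_R: clear in aggressive mode only


def hash_r(psk: bytes, cap: Phase1Capture, id_r: bytes) -> bytes:
    """RFC 2409, pre-shared key authentication:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = prf(psk, cap.ni + cap.nr)
    return prf(skeyid, enc(cap.gxr) + enc(cap.gxi) + cap.cky_r + cap.cky_i
               + cap.sa_i + id_r)


def run_phase1(psk: bytes, mode: str,
               id_r: bytes = b"zywall.example.test") -> Phase1Capture:
    """Simulate the phase 1 exchange and return only what crosses the wire
    unencrypted. mode is "main" or "aggressive"."""
    xi = int.from_bytes(os.urandom(15), "big")
    xr = int.from_bytes(os.urandom(15), "big")
    cap = Phase1Capture(
        sa_i=b"DH1-3DES-SHA1-PSK", cky_i=os.urandom(8), cky_r=os.urandom(8),
        gxi=pow(G, xi, P), gxr=pow(G, xr, P),
        ni=os.urandom(16), nr=os.urandom(16), id_r=None, hash_r=None)
    if mode == "aggressive":
        # Message 2 of 3 carries IDr and HASH_R before any encryption key exists.
        cap.id_r = id_r
        cap.hash_r = hash_r(psk, cap, id_r)
    elif mode != "main":
        raise ValueError("mode must be 'main' or 'aggressive'")
    # Main mode: IDr and HASH_R ride in message 6, encrypted under SKEYID_e,
    # which needs g^xy; a passive observer has only g^xi and g^xr.
    return cap


def offline_psk_search(cap: Phase1Capture, candidates) -> Optional[bytes]:
    """Test candidate pre-shared keys against a capture. Possible only when
    HASH_R and IDr were sent in the clear, i.e. after an aggressive-mode
    exchange; returns the matching PSK or None."""
    if cap.hash_r is None or cap.id_r is None:
        return None
    for guess in candidates:
        if hmac.compare_digest(hash_r(guess, cap, cap.id_r), cap.hash_r):
            return guess
    return None


if __name__ == "__main__":
    wordlist = [b"password", b"zyxel1234", b"Summer2006!"]   # constructed
    for mode in ("aggressive", "main"):
        cap = run_phase1(b"Summer2006!", mode)
        print(f"{mode:10s} recovered PSK: {offline_psk_search(cap, wordlist)!r}")
```

Running it prints the recovered key for the aggressive-mode capture and `None` for main mode, with the same pre-shared key in both runs. That is the whole difference the wizard's negotiation-mode choice makes: in main mode the observer needs the Diffie-Hellman secret before it can even test a guess; in aggressive mode the pre-shared key's strength is the only barrier.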
Page 259
Chapter 14 IPSec VPN Screens

... when using dial backup or traffic redirect. If the WAN connection goes down ...
... When the ZyWALL is in router mode, ... When the ZyWALL is in bridge mode, this field is ...
...: Select this check box to enable NAT traversal. In order to use ... dynamic ...
... The VPN tunnel has to be rebuilt if the My ZyWALL IP address changes after setup.
... Set this to 0.0.0.0 if the remote IPSec router has a ... dynamic WAN IP address.
Enable IPSec High Availability: Turn on ... (see page 283). You can use a redundant (backup) VPN connection to ...
... the LAN IP address when using Transport or Tunnel mode ...
... but the ZyWALL drops trailing spaces.
Page 268
Chapter 14 IPSec VPN Screens

Table 66 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued)

LABEL: DESCRIPTION
SA Life Time (Seconds): Define the length of time before an IPSec SA automatically renegotiates. The minimum value is 180 seconds. VPN setup is processing intensive ... Denial of Service (DoS) attacks ...
Perfect Forward Secrecy (PFS): Choices are: None - disable PFS; DH1 - enable PFS and use a 768-bit random number; DH2 - enable PFS and use a 1024-bit random number; ...
...: Select this check box to let the ZyWALL forward traffic coming in through the VPN tunnel to the appropriate IP address on the LAN.
... are less secure than the ones you configure for your VPN tunnels ...