User Guide
Page 7
Contents Overview Introduction and Registration 43 Getting to Know Your ZyWALL 45 Introducing the Web Configurator 49 Wizard Setup ...67 Tutorials ...87 Registration Screens ...125 Network ...129 LAN Screens ...131 Bridge......151 DMZ Screens ...171 Wireless LAN Screens ...183 Security ...193 Firewall Screens ...195 Content Filtering Screens ...223 Content Filtering Reports ...245 IPSec VPN Screens ...253 Certificates Screen ...295 Authentication Server Screens 323 Advanced ...329 Network Address Translation (NAT) Screens 331 Static Route Screens ...347 Bandwidth Management...
Page 9
... I: Introduction and Registration 43 Chapter 1 Getting to Know Your ZyWALL 45 1.1 ZyWALL Internet Security Appliance Overview 45 1.2 Applications for the ZyWALL 45 1.2.1 Secure Broadband Internet Access via Cable or DSL Modem 45 1.2.2 VPN Application ...46 1.3 Ways to Manage the ZyWALL 46 1.4 Good Habits for Managing the ZyWALL 47 1.5 LEDs ...47 Chapter 2 Introducing the Web Configurator 49...
Page 10
... Internet Access Wizard: Service Activation 77 3.3 VPN Wizard Gateway Setting 77 3.4 VPN Wizard Network Setting 78 3.5 VPN Wizard IKE Tunnel Setting (IKE Phase 1 80 3.6 VPN Wizard IPSec Setting (IKE Phase 2 81 3.7 VPN Wizard Status Summary 83 3.8 VPN Wizard Setup Complete 85 Chapter 4 Tutorials ...through the Firewall 105 4.2.6 Testing the Connections 112 4.3 Using NAT with Multiple Game Players 112 4.4 How to Manage the ZyWALL's Bandwidth 113 4.4.1 Example Parameters and Scenario 113 4.4.2 Configuring Bandwidth Management Rules 114 4.5 Configuring Content Filtering 118 4.5.1 Enable...
Page 13
... VPN Screens...253 14.1 Overview ...253 14.1.1 What You Can Do in the IPSec VPN Screens 253 14.1.2 What You Need to Know About IPSec VPN 254 14.2 The VPN Rules (IKE) Screen 256 14.2.1 The VPN ...Rules (IKE) Gateway Policy Edit Screen 257 14.2.2 The VPN Rules (IKE)... Port Forwarding Screen 268 14.2.4 The Network Policy Move Screen 270 14.3 The VPN Rules (Manual) Screen 271 14.3.1 The VPN Rules (Manual) Edit Screen 272 14.4 The SA Monitor Screen 275 14.5 The...
Page 14
... Example 279 14.6.2 Telecommuters Using Unique VPN Rules Example 279 14.7 VPN and Remote Management 281 14.8 Hub-and-spoke VPN ...281 14.8.1 Hub-and-spoke VPN Example 282 14.8.2 Hub-and-spoke Example VPN Rule Addresses 283 14.8.3 Hub-and-spoke VPN Requirements and Suggestions 283 14.9 IPSec VPN Technical Reference 283 Chapter 15 Certificates Screen... User Database Screen 324 16.3 The RADIUS Screen ...326 Part IV: Advanced 329 Chapter 17 Network Address Translation (NAT) Screens 331 17.1 Overview ...331 14 ZyWALL 2 Plus User's Guide
Page 25
... 33 SECURITY > VPN > VPN Rules (IKE 88 Figure 34 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy 89 Figure 35 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example 90 Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy 91 Figure 37 SECURITY > FIREWALL > Rule Summary 92 Figure 38 SECURITY > FIREWALL > Rule Summary > Edit: Allow 93 ZyWALL 2 Plus...
Page 26
List of Figures Figure 39 SECURITY > FIREWALL > Rule Summary: Allow 94 Figure 40 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN 94 Figure 41 Tutorial Example: Using NAT with Static Public IP Addresses 95 Figure 42 Tutorial Example: WAN Connection with a Static Public IP ... 119 Figure 79 SECURITY > CONTENT FILTER > Policy 120 Figure 80 SECURITY > CONTENT FILTER > Policy > External Database (Default 120 Figure 81 HOME > DHCP Table ...121 26 ZyWALL 2 Plus User's Guide
Page 28
... Configuration 214 Figure 143 My Service Firewall Rule Example: Rule Summary: Completed 215 Figure 144 From LAN to VPN Example 217 Figure 145 From VPN to LAN Example 217 Figure 146 From VPN to VPN Example 218 Figure 147 Using IP Alias to Solve the Triangle Route Problem 219 Figure 148 Three-Way Handshake... Home ...248 Figure 164 Global Report Screen Example 249 Figure 165 Requested URLs Example 250 Figure 166 Web Page Review Process Screen 251 Figure 167 VPN: Example ...253 28 ZyWALL 2 Plus User's Guide
Page 29
...VPN > VPN Rules (IKE 256 Figure 172 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy 258 Figure 173 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy 264 Figure 174 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy > Port Forwarding 269 Figure 175 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy 270 Figure 176 SECURITY > VPN > VPN Rules (Manual 271 Figure 177 SECURITY > VPN > VPN... Remote Hosts > Import 318 Figure 209 SECURITY > CERTIFICATES > Directory Servers 319 Figure 210 SECURITY > CERTIFICATES > Directory Server > Add 320 ZyWALL 2 Plus User's Guide 29
Page 37
... 56 Table 5 Bridge and Router Mode Features Comparison 58 Table 6 Screens Summary ...59 Table 7 HOME > Show Statistics ...63 Table 8 HOME > DHCP Table ...64 Table 9 HOME > VPN Status ...65 Table 10 ADVANCED > BW MGMT > Monitor 66 Table 11 ISP Parameters: Ethernet Encapsulation 68 Table 12 ISP Parameters: PPPoE Encapsulation 70 Table 13... NETWORK > WAN > Traffic Redirect 165 Table 36 NETWORK > WAN > Dial Backup 166 Table 37 NETWORK > WAN > Dial Backup > Edit 169 Table 38 NETWORK > DMZ ...175 ZyWALL 2 Plus User's Guide 37
Page 38
... 76 VPN Example: Mismatching ID Type and Content 286 Table 77 SECURITY > CERTIFICATES > My Certificates 298 Table 78 SECURITY > CERTIFICATES > My Certificates > Details 300 Table 79 SECURITY > CERTIFICATES > My Certificates > Export 302 Table 80 SECURITY > CERTIFICATES > My Certificates > Import 304 Table 81 SECURITY > CERTIFICATES > My Certificates > Import: PKCS#12 304 38 ZyWALL...
Page 45
...an access point (AP) to an Ethernet port in an existing network with security features including VPN, firewall, content filtering and certificates. You can also deploy the ZyWALL as well. ZyWALL 2 Plus User's Guide 45 See Chapter 46 on page 613 for a complete list of ...features. 1.2 Applications for the ZyWALL Here are some examples of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with minimal configuration. The ZyWALL guarantees not only high speed Internet access, but secure internal network protection and traffic...
Page 46
... and telecommuters over the Internet without the need (and expense) for leased lines between sites. Chapter 1 Getting to Know Your ZyWALL Figure 1 Secure Internet Access via Cable, DSL or Wireless Modem 1.2.2 VPN Application ZyWALL VPN is a text-based configuration menu that you can use to configure your device. • FTP for firmware upgrades and...
Page 54
... in hh:mm:ss format) along with the difference from the ZyWALL. The bar displays what percent of the maximum number of the heap memory the ZyWALL is also adjusted for running processes like NAT, VPN and the firewall. The bar turns from GMT is in order ...lists. System Resources Flash The first number shows how many sessions are currently traversing the ZyWALL, terminating at a time. CPU This field displays what percent of the flash the ZyWALL is currently used by ZyNOS (ZyXEL Network Operating System) and is activated. Chapter 2 Introducing the Web Configurator Table 3...
Page 55
...Screen: Bridge Mode The following screen displays when the ZyWALL is the reason for the alert. N/A displays when the service subscription has expired. You can update your existing network. DHCP Table Click DHCP Table to display the active VPN connections. The LAN, WAN, DMZ and WLAN interfaces...it last started up the PPTP, PPPoE or dial backup connection. VPN Click VPN to show current DHCP client information. If you connect your computer directly to the ZyWALL, you also need to access the ZyWALL for each port. System Status Port Statistics Click Port Statistics to ...
Page 56
... model name of other features that are available in the MAINTENANCE > General screen. Firmware Version This is ZyXEL's proprietary Network Operating System design. The ZyWALL starts up . ZyNOS is the ZyNOS Firmware version and the date created. Refresh Click this button to the... screen where you reset it (MAINTENANCE > Restart), or when you can specify a name for this screen. Bootbase Version This is the System Name you can use the firewall and VPN...
Page 57
...mask of BPDUs (Bridge Protocol Data Units) from GMT is being approached. Network Status IP/Netmask Address This is currently used by ZyNOS (ZyXEL Network Operating System) and is disabled. The Tree Protocol following labels or values relative to red when the maximum is based on or off... 57 It is using . When this percentage is close to 100%, the ZyWALL is the predefined interval that can configure the ZyWALL as a router or a bridge. Bridge Max Age This is running processes like NAT, VPN and the firewall. CPU This field displays what percent of the maximum number of...
Page 58
... expires. Web Site Blocked This displays how many web site hits the ZyWALL has blocked since it displays Down when the link is the reason for each port. VPN Click VPN to configure ZyWALL features. Security Services Content Filter Expiration Date This is active on the ...navigation panel to display the active VPN connections. Message This is not ready or has failed. Table 5...
Page 59
... sub-menus. Port Roles Use this screen to access the wizards, statistics and DHCP table. ZyWALL 2 Plus User's Guide 59 Use this screen to change the LAN/DMZ/WLAN port roles. Static DHCP... fixed IP addresses on the LAN. Chapter 2 Introducing the Web Configurator Table 5 Bridge and Router Mode Features Comparison FEATURE BRIDGE MODE WLAN Firewall Y Content Filter Y VPN Y Certificates Y Authentication Server Y NAT Static Route Bandwidth Management Y DNS Remote Management Y UPnP Custom APP Y ALG Y Logs Y Maintenance Y ROUTER MODE Y Y Y Y Y Y Y Y...
Page 60
...and certification requests. Directory Servers Use this screen to display and manage active VPN connections. Object Use this screen to configure VPN connections using manual key management and view the rule summary. VPN VPN Rules (IKE) Use this screen to customize the content filter list. WAN... summary. VPN Rules (Manual) Use this screen to configure the threshold for external database content filtering and view reports. Static DHCP Use this screen to change your WLAN connection. Port Roles Use this screen to assign fixed IP addresses on the ZyWALL. Static ...