User Guide
Page 9
Contents Overview Contents Overview User's Guide ...27 Introducing the ZyWALL ...29 Features and Applications ...37 Web Configurator ...43 Installation Setup Wizard ...59 Quick Setup ...69 Configuration Basics ...87 Tutorials ...107 Technical Reference ...163 Dashboard ...165 Monitor ...177 ...IPSec VPN ...391 SSL VPN ...427 SSL User Screens ...437 SSL User Application Screens 447 ZyWALL SecuExtender ...449 Bandwidth Management ...453 ADP ...467 Content Filtering ...487 Content Filter Reports ...513 Anti-Spam ...521 User/Group ...539 Addresses ...555 Services ...561 ZyWALL USG 20/20W...
Page 11
... Chapter 2 Features and Applications ...37 2.1 Features ...37 2.2 Applications ...39 2.2.1 VPN Connectivity ...39 2.2.2 SSL VPN Network Access 39 2.2.3 User-Aware Access Control 41 Chapter 3 Web Configurator...43 3.1 Web Configurator Requirements 43 3.2 Web Configurator Access ...43 3.3 Web Configurator Screens Overview 45 3.3.1 Title Bar ...46 3.3.2 Navigation Panel ...47 3.3.3 Main Window ...52 3.3.4 Tables and Lists ...54 ZyWALL USG 20/20W User's Guide 11
Page 12
... 5.5.5 VPN Advanced Wizard - Phase 2 83 5.5.7 VPN Advanced Wizard - Finish 86 Chapter 6 Configuration Basics...87 6.1 Object-based Configuration 87 6.2 Zones, Interfaces, and Physical Ports 88 6.2.1 Interface Types ...89 6.2.2 Default Interface and Zone Configuration 90 6.3 Terminology in the ZyWALL 91 6.4 Packet Flow ...91 6.4.1 Routing Table Checking Flow 92 6.4.2 NAT Table Checking Flow 94 6.5 Feature Configuration Overview 95 12 ZyWALL USG 20/20W...
Page 13
... ...110 7.2 How to Configure a Cellular Interface 111 7.3 How to Configure Load Balancing 113 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces 113 7.3.2 Configure the WAN Trunk 114 7.4 How to Set Up an IPSec VPN Tunnel 116 7.4.1 Set Up the VPN Gateway 117 7.4.2 Set Up the VPN Connection 118 7.4.3 Configure Security Policies for the VPN Tunnel 119 ZyWALL USG 20/20W User's Guide...
Page 18
...Technical Reference 357 Chapter 20 IP/MAC Binding ...359 20.1 IP/MAC Binding Overview 359 20.1.1 What You Can Do in this Chapter 359 20.1.2 What You Need to Know 360 20.2 IP/MAC Binding Summary 360 20.2.1 IP/MAC Binding Edit 361 20.2.2 Static DHCP Edit ...362 20.3 IP/MAC Binding ...376 22.1.4 Firewall Rule Configuration Example 379 22.2 The Firewall Screen ...381 22.2.1 Configuring the Firewall Screen 382 22.2.2 The Firewall Add/Edit Screen 385 22.3 The Session Limit Screen 386 22.3.1 The Session Limit Add/Edit Screen 388 Chapter 23 IPSec VPN...391 18 ZyWALL USG 20/20W User's Guide
Page 29
...ZyWALL's security features include VPN, firewall, content filtering, ADP (Anomaly Detection and Protection), and certificates. See Chapter 2 on page 37 for reliable, secure service. You can set up multiple networks for your ZyWALL to be part of the ZyWALL's features. Its flexible configuration ... device. The DeMilitarized Zone (DMZ) increases LAN security by providing separate ports for a third WAN connection. ZyWALL USG 20/20W User's Guide 29 Flexible configuration helps you can also use a 3G cellular USB (not included) for connecting publicly accessible servers. It explains...
Page 37
...configure load balancing between two sites over the Internet or any insecure network that uses TCP/IP for communication. High Availability To ensure the ZyWALL provides reliable, secure Internet access, set up one or more information about the features of the ZyWALL. Virtual Private Networks (VPN) Use IPSec, SSL to zones. ZyWALL USG 20...simpler to set up and to change security settings in the ZyWALL. The rest of this section provides more of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN, firewall, content filtering, ADP (Anomaly Detection and Protection), and ...
Page 39
ZyWALL USG 20/20W User's Guide 39 You can configure the ZyWALL to provide SSL VPN network access to remote users. Figure 3 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can also set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to provide better service. Chapter 2 Features and Applications 2.2 Applications These are...
Page 48
...log entries. 3.3.2.3 Configuration Menu Use the configuration menu screens to configure the ZyWALL's features. Licensing Registration Registration Register the device and activate trial services. Service View the licensed service status and upgrade licensed services. 48 ZyWALL USG 20/20W User's Guide...information and packet statistics. Table 7 Configuration Menu Screens Summary FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces or VPN connections. Login Users Lists the users currently logged into the VPN SSL client portal. Anti-X Statistics...
Page 49
...VPN IPSec VPN VPN Connection Configure IPSec tunnels. Chapter 3 Web Configurator Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Interface Port Role Use this screen to each supported interface. PPP Create and manage PPPoE and PPTP interfaces. ALG Configure SIP, H.323, and FTP pass-through settings. ZyWALL USG 20.../20W User's Guide 49 VLAN Create and manage VLAN interfaces and virtual VLAN interfaces. RIP Configure device-level RIP settings.
Page 61
... these (in the previous screen. The Domain Name System (DNS) maps a domain name to resolve domain names for VPN, DDNS and the time server. Options are: ZyWALL USG 20/20W User's Guide 61 The DNS server is extremely important because without it, you must know the IP address of ...Parameters • Type the PPPoE Service Name from your (static) public IP address. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. 4.1.3 Internet Access: PPPoE Note: Enter the Internet access information exactly as the IP Address Assignment in the order you selected static IP...
Page 62
...Domain Name System (DNS) maps a domain name to time out. The ZyWALL uses these (in the previous screen. • First / Second DNS...ZyWALL accepts either CHAP or PAP when requested by your (static) public IP address. Your ZyWALL accepts CHAP only. • PAP - This field can be up to configure...it. 62 ZyWALL USG 20/20W User's Guide Enter a DNS server's IP address(es). Auto displays if you selected Auto as 0.0.0.0 if you do not configure a DNS ...Wizard • CHAP/PAP - Your ZyWALL accepts MSCHAP only. • MSCHAP-V2 - Otherwise, type the Idle Timeout in ...
Page 64
... depends on the interface you do not want to an IP address and vice versa. Auto displays if you selected Auto as 0.0.0.0 if you are configuring to connect with a modem or router. • Type a Base IP Address (static) assigned to you by your ISP. • Type the IP Subnet...connect with your ISP. • Zone This is the security zone to resolve domain names for VPN, DDNS and the time server. The Domain Name System (DNS) maps a domain name to configure DNS servers. 64 ZyWALL USG 20/20W User's Guide The DNS server is extremely important because without it. You can use ...
Page 69
This wizard creates matching ISP account settings in the ZyWALL if you configure Internet and VPN connection settings. ZyWALL USG 20/20W User's Guide 69 See the feature-specific chapters in the Web Configurator. Figure 31 Quick Setup • WAN Interface Click this User's Guide for a secure connection to configure a VPN (Virtual Private Network) tunnel for background information. See Section...
Page 74
...only and only appears for an interface with a static IP address. The ZyWALL uses a system DNS server (in the order you must know the IP address of the PPTP server. 74 ZyWALL USG 20/20W User's Guide Table 12 Interface Wizard: Summary WAN LABEL DESCRIPTION Encapsulation ...This displays what encapsulation this screen. Server IP This field only appears for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not configure a DNS server, ...
Page 75
... from the PPPoE server. 0 means no timeout. If the IP Address Assignment is static or dynamic (Auto). Figure 38 VPN Quick Setup Wizard ZyWALL USG 20/20W User's Guide 75 If No displays the connection will belong. This identifies the interface you by your ISP. This field...main Quick Setup screen to connect with your ISP. Second DNS Server Close Click Close to exit the wizard. 5.3 VPN Quick Setup Click VPN Setup in configuring more VPN connections or other features. Chapter 5 Quick Setup Table 12 Interface Wizard: Summary WAN LABEL DESCRIPTION User Name Nailed-...
Page 116
Chapter 7 Tutorials 3 Select the trunk as the default trunk and click Apply. Figure 66 VPN Example LAN LAN 116 1.2.3.4 192.168.1.0/24 2.2.2.2 172.16.1.0/24 ZyWALL USG 20/20W User's Guide Figure 65 Configuration > Network > Interface > Trunk 7.4 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 76 for details on the VPN quick setup wizard.
Page 615
... to access an application via standard web browsers (Section 41.2.1 on page 618). • You can also use SSL application objects in SSL VPN. ZyWALL USG 20/20W User's Guide 615 Configure an SSL application object to specify the type of application and the address of a folder on a Linux or Windows file server which remote...
Page 948
Index transport encapsulation 399 tunnel encapsulation 399 VPN gateway 394 IPSec SA active protocol 421 and firewall 376, 733 and to-ZyWALL firewall 733 authentication algorithms 415, 416 authentication key (manual keys) 423 destination NAT ... for outbound traffic 424 status 196 transport mode 422 tunnel mode 422 when IKE SA is disconnected 421 IPSec VPN configuration overview 101 prerequisites 100, 101 see also IPSec troubleshooting 732 tutorial 116 where used 101 ISP account CHAP 613...LDAP load balancing 289 algorithms 290, 294 least load first 290 round robin 295 ZyWALL USG 20/20W User's Guide
Page 950
... of feature application 91 OSPF 315 and Ethernet interfaces 224 and RIP 318 and static routes 318 and to-ZyWALL firewall 343 and VoIP pass through 354 and VPN 419 and VPN, see also VPN configuration overview 98 limitations 310 loopback 343 port forwarding, see NAT port translation, see NAT port triggering 310 port triggering... Stubby Area (NSSA) 316 stub areas 316 types of 316 OSPF routers 317 area border (ABR) 317 autonomous system boundary (ASBR) 318 backbone (BR) 318 ZyWALL USG 20/20W User's Guide