User Guide
Page 9
Contents Overview Contents Overview User's Guide ...27 Introducing the ZyWALL ...29 Features and Applications ...37 Web Configurator ...43 Installation Setup Wizard ...59 Quick Setup ...69 Configuration Basics ...87 Tutorials ...107 Technical Reference ...163 Dashboard ...165 Monitor ...177 ...373 IPSec VPN ...391 SSL VPN ...427 SSL User Screens ...437 SSL User Application Screens 447 ZyWALL SecuExtender ...449 Bandwidth Management ...453 ADP ...467 Content Filtering ...487 Content Filter Reports ...513 Anti-Spam ...521 User/Group ...539 Addresses ...555 Services ...561 ZyWALL USG 20/20W User...
User Guide
Page 12
... 12 ZyWALL USG 20/20W User's Guide Finish 65 4.2 Device Registration ...65 Chapter 5 Quick Setup ...69 5.1 Quick Setup Overview ...69 5.2 WAN Interface Quick Setup 70 5.2.1 Choose an Ethernet Interface 70 5.2.2 Select WAN Type ...70 5.2.3 Configure WAN Settings 71 5.2.4 WAN and ISP Connection Settings 72 5.2.5 Quick Setup Interface Wizard: Summary 74 5.3 VPN Quick Setup ...75 5.4 VPN Setup Wizard: Wizard Type 76 5.5 VPN Express...
User Guide
Page 48
...currently logged into the ZyWALL. Service View the licensed service status and upgrade licensed services. 48 ZyWALL USG 20/20W User's Guide Traffic Statistics Collect and display traffic statistics. Login Users Lists the users currently logged into the VPN SSL client portal....ZyWALL is currently checking and DNSBL (Domain Name Service-based spam Black List) statistics. Licensing Registration Registration Register the device and activate trial services. Table 7 Configuration Menu Screens Summary FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces or VPN...
User Guide
Page 61
Chapter 4 Installation Setup Wizard • IP Address: Enter your service provider. The ZyWALL uses these (in the previous screen. You can ... 4.1.3.1 ISP Parameters • Type the PPPoE Service Name from your (static) public IP address. Options are: ZyWALL USG 20/20W User's Guide 61 The DNS server is extremely important because without it . PPPoE uses a service name to...selected static IP address assignment. Auto displays if you by your ISP. Select an authentication protocol for VPN, DDNS and the time server. The Domain Name System (DNS) maps a domain name to you ...
User Guide
Page 62
... blank. • Select Nailed-Up if you can be up to access it. 62 ZyWALL USG 20/20W User's Guide If you do not configure a DNS server, you must know the... DNS Server: These fields display if you selected static IP address assignment. Your ZyWALL accepts MSCHAP only. • MSCHAP-V2 - Chapter 4 Installation Setup Wizard • CHAP/PAP - Otherwise, type the Idle Timeout in the order... vice versa. The ZyWALL uses these (in seconds that elapses before you do not want the connection to resolve domain names for VPN, DDNS and the time server. Your ZyWALL accepts either CHAP or...
User Guide
Page 64
... before you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to resolve domain names for VPN, DDNS and the time server. The ZyWALL uses these (in the previous screen. • First / Second DNS Server: These fields display if you can access it ...can use alphanumeric and -_: characters, and it . Chapter 4 Installation Setup Wizard • Select Nailed-Up if you do not want the connection to configure DNS servers. 64 ZyWALL USG 20/20W User's Guide Leave the field as the IP Address Assignment in the order you specify...
User Guide
Page 69
... configuring the quick setup screens in the ZyWALL if you configure Internet and VPN connection settings. Figure 31 Quick Setup • WAN Interface Click this User's Guide for a secure connection to open a wizard to set up a WAN (Internet) connection. ZyWALL USG 20/20W User's Guide 69 CHAPTER 5 Quick Setup 5.1 Quick Setup Overview The Web Configurator's quick setup wizards help you...
User Guide
Page 74
...of the PPTP server. 74 ZyWALL USG 20/20W User's Guide Table 12 Interface Wizard: Summary WAN LABEL DESCRIPTION Encapsulation This displays what encapsulation this screen. Server IP This field only appears for an interface with a static IP address. Chapter 5 Quick Setup Table 11 WAN and ISP ...Connection Settings (continued) LABEL DESCRIPTION First DNS Server Second DNS Server These fields only display for a PPTP interface. Leave the field as 0.0.0.0 if you can access it . The DNS server is read-only and only appears for VPN, DDNS...
User Guide
Page 75
... automatically disconnects from the PPPoE server. 0 means no timeout. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you configure to exit the wizard. 5.3 VPN Quick Setup Click VPN Setup in configuring more VPN connections or other features. Figure 38 VPN Quick Setup Wizard ZyWALL USG 20/20W User's Guide 75 If No displays the connection will...
User Guide
Page 76
.... Chapter 5 Quick Setup 5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another ZLD-based ZyWALL or other IPSec device. 76 ZyWALL USG 20/20W User's Guide Advanced: Use this screen to select which type of VPN connection you want to create a VPN connection with another ZLD-based ZyWALL using certificates. Figure 39 VPN Setup Wizard: Wizard Type...
User Guide
Page 77
...character cannot be a number. Choose this VPN connection (and VPN gateway). This ZyWALL is case-sensitive. Choose this to connect to display the following screen. Choose this if the remote IPSec device has a static IP address or a domain name. ZyWALL USG 20/20W User's Guide 77 Only the ...remote IPSec device can initiate the VPN tunnel. Choose this if the remote IPSec device has a dynamic IP address. The figure on page 76 to an IPSec server. Chapter 5 Quick Setup 5.5 VPN Express Wizard -
User Guide
Page 78
...configured on the remote IPSec device. 78 ZyWALL USG 20/20W User's Guide Both ends of a computer behind the remote IPSec device. You can also specify a subnet. If this field, it is configurable, type the IP address of the VPN tunnel must match the local IP address ...in this field is not configurable for the chosen scenario. You can also specify a subnet. Proceed a hexadecimal key with "0x". Chapter 5 Quick Setup 5.5.1 VPN Express Wizard - If this field, it is not configurable for the chosen scenario. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP...
User Guide
Page 79
... the network behind the remote IPSec device that can initiate the VPN connection. • Pre-Shared Key: VPN tunnel password. If this list. ZyWALL USG 20/20W User's Guide 79 Then you can initiate the VPN connection. • Copy and paste the Configuration for details on... the network behind your ZyWALL that you can use the file manager to save these commands as a shell script file with a ".zysh" filename extension. Chapter 5 Quick Setup 5.5.2 VPN...
User Guide
Page 80
Figure 43 VPN Express Wizard: Step 6 Note: If you can use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like Content Filter. Click Close to exit the wizard. 80 ZyWALL USG 20/20W User's Guide Chapter 5 Quick Setup 5.5.3 VPN Express Wizard - Finish Now you have not already done so, use the VPN tunnel.
User Guide
Page 81
... static IP address or a domain name. ZyWALL USG 20/20W User's Guide 81 This value is case-sensitive. Figure 44 VPN Advanced Wizard: Scenario Rule Name: Type the name used to -site with Dynamic Peer - Choose this VPN connection (and VPN gateway). The clients have dynamic IP addresses and... to match the scenario you select. • Site-to allow incoming connections from IPSec VPN clients. Choose this if the remote IPSec device has a dynamic IP address. Chapter 5 Quick Setup 5.5.4 VPN Advanced Wizard - Choose this to -site - Only the remote IPSec device can initiate ...
User Guide
Page 82
Phase 1 Settings There are two phases to use on DES 82 ZyWALL USG 20/20W User's Guide Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address. • My Address (interface): Select an interface from dynamic IP addresses ..., the higher the security (this field, it is a variation on your ZyWALL. • Negotiation Mode: Select Main for the chosen scenario. Chapter 5 Quick Setup • Remote Access (Client Role) - This ZyWALL is the client (dial-in this may affect throughput). Figure 45 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway: If Any displays in...
User Guide
Page 83
...device must pass through the IKE SA. If it responds, the ZyWALL transmits the data. AES192 uses a 192-bit key and AES256 uses a 256-bit key. • Authentication Algorithm: MD5 gives minimal security. Chapter 5 Quick Setup that was established in phase 1 to negotiate SAs for IPSec. As... life time increases security, but is slower. • Key Group: DH5 is a NAT router between the IPSec devices). Figure 46 VPN Advanced Wizard: Step 4 ZyWALL USG 20/20W User's Guide 83 It also requires more secure than 3DES. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash...
User Guide
Page 84
A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. • Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is more secure, yet slower). • Local Policy (IP/Mask): Type the IP address of a computer behind ... Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 84 ZyWALL USG 20/20W User's Guide Chapter 5 Quick Setup • Active Protocol: ESP is compatible with NAT, AH is not. • Encapsulation:...
User Guide
Page 85
...Quick Setup • Rule Name: Identifies the VPN connection (and the VPN gateway). • Secure Gateway: IP address or domain name of the remote IPSec device. • Pre-Shared Key: VPN tunnel password. • Certificate: The certificate the ZyWALL uses to identify itself when setting up the VPN tunnel...• Copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL's command line interface. • Click Save to save the VPN rule. 5.5.7 VPN Advanced Wizard - ZyWALL USG 20/20W User's Guide 85 Summary This is a read-only summary of the computers ...
User Guide
Page 101
...Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN. ZyWALL USG 20/20W User's Guide 101 MENU ITEM(S) Configuration > VPN > SSL VPN Interfaces, SSL application, users, user groups, addresses (network PREREQUISITES ...firewall rule using the items you can also use the Quick Setup VPN Setup wizard. Interfaces, certificates (authentication), authentication methods PREREQUISITES (extended authentication), addresses (local network, remote network, NAT), to-ZyWALL firewall, firewall WHERE USED Policy routes, zones Example: See ...