User Guide
Page 9
Contents Overview Contents Overview User's Guide ...27 Introducing the ZyWALL ...29 Features and Applications ...37 Web Configurator ...43 Installation Setup Wizard ...59 Quick Setup ...69 Configuration Basics ...87 Tutorials ...107 ...359 Authentication Policy ...365 Firewall ...373 IPSec VPN ...391 SSL VPN ...427 SSL User Screens ...437 SSL User Application Screens 447 ZyWALL SecuExtender ...449 Bandwidth Management ...453 ADP ...467 Content Filtering ...487 Content Filter Reports ...513 Anti-Spam ...521 User/Group ...539 Addresses ...555 Services ...561 ZyWALL USG 20/20W User's Guide 9
User Guide
Page 13
...10 HTTP Redirect ...99 6.5.11 ALG ...100 6.5.12 Auth. Policy ...100 6.5.13 Firewall ...100 6.5.14 IPSec VPN ...101 6.5.15 SSL VPN ...101 6.5.16 Bandwidth Management 102 6.5.17 ADP ...102 6.5.18 Content Filter ...102 6.5.19 Anti-Spam ...103 6.6 Objects ...103 6.6.1 User/Group ...104 6.7 System ...105 6.7.1 DNS, WWW... Up Available Bandwidth on Ethernet Interfaces 113 7.3.2 Configure the WAN Trunk 114 7.4 How to Set Up an IPSec VPN Tunnel 116 7.4.1 Set Up the VPN Gateway 117 7.4.2 Set Up the VPN Connection 118 7.4.3 Configure Security Policies for the VPN Tunnel 119 ZyWALL USG 20/20W User...
User Guide
Page 20
Table of Contents 27.6 Uninstalling the ZyWALL SecuExtender 452 Chapter 28 Bandwidth Management...453 28.1 Overview ...453 28.1.1 What You Can Do in this Chapter 453 28.1.2 What You Need to Know 453 28.1.3 Bandwidth Management Examples 457 28.2 The Bandwidth Management Screen 461 28.2.1 The Bandwidth Management Add/Edit Screen 463 Chapter 29 ADP ...467 29.1 Overview ...467 ... Content Filter Blocked and Warning Messages 508 30.6 Content Filter Customization Screen 508 30.7 Content Filter Technical Reference 511 Chapter 31 Content Filter Reports ...513 20 ZyWALL USG 20/20W User's Guide
User Guide
Page 29
...bandwidth management, Instant Messaging (IM) and Peer to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is a comprehensive security device. The ZyWALL lets you set ports to be part of dual WAN Gigabit Ethernet ports and load balancing. The ZyWALL... policies efficiently. The ZyWALL provides excellent throughput with minimal configuration. 1.2 Wall-mounting Do the following to a wall. ZyWALL USG 20/20W User's Guide 29 CHAPTER 1 Introducing the ZyWALL This chapter gives an overview of the ZyWALL's features. The ZyWALL's security features include ...
User Guide
Page 37
It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features. ZyWALL USG 20/20W User's Guide 37 CHAPTER 2 Features and Applications This chapter introduces the main features and applications of this section provides more 3G (cellular) connections. You ...
User Guide
Page 38
.... Use the white list to identify spam e-mail. Chapter 2 Features and Applications Firewall The ZyWALL's firewall is initiated by spammers. 38 ZyWALL USG 20/20W User's Guide Anomaly Detection and Prevention (ADP) ADP (Anomaly Detection and Prevention) can also inspect... ratings of millions of servers that allows your ZyWALL to defined policies. The ZyWALL's ADP protects against defined access rules. It can detect malicious or suspicious packets and respond instantaneously. Bandwidth Management Bandwidth management allows you to allocate network resources according to ...
User Guide
Page 91
ZyWALL USG 20/20W User's Guide 91 The DMZ zone has servers that are available to 192.168.3.254 range. 6.3 Terminology in which the ZyWALL applies its features and checks. The dmz interface uses private IP address 192.168.3.1 and the ... Address mapping Policy route Address mapping (VPN) IPSec VPN Interface bandwidth management Interface (outbound) General bandwidth management Policy route 6.4 Packet Flow Here is the order in the ZyWALL This section highlights some terminology or organization for ZLD-based ZyWALLs. Chapter 6 Configuration Basics • The DMZ zone contains the...
User Guide
Page 92
... in > Defragmentation > Destination NAT > Routing > Stateful Firewall > ADP > Application Classification > Content Filter > Anti-Spam > SNAT > Bandwidth Management > Fragmentation > Traffic Out. External interfaces include ppp and cellular interfaces as well as any Ethernet interfaces that are set up policy routes for... range of the external interfaces to route them and applies destination NAT. Chapter 6 Configuration Basics Traffic in one 92 ZyWALL USG 20/20W User's Guide Examples of private network addresses to WAN traffic). Figure 51 Packet Flow The packet flow is dead...
User Guide
Page 94
... RIP and OSPF. See Chapter 13 on page 292 for any traffic that did not match any of requiring a separate policy route. 94 ZyWALL USG 20/20W User's Guide As soon as the default. 7 Main Routing Table: The default WAN trunk is expected to be used for how to...NAT loopback is from top to bottom. Chapter 6 Configuration Basics 4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for dynamic IPSec rules up above the policy routes (see Section 23.2 on to bandwidth management. Disabling the IPSec VPN feature's Use Policy Route to 1) is also included in the NAT ...
User Guide
Page 96
... Routes Use policy routes to override the ZyWALL's default routing behavior in the Interface > Port Grouping screen) WHERE USED Zones, trunks, IPSec VPN, DDNS, policy routes, static routes, HTTP redirect, NAT Example: The dmz interface is no security applied on page 88 for bandwidth management (out of the features that use policy routes... ITEM(S) Configuration > Licensing > Registration PREREQUISITES Internet access to myZyXEL.com 6.5.3 Interface See Section 6.2 on it until you assign it to myZyXEL.com. Most of the ZyWALL), port triggering, 96 ZyWALL USG 20/20W User's Guide
User Guide
Page 102
...ZyWALL USG 20/20W User's Guide You can subscribe using the menu item or one of bandwidth and priorities. You must have a subscription in order to give a user named Bob FTP access but with a limited download speed of web site content, individual web sites and web features (such as cookies). Chapter 6 Configuration Basics 6.5.16 Bandwidth Management... Use bandwidth management (BWM) to configure a BWM rule for a specific IP address, destination port or IP range...
User Guide
Page 120
... to create the user accounts instead. See Bandwidth Management on bandwidth management. No LAN1-TODMZ ACCESS Yes No Yes Yes No No The users are authenticated by an external RADIUS server at 192.168.1.200. Click the Add icon. 120 ZyWALL USG 20/20W User's Guide This is illustrated in the ZyWALL. This is a simple example that does...
User Guide
Page 245
... use the default gateway for the connectivity check. Check Default Select this value is still available. IP Address Assignment ZyWALL USG 20/20W User's Guide 245 MTU Maximum Transmission Unit. If a larger packet arrives, the ZyWALL divides it . Usually, this to make sure it is a failure. Check Period Enter the number of a WAN trunk... Connectivity Check Select this to it into smaller fragments. Check Method Select the method that domain name or IP address in WAN load balancing and bandwidth management. Click Policy Route to go to the network.
User Guide
Page 255
... the network. Relay Server 2 This field is a DHCP Server. ZyWALL USG 20/20W User's Guide 255 Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the ZyWALL can receive from which the ZyWALL begins allocating IP addresses. If a larger packet arrives, the ZyWALL divides it into smaller fragments. Relay Server 1 Enter the...
User Guide
Page 285
.... At the time of 5.5.5.5, it might not find any . ZyWALL USG 20/20W User's Guide 285 In this case, you can only enter the IP address. In the example above, if the ZyWALL gets a packet with a destination address of writing, the ZyWALL does not support ingress bandwidth management. If two or more than one that was set...
User Guide
Page 298
... and can also use policy-based routing to or from different users through VPN tunnels. • Cost Savings - You can use schedules, NAT, and bandwidth management. 298 ZyWALL USG 20/20W User's Guide For example LAN to the Internet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet...
User Guide
Page 300
Use this screen to see the configured policy routes and turn policy routing based bandwidth management on policy routing. 13.2 Policy Route Screen Click Configuration > Network > Routing to open the Policy Route screen. A policy route defines the matching criteria..., VPN tunnel, or trunk. • Limiting the amount of RAS in style and in implementation. Figure 185 Configuration > Network > Routing > Policy Route 300 ZyWALL USG 20/20W User's Guide The criteria can be taken include: • Routing the packet to take when a packet meets the criteria. The action is taken only...
User Guide
Page 301
...Select this button to have individual policy routes. To turn on an entry, select it and click Activate. any means all IP addresses. ZyWALL USG 20/20W User's Guide 301 Select an entry and click Add to open a screen where you typed. # Status User Schedule Incoming Source ...Static Routes The following table describes the labels in order of their numbering. See Section 6.4.1 on page 92 for enabling or disabling bandwidth management on which the packets are received. Double-click an entry or select it and click Inactivate. This is the name of the schedule...
User Guide
Page 306
...selected entry. It causes (triggers) the ZyWALL to a different number in order of the packets that matches this route. Select an entry and click this interface. This is bound, the virtual interface and physical interface must also enable bandwidth management in the main policy route screen (...to configure a new address (group) to the client computer that match this route. Configure trigger port forwarding to apply bandwidth shaping. 306 ZyWALL USG 20/20W User's Guide To use the IP address of the outgoing interface as what you need to create a firewall rule...
User Guide
Page 352
...be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients can also make a call from the WAN. ZyWALL USG 20/20W User's Guide The ALG on the LAN, you must also configure NAT (port forwarding) and firewall rules if you could make other ... port destination. • The ZyWALL allows H.323 audio connections. • The ZyWALL can function as SIP) to operate properly through the ZyWALL's NAT and firewall. Chapter 19 ALG 19.1.2 What You Need to Know Application Layer Gateway (ALG), NAT and Firewall The ZyWALL can also apply bandwidth management to pass through.