User Guide
Page 13
... SSL VPN ...101 6.5.16 Bandwidth Management 102 6.5.17 ADP ...102 6.5.18 Content Filter ...102 6.5.19 Anti-Spam ...103 6.6 Objects ...103 6.6.1 User/Group ...104 6.7 System ...105 6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Vantage CNM 105 6.7.2 Logs and Reports ...105 6.7.3 File Manager ...106 6.7.4 Diagnostics ...106 6.7.5 Shutdown ...106 Chapter 7 Tutorials ...107 7.1 How to Configure... an IPSec VPN Tunnel 116 7.4.1 Set Up the VPN Gateway 117 7.4.2 Set Up the VPN Connection 118 7.4.3 Configure Security Policies for the VPN Tunnel 119 ZyWALL USG 20/20W User's Guide 13
User Guide
Page 17
... ...331 16.1.1 What You Can Do in this Chapter 331 16.1.2 What You Need to Know 331 16.2 The DDNS Screen ...332 16.2.1 The Dynamic DNS Add/Edit Screen 334 Chapter 17 NAT...337 17.1 NAT Overview ...337 17.1.1 What You Can Do in this Chapter 337 17.1.2 What You Need... 18.1 Overview ...347 18.1.1 What You Can Do in this Chapter 347 18.1.2 What You Need to Know 348 18.2 The HTTP Redirect Screen 349 ZyWALL USG 20/20W User's Guide 17
User Guide
Page 24
...of Contents 43.4.2 Time Server Synchronization 635 43.5 Console Port Speed ...636 43.6 DNS Overview ...636 43.6.1 DNS Server Address Assignment 637 43.6.2 Configuring the DNS Screen 637 43.6.3 Address Record ...640 43.6.4 PTR Record ...640 43.6.5 Adding an... Adding a Domain Zone Forwarder 641 43.6.8 MX Record ...642 43.6.9 Adding a MX Record 643 43.6.10 Adding a DNS Service Control Rule 643 43.7 WWW Overview ...644 43.7.1 Service Access Limitations 644 43.7.2 System Timeout ...645 43.7.3 HTTPS ...Overview ...679 44.1.1 What You Can Do In this Chapter 679 24 ZyWALL USG 20/20W User's Guide
User Guide
Page 38
... it is a stateful inspection firewall. You can also subscribe to category-based content filtering that the ZyWALL can detect: • Anomalies based on the kinds of being used by spammers. 38 ZyWALL USG 20/20W User's Guide For example, traffic from a pre-defined list. Requests for more on violations ... Detection and Prevention (ADP) ADP (Anomaly Detection and Prevention) can also create your own custom ADP rules. It can protect against a DNS black list (DNSBL) of IP addresses of servers that are suspected of attacks that allows your network to identify spam e-mail. The...
User Guide
Page 50
DNSBL Have the ZyWALL check e-mail against DNS Black Lists. Object User/Group User Create and ...- Default Active Directory- Method Create and manage ways of users. Certificate My Certificates Create and manage the ZyWALL's certificates. ISP Account Create and manage ISP account information for content filtering policies. Chapter 3 Web Configurator Table... services. LDAP-Default Configure the default LDAP settings. SSL Application Create SSL web application objects. 50 ZyWALL USG 20/20W User's Guide Anti-Spam General Turn anti-spam on or off and manage anti-spam policies...
User Guide
Page 51
...daily reports and what reports to be managed by the Vantage CNM server. USB Storage Configure the settings for the ZyWALL. DNS Configure the DNS server and address records for the connected USB devices. SSH Configure SSH server and SSH service settings. Shell Script Manage... Table 7 Configuration Menu Screens Summary (continued) FOLDER OR LINK TAB FUNCTION Endpoint Security Create Endpoint Security (EPS) objects. ZyWALL USG 20/20W User's Guide 51 Login Page Configure how the login and access user screens look. Log Setting Configure the system log...
User Guide
Page 61
...an IP address and vice versa. Chapter 4 Installation Setup Wizard • IP Address: Enter your service provider. Options are: ZyWALL USG 20/20W User's Guide 61 Enter a DNS server's IP address(es). Select an authentication protocol for VPN, DDNS and the time server. You can use alphanumeric and _@$./ ...to you can be up to resolve domain names for outgoing connection requests. The ZyWALL uses these (in the previous screen. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. 4.1.3 Internet Access: PPPoE Note: Enter the Internet access information exactly ...
User Guide
Page 62
... field can use alphanumeric and _@$./ characters, and it . 62 ZyWALL USG 20/20W User's Guide If you do not configure a DNS server, you by the remote node. • CHAP - Chapter 4 Installation Setup Wizard • CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by your ISP. You can... ISP. • Zone: This is the security zone to time out. Your ZyWALL accepts MSCHAP only. • MSCHAP-V2 - Your ZyWALL accepts MSCHAP-V2 only. • Type the User Name given to configure DNS servers. Use up to 31 characters long. • Type the Password associated with...
User Guide
Page 64
... the IP address of the PPTP server. • Type a Connection ID or connection name. Enter a DNS server's IP address(es). The ZyWALL uses these (in the previous screen. • First / Second DNS Server: These fields display if you by your ISP. • Type the IP Subnet Mask assigned to ...modem or router. Auto displays if you selected Auto as 0.0.0.0 if you can access it. The Domain Name System (DNS) maps a domain name to configure DNS servers. 64 ZyWALL USG 20/20W User's Guide Leave the field as the IP Address Assignment in the order you specify here) to you by your...
User Guide
Page 74
... the IP address of a computer before you can access it. Back Next DNS (Domain Name System) is for mapping a domain name to the Internet. If you must know the IP address of the PPTP server. 74 ZyWALL USG 20/20W User's Guide Click Back to return to access it , you do ...not want to the right. Click Next to resolve domain names for a PPPoE interface. The ZyWALL uses a system DNS server (in the field(s) to configure DNS servers. Chapter 5 Quick Setup Table 11...
User Guide
Page 75
... WAN LABEL DESCRIPTION User Name Nailed-Up Idle Timeout Connection ID WAN Interface Zone IP Address Assignment First DNS Server This is Static, these fields display the DNS server IP address(es). The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects... No displays the connection will belong. Second DNS Server Close Click Close to which security zone this interface and Internet connection will not time out. Yes means the ZyWALL uses the idle timeout. Figure 38 VPN Quick Setup Wizard ZyWALL USG 20/20W User's Guide 75 Click Next. This...
User Guide
Page 98
...Zone and then the Add icon. 6.5.8 DDNS Dynamic DNS maps a domain name to at most one zone. MENU ITEM(S) Configuration > Network > DDNS PREREQUISITES Interface 6.5.9 NAT Use Network Address Translation (NAT) to -ZyWALL firewall rules. MENU ITEM(S) Configuration > Network > NAT 98 ZyWALL USG 20/20W User's Guide A zone is a group of... can be assigned to a dynamic IP address. Chapter 6 Configuration Basics 6.5.6 Static Routes Use static routes to tell the ZyWALL about networks not directly connected to the same zone as firewall rules and remote management. When you create a zone, the...
User Guide
Page 101
...Create a VoIP service object for UDP port 5060 traffic (Configuration > Object > Service). 2 Create an address object for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall WHERE USED Policy routes, zones Example: See Chapter 7 on page 107. 6.5.15 SSL VPN Use SSL VPN to give ...; You don't need to specify the destination address. • Leave the Access field set to Allow and the Log field set to No. ZyWALL USG 20/20W User's Guide 101 Make sure each rule is in the correct place in order. MENU ITEM(S) Configuration > VPN > SSL VPN Interfaces, SSL...
User Guide
Page 105
... Use these screens to set which services or protocols can come. MENU ITEM(S) Configuration > Log & Report ZyWALL USG 20/20W User's Guide 105 MENU ITEM(S) Configuration > System > DNS, WWW, SSH, TELNET, FTP, SNMP, Vantage CNM, Language PREREQUISITES To-ZyWALL firewall, zones, addresses, address groups, certificates (WWW, SSH, FTP, Vantage CNM), authentication methods (WWW) Example: Suppose...
User Guide
Page 205
...Spam > Status screen. Top Sender By Use this field to set whether the ZyWALL forwards or drops sessions that exceed this threshold. ZyWALL USG 20/20W User's Guide 205 Select Sender IP to set whether the ZyWALL forwards or drops sessions that exceed this threshold. Use the Anti-Spam > ... can check the sender and relay IP addresses in an e-mail's header against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). Occurrence This field displays how many e-mail sessions the ZyWALL allowed because they exceeded the maximum number of e-mail sessions that the anti-spam...
User Guide
Page 206
... receiving a reply. This is the entry's index number in this screen. Use the Anti-Spam Status screen to see how many DNS queries the ZyWALL sent to update the information displayed on this screen. These statistics are the statistics for how long it takes to clear the DNSBL ...currently being used. This is when an e-mail client and e-mail server (or two e-mail servers) connect through the ZyWALL. DNSBL Statistics # DNSBL Domain Total Queries Avg. ZyWALL USG 20/20W User's Guide Concurrent Mail The darker shaded part of the bar shows how much of the bar and the pop-...
User Guide
Page 229
...or more DHCP servers you specify. enter a static IP address. ZyWALL USG 20/20W User's Guide 229 Choices are: None - The DHCP server(s) may be blank. the ZyWALL assigns IP addresses and provides subnet mask, gateway, and DNS server information to use for a TCP connectivity check. These fields appear.... DHCP Relay - IP Pool Start Address Enter the IP address from its DHCP server. In this interface and the ZyWALL works as a DNS relay. select the DNS server that another network. These fields appear when Interface Properties is a DHCP Server. DHCP Select what type of IP ...
User Guide
Page 255
...network. If this value is reserved for the first address (network address), last address (broadcast address) and the interface's IP address. ZyWALL USG 20/20W User's Guide 255 Choices are 0 - 1048576. Relay Server 2 This field is used in WAN load balancing and bandwidth management. ...MTU Maximum Transmission Unit. the ZyWALL routes DHCP requests to the network. the ZyWALL assigns IP addresses and provides subnet mask, gateway, and DNS server information to one or more DHCP servers you specify. Relay Server 1...
User Guide
Page 256
... using the interface's IP Pool Start Address and Pool Size. Enter the MAC address to which to assign this interface and works as a DNS relay. You can use alphanumeric and characters, and it has to request the information again. enter a static IP address. From ISP - ...especially the IP address) before it can assign every IP address allowed by the interface's Subnet Mask. select this interface. 256 ZyWALL USG 20/20W User's Guide Otherwise, the ZyWALL assigns an IP address dynamically using . Select this to modify it . Custom Defined - For example, if the Subnet Mask ...
User Guide
Page 271
...broadcast address) and the interface's IP address. Pool Size Enter the number of this interface and the ZyWALL works as a DNS relay. The DHCP server(s) may be blank. In this case, the ZyWALL can assign every IP address allowed by the interface's Subnet Mask. If this field is blank, the ...Interfaces Table 66 Configuration > Network > Interface > VLAN > Edit (continued) LABEL DESCRIPTION DHCP Select what type of a DHCP server for the network. DHCP Relay - ZyWALL USG 20/20W User's Guide 271 Relay Server 2 This field is a DHCP Relay. Choices are currently using.