User Guide
Page 9
... Redirect ...347 ALG ...351 IP/MAC Binding ...359 Authentication Policy ...365 Firewall ...373 IPSec VPN ...391 SSL VPN ...427 SSL User Screens ...437 SSL User Application Screens 447 ZyWALL SecuExtender ...449 Bandwidth Management ...453 ADP ...467 Content Filtering ...487 Content Filter Reports ...513 Anti-Spam ...521 User/Group ...539 Addresses ...555 Services ...561 ZyWALL USG 20/20W User's Guide 9
User Guide
Page 11
... Stopping the ZyWALL 34 Chapter 2 Features and Applications ...37 2.1 Features ...37 2.2 Applications ...39 2.2.1 VPN Connectivity ...39 2.2.2 SSL VPN Network Access 39 2.2.3 User-Aware Access Control 41 Chapter 3 Web Configurator...43 3.1 Web Configurator Requirements 43 3.2 Web Configurator Access ...43 3.3 Web Configurator Screens Overview 45 3.3.1 Title Bar ...46 3.3.2 Navigation Panel ...47 3.3.3 Main Window ...52 3.3.4 Tables and Lists ...54 ZyWALL USG 20/20W User...
User Guide
Page 13
... Balancing 113 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces 113 7.3.2 Configure the WAN Trunk 114 7.4 How to Set Up an IPSec VPN Tunnel 116 7.4.1 Set Up the VPN Gateway 117 7.4.2 Set Up the VPN Connection 118 7.4.3 Configure Security Policies for the VPN Tunnel 119 ZyWALL USG 20/20W User's Guide 13 Table of Contents 6.5.1 Feature ...95 6.5.2 Licensing Registration 96...
User Guide
Page 39
ZyWALL USG 20/20W User's Guide 39 Figure 3 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can also set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your ZyWALL. You can configure the ZyWALL to provide SSL VPN network access to remote users. Chapter 2 Features and Applications 2.2 Applications These are some example applications for...
User Guide
Page 49
...balancing and link High Availability (HA). VPN Gateway Configure IKE tunnels. SSL VPN Access Privilege Configure SSL VPN access rights for an installed wireless LAN card. Global Setting Configure the ZyWALL's SSL VPN settings that apply to define various policies. Cellular Configure a cellular Internet connection for devices ... rules. RIP Configure device-level RIP settings. IP/MAC Binding Summary Configure IP to MAC address bindings for an installed 3G card. ZyWALL USG 20/20W User's Guide 49 Exempt List Configure ranges of IP addresses to set the ZyWALL's flexible ports ...
User Guide
Page 96
... VLAN, and bridge interfaces. Most of the ZyWALL), port triggering, 96 ZyWALL USG 20/20W User's Guide MENU ITEM(S) PREREQUISITES Configuration > Network > Interface (except Network > Interface > Trunk) Port groups (configured in order to myZyXEL.com. To configure dmz's settings, click Network > Interface > ... or more SSL VPN tunnels, and content filtering. MENU ITEM(S) Configuration > Network > Interface > Trunk PREREQUISITES Interfaces WHERE USED Policy routes Example: See Chapter 7 on page 107. 6.5.5 Policy Routes Use policy routes to override the ZyWALL's default routing...
User Guide
Page 97
...ZyWALL checks the policy routes in the DMZ zone). MENU ITEM(S) Configuration > Network > Routing > Policy Route Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups PREREQUISITES Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN... (P3 in through your WAN connection. 1 Create an address object for FTP traffic. ZyWALL USG 20/20W User's Guide 97 Chapter 6 Configuration Basics and general NAT on the source address. So make sure that you have an ...
User Guide
Page 98
...rules and remote management. Each interface and VPN tunnel can be assigned to a dynamic IP address. MENU ITEM(S) Configuration > Network > NAT 98 ZyWALL USG 20/20W User's Guide A zone is a group of interfaces and VPN tunnels. Virtual interfaces are redirected by NAT,... See Section 6.2 on a private network behind the ZyWALL available outside the private network. The ZyWALL only checks regular (through-ZyWALL) firewall rules for the new zone. MENU ITEM(S) Configuration > Network > Zone PREREQUISITES Interfaces, IPSec VPN, SSL VPN WHERE USED Firewall, remote management, ADP Example: For...
User Guide
Page 101
... authentication), addresses (local network, remote network, NAT), to-ZyWALL firewall, firewall WHERE USED Policy routes, zones Example: See Chapter 7 on page 107. ZyWALL USG 20/20W User's Guide 101 Make sure each rule is in the correct place in order. MENU ITEM(S) Configuration > VPN > IPSec VPN; MENU ITEM(S) Configuration > VPN > SSL VPN Interfaces, SSL application, users, user groups, addresses (network PREREQUISITES list...
User Guide
Page 104
.... If the type is not available, the ZyWALL applies default settings. Table 17 User Types TYPE ABILITIES admin Change ZyWALL configuration (web, CLI) limited-admin Look at ZyWALL configuration (web) user Access network services, browse user... server Authentication methods authentication methods VPN gateways (extended authentication), WWW (client authentication) certificates VPN gateways, WWW, SSH, FTP SSL Application SSL VPN Endpoint Security Authentication policies, SSL VPN 6.6.1 User/Group Use these screens to force user authentication 104 ZyWALL USG 20/20W User's Guide
User Guide
Page 130
...OK. They do not distinguish between administrator management access and user access. Figure 82 Configuration > System > WWW > Service Control Rule Edit 130 ZyWALL USG 20/20W User's Guide The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to block administrator HTTPS...configure service control to allow management or user HTTP or HTTPS access, make sure the firewall is not configured to block that access. 7.8.1 Allow HTTPS Administrator Access Only From the LAN This example configures service control to the ZyWALL. Chapter 7 Tutorials user access (logging into SSL VPN...
User Guide
Page 132
Here is an example of the ZyWALL's zones (to use HTTPS to log into the ZyWALL from any of how to configure NAT and the firewall to the Web Configurator can still use SSL VPN for VoIP calls and you want it to be able to receive peer-to-peer calls ... 7 Tutorials 6 Click Apply. Figure 85 Configuration > System > WWW (Second Example Admin Service Rule Configured) Now administrator access to have a H.323 device on the LAN1 for example). 7.9 How to Allow Incoming H.323 Peer-to-peer Calls Suppose you have the ZyWALL forward H.323 traffic destined 132 ZyWALL USG 20/20W User's Guide
User Guide
Page 212
... as content filtering. See the respective User's Guide chapters for more SSL VPN tunnels. Figure 154 Configuration > Licensing > Registration 212 ZyWALL USG 20/20W User's Guide You can have the ZyWALL use and content filtering subscription services. Click Configuration > Licensing > Registration in the navigation panel to have the ZyWALL use more information about these features. 10.2 The Registration Screen...
User Guide
Page 304
... first. default means traffic with the exception of 0 which is an immediate neighbor of your ZyWALL's interface(s). 304 ZyWALL USG 20/20W User's Guide Select a schedule to identify the type of your configuration here. Service Select a service or service group to control when the policy route is being ...connected to the destination. This is active at all DSCP value or no DSCP marker. any , an interface, a tunnel, an SSL VPN, or the ZyWALL itself. The number following the "af" identifies one of four classes and one of 0. UserDefined DSCP Code Schedule Use this policy...
User Guide
Page 427
....2 on page 429) to configure SSL access policies. • Use the Click VPN > SSL VPN > Global Setting screen (see Section 24.3 on page 433) to set the IP address of the internal network. This allows them to perform the following tasks: ZyWALL USG 20/20W User's Guide 427 CHAPTER 24 SSL VPN 24.1 Overview Use SSL VPN to allow users to use...
User Guide
Page 428
... IP addresses of the DNS and WINS servers that the ZyWALL sends to the VPN connection users. When you update this SSL access policy. Configure an SSL application object to access. Configure address objects for details on SSL application objects. 428 ZyWALL USG 20/20W User's Guide If you delete an SSL policy, the objects are to be able to specify...
User Guide
Page 429
...configured SSL access policies. Double-click an entry or select it before doing so. The ZyWALL confirms you want to remove it and click Edit to open a screen where you want to create a new entry. In the field that shows which you can modify the entry's settings. ZyWALL USG 20...entry is active and dimmed when the entry is inactive. Chapter 24 SSL VPN 24.2 The SSL Access Privilege Screen Click VPN > SSL VPN to create a new entry after the selected entry. Table 122 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Add Edit Remove Activate Inactivate Move Object References...
User Guide
Page 431
...user logs out. To remove a user or user group, select the name(s) in . Select this SSL access policy. Table 123 VPN > SSL VPN > Access Privilege > Add/Edit LABEL DESCRIPTION Create new Object Configuration Enable Policy Name Description Clean browser cache when user logs out User/Group Use to the Selected User... >> to add to configure any new settings objects that you have not applied an SSL access policy yet. To associate a user or user group to the values present before the user logged in the Selected User/Group Objects list and click The ZyWALL returns them to this...
User Guide
Page 432
...name and click >> to add to the Selected Application Objects list. Chapter 24 SSL VPN Table 123 VPN > SSL VPN > Access Privilege > Add/Edit (continued) LABEL DESCRIPTION Available EPS Objects / Selected EPS Objects Configured endpoint security objects appear on the right. To make the endpoint security check ...remove them here. When a user's computer matches an endpoint security object the ZyWALL grants access and stops checking. The Selectable Application Objects list displays the name(s) of the SSL application(s) you list them . You can select more than one network. You...
User Guide
Page 615
... screens. Depending on the application type, remote users can configure the following SSL application on the ZyWALL. • Web-based A web-based application allows remote users to access. ZyWALL USG 20/20W User's Guide 615 Configure an SSL application object to specify the type of application and the ... more SSL application objects in the VPN > SSL VPN screen for a user account/user group. 41.1.1 What You Can Do in this Chapter • Use the SSL Application screen (Section 41.2 on page 617) to view the ZyWALL's configured SSL application objects. • Use the SSL Application Edit...