User Guide
Page 48
... and activate trial services.
Service: View the licensed service status and upgrade licensed services.
Login Users: Lists the users currently logged into the ZyWALL.
SSL: Lists the users currently logged into the VPN SSL client portal.
48 ZyWALL USG 20/20W User's Guide
Table 6 Monitor Menu Screens Summary (FOLDER OR LINK / TAB / FUNCTION)
System Status / Port Statistics / ...
User Guide
Page 49
... and manage IP static routing information.
Chapter 3 Web ...
Cellular: Configure a cellular Internet connection ...
... for users and groups.
Zone: Configure zones used to ...
... force user authentication.
Session Limit: Limit the number of concurrent client NAT/firewall sessions.
Exempt List: Configure ranges of IP addresses ...
... to set the ZyWALL's flexible ports as LAN1 or DMZ.
VPN > IPSec VPN > VPN Connection: Configure IPSec tunnels.
VPN Gateway: Configure IKE tunnels.
SSL VPN > Global Setting: Configure the ZyWALL's SSL VPN settings that apply to ...
... each supported interface.
User Guide
Page 77
... to display the following screen. The figure on page 76 ...
Chapter 5 Quick Setup
5.5 VPN Express Wizard - ...
Select the scenario that best describes your intended VPN connection.
• Site-to-site - Choose this ... VPN connection (and VPN gateway).
... This ZyWALL is the client (dial-in user) ... Only the ...
... This value is case-sensitive.
User Guide
Page 81
... to display the following screen, as shown in Figure 44.
Figure 44 VPN Advanced Wizard: Scenario
Rule Name: Type the ... name ... used to identify this VPN connection (and VPN gateway).
Choose this ... if the remote ...
Choose this ... to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users.
... This ZyWALL can initiate the VPN tunnel.
User Guide
Page 82
... a message authentication code. ... must know the same secret key, which ...
Note: Multiple SAs connecting through a secure gateway must ...
... can initiate the VPN tunnel.
5.5.5 VPN Advanced Wizard - ...
If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (...). This field is not configurable ... the client (dial-in ...
... for identity protection. ... The sender and receiver must have the same negotiation mode.
... phase 1 (Authentication) and phase 2 (Key Exchange).
• Encryption Algorithm: 3DES and AES use ... encryption. ... on DES ... Triple DES (3DES) is ...
User Guide
Page 84
... A shorter life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
... to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.
... the ZyWALL renegotiates the IKE SA.
• Perfect Forward Secrecy (PFS): ... DH5 refers to Diffie-Hellman Group 5, a 1536 bit random number (more secure ...).
• Encryption Algorithm: 3DES and AES use encryption.
• ... MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to ... SHA-1 gives higher security (more secure than MD5, but ...). ... is not.
... -site and remote access client ...
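Pages 82 and 84 above walk through the phase 1 (IKE SA) and phase 2 (IPSec SA) proposal fields: encryption algorithm (DES, 3DES, AES), hash algorithm (MD5, SHA-1), Diffie-Hellman key group and PFS, negotiation mode, and SA life time. The block below is an added example written for this page, not code from the guide or from ZyXEL: a small Python checker that takes a proposal expressed in those same terms and flags the weak choices the guide only hints at (DES, MD5, small DH groups, PFS off, aggressive mode, long life times). The data classes, field names and the thresholds (AES with SHA, DH5 or larger, PFS on, bounded life times) are this example's own baseline, not values the guide prescribes.

```python
"""Lint an IKE/IPSec proposal against a hardening baseline.

Added example; the field names follow the guide's wizard labels, the
thresholds below are this example's own assumptions, not ZyXEL defaults.
"""
from dataclasses import dataclass

# Algorithms the guide lists, grouped by how a reviewer should treat them.
BROKEN_ENCRYPTION = {"des", "null"}      # 56-bit key / no confidentiality at all
LEGACY_ENCRYPTION = {"3des"}             # 64-bit block, slow; AES preferred
WEAK_HASH = {"md5"}                      # the guide itself rates MD5 as minimal security
SMALL_DH_GROUPS = {"dh1", "dh2"}         # 768- and 1024-bit MODP; DH5 is 1536-bit
MAX_IKE_LIFETIME = 86_400                # seconds (assumed ceiling: 24 h)
MAX_IPSEC_LIFETIME = 3_600               # seconds (assumed ceiling: 1 h)


@dataclass
class Phase1:
    """IKE SA (phase 1) proposal as entered in the VPN Gateway screen."""
    encryption: str
    authentication: str
    key_group: str
    lifetime: int
    negotiation_mode: str = "main"       # main mode protects the peers' identities


@dataclass
class Phase2:
    """IPSec SA (phase 2) proposal as entered in the VPN Connection screen."""
    encryption: str
    authentication: str
    pfs: str                             # "none" or a DH group such as "dh5"
    lifetime: int


def _common_findings(tag, encryption, authentication):
    """Checks shared by both phases: cipher strength and hash strength."""
    findings = []
    enc = encryption.lower()
    if enc in BROKEN_ENCRYPTION:
        findings.append(f"{tag}: {encryption} gives no real confidentiality; use AES")
    elif enc in LEGACY_ENCRYPTION:
        findings.append(f"{tag}: 3DES is slow and has a 64-bit block; prefer AES")
    if authentication.lower() in WEAK_HASH:
        findings.append(f"{tag}: MD5 is a weak hash; use SHA-1 or a SHA-2 variant")
    return findings


def check_phase1(p):
    """Return the findings for an IKE SA proposal (empty list means acceptable)."""
    findings = _common_findings("phase1", p.encryption, p.authentication)
    if p.key_group.lower() in SMALL_DH_GROUPS:
        findings.append(f"phase1: {p.key_group} is at most 1024-bit MODP; use DH5 or larger")
    if p.negotiation_mode.lower() == "aggressive":
        findings.append("phase1: aggressive mode sends identities unprotected; use main mode")
    if p.lifetime > MAX_IKE_LIFETIME:
        findings.append(f"phase1: IKE SA life time {p.lifetime}s exceeds {MAX_IKE_LIFETIME}s")
    return findings


def check_phase2(p):
    """Return the findings for an IPSec SA proposal (empty list means acceptable)."""
    findings = _common_findings("phase2", p.encryption, p.authentication)
    pfs = p.pfs.lower()
    if pfs == "none":
        # Without PFS every IPSec key is derived from the IKE SA's secret, so one
        # recovered IKE key exposes every tunnel keyed from it.
        findings.append("phase2: PFS disabled; enable DH5 or larger so IPSec keys are independent")
    elif pfs in SMALL_DH_GROUPS:
        findings.append(f"phase2: PFS group {p.pfs} is at most 1024-bit MODP; use DH5 or larger")
    if p.lifetime > MAX_IPSEC_LIFETIME:
        findings.append(f"phase2: IPSec SA life time {p.lifetime}s exceeds {MAX_IPSEC_LIFETIME}s")
    return findings


def check_proposal(p1, p2):
    """Lint both phases and report whether the pair meets the baseline."""
    f1, f2 = check_phase1(p1), check_phase2(p2)
    return {"phase1": f1, "phase2": f2, "acceptable": not (f1 or f2)}


if __name__ == "__main__":
    # Constructed inputs: a weak pair beside a hardened pair.
    weak = check_proposal(Phase1("DES", "MD5", "DH1", 28800, "aggressive"),
                          Phase2("DES", "MD5", "none", 86400))
    strong = check_proposal(Phase1("AES256", "SHA1", "DH5", 28800),
                            Phase2("AES256", "SHA1", "DH5", 3600))
    for name, result in (("weak", weak), ("strong", strong)):
        print(name, "acceptable" if result["acceptable"] else "REJECTED")
        for line in result["phase1"] + result["phase2"]:
            print("  -", line)
```

Both peers must still agree on the same proposal, so run the same check against the remote side's settings; a hardened local proposal that the peer cannot match only produces a tunnel that never comes up.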
User Guide
Page 93
... on to access the server. ... if the packets are ...
2 Policy Routes: These are the user-configured policy routes (see Section 13.1 on page 297 for more on policy routes). You can have the ZyWALL check the policy routes first by enabling the policy route feature's Use Policy Route to Override Direct Route option.
3 1-to-1 and Many 1-to-1 NAT: These are the 1-to-1 NAT and Many 1-to-1 NAT entries. A Many 1-to-1 NAT entry works like multiple 1-to-1 NAT rules. See Section 17.2.1 on page 340 for more ... clients, create a 1-to-1 NAT entry ... send packets through the appropriate interface or VPN ...
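Page 93 above sketches the order in which the ZyWALL picks a path for a packet: direct (connected-interface) routes come before the user-configured policy routes unless Use Policy Route to Override Direct Route is enabled, and the 1-to-1 and Many 1-to-1 NAT entries follow, where a Many 1-to-1 entry behaves like a list of 1-to-1 rules. The block below is an added example written for this page, not ZyXEL code: it models that precedence with a longest-prefix lookup for direct routes and a first-match scan of policy routes, with the override flag swapping the order, and expands a Many 1-to-1 mapping into its individual 1-to-1 pairs. Only the two routing stages the page shows are modelled, and the interface names and addresses are constructed for the demonstration.

```python
"""Model the direct-route vs policy-route precedence and Many 1-to-1 NAT expansion.

Added example; only the two routing stages shown on the page are modelled,
and all addresses and interface names are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectRoute:
    network: str        # connected subnet, e.g. "192.168.1.0/24"
    interface: str      # e.g. "lan1"


@dataclass(frozen=True)
class PolicyRoute:
    source: str         # CIDR or "any"
    destination: str    # CIDR or "any"
    next_hop: str       # interface or VPN tunnel name


def _matches(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def direct_lookup(direct_routes, dst_ip):
    """Longest-prefix match over connected networks; None if not directly reachable."""
    best = None
    for r in direct_routes:
        net = ipaddress.ip_network(r.network)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.interface)
    return best[1] if best else None


def policy_lookup(policy_routes, src_ip, dst_ip):
    """Policy routes are checked in configured order; the first match wins."""
    for r in policy_routes:
        if _matches(r.source, src_ip) and _matches(r.destination, dst_ip):
            return r.next_hop
    return None


def route(src_ip, dst_ip, direct_routes, policy_routes, override_direct=False):
    """Return (stage, target); stage is "direct", "policy" or "none".

    By default direct routes win; with Use Policy Route to Override Direct Route
    enabled the policy routes are consulted first.
    """
    stages = [
        ("direct", lambda: direct_lookup(direct_routes, dst_ip)),
        ("policy", lambda: policy_lookup(policy_routes, src_ip, dst_ip)),
    ]
    if override_direct:
        stages.reverse()
    for stage, lookup in stages:
        target = lookup()
        if target is not None:
            return stage, target
    return "none", None


def expand_many_to_one(original_start, original_end, mapped_start):
    """A Many 1-to-1 NAT entry behaves like one 1-to-1 rule per address in the range."""
    o_start = ipaddress.ip_address(original_start)
    o_end = ipaddress.ip_address(original_end)
    m_start = ipaddress.ip_address(mapped_start)
    if o_end < o_start:
        raise ValueError("range end precedes range start")
    return [(str(o_start + i), str(m_start + i)) for i in range(int(o_end) - int(o_start) + 1)]


# Constructed topology: one LAN, one DMZ, and a policy route that forces traffic
# for the LAN subnet into a tunnel (the case where the override flag matters).
DIRECT = [DirectRoute("192.168.1.0/24", "lan1"), DirectRoute("10.0.0.0/8", "dmz")]
POLICY = [PolicyRoute("any", "192.168.1.0/24", "vpn_to_branch"),
          PolicyRoute("192.168.1.0/24", "any", "wan2")]

if __name__ == "__main__":
    print(route("192.168.1.10", "192.168.1.20", DIRECT, POLICY))           # direct wins
    print(route("192.168.1.10", "192.168.1.20", DIRECT, POLICY, True))     # policy wins
    print(route("192.168.1.10", "198.51.100.7", DIRECT, POLICY))           # not connected
    print(expand_many_to_one("10.0.0.10", "10.0.0.12", "203.0.113.10"))
```

The override flag is the interesting case: with it off, a policy route whose destination overlaps a connected subnet never fires for that subnet, which is why the page tells you to enable it when you want policy routes (for example, into a VPN tunnel) to take precedence.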
User Guide
Page 101
6.5.14 IPSec VPN
Use IPSec VPN to ... ZyWALL ... The ZyWALL also offers hub-and-spoke VPN.
MENU ITEM(S): Configuration > VPN > IPSec VPN; ... Setup > VPN Setup wizard.
PREREQUISITES: ..., firewall
WHERE USED: Policy routes, zones
Example: See Chapter 7 on page 107.
Note: The ZyWALL checks the firewall rules in sequence.
6.5.15 SSL VPN
Use SSL VPN to provide secure ...
MENU ITEM(S): Configuration > VPN > SSL VPN
PREREQUISITES: Interfaces, SSL application, users, user groups, addresses (network list, IP pool for assigning to clients, DNS and WINS server addresses), ...
Example: No.
User Guide
Page 104
The ZyWALL provides ... The following table introduces the objects.
OBJECT: WHERE USED
User/Group: ... (force user authentication)
AAA server: Authentication methods
Authentication methods: VPN gateways (extended authentication), WWW (client authentication)
Certificates: VPN gateways, WWW, SSH, FTP
SSL Application: SSL VPN
Endpoint Security: Authentication policies, SSL VPN
6.6.1 User/Group
Use these screens to ... force user authentication ...
MENU ITEM ...
User Guide
Page 165
CHAPTER 8 Dashboard
8.1 Overview
Use the Dashboard screens to check status information about the ZyWALL.
8.1.1 What You Can Do in this Chapter
... service status, and ... the navigation panel. You can also display other status screens for more information.
• Use the VPN status screen (see Section 8.2.1 on page 171) to look at the VPN tunnels that are currently established.
• Use the DHCP Table screen (see Section 8.2.5 on page 175) to look at the DHCP clients and the IP addresses reserved for ...
... the following ...
User Guide
Page 174
... the IP addresses currently assigned to ... be updated automatically. ... window right away.
To access this screen, click VPN Status in the dashboard.
Figure 132 Dashboard > VPN Status
The following table describes the labels in this screen.
Algorithm: This field displays the encryption and authentication algorithms used in the SA.
8.2.5 The DHCP Table Screen
Use this window to look at the DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the dashboard.
Figure 133 Dashboard > DHCP Table
User Guide
Page 178
• Use the ... screen (see Section 9.13 on page 207) to list the users currently logged into the VPN SSL client portal.
• Use the ... screen (Section 9.17 on page 206) to ... You can also clear the log in this screen.
9.2 The Port Statistics Screen
Use this screen to ... To access this screen, click ...
Figure 135 Monitor > System Status > Port Statistics
User Guide
Page 198
... the VPN SSL client portal.
... This field displays N/A if the IPSec SA uses manual keys. ... The whole VPN connection ...
... For example, use a question mark or asterisk ...
9.13 The SSL Connection Monitor Screen
The ZyWALL keeps track of active SSL VPN connections. ...
• Log out individual users and delete related session information.
User Guide
Page 366
What You Need to Know
Authentication policies are applied based on ... and destination IP addresses. You can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for ... computers ... (this works with HTTP traffic only). When a client attempts to ... the ZyWALL.
Authentication Policy and VPN: ...
Multiple Endpoint Security Objects: ... an example of ...
User Guide
Page 373
22.1.1 What You Can Do in this Chapter
• ... to configure firewall rules ... to block or allow services that use ...
• Use the Session Limit screens (see Section 22.3 on page 386) to ...
Figure 225 Default Firewall Action
The figure shows the ZyWALL's default firewall action and demonstrates ... are allowed. For example, a Telnet session from the WAN or DMZ zone destined for the LAN1 zone is blocked. Communications between the WAN and the DMZ zones are allowed. The firewall allows VPN traffic between any of the networks. The firewall can also limit the number of concurrent NAT/firewall sessions a client can initiate.
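Page 373 above describes the default firewall action by zone (a Telnet session from WAN or DMZ into LAN1 is blocked, WAN and DMZ may talk to each other, VPN traffic is allowed to any network) and a per-client limit on concurrent NAT/firewall sessions; page 101 notes that the firewall rules are checked in sequence. The block below is an added example written for this page, not ZyXEL code: a Python model of a zone-based, first-match rule list that falls back to those default zone actions, plus a per-source-IP concurrent session limit. The zone and service names, the LAN1-initiated default entries and the limit value are assumptions chosen for the demonstration; the zone-to-zone defaults taken from the page are marked in the code.

```python
"""Zone-based firewall model: ordered rules, per-zone default actions, session limit.

Added example. The default zone matrix encodes the page's description; the
LAN1-initiated entries and the remaining parameters are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

VPN_ZONE = "IPSec_VPN"

# From the page: WAN/DMZ -> LAN1 blocked, WAN <-> DMZ allowed, VPN allowed everywhere.
# LAN1-initiated traffic being allowed is an assumption; anything unlisted is denied.
DEFAULT_ACTIONS = {
    ("WAN", "LAN1"): "deny",
    ("DMZ", "LAN1"): "deny",
    ("WAN", "DMZ"): "allow",
    ("DMZ", "WAN"): "allow",
    ("LAN1", "WAN"): "allow",
    ("LAN1", "DMZ"): "allow",
}


@dataclass(frozen=True)
class Rule:
    from_zone: str   # zone name or "any"
    to_zone: str     # zone name or "any"
    service: str     # e.g. "telnet", "http", or "any"
    action: str      # "allow" or "deny"

    def matches(self, src_zone, dst_zone, service):
        return (self.from_zone in ("any", src_zone)
                and self.to_zone in ("any", dst_zone)
                and self.service in ("any", service))


class ZoneFirewall:
    def __init__(self, rules, session_limit):
        self.rules = list(rules)                  # evaluated in this order
        self.session_limit = session_limit        # max concurrent sessions per client IP
        self.sessions = defaultdict(int)          # client IP -> open sessions

    @staticmethod
    def default_action(src_zone, dst_zone):
        """Action when no rule matches; VPN traffic is allowed to and from every zone."""
        if VPN_ZONE in (src_zone, dst_zone):
            return "allow"
        return DEFAULT_ACTIONS.get((src_zone, dst_zone), "deny")

    def decide(self, src_zone, dst_zone, service):
        """First matching rule wins; return (action, reason)."""
        for index, rule in enumerate(self.rules, start=1):
            if rule.matches(src_zone, dst_zone, service):
                return rule.action, f"rule {index}"
        return self.default_action(src_zone, dst_zone), "default"

    def open_session(self, client_ip, src_zone, dst_zone, service):
        """Admit a new session if the rules allow it and the client is under its limit."""
        if self.sessions[client_ip] >= self.session_limit:
            return False, "session limit"
        action, reason = self.decide(src_zone, dst_zone, service)
        if action != "allow":
            return False, reason
        self.sessions[client_ip] += 1
        return True, reason

    def close_session(self, client_ip):
        if self.sessions[client_ip] > 0:
            self.sessions[client_ip] -= 1


# Constructed rule set: a specific deny placed before a broad allow, then an
# explicit exception to the WAN -> LAN1 default.
RULES = [
    Rule("WAN", "DMZ", "telnet", "deny"),
    Rule("WAN", "DMZ", "any", "allow"),
    Rule("WAN", "LAN1", "https", "allow"),
]

if __name__ == "__main__":
    fw = ZoneFirewall(RULES, session_limit=2)
    print(fw.decide("WAN", "DMZ", "telnet"))      # denied by rule 1
    print(fw.decide("WAN", "DMZ", "http"))        # allowed by rule 2
    print(fw.decide("WAN", "LAN1", "telnet"))     # no rule: default deny
    print(fw.decide(VPN_ZONE, "LAN1", "telnet"))  # no rule: VPN default allow
    for _ in range(3):
        print(fw.open_session("198.51.100.9", "WAN", "DMZ", "http"))
```

Reversing the first two rules is the classic mistake this model catches: the broad WAN-to-DMZ allow then matches first and the Telnet deny below it is never reached, which is the point of the page 101 note about sequential checking.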
User Guide
Page 393
Chapter 23 IPSec VPN
... on page 101 for related information on these screens.
Application Scenarios
The ZyWALL's application scenarios make it ...
Choose this ... ZyWALL has a static IP address or a domain name.
... The clients have ... has a static IP address or a domain name.
... to an IPSec server. ... The IPSec server ... doesn't configure this ...
User Guide
Page 398
VPN Gateway ... configuration fields.
Application Scenario: Select the scenario that ...
Choose this if the remote IPSec router has a static IP address or a domain name. It may use ...
Choose this ... to allow incoming connections from IPSec VPN clients. ... also known as dial-in ...
Choose this ... This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
Create new Object: Use to ...
Replay Detection: Select this check box to detect and reject old or duplicate packets to protect against Denial-of-Service attacks.
NetBIOS ...: Select this check box if you need NetBIOS packets to pass through the IPSec SA ... in order to allow ...
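Page 398 above describes the Replay Detection check box: reject old or duplicate packets so that a captured ESP packet cannot be fed back into the tunnel. The block below is an added example written for this page, not ZyXEL code, showing the mechanism behind that check box: the sliding-window sequence number check specified for ESP in RFC 4303 (minimum window 32, 64 recommended), implemented in Python with a bitmap of recently accepted sequence numbers. The window size and the sample sequence stream are constructed for the demonstration. A real receiver runs the replay check before integrity verification and commits the window update only after the ICV has passed, which is why check and update are separate methods here and accept takes a simulated ICV result.

```python
"""Sliding-window anti-replay check for ESP-style 32-bit sequence numbers.

Added example modelling the Replay Detection option. Window size and the
sample sequence stream are constructed; not ZyXEL code.
"""


class ReplayWindow:
    """Track the highest sequence number accepted and a bitmap of the last `size` numbers."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("window must be at least 32 (RFC 4303 minimum)")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit k set => sequence (top - k) has been accepted
        self.mask = (1 << size) - 1

    def check(self, seq):
        """Return True if `seq` is neither too old nor already seen (no state change)."""
        if seq == 0:
            return False                        # ESP sequence numbers start at 1
        if seq > self.top:
            return True                         # right of the window: always new
        offset = self.top - seq
        if offset >= self.size:
            return False                        # left of the window: too old
        return not (self.bitmap >> offset) & 1  # inside the window: reject duplicates

    def update(self, seq):
        """Record `seq` as accepted; call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                 # jumped past the whole window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq, icv_ok=True):
        """Receive path: replay check, then (simulated) integrity check, then commit."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def filter_stream(seqs, size=64):
    """Run a sequence-number stream through one window; True means accepted."""
    window = ReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: reordering (5 before 4), a replay of 3, a jump past the
    # window, a late-but-in-window 37, a too-old 36, and a replayed 100.
    stream = [1, 2, 3, 5, 4, 3, 100, 37, 36, 100, 200]
    for s, ok in zip(stream, filter_stream(stream)):
        print(f"seq {s:>3}: {'accept' if ok else 'REJECT'}")
```

Two consequences follow from the bitmap: modest reordering inside the window is tolerated, so the option is safe on ordinary links, and a packet that arrives more than a window's width late is dropped even though it is genuine, which is the trade-off to remember when a high-latency path shows unexplained packet loss with Replay Detection on.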
User Guide
Page 427
CHAPTER 24 SSL VPN
24.1 Overview
Use SSL VPN to allow users to use a web browser for secure remote user login (the remote users do not need a VPN router or VPN client software).
... An SSL access policy allows the ZyWALL to perform the following tasks: ...
24.1.1 What You Can Do in this Chapter
• Use the VPN > SSL VPN > Access ...
User Guide
Page 436
2 The SSL VPN connection starts. This may take several minutes depending on your network connection. Once the connection is up, you should see the client portal screen. The following shows an example.
Figure 257 SSL VPN Client Portal Screen Example
If the user account is not activated for SSL VPN access, an "SSL VPN connection is not set up" message displays in the Login screen. Clear the Login to SSL VPN check box and try logging in again.
For more information on user portal screens, refer to Chapter 25 on page 437.
User Guide
Page 752
Appendix A Log Descriptions
Table 242 SSL VPN Logs (continued) (LOG MESSAGE / DESCRIPTION)
... %s in the list of networks has been modified ... has been changed ... has been deleted.
'2nd- ...
The %s address-object is wrong type for the listed SSL ... So %s will not be injected to an SSL VPN client.