User Guide
Page 7
Document Conventions
Icons Used in Figures
Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router
ZyWALL USG 2000 User's Guide 7
Page 9
Contents Overview
User's Guide ... 31
Introducing the ZyWALL ... 33
Features and Applications ... 43
Web Configurator ... 51
Installation Setup Wizard ... 67
Quick Setup ... 77
Configuration Basics ... 95
Tutorials ... 119
...
L2TP VPN Example ... 397
ALG ... 401
IP/MAC Binding ... 409
Authentication Policy ... 415
Firewall ... 423
IPSec VPN ... 441
SSL VPN ... 481
SSL User Screens ... 493
SSL User Application Screens ... 503
SSL User File Sharing ... 505
ZyWALL SecuExtender ... 513
L2TP VPN ... 517
Application Patrol ... 521
Anti-Virus ... 547
IDP ... 563
ADP ... 597
Page 13
... the ZyWALL ... 99
6.4 Packet Flow ... 100
6.4.1 ZLD 2.20 Packet Flow Enhancements ... 100
6.4.2 Routing Table Checking Flow Enhancements ... 101
6.4.3 NAT Table Checking Flow ... 102
...
... Policy ... 109
6.5.14 Firewall ... 109
6.5.15 IPSec VPN ... 110
6.5.16 SSL VPN ... 110
6.5.17 L2TP VPN ... 111
6.5.18 Application Patrol ... 111
6.5.... ... 113
6.6 Objects ... 114
6.6.1 User/Group ... 114
6.7 System ... 115
6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in ... 115
6.7.2 Logs and Reports ... 116
6.7.3 File Manager ... 116
6.7.4 Diagnostics ... 116
6.7.5 Shutdown ... 116
Chapter 7 Tutorials ... 119
Page 14
... Set Up User Authentication Using the RADIUS Server ... 135
7.6.4 Web Surfing Policies With Bandwidth Restrictions ... 137
7.6.5 Set Up MSN Policies ... 140
7.6.6 Set Up Firewall Rules ... 141
7.7 How to Use a RADIUS Server to Authenticate User Accounts based on Groups ... 142
7.8 How to Use Endpoint Security and Authentication Policies ...
...
... Firewall Rule for SIP ... 161
7.12.5 Set Up a DMZ to LAN Firewall Rule for SIP ... 162
7.13 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ... 163
7.13.1 Create the Public IP Address Range Object ... 163
7.13.2 Configure the Policy Route ... 164
Page 19
... 23.1.2 What You Need to Know ... 416
23.2 Authentication Policy Screen ... 416
23.2.1 Creating/Editing an Authentication Policy ... 419
Chapter 24 Firewall ... 423
24.1 Overview ... 423
24.1.1 What You Can Do in this Chapter ... 423
24.1.2 What You Need to Know ... 424
24.1.3 Firewall Rule Example Applications ... 426
24.1.4 Firewall Rule Configuration Example ... 429
24.2 The Firewall Screen ... 431
24.2.1 Configuring the Firewall Screen ... 432
24.2.2 The Firewall Add/Edit Screen ... 435
24.3 The Session Limit Screen ... 436
24.3.1 The Session Limit Add/Edit Screen ... 438
Chapter 25 IPSec VPN ... 441
Page 33
CHAPTER 1 Introducing the ZyWALL
This chapter gives an overview of the ZyWALL's features. See Chapter 2 on page 43 ... mount your ZyWALL ...
1.1 Overview and Key Default Settings
The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. Its flexible configuration helps network administrators set up the network and enforce security policies efficiently. By default ge1 is mapped to ... The ZyWALL ... is 192.168.1.1; ... "1234" respectively.
Page 43
... information about the features of the ZyWALL.
2.1 Features
The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. ... The rest of this section provides more ...
• One or more 3G (cellular) connections.
• An auxiliary (backup) Internet connection.
• A backup ZyWALL ...
Virtual Private Networks (VPN)
Use IPSec, SSL, or L2TP VPN to ... VPN tunnels to provide secure communication between these ... zones ... ports ... in the ZyWALL.
Page 44
Chapter 2 Features and Applications
Firewall
The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. ... For example, traffic from one zone is not allowed unless it is initiated by a computer in ... in order to ... defined policies. ... organization. It can protect against ... such as pornography or racial intolerance, from a pre-defined list. ... You can also create your own custom IDP rules. ... your ZyWALL to better handle applications ... See Section 35.3.4 on page 602 and Section 35...
Page 57
... -through settings.
Exempt List ...
... Configure ranges of concurrent client NAT/firewall sessions.
SSL VPN Access Privilege: Configure SSL VPN access rights ...
... for an installed 3G card.
PPP: Create and manage PPPoE and PPTP interfaces.
Zone: Configure zones used to ...
... force user authentication.
Routing
Policy Route: Create and manage ...
Page 62
The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule). ...
Service: This is the type of object.
Priority: If it displays here, ...
... identifies the object for which the configuration settings ... Click the object's name to ...
... to close the screen.
Page 66
Chapter 3 Web Configurator
3.3.4.3 Working with Lists
When a list of available entries displays ... entry. In some lists you can select an entry and click Add to ... on an entry, select it from one ... to remove it and click Remove. You can also use the [Shift] or [Ctrl] key to ...
... In a list of tables, small red triangles display for table entries with ... See Section 13.3.2 on ...
Here are ... (features where the ZyWALL applies the table's entries in order, like the firewall for example) ... moving becomes number 6 and the previous entry 6 (if there is ... important ...
Lists ...
Page 95
... of it. For example, if you want to configure many ... of it as objects. ... terminology and organization between the ZyWALL and ... if you are just getting started. ... After you configure the trunk, you configure various features in the ... Once you configure an object, you can reuse it in ... other settings use these ... When you change an object's settings, the ZyWALL automatically updates all the ... settings or rules that use the object. For example, if you create a schedule object, you can have ... the firewall, application patrol, content filter, and other features ...
Page 96
Port groups combine physical ports into interfaces. ... Interfaces ... (layer-3) packets pass through. Use interfaces in configuring other features. ... Use zones ... to apply security settings such as firewall, IDP, remote management, antivirus, and application patrol. ... of common objects, see Section 6.6 on page 61) ... to see what objects are in the ZyWALL. In ... configuration, you connect a cable. ... in a screen that uses objects, you configure features that ...
Figure 62 Zones, Interfaces, and Physical Ethernet Ports (zones: LAN, WAN, DMZ; interfaces: ge1, ge2, ge3, ge4, ge5, ge6, ge7 ...)
Page 101
Chapter 6 Configuration Basics
Figure 65 Routing Table Checking Flow Enhancements
1 Direct-connected Subnets: The ZyWALL first checks ... one of the ZyWALL's interfaces. ... Then it defragments them. ... to route them and applies destination NAT. As soon as ... the routing table ... compares ... from top to ... the other checks, for example the firewall check. ... Even with these changes, you can still use an existing configuration file from ... the earlier 2.1x firmware's routing table. The ...
• You do not need to set up policy routes for 1:1 NAT entries.
• You can ...
Page 107
... outside the private network. ... dynamic IP address. ... Each interface and VPN tunnel can be assigned to a ... Virtual interfaces are automatically assigned to the ... When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for ... for background information.
MENU ITEM(S) Configuration ...
Page 108
MENU ITEM(S) Configuration > Network > HTTP Redirect
PREREQUISITES Interfaces
Example: Suppose you ... to a HTTP proxy server at IP address 192.168.3.80. ... have been accessed so they are readily available the next time ...
1 Click Configuration > Network > HTTP Redirect.
2 Add an entry.
...
... > NAT ... an FTP server with a private IP address ... connected to a proxy server. The ZyWALL does not check to-ZyWALL firewall rules. It does check regular (through ...) ...
4 Specify the public WAN IP address where the ZyWALL will receive the FTP packets.
5 In the Mapped IP field, list the ...
Page 109
... destination), address groups (source, destination), services, service groups ...
... Configure firewall rules based on ... to control who can ... You can ... access the network. ... To-ZyWALL firewall rules control access to the ZyWALL. ...
... Policy: Use authentication policies to ... make sure users' computers comply with defined corporate policies before they can access the network. ... the ZyWALL ... also ...
Page 110
... > Object > Service).
2 Create an address object for ...
PREREQUISITES Interfaces, certificates (authentication), authentication methods (extended authentication), addresses (local network, remote network, NAT), to-ZyWALL firewall, firewall
WHERE USED Policy routes, zones, L2TP VPN
Example: See Chapter 7 on ...
... assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall ...
... on the LAN can also use ...
Page 111
MENU ITEM(S) Configuration > VPN > L2TP VPN
PREREQUISITES Interfaces, IPSec VPN connection, certificates (authentication ...), ... to-ZyWALL firewall, firewall
WHERE USED ...
The IPSec VPN connection used for ... Bob. ... vice president Bob to use ... which services through the ZyWALL (and when they can ... do so). • You can ...
• Select the user account that you want to allow ... destination). Click the BitTorrent application patrol entry's Edit icon.
• Set the default policy's access to ...
• Add another policy. ... leave the source, destination and log settings at the default.
Page 113
Chapter 6 Configuration Basics
6.5.23 Anti-Spam
Use anti-spam to detect and take action on spam mail.
MENU ITEM(S) Configuration > Anti-X > Anti-Spam
PREREQUISITES Zones
... Click the Add icon to go to the screen where you ... created. ...
6.5.24 Device HA
To increase network reliability, device HA lets a backup ZyWALL automatically take over if a master ZyWALL fails.
MENU ITEM(S) Configuration > Device HA
PREREQUISITES Interfaces (with a static IP address), to-ZyWALL firewall ...
Example: See Chapter 7 on page 119.
1 ...