User Guide
Page 9
Contents Overview Contents Overview User's Guide ...31 Introducing the ZyWALL ...33 Features and Applications ...39 Web Configurator ...47 Installation Setup Wizard ...65 Quick Setup ...75 Configuration Basics ...93 Tutorials ...117 L2TP VPN Example ...185 Technical Reference ...223 Dashboard ...225 Monitor ... Policy ...449 Firewall ...457 IPSec VPN ...475 SSL VPN ...517 SSL User Screens ...531 SSL User Application Screens 541 SSL User File Sharing ...543 ZyWALL SecuExtender ...551 L2TP VPN ...555 Application Patrol ...559 Anti-Virus ...585 IDP ...601 ADP ...637 ZyWALL USG 300 User's Guide 9
User Guide
Page 13
... Chapter 7 Tutorials ...117 7.1 How to Configure Interfaces, Port Grouping, and Zones 117 7.1.1 Configure a WAN Ethernet Interface 118 ZyWALL USG 300 User's Guide 13 Policy ...107 6.5.14 Firewall ...107 6.5.15 IPSec VPN ...108 6.5.16 SSL VPN ...108 6.5.17 L2TP VPN ...109 6.5.18 Application Patrol 109 6.5.19 Anti-Virus ...110 6.5.20 IDP ...110 6.5.21 ADP ...110 6.5.22 Content Filter...
User Guide
Page 15
... VPN Status Screen 235 9.2.5 The DHCP Table Screen 235 9.2.6 The Number of Login Users Screen 236 Chapter 10 Monitor...239 10.1 Overview ...239 10.1.1 What You Can Do in this Chapter 239 10.2 The Port Statistics Screen 240 10.2.1 The Port Statistics Graph Screen 242 10.3 Interface Status Screen 243 ZyWALL USG 300 User...
User Guide
Page 21
...Connection 553 30.5 Stop the Connection ...554 30.6 Uninstalling the ZyWALL SecuExtender 554 Chapter 31 L2TP VPN...555 31.1 Overview ...555 31.1.1 What You Can Do in this Chapter 555 31.1.2 What You Need to Know 555 31.2 L2TP VPN Screen ...557 Chapter 32 Application Patrol ...559 32.1 Overview ...559... 32.1.1 What You Can Do in this Chapter 559 32.1.2 What You Need to Know 560 32.1.3 Application Patrol Bandwidth Management Examples 565 ZyWALL USG 300 User's Guide 21
User Guide
Page 39
...or more information about the features of the ZyWALL. The ZyWALL also offers hub-and-spoke IPSec VPN. Virtual Private Networks (VPN) Use IPSec, SSL, or L2TP VPN to change security settings in the event the master ZyWALL fails (device HA). It also provides bandwidth...many other powerful features. The rest of this section provides more of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. ZyWALL USG 300 User's Guide 39
User Guide
Page 52
... ZyWALL. VPN Monitor IPSec Displays and manages the active IPSec SAs. AppPatrol Statistics Displays bandwidth and protocol statistics. IDP Collect and display statistics on the viruses that have received an IP address from ZyWALL interfaces using IP/MAC binding. Interface Status Displays general interface information and packet statistics. Log Lists log entries. 52 ZyWALL USG 300...
User Guide
Page 54
.... Profile Create and manage IDP profiles. VPN IPSec VPN VPN Connection Configure IPSec tunnels. Global Setting Configure the ZyWALL's SSL VPN settings that apply to -peer traffic. L2TP VPN L2TP VPN Configure L2TP Over IPSec VPN settings. AppPatrol General Enable or disable traffic...and FTP pass-through settings. Concentrator Configure VPN concentrators (hub-and-spoke VPN). IDP General Display and manage IDP bindings. Custom Signatures Create, import, or export custom signatures. 54 ZyWALL USG 300 User's Guide Firewall Firewall Create and manage...
User Guide
Page 108
... sequence. 6.5.15 IPSec VPN Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall 108 ZyWALL USG 300 User's Guide you can... addresses (local network, remote network, NAT), to-ZyWALL firewall, firewall WHERE USED Policy routes, zones, L2TP VPN Example: See Chapter 7 on the LAN can also use the Quick Setup VPN Setup wizard. MENU ITEM(S) Configuration > VPN > IPSec VPN; Chapter 6 Configuration Basics Example: Suppose you have ...
User Guide
Page 109
You can also specify allowed amounts of the wizards. ZyWALL USG 300 User's Guide 109 You must subscribe to -ZyWALL firewall, firewall WHERE USED The IPSec VPN connection used for L2TP VPN can leave the source, destination and log settings at the ...Patrol Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). MENU ITEM(S) Configuration > VPN > L2TP VPN PREREQUISITES Interfaces, IPSec VPN connection, certificates (authentication), authentication methods (extended authentication), addresses (local network, remote...
User Guide
Page 112
... SSL Application SSL VPN Endpoint Security Authentication policies, SSL VPN 6.6.1 User/Group Use these screens to display basic information about the object. Table 20 User Types TYPE ABILITIES admin Change ZyWALL configuration (web, CLI) limited-admin Look at ZyWALL configuration (web) user Access network services, browse user-mode commands (CLI) 112 ZyWALL USG 300 User's Guide If...
User Guide
Page 117
ZyWALL USG 300 User's Guide 117 Note: The tutorials featured here require a basic understanding of connecting to and using...and P5 and need full wire speed communication with each other, so ports P4 and P5 are examples of configuring L2TP VPN. For field descriptions of individual screens, see Technical Reference on page 185 for an example of using the Web Configurator... the default configuration). • Interface ge2 uses a static IP address of 1.2.3.4 and is in the ZyWALL. CHAPTER 7 Tutorials Here are combined into a ge4 interface port group. It uses IP address 192.168.2.1.
User Guide
Page 185
....10.10 to open the screen that lists the VPN gateways. Figure 152 L2TP VPN Example 172.16.1.2 LAN_SUBNET: 192.168.1.x L2TP_POOL: 192.168.10.10~192.168.10.20 • The ZyWALL has a static IP address of 172.16.1.2 for use in creating a basic L2TP VPN tunnel. ZyWALL USG 300 User's Guide 185 Double-click the Default_L2TP_VPN_GW entry.
User Guide
Page 186
...This example uses topsecret. Click OK. This example uses interface ge2 with static IP address 172.16.1.2. Chapter 8 L2TP VPN Example • Configure the My Address setting. Note: If it is possible that the remote user's public IP ... Policy Route to turn on the entry. Figure 153 Configuration > VPN > IPSec VPN > VPN Gateway > Edit 2 Select the Default_L2TP_VPN_GW entry and click Activate and click Apply to Override Direct Route. • Select Pre-Shared Key and configure a password. Figure 154 Configuration > VPN > IPSec VPN > VPN Gateway (Enable) 186 ZyWALL USG 300 User's Guide
User Guide
Page 187
Figure 155 Configuration > VPN > IPSec VPN > VPN Connection > Edit ZyWALL USG 300 User's Guide 187 Double-click the Default_L2TP_VPN_Connection entry. 2 Click the Show Advanced Settings button. The address object in this example uses...Server Role). • Set the Local Policy to open the screen that you configured in the Default_L2TP_VPN_GW. Chapter 8 L2TP VPN Example 8.3 Configuring the Default L2TP VPN Connection Example 1 Click Configuration > VPN > Network > IPSec VPN to use L2TP_IFACE. • Click OK. Configure and enforce the local and remote policies. • Create an ...
User Guide
Page 188
Here a user account named L2TP-test has been created. 188 ZyWALL USG 300 User's Guide It is called L2TP_POOL here. • Enable the connection. • Set the VPN Connection to the Default_L2TP_VPN_Connection. • Set the IP Address Pool to L2TP_POOL. • This example uses the default authentication method (the ZyWALL's local user data base). • Select a user...
User Guide
Page 189
... the following commands from the Windows command prompt to establish an L2TP VPN connection. 1 Click Start > Network > Network and Sharing Center > Set up a connection or network. Figure 157 Configuration > VPN > L2TP VPN Example 8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000 The following to make ...to the defaults in this example, click Apply. Chapter 8 L2TP VPN Example • The other fields are left to configure L2TP in remote user computers using Windows Vista, XP, and 2000. Before you include the quotes. • For Windows XP. ZyWALL USG 300 User's Guide 189
User Guide
Page 190
Figure 158 Set up a connection or network: Chose a connection type 3 Select Use my Internet connection (VPN). Figure 159 Connect to a workplace: How do you want to a workplace and click Next. Chapter 8 L2TP VPN Example 2 Select Connect to connect? 190 ZyWALL USG 300 User's Guide
User Guide
Page 191
... a user account that the ZyWALL is using for L2TP VPN (172.16.1.2 in this example). Select Don't connect now, just set it up so I can use the L2TP VPN connection and click Next. Figure 160 Connect to a workplace: Type the Internet address to connect to a workplace: Type your user name and password ZyWALL USG 300 User's Guide 191...
User Guide
Page 192
Right-click the L2TP VPN connection and select Properties. Figure 163 Connect L2TP to a network. Figure 162 Connect to a workplace: The connection is ready to use 7 In the Network and Sharing Center screen, click Connect to ZyWALL 192 ZyWALL USG 300 User's Guide Chapter 8 L2TP VPN Example 6 Click Close.
User Guide
Page 193
Select Unencrypted password (PAP) and clear all of the other check boxes. When you use L2TP VPN to connect to Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Figure 164 Connect L2TP to ZyWALL: Security 9 Set Data encryption to the ZyWALL, the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel ZyWALL USG 300 User's Guide 193 Click OK. Figure 165 Connect ZyWALL L2TP: Security > Advanced 10 Click Yes. Chapter 8 L2TP VPN Example 8 Click Security, select Advanced (custom settings) and click Settings.