User Guide
Page 9
Contents Overview Contents Overview User's Guide ...31 Introducing the ZyWALL ...33 Features and Applications ...39 Web Configurator ...47 Installation Setup Wizard ...65 Quick Setup ...75 Configuration Basics ...93 Tutorials ...117 L2TP VPN Example ...185 Technical Reference ...223 Dashboard ...225 Monitor ...Policy ...449 Firewall ...457 IPSec VPN ...475 SSL VPN ...517 SSL User Screens ...531 SSL User Application Screens 541 SSL User File Sharing ...543 ZyWALL SecuExtender ...551 L2TP VPN ...555 Application Patrol ...559 Anti-Virus ...585 IDP ...601 ADP ...637 ZyWALL USG 300 User's Guide 9
User Guide
Page 11
... Table of Contents...11 Part I: User's Guide 31 Chapter 1 Introducing the ZyWALL ...33 1.1 Overview and Key Default Settings 33 1.2 Rack-mounted Installation 33 ...ZyWALL 37 Chapter 2 Features and Applications ...39 2.1 Features ...39 2.2 Applications ...41 2.2.1 VPN Connectivity ...42 2.2.2 SSL VPN Network Access 42 2.2.3 User-Aware Access Control 44 2.2.4 Multiple WAN Interfaces 44 2.2.5 Device HA ...45 Chapter 3 Web Configurator...47 3.1 Web Configurator Requirements 47 3.2 Web Configurator Access ...47 3.3 Web Configurator Screens Overview 49 3.3.1 Title Bar ...50 ZyWALL USG 300...
User Guide
Page 12
... Configuration 93 6.2 Zones, Interfaces, and Physical Ports 94 6.2.1 Interface Types ...95 6.2.2 Default Interface and Zone Configuration 96 12 ZyWALL USG 300 User's Guide Second WAN Interface 71 4.1.7 Internet Access - Summary 91 5.5.8 VPN Advanced Wizard - Summary 85 5.5.3 VPN Express Wizard - WAN Interface 66 4.1.2 Internet Access: Ethernet 66 4.1.3 Internet Access: PPPoE 68 4.1.4 Internet Access: PPTP 69 4.1.5 ISP...
User Guide
Page 13
... 6.5.16 SSL VPN ...108 6.5.17 L2TP VPN ...109 6.5.18 Application Patrol 109 6.5.19 Anti-Virus ...110 6.5.20 IDP ...110 6.5.21 ADP ...110 6.5.22 Content Filter ...110 6.5.23 Anti-Spam ...111 6.5.24 Device HA ...111 6.6 Objects ...112 6.6.1 User/Group ...112 6.7 System ...113 6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in the ZyWALL 97 6.4 Packet... ...114 6.7.3 File Manager ...114 6.7.4 Diagnostics ...114 6.7.5 Shutdown ...114 Chapter 7 Tutorials ...117 7.1 How to Configure Interfaces, Port Grouping, and Zones 117 7.1.1 Configure a WAN Ethernet Interface 118 ZyWALL USG 300 User's Guide 13
User Guide
Page 14
... to Use the WLAN Interface 129 7.5 How to Set Up an IPSec VPN Tunnel 141 7.5.1 Set Up the VPN Gateway 142 7.5.2 Set Up the VPN Connection 142 7.5.3 Configure Security Policies for the VPN Tunnel 144 7.6 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator 144 7.7 How to Configure User-aware Access Control 146 7.7.1 Set... a DMZ to LAN Firewall Rule for SIP 175 7.14 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic 176 14 ZyWALL USG 300 User's Guide
User Guide
Page 15
... VPN Status Screen 235 9.2.5 The DHCP Table Screen 235 9.2.6 The Number of Login Users Screen 236 Chapter 10 Monitor...239 10.1 Overview ...239 10.1.1 What You Can Do in this Chapter 239 10.2 The Port Statistics Screen 240 10.2.1 The Port Statistics Graph Screen 242 10.3 Interface Status Screen 243 ZyWALL USG 300 User...
User Guide
Page 20
... 24.2.2 The Firewall Add/Edit Screen 469 24.3 The Session Limit Screen 470 24.3.1 The Session Limit Add/Edit Screen 472 Chapter 25 IPSec VPN...475 25.1 IPSec VPN Overview ...475 25.1.1 What You Can Do in this Chapter 475 25.1.2 What You Need to Know 476 25.1.3 Before You Begin 478... 26.3 The SSL Global Setting Screen 524 26.3.1 How to Upload a Custom Logo 526 26.4 Establishing an SSL VPN Connection 527 Chapter 27 SSL User Screens ...531 27.1 Overview ...531 27.1.1 What You Need to Know 531 27.2 Remote User Login ...532 27.3 The SSL VPN User Screens 537 20 ZyWALL USG 300 User's Guide
User Guide
Page 21
... ...552 30.3 View Log ...553 30.4 Suspend and Resume the Connection 553 30.5 Stop the Connection ...554 30.6 Uninstalling the ZyWALL SecuExtender 554 Chapter 31 L2TP VPN...555 31.1 Overview ...555 31.1.1 What You Can Do in this Chapter 555 31.1.2 What You Need to Know 555 31.2 L2TP... VPN Screen ...557 Chapter 32 Application Patrol ...559 32.1 Overview ...559 32.1.1 What You Can Do in this Chapter 559 32.1.2 What You Need to Know 560 32.1.3 Application Patrol Bandwidth Management Examples 565 ZyWALL USG 300 User's Guide 21
User Guide
Page 26
Table of Contents 45.1.1 What You Can Do in this Chapter 775 45.1.2 Before You Begin 775 45.1.3 Example: Selecting a VPN Authentication Method 775 45.2 Authentication Method Objects 776 45.2.1 Creating an Authentication Method Object 777 Chapter 46 Certificates ...781 46.1 Overview ...781 46.1.1 What You ... Chapter 49 Endpoint Security ...815 49.1 Overview ...815 49.1.1 What You Can Do in this Chapter 816 49.1.2 What You Need to Know 816 26 ZyWALL USG 300 User's Guide
User Guide
Page 33
... weight of all necessary precautions to ge2 and so on. 1.2 Rack-mounted Installation The ZyWALL can be mounted on page 39 for reliable, secure service. The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly ...ZyWALL is mapped to anchor the rack securely before installing the unit. By default 1 is mapped to ge1, 2 is a comprehensive security device. Take all the equipment it an ideal solution for a more detailed overview of the ZyWALL does not make the rack unstable or top-heavy. ZyWALL USG 300...
User Guide
Page 39
...communication. As a result, it is much simpler to set up and to change security settings in the event the master ZyWALL fails (device HA). ZyWALL USG 300 User's Guide 39 It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful ...features. Virtual Private Networks (VPN) Use IPSec, SSL, or L2TP VPN to zones. The ZyWALL also offers hub-and-spoke IPSec VPN. The rest of this ...
User Guide
Page 42
... or entering the provided URL. 42 ZyWALL USG 300 User's Guide As the final destination, the ZyWALL appears to be the server to your network. With reverse proxy mode, remote users can configure the ZyWALL to provide SSL VPN network access to provide better service. Chapter 2 Features and Applications 2.2.1 VPN Connectivity Set up additional connections to the...
User Guide
Page 52
...spam Black List) statistics. Log Lists log entries. 52 ZyWALL USG 300 User's Guide Interface Status Displays general interface information and packet statistics. IP/MAC Binding Lists the devices that the ZyWALL has detected. AppPatrol Statistics Displays bandwidth and protocol statistics. Anti...port. Session Monitor Displays the status of the ZyWALL's DDNS domain names. Login Users Lists the users currently logged into the VPN SSL client portal. WLAN Status Displays the connection status of the ZyWALL's wireless clients. Cellular Status Displays details about ...
User Guide
Page 53
...interfaces and virtual VLAN interfaces. Auxiliary Manage the AUX port. ZyWALL USG 300 User's Guide 53 Bridge Create and manage bridges and virtual bridge interfaces. Static Route Create and manage IP static routing information. DDNS Profile Define and manage the ZyWALL's DDNS domain names. NAT Set up and manage HTTP ... PPPoE and PPTP interfaces. Table 7 Configuration Menu Screens Summary FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces or VPN connections. Network Interface Port Grouping Configure physical port groups.
User Guide
Page 54
...-virus black (blocked) and white (allowed) lists of IP addresses to which the ZyWALL does not apply IP/MAC binding. Signature Search for users and groups. VPN IPSec VPN VPN Connection Configure IPSec tunnels. IM Manage instant messenger traffic. Peer to Peer Manage peer-to... patterns. L2TP VPN L2TP VPN Configure L2TP Over IPSec VPN settings. Black/White List Set up anti-virus policies and check the anti-virus engine type and the antivirus license and signature status. Custom Signatures Create, import, or export custom signatures. 54 ZyWALL USG 300 User's Guide...
User Guide
Page 67
Enter a DNS server's IP address(es). ZyWALL USG 300 User's Guide 67 The Domain Name System (DNS) maps a domain name to ...Server: These fields display if you selected static IP address assignment. • IP Subnet Mask: Enter the subnet mask for VPN, DDNS and the time server. Leave the field as given to which this WAN connection's IP address. • Gateway...: Enter the IP address of a computer before you specify here) to an IP address and vice versa. The ZyWALL uses these (in the previous screen. Auto displays if you selected Auto as the IP Address Assignment in the order...
User Guide
Page 69
... Access: PPTP Encapsulation 4.1.5 ISP Parameters • Authentication Type - Select an authentication protocol for VPN, DDNS and the time server. Enter a DNS server's IP address(es). If you specify here) to an IP address and vice versa. Options are: ZyWALL USG 300 User's Guide 69 The Domain Name System (DNS) maps a domain name to resolve...
User Guide
Page 70
... blank. Chapter 4 Installation Setup Wizard • CHAP/PAP - This field is the security zone to resolve domain names for VPN, DDNS and the time server. The ZyWALL uses these (in the previous screen. • First / Second DNS Server: These fields display if you do not want ...to you by the remote node. • CHAP - Your ZyWALL accepts either CHAP or PAP when requested by your ISP. • Type the IP Subnet Mask assigned to configure DNS servers. 70 ZyWALL USG 300 User's Guide Your ZyWALL accepts PAP only. • MSCHAP -
User Guide
Page 75
...) connection. See Section 5.4 on configuring the quick setup screens in the Web Configurator. See Section 5.2 on page 76. • VPN SETUP Use VPN SETUP to configure a VPN (Virtual Private Network) tunnel for background information. ZyWALL USG 300 User's Guide 75 This chapter provides information on page 82. This wizard creates matching ISP account settings in this...
User Guide
Page 80
.... 5.2.5 Quick Setup Interface Wizard: Summary This screen displays the WAN interface's settings. Service Name This field only appears for VPN, DDNS and the time server. The ZyWALL uses a system DNS server (in this interface uses to connect to the Internet. Figure 43 Interface Wizard: Summary WAN (...This displays what encapsulation this screen. If you can access it . Enter the DNS server IP address(es) in the ISP account. 80 ZyWALL USG 300 User's Guide Back Next DNS (Domain Name System) is extremely important because without it, you must know the IP address of a machine...