User Guide
Page 9
Contents Overview User's Guide ...31 Introducing the ZyWALL ...33 Features and Applications ...39 Web Configurator ...47 Installation Setup Wizard ...65 Quick Setup ...75 Configuration Basics ...93 Tutorials ...117 L2TP VPN Example ...185 Technical Reference ...223 Dashboard ...225 Monitor ...239 ......449 Firewall ...457 IPSec VPN ...475 SSL VPN ...517 SSL User Screens ...531 SSL User Application Screens 541 SSL User File Sharing ...543 ZyWALL SecuExtender ...551 L2TP VPN ...555 Application Patrol ...559 Anti-Virus ...585 IDP ...601 ADP ...637 ZyWALL USG 300 User's Guide 9
User Guide
Page 11
... Table of Contents...11 Part I: User's Guide 31 Chapter 1 Introducing the ZyWALL ...33 1.1 Overview and Key Default Settings 33 1.2 Rack-mounted Installation 33 ...ZyWALL 37 Chapter 2 Features and Applications ...39 2.1 Features ...39 2.2 Applications ...41 2.2.1 VPN Connectivity ...42 2.2.2 SSL VPN Network Access 42 2.2.3 User-Aware Access Control 44 2.2.4 Multiple WAN Interfaces 44 2.2.5 Device HA ...45 Chapter 3 Web Configurator...47 3.1 Web Configurator Requirements 47 3.2 Web Configurator Access ...47 3.3 Web Configurator Screens Overview 49 3.3.1 Title Bar ...50 ZyWALL USG 300...
User Guide
Page 12
... Wizard Screens 65 4.1.1 Internet Access Setup - Scenario 83 5.5.1 VPN Express Wizard - Finish 92 Chapter 6 Configuration Basics...93 6.1 Object-based Configuration 93 6.2 Zones, Interfaces, and Physical Ports 94 6.2.1 Interface Types ...95 6.2.2 Default Interface and Zone Configuration 96 12 ZyWALL USG 300 User's Guide Summary 91 5.5.8 VPN Advanced Wizard - Summary 85 5.5.3 VPN Express Wizard - WAN Interface 66 4.1.2 Internet Access: Ethernet 66...
User Guide
Page 13
... 6.7.3 File Manager ...114 6.7.4 Diagnostics ...114 6.7.5 Shutdown ...114 Chapter 7 Tutorials ...117 7.1 How to Configure Interfaces, Port Grouping, and Zones 117 7.1.1 Configure a WAN Ethernet Interface 118 ZyWALL USG 300 User's Guide 13 Policy ...107 6.5.14 Firewall ...107 6.5.15 IPSec VPN ...108 6.5.16 SSL VPN ...108 6.5.17 L2TP VPN ...109 6.5.18 Application Patrol 109 6.5.19 Anti-Virus ...110 6.5.20 IDP ...110...
User Guide
Page 14
... Set Up an IPSec VPN Tunnel 141 7.5.1 Set Up the VPN Gateway 142 7.5.2 Set Up the VPN Connection 142 7.5.3 Configure Security Policies for the VPN Tunnel 144 7.6 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator 144 7.7 How to Configure User-aware Access Control ... H.323 166 7.12 How to Allow Public Access to a Web Server 167 7.12.1 Create the Address Objects 168 7.12.2 Configure NAT ...168 7.12.3 Set Up a Firewall Rule 169 7.13 How to Use an IPPBX on the DMZ 170 7.13.1 ... Static Public WAN IP Addresses for LAN to WAN Traffic 176 14 ZyWALL USG 300 User's Guide
User Guide
Page 15
... VPN Status Screen 235 9.2.5 The DHCP Table Screen 235 9.2.6 The Number of Login Users Screen 236 Chapter 10 Monitor...239 10.1 Overview ...239 10.1.1 What You Can Do in this Chapter 239 10.2 The Port Statistics Screen 240 10.2.1 The Port Statistics Graph Screen 242 10.3 Interface Status Screen 243 ZyWALL USG 300 User...
User Guide
Page 20
... of Contents 24.1.2 What You Need to Know 458 24.1.3 Firewall Rule Example Applications 460 24.1.4 Firewall Rule Configuration Example 463 24.2 The Firewall Screen ...465 24.2.1 Configuring the Firewall Screen 466 24.2.2 The Firewall Add/Edit Screen 469 24.3 The Session Limit Screen 470 24.3.1 The...Setting Screen 524 26.3.1 How to Upload a Custom Logo 526 26.4 Establishing an SSL VPN Connection 527 Chapter 27 SSL User Screens ...531 27.1 Overview ...531 27.1.1 What You Need to Know 531 27.2 Remote User Login ...532 27.3 The SSL VPN User Screens 537 20 ZyWALL USG 300 User's Guide
User Guide
Page 33
...the rack will safely support the combined weight of the ZyWALL's features. Flexible configuration helps you set up the network and enforce security policies efficiently. ZyWALL USG 300 User's Guide 33 The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion ... methods, and lists different ways to start or stop the ZyWALL. 1.1 Overview and Key Default Settings The ZyWALL is mapped to ge1, 2 is a comprehensive security device. Its flexible configuration helps network administrators set up the network and enforce security policies...
User Guide
Page 39
...the event the master ZyWALL fails (device HA). You can add interfaces and VPN tunnels to provide secure communication between these ports. • One or more information about the features of the following: • Multiple WAN ports and configure load balancing between ... made by zone, not by interface, port, or network. ZyWALL USG 300 User's Guide 39 Virtual Private Networks (VPN) Use IPSec, SSL, or L2TP VPN to zones. The rest of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and...
User Guide
Page 42
... connections to the Internet to provide better service. Figure 5 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can configure the ZyWALL to provide SSL VPN network access to remote users. As the final destination, the ZyWALL appears to be the server to remote users. With reverse proxy mode... your internal servers. There are two SSL VPN network access modes: reverse proxy and full tunnel. 2.2.2.1 Reverse Proxy Mode In reverse proxy mode, the ZyWALL is a proxy that acts on links or entering the provided URL. 42 ZyWALL USG 300 User's Guide You can easily access any...
User Guide
Page 52
...IPSec Displays and manages the ZyWALL's connected L2TP VPN sessions. Status Displays how many mail sessions the ZyWALL is currently checking and DNSBL (Domain Name Service-based spam Black List) statistics. Log Lists log entries. 52 ZyWALL USG 300 User's Guide Table 6 ...Monitor Menu Screens Summary FOLDER OR LINK TAB FUNCTION System Status Port Statistics Displays packet statistics for each physical port. AppPatrol Statistics Displays bandwidth and protocol statistics. Chapter 3 Web Configurator 3.3.2.2 Monitor Menu ...
User Guide
Page 53
... and virtual bridge interfaces. ZyWALL USG 300 User's Guide 53 VLAN Create and manage VLAN interfaces and virtual VLAN interfaces. Chapter 3 Web Configurator 3.3.2.3 Configuration Menu Use the configuration menu screens to define various policies. OSPF Configure device-level OSPF settings, ...Configure zones used to configure the ZyWALL's features. Auxiliary Manage the AUX port. HTTP Redirect Set up and manage port forwarding rules. Table 7 Configuration Menu Screens Summary FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces or VPN...
User Guide
Page 54
... by signature name or attributes and configure how the ZyWALL uses them. Black/White List Set up anti-virus policies and check the anti-virus engine type and the antivirus license and signature status. VoIP Manage VoIP traffic. Custom Signatures Create, import, or export custom signatures. 54 ZyWALL USG 300 User's Guide VPN Gateway Configure IKE tunnels.
User Guide
Page 67
... mask for VPN, DDNS and the time server. ZyWALL USG 300 User's Guide 67 Enter a DNS server's IP address(es). Figure 30 Internet Access: Ethernet Encapsulation • Encapsulation: This displays the type of the interface that will send traffic (the default gateway). • First / Second DNS Server: These fields display if you are configuring. •...
User Guide
Page 69
Options are: ZyWALL USG 300 User's Guide 69 The DNS server is the security zone to you by your (static) public IP address. The ZyWALL uses these (in the previous screen. • First / Second DNS Server: These fields display if you selected static IP address assignment. ...Type - The Domain Name System (DNS) maps a domain name to configure DNS servers. Enter a DNS server's IP address(es). Select an authentication protocol for VPN, DDNS and the time server. Leave the field as 0.0.0.0 if you do not configure a DNS server, you must know the IP address of a computer before...
User Guide
Page 70
...• MSCHAP-V2 - Otherwise, type the Idle Timeout in the next field to confirm it. Your ZyWALL accepts MSCHAP-V2 only. • Type the User Name given to configure DNS servers. 70 ZyWALL USG 300 User's Guide Enter a DNS server's IP address(es). Auto displays if you selected Auto as 0.0.0.0...: These fields display if you by the remote node. • CHAP - Your ZyWALL accepts PAP only. • MSCHAP - You can use alphanumeric and _@$./ characters, and it, you configure to resolve domain names for VPN, DDNS and the time server. Re-type your (static) public IP address. This...
User Guide
Page 141
... 5.4 on page 82 for details on the VPN quick setup wizard. ZyWALL USG 300 User's Guide 141 Figure 95 Funk Odyssey Access Wireless Client Login Example 7.5 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to the wireless interface. Figure 96 VPN Example LAN LAN 1.2.3.4 2.2.2.2 192.168.1.0/24...
User Guide
Page 189
...from the Windows command prompt to make sure the computer is running the Microsoft IPSec service. Make sure you configure the client, issue one of the following to establish an L2TP VPN connection. 1 Click Start > Network > Network and Sharing Center > Set up a connection or network. ...include the quotes. • For Windows XP. Chapter 8 L2TP VPN Example • The other fields are left to the defaults in Section 8.1 on page 185. The example settings in these sections go along with the L2TP VPN configuration example in this example, click Apply. ZyWALL USG 300 User's Guide 189
User Guide
Page 807
... the intranet. Remote User Screen Links Available SSL application names are to be able to access. ZyWALL USG 300 User's Guide 807 Depending on page 812). 48.1.2 What You Need to Know Application Types You can configure the following types of the local computer, server, or web site SSL users are displayed as... also use SSL application objects in the pop-up dialog box to access. You can simply click the links or follow the steps in SSL VPN. CHAPTER 48 SSL Application 48.1 Overview You use the SSL Application Edit screen to specify the name of a folder on a Linux or Windows ...
User Guide
Page 1135
... 556 Default_L2TP_VPN_GW example 185 encapsulation 483 encryption 484 ESP 483 established in two phases 476 fragmentation 479 L2TP VPN 555 local network 475 local policy 483 manual key 482 NetBIOS 482 peer 475 Perfect Forward Secrecy 484 ... outbound traffic 513 status 263 transport mode 510 tunnel mode 510 when IKE SA is disconnected 510 IPSec VPN configuration overview 108 hub and spoke 144 prerequisites 107, 108 see also IPSec troubleshooting 927 tutorial 141 where used...stac compression 806 J Java 680 permissions 47 JavaScript 47 K key pairs 781 ZyWALL USG 300 User's Guide 1135