User Guide
Page 9
Contents Overview
User's Guide ... 31
Introducing the ZyWALL ... 33
Features and Applications ... 39
Web Configurator ... 47
Installation Setup Wizard ... 65
Quick Setup ... 75
Configuration Basics ... 93
Tutorials ... 117
L2TP VPN Example ... 185
Technical Reference ... 223
Dashboard ... 225
Monitor ... 239
... 449
Firewall ... 457
IPSec VPN ... 475
SSL VPN ... 517
SSL User Screens ... 531
SSL User Application Screens ... 541
SSL User File Sharing ... 543
ZyWALL SecuExtender ... 551
L2TP VPN ... 555
Application Patrol ... 559
Anti-Virus ... 585
IDP ... 601
ADP ... 637
ZyWALL USG 300 User's Guide 9
User Guide
Page 12
Table of Contents (excerpt)
3.3.2 Navigation Panel ... 51
3.3.3 Main Window ... 57
3.3.4 Tables and Lists ... 59
Chapter 4 Installation Setup Wizard ... 65
4.1 Installation Setup Wizard Screens ... 65
4.1.1 Internet Access Setup - WAN Interface ... 66
4.1.2 ...
... Internet Access Setup - Second WAN Interface ... 71
4.1.7 Internet Access - ...
... ISP Connection Settings ... 78
5.2.5 Quick Setup Interface Wizard: Summary ... 80
5.3 VPN Quick Setup ... 81
5.4 VPN Setup Wizard: Wizard Type ... 82
5.5 VPN Express Wizard - Scenario ... 83
5.5.1 VPN Express Wizard - ...
5.5.3 VPN Express Wizard - Finish ... 86
5.5.4 VPN Advanced Wizard - Scenario ... 87
5.5.7 VPN Advanced Wizard - Phase 2 ... 90
User Guide
Page 14
... Use the WLAN Interface ... 129
7.5 How to Set Up an IPSec VPN Tunnel ... 141
7.5.1 Set Up the VPN Gateway ... 142
7.5.2 Set Up the VPN Connection ... 142
7.5.3 Configure Security Policies for the VPN Tunnel ... 144
7.6 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator ... 144
7.7 How to Configure User-aware Access Control ... 146
...
7.13.3 Set Up a NAT Policy for the IPPBX ... 173
7.13.4 Set Up a WAN to DMZ Firewall Rule for SIP ... 174
7.13.5 Set Up a DMZ to LAN Firewall Rule for SIP ... 175
7.14 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ... 176
User Guide
Page 15
... VPN Status Screen ... 235
9.2.5 The DHCP Table Screen ... 235
9.2.6 The Number of Login Users Screen ... 236
Chapter 10 Monitor ... 239
10.1 Overview ... 239
10.1.1 What You Can Do in this Chapter ... 239
10.2 The Port Statistics Screen ... 240
10.2.1 The Port Statistics Graph Screen ... 242
10.3 Interface Status Screen ... 243
User Guide
Page 53
Chapter 3 Web Configurator
3.3.2.3 Configuration Menu
Use the configuration menu screens to define various policies.
Table 7 Configuration Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
Quick Setup | | Quickly configure WAN interfaces or VPN connections.
Service | | View the licensed service status ...
PPP | | Create and manage PPPoE and PPTP interfaces.
Bridge | | Create and ...
RIP | | Configure device-level RIP settings.
Zone | | Configure zones used to configure the ZyWALL's features.
DDNS Profile | | Define and manage the ZyWALL's DDNS domain names.
User Guide
Page 67
Chapter 4 Installation Setup Wizard
Note: Enter the Internet access information exactly as ...
... IP Address Assignment ...
... send traffic (the default gateway).
• First / Second DNS Server: These fields display if you selected static IP address assignment in the previous screen. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a machine in order to access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Enter a DNS server's IP address(es). Because VPN peers, DDNS updates and the time server are all resolved through these servers, use resolvers you control or trust: a spoofed answer redirects the tunnel endpoint or the clock source.
User Guide
Page 69
Chapter 4 Installation Setup Wizard
4.1.3.2 WAN IP Address Assignments
• WAN Interface: This is the name of ...
• ... your (static) public IP address.
• First / Second DNS Server: These fields display if you selected static IP address assignment. The DNS server is extremely important because without it you must know the IP address of a machine in order to access it. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Enter a DNS server's IP address(es). Leave the field as ... in ...
Figure 32 Internet Access: PPTP Encapsulation
4.1.5 ISP Parameters
• Authentication Type - Select an authentication protocol for outgoing calls. Options are: ...
User Guide
Page 70
Chapter 4 Installation Setup Wizard
• CHAP/PAP - ...
• MSCHAP - Your ZyWALL accepts MSCHAP only.
• MSCHAP-V2 - ...
Note: PAP sends the account password in clear text; where the ISP supports it, prefer MSCHAP-V2.
... This field can be up to ...
• Otherwise, type the Idle Timeout in ...
• Type a Base IP Address (static) assigned to you by your broadband modem or router.
• ... It must know the IP address of the PPTP server.
• Type ...
• First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Use up to ... DNS servers.
User Guide
Page 75
CHAPTER 5 Quick Setup
5.1 Quick Setup Overview
The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. ... Click this link to set up a WAN (Internet) connection ... if you use PPPoE or PPTP. See Section 5.2 on page 82. See the feature-specific chapters in this ... before configuring the quick setup screens in the ZyWALL ...
User Guide
Page 80
Chapter 5 Quick Setup
5.2.5 Quick Setup Interface Wizard: Summary
This screen displays the WAN interface's settings. Click Back to return to ... to continue.
Figure 43 Interface Wizard: Summary WAN (PPTP Shown)
The following table ...
Service Name: This field only appears for ... in the ISP account.
... This field only appears for an interface with a static IP address. The Domain Name System (DNS) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a machine in order to access it. The ZyWALL uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. If you do not configure a DNS server, you ... to the right.
User Guide
Page 81
Chapter 5 Quick Setup
Idle Timeout: ... the time in seconds that the connection can be idle before the router automatically disconnects from the PPPoE server. 0 means no timeout.
IP Address Assignment: This field displays whether the WAN IP address is Static ...
... these fields display the DNS server IP address(es) ...
5.3 VPN Quick Setup
... settings and address objects that you can ...
Figure 44 VPN Quick Setup Wizard
User Guide
Page 82
Chapter 5 Quick Setup
5.4 VPN Setup Wizard: Wizard Type
A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network. The VPN connection can be to another ZLD-based ZyWALL or other IPSec device. ...: Use this wizard to create ... Use this screen to select which type of VPN connection you want to configure.
User Guide
Page 83
Chapter 5 Quick Setup
5.5 VPN Express Wizard - Scenario
... to display the following screen.
Figure 46 VPN Express Wizard: Step 2
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Scenario: Select the scenario that best describes your intended VPN connection.
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients.
• Remote Access (Client Role) - Choose this to connect to ... This ZyWALL can initiate the VPN tunnel.
User Guide
Page 84
Chapter 5 Quick Setup
5.5.1 VPN Express Wizard - Configuration
Figure 47 VPN Express Wizard: Step 3
• Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. Otherwise, identify the remote IPSec device (secure gateway) by its IP address or a domain name.
• Pre-Shared Key: Both ends of the tunnel must use the same key. Use 8 to 31 case-sensitive ASCII characters or 8 to ... hexadecimal characters; precede a hexadecimal key with "0x". You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
• ... : ... local IP address configured on the remote IPSec device.
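The Rule Name and Pre-Shared Key constraints above (and the same Rule Name rule in the Advanced wizard on page 87) are easy to get wrong when keys are generated and pasted into two devices by different people. The following added example, not code from the manual or from ZyXEL, checks a wizard's inputs before they are typed in: it validates the rule name, parses an ASCII or "0x"-prefixed hexadecimal key, compares the two ends' keys byte for byte (a mismatch is what produces the PYLD_MALFORMED notification), and gives a rough strength bound. Assumptions that the page does not state: a hex key carries at most 62 hex digits, spaces are not allowed in an ASCII key, and the device decodes a "0x" key to raw bytes, so an ASCII key and its hex spelling are the same key.

```python
import hmac
import math
import string
from typing import Optional

# Constraints quoted from the VPN Express/Advanced wizard text:
#   Rule Name: 1-31 alphanumeric characters, underscores or dashes, first
#              character not a number, case-sensitive.
#   Pre-Shared Key: 8-31 case-sensitive ASCII characters, or a hexadecimal key
#              preceded by "0x". Both ends must use the same key or IKE fails
#              with a PYLD_MALFORMED (payload malformed) notification.
# ASSUMPTIONS (not stated on the page): a hex key has at most 62 hex digits
# (31 bytes), spaces are not allowed in an ASCII key, and the device compares
# the decoded bytes, so "0x736563726574313233" and "secret123" are one key.
NAME_MAX = 31
PSK_MIN, PSK_MAX = 8, 31
HEX_MIN_DIGITS, HEX_MAX_DIGITS = 8, 62  # upper bound is an assumption
NAME_CHARS = set(string.ascii_letters + string.digits + "_-")


def validate_rule_name(name: str) -> list[str]:
    """Return the list of rule violations; an empty list means the name is valid."""
    problems = []
    if not 1 <= len(name) <= NAME_MAX:
        problems.append(f"rule name must be 1-{NAME_MAX} characters")
    if name and name[0].isdigit():
        problems.append("first character cannot be a number")
    if any(c not in NAME_CHARS for c in name):
        problems.append("only letters, digits, '_' and '-' are allowed")
    return problems


def parse_psk(psk: str) -> bytes:
    """Return the key bytes the peer must match, raising ValueError on a bad key."""
    if psk[:2].lower() == "0x":
        digits = psk[2:]
        if not HEX_MIN_DIGITS <= len(digits) <= HEX_MAX_DIGITS:
            raise ValueError(f"hex key needs {HEX_MIN_DIGITS}-{HEX_MAX_DIGITS} hex digits")
        if len(digits) % 2:
            raise ValueError("hex key needs an even number of hex digits")
        if any(c not in string.hexdigits for c in digits):
            raise ValueError("hex key contains non-hexadecimal characters")
        return bytes.fromhex(digits)
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        raise ValueError(f"ASCII key must be {PSK_MIN}-{PSK_MAX} characters")
    if any(not 0x21 <= ord(c) <= 0x7E for c in psk):
        raise ValueError("ASCII key must be printable 7-bit ASCII without spaces")
    return psk.encode("ascii")


def psk_problem(psk: str) -> Optional[str]:
    """Return the error message for an unacceptable key, or None if it is valid."""
    try:
        parse_psk(psk)
    except ValueError as exc:
        return str(exc)
    return None


def keys_match(local_psk: str, remote_psk: str) -> bool:
    """Constant-time comparison of the two ends' keys as the peers would see them."""
    return hmac.compare_digest(parse_psk(local_psk), parse_psk(remote_psk))


def psk_strength_bits(psk: str) -> float:
    """Upper-bound entropy estimate: a random hex key gives 8 bits per byte; an
    ASCII key gives log2(alphabet size) per character for the classes it uses.
    A human-chosen phrase has far less entropy than this bound."""
    key = parse_psk(psk)
    if psk[:2].lower() == "0x":
        return 8.0 * len(key)
    alphabet = 0
    if any(c.islower() for c in psk):
        alphabet += 26
    if any(c.isupper() for c in psk):
        alphabet += 26
    if any(c.isdigit() for c in psk):
        alphabet += 10
    if any(not c.isalnum() for c in psk):
        alphabet += 32  # printable ASCII punctuation, approximately
    return len(psk) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the manual.
    for name in ("Branch-VPN_1", "1branch", "bad name"):
        print(name, validate_rule_name(name) or "ok")
    print(keys_match("secret123", "0x736563726574313233"))  # same bytes, two spellings
    print(round(psk_strength_bits("secret123"), 1), psk_strength_bits("0x" + "a1" * 31))
```

A 31-character random hex key is the strongest form the wizard accepts under these assumptions (248 bits of key material); a 9-character lower-case-plus-digit key like "secret123" is bounded at about 46 bits even before dictionary effects, so generate the key rather than choosing it.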
User Guide
Page 85
Chapter 5 Quick Setup
• Pre-Shared Key: VPN tunnel password. ... the remote IPSec device that ... can initiate the VPN connection.
5.5.2 VPN Express Wizard - Summary
This screen provides a read-only summary of the ... the computers on ... If this VPN tunnel ... you can use a text editor to save the commands displayed as a shell script file with a ".zysh" filename extension and use it to configure the remote IPSec device as the other end of the tunnel.
User Guide
Page 86
Chapter 5 Quick Setup
5.5.3 VPN Express Wizard - Finish
Figure 49 VPN Express Wizard: Step 6
Now you can use the VPN tunnel.
Note: If you have not already done so, you can use the myZyXEL.com link to register your ZyWALL with myZyXEL.com and activate trials of services like IDP.
Click Close to exit the wizard.
User Guide
Page 87
Chapter 5 Quick Setup
5.5.4 VPN Advanced Wizard - Scenario
Click the Advanced radio button as shown in ... to display the following screen.
Figure 50 VPN Advanced Wizard: Scenario
Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores ...
Scenario:
• Site-to-site - Choose this if the remote IPSec device has a static IP address or a domain name.
• Site-to-site with Dynamic Peer - Choose this if the remote IPSec device has a dynamic IP address. Only the remote IPSec device can initiate the VPN tunnel.
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. ... users.
User Guide
Page 88
Chapter 5 Quick Setup
• Remote Access (Client Role) - Choose this to connect to ... This ZyWALL can initiate the VPN tunnel.
5.5.5 VPN Advanced Wizard - ...
There are two phases to every IKE (Internet Key Exchange) negotiation - phase 1 (Authentication) and phase 2 (Key Exchange). ...
• Negotiation Mode - Select Main ... or Aggressive to ... Both sender and receiver must have the same negotiation mode.
Note: Multiple SAs connecting through a secure gateway must have the same negotiation mode.
• Encryption Algorithm - Both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to ... DES ...
User Guide
Page 89
Chapter 5 Quick Setup
• ... 3DES ... that uses a 168-bit key.
• Authentication Algorithm - MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. ...
• Key Group - DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number. ... increased latency and decreased throughput.
• ... to use one of the ZyWALL's certificates ...
• ... See VPN, NAT, and NAT Traversal on page 508 for ... if ... the VPN tunnel ... the remote IPSec device must also have NAT traversal enabled.
• ... for at least 15 seconds, the ZyWALL sends a message to the remote IPSec device. If it responds, the ZyWALL transmits the data.
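The phase 1 choices on pages 88 and 89 (negotiation mode, encryption algorithm, authentication hash, key group, NAT traversal) decide how strong the tunnel is, and the wizard's DH1 default is the weakest group offered. The following added example, not code from the manual or from ZyXEL, audits a phase 1 proposal against those parameters: it flags DES, MD5 and DH1, flags Aggressive mode combined with a pre-shared key (the responder's PSK-derived hash travels in the clear in that exchange, which allows an offline dictionary attack on the key), and checks the NAT traversal rule. The effective-strength figures in bits follow NIST SP 800-57 guidance rather than the manual, and the AES and DH14 rows are assumed options the page does not list; the `Phase1Proposal` class and its field names are this example's own.

```python
from dataclasses import dataclass

# Phase 1 parameters the wizard text describes: DES (56-bit key) and 3DES
# (168-bit key) encryption, MD5 and SHA1 hashes, key groups DH1 (768-bit),
# DH2 (1024-bit) and DH5 (1536-bit). Effective strengths in bits follow
# NIST SP 800-57, not the manual: 3DES has a 168-bit key but only ~112 bits
# of strength because of the meet-in-the-middle attack. AES and DH14 are
# assumed extra options that the page does not list.
ENCRYPTION_BITS = {"DES": 56, "3DES": 112, "AES128": 128, "AES256": 256}
HASH_STATUS = {"MD5": "deprecated", "SHA1": "acceptable", "SHA256": "preferred"}
DH_GROUPS = {  # name -> (modulus size in bits, effective strength in bits)
    "DH1": (768, 62),
    "DH2": (1024, 80),
    "DH5": (1536, 90),
    "DH14": (2048, 112),
}
MIN_STRENGTH_BITS = 80  # anything weaker is reported


@dataclass(frozen=True)
class Phase1Proposal:  # hypothetical container for one gateway's phase 1 settings
    negotiation_mode: str          # "Main" or "Aggressive"; both ends must agree
    encryption: str                # key of ENCRYPTION_BITS
    authentication: str            # hash, key of HASH_STATUS
    key_group: str                 # key of DH_GROUPS
    auth_method: str = "PSK"       # "PSK" or "Certificate"
    nat_between_peers: bool = False
    nat_traversal: bool = False


def effective_strength_bits(p: Phase1Proposal) -> int:
    """The SA is only as strong as its weakest primitive: the cipher key or the
    Diffie-Hellman group that protects the key exchange."""
    return min(ENCRYPTION_BITS[p.encryption.upper()], DH_GROUPS[p.key_group.upper()][1])


def audit_phase1(p: Phase1Proposal) -> list[str]:
    """Return the findings for one proposal; an empty list means it passes."""
    findings = []
    enc = p.encryption.upper()
    if ENCRYPTION_BITS[enc] < MIN_STRENGTH_BITS:
        findings.append(f"{enc}: {ENCRYPTION_BITS[enc]}-bit effective key is brute-forceable; use 3DES or AES")
    if HASH_STATUS[p.authentication.upper()] == "deprecated":
        findings.append(f"{p.authentication.upper()}: deprecated hash; use SHA1 or stronger")
    size, strength = DH_GROUPS[p.key_group.upper()]
    if strength < MIN_STRENGTH_BITS:
        findings.append(f"{p.key_group.upper()}: {size}-bit group gives only ~{strength} bits; use DH5 or higher")
    if p.negotiation_mode.lower() == "aggressive" and p.auth_method.upper() == "PSK":
        findings.append("Aggressive mode with a pre-shared key exposes the PSK-derived hash to an "
                        "offline dictionary attack; use Main mode or certificates")
    if p.nat_between_peers and not p.nat_traversal:
        findings.append("a NAT device between the peers requires NAT traversal enabled on both ends")
    return findings


# Constructed proposals: DH1 is the wizard default named on the page; pairing it
# with DES and MD5 is a worst case built from the listed options, beside a
# hardened proposal that also uses only options the page lists.
WEAK = Phase1Proposal("Main", "DES", "MD5", "DH1")
HARDENED = Phase1Proposal("Main", "3DES", "SHA1", "DH5")

if __name__ == "__main__":
    for label, proposal in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: ~{effective_strength_bits(proposal)} bits of effective strength")
        for finding in audit_phase1(proposal):
            print("  -", finding)
```

Run both proposals through the audit and the point of the page's caveats becomes concrete: the weak set is bounded by DES at 56 bits regardless of the group chosen, while the hardened set reaches about 90 bits and is capped by DH5, which is why the key group deserves as much attention as the cipher.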
User Guide
Page 108
MENU ITEM(S): Configuration > VPN > IPSec VPN; ... on the LAN can also use the Quick Setup VPN Setup wizard. Make sure each rule is in the correct place in order.
PREREQUISITES: Interfaces, routes, zones, certificates (authentication), authentication methods (extended authentication), addresses (local network, remote network, NAT), to-ZyWALL firewall, firewall.
L2TP VPN Example: See Chapter 7 on ...