User Manual
Page 7
Document Conventions

Icons Used in Figures

Figures in this User's Guide may use the following generic icons: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router.

The ZyWALL icon is not an exact representation of your device.

ZyWALL USG 50 User's Guide 7
Page 9
Contents Overview

User's Guide ... 29
Introducing the ZyWALL ... 31
Features and Applications ... 37
Web Configurator ... 43
Installation Setup Wizard ... 59
Quick Setup ... 69
Configuration Basics ... 87
Tutorials ... 109
Technical ...
...
Authentication Policy ... 349
Firewall ... 357
IPSec VPN ... 375
SSL VPN ... 411
SSL User Screens ... 421
SSL User Application Screens ... 431
ZyWALL SecuExtender ... 433
Application Patrol ... 437
Anti-Virus ... 463
IDP ... 479
ADP ... 513
Content Filtering ... 533
Content Filter Reports ... 557
Anti-Spam ... 565
User/Group ... 583
Page 13
Table of Contents

6.4 Packet Flow ... 91
6.4.1 Routing Table Checking Flow ... 92
6.4.2 NAT Table Checking Flow ... 94
6.5 Feature Configuration Overview ... 95
6.5.1 Feature ... 95
...
... Policy ... 100
6.5.14 Firewall ... 101
6.5.15 IPSec VPN ... 102
6.5.16 SSL VPN ... 102
6.5.17 Application Patrol ... 102
6.5.18 Anti-Virus ... 103
6.5.19 IDP ... 103
6.5.20 ADP ... 103
6.5.21 Content ...
...
... a WAN Ethernet Interface ... 110
7.1.2 Configure Port Roles ... 111
7.1.3 Configure the DMZ Interface for a Local Network ... 111
7.1.4 Configure Zones ... 112
7.2 How to Configure a Cellular Interface ... 113
Page 14
...
... Set Up User Authentication Using the RADIUS Server ... 124
7.5.4 Web Surfing Policies With Bandwidth Restrictions ... 126
7.5.5 Set Up MSN Policies ... 129
7.5.6 Set Up Firewall Rules ... 130
7.6 How to Use a RADIUS Server to Authenticate User Accounts based on Groups ... 131
7.7 How to Use Endpoint Security and Authentication ...
...
... Firewall Rule for SIP ... 151
7.12 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ... 152
7.12.1 Create the Public IP Address Range Object ... 152
7.12.2 Configure the Policy Route ... 153

Part II: Technical Reference ... 155

Chapter 8 Dashboard ... 157
Page 18
...
Chapter 22 Firewall ... 357
22.1 Overview ... 357
22.1.1 What You Can Do in this Chapter ... 357
22.1.2 What You Need to Know ... 358
22.1.3 Firewall Rule Example Applications ... 360
22.1.4 Firewall Rule Configuration Example ... 363
22.2 The Firewall Screen ... 365
22.2.1 Configuring the Firewall Screen ... 366
22.2.2 The Firewall Add/Edit Screen ... 369
Page 31
... publicly accessible servers. The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. You can also use a 3G cellular USB ... (not included) ... for your company. See Chapter 2 on page 37 for a more detailed overview of the ZyWALL.
Page 37
Chapter 2 Features and Applications

... information about the features of the ZyWALL.

2.1 Features

The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and ... It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.

• ... ports and configure load balancing ...
• ... between two sites over the Internet or any insecure network that uses TCP/IP for communication.
• ... SSL to provide secure communication between these ports.
• One or more ...
Page 38
... allowed unless ... it is a stateful inspection firewall ...

This policy-based bandwidth allocation helps your ZyWALL to ...

... category-based content filtering ... an external database of dynamically-updated ratings of ...

The ZyWALL's ADP protects against ... It can detect:
• ... anomalies based on ... (see page 490 for Comments)
• Abnormal flows such as port scans.

You can also create your own custom ADP rules. For example, ... traffic from a pre-defined list.
Page 49
... not apply IP/MAC binding.
Exempt List: Configure ranges of ...
... interfaces) for an installed 3G card.
Firewall: Create and manage level-3 traffic rules.
OSPF: Configure device-level OSPF settings, including areas and virtual links.
Auth. ...
Bridge: Create and manage bridges and virtual bridge interfaces.
DDNS ...
Page 53
Chapter 3 Web Configurator

3.3.3.2 Site Map

... links to the Web Configurator screens. Click a screen's link to go to that screen.

Figure 16 Site Map

3.3.3.3 Object Reference

Click Object Reference to show which configuration settings reference the object. Select the type of ... The following example shows which configuration settings reference the ldap-users user object (in this case the first firewall rule).

Figure 17 Object Reference
Page 57
... to create a new entry.

Move: To change an entry's position in a numbered list, select it and click Move ... For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate. See Section 11.3.2 on ...

In some lists you can just click a table entry and edit it directly ... A sample is shown next ...

For features where the entry's position in the numbered list is important (features where the ZyWALL applies the table's entries in order, like the firewall for example), ...
Page 87
... page 105 identifies the objects that use ...

Once you configure an object, the ZyWALL automatically updates all the firewall, application patrol, content filter, and other settings that use these objects whenever you change the object's settings. For example, if you change an interface's IP address settings, ... Settings that use a schedule automatically apply the updated schedule. ... as objects ... before and after you configure the main screens ...

You should configure the member interfaces before you configure the trunk. After you configure a trunk for load-balancing, you should configure a policy route for it.
Page 88
... or settings that (layer-3) packets pass through. ... Use interfaces in configuring other features. Port roles combine physical ports into interfaces. If you connect a cable ...

Zones (groups of interfaces and VPN tunnels) simplify security settings. Use zones to be able to apply security settings such as firewall, IDP, remote management, antivirus, and application patrol. For a list of interfaces and VPN tunnels ...

... you can use them in configuration. You can also usually select Create new Object ... Use the Object Reference screen (Section 3.3.3.3 on page 53) ...
Page 91
This section highlights some terminology or organization for ZLD-based ZyWALLs.

Table 15 ZLD ZyWALL Terminology
FEATURE / TERM | ZLD ZYWALL FEATURE / TERM
IP alias | ...
OSI level-7 bandwidth management | Application patrol
General bandwidth management | Policy route

6.4 Packet Flow

Here is the order in which the ZyWALL applies its features and checks:

... > NAT > Routing > Stateful Firewall > ADP > Application Classification > IDP > Anti-virus > Application Patrol > Content Filter > Anti-Spam > SNAT > Bandwidth Management > Traffic Out
Page 93
Chapter 6 Configuration Basics

6.4.1 Routing Table Checking Flow

Figure 53 Routing Table Checking Flow

1 Direct-connected Subnets: The ZyWALL first checks ... If a private network server ... that will initiate sessions to the outside clients ... See Chapter 13 on page 281 for more ...

... 1 to 1 NAT rules. A many 1 to 1 NAT entry works like multiple 1 to ...

... of the sections, the ZyWALL stops checking the packets against the routing table and moves on to ... the firewall check. See Section 17.2.1 on page 324 for ... example ...

... to send packets through the appropriate interface or VPN tunnel.
Page 98
Chapter 6 Configuration Basics

... firewall rules, assign an IDP profile, or configure remote management for your WAN connection (wan1 and wan2 are ...) ... for the new zone. To create the DMZ-2 zone, click Network > Zone and then the Add icon. The ZyWALL uses zones, not interfaces, in many security settings, such as firewall rules and remote management. Zones cannot overlap.

8 For the Next Hop fields, ...

Note: The ZyWALL checks the policy routes in the order that you ... So make sure that your custom policy route comes before any ...
Page 99
... forwards FTP sessions from the WAN to the DMZ.

1 Click Configuration > Network > NAT ...
...
4 Specify the ... public WAN IP address where the ZyWALL will forward the packets received for ... to a dynamic IP address ...
6 In Mapping Type, select Port.
7 Enter 21 in ... through.
...
Note: The ZyWALL only checks regular (through-ZyWALL) firewall rules for the original IP address.

... the FTP traffic is ...
Page 100
... 6 Specify the port number to use for packets that you forward to the proxy server.

... ZyWALL firewall rules for the HTTP traffic that are redirected by HTTP redirect. It does check regular (through-ZyWALL) firewall rules.

6.5.12 ALG

The ZyWALL's Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers.

MENU ITEM(S): Configuration > Network > ALG

6.5.13 Auth. Policy

PREREQUISITES: Addresses, services, endpoint security objects, users, authentication methods
Page 101
Chapter 6 Configuration Basics

6.5.14 Firewall

The firewall controls the travel of traffic between or within zones. ... VoIP users on schedules, specific users (or user groups), source or destination addresses (or address groups) and services (or service groups). Each of these objects must be configured in a different screen.
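The behaviour described across pages 57 (Move), 88 and 98 (zones group interfaces and cannot overlap), 91 (NAT before routing before the stateful firewall), 99 (a port-forwarding NAT entry, with firewall rules checked against the original IP address) and 101 (the firewall acts on zones, addresses and services) can be modelled in a short simulation. The Python below is an added example, not code from the User's Guide or from ZyXEL; the topology (lan1, dmz and wan1 subnets, the 203.0.113.10 WAN address, the DMZ FTP server), the rule names, the reduction of routing to the directly-connected-subnet check, and the default deny for unmatched traffic are all constructed assumptions.

```python
# Added example (not from the ZyWALL User's Guide or ZyXEL): a toy model of
# NAT > Routing > Stateful Firewall with a zone-based, first-match rule table
# that can be re-ordered with "Move". Topology and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: interface -> directly connected subnet.
ROUTES = {
    "lan1": ip_network("192.168.1.0/24"),
    "dmz": ip_network("192.168.3.0/24"),
    "wan1": ip_network("203.0.113.0/24"),
}
# Zones group interfaces; firewall rules name zones, not interfaces.
ZONES = {"LAN": {"lan1"}, "DMZ": {"dmz"}, "WAN": {"wan1"}}


def interface_zones(zones=ZONES):
    """Return interface -> zone, rejecting overlaps (zones cannot overlap)."""
    owner = {}
    for zone, members in zones.items():
        for iface in members:
            if iface in owner:
                raise ValueError(f"{iface} is in both {owner[iface]} and {zone}")
            owner[iface] = zone
    return owner


def route(dst, routes=ROUTES):
    """Routing step reduced to its first check, directly connected subnets.
    Anything else leaves by the default route (assumed to be wan1)."""
    for iface, net in routes.items():
        if ip_address(dst) in net:
            return iface
    return "wan1"


@dataclass
class NatRule:  # a Virtual Server entry with Mapping Type = Port
    wan_ip: str
    port: int
    server: str


@dataclass
class FwRule:
    name: str
    from_zone: str
    to_zone: str
    dst: Optional[str]  # destination address object as CIDR, None = any
    service: Optional[int]  # TCP port, None = any
    action: str  # "allow" or "deny"


def dnat(dst, dport, nat_rules):
    """NAT step: map a public WAN address/port to the internal server."""
    for r in nat_rules:
        if r.wan_ip == dst and r.port == dport:
            return r.server
    return dst


def first_match(rules, from_zone, to_zone, dst, dport):
    """Entries are applied in table order; the first match decides.
    Returns (1-based rule number or None, action). Unmatched traffic is
    denied here, which is an assumption of this toy, not a device default."""
    for number, r in enumerate(rules, start=1):
        if (r.from_zone, r.to_zone) != (from_zone, to_zone):
            continue
        if r.dst is not None and ip_address(dst) not in ip_network(r.dst):
            continue
        if r.service is not None and r.service != dport:
            continue
        return number, r.action
    return None, "deny"


def move(rules, name, position):
    """Web Configurator 'Move': the entry becomes number `position` and the
    entry that previously held that number is pushed one place up or down."""
    index = next(i for i, r in enumerate(rules) if r.name == name)
    rules.insert(position - 1, rules.pop(index))
    return rules


def process(in_iface, dst, dport, nat_rules, fw_rules, zones=ZONES):
    """NAT > Routing > Stateful Firewall, in the packet-flow order. The
    destination zone comes from routing the translated address, while the
    rule match uses the original destination IP, as the NAT note states."""
    owner = interface_zones(zones)
    translated = dnat(dst, dport, nat_rules)
    out_iface = route(translated)
    number, action = first_match(
        fw_rules, owner[in_iface], owner[out_iface], dst, dport)
    return {"translated": translated, "to_zone": owner[out_iface],
            "rule": number, "action": action}


# Constructed sample: forward FTP (21) on the WAN address to a DMZ host, with
# a broad WAN-to-DMZ deny placed above the specific allow so it shadows it.
NAT_RULES = [NatRule("203.0.113.10", 21, "192.168.3.5")]
FW_RULES = [
    FwRule("block-dmz", "WAN", "DMZ", None, None, "deny"),
    FwRule("allow-ftp", "WAN", "DMZ", "203.0.113.10/32", 21, "allow"),
]

if __name__ == "__main__":
    rules = list(FW_RULES)
    print(process("wan1", "203.0.113.10", 21, NAT_RULES, rules))  # deny, rule 1
    move(rules, "allow-ftp", 1)
    print(process("wan1", "203.0.113.10", 21, NAT_RULES, rules))  # allow, rule 1
```

Run as-is, the first decision is a deny from rule 1: the broad WAN-to-DMZ deny sits above the FTP allow and shadows it, which is the situation the Move control exists to fix; after moving allow-ftp to position 1 the same packet is allowed. Note that the DMZ zone is found by routing the translated address, whereas the rule's destination address object must name the public WAN address because the firewall match uses the original IP; a rule written against 192.168.3.5 would never match in this model.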
Page 102
6.5.15 IPSec VPN

... (extended authentication), addresses (local network, remote network, NAT), ...
WHERE USED: Policy routes, zones, to-ZyWALL firewall, firewall
Example: See Chapter 7 on page 109.

6.5.16 SSL VPN

Use SSL VPN to provide secure communication ... over the Internet or any insecure network that uses TCP/IP ... for Bob (User/Group).
WHERE USED: Policy routes, zones, to-ZyWALL firewall, firewall
Example: See Chapter 7 on page 109.

6.5.17 Application Patrol

Use application patrol to ... which services ... through the ZyWALL (and when they can ...). You can also specify allowed amounts of ...