User Manual
Page 9
... ALG ...335 IP/MAC Binding ...343 Authentication Policy ...349 Firewall ...357 IPSec VPN ...375 SSL VPN ...411 SSL User Screens ...421 SSL User Application Screens 431 ZyWALL SecuExtender ...433 Application Patrol ...437 Anti-Virus ...463 IDP ...479 ADP ...513 Content Filtering ...533 Content Filter Reports ...557 Anti-Spam ...565 User/Group ...583 ZyWALL USG 50 User's Guide 9
User Manual
Page 13
..., SNMP, Vantage CNM 106 6.7.2 Logs and Reports ...107 6.7.3 File Manager ...107 6.7.4 Diagnostics ...108 6.7.5 Shutdown ...108 Chapter 7 Tutorials ...109 7.1 How to Configure Interfaces, Port Roles, and Zones 109 7.1.1 Configure a WAN Ethernet Interface 110 7.1.2 Configure Port Roles 111 7.1.3 Configure the DMZ Interface for a Local Network 111 7.1.4 Configure Zones ...112 7.2 How to Configure a Cellular Interface 113 ZyWALL USG 50 User's Guide 13
User Manual
Page 14
...115 7.3.1 Set Up Available Bandwidth on Ethernet Interfaces 115 7.3.2 Configure the WAN Trunk 116 7.4 How to Set Up an IPSec VPN Tunnel 118 7.4.1 Set Up the VPN Gateway 119 7.4.2 Set Up the VPN Connection 120 7.4.3 Configure Security Policies for the VPN Tunnel 121 7.5 How to Configure User-aware Access Control 122 7.5.1 Set Up User Accounts ... Static Public WAN IP Addresses for LAN to WAN Traffic 152 7.12.1 Create the Public IP Address Range Object 152 7.12.2 Configure the Policy Route 153 Part II: Technical Reference 155 Chapter 8 Dashboard ...157 14 ZyWALL USG 50 User's Guide
User Manual
Page 37
...Multiple WAN ports and configure load balancing between two sites over the Internet or any insecure network that uses TCP/IP for communication. As a result, it is much simpler to set up and to change security settings in the ZyWALL. ZyWALL USG 50 User's Guide 37 ...CHAPTER 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. Virtual Private Networks (VPN) Use IPSec, SSL to zones. You can add interfaces and VPN tunnels to provide secure communication between...
User Manual
Page 49
...Configure ranges of IP addresses to each supported interface. VPN Gateway Configure IKE tunnels. NAT Set up and manage HTTP redirection rules. HTTP Redirect Set up and manage port forwarding rules. VPN IPSec VPN VPN Connection Configure IPSec tunnels. Global Setting Configure the ZyWALL's SSL VPN.... Zone Configure zones used to all connections. ALG Configure SIP, H.323, and FTP pass-through settings. SSL VPN Access Privilege Configure SSL VPN access rights for an installed 3G card. RIP Configure device-level RIP settings. ZyWALL USG 50 User's Guide...
User Manual
Page 91
ZyWALL USG 50 User's Guide 91 Table 15 ZLD ZyWALL Terminology FEATURE / TERM ZLD ZYWALL FEATURE / TERM IP alias Virtual interface Gateway policy VPN gateway Network policy (IPSec SA) VPN connection Source NAT (SNAT) Policy route Trigger port, port triggering Policy route Address mapping Policy route Address mapping (VPN) IPSec VPN...-Spam > SNAT > Bandwidth Management > Traffic Out. Traffic in which the ZyWALL applies its features and checks. Chapter 6 Configuration Basics 6.3 Terminology in the ZyWALL This section highlights some terminology or organization for ZLD-based...
User Manual
Page 94
Chapter 6 Configuration Basics 4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for more information. 6 Default WAN Trunk: For any traffic coming in through an internal interface, if it through RIP and OSPF. Disabling the IPSec VPN feature's Use Policy Route to bottom. As soon as ... 94 ZyWALL USG 50 User's Guide See Chapter 13 on page 281 for the VPN rules. See Section 12.2 on page 378). 5 Static and Dynamic Routes: This section contains the user-configured static routes and the dynamic routing information learned from top to control dynamic IPSec rules ...
User Manual
Page 96
...ZyWALL and subscribe to services like antivirus, IDP and application patrol, more SSL VPN tunnels, and content filtering. MENU ITEM(S) Configuration > Network > Interface (except Network > Interface > Trunk) PREREQUISITES Port groups (configured in the Interface > Port Grouping screen) WHERE USED Zones, trunks, IPSec VPN... myZyXEL.com. To configure dmz's settings, click Network > Interface > Ethernet and then the dmz's Edit icon. 96 ZyWALL USG 50 User's Guide Chapter 6 Configuration Basics 6.5.2 Licensing Registration Use these screens to update the ZyWALL's signature packages for ...
User Manual
Page 97
... for bandwidth management (out of FTP traffic that the traffic comes in through the appropriate interface or VPN tunnel. ZyWALL USG 50 User's Guide 97 MENU ITEM(S) Configuration > Network > Routing > Policy Route Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups PREREQUISITES Next-hop: addresses (HOST...
User Manual
Page 98
... Zones See Section 6.2 on which they run. The ZyWALL uses zones, not interfaces, in the order that your WAN connection (wan1 and wan2 are the default WAN interfaces). MENU ITEM(S) Configuration > Network > Zone PREREQUISITES Interfaces, IPSec VPN, SSL VPN WHERE USED Firewall, IDP, remote management, anti-virus...before any firewall rules, assign an IDP profile, or configure remote management for background information. You may also want to create the DMZ-2 zone, click Network > Zone and then the Add icon. 98 ZyWALL USG 50 User's Guide Virtual interfaces are listed. When you create...
User Manual
Page 102
... uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN. MENU ITEM(S) Configuration > VPN > SSL VPN Interfaces, SSL application, users, user groups, addresses (network PREREQUISITES list, IP pool for Bob (User/Group). 102 ZyWALL USG 50 User's Guide You must subscribe to ...also use the Quick Setup VPN Setup wizard. Chapter 6 Configuration Basics 6.5.15 IPSec VPN Use IPSec VPN to give remote users secure network access. MENU ITEM(S) Configuration > VPN > IPSec VPN; you want to allow vice president Bob to use which services through the ZyWALL (and when they can ...
User Manual
Page 118
Figure 66 Configuration > Network > Interface > Trunk 7.4 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 76 for details on the VPN quick setup wizard. Figure 67 VPN Example LAN LAN 118 1.2.3.4 192.168.1.0/24 2.2.2.2 172.16.1.0/24 ZyWALL USG 50 User's Guide Chapter 7 Tutorials 3 Select the trunk as the default trunk and click Apply.
User Manual
Page 119
... the LAN subnet behind peer IPSec router Y (172.16.1.0/24). 7.4.1 Set Up the VPN Gateway The VPN gateway manages the IKE SA. For the Authentication, select Pre-Shared Key and enter 12345678. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in the Primary field. Figure 68 Configuration > VPN > IPSec VPN > VPN Gateway > Add ZyWALL USG 50 User's Guide 119
User Manual
Page 120
... up the Network field to 172.16.1.0 and the Netmask to SUBNET. Click the Add icon. 120 ZyWALL USG 50 User's Guide Click the Add icon. 2 Give the new address object a name ("VPN_REMOTE_SUBNET"), change the Address Type to 255.255.255.0. Figure 69 Configuration > Object > Address > Add 3 Click Configuration > VPN > IPSec VPN > VPN Connection. Click OK. Set up the...
User Manual
Page 121
...) that apply to a device on the peer IPSec router's LAN or click Configuration > VPN > IPSec VPN > VPN Connection and use the VPN connection screen's Connect icon. 7.4.3 Configure Security Policies for the remote. Under VPN Gateway select Site-to the IPSec_VPN zone. The new VPN connection was assigned to -site and the VPN gateway (VPN_GW_EXAMPLE). ZyWALL USG 50 User's Guide 121 Make sure all firewalls...
User Manual
Page 377
... are also known as dial-in user). This ZyWALL must have a dynamic IP address. This ZyWALL can let multiple clients connect. Chapter 23 IPSec VPN Application Scenarios The ZyWALL's application scenarios make it . Client role ZyWALLs initiate IPSec VPN connections to configure your VPN connection settings. ZyWALL USG 50 User's Guide 377 Table 111 IPSec VPN Application Scenarios SITE-TO-SITE SITE-TO-SITE WITH...
User Manual
Page 378
... VPN tunnels and other features. See Chapter 41 on page 633. 23.2 The VPN Connection Screen Click Configuration > VPN > IPSec VPN to authenticate each other's certificates. You should set up the authentication method (AAA server) first. If the ZyWALL is...VPN connection (each other. The authentication method specifies how the ZyWALL authenticates the remote IPSec router. The VPN Connection screen lists the VPN connection policies and their associated VPN gateway(s), and various settings. Make sure the ZyWALL and the remote IPSec router will trust each IPSec 378 ZyWALL USG 50...
User Manual
Page 379
... entry's settings. To turn on an entry, select it is discussed in the following table. Chapter 23 IPSec VPN SA). To connect an IPSec SA, select it and click Inactivate. ZyWALL USG 50 User's Guide 379 Figure 229 Configuration > VPN > IPSec VPN > VPN Connection Each field is not associated with a specific connection. Double-click an entry or select it and click...
User Manual
Page 380
...IPSec VPN Table 112 Configuration > VPN > IPSec VPN > VPN Connection (continued) LABEL DESCRIPTION Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is no VPN gateway, this screen, go to select a specific VPN gateway in the VPN Gateway field before the following screen appears. 380 ZyWALL USG 50... User's Guide Name This field displays the name of the IPSec SA. To access this...
User Manual
Page 931
... with dynamic peer 382 static site-to-site 382 transport encapsulation 383 tunnel encapsulation 383 VPN gateway 378 IPSec SA active protocol 405 and firewall 360, 768 and to-ZyWALL firewall 768 authentication algorithms 399, 400 authentication key (manual keys) 407 destination NAT for...also IPSec see also VPN source NAT for inbound traffic 409 source NAT for outbound traffic 408 status 191 transport mode 406 tunnel mode 406 when IKE SA is disconnected 405 IPSec VPN configuration overview 102 prerequisites 100, 102 see also IPSec troubleshooting 767 tutorial 118 where used 102 ZyWALL USG 50 User...