User Manual
Page 9
...157 Monitor ...169 Registration ...209 Interfaces ...215 Trunks ...271 Policy and Static Routes ...281 Routing Protocols ...297 Zones ...311 DDNS ...315 NAT ...321 HTTP Redirect ...331 ALG ...335 IP/MAC Binding ...343 Authentication Policy ...349 Firewall ...357 IPSec VPN ...375 SSL VPN ...411 ...SSL User Screens ...421 SSL User Application Screens 431 ZyWALL SecuExtender ...433 Application Patrol ...437 Anti-Virus ...463 IDP ...479 ADP ...513 Content Filtering ...533 Content Filter Reports ...557 Anti-Spam ...565 User/Group ...583 ZyWALL USG 50 User's Guide 9
Page 13
... Feature ...95 6.5.2 Licensing Registration 96 6.5.3 Licensing Update ...96 6.5.4 Interface ...96 6.5.5 Trunks ...97 6.5.6 Policy Routes ...97 6.5.7 Static Routes ...98 6.5.8 Zones ...98 6.5.9 DDNS ...99 6.5.10 NAT ...99 6.5.11 HTTP Redirect ...99 6.5.12 ALG ...100 6.5.13 Auth. Policy ...100 6.5.14 Firewall ...101 6.5.15 IPSec VPN ...102 6.5.16 SSL VPN ...102 6.5.17 Application... Interface 110 7.1.2 Configure Port Roles 111 7.1.3 Configure the DMZ Interface for a Local Network 111 7.1.4 Configure Zones ...112 7.2 How to Configure a Cellular Interface 113 ZyWALL USG 50 User's Guide 13
Page 14
...the LAN 137 7.9 How to Allow Incoming H.323 Peer-to-peer Calls 139 7.9.1 Turn On the ALG ...140 7.9.2 Set Up a NAT Policy For H.323 140 7.9.3 Set Up a Firewall Rule For H.323 142 7.10 How to Allow Public Access to a Web Server ...143 7.10.1 Create the Address Objects 144 7.10.2 Configure NAT ...144 7.10.3 Set Up a Firewall Rule 145 7.11 How to Use an IPPBX on the DMZ 146 7.11.1 Turn On the ...152 7.12.2 Configure the Policy Route 153 Part II: Technical Reference 155 Chapter 8 Dashboard ...157 14 ZyWALL USG 50 User's Guide
Page 17
... Dynamic DNS Add/Edit Screen 318 Chapter 17 NAT...321 17.1 NAT Overview ...321 17.1.1 What You Can Do in this Chapter 321 17.1.2 What You Need to Know 322 17.2 The NAT Screen ...322 17.2.1 The NAT Add/Edit Screen 324 17.3 NAT Technical Reference 327 Chapter 18 HTTP Redirect ...331 ZyWALL USG 50 User's Guide 17
Page 31
... for reliable, secure service. The ZyWALL also provides two separate LAN networks. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to Peer (P2P) control, NAT, port forwarding, policy routing, DHCP...ZyWALL. In addition, the ZyWALL provides excellent throughput, making it an ideal solution for your company. Flexible configuration helps you set up the network and enforce security policies efficiently. Its flexible configuration helps network administrators set up the network and enforce security policies efficiently. ZyWALL USG 50...
Page 37
... It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features. High Availability To ensure the ZyWALL provides reliable, secure Internet access, set up one or more of the ZyWALL. Flexible Security Zones Many security ... insecure network that uses TCP/IP for communication. The rest of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. ZyWALL USG 50 User's Guide 37
Page 49
...for an installed 3G card. SSL VPN Access Privilege Configure SSL VPN access rights for devices connected to each supported interface. ZyWALL USG 50 User's Guide 49 RIP Configure device-level RIP settings. VPN IPSec VPN VPN Connection Configure IPSec tunnels. Chapter 3 Web...manage level-3 traffic rules. Session Limit Limit the number of concurrent client NAT/firewall sessions. Cellular Configure a cellular Internet connection for load balancing and link High Availability (HA). NAT Set up and manage HTTP redirection rules. Bridge Create and manage bridges ...
Page 83
... number. It also requires more processing power, resulting in the main IPSec VPN screens or the User's Guide VPN, NAT, and NAT Traversal on page 403 for at least 15 seconds, the ZyWALL sends a message to Diffie-Hellman Group 5 a 1536 bit random number. • SA Life Time: Set how... sure the remote IPSec device is there before transmitting data through NAT (there is faster than 3DES. DH5 refers to the remote IPSec device. AES128 uses a 128-bit key and is a NAT router between the IPSec devices). ZyWALL USG 50 User's Guide 83 Chapter 5 Quick Setup that uses a 168-bit key. SHA...
Page 84
...bit (1Kb) random number. Figure 49 VPN Advanced Wizard: Step 4 • Active Protocol: ESP is compatible with NAT, AH is not. • Encapsulation: Tunnel is compatible with NAT, Transport is less secure. DH1 refers to authenticate packet data. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm)...VPN Advanced Wizard - The longer the AES key, the higher the security (this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 84 ZyWALL USG 50 User's Guide This must match the local IP address configured on your network. Select DH1, DH2 or...
Page 88
...objects. 6.2 Zones, Interfaces, and Physical Ports Zones (groups of zones, interfaces, and physical ports in configuring other features. 88 ZyWALL USG 50 User's Guide Figure 52 Zones, Interfaces, and Physical Ethernet Ports Zones Interfaces WAN wan1 wan2 Physical Ports LAN1 lan1 LAN2 DMZ ...VPN, zones, trunks, DDNS, policy routes, static routes, HTTP redirect, and NAT. Here is where you connect a cable. Chapter 6 Configuration Basics change an Ethernet interface's IP address, the ZyWALL automatically updates the rules or settings that uses objects, you can use the interface...
Page 91
... Policy route 6.4 Packet Flow Here is the order in the ZyWALL This section highlights some terminology or organization for ZLD-based ZyWALLs. Chapter 6 Configuration Basics 6.3 Terminology in which the ZyWALL applies its features and checks. ZyWALL USG 50 User's Guide 91 Traffic in > Defragmentation > ALG > Destination NAT > Routing > Stateful Firewall > ADP > Application Classification > IDP > Anti-virus > Application...
Page 92
... • Static and dynamic routes have their own category. 6.4.1 Routing Table Checking Flow When the ZyWALL receives packets it examines the packets and determines how to route them and applies destination NAT. Then it defragments them . Chapter 6 Configuration Basics Packet Flow The packet flow is dead. ...hop is as external interfaces. External interfaces include ppp and cellular interfaces as well as the packets match an entry in one 92 ZyWALL USG 50 User's Guide As soon as any Ethernet interfaces that are any Ethernet interfaces that you don't need to set up policy routes...
Page 93
Chapter 6 Configuration Basics of the ZyWALL's interfaces. ZyWALL USG 50 User's Guide 93 Configure policy routes to access the server. It maps a range of private network servers that will initiate sessions to the outside clients, create a 1 to 1 NAT entry to have the ZyWALL check the policy routes first by ... Routes: These are destined for an address in the same subnet as one of the sections, the ZyWALL stops checking the packets against the routing table and moves on to 1 NAT rules. A many 1 to the other checks, for more. If a private network server will initiate...
Page 94
...for any traffic that did not match any earlier routing entries. 6.4.2 NAT Table Checking Flow The checking flow is now included in the NAT table. 3 NAT loopback is from other routing entries, the ZyWALL forwards it does not match any traffic coming in through an internal ... ZyWALL stops checking the packets against the NAT table and moves on page 281 for the VPN rules. Chapter 6 Configuration Basics 4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for more information. 6 Default WAN Trunk: For any of requiring a separate policy route. 94 ZyWALL USG 50 User...
Page 95
... in the list of menu items and tabs you return to the main screen to find the main screen(s) for more information about any settings. ZyWALL USG 50 User's Guide 95 Each feature description is no other features to this . See the web help or the related User's Guide chapter for this ... example is one of the criterion. Chapter 6 Configuration Basics 4 SNAT is also now performed by default and included in the NAT table. 6.5 Feature Configuration Overview This section provides information about configuring the main features in Figure 14 on page 90. WHERE USED These are other ...
Page 96
...VPN tunnels, and content filtering. To configure dmz's settings, click Network > Interface > Ethernet and then the dmz's Edit icon. 96 ZyWALL USG 50 User's Guide You must have Internet access to myZyXEL.com. Most of the features that use interfaces support Ethernet, PPPoE/PPTP, cellular, ...groups (configured in the Interface > Port Grouping screen) WHERE USED Zones, trunks, IPSec VPN, DDNS, policy routes, static routes, HTTP redirect, NAT, application patrol Example: The dmz interface is no security applied on it until you assign it to myZyXEL.com 6.5.4 Interface See Section 6.2 on...
Page 97
... groups (source, destination), schedules, services, service groups PREREQUISITES Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks, interfaces NAT: addresses (translated address), services and service groups (port triggering) Example: You have to set up the criteria, next-hops, and... server's address as the source address. 6 You don't need to specify the destination address or the schedule. 7 For the service, select FTP. ZyWALL USG 50 User's Guide 97 You can also use policy routes for the FTP server (Object > Address). 2 Click Configuration > Network > Routing > Policy Route...
Page 99
... Mapped IP field, list the IP address of the web pages that page. ZyWALL USG 50 User's Guide 99 MENU ITEM(S) Configuration > Network > DDNS PREREQUISITES Interface 6.5.10 NAT Use Network Address Translation (NAT) to configure the NAT entry. The ZyWALL only checks regular (through-ZyWALL) firewall rules for the original IP address. 6 In Mapping Type, select Port. 7 Enter...
Page 100
... proxy server. 6 Specify the port number to use for packets that you forward to the proxy server. 6.5.12 ALG The ZyWALL's Application Layer Gateway (ALG) allows VoIP and FTP applications to control who can access the network. You can authenticate users ... checking to -ZyWALL firewall rules for the HTTP traffic that are redirected by HTTP redirect. It does check regular (through NAT on the ZyWALL. You can also specify additional signaling port numbers. Policy Addresses, services, endpoint security objects, users, authentication PREREQUISITES methods 100 ZyWALL USG 50 User's Guide ...
Page 101
...> Firewall to go to the DMZ zone for NAT (DNAT) and policy routes (SNAT). To-ZyWALL firewall rules control access to -ZyWALL firewall rules for remote management. Note: The ZyWALL checks the firewall rules in the sequence. Configure to the ZyWALL. You could configure a firewall rule to allow ...users on schedules, specific users (or user groups), source or destination addresses (or address groups) and services (or service groups). ZyWALL USG 50 User's Guide 101 You can also configure the firewall to No. By default, the firewall only allows management connections from the ...