User Manual
Page 48
... the licensed service status and upgrade licensed services. System Protect Update system-protect signatures immediately or by a schedule. Network 48 ZyWALL USG 50 User's Guide SSL Lists users currently logged into the VPN SSL client portal. IDP/AppPatrol Update IDP signatures immediately or by a schedule. Anti-X Statistics Anti-Virus Collect and display statistics on the...
User Manual
Page 49
...binding. ZyWALL USG 50 User's Guide 49 VLAN Create and manage VLAN interfaces and virtual VLAN interfaces. RIP Configure device-level RIP settings. IP/MAC Binding Summary Configure IP to MAC address bindings for load balancing and link High Availability (HA). VPN Gateway ...to force user authentication. Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces. Trunk Create and manage trunks (groups of concurrent client NAT/firewall sessions. Zone Configure zones used to all connections. ALG Configure SIP, H.323, and FTP pass-through settings....
User Manual
Page 77
... IPSec device has a dynamic IP address. Choose this to identify this to connect to -site - ZyWALL USG 50 User's Guide 77 Only the clients can initiate the VPN tunnel. • Remote Access (Server Role) - Chapter 5 Quick Setup 5.5 VPN Express Wizard - The clients have dynamic IP addresses and are also known as shown in users. Choose this if...
User Manual
Page 81
...Name: Type the name used to allow incoming connections from IPSec VPN clients. The figure on page 76 to display the following screen. This ZyWALL can initiate the VPN tunnel. Choose this to identify this VPN connection (and VPN gateway). This value is case-sensitive. Choose this if the...static IP address or a domain name. Only the clients can initiate the VPN tunnel. • Site-to -site - Only the remote IPSec device can initiate the VPN tunnel. • Remote Access (Server Role) - ZyWALL USG 50 User's Guide 81 The clients have dynamic IP addresses and are also known as ...
User Manual
Page 82
phase 1 (Authentication) and phase 2 (Key Exchange). Figure 48 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway: If Any displays in user) and can be used to encrypt and decrypt the message or to identify ... incoming connections from the drop-down list box to use on DES 82 ZyWALL USG 50 User's Guide The DES encryption algorithm uses a 56-bit key. Phase 1 Settings There are two phases to an IPSec server. Triple DES (3DES) is the client (dial-in this to connect to every IKE (Internet Key Exchange) negotiation...
User Manual
Page 84
...The longer the AES key, the higher the security (this to -site and remote access client role scenarios. The SHA1 algorithm is generally considered stronger than DH1 or DH2 (although it may affect throughput). Figure 49 VPN Advanced Wizard: Step 4 • Active Protocol: ESP is compatible with NAT, AH is ...Time: Set how often the ZyWALL renegotiates the IKE SA. Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for the site-to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 84 ZyWALL USG 50 User's Guide SHA-1 gives...
User Manual
Page 93
... works like multiple 1 to 1 NAT rules. If a private network server will initiate sessions to the outside clients, create a 1 to 1 NAT entry to have the ZyWALL check the policy routes first by enabling the policy route feature's Use Policy Route to Override Direct Route option ...check. It maps a range of private network servers that the outside clients use to a range of the ZyWALL's interfaces. ZyWALL USG 50 User's Guide 93 Figure 53 Routing Table Checking Flow 1 Direct-connected Subnets: The ZyWALL first checks to send packets through the appropriate interface or VPN tunnel.
User Manual
Page 102
...clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall WHERE USED Policy routes, zones Example: See Chapter 7 on page 109. 6.5.16 SSL VPN Use SSL VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for Bob (User/Group). 102 ZyWALL USG 50... User's Guide These are only used as criteria in exceptions and conditions. MENU ITEM(S) Configuration > VPN > IPSec VPN; you want to allow vice president Bob to use BitTorrent and block ...
User Manual
Page 105
..., firewall, application patrol, content filter, user settings (force user authentication) AAA server Authentication methods authentication methods VPN gateways (extended authentication), WWW (client authentication) certificates VPN gateways, WWW, SSH, FTP SSL Application SSL VPN Endpoint Security Authentication policies, SSL VPN ZyWALL USG 50 User's Guide 105 Move your cursor over a configuration object that use this information in response to...
User Manual
Page 157
... 8.2.1 on page 162) to look at the VPN tunnels that are currently established. • Use the DHCP Table screen (see Section 8.2.5 on page 165) to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses...following. • Use the main Dashboard screen (see the ZyWALL's general device information, system status, system resource usage, licensed service status, and interface status. The dashboard displays general device information, system status, system resource usage, licensed service status, and ZyWALL USG 50 User's Guide 157
User Manual
Page 161
... are currently logged in to the Login Users ZyWALL. The ZyWALL successfully applied the system default configuration. Fallback to lastgood configuration - The ZyWALL is the current status of users currently logged in to the ZyWALL's DHCP clients and the IP addresses reserved for the first ....conf). ZyWALL USG 50 User's Guide 161 See Chapter 35 on page 166. Boot Status This field displays details about the ZyWALL's startup state. This identifies the licensed service. This is yyyy-mm-dd hh:mm:ss. See Section 8.2.1 on . Firmware update OK - VPN Status Click...
User Manual
Page 165
Name This field displays the name of the IPSec SA. Refresh Interval Select how often you want this window to DHCP clients and the IP addresses reserved for specific MAC addresses. Refresh Click this to update the information in the window right away...icon beside DHCP Table in the dashboard. Figure 119 Dashboard > DHCP Table ZyWALL USG 50 User's Guide 165 Chapter 8 Dashboard 8.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. Table 23 Dashboard > VPN Status LABEL DESCRIPTION # This field is a sequential value, and it is...
User Manual
Page 169
...packet statistics for each physical port. • Use the System Status > Interface Status screen (Section 9.3 on page 173) to see all of the ZyWALL's interfaces and their packet statistics. • Use the System Status > Traffic Statistics screen (see Section 9.4 on page 175) to start or stop ... on page 191) to display and manage active IPSec SAs. • Use the VPN Monitor > SSL screen (see Section 9.12 on page 193) to list the users currently logged into the VPN SSL client portal. ZyWALL USG 50 User's Guide 169 You can also log out individual users and delete related session information...
User Manual
Page 191
...'s traffic the ZyWALL has discarded and notified the client that matched this screen. Outbound Kbps This is how much of the service's application patrol rules. # This field is a sequential value, and it matched a policy set to "reject". Figure 135 Monitor > VPN Monitor > IPSec ZyWALL USG 50 User's Guide... the heading cell again to sort the table entries by that the ZyWALL sends to the WAN, the traffic sent from the initiator of the application's traffic the ZyWALL has discarded without notifying the client (in kilobytes). So for a connection initiated from the LAN to ...
User Manual
Page 193
... entry is removed from the ZyWALL. # This field displays the index number. ZyWALL USG 50 User's Guide 193 There could be any number (of any VPN connection or policy name that ends with "abc" and ending in "123" matches, no matter how many characters are currently logged into the VPN SSL client portal. A * in this screen. Table...
User Manual
Page 377
.... Only this to a server role ZyWALL. ZyWALL USG 50 User's Guide 377 This ZyWALL must have dynamic IP addresses and are also known as dial-in user). The clients have a static IP address or a domain name. Only the clients can initiate the VPN tunnel. This ZyWALL is the client (dial-in users. Table 111 IPSec VPN Application Scenarios SITE-TO-SITE...
User Manual
Page 382
...IP address or a domain name. Nailed-Up Select this to connect to pass through the IPSec SA. VPN Gateway Remote Access (Client Role) - Choose this if you want the ZyWALL to use . 382 ZyWALL USG 50 User's Guide Create new Object Use to configure any new settings objects that you the... ZyWALL to send NetBIOS (Network Basic Input/Output System) packets through IPSec SAs in the following table. ...
User Manual
Page 411
...a VPN router or VPN client software. 24.1.1 What You Can Do in this Chapter • Use the VPN > SSL VPN > Access Privilege screens (see Section 24.2 on page 413) to configure SSL access policies. • Use the Click VPN > SSL VPN > Global Setting screen (see Section 24.3 on page 416) to set the IP address of the ZyWALL... is created for remote users with private IP addresses in the same way as the local network. This allows them to perform the following tasks: ZyWALL USG 50 User's Guide 411 Figure 240 Network Access Mode: Full Tunnel Mode SSL Access Policy An SSL access policy allows the...
User Manual
Page 420
Clear the Login to Chapter 25 on page 421. 420 ZyWALL USG 50 User's Guide The following shows an example. Figure 246 SSL VPN Client Portal Screen Example If the user account is not activated" message displays in again. For more information on your network connection. This may take several minutes depending on user portal screens, refer to SSL VPN check box and try logging in the Login screen. Once the connection is up for SSL VPN access, an "SSL VPN connection is not set up , you should see the client portal screen. Chapter 24 SSL VPN 2 SSL VPN connection starts.
User Manual
Page 788
... %s). of networks has been modified in the has been changed '2nd- SSL VPN policy rule %s The listed SSL VPN policy (%s) has been added to an SSL VPN client. changed '1st- has been deleted. 788 ZyWALL USG 50 User's Guide Appendix A Log Descriptions Table 254 SSL VPN Logs (continued) LOG MESSAGE DESCRIPTION The %s address-object is wrong type for...