ZyXEL Communications 100 Series User Manual

 Chapter 5 Configuration Basics
ZyWALL USG 100/200 Series User’s Guide
Note: The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that would also match the FTP traffic.
5.4.11  Static Routes
Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL. 
5.4.12  Firewall
The firewall controls the travel of traffic between or within zones. You can also configure the 
firewall to control traffic for virtual server (port forwarding) and policy routes (NAT). You 
can configure firewall rules based on schedules, specific users (or user groups), source or 
destination addresses (or address groups) and services (or service groups). Each of these 
objects must be configured in a different screen.
To-ZyWALL firewall rules control access to the ZyWALL. Configure to-ZyWALL firewall 
rules for remote management. By default, the firewall allows HTTP management access from 
the LAN zone and HTTPS management access from any zone. The ZyWALL drops packets 
from the WAN or DMZ zone to the ZyWALL itself, except for Device HA and VPN traffic.
Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. 
You could configure a firewall rule to allow VoIP sessions from the SIP proxy server on DMZ 
to LAN1 so VoIP users on LAN1 can receive calls.
1. Create a VoIP service object for UDP port 5060 traffic (Object > Service).
2. Create an address object for the VoIP server (Object > Address).
3. Click Firewall to go to the firewall configuration.
4. Select from the DMZ zone to the LAN1 zone, and add a firewall rule using the items you have configured.
   • You don’t need to specify the schedule or the user.
   • In the Source field, select the address object of the VoIP server.
   • You don’t need to specify the destination address.
   • Leave the Access field set to Allow and the Log field set to No.
Note: The ZyWALL checks the firewall rules in order. Make sure each rule is in the correct place in the sequence.
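The effect of rule order on the VoIP rule above can be checked offline before a rule list is applied. This is an added example, not ZyXEL code or ZyWALL CLI: a small Python model of first-match evaluation with a check for rules that an earlier rule overrides. The VoIP server address, the rule names and the default-deny fallback are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# source: address object as CIDR, None = any; service: (proto, port), None = any
Rule = namedtuple("Rule", "name from_zone to_zone source service access")
Packet = namedtuple("Packet", "from_zone to_zone src proto dport")

def matches(rule, pkt):
    return ((rule.from_zone, rule.to_zone) == (pkt.from_zone, pkt.to_zone)
            and (rule.source is None or ip_address(pkt.src) in ip_network(rule.source))
            and (rule.service is None or rule.service == (pkt.proto, pkt.dport)))

def evaluate(rules, pkt, default="deny"):
    """Rules are checked in list order; the first match decides.
    The default-deny fallback is an assumption of this model."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.access, rule.name
    return default, "default"

def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    same_zones = (earlier.from_zone, earlier.to_zone) == (later.from_zone, later.to_zone)
    src_ok = earlier.source is None or (
        later.source is not None
        and ip_network(later.source).subnet_of(ip_network(earlier.source)))
    svc_ok = earlier.service is None or earlier.service == later.service
    return same_zones and src_ok and svc_ok

def shadowed(rules):
    """(later, earlier) pairs where an earlier rule with the opposite
    action always matches first, so the later rule never takes effect."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules) for earlier in rules[:i]
            if covers(earlier, later) and earlier.access != later.access]

# Constructed objects: the VoIP server address and rule names are made up.
ALLOW_SIP = Rule("allow-sip", "DMZ", "LAN1", "192.168.3.10/32", ("udp", 5060), "allow")
DENY_DMZ = Rule("deny-dmz-to-lan1", "DMZ", "LAN1", None, None, "deny")
INVITE = Packet("DMZ", "LAN1", "192.168.3.10", "udp", 5060)
```

Running `shadowed()` over a planned rule list flags an allow rule placed behind a broader deny, which is the misordering the note warns about.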
MENU ITEM(S): Network > Routing > Static Route
PREREQUISITES: Interfaces

MENU ITEM(S): Firewall
PREREQUISITES: Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups