ZyWALL USG 20/20W User Manual
Table of Contents

About This User's Guide ... 3
Document Conventions ... 6
Safety Warnings ... 8
Contents Overview ... 9
Table of Contents ... 11

Part I: User's Guide ... 27

Introducing the ZyWALL ... 29
  1.1 Overview and Key Default Settings ... 29
  1.2 Wall-mounting ... 29
  1.3 Front Panel ... 32
    1.3.1 Front Panel LEDs ... 32
  1.4 Management Overview ... 33
  1.5 Starting and Stopping the ZyWALL ... 34

Features and Applications ... 37
  2.1 Features ... 37
  2.2 Applications ... 39
    2.2.1 VPN Connectivity ... 39
    2.2.2 SSL VPN Network Access ... 39
    2.2.3 User-Aware Access Control ... 41

Web Configurator ... 43
  3.1 Web Configurator Requirements ... 43
  3.2 Web Configurator Access ... 43
  3.3 Web Configurator Screens Overview ... 45
    3.3.1 Title Bar ... 46
    3.3.2 Navigation Panel ... 47
    3.3.3 Main Window ... 52
    3.3.4 Tables and Lists ... 54

Installation Setup Wizard ... 59
  4.1 Installation Setup Wizard Screens ... 59
    4.1.1 Internet Access Setup - WAN Interface ... 59
    4.1.2 Internet Access: Ethernet ... 60
    4.1.3 Internet Access: PPPoE ... 61
    4.1.4 Internet Access: PPTP ... 63
    4.1.5 ISP Parameters ... 63
    4.1.6 Internet Access - Finish ... 65
  4.2 Device Registration ... 65

Quick Setup ... 69
  5.1 Quick Setup Overview ... 69
  5.2 WAN Interface Quick Setup ... 70
    5.2.1 Choose an Ethernet Interface ... 70
    5.2.2 Select WAN Type ... 70
    5.2.3 Configure WAN Settings ... 71
    5.2.4 WAN and ISP Connection Settings ... 72
    5.2.5 Quick Setup Interface Wizard: Summary ... 74
  5.3 VPN Quick Setup ... 75
  5.4 VPN Setup Wizard: Wizard Type ... 76
  5.5 VPN Express Wizard - Scenario ... 77
    5.5.1 VPN Express Wizard - Configuration ... 78
    5.5.2 VPN Express Wizard - Summary ... 79
    5.5.3 VPN Express Wizard - Finish ... 80
    5.5.4 VPN Advanced Wizard - Scenario ... 81
    5.5.5 VPN Advanced Wizard - Phase 1 Settings ... 82
    5.5.6 VPN Advanced Wizard - Phase 2 ... 83
    5.5.7 VPN Advanced Wizard - Summary ... 85
    5.5.8 VPN Advanced Wizard - Finish ... 86

Configuration Basics ... 87
  6.1 Object-based Configuration ... 87
  6.2 Zones, Interfaces, and Physical Ports ... 88
    6.2.1 Interface Types ... 89
    6.2.2 Default Interface and Zone Configuration ... 90
  6.3 Terminology in the ZyWALL ... 91
  6.4 Packet Flow ... 91
    6.4.1 Routing Table Checking Flow ... 92
    6.4.2 NAT Table Checking Flow ... 94
  6.5 Feature Configuration Overview ... 95
    6.5.1 Feature ... 95
    6.5.2 Licensing Registration ... 96
    6.5.3 Interface ... 96
    6.5.4 Trunks ... 96
    6.5.5 Policy Routes ... 96
    6.5.6 Static Routes ... 98
    6.5.7 Zones ... 98
    6.5.8 DDNS ... 98
    6.5.9 NAT ... 98
    6.5.10 HTTP Redirect ... 99
    6.5.11 ALG ... 100
    6.5.12 Auth. Policy ... 100
    6.5.13 Firewall ... 100
    6.5.14 IPSec VPN ... 101
    6.5.15 SSL VPN ... 101
    6.5.16 Bandwidth Management ... 102
    6.5.17 ADP ... 102
    6.5.18 Content Filter ... 102
    6.5.19 Anti-Spam ... 103
  6.6 Objects ... 103
    6.6.1 User/Group ... 104
  6.7 System ... 105
    6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Vantage CNM ... 105
    6.7.2 Logs and Reports ... 105
    6.7.3 File Manager ... 106
    6.7.4 Diagnostics ... 106
    6.7.5 Shutdown ... 106

Tutorials ... 107
  7.1 How to Configure Interfaces, Port Roles, and Zones ... 107
    7.1.1 Configure a WAN Ethernet Interface ... 108
    7.1.2 Configure Port Roles ... 109
    7.1.3 Configure the DMZ Interface for a Local Network ... 109
    7.1.4 Configure Zones ... 110
  7.2 How to Configure a Cellular Interface ... 111
  7.3 How to Configure Load Balancing ... 113
    7.3.1 Set Up Available Bandwidth on Ethernet Interfaces ... 113
    7.3.2 Configure the WAN Trunk ... 114
  7.4 How to Set Up an IPSec VPN Tunnel ... 116
    7.4.1 Set Up the VPN Gateway ... 117
    7.4.2 Set Up the VPN Connection ... 118
    7.4.3 Configure Security Policies for the VPN Tunnel ... 119
  7.5 How to Configure User-aware Access Control ... 120
    7.5.1 Set Up User Accounts ... 120
    7.5.2 Set Up User Groups ... 121
    7.5.3 Set Up User Authentication Using the RADIUS Server ... 122
  7.6 How to Use a RADIUS Server to Authenticate User Accounts based on Groups ... 124
  7.7 How to Use Endpoint Security and Authentication Policies ... 126
    7.7.1 Configure the Endpoint Security Objects ... 126
    7.7.2 Configure the Authentication Policy ... 128
  7.8 How to Configure Service Control ... 129
    7.8.1 Allow HTTPS Administrator Access Only From the LAN ... 130
  7.9 How to Allow Incoming H.323 Peer-to-peer Calls ... 132
    7.9.1 Turn On the ALG ... 133
    7.9.2 Set Up a NAT Policy For H.323 ... 133
    7.9.3 Set Up a Firewall Rule For H.323 ... 135
  7.10 How to Allow Public Access to a Web Server ... 136
    7.10.1 Create the Address Objects ... 137
    7.10.2 Configure NAT ... 137
    7.10.3 Set Up a Firewall Rule ... 138
  7.11 How to Use an IPPBX on the DMZ ... 139
    7.11.1 Turn On the ALG ... 141
    7.11.2 Create the Address Objects ... 141
    7.11.3 Set Up a NAT Policy for the IPPBX ... 142
    7.11.4 Set Up a WAN to DMZ Firewall Rule for SIP ... 143
    7.11.5 Set Up a DMZ to LAN Firewall Rule for SIP ... 144
  7.12 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic ... 145
    7.12.1 Create the Public IP Address Range Object ... 145
    7.12.2 Configure the Policy Route ... 146
  7.13 How to Set Up a Wireless LAN ... 146
    7.13.1 Set Up User Accounts ... 147
    7.13.2 Create the WLAN Interface ... 147
    7.13.3 Set Up the Wireless Clients to Use the WLAN Interface ... 150

Part II: Technical Reference ... 163

Dashboard ... 165
  8.1 Overview ... 165
    8.1.1 What You Can Do in this Chapter ... 165
  8.2 The Dashboard Screen ... 165
    8.2.1 The CPU Usage Screen ... 171
    8.2.2 The Memory Usage Screen ... 172
    8.2.3 The Active Sessions Screen ... 173
    8.2.4 The VPN Status Screen ... 174
    8.2.5 The DHCP Table Screen ... 174
    8.2.6 The Number of Login Users Screen ... 175

Monitor ... 177
  9.1 Overview ... 177
    9.1.1 What You Can Do in this Chapter ... 177
  9.2 The Port Statistics Screen ... 178
    9.2.1 The Port Statistics Graph Screen ... 180
  9.3 Interface Status Screen ... 181
  9.4 The Traffic Statistics Screen ... 183
  9.5 The Session Monitor Screen ... 186
  9.6 The DDNS Status Screen ... 189
  9.7 IP/MAC Binding Monitor ... 189
  9.8 The Login Users Screen ... 190
  9.9 WLAN Status Screen ... 191
  9.10 Cellular Status Screen ... 192
    9.10.1 More Information ... 194
  9.11 USB Storage Screen ... 195
  9.12 The IPSec Monitor Screen ... 196
    9.12.1 Regular Expressions in Searching IPSec SAs ... 198
  9.13 The SSL Connection Monitor Screen ... 198
  9.14 The Content Filter Statistics Screen ... 200
  9.15 Content Filter Cache Screen ... 202
  9.16 The Anti-Spam Statistics Screen ... 204
  9.17 The Anti-Spam Status Screen ... 206
  9.18 Log Screen ... 207

Registration ... 211
  10.1 Overview ... 211
    10.1.1 What You Can Do in this Chapter ... 211
    10.1.2 What You Need to Know ... 211
  10.2 The Registration Screen ... 212
  10.3 The Service Screen ... 214

Interfaces ... 217
  11.1 Interface Overview ... 217
    11.1.1 What You Can Do in this Chapter ... 217
    11.1.2 What You Need to Know ... 218
  11.2 Port Role ... 220
  11.3 Ethernet Summary Screen ... 222
    11.3.1 Ethernet Edit ... 223
    11.3.2 Object References ... 232
  11.4 PPP Interfaces ... 233
    11.4.1 PPP Interface Summary ... 234
    11.4.2 PPP Interface Add or Edit ... 235
  11.5 Cellular Configuration Screen (3G) ... 239
    11.5.1 Cellular Add/Edit Screen ... 241
  11.6 WLAN Interface General Screen ... 248
    11.6.1 WLAN Add/Edit Screen ... 252
    11.6.2 WLAN Add/Edit: WEP Security ... 258
    11.6.3 WLAN Add/Edit: WPA-PSK/WPA2-PSK Security ... 259
    11.6.4 WLAN Add/Edit: WPA/WPA2 Security ... 260
  11.7 WLAN Interface MAC Filter ... 262
  11.8 VLAN Interfaces ... 264
    11.8.1 VLAN Summary Screen ... 266
    11.8.2 VLAN Add/Edit ... 267
  11.9 Bridge Interfaces ... 274
    11.9.1 Bridge Summary ... 276
    11.9.2 Bridge Add/Edit ... 277
    11.9.3 Virtual Interfaces Add/Edit ... 282
  11.10 Interface Technical Reference ... 284

Trunks ... 289
  12.1 Overview ... 289
    12.1.1 What You Can Do in this Chapter ... 289
    12.1.2 What You Need to Know ... 290
  12.2 The Trunk Summary Screen ... 292
  12.3 Configuring a Trunk ... 293
  12.4 Trunk Technical Reference ... 295

Policy and Static Routes ... 297
  13.1 Policy and Static Routes Overview ... 297
    13.1.1 What You Can Do in this Chapter ... 297
    13.1.2 What You Need to Know ... 298
  13.2 Policy Route Screen ... 300
    13.2.1 Policy Route Edit Screen ... 303
  13.3 IP Static Route Screen ... 307
    13.3.1 Static Route Add/Edit Screen ... 308
  13.4 Policy Routing Technical Reference ... 309

Routing Protocols ... 313
  14.1 Routing Protocols Overview ... 313
    14.1.1 What You Can Do in this Chapter ... 313
    14.1.2 What You Need to Know ... 313
  14.2 The RIP Screen ... 314
  14.3 The OSPF Screen ... 315
    14.3.1 Configuring the OSPF Screen ... 319
    14.3.2 OSPF Area Add/Edit Screen ... 322
    14.3.3 Virtual Link Add/Edit Screen ... 323
  14.4 Routing Protocol Technical Reference ... 324

Zones ... 327
  15.1 Zones Overview ... 327
    15.1.1 What You Can Do in this Chapter ... 327
    15.1.2 What You Need to Know ... 328
  15.2 The Zone Screen ... 329
  15.3 Zone Edit ... 330

DDNS ... 331
  16.1 DDNS Overview ... 331
    16.1.1 What You Can Do in this Chapter ... 331
    16.1.2 What You Need to Know ... 331
  16.2 The DDNS Screen ... 332
    16.2.1 The Dynamic DNS Add/Edit Screen ... 334

NAT ... 337
  17.1 NAT Overview ... 337
    17.1.1 What You Can Do in this Chapter ... 337
    17.1.2 What You Need to Know ... 338
  17.2 The NAT Screen ... 338
    17.2.1 The NAT Add/Edit Screen ... 340
  17.3 NAT Technical Reference ... 343

HTTP Redirect ... 347
  18.1 Overview ... 347
    18.1.1 What You Can Do in this Chapter ... 347
    18.1.2 What You Need to Know ... 348
  18.2 The HTTP Redirect Screen ... 349
    18.2.1 The HTTP Redirect Edit Screen ... 350

ALG ... 351
  19.1 ALG Overview ... 351
    19.1.1 What You Can Do in this Chapter ... 351
    19.1.2 What You Need to Know ... 352
    19.1.3 Before You Begin ... 355
  19.2 The ALG Screen ... 355
  19.3 ALG Technical Reference ... 357

IP/MAC Binding ... 359
  20.1 IP/MAC Binding Overview ... 359
    20.1.1 What You Can Do in this Chapter ... 359
    20.1.2 What You Need to Know ... 360
  20.2 IP/MAC Binding Summary ... 360
    20.2.1 IP/MAC Binding Edit ... 361
    20.2.2 Static DHCP Edit ... 362
  20.3 IP/MAC Binding Exempt List ... 363

Authentication Policy ... 365
  21.1 Overview ... 365
    21.1.1 What You Can Do in this Chapter ... 365
    21.1.2 What You Need to Know ... 366
  21.2 Authentication Policy Screen ... 366
    21.2.1 Creating/Editing an Authentication Policy ... 369

Firewall ... 373
  22.1 Overview ... 373
    22.1.1 What You Can Do in this Chapter ... 373
    22.1.2 What You Need to Know ... 374
    22.1.3 Firewall Rule Example Applications ... 376
    22.1.4 Firewall Rule Configuration Example ... 379
  22.2 The Firewall Screen ... 381
    22.2.1 Configuring the Firewall Screen ... 382
    22.2.2 The Firewall Add/Edit Screen ... 385
  22.3 The Session Limit Screen ... 386
    22.3.1 The Session Limit Add/Edit Screen ... 388

IPSec VPN ... 391
  23.1 IPSec VPN Overview ... 391
    23.1.1 What You Can Do in this Chapter ... 391
    23.1.2 What You Need to Know ... 392
    23.1.3 Before You Begin ... 394
  23.2 The VPN Connection Screen ... 394
    23.2.1 The VPN Connection Add/Edit (IKE) Screen ... 396
    23.2.2 The VPN Connection Add/Edit Manual Key Screen ... 403
  23.3 The VPN Gateway Screen ... 406
    23.3.1 The VPN Gateway Add/Edit Screen ... 407
  23.4 IPSec VPN Background Information ... 415

SSL VPN ... 427
  24.1 Overview ... 427
    24.1.1 What You Can Do in this Chapter ... 427
    24.1.2 What You Need to Know ... 427
  24.2 The SSL Access Privilege Screen ... 429
    24.2.1 The SSL Access Policy Add/Edit Screen ... 430
  24.3 The SSL Global Setting Screen ... 433
    24.3.1 How to Upload a Custom Logo ... 434
  24.4 Establishing an SSL VPN Connection ... 435

SSL User Screens ... 437
  25.1 Overview ... 437
    25.1.1 What You Need to Know ... 437
  25.2 Remote User Login ... 438
  25.3 The SSL VPN User Screens ... 443
  25.4 Bookmarking the ZyWALL ... 444
  25.5 Logging Out of the SSL VPN User Screens ... 444

SSL User Application Screens ... 447
  26.1 SSL User Application Screens Overview ... 447
  26.2 The Application Screen ... 447

ZyWALL SecuExtender ... 449
  27.1 The ZyWALL SecuExtender Icon ... 449
  27.2 Statistics ... 450
  27.3 View Log ... 451
  27.4 Suspend and Resume the Connection ... 451
  27.5 Stop the Connection ... 452
  27.6 Uninstalling the ZyWALL SecuExtender ... 452

Bandwidth Management ... 453
  28.1 Overview ... 453
    28.1.1 What You Can Do in this Chapter ... 453
    28.1.2 What You Need to Know ... 453
    28.1.3 Bandwidth Management Examples ... 457
  28.2 The Bandwidth Management Screen ... 461
    28.2.1 The Bandwidth Management Add/Edit Screen ... 463

ADP ... 467
  29.1 Overview ... 467
    29.1.1 ADP ... 467
    29.1.2 What You Can Do in this Chapter ... 467
    29.1.3 What You Need To Know ... 467
    29.1.4 Before You Begin ... 468
  29.2 The ADP General Screen ... 469
  29.3 The Profile Summary Screen ... 470
    29.3.1 Base Profiles ... 471
    29.3.2 Configuring The ADP Profile Summary Screen ... 471
    29.3.3 Creating New ADP Profiles ... 472
    29.3.4 Traffic Anomaly Profiles ... 472
    29.3.5 Protocol Anomaly Profiles ... 475
    29.3.6 Protocol Anomaly Configuration ... 475
  29.4 ADP Technical Reference ... 479

Content Filtering ... 487
  30.1 Overview ... 487
    30.1.1 What You Can Do in this Chapter ... 487
    30.1.2 What You Need to Know ... 487
    30.1.3 Before You Begin ... 489
  30.2 Content Filter General Screen ... 489
  30.3 Content Filter Policy Add or Edit Screen ... 492
  30.4 Content Filter Profile Screen ... 494
  30.5 Content Filter Categories Screen ... 494
    30.5.1 Content Filter Blocked and Warning Messages ... 508
  30.6 Content Filter Customization Screen ... 508
  30.7 Content Filter Technical Reference ... 511

Content Filter Reports ... 513
  31.1 Overview ... 513
  31.2 Viewing Content Filter Reports ... 513

Anti-Spam ... 521
  32.1 Overview ... 521
    32.1.1 What You Can Do in this Chapter ... 521
    32.1.2 What You Need to Know ... 521
  32.2 Before You Begin ... 523
  32.3 The Anti-Spam General Screen ... 523
    32.3.1 The Anti-Spam Policy Add or Edit Screen ... 525
  32.4 The Anti-Spam Black List Screen ... 527
    32.4.1 The Anti-Spam Black or White List Add/Edit Screen ... 529
    32.4.2 Regular Expressions in Black or White List Entries ... 530
  32.5 The Anti-Spam White List Screen ... 531
  32.6 The DNSBL Screen ... 532
  32.7 Anti-Spam Technical Reference ... 534

User/Group ... 539
  33.1 Overview ... 539
    33.1.1 What You Can Do in this Chapter ... 539
    33.1.2 What You Need To Know ... 539
  33.2 User Summary Screen ... 542
    33.2.1 User Add/Edit Screen ... 542
  33.3 User Group Summary Screen ... 545
    33.3.1 Group Add/Edit Screen ... 546
  33.4 Setting Screen ... 547
    33.4.1 Default User Authentication Timeout Settings Edit Screens ... 550
    33.4.2 User Aware Login Example ... 552
  33.5 User/Group Technical Reference ... 553

Addresses ... 555
  34.1 Overview ... 555
    34.1.1 What You Can Do in this Chapter ... 555
    34.1.2 What You Need To Know ... 555
  34.2 Address Summary Screen ... 555
    34.2.1 Address Add/Edit Screen ... 557
  34.3 Address Group Summary Screen ... 558
    34.3.1 Address Group Add/Edit Screen ... 559

Services ... 561
  35.1 Overview ... 561
    35.1.1 What You Can Do in this Chapter ... 561
    35.1.2 What You Need to Know ... 561
  35.2 The Service Summary Screen ... 562
    35.2.1 The Service Add/Edit Screen ... 564
  35.3 The Service Group Summary Screen ... 564
    35.3.1 The Service Group Add/Edit Screen ... 566

Schedules ... 567
  36.1 Overview ... 567
    36.1.1 What You Can Do in this Chapter ... 567
    36.1.2 What You Need to Know ... 567
  36.2 The Schedule Summary Screen ... 568
    36.2.1 The One-Time Schedule Add/Edit Screen ... 569
    36.2.2 The Recurring Schedule Add/Edit Screen ... 570

AAA Server ... 573
  37.1 Overview ... 573
    37.1.1 Directory Service (AD/LDAP) ... 573
    37.1.2 RADIUS Server ... 574
    37.1.3 ASAS ... 574
    37.1.4 What You Can Do in this Chapter ... 574
    37.1.5 What You Need To Know ... 575
  37.2 Active Directory or LDAP Server Summary ... 577
    37.2.1 Adding an Active Directory or LDAP Server ... 577
  37.3 RADIUS Server Summary ... 579
    37.3.1 Adding a RADIUS Server ... 581

Authentication Method ... 583
  38.1 Overview ... 583
    38.1.1 What You Can Do in this Chapter ... 583
    38.1.2 Before You Begin ... 583
    38.1.3 Example: Selecting a VPN Authentication Method ... 583
  38.2 Authentication Method Objects ... 584
    38.2.1 Creating an Authentication Method Object ... 585

Certificates ... 589
  39.1 Overview ... 589
    39.1.1 What You Can Do in this Chapter ... 589
    39.1.2 What You Need to Know ... 589
    39.1.3 Verifying a Certificate ... 591
  39.2 The My Certificates Screen ... 593
    39.2.1 The My Certificates Add Screen ... 594
    39.2.2 The My Certificates Edit Screen ... 599
    39.2.3 The My Certificates Import Screen ... 602
  39.3 The Trusted Certificates Screen ... 603
    39.3.1 The Trusted Certificates Edit Screen ... 604
    39.3.2 The Trusted Certificates Import Screen ... 608
  39.4 Certificates Technical Reference ... 609

ISP Accounts ... 611
  40.1 Overview ... 611
    40.1.1 What You Can Do in this Chapter ... 611
  40.2 ISP Account Summary ... 611
    40.2.1 ISP Account Edit ... 612

SSL Application ... 615
  41.1 Overview ... 615
    41.1.1 What You Can Do in this Chapter ... 615
    41.1.2 What You Need to Know ... 615
    41.1.3 Example: Specifying a Web Site for Access ... 616
  41.2 The SSL Application Screen ... 617
    41.2.1 Creating/Editing a Web-based SSL Application Object ... 618

Endpoint Security ... 621
  42.1 Overview ... 621
    42.1.1 What You Can Do in this Chapter ... 622
    42.1.2 What You Need to Know ... 622
  42.2 Endpoint Security Screen ... 623
  42.3 Endpoint Security Add/Edit ... 624

System ... 629
  43.1 Overview ... 629
    43.1.1 What You Can Do in this Chapter ... 629
  43.2 Host Name ... 630
  43.3 USB Storage ... 631
  43.4 Date and Time ... 631
    43.4.1 Pre-defined NTP Time Servers List ... 634
    43.4.2 Time Server Synchronization ... 635
  43.5 Console Port Speed ... 636
  43.6 DNS Overview ... 636
    43.6.1 DNS Server Address Assignment ... 637
    43.6.2 Configuring the DNS Screen ... 637
    43.6.3 Address Record ... 640
    43.6.4 PTR Record ... 640
    43.6.5 Adding an Address/PTR Record ... 640
    43.6.6 Domain Zone Forwarder ... 641
    43.6.7 Adding a Domain Zone Forwarder ... 641
    43.6.8 MX Record ... 642
    43.6.9 Adding an MX Record ... 643
    43.6.10 Adding a DNS Service Control Rule ... 643
  43.7 WWW Overview ... 644
    43.7.1 Service Access Limitations ... 644
    43.7.2 System Timeout ... 645
    43.7.3 HTTPS ... 645
    43.7.4 Configuring WWW Service Control ... 646
    43.7.5 Service Control Rules ... 650
    43.7.6 Customizing the WWW Login Page ... 650
    43.7.7 HTTPS Example ... 654
  43.8 SSH ... 661
    43.8.1 How SSH Works ... 662
    43.8.2 SSH Implementation on the ZyWALL ... 663
    43.8.3 Requirements for Using SSH ... 663
    43.8.4 Configuring SSH ... 663
    43.8.5 Secure Telnet Using SSH Examples ... 665
  43.9 Telnet ... 666
    43.9.1 Configuring Telnet ... 667
  43.10 FTP ... 668
    43.10.1 Configuring FTP ... 668
  43.11 SNMP ... 670
    43.11.1 Supported MIBs ... 672
    43.11.2 SNMP Traps ... 672
    43.11.3 Configuring SNMP ... 672
  43.12 Vantage CNM ... 674
    43.12.1 Configuring Vantage CNM ... 675
  43.13 Language Screen ... 677

Log and Report ... 679
  44.1 Overview ... 679
    44.1.1 What You Can Do in this Chapter ... 679
  44.2 Email Daily Report ... 679
  44.3 Log Setting Screens ... 681
    44.3.1 Log Setting Summary ... 682
    44.3.2 Edit System Log Settings ... 683
    44.3.3 Edit Remote Server Log Settings ... 688
    44.3.4 Active Log Summary Screen ... 690

File Manager ... 693
  45.1 Overview ... 693
    45.1.1 What You Can Do in this Chapter ... 693
    45.1.2 What You Need to Know ... 693
  45.2 The Configuration File Screen ... 696
  45.3 The Firmware Package Screen ... 700
  45.4 The Shell Script Screen ... 702

Diagnostics ... 705
  46.1 Overview ... 705
    46.1.1 What You Can Do in this Chapter ... 705
  46.2 The Diagnostic Screen ... 705
    46.2.1 The Diagnostics Files Screen ... 706
  46.3 The Packet Capture Screen ... 707
    46.3.1 The Packet Capture Files Screen ... 710
    46.3.2 Example of Viewing a Packet Capture File ... 711
  46.4 Core Dump Screen ... 712
    46.4.1 Core Dump Files Screen ... 713
  46.5 The System Log Screen ... 714

Packet Flow Explore ... 715
  47.1 Overview ... 715
    47.1.1 What You Can Do in this Chapter ... 715
  47.2 The Routing Status Screen ... 715
  47.3 The SNAT Status Screen ... 719

Reboot ... 723
  48.1 Overview ... 723
    48.1.1 What You Need To Know ... 723
  48.2 The Reboot Screen ... 723

Shutdown ... 725
  49.1 Overview ... 725
    49.1.1 What You Need To Know ... 725
  49.2 The Shutdown Screen ... 725

Troubleshooting ... 727
  50.1 Resetting the ZyWALL ... 738
  50.2 Getting More Troubleshooting Help ... 739

Product Specifications ... 741
  51.1 Power Adaptor Specifications ... 745

Appendices
  Log Descriptions ... 747
  Common Services ... 799
  Wireless LANs ... 803
  Importing Certificates ... 819
  Open Software Announcements ... 845
  Legal Information ... 935

Index ... 939

Size: 19.4 MB
Pages: 959
Language: English