ZyWALL USG 2000 User Manual

Table of Contents (section title followed by page number)

ZyWALL USG 2000  1
About This User's Guide  3
Document Conventions  6
Safety Warnings  8
Contents Overview  9
Table of Contents  11

User's Guide  31

1 Introducing the ZyWALL  33
  1.1 Overview and Key Default Settings  33
  1.2 Rack-mounted Installation  33
    1.2.1 Rack-Mounted Installation Procedure  34
  1.3 Front Panel  35
    1.3.1 Dual Personality Interfaces  35
    1.3.2 Maximizing Throughput  39
    1.3.3 Front Panel LEDs  39
  1.4 Management Overview  40
  1.5 Starting and Stopping the ZyWALL  41

2 Features and Applications  43
  2.1 Features  43
  2.2 Applications  45
    2.2.1 VPN Connectivity  46
    2.2.2 SSL VPN Network Access  46
    2.2.3 User-Aware Access Control  48
    2.2.4 Multiple WAN Interfaces  48
    2.2.5 Device HA  49

3 Web Configurator  51
  3.1 Web Configurator Requirements  51
  3.2 Web Configurator Access  51
  3.3 Web Configurator Screens Overview  53
    3.3.1 Title Bar  54
    3.3.2 Navigation Panel  54
    3.3.3 Main Window  60
    3.3.4 Tables and Lists  63

4 Installation Setup Wizard  67
  4.1 Installation Setup Wizard Screens  67
    4.1.1 Internet Access Setup - WAN Interface  68
    4.1.2 Internet Access: Ethernet  68
    4.1.3 Internet Access: PPPoE  70
    4.1.4 Internet Access: PPTP  71
    4.1.5 ISP Parameters  71
    4.1.6 Internet Access Setup - Second WAN Interface  73
    4.1.7 Internet Access - Finish  73
  4.2 Device Registration  74

5 Quick Setup  77
  5.1 Quick Setup Overview  77
  5.2 WAN Interface Quick Setup  78
    5.2.1 Choose an Ethernet Interface  78
    5.2.2 Select WAN Type  78
    5.2.3 Configure WAN Settings  79
    5.2.4 WAN and ISP Connection Settings  80
    5.2.5 Quick Setup Interface Wizard: Summary  82
  5.3 VPN Quick Setup  83
  5.4 VPN Setup Wizard: Wizard Type  84
  5.5 VPN Express Wizard - Scenario  85
    5.5.1 VPN Express Wizard - Configuration  86
    5.5.2 VPN Express Wizard - Summary  87
    5.5.3 VPN Express Wizard - Finish  88
    5.5.4 VPN Advanced Wizard - Scenario  89
    5.5.5 VPN Advanced Wizard - Phase 1 Settings  90
    5.5.6 VPN Advanced Wizard - Phase 2  92
    5.5.7 VPN Advanced Wizard - Summary  93
    5.5.8 VPN Advanced Wizard - Finish  94

6 Configuration Basics  95
  6.1 Object-based Configuration  95
  6.2 Zones, Interfaces, and Physical Ports  96
    6.2.1 Interface Types  97
    6.2.2 Default Interface and Zone Configuration  98
  6.3 Terminology in the ZyWALL  99
  6.4 Packet Flow  100
    6.4.1 ZLD 2.20 Packet Flow Enhancements  100
    6.4.2 Routing Table Checking Flow Enhancements  101
    6.4.3 NAT Table Checking Flow  102
  6.5 Feature Configuration Overview  103
    6.5.1 Feature  104
    6.5.2 Licensing Registration  104
    6.5.3 Licensing Update  104
    6.5.4 Interface  105
    6.5.5 Trunks  105
    6.5.6 Policy Routes  105
    6.5.7 Static Routes  107
    6.5.8 Zones  107
    6.5.9 DDNS  107
    6.5.10 NAT  107
    6.5.11 HTTP Redirect  108
    6.5.12 ALG  109
    6.5.13 Auth. Policy  109
    6.5.14 Firewall  109
    6.5.15 IPSec VPN  110
    6.5.16 SSL VPN  110
    6.5.17 L2TP VPN  111
    6.5.18 Application Patrol  111
    6.5.19 Anti-Virus  112
    6.5.20 IDP  112
    6.5.21 ADP  112
    6.5.22 Content Filter  112
    6.5.23 Anti-Spam  113
    6.5.24 Device HA  113
  6.6 Objects  114
    6.6.1 User/Group  114
  6.7 System  115
    6.7.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM  115
    6.7.2 Logs and Reports  116
    6.7.3 File Manager  116
    6.7.4 Diagnostics  116
    6.7.5 Shutdown  116

7 Tutorials  119
  7.1 How to Configure Interfaces, Port Grouping, and Zones  119
    7.1.1 Configure a WAN Ethernet Interface  120
    7.1.2 Configure Zones  120
    7.1.3 Configure Port Grouping  121
  7.2 How to Configure a Cellular Interface  122
  7.3 How to Configure Load Balancing  124
    7.3.1 Set Up Available Bandwidth on Ethernet Interfaces  125
    7.3.2 Configure the WAN Trunk  126
  7.4 How to Set Up an IPSec VPN Tunnel  127
    7.4.1 Set Up the VPN Gateway  128
    7.4.2 Set Up the VPN Connection  129
    7.4.3 Configure Security Policies for the VPN Tunnel  130
  7.5 How to Configure a Hub-and-spoke IPSec VPN Without a VPN Concentrator  131
  7.6 How to Configure User-aware Access Control  133
    7.6.1 Set Up User Accounts  134
    7.6.2 Set Up User Groups  134
    7.6.3 Set Up User Authentication Using the RADIUS Server  135
    7.6.4 Web Surfing Policies With Bandwidth Restrictions  137
    7.6.5 Set Up MSN Policies  140
    7.6.6 Set Up Firewall Rules  141
  7.7 How to Use a RADIUS Server to Authenticate User Accounts Based on Groups  142
  7.8 How to Use Endpoint Security and Authentication Policies  144
    7.8.1 Configure the Endpoint Security Objects  144
    7.8.2 Configure the Authentication Policy  146
  7.9 How to Configure Service Control  147
    7.9.1 Allow HTTPS Administrator Access Only From the LAN  148
  7.10 How to Allow Incoming H.323 Peer-to-peer Calls  150
    7.10.1 Turn On the ALG  151
    7.10.2 Set Up a NAT Policy For H.323  151
    7.10.3 Set Up a Firewall Rule For H.323  153
  7.11 How to Allow Public Access to a Web Server  154
    7.11.1 Create the Address Objects  155
    7.11.2 Configure NAT  155
    7.11.3 Set Up a Firewall Rule  156
  7.12 How to Use an IPPBX on the DMZ  157
    7.12.1 Turn On the ALG  159
    7.12.2 Create the Address Objects  159
    7.12.3 Set Up a NAT Policy for the IPPBX  160
    7.12.4 Set Up a WAN to DMZ Firewall Rule for SIP  161
    7.12.5 Set Up a DMZ to LAN Firewall Rule for SIP  162
  7.13 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic  163
    7.13.1 Create the Public IP Address Range Object  163
    7.13.2 Configure the Policy Route  164
  7.14 How to Use Active-Passive Device HA  164
    7.14.1 Before You Start  165
    7.14.2 Configure Device HA on the Master ZyWALL  166
    7.14.3 Configure the Backup ZyWALL  168
    7.14.4 Deploy the Backup ZyWALL  170
    7.14.5 Check Your Device HA Setup  170

8 L2TP VPN Example  171
  8.1 L2TP VPN Example  171
  8.2 Configuring the Default L2TP VPN Gateway Example  171
  8.3 Configuring the Default L2TP VPN Connection Example  173
  8.4 Configuring the L2TP VPN Settings Example  174
  8.5 Configuring L2TP VPN in Windows Vista, XP, or 2000  175
    8.5.1 Configuring L2TP in Windows Vista  175
    8.5.2 Configuring L2TP in Windows XP  185
    8.5.3 Configuring L2TP in Windows 2000  191

Technical Reference  207

9 Dashboard  209
  9.1 Overview  209
    9.1.1 What You Can Do in this Chapter  209
  9.2 The Dashboard Screen  209
    9.2.1 The CPU Usage Screen  216
    9.2.2 The Memory Usage Screen  217
    9.2.3 The Session Usage Screen  218
    9.2.4 The VPN Status Screen  219
    9.2.5 The DHCP Table Screen  219
    9.2.6 The Number of Login Users Screen  220

10 Monitor  223
  10.1 Overview  223
    10.1.1 What You Can Do in this Chapter  223
  10.2 The Port Statistics Screen  224
    10.2.1 The Port Statistics Graph Screen  226
  10.3 Interface Status Screen  227
  10.4 The Traffic Statistics Screen  230
  10.5 The Session Monitor Screen  233
  10.6 The DDNS Status Screen  236
  10.7 IP/MAC Binding Monitor  236
  10.8 The Login Users Screen  238
  10.9 Cellular Status Screen  239
  10.10 Application Patrol Statistics  241
    10.10.1 Application Patrol Statistics: General Setup  241
    10.10.2 Application Patrol Statistics: Bandwidth Statistics  242
    10.10.3 Application Patrol Statistics: Protocol Statistics  243
    10.10.4 Application Patrol Statistics: Individual Protocol Statistics by Rule  244
  10.11 The IPSec Monitor Screen  245
    10.11.1 Regular Expressions in Searching IPSec SAs  247
  10.12 The SSL Connection Monitor Screen  248
  10.13 L2TP over IPSec Session Monitor Screen  249
  10.14 The Anti-Virus Statistics Screen  250
  10.15 The IDP Statistics Screen  252
  10.16 The Content Filter Statistics Screen  254
  10.17 Content Filter Cache Screen  255
  10.18 The Anti-Spam Statistics Screen  258
  10.19 The Anti-Spam Status Screen  260
  10.20 Log Screen  261

11 Registration  265
  11.1 Overview  265
    11.1.1 What You Can Do in this Chapter  265
    11.1.2 What You Need to Know  265
  11.2 The Registration Screen  267
  11.3 The Service Screen  269

12 Signature Update  271
  12.1 Overview  271
    12.1.1 What You Can Do in this Chapter  271
    12.1.2 What You Need to Know  271
  12.2 The Antivirus Update Screen  272
  12.3 The IDP/AppPatrol Update Screen  273
  12.4 The System Protect Update Screen  275

13 Interfaces  277
  13.1 Interface Overview  277
    13.1.1 What You Can Do in this Chapter  277
    13.1.2 What You Need to Know  278
  13.2 Port Grouping  280
    13.2.1 Port Grouping Overview  281
    13.2.2 Port Grouping Screen  281
  13.3 Ethernet Summary Screen  282
    13.3.1 Ethernet Edit  284
    13.3.2 Object References  291
  13.4 PPP Interfaces  292
    13.4.1 PPP Interface Summary  293
    13.4.2 PPP Interface Add or Edit  295
  13.5 Cellular Configuration Screen (3G)  299
    13.5.1 Cellular Add/Edit Screen  301
  13.6 VLAN Interfaces  308
    13.6.1 VLAN Summary Screen  310
    13.6.2 VLAN Add/Edit  311
  13.7 Bridge Interfaces  318
    13.7.1 Bridge Summary  320
    13.7.2 Bridge Add/Edit  321
  13.8 Auxiliary Interface  327
    13.8.1 Auxiliary Interface Overview  327
    13.8.2 Auxiliary  327
  13.9 Virtual Interfaces  329
    13.9.1 Virtual Interfaces Add/Edit  330
  13.10 Interface Technical Reference  331

14 Trunks  337
  14.1 Overview  337
    14.1.1 What You Can Do in this Chapter  337
    14.1.2 What You Need to Know  338
  14.2 The Trunk Summary Screen  342
  14.3 Configuring a Trunk  343
  14.4 Trunk Technical Reference  345

15 Policy and Static Routes  347
  15.1 Policy and Static Routes Overview  347
    15.1.1 What You Can Do in this Chapter  347
    15.1.2 What You Need to Know  348
  15.2 Policy Route Screen  350
    15.2.1 Policy Route Edit Screen  353
  15.3 IP Static Route Screen  357
    15.3.1 Static Route Add/Edit Screen  358
  15.4 Policy Routing Technical Reference  359

16 Routing Protocols  363
  16.1 Routing Protocols Overview  363
    16.1.1 What You Can Do in this Chapter  363
    16.1.2 What You Need to Know  363
  16.2 The RIP Screen  364
  16.3 The OSPF Screen  365
    16.3.1 Configuring the OSPF Screen  369
    16.3.2 OSPF Area Add/Edit Screen  372
    16.3.3 Virtual Link Add/Edit Screen  373
  16.4 Routing Protocol Technical Reference  374

17 Zones  377
  17.1 Zones Overview  377
    17.1.1 What You Can Do in this Chapter  377
    17.1.2 What You Need to Know  378
  17.2 The Zone Screen  379
  17.3 Zone Edit  380

18 DDNS  381
  18.1 DDNS Overview  381
    18.1.1 What You Can Do in this Chapter  381
    18.1.2 What You Need to Know  381
  18.2 The DDNS Screen  382
    18.2.1 The Dynamic DNS Add/Edit Screen  384

19 NAT  387
  19.1 NAT Overview  387
    19.1.1 What You Can Do in this Chapter  387
    19.1.2 What You Need to Know  388
  19.2 The NAT Screen  388
    19.2.1 The NAT Add/Edit Screen  390
  19.3 NAT Technical Reference  393

20 HTTP Redirect  397
  20.1 Overview  397
    20.1.1 What You Can Do in this Chapter  397
    20.1.2 What You Need to Know  398
  20.2 The HTTP Redirect Screen  399
    20.2.1 The HTTP Redirect Edit Screen  400

21 ALG  401
  21.1 ALG Overview  401
    21.1.1 What You Can Do in this Chapter  401
    21.1.2 What You Need to Know  402
    21.1.3 Before You Begin  405
  21.2 The ALG Screen  405
  21.3 ALG Technical Reference  407

22 IP/MAC Binding  409
  22.1 IP/MAC Binding Overview  409
    22.1.1 What You Can Do in this Chapter  409
    22.1.2 What You Need to Know  410
  22.2 IP/MAC Binding Summary  410
    22.2.1 IP/MAC Binding Edit  411
    22.2.2 Static DHCP Edit  412
  22.3 IP/MAC Binding Exempt List  413

23 Authentication Policy  415
  23.1 Overview  415
    23.1.1 What You Can Do in this Chapter  415
    23.1.2 What You Need to Know  416
  23.2 Authentication Policy Screen  416
    23.2.1 Creating/Editing an Authentication Policy  419

24 Firewall  423
  24.1 Overview  423
    24.1.1 What You Can Do in this Chapter  423
    24.1.2 What You Need to Know  424
    24.1.3 Firewall Rule Example Applications  426
    24.1.4 Firewall Rule Configuration Example  429
  24.2 The Firewall Screen  431
    24.2.1 Configuring the Firewall Screen  432
    24.2.2 The Firewall Add/Edit Screen  435
  24.3 The Session Limit Screen  436
    24.3.1 The Session Limit Add/Edit Screen  438

25 IPSec VPN  441
  25.1 IPSec VPN Overview  441
    25.1.1 What You Can Do in this Chapter  441
    25.1.2 What You Need to Know  442
    25.1.3 Before You Begin  444
  25.2 The VPN Connection Screen  444
    25.2.1 The VPN Connection Add/Edit (IKE) Screen  446
    25.2.2 The VPN Connection Add/Edit Manual Key Screen  453
  25.3 The VPN Gateway Screen  456
    25.3.1 The VPN Gateway Add/Edit Screen  457
  25.4 VPN Concentrator  465
    25.4.1 IPSec VPN Concentrator Example  465
    25.4.2 VPN Concentrator Screen  468
    25.4.3 The VPN Concentrator Add/Edit Screen  468
  25.5 IPSec VPN Background Information  469

26 SSL VPN  481
  26.1 Overview  481
    26.1.1 What You Can Do in this Chapter  481
    26.1.2 What You Need to Know  481
  26.2 The SSL Access Privilege Screen  484
    26.2.1 The SSL Access Policy Add/Edit Screen  486
  26.3 The SSL Global Setting Screen  488
    26.3.1 How to Upload a Custom Logo  490
  26.4 Establishing an SSL VPN Connection  491

27 SSL User Screens  493
  27.1 Overview  493
    27.1.1 What You Need to Know  493
  27.2 Remote User Login  494
  27.3 The SSL VPN User Screens  499
  27.4 Bookmarking the ZyWALL  500
  27.5 Logging Out of the SSL VPN User Screens  500

28 SSL User Application Screens  503
  28.1 SSL User Application Screens Overview  503
  28.2 The Application Screen  503

29 SSL User File Sharing  505
  29.1 Overview  505
    29.1.1 What You Need to Know  505
  29.2 The Main File Sharing Screen  506
  29.3 Opening a File or Folder  506
    29.3.1 Downloading a File  508
    29.3.2 Saving a File  509
  29.4 Creating a New Folder  509
  29.5 Renaming a File or Folder  510
  29.6 Deleting a File or Folder  510
  29.7 Uploading a File  511

30 ZyWALL SecuExtender  513
  30.1 The ZyWALL SecuExtender Icon  513
  30.2 Statistics  514
  30.3 View Log  515
  30.4 Suspend and Resume the Connection  515
  30.5 Stop the Connection  516
  30.6 Uninstalling the ZyWALL SecuExtender  516

31 L2TP VPN  517
  31.1 Overview  517
    31.1.1 What You Can Do in this Chapter  517
    31.1.2 What You Need to Know  517
  31.2 L2TP VPN Screen  519

32 Application Patrol  521
  32.1 Overview  521
    32.1.1 What You Can Do in this Chapter  521
    32.1.2 What You Need to Know  522
    32.1.3 Application Patrol Bandwidth Management Examples  527
  32.2 Application Patrol General Screen  531
  32.3 Application Patrol Applications  532
    32.3.1 The Application Patrol Edit Screen  533
    32.3.2 The Application Patrol Policy Edit Screen  537
  32.4 The Other Applications Screen  540
    32.4.1 The Other Applications Add/Edit Screen  543

33 Anti-Virus  547
  33.1 Overview  547
    33.1.1 What You Can Do in this Chapter  547
    33.1.2 What You Need to Know  548
    33.1.3 Before You Begin  550
  33.2 Anti-Virus Summary Screen  550
    33.2.1 Anti-Virus Policy Add or Edit Screen  553
  33.3 Anti-Virus Black List  555
  33.4 Anti-Virus Black List or White List Add/Edit  556
  33.5 Anti-Virus White List  557
  33.6 Signature Searching  558
  33.7 Anti-Virus Technical Reference  561

34 IDP  563
  34.1 Overview  563
    34.1.1 What You Can Do in this Chapter  563
    34.1.2 What You Need To Know  563
    34.1.3 Before You Begin  564
  34.2 The IDP General Screen  565
  34.3 Introducing IDP Profiles  567
    34.3.1 Base Profiles  568
  34.4 The Profile Summary Screen  569
  34.5 Creating New Profiles  570
    34.5.1 Procedure To Create a New Profile  570
  34.6 Profiles: Packet Inspection  571
    34.6.1 Profile > Group View Screen  571
    34.6.2 Policy Types  574
    34.6.3 IDP Service Groups  575
    34.6.4 Profile > Query View Screen  576
    34.6.5 Query Example  579
  34.7 Introducing IDP Custom Signatures  581
    34.7.1 IP Packet Header  581
  34.8 Configuring Custom Signatures  582
    34.8.1 Creating or Editing a Custom Signature  584
    34.8.2 Custom Signature Example  590
    34.8.3 Applying Custom Signatures  592
    34.8.4 Verifying Custom Signatures  593
  34.9 IDP Technical Reference  594

35 ADP  597
  35.1 Overview  597
    35.1.1 ADP and IDP Comparison  597
    35.1.2 What You Can Do in this Chapter  597
    35.1.3 What You Need To Know  597
    35.1.4 Before You Begin  598
  35.2 The ADP General Screen  599
  35.3 The Profile Summary Screen  600
    35.3.1 Base Profiles  601
    35.3.2 Configuring The ADP Profile Summary Screen  601
    35.3.3 Creating New ADP Profiles  602
    35.3.4 Traffic Anomaly Profiles  602
    35.3.5 Protocol Anomaly Profiles  605
    35.3.6 Protocol Anomaly Configuration  605
  35.4 ADP Technical Reference  609

36 Content Filtering  617
  36.1 Overview  617
    36.1.1 What You Can Do in this Chapter  617
    36.1.2 What You Need to Know  617
    36.1.3 Before You Begin  619
  36.2 Content Filter General Screen  619
  36.3 Content Filter Policy Add or Edit Screen  622
  36.4 Content Filter Profile Screen  624
  36.5 Content Filter Categories Screen  624
    36.5.1 Content Filter Blocked and Warning Messages  636
  36.6 Content Filter Customization Screen  637
  36.7 Content Filter Technical Reference  639

37 Content Filter Reports  641
  37.1 Overview  641
  37.2 Viewing Content Filter Reports  641

38 Anti-Spam  649
  38.1 Overview  649
    38.1.1 What You Can Do in this Chapter  649
    38.1.2 What You Need to Know  649
  38.2 Before You Begin  651
  38.3 The Anti-Spam General Screen  651
    38.3.1 The Anti-Spam Policy Add or Edit Screen  653
  38.4 The Anti-Spam Black List Screen  655
    38.4.1 The Anti-Spam Black or White List Add/Edit Screen  657
    38.4.2 Regular Expressions in Black or White List Entries  658
  38.5 The Anti-Spam White List Screen  659
  38.6 The DNSBL Screen  660
  38.7 Anti-Spam Technical Reference  662

39 Device HA  667
  39.1 Overview  667
    39.1.1 What You Can Do in this Chapter  667
    39.1.2 What You Need to Know  667
    39.1.3 Before You Begin  668
  39.2 Device HA General  669
  39.3 The Active-Passive Mode Screen  670
    39.3.1 Configuring Active-Passive Mode Device HA  672
  39.4 Configuring an Active-Passive Mode Monitored Interface  675
  39.5 The Legacy Mode Screen  677
  39.6 Configuring the Legacy Mode Screen  678
  39.7 Device HA Technical Reference  682

40 User/Group  689
  40.1 Overview  689
    40.1.1 What You Can Do in this Chapter  689
    40.1.2 What You Need To Know  689
  40.2 User Summary Screen  692
    40.2.1 User Add/Edit Screen  692
  40.3 User Group Summary Screen  695
    40.3.1 Group Add/Edit Screen  696
  40.4 Setting Screen  697
    40.4.1 Default User Authentication Timeout Settings Edit Screens  700
    40.4.2 User Aware Login Example  702
  40.5 User/Group Technical Reference  703

41 Addresses  705
  41.1 Overview  705
    41.1.1 What You Can Do in this Chapter  705
    41.1.2 What You Need To Know  705
  41.2 Address Summary Screen  705
    41.2.1 Address Add/Edit Screen  707
  41.3 Address Group Summary Screen  708
    41.3.1 Address Group Add/Edit Screen  709

42 Services  711
  42.1 Overview  711
    42.1.1 What You Can Do in this Chapter  711
    42.1.2 What You Need to Know  711
  42.2 The Service Summary Screen  712
    42.2.1 The Service Add/Edit Screen  714
  42.3 The Service Group Summary Screen  714
    42.3.1 The Service Group Add/Edit Screen  716

43 Schedules  717
  43.1 Overview  717
    43.1.1 What You Can Do in this Chapter  717
    43.1.2 What You Need to Know  717
  43.2 The Schedule Summary Screen  718
    43.2.1 The One-Time Schedule Add/Edit Screen  719
    43.2.2 The Recurring Schedule Add/Edit Screen  720

44 AAA Server  723
  44.1 Overview  723
    44.1.1 Directory Service (AD/LDAP)  723
    44.1.2 RADIUS Server  724
    44.1.3 ASAS  724
    44.1.4 What You Can Do in this Chapter  724
    44.1.5 What You Need To Know  725
  44.2 Active Directory or LDAP Server Summary  727
    44.2.1 Adding an Active Directory or LDAP Server  727
  44.3 RADIUS Server Summary  729
    44.3.1 Adding a RADIUS Server  731

45 Authentication Method  733
  45.1 Overview  733
    45.1.1 What You Can Do in this Chapter  733
    45.1.2 Before You Begin  733
    45.1.3 Example: Selecting a VPN Authentication Method  733
  45.2 Authentication Method Objects  734
    45.2.1 Creating an Authentication Method Object  735

46 Certificates  739
  46.1 Overview  739
    46.1.1 What You Can Do in this Chapter  739
    46.1.2 What You Need to Know  739
    46.1.3 Verifying a Certificate  741
  46.2 The My Certificates Screen  743
    46.2.1 The My Certificates Add Screen  744
    46.2.2 The My Certificates Edit Screen  749
    46.2.3 The My Certificates Import Screen  752
  46.3 The Trusted Certificates Screen  753
    46.3.1 The Trusted Certificates Edit Screen  754
    46.3.2 The Trusted Certificates Import Screen  758
  46.4 Certificates Technical Reference  759

47 ISP Accounts  761
  47.1 Overview  761
    47.1.1 What You Can Do in this Chapter  761
  47.2 ISP Account Summary  761
    47.2.1 ISP Account Edit  762

48 SSL Application  765
  48.1 Overview  765
    48.1.1 What You Can Do in this Chapter  765
    48.1.2 What You Need to Know  765
    48.1.3 Example: Specifying a Web Site for Access  766
  48.2 The SSL Application Screen  767
    48.2.1 Creating/Editing a Web-based SSL Application Object  768
    48.2.2 Creating/Editing a File Sharing SSL Application Object  770

49 Endpoint Security  773
  49.1 Overview  773
    49.1.1 What You Can Do in this Chapter  774
    49.1.2 What You Need to Know  774
  49.2 Endpoint Security Screen  775
  49.3 Endpoint Security Add/Edit  777

50 System  783
  50.1 Overview  783
    50.1.1 What You Can Do in this Chapter  783
  50.2 Host Name  784
  50.3 Date and Time  785
    50.3.1 Pre-defined NTP Time Servers List  787
    50.3.2 Time Server Synchronization  788
  50.4 Console Port Speed  789
  50.5 DNS Overview  789
    50.5.1 DNS Server Address Assignment  790
    50.5.2 Configuring the DNS Screen  790
    50.5.3 Address Record  793
    50.5.4 PTR Record  793
    50.5.5 Adding an Address/PTR Record  793
    50.5.6 Domain Zone Forwarder  794
    50.5.7 Adding a Domain Zone Forwarder  794
    50.5.8 MX Record  795
    50.5.9 Adding an MX Record  796
    50.5.10 Adding a DNS Service Control Rule  796
  50.6 WWW Overview  797
    50.6.1 Service Access Limitations  798
    50.6.2 System Timeout  798
    50.6.3 HTTPS  798
    50.6.4 Configuring WWW Service Control  799
    50.6.5 Service Control Rules  803
    50.6.6 Customizing the WWW Login Page  803
    50.6.7 HTTPS Example  807
  50.7 SSH  814
    50.7.1 How SSH Works  815
    50.7.2 SSH Implementation on the ZyWALL  816
    50.7.3 Requirements for Using SSH  816
    50.7.4 Configuring SSH  816
    50.7.5 Secure Telnet Using SSH Examples  818
  50.8 Telnet  819
    50.8.1 Configuring Telnet  820
  50.9 FTP  821
    50.9.1 Configuring FTP  821
  50.10 SNMP  823
    50.10.1 Supported MIBs  825
    50.10.2 SNMP Traps  825
    50.10.3 Configuring SNMP  825
  50.11 Dial-in Management  827
    50.11.1 Configuring Dial-in Mgmt  828
  50.12 Vantage CNM  829
    50.12.1 Configuring Vantage CNM  830
  50.13 Language Screen  832

51 Log and Report  833
  51.1 Overview  833
    51.1.1 What You Can Do In this Chapter  833
  51.2 Email Daily Report  833
  51.3 Log Setting Screens  835
    51.3.1 Log Setting Summary  836
    51.3.2 Edit System Log Settings  837
    51.3.3 Edit Remote Server Log Settings  842
    51.3.4 Active Log Summary Screen  844

52 File Manager  847
  52.1 Overview  847
    52.1.1 What You Can Do in this Chapter  847
    52.1.2 What You Need to Know  847
  52.2 The Configuration File Screen  850
  52.3 The Firmware Package Screen  854
  52.4 The Shell Script Screen  856

53 Diagnostics  859
  53.1 Overview  859
    53.1.1 What You Can Do in this Chapter  859
  53.2 The Diagnostic Screen  859
  53.3 The Packet Capture Screen  860
    53.3.1 The Packet Capture Files Screen  862
    53.3.2 Example of Viewing a Packet Capture File  863

54 Reboot  865
  54.1 Overview  865
    54.1.1 What You Need To Know  865
  54.2 The Reboot Screen  865

55 Shutdown  867
  55.1 Overview  867
    55.1.1 What You Need To Know  867
  55.2 The Shutdown Screen  867

56 Troubleshooting  869
  56.1 Resetting the ZyWALL  886
  56.2 Changing a Power Module  887
  56.3 Getting More Troubleshooting Help  889

57 Product Specifications  891
  57.1 3G PCMCIA Card Installation  897

Appendices
Log Descriptions  899
Common Services  959
Displaying Anti-Virus Alert Messages in Windows  963
Importing Certificates  969
Open Software Announcements  995
Legal Information  1051
Index  1055

Size: 25.5 MB
Pages: 1081
Language: English