ZYWALL USG 2000 - UTM Firewall ZYXEL - Free user manual and instructions

USER MANUAL ZYWALL USG 2000 ZYXEL

Unified Security Gateway

User's Guide

Default Login Details

Firmware Version 2.11

Edition 1, 2/2009

www.zyxel.com

ZyXEL

About This User's Guide

Intended Audience

This manual is intended for people who want to want to configure the ZyWALL using the web configurator.

How To Use This Guide

• Read Chapter 1 on page 31 chapter for an overview of features available on the ZyWALL.
• Read Chapter 3 on page 47 for web browser requirements and an introduction to the main components, icons and menus in the ZyWALL web configurator.
• Read Chapter 4 on page 59 if you're using the wizards for first time setup and you want more detailed information than what the real time online help provides.
• It is highly recommended you read Chapter 5 on page 101 for detailed information on essential terms used in the ZyWALL, what prerequisites are needed to configure a feature and how to use that feature.
• It is highly recommended you read Chapter 6 on page 119 for ZyWALL application examples.
• Subsequent chapters are arranged by menu item as defined in the web configurator. Read each chapter carefully for detailed information on that menu item.
• To find specific information in this guide, use the Contents Overview, the Table of Contents, the Index, or search the PDF file. E-mail techwriters@zyxel.com.tw if you cannot find the information you require.

Related Documentation

- Quick Start Guide

The Quick Start Guide is designed to show you how to make the ZyWALL hardware connections, rack mounting and access the web configurator wizards. (See the wizard real time help for information on configuring each screen.) It contains a connection diagram, default settings, handy checklists and information on setting up your network and configuring for Internet access.

• CLI Reference Guide

The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the ZyWALL.

Note: It is recommended you use the web configurator to configure the ZyWALL.

• Web Configurator Online Help

Click the help icon in any screen for help in configuring that screen and supplementary information.

- Support Disc

Refer to the included CD for support documents.

- ZyXEL Web Site

Please refer to www.zyxel.com for additional support documentation and product certifications.

User Guide Feedback

Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!

The Technical Writing Team,

ZyXEL Communications Corp.,

6 Innovation Road II,

Science-Based Industrial Park,

Hsinchu, 300, Taiwan.

E-mail: techwriters@zyxel.com.tw

Customer Support

In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. See http://www.zyxel.com/web/contact_us.php for contact information. Please have the following information ready when you contact an office.

• Product model and serial number.
- Warranty Information.
- Date that you received your device.
- Brief description of the problem and the steps you took to solve it.

Disclaimer

Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate.

Document Conventions

Warnings and Notes

These are how warnings and notes are shown in this User's Guide.

Warnings tell you about things that could harm you or your device.

Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions

• The ZyWALL USG 2000 may be referred to as the "ZyWALL", the "device", the "system" or the "product" in this User's Guide.
• Product labels, screen names, field labels and field choices are all in bold font.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
• "Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
• A right angle bracket ( > ) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
• Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
• "e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".

Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.

ZyWALL	Computer-	Notebook computer-
Server	Firewall-	Telephone-
Switch-	Router

Safety Warnings

• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT store things on the device.
• Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
• Connect ONLY suitable accessories to the device.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
• Make sure to connect the cables to the correct ports.
• Place connecting cables carefully so that no one will step on them or stumble over them.
  • Always disconnect all cables from this device before servicing or disassembling.
• Caution: This unit has more than one power supply cord. Disconnect two power supply cords before servicing to avoid electric shock. (has multiple power cords, e.g., chassis-based Ethernet switch. Make sure you specify the correct number of power cords in both the English and the French that follows)
• Attention: Cet appareil comporte plus d'un cordon d'alimentation. Afin de prévenir les chocs électriques, debrancher les deux cordons d'alimentation avant de faire le dépannage.
• Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the device and the power source.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose them at the applicable collection point for the recycling of electrical and electronic equipment. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.

Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.

Contents Overview

Getting Started 29

Introducing the ZyWALL 31

Features and Applications 39

Web Configurator 47

Wizard Setup 59

Configuration Basics 101

Tutorials 119

Status 149

Registration 165

Signature Update 171

Network 179

Interface 181

Trunks 239

Policy and Static Routes 249

Routing Protocols 263

Zones 275

DDNS 279

Virtual Servers 287

HTTP Redirect 301

ALG 305

IP/MAC Binding 313

Firewall 319

Firewall 321

VPN 337

IPSec VPN 339

SSL VPN 379

SSL User Screens 391

SSL User Application Screens 399

SSL User File Sharing 401

L2TP VPN 409

L2TP VPN Example 415

Application Patrol 443

Application Patrol 445

Anti-X 471

Anti-Virus 473

IDP 489

ADP 523

Content Filtering 543

Content Filter Reports 567

Anti-Spam 575

Device HA 591

Device HA 593

Objects 611

User/Group 613

Addresses 629

Services 635

Schedules 641

AAA Server 647

Authentication Method 659

Certificates 663

ISP Accounts 685

SSL Application 689

System 695

System 697

Maintenance, Troubleshooting, & Specifications 747

File Manager 749

Logs 761

Reports 775

Diagnostics 793

Reboot 795

Troubleshooting 797

Product Specifications 803

Appendices and Index 809

Table of Contents

About This User's Guide .... 3

Document Conventions....5

Safety Warnings....7

Contents Overview ......9

Table of Contents....11

Part I: Getting Started 29

Chapter 1 Introducing the ZyWALL ....31

1.1 Overview and Key Default Settings 31

1.2 Front Panel 32

1.2.1 Dual Personality Interfaces ...... 32

1.2.2 Front Panel LEDs 35

1.3 Management Overview ...... 36

1.4 Starting and Stopping the ZyWALL 37

Chapter 2 Features and Applications....39

2.1 Features 39

2.2 Packet Flow 41

2.2.1 Interface to Interface (Through ZyWALL) 42

2.2.2 Interface to Interface (To/From ZyWALL) 42

2.2.3 Interface to Interface (From VPN Tunnel) 42

2.2.4 Interface to Interface (To VPN Tunnel) 42

2.3 Applications 43

2.3.1 VPN Connectivity 43

2.3.2 SSL VPN Network Access 43

2.3.3 User-Aware Access Control 45

2.3.4 Multiple WAN Interfaces 45

2.3.5 Device HA 46

Chapter 3 Web Configurator......47

3.1 Web Configurator Requirements 47
3.2 Web Configurator Access 47
3.3 Web Configurator Main Screen 49

3.3.1 Title Bar 50
3.3.2 Navigation Panel 50
3.3.3 Main Window 55
3.3.4 Message Bar 55

Chapter 4

Wizard Setup 59

4.1 Wizard Setup Overview 59
4.2 Installation Setup, One ISP 60
4.3 Step 1 Internet Access 62

4.3.1 Ethernet: Auto IP Address Assignment 62
4.3.2 Ethernet: Static IP Address Assignment 63
4.3.3 Step 2 Internet Access Ethernet 64
4.3.4 PPPoE: Auto IP Address Assignment 66
4.3.5 PPPoE: Static IP Address Assignment 68
4.3.6 Step 2 Internet Access PPPoE 69
4.3.7 PPTP: Auto IP Address Assignment 71
4.3.8 PPTP: Static IP Address Assignment 74
4.3.9 Step 2 Internet Access PPTP 75
4.3.10 Step 4 Internet Access - Finish 77

4.4 Device Registration 77

4.5 Installation Setup, Two Internet Service Providers 80

4.5.1 Internet Access Wizard Setup Complete 83

4.6 VPN Setup 84

4.7 VPN Wizards 85

4.7.1 VPN Express Wizard 85

4.8 VPN Express Wizard - Scenario 86

4.8.1 VPN Express Wizard - Policy Setting 88
4.8.2 VPN Express Wizard - Summary 89
4.8.3 VPN Express Wizard - Finish 90
4.8.4 VPN Advanced Wizard 91
4.8.5 VPN Advanced Wizard - Advanced Settings 94
4.8.6 VPN Advanced Wizard - Phase 2 96
4.8.7 VPN Advanced Wizard - Summary 98
4.8.8 VPN Advanced Wizard - Finish 99

Chapter 5

Configuration Basics....101

5.1 Object-based Configuration 101
5.2 Zones, Interfaces, and Physical Ports 102

5.2.1 Interface Types 102
5.2.2 Default Interface and Zone Configuration 103

5.3 Terminology in the ZyWALL 104

5.4 Feature Configuration Overview 105

5.4.1 Feature 105

5.4.2 Interface 106

5.4.3 Trunks 106

5.4.4 IPSec VPN 107

5.4.5 SSL VPN 107

5.4.6 L2TP VPN 107

5.4.7 Zones 108

5.4.8 Device HA 108

5.4.9 DDNS 108

5.4.10 Policy Routes 108

5.4.11 Static Routes ...... 110

5.4.12 Firewall 110

5.4.13 Application Patrol 111

5.4.14 Anti-Virus 111

5.4.15 IDP 112

5.4.16 ADP 112

5.4.17 Content Filter 112

5.4.18 Anti-Spam 113

5.4.19 Virtual Server (Port Forwarding) 113

5.4.20 HTTP Redirect 114

5.4.21 ALG 115

5.5 Objects 115

5.5.1 User/Group 116

5.6 System Management and Maintenance ....116

5.6.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM .....116

5.6.2 File Manager ....117

5.6.3 Licensing Registration 117

5.6.4 Licensing Update ....118

5.6.5 Logs and Reports ...... 118

5.6.6 Diagnostics ....118

Chapter 6 Tutorials......119

6.1 How to Configure Interfaces, Port Grouping, and Zones 119

6.1.1 Configure a WAN Ethernet Interface 120

6.1.2 Configure Zones 120

6.1.3 Configure Port Grouping 121

6.2 How to Configure Load Balancing 122

6.2.1 Set Up Available Bandwidth on Ethernet Interfaces 123

6.2.2 Configure the WAN Trunk 123

6.3 How to Set Up an IPSec VPN Tunnel 124

6.3.1 Set Up the VPN Gateway 125
6.3.2 Set Up the VPN Connection 125
6.3.3 Set Up the Policy Route for the VPN Tunnel 126
6.3.4 Configure Security Policies for the VPN Tunnel 128

6.4 How to Configure User-aware Access Control 128

6.4.1 Set Up User Accounts 128
6.4.2 Set Up User Groups 129
6.4.3 Set Up User Authentication Using the RADIUS Server 129
6.4.4 Set Up Web Surfing Policies With Bandwidth Restrictions 131
6.4.5 Set Up MSN Policies 133
6.4.6 Set Up Firewall Rules 134

6.5 How to Configure Service Control 135

6.5.1 Allow HTTPS Administrator Access Only From the LAN 135

6.6 How to Allow Incoming H.323 Peer-to-peer Calls 138

6.6.1 Turn On the ALG 139
6.6.2 Set Up a Virtual Server Policy For H.323 139
6.6.3 Set Up a Firewall Rule For H.323 140

6.7 How to Use Active-Passive Device HA 141

6.7.1 Before You Start 142
6.7.2 Configure Device HA on the Master ZyWALL 143
6.7.3 Configure the Backup ZyWALL 144
6.7.4 Deploy the Backup ZyWALL 145
6.7.5 Check Your Device HA Setup 146

6.8 How to Allow Public Access to a Server 146

6.8.1 Create the Address Objects 146
6.8.2 Configure a Virtual Server 147

Chapter 7 Status....149

7.1 Overview 149

7.1.1 What You Can Do in the Status Screens 149

7.2 The Status Screen 150

7.2.1 The CPU Usage Screen 155
7.2.2 The Memory Usage Screen 156
7.2.3 The Session Usage Screen 157
7.2.4 The VPN Status Screen 158
7.2.5 The DHCP Table Screen 159
7.2.6 The Port Statistics Screen 160
7.2.7 The Port Statistics Graph Screen 161
7.2.8 The Current Users Screen 162
7.2.9 The SEM Status Detail Screen 162

Chapter 8

Registration 165

8.1 Overview ...... 165

8.1.1 What You Can Do in the Registration Screens 165
8.1.2 What you Need to Know About Service Registration 165

8.2 The Registration Screen 167

8.3 The Service Screen 169

Chapter 9

Signature Update 171

9.1 Overview ...... 171

9.1.1 What You Can Do in the Update Screens .... 171
9.1.2 What you Need to Know About Signature Updates 171

9.2 The Antivirus Update Screen 172
9.3 The IDP/AppPatrol Update Screen 173
9.4 The System Protect Update Screen 175

Part II: Network.... 179

Chapter 10

Interface 181

10.1 Interface Overview 181

10.1.1 What You Can Do in the Interface Screens .... 181
10.1.2 What You Need to Know About Interfaces 182

10.2 Interface Status Screen 185

10.3 Port Grouping 188

10.3.1 Port Grouping Overview 188
10.3.2 Port Grouping Screen 189

10.4 Ethernet Summary Screen 190

10.4.1 Ethernet Edit 191

10.5 The Static DHCP Screen 198

10.6 The PPP Interfaces 198

10.6.1 PPPoE/PPTP Overview 199
10.6.2 PPPoE/PPTP Interfaces Overview 199
10.6.3 PPP Interface Summary 200
10.6.4 PPP Interface Add/Edit 202

10.7 Cellular Configuration Screen (3G) 205

10.7.1 Cellular Add/Edit Screen 208

10.8 Cellular Status Screen 212

10.9 VLAN Interfaces 214

10.9.1 VLAN Overview 214

10.9.2 VLAN Interfaces Overview 216
10.9.3 VLAN Summary Screen 216
10.9.4 VLAN Add/Edit 217
10.10 Bridge Interfaces 222
10.10.1 Bridge Overview 222
10.10.2 Bridge Interface Overview 223
10.10.3 Bridge Summary 224
10.10.4 Bridge Add/Edit 225
10.11 Auxiliary Interface 230
10.11.1 Auxiliary Interface Overview 230
10.11.2 Auxiliary 231
10.12 Virtual Interfaces 233
10.12.1 Virtual Interfaces Add/Edit 233
10.13 Interface Technical Reference 235

Chapter 11

Trunks 239

11.1 Overview 239
11.1.1 What You Can Do in the Trunk Screens 239
11.1.2 What You Need to Know About Trunks 240
11.2 The Trunk Summary Screen 243
11.3 Configuring a Trunk 245
11.4 Trunk Technical Reference 246

Chapter 12

Policy and Static Routes 249

12.1 Policy and Static Routes Overview 249
12.1.1 What You Can Do in the Policy and Static Route Screens 250
12.1.2 What You Need to Know About Policy and Static Routing 250
12.2 Policy Route Screen 251
12.2.1 Policy Route Edit Screen 253
12.3 IP Static Route Screen 257
12.3.1 Static Route Add/Edit Screen 258
12.4 Policy Routing Technical Reference 259

Chapter 13

Routing Protocols......263

13.1 Routing Protocols Overview 263
13.1.1 What You Can Do in the RIP and OSPF Screens 263
13.1.2 What You Need to Know About Routing Protocols 263
13.2 The RIP Screen 264
13.3 The OSPF Screen 265
13.3.1 Configuring the OSPF Screen 269

13.3.2 OSPF Area Add/Edit Screen 271
13.4 Routing Protocol Technical Reference 273

Chapter 14

Zones 275

14.1 Zones Overview 275
14.1.1 What You Can Do in the Zones Screens 275
14.1.2 What You Need to Know About Zones 276
14.2 The Zone Screen 277
14.3 Zone Add/Edit 278

Chapter 15

DDNS....279

15.1 DDNS Overview 279
15.1.1 What You Can Do in the DDNS Screens 279
15.1.2 What You Need to Know About DDNS 279
15.2 The DDNS Screen 280
15.2.1 The Dynamic DNS Add/Edit Screen 282
15.3 The DDNS Status Screen 285

Chapter 16

Virtual Servers....287

16.1 Virtual Servers Overview 287
16.1.1 What You Can Do in the Virtual Server Screens 287
16.1.2 What You Need to Know About Virtual Servers 287
16.2 The Virtual Server Screen 288
16.2.1 The Virtual Server Add/Edit Screen 289
16.3 NAT 1:1 and NAT Loopback Examples ....292

Chapter 17

HTTP Redirect 301

17.1 Overview 301
17.1.1 What You Can Do in the HTTP Redirect Screens .... 301
17.1.2 What You Need to Know About HTTP Redirect 302
17.2 The HTTP Redirect Screen 303
17.2.1 The HTTP Redirect Edit Screen 304

Chapter 18

ALG 305

18.1 ALG Overview 305
18.1.1 What You Can Do in the ALG Screen 305
18.1.2 What You Need to Know About ALG 306
18.1.3 Before You Begin 308

18.2 The ALG Screen 308
18.3 ALG Technical Reference 310

Chapter 19

IP/MAC Binding 313

19.1 IP/MAC Binding Overview 313

19.1.1 What You Can Do in the IP/MAC Binding Screens 313
19.1.2 What You Need to Know About IP/MAC Binding 314

19.2 IP/MAC Binding Summary 314

19.2.1 IP/MAC Binding Edit 315
19.2.2 Static DHCP Edit 316

19.3 IP/MAC Binding Exempt List 317

19.4 IP/MAC Binding Monitor 317

Part III: Firewall 319

Chapter 20

Firewall....321

20.1 Overview ...... 321

20.1.1 What You Can Do in the Firewall Screens .... 321
20.1.2 What You Need to Know About the Firewall 322
20.1.3 Firewall Rule Example Applications 324
20.1.4 Firewall Rule Configuration Example 326

20.2 The Firewall Screen 328

20.2.1 Configuring the Firewall Screen 329
20.2.2 The Firewall Edit Screen 333

20.3 The Session Limit Screen 334

20.3.1 The Session Limit Edit Screen 336

Part IV: VPN 337

Chapter 21

IPSec VPN 339

21.1 IPSec VPN Overview 339

21.1.1 What You Can Do in the IPSec VPN Screens 340
21.1.2 What You Need to Know About IPSec VPN 340
21.1.3 Before You Begin 341

21.2 The VPN Connection Screen 341

21.2.1 The VPN Connection Add/Edit (IKE) Screen 343
21.2.2 The VPN Connection Add/Edit Manual Key Screen 350

21.3 The VPN Gateway Screen 354

21.3.1 The VPN Gateway Add/Edit Screen 355

21.4 The VPN Concentrator Screen 363

21.4.1 The VPN Concentrator Add/Edit Screen 364

21.5 The SA Monitor Screen 366

21.6 IPSec VPN Background Information 367

Chapter 22

SSL VPN 379

22.1 Overview 379

22.1.1 What You Can Do in the SSL VPN Screens 379

22.1.2 What You Need to Know About SSL VPN 379

22.2 The SSL Access Privilege Screen 381

22.2.1 The SSL Access Policy Add/Edit Screen 383

22.3 The SSL VPN Connection Monitor Screen 385

22.4 The SSL Global Setting Screen 386

22.4.1 How to Upload a Custom Logo 387

22.5 Establishing an SSL VPN Connection 388

Chapter 23

SSL User Screens 391

23.1 Overview 391

23.1.1 What You Need to Know About the SSL User Screens 391

23.2 Remote User Login 392

23.3 The SSL VPN User Screens 395

23.4 Bookmarking the ZyWALL 396

23.5 Logging Out of the SSL VPN User Screens 396

Chapter 24

SSL User Application Screens 399

24.1 SSL User Application Screens Overview 399

24.2 The Application Screen 399

Chapter 25

SSL User File Sharing 401

25.1 Overview 401

25.1.1 What You Need to Know About the SSL VPN File Sharing 401

25.2 The Main File Sharing Screen 402

25.3 Opening a File or Folder 402

25.3.1 Downloading a File 404

25.3.2 Saving a File 405

25.4 Creating a New Folder 405

25.5 Renaming a File or Folder ...... 406

25.6 Deleting a File or Folder 406

25.7 Uploading a File 407

Chapter 26

L2TP VPN 409

26.1 Overview 409

26.1.1 What You Can Do in the L2TP VPN Screens 409

26.1.2 What You Need to Know About L2TP VPN 409

26.2 L2TP VPN Screen 411

26.3 L2TP VPN Session Monitor Screen 412

Chapter 27

L2TP VPN Example 415

27.1 L2TP VPN Example 415

27.2 Configuring the Default L2TP VPN Gateway Example 416

27.3 Configuring the Default L2TP VPN Connection Example 417

27.4 Configuring the L2TP VPN Settings Example 418

27.5 Configuring the Policy Route for L2TP Example 419

27.6 Configuring L2TP VPN in Windows XP and 2000 420

27.6.1 Configuring L2TP in Windows XP 420

27.6.2 Configuring L2TP in Windows 2000 426

Part V: Application Patrol.... 443

Chapter 28

Application Patrol 445

28.1 Overview 445

28.1.1 What You Can Do in the Application Patrol Screens 445

28.1.2 What You Need to Know About Application Patrol 446

28.1.3 Application Patrol Bandwidth Management Examples 450

28.2 Application Patrol General Screen 454

28.3 Application Patrol Applications 455

28.3.1 The Application Patrol Edit Screen 456

28.3.2 The Application Patrol Policy Edit Screen 459

28.4 The Other Applications Screen 462

28.4.1 The Other Applications Add/Edit Screen 464

28.5 Application Patrol Statistics 466

28.5.1 Application Patrol Statistics: General Setup 467

28.5.2 Application Patrol Statistics: Bandwidth Statistics 468

28.5.3 Application Patrol Statistics: Protocol Statistics 469

Part VI: Anti-X 471

Chapter 29

Anti-Virus 473

29.1 Overview 473

29.1.1 What You Can Do in the Anti-Virus Screens 473
29.1.2 What You Need to Know About Anti-Virus 474
29.1.3 Before You Begin 476

29.2 Anti-Virus Summary Screen 476

29.2.1 Anti-Virus Policy Add or Edit Screen 479

29.3 Anti-Virus Black List 481
29.4 Anti-Virus Black List or White List Add/Edit 482
29.5 Anti-Virus White List 484
29.6 Signature Searching 485
29.7 Anti-Virus Technical Reference 487

Chapter 30

IDP 489

30.1 Overview 489

30.1.1 What You Can Do Using the IDP Screens 489
30.1.2 What You Need To Know About IDP 489
30.1.3 Before You Begin 490

30.2 The IDP General Screen 491

30.2.1 Configuring IDP Policies 493

30.3 Introducing IDP Profiles 494

30.3.1 Base Profiles 494

30.4 The Profile Summary Screen 495

30.5 Creating New Profiles 496

30.5.1 Procedure To Create a New Profile 496

30.6 Profiles: Packet Inspection 498

30.6.1 Policy Types .... 501
30.6.2 IDP Service Groups 502
30.6.3 Profile > Query View Screen 504
30.6.4 Query Example 505

30.7 Introducing IDP Custom Signatures 506

30.7.1 IP Packet Header 507

30.8 Configuring Custom Signatures 508

30.8.1 Creating or Editing a Custom Signature 510
30.8.2 Custom Signature Example 516
30.8.3 Applying Custom Signatures 519
30.8.4 Verifying Custom Signatures 519

30.9 IDP Technical Reference 520

Chapter 31

ADP 523

31.1 Overview 523

31.1.1 ADP and IDP Comparison 523
31.1.2 What You Can Do Using the ADP Screens 523
31.1.3 What You Need To Know About ADP 523
31.1.4 Before You Begin 524

31.2 The ADP General Screen 525

31.2.1 Configuring ADP Policies 526

31.3 The Profile Summary Screen 527

31.3.1 Base Profiles 528
31.3.2 Configuring The ADP Profile Summary Screen 528
31.3.3 Creating New ADP Profiles 529
31.3.4 Traffic Anomaly Profiles 529
31.3.5 Protocol Anomaly Profiles 532
31.3.6 Protocol Anomaly Configuration 532

31.4 Technical Reference 534

Chapter 32

Content Filtering 543

32.1 Overview 543

32.1.1 What You Can Do in the Content Filter Screens 543
32.1.2 What You Need to Know About Content Filtering 543
32.1.3 Before You Begin 545

32.2 Content Filter General Screen 546
32.3 Content Filter Policy Add or Edit Screen 549
32.4 Content Filter Profile Screen 550
32.5 Content Filter Categories Screen 550
32.6 Content Filter Customization Screen 561
32.7 Content Filter Cache Screen 563
32.8 Content Filter Technical Reference 566

Chapter 33

Content Filter Reports 567

33.1 Overview 567
33.2 Viewing Content Filter Reports 567

Chapter 34

Anti-Spam 575

34.1 Overview 575

34.1.1 What You Can Do in the Anti-Spam Screens 575
34.1.2 What You Need to Know About Anti-Spam 575

34.2 Before You Begin 578

34.3 The Anti-Spam General Screen 578

34.3.1 The Anti-Spam Policy Add or Edit Screen 579

34.4 The Anti-Spam Black List Screen 581

34.4.1 The Anti-Spam Black or White List Add/Edit Screen 583

34.4.2 Regular Expressions in Black or White List Entries 584

34.5 The Anti-Spam White List Screen 585

34.6 The DNSBL Screen 586

34.6.1 The DNSBL Add/Edit Screen 588

34.7 The Anti-Spam Status Screen 589

Part VII: Device HA.... 591

Chapter 35

Device HA 593

35.1 Overview 593

35.1.1 What You Can Do in the Device HA Screens 593

35.1.2 What You Need to Know About Device HA 593

35.1.3 Before You Begin 594

35.2 Device HA General 595

35.3 The Active-Passive Mode Screen 596

35.3.1 Configuring Active-Passive Mode Device HA 598

35.4 Configuring an Active-Passive Mode Monitored Interface 601

35.5 The Legacy Mode Screen 602

35.6 Configuring the Legacy Mode Screen 603

35.7 The Legacy Mode Add/Edit Screen 605

35.8 Device HA Technical Reference 608

Part VIII: Objects 611

Chapter 36

User/Group 613

36.1 Overview 613

36.1.1 What You Can Do Using The User/Group Screens 613

36.1.2 What You Need To Know About User/Groups 613

36.2 User Summary Screen 616

36.2.1 User Add/Edit Screen 616

36.3 User Group Summary Screen 619

36.3.1 Group Add/Edit Screen 620

36.4 Setting Screen 620

36.4.1 Force User Authentication Policy Add/Edit Screen 624

36.4.2 User Aware Login Example 625

36.5 User /Group Technical Reference 626

Chapter 37

Addresses....629

37.1 Overview 629

37.1.1 What You Can Do Using The Addresses Screens 629

37.1.2 What You Need To Know About Addresses /Groups 629

37.2 Address Summary Screen 629

37.2.1 Address Add/Edit Screen 631

37.3 Address Group Summary Screen 632

37.3.1 Address Group Add/Edit Screen 633

Chapter 38

Services 635

38.1 Overview 635

38.1.1 What You Can Do in the Services Screens 635

38.1.2 What You Need to Know About Protocols 635

38.2 The Service Summary Screen 636

38.2.1 The Service Add/Edit Screen 638

38.3 The Service Group Summary Screen 638

38.3.1 The Service Group Add/Edit Screen 640

Chapter 39

Schedules 641

39.1 Overview 641

39.1.1 What You Can Do in the Schedule Screens 641

39.1.2 What You Need to Know About Schedules 641

39.2 The Schedule Summary Screen 642

39.2.1 The One-Time Schedule Add/Edit Screen 643

39.2.2 The Recurring Schedule Add/Edit Screen 644

Chapter 40

AAA Server 647

40.1 Overview 647

40.1.1 Directory Service (AD/LDAP) Overview 647

40.1.2 RADIUS Server Overview 648

40.1.3 ASAS 648

40.1.4 What You Can Do Using The AAA Screens 648

40.1.5 What You Need To Know About AAA Servers 649

40.2 Active Directory or LDAP Default Server Screen 649

40.2.1 Configuring Active Directory or LDAP Default Server Settings 651

40.3 Active Directory or LDAP Group Summary Screen 652

40.3.1 Creating an Active Directory or LDAP Group 653

40.4 Configuring a Default RADIUS Server 654

40.5 Configuring a Group of RADIUS Servers 655

40.5.1 Adding a RADIUS Server Member 656

Chapter 41

Authentication Method 659

41.1 Overview 659

41.1.1 What You Can Do Using The Auth. Method Screens 659

41.1.2 Before You Begin 659

41.1.3 Example: Selecting a VPN Authentication Method 659

41.2 Viewing Authentication Method Objects 660

41.3 Creating an Authentication Method Object 661

Chapter 42

Certificates 663

42.1 Overview 663

42.1.1 What You Can Do in the Certificate Screens 663

42.1.2 What You Need to Know About Certificates 663

42.1.3 Verifying a Certificate 665

42.2 The My Certificates Screen 667

42.2.1 The My Certificates Add Screen 668

42.2.2 The My Certificates Edit Screen 673

42.2.3 The My Certificates Import Screen 676

42.3 The Trusted Certificates Screen 677

42.3.1 The Trusted Certificates Edit Screen 678

42.3.2 The Trusted Certificates Import Screen 682

42.4 Certificates Technical Reference 683

42.4.1 OCSP 683

Chapter 43

ISP Accounts......685

43.1 Overview 685

43.1.1 What You Can Do in the ISP Account Screens 685

43.2 ISP Account Summary 685

43.2.1 ISP Account Edit 686

Chapter 44

SSL Application 689

44.1 Overview 689

44.1.1 What You Can Do in the SSL Application Screens 689

44.1.2 What You Need to Know About SSL Application Objects 689

44.1.3 Example: Specifying a Web Site for Access 690

44.2 The SSL Application Screen 691

44.2.1 Creating/Editing a Web-based SSL Application Object 691

44.2.2 Creating/Editing a File Sharing SSL Application Object 693

Part IX: System.... 695

Chapter 45

System 697

45.1 Overview 697

45.1.1 What You Can Do In The System Screens 697

45.2 Host Name 698

45.3 Date and Time 698

45.3.1 Pre-defined NTP Time Servers List 701

45.3.2 Time Server Synchronization 702

45.4 Console Port Speed 703

45.5 DNS Overview 703

45.5.1 DNS Server Address Assignment 703

45.5.2 Configuring the DNS Screen 704

45.5.3 Address Record 706

45.5.4 PTR Record 707

45.5.5 Adding an Address/PTR Record 707

45.5.6 Domain Zone Forwarder 707

45.5.7 Adding a Domain Zone Forwarder 708

45.5.8 MX Record 709

45.5.9 Adding a MX Record 709

45.5.10 Adding a DNS Service Control Rule 709

45.6 WWW Overview 710

45.6.1 Service Access Limitations ....711

45.6.2 System Timeout ....711

45.6.3 HTTPS 711

45.6.4 Configuring WWW 712

45.6.5 Service Control Rules 716

45.6.6 Customizing the WWW Login Page 716

45.6.7 HTTPS Example 720

45.7 SSH 728

45.7.1 How SSH Works 729

45.7.2 SSH Implementation on the ZyWALL 730

45.7.3 Requirements for Using SSH 730

45.7.4 Configuring SSH 730

45.7.5 Secure Telnet Using SSH Examples 732

45.8 Telnet 734

45.8.1 Configuring Telnet 734

45.9 FTP 735

45.9.1 Configuring FTP 736

45.10 SNMP 737

45.10.1 Supported MIBs 739

45.10.2 SNMP Traps 739

45.10.3 Configuring SNMP 739

45.11 Dial-in Management 741

45.11.1 Configuring Dial-in Mgmt 742

45.12 Vantage CNM 743

45.12.1 Configuring Vantage CNM 743

45.13 Language Screen 744

Part X: Maintenance, Troubleshooting, & Specifications.... 747

Chapter 46

File Manager 749

46.1 Overview 749

46.1.1 What You Can Do in the File Manager Screens 749

46.1.2 What you Need to Know About the File Manager 749

46.2 The Configuration File Screen 752

46.3 The Firmware Package Screen 756

46.4 The Shell Script Screen 758

Chapter 47

Logs 761

47.1 Overview 761

47.2 What You Can Do In The Log Screens 761

47.3 View Log Screen 761

47.4 Log Setting Screens 764

47.4.1 Log Setting Summary 765

47.4.2 Edit System Log Settings 766

47.4.3 Edit Remote Server Log Settings 770

47.4.4 Active Log Summary Screen 771

Chapter 48

Reports 775

48.1 Overview 775

48.1.1 What You Can Do in the Report Screens 775

48.2 The Traffic Statistics Screen 775

48.3 The Session Monitor Screen 778

48.4 The Anti-Virus Report Screen 781
48.5 The IDP Report Screen 783
48.6 The Content Filter Report Screen 785
48.7 The Anti-Spam Report Screen 787
48.8 The Email Daily Report Screen 790

Chapter 49

Diagnostics....793

49.1 The Diagnostics Screen 793

Chapter 50

Reboot....795

50.1 Overview 795
50.1.1 What You Need To Know About Reboot 795
50.2 The Reboot Screen 795

Chapter 51

Troubleshooting....797

51.1 Resetting the ZyWALL 799
51.2 Changing a Power Module 800
51.3 Getting More Troubleshooting Help 802

Chapter 52

Product Specifications 803

Part XI: Appendices and Index 809

Appendix A Log Descriptions 811

Appendix B Common Services....871

Appendix C Displaying Anti-Virus Alert Messages in Windows....875

Appendix D Importing Certificates....881

Appendix E Open Software Announcements 887

Appendix F Legal Information 933

Index......937

PART I

Getting Started

Introducing the ZyWALL (31)

Features and Applications (39)

Web Configurator (47)

Configuration Basics (101)

Tutorials (119)

Status (149)

Registration (165)

Signature Update (171)

Introducing the ZyWALL

This chapter gives an overview of the ZyWALL. It explains the front panel ports, LEDs, introduces the management methods, and lists different ways to start or stop the ZyWALL.

1.1 Overview and Key Default Settings

The ZyWALL is a comprehensive security device designed for medium to large organizations. Its flexible configuration helps network administrators set up the network and enforce security policies efficiently. In addition, the ZyWALL provides excellent throughput, making it an ideal solution for reliable, secure service.

The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, Instant Messaging (IM) and Peer to Peer (P2P) control, NAT, port forwarding, policy routing, DHCP server and many other powerful features. Flexible configuration helps you set up the network and enforce security policies efficiently. See Chapter 2 on page 39 for a more detailed overview of the ZyWALL's features.

The front panel physical Gigabit Ethernet ports (labeled P1, P2, P3, and so on) are mapped to Gigabit Ethernet (ge) interfaces. By default P1 is mapped to ge1, P2 is mapped to ge2 and so on. By default ge1 is the LAN interface, ge2 and ge3 are combined as the WAN_TRUNC. The Ethernet management interface can only be accessed from the LAN side by default. The default LAN IP address is 192.168.1.1; the default administrator login user name and password are "admin" and "1234" respectively. P7 and P8 are GbE dual personality interfaces. A dual personality interface includes one Gigabit port and one slot for a mini-GBIC transceiver (SFP module) with one port active at a time.

1.2 Front Panel

Figure 1 ZyWALL USG 2000 Front Panel

1.2.1 Dual Personality Interfaces

The ZyWALL's dual personality interfaces are 1000Base-T/mini-GBIC combo ports. For each interface you can connect either to the 1000Base-T port or the mini-GBIC port. The mini-GBIC ports have priority over the 1000Base-T ports. This means that if a mini-GBIC port and the corresponding 1000Base-T port are connected at the same time, the 1000Base-T port will be disabled.

1.2.1.1 1000Base-T Ports

The 1000Base-T auto-negotiating, auto-crossover Ethernet ports support 100/1000 Mbps Gigabit Ethernet so the speed can be 100 Mbps or 1000 Mbps. The duplex mode can be both half or full duplex at 100 Mbps and full duplex only at 1000 Mbps.

An auto-negotiating port can detect and adjust to the optimum Ethernet speed (100/1000 Mbps) and duplex mode (full duplex or half duplex) of the connected device.

An auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable.

Default Ethernet Settings

The factory default negotiation settings for the Ethernet ports on the ZyWALL are:

• Speed: Auto
• Duplex: Auto
• Flow control: On (you cannot configure the flow control setting, but the ZyWALL can negotiate with the peer and turn it off if needed)

1.2.1.2 Mini-GBIC Slots

These are slots for Small Form-Factor Pluggable (SFP) transceivers. A transceiver is a single unit that houses a transmitter and a receiver. Use a transceiver to

connect a fiber-optic cable to the ZyWALL. The ZyWALL does not come with transceivers. You must use transceivers that comply with the Small Form-Factor Pluggable (SFP) Transceiver MultiSource Agreement (MSA). See the SFF committee's INF-8074i specification Rev 1.0 for details.

You can change transceivers while the ZyWALL is operating. You can use different transceivers to connect to devices with different types of fiber-optic connectors.

• Type: SFP connection interface
• Connection speed: 1 Gigabit per second (Gbps)

To avoid possible eye injury, do not look into an operating fiber-optic module's connectors or fiber-optic cable.

Transceiver and Fiber-optic Cable Installation

Use the following steps to install a mini GBIC transceiver (SFP module).

1 Insert the transceiver into the slot with the exposed section of PCB board facing down.

Figure 2 Transceiver Installation Example

2 Press the transceiver firmly until it clicks into place.

Figure 3 Installed Transceiver

3 Push the end of the fiber-optic cable firmly into the transceiver until it locks into place. When the other end of the fiber-optic cable is connected, check the LEDs to verify the link status.

Figure 4 Installing the Fiber-optic Cable

Fiber-optic Cable and Transceiver Removal

Use the following steps to remove a mini GBIC transceiver (SFP module).

1 Press down on the top of the fiber-optic cable where it connects to the transceiver to release it. Then pull the fiber-optic cable out.

Figure 5 Removing the Fiber-optic Cable Example

2 Open the transceiver's latch (latch styles vary).

Figure 6 Opening the Transceiver's Latch Example

3 Pull the transceiver out of the slot.

Figure 7 Transceiver Removal Example

1.2.2 Front Panel LEDs

The following table describes the LEDs.

Table 1 Front Panel LEDs

1.3 Management Overview

You can use the following ways to manage the ZyWALL.

Web Configurator

The web configurator allows easy ZyWALL setup and management using an Internet browser. This User's Guide provides information about the web configurator.

Figure 8 Managing the ZyWALL: Web Configurator

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the ZyWALL. You can access it using remote management (for example, SSH or Telnet) or via the console port. See the Command Reference Guide for more information about the CLI.

Console Port

You can use the console port to manage the ZyWALL using CLI commands. See the Command Reference Guide for more information about the CLI.

The default settings for the console port are as follows.

Table 2 Console Port Default Settings

1.4 Starting and Stopping the ZyWALL

Here are some of the ways to start and stop the ZyWALL.

Table 3 Starting and Stopping the ZyWALL

Note: It is recommended you use the shutdown command before turning off the ZyWALL.

When you apply configuration files or running shell scripts, the ZyWALL does not stop or start the system processes. However, you might lose access to network

resources temporarily while the ZyWALL is applying configuration files or running shell scripts.

Features and Applications

This chapter introduces the main features and applications of the ZyWALL.

2.1 Features

The ZyWALL's security features include VPN, firewall, anti-virus, content filtering, IDP (Intrusion Detection and Prevention), ADP (Anomaly Detection and Protection), and certificates. It also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features.

The rest of this section provides more information about the features of the ZyWALL.

High Availability

To ensure the ZyWALL provides reliable, secure Internet access, set up one or more of the following:

• Multiple WAN ports and configure load balancing between these ports.
• An auxiliary (backup) Internet connection.
• A backup ZyWALL in the event the master ZyWALL fails (device HA).

Virtual Private Networks (VPN)

Use IPSec, SSL, or L2TP VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke IPSec VPN.

Flexible Security Zones

Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ZyWALL. You can create or remove zones, and you can assign each network, VLAN, or interface to any zone.

Firewall

The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

Intrusion Detection and Prevention (IDP)

IDP (Intrusion Detection and Protection) can detect malicious or suspicious packets and respond instantaneously. It detects pattern-based attacks in order to protect against network-based intrusions. See Section 30.6.1 on page 501 for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.

Anomaly Detection and Prevention (ADP)

ADP (Anomaly Detection and Prevention) can detect malicious or suspicious packets and respond instantaneously. It can detect:

• Anomalies based on violations of protocol standards (RFCs – Requests for Comments)
• Abnormal flows such as port scans.

The ZyWALL's ADP protects against network-based intrusions. See Section 31.3.4 on page 529 and Section 31.3.5 on page 532 for more on the kinds of attacks that the ZyWALL can protect against. You can also create your own custom ADP rules.

Bandwidth Management

Bandwidth management allows you to allocate network resources according to defined policies. This policy-based bandwidth allocation helps your network to better handle applications such as Internet access, e-mail, Voice-over-IP (VoIP), video conferencing and other business-critical applications.

Content Filter

Content filtering allows schools and businesses to create and enforce Internet access policies tailored to the needs of the organization.

You can also subscribe to category-based content filtering that allows your ZyWALL to check web sites against an external database of dynamically-updated ratings of millions of web sites. You then simply select categories to block or monitor, such as pornography or racial intolerance, from a pre-defined list.

Anti-Virus Scanner

With the anti-virus packet scanner, your ZyWALL scans files transmitting through the enabled interfaces into the network. The ZyWALL helps stop threats at the network edge before they reach the local host computers.

Anti-Spam

The anti-spam feature can mark or discard spam. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.

Application Patrol

Application patrol (App. Patrol) manages instant messenger (IM), peer-to-peer (P2P) applications like MSN and BitTorrent. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing, and file transfers). Application patrol has powerful bandwidth management including traffic prioritization to enhance the performance of delay-sensitive applications like voice and video. You can also use an option that gives SIP priority over all other traffic. This maximizes SIP traffic throughput for improved VoIP call sound quality.

2.2 Packet Flow

This section lists the order in which the ZyWALL applies its features and checks. The following is the key used to describe the packet flow in the ZyWALL.

Table 4 Packet Flow Key

Table 4 Packet Flow Key

2.2.1 Interface to Interface (Through ZyWALL)

Ethernet -> VLAN -> Encap -> ALG -> DNAT-> Routing -> FW -> IDP -> AP-> CF -> AV -> AS -> SNAT -> BWM -> Encap -> VLAN -> Ethernet

2.2.2 Interface to Interface (To/From ZyWALL)

To: Ethernet -> VLAN -> Encap -> ALG -> DNAT -> Routing -> zFW -> ADP -> RM From: RM -> Routing -> BWM -> Encap -> VLAN -> Ethernet

2.2.3 Interface to Interface (From VPN Tunnel)

This example shows the flow from a VPN tunnel though the ZyWALL, not to the ZyWALL or to another VPN tunnel (VPN concentrator).

Ethernet -> VLAN -> Encap -> ALG -> DNAT-> Routing -> zFW -> IPSec D -> ALG -> AC -> DNAT-> Routing -> FW -> IDP -> AP -> CF -> AV -> AS -> SNAT -> BWM -> Encap -> VLAN -> Ethernet

2.2.4 Interface to Interface (To VPN Tunnel)

This example shows the flow to a VPN tunnel from a source other than the ZyWALL or another VPN tunnel (VPN concentrator).

Ethernet -> VLAN -> Encap -> ALG -> DNAT-> Routing -> FW -> IDP -> AP -> CF -> AV -> AS -> SNAT -> IPSec E -> Routing -> BWM -> Encap -> VLAN -> Ethernet

2.3 Applications

These are some example applications for your ZyWALL. See also Chapter 6 on page 119 for configuration tutorial examples.

2.3.1 VPN Connectivity

Set up VPN tunnels with other companies, branch offices, telecommuters, and business travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.

Figure 9 Applications: VPN Connectivity

graph TD
    A["House"] --> B["Internet"]
    C["Laptop"] --> B
    D["Desktop"] --> B
    E["Building"] --> B
    F["Server"] --> B
    B --> G["Server 1"]
    B --> H["Server 2"]
    B --> I["Server 3"]
    B --> J["Server 4"]

2.3.2 SSL VPN Network Access

You can configure the ZyWALL to provide SSL VPN network access to remote users. There are two SSL VPN network access modes: reverse proxy and full tunnel.

2.3.2.1 Reverse Proxy Mode

In reverse proxy mode, the ZyWALL is a proxy that acts on behalf of the local network servers (such as your web and mail servers). As the final destination, the ZyWALL appears to be the server to remote users. This provides an added layer of protection for your internal servers.

With reverse proxy mode, remote users can easily access any web-based applications on the local network by clicking on links or entering the provided URL. You do not have to install additional client software on the remote user computers for access.

Figure 10 Network Access Mode: Reverse Proxy

graph LR
    A["User"] -->|https://| B["Internet"]
    B --> C["Server"]
    C --> D["LAN (192.168.1.x)"]
    D --> E["Web Mail"]
    D --> F["File Share"]
    E --> G["Web-based Application"]
    F --> G

2.3.2.2 Full Tunnel Mode

In full tunnel mode, a virtual connection is created for remote users with private IP addresses in the same subnet as the local network. This allows them to access network resources in the same way as if they were part of the internal network.

Figure 11 Network Access Mode: Full Tunnel Mode

graph LR
    A["User"] -->|https://| B["Internet"]
    B --> C["Server"]
    C --> D["LAN (192.168.1.x)"]
    D --> E["Web-based Application"]
    E --> F["Application Server"]
    E --> G["Web Mail"]
    E --> H["Non-Web"]
    E --> I["File Share"]
    style A fill:#f9f,stroke:#333
    style D fill:#ccf,stroke:#333

2.3.3 User-Aware Access Control

Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.

Figure 12 Applications: User-Aware Access Control

graph TD
    A["INTERNET"] --> B["路由器"]
    B --> C["云"]
    B --> D["网"]
    C --> E["云"]
    C --> F["云"]
    C --> G["云"]
    D --> H["电脑"]
    D --> I["笔记本电脑"]
    D --> J["笔记本电脑"]
    D --> K["笔记本电脑"]

2.3.4 Multiple WAN Interfaces

Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them.

Figure 13 Applications: Multiple WAN Interfaces

2.3.5 Device HA

Set up an additional ZyWALL as a backup gateway to ensure the default gateway is always available for the network.

Figure 14 Applications: Device HA

graph TD
    A["INTERNET"] --> B["Server"]
    A --> C["Server"]
    B --> D["Router"]
    C --> D
    D --> E["master"]
    D --> F["backup"]
    E --> G["Server Rack"]
    F --> H["Server Rack"]

Web Configurator

The ZyWALL web configurator allows easy ZyWALL setup and management using an Internet browser.

3.1 Web Configurator Requirements

In order to use the web configurator, you must

• Use Internet Explorer 6.0 or later, Netscape Navigator 7.2 or later, or Firefox 1.0.7 or later
• Allow pop-up windows (blocked by default in Windows XP Service Pack 2)
• Enable JavaScripts (enabled by default)
• Enable Java permissions (enabled by default)
• Enable cookies

The recommended screen resolution is 1024 x 768 pixels.

3.2 Web Configurator Access

1 Make sure your ZyWALL hardware is properly connected. See the Quick Start Guide.

2 Open your web browser, and go to http://192.168.1.1. By default, the ZyWALL automatically routes this request to its HTTPS server, and it is recommended to keep this setting. The Login screen appears.

Figure 15 Login Screen

3 Type the user name (default: "admin") and password (default: "1234").

If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in.

4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen (Figure 16 on page 48) appears. Otherwise, the main screen (Figure 17 on page 49) appears.

Figure 16 Update Admin Info Screen

5 The screen above appears every time you log in using the default user name and default password. If you change the password for the default user account, this screen does not appear anymore.

Follow the directions in this screen. If you change the default password, the Login screen (Figure 15 on page 48) appears after you click Apply. If you click Ignore, the main screen appears.

Figure 17 Main Screen

3.3 Web Configurator Main Screen

As illustrated in Figure 17 on page 49, the main screen is divided into these parts:

• A - title bar

• B - navigation panel

• C - main window

• D - status bar

3.3.1 Title Bar

The title bar provides some icons in the upper right corner.

The icons provide the following functions.

Table 5 Title Bar: Web Configurator Icons

ICON	DESCRIPTION
[0&7W]	Help: Click this icon to open the help page for the current screen.
	Wizards: Click this icon to open one of the web configurator wizards.See Chapter 4 on page 59 for more information.
	Console: Click this icon to open the console in which you can use the command line interface (CLI).
	Site Map: Click this icon to display the site map for the web configurator.You can use the site map to go directly to any menu item or any tab in the web configurator.
[0W8K]	About: Click this icon to display basic information about the ZyWALL.
	Logout: Click this icon to log out of the web configurator.

3.3.2 Navigation Panel

Use the menu items on the navigation panel to open screens to configure ZyWALL features. The following tables describe each menu item.

Table 6 Navigation Panel Summary

3.3.3 Main Window

The main window shows the screen you select in the menu. It is discussed in the rest of this document.

Right after you log in, the Status screen is displayed. See Chapter 7 on page 149 for more information about the Status screen.

3.3.4 Message Bar

The message bar displays configuration status information. Check the message bar after you click Apply or OK to verify that the configuration has been updated.

Figure 18 Message Bar

3.3.4.1 Warning Messages

Click the up arrow to view the ZyWALL's current warning messages. These warning messages display in a popup window, such as the following.

Figure 19 Warning Messages

Click Refresh Now to update the screen. Close the popup window when you are done with it.

Click Clear Warning Messages to remove the current warning messages from the window.

3.3.4.2 CLI Messages

Click CLI to look at the CLI commands sent by the web configurator. These commands appear in a popup window, such as the following.

Figure 20 CLI Messages

Click Change Display Style to show or hide the index numbers for the commands (the commands are more convenient to copy and paste without the index numbers).

Click Refresh Now to update the screen. For example, if you just enabled a particular feature, you can look at the commands the web configurator generated to enable it. Close the popup window when you are done with it.

See the Command Reference Guide for information about the commands.

Wizard Setup

This chapter provides information on configuring the Wizard setup screens in the web configurator. See the feature-specific chapters in this User's Guide for background information.

4.1 Wizard Setup Overview

Note: Use the wizards only for initial configuration starting from the default configuration.

The web configurator's setup wizards help you configure Internet and VPN connection settings.

Note: Changes you make in an installation or VPN wizard may not be applied if you have already changed the ZyWALL's configuration.

In the ZyWALL web configurator, click the Wizard icon 📁 to open the Wizard Setup Welcome screen. The following summarizes the wizards you can select:

- INSTALLATION SETUP, ONE ISP

Click this link to open a wizard to set up a single Internet connection for Gigabit Ethernet port 2. This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. See Section 4.2 on page 60.

- INSTALLATION SETUP, TWO ISP

Click this link to open a wizard to set up Internet connections for Gigabit Ethernet (ge) interfaces 2 and 3. See Section 4.5 on page 80. You can connect one interface to one ISP (or network) and connect the other to a second ISP (or network). You can use the second WAN connection for load balancing to increase overall network throughput or as a backup to enhance network reliability (see Load Balancing Algorithms on page 241 for more on load balancing).

This wizard creates matching ISP account settings in the ZyWALL if you use PPPoE or PPTP. This wizard also creates a WAN trunk.

- VPN SETUP

Use VPN SETUP to configure a VPN connection. See Section 4.6 on page 84.

Figure 21 Wizard Setup Welcome

4.2 Installation Setup, One ISP

The wizard screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

Figure 22 Internet Access: Step 1

The following table describes the labels in this screen.

Table 7 Internet Access: Step 1

4.3 Step 1 Internet Access

Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.

WAN Interface: This is the interface you are configuring for Internet access.

Zone: Select the security zone to which you want this interface and Internet connection to belong.

IP Address Assignment: Select Auto If your ISP did not assign you a fixed IP address.

Select Static If the ISP assigned a fixed IP address.

4.3.1 Ethernet: Auto IP Address Assignment

If you select Auto as the IP Address Assignment in the previous screen, the following screen displays. Click Next to apply the configuration settings.

Figure 23 Ethernet Encapsulation: Auto: Finish

You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 77). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.

Alternatively, click Close to exit the wizard.

4.3.2 Ethernet: Static IP Address Assignment

If you select Static as the IP Address Assignment, the following screen displays.

Figure 24 Ethernet Encapsulation: Static

The following table describes the labels in this screen.

The ZyWALL applies the configuration settings.
Table 8 Ethernet Encapsulation: Static

4.3.3 Step 2 Internet Access Ethernet

You do not configure this screen if you selected Auto as the IP Address Assignment in the previous screen.

Note: Enter the Internet access information exactly as given to you by your ISP.

WAN Interface: This is the number of the interface that will connect with your ISP.

Zone: This is the security zone to which this interface and Internet connection will belong.

IP Address: Enter your (static) public IP address.

IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.

Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).

DNS Server: The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The ZyWALL uses

these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.

Figure 25 Ethernet Encapsulation: Static: Finish

You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 77). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.

Alternatively, click Close to exit the wizard.

4.3.4 PPPoE: Auto IP Address Assignment

If you select Auto as the IP Address Assignment in the previous screen, the following screen displays after you click Next.

Figure 26 PPPoE Encapsulation: Auto

The following table describes the labels in this screen.

Table 9 PPPoE Encapsulation: Auto

The ZyWALL applies the configuration settings.

Figure 27 PPPoE Encapsulation: Auto: Finish

You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 77). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.

Alternatively, click Close to exit the wizard.

4.3.5 PPPoE: Static IP Address Assignment

If you select Static as the IP Address Assignment, the following screen displays.

Figure 28 PPPoE Encapsulation: Static

The following table describes the labels in this screen.

Table 10 PPPoE Encapsulation: Static

4.3.6 Step 2 Internet Access PPPoE

Note: Enter the Internet access information exactly as given to you by your ISP.

4.3.6.1 ISP Parameters

Type the PPPoE Service Name from your service provider.

Type the User Name given to you by your ISP.

Type the Password associated with the user name.

Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.

4.3.6.2 WAN IP Address Assignments

You do not configure this section if you selected Auto as the IP Address Assignment in the previous screen.

WAN Interface: This is the number of the interface that will connect with your ISP.

Zone: This is the security zone to which this interface and Internet connection will belong.

IP Address: Enter your (static) public IP address.

DNS Server: The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.

Figure 29 PPPoE Encapsulation: Static: Finish

You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 77). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.

Alternatively, click Close to exit the wizard.

4.3.7 PPTP: Auto IP Address Assignment

If you select Auto as the IP Address Assignment in the previous screen, the following screen displays.

Figure 30 PPTP Encapsulation: Auto

The following table describes the labels in this screen.

Table 11 PPTP Encapsulation: Auto

The ZyWALL applies the configuration settings.

Figure 31 PPTP Encapsulation: Auto: Finish

You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 77). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.

Alternatively, click Close to exit the wizard.

4.3.8 PPTP: Static IP Address Assignment

If you select Static as the IP Address Assignment, the following screen displays.

Figure 32 PPTP Encapsulation: Static

The following table describes the labels in this screen.

Table 12 PPTP Encapsulation: Static

4.3.9 Step 2 Internet Access PPTP

Note: Enter the Internet access information exactly as given to you by your ISP.

4.3.9.1 ISP Parameters

Type the User Name given to you by your ISP.

Type the Password associated with the user name.

Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.

4.3.9.2 PPTP Configuration

Base Interface: This is the identity of the Ethernet interface you configure to connect with a modem or router.

Type a Base IP Address (static) assigned to you by your ISP.

Type the IP Subnet Mask assigned to you by your ISP (if given).

Server IP: Type the IP address of the PPTP server.

Type a Connection ID or connection name. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router.

4.3.9.3 WAN IP Address Assignments

You do not configure this section if you selected Auto as the IP Address Assignment in the previous screen.

WAN Interface: This is the connection type on the interface you are configuring to connect with your ISP.

Zone: This is the security zone to which this interface and Internet connection will belong.

IP Address: Enter your (static) public IP address.

DNS Server: The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The ZyWALL uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.

The ZyWALL applies the configuration settings.

Figure 33 PPTP Encapsulation: Static: Finish

4.3.10 Step 4 Internet Access - Finish

You have set up your ZyWALL to access the Internet.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 77). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.

Alternatively, click Close to exit the wizard.

4.4 Device Registration

Use this screen to register your ZyWALL with myZXEL.com and activate trial periods of subscription security features if you have not already done so.

Note: You must be connected to the Internet to register.

This screen displays a read-only user name and password if the ZyWALL is already registered. It also shows which trial services are activated (if any). You can still

select the unchecked trial service(s) to activate it after registration. Use the Registration > Service screen to update your service subscription status.

Figure 34 Registration

The following table describes the labels in this screen.

Table 13 Registration

Figure 35 Registration: Registered Device

4.5 Installation Setup, Two Internet Service Providers

This wizard allows you to configure two interfaces for Internet access through either two different Internet Service Providers (ISPs) or two different accounts with the same ISP.

The configuration of the following screens is explained in Section 4.2 on page 60 section. Configure the First WAN Interface and click Next.

Figure 36 Internet Access: Step 1: First WAN Interface

After you configure the First WAN Interface, you can configure the Second WAN Interface. Click Next to continue.

Figure 37 Internet Access: Step 3: Second WAN Interface

After you configure the Second WAN Interface, a summary of configuration settings display for both WAN interfaces.

Figure 38 Internet Access: Finish

Note: You can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

Use the myZyXEL.com link if you do already have a myZyXEL.com account. If you already have a myZyXEL.com account, you can click Next and use the following screen to register your ZyWALL and activate service trials (see Section 4.4 on page 77).

Alternatively, click Close to exit the wizard.

4.5.1 Internet Access Wizard Setup Complete

Well done! You have successfully set up your ZyWALL to access the Internet.

4.6 VPN Setup

The VPN wizard creates corresponding VPN connection and VPN gateway settings, a policy route and address objects that you can use later in configuring more VPN connections or other features.

Click VPN SETUP in the Wizard Setup Welcome screen (Figure 21 on page 60) to open the following screen. Use it to select which type of VPN settings you want to configure.

Figure 39 VPN Wizard: Wizard Type

The following table describes the labels in this screen.

Table 14 VPN Wizard: Step 1: Wizard Type

4.7 VPN Wizards

A VPN (Virtual Private Network) tunnel is a secure connection to another computer or network.

Use the Express wizard to create a VPN connection with another ZLD-based ZyWALL using a pre-shared key and default security settings.

Use the Advanced wizard to configure detailed VPN security settings such as using certificates. The VPN connection can be to another ZLD-based ZyWALL or other IPSec devices.

4.7.1 VPN Express Wizard

Click the Express radio button as shown in Figure 39 on page 84 to display the following screen.

Figure 40 VPN Express Wizard: Step 2

The following table describes the labels in this screen.

Table 15 VPN Express Wizard: Step 2

4.8 VPN Express Wizard - Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Select the scenario that best describes your intended VPN connection.

• Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
• Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
• Remote Access (Server Role) - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.

- Remote Access (Client Role) - Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.

Figure 41 VPN Express Wizard: Step 3

The following table describes the labels in this screen.

Table 16 VPN Express Wizard: Step 3

4.8.1 VPN Express Wizard - Policy Setting

The Policy Setting specifies which devices can use the VPN tunnel. Local and remote IP addresses must be static.

Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the peer IPSec device.

Remote Policy (IP/Mask): Type the IP address of a computer behind the peer IPSec device. You can also specify a subnet. This must match the local IP address configured on the peer IPSec device.

Figure 42 VPN Express Wizard: Step 4

The following table describes the labels in this screen.

Table 17 VPN Express Wizard: Step 4

4.8.2 VPN Express Wizard - Summary

This summary of VPN tunnel settings is read-only.

Name: Identifies the VPN gateway policy.

Secure Gateway: IP address or domain name of the peer IPSec device.

Pre-Shared Key: VPN tunnel password.

Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.

Remote Policy: IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel.

You can copy and paste the Configuration for Remote Gateway commands into another ZLD-based ZyWALL's command line interface.

Figure 43 VPN Express Wizard: Step 6

Note: If you have not already done so, use the myZyXEL.com link and register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

Alternatively, click Close to exit the wizard.

4.8.3 VPN Express Wizard - Finish

Now you can use the VPN tunnel.

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 77). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.

Alternatively, click Close to exit the wizard.

4.8.4 VPN Advanced Wizard

Click the Advanced radio button as shown in Figure 39 on page 84 to display the following screen.

Figure 44 VPN Advanced Wizard: Step 2

The following table describes the labels in this screen.

Table 18 VPN Advanced Wizard: Step 2

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).

Figure 45 VPN Advanced Wizard: Step 3

The following table describes the labels in this screen.

Table 19 VPN Advanced Wizard: Step 3

4.8.5 VPN Advanced Wizard - Advanced Settings

Phases: IKE (Internet Key Exchange) negotiation has two phases. A phase 1 exchange establishes an IKE SA (Security Association) and phase 2 (Key Exchange) uses the SA to negotiate SAs for IPSec.

Note: Multiple SAs connecting through a secure gateway must have the same negotiation mode.

Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.

Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.

Authentication Algorithm: MD5 gives minimal security. SHA-1 gives higher security.

SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. A short SA Life Time increases security, but renegotiation temporarily disconnects the VPN tunnel.

NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).

Use Dead Peer Detection (DPD) to have the ZyWALL make sure the remote IPSec router is there before transmitting data through the IKE SA. If the remote IPSec server does not respond, the ZyWALL shuts down the IKE SA.

Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 46 VPN Advanced Wizard: Step 4

The following table describes the labels in this screen.

Table 20 VPN Advanced Wizard: Step 4

4.8.6 VPN Advanced Wizard - Phase 2

Active Protocol: ESP is compatible with NAT, AH is not.

Encapsulation: Tunnel is compatible with NAT, Transport is not.

Proposal: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.

Local Policy (IP/Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the peer IPSec device.

Incoming Interface: The peer IPSec device connects to the ZyWALL via this interface.

Remote Policy (IP/Mask): Type the IP address of a computer behind the peer IPSec device. You can also specify a subnet. This must match the local IP address configured on the peer IPSec device.

Nail Up: Select this to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires.

This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.

Figure 47 VPN Advanced Wizard: Step 5

The following table describes the labels in this screen.

Table 21 VPN Advanced Wizard: Step 5

4.8.7 VPN Advanced Wizard - Summary

This summary of VPN tunnel settings is read-only.

Name: Identifies the VPN connection (and the VPN gateway).

Secure Gateway: IP address or domain name of the peer IPSec device.

Pre-Shared Key: VPN tunnel password.

Local Policy: IP address and subnet mask of the computers on the network behind your ZyWALL that can use the tunnel.

Remote Policy: IP address and subnet mask of the computers on the network behind the peer IPSec device that can use the tunnel.

Copy and paste the Remote Gateway CLI commands into another ZLD-based ZyWALL's command line interface.

Click Save to save the VPN rule.

4.8.8 VPN Advanced Wizard - Finish

Now you can use the VPN tunnel.

Figure 48 VPN Wizard: Step 6: Advanced

Note: If you have not already done so, you can register your ZyWALL with myZyXEL.com and activate trials of services like IDP.

You can click Next and use the following screen to perform a basic registration (see Section 4.4 on page 77). If you want to do a more detailed registration or manage your account details, click myZyXEL.com.

Alternatively, click Close to exit the wizard.

Configuration Basics

This section provides information to help you configure the ZyWALL effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ZyWALL.

• Section 5.1 on page 101 introduces the ZyWALL's object-based configuration.
  • Section 5.2 on page 102 introduces zones, interfaces, and port groups.
• Section 5.3 on page 104 introduces some differences in terminology and organization between the ZyWALL and other routers, particularly ZyNOS routers.
• Section 5.4 on page 105 identifies the features you should configure before and after you configure the main screens for each feature. For example, if you want to configure a trunk for load-balancing, you should configure the member interfaces before you configure the trunk. After you configure the trunk, you should configure a policy route for it as well. (You might also have to configure criteria for the policy route.)
• Section 5.5 on page 115 identifies the objects that store information used by other features.
• Section 5.6 on page 116 introduces some of the tools available for system management.

5.1 Object-based Configuration

The ZyWALL stores information or settings as objects. You use these objects to configure many of the ZyWALL's features and settings. Once you configure an object, you can reuse it in configuring other features.

When you change an object's settings, the ZyWALL automatically updates all the settings or rules that use the object. For example, if you create a schedule object, you can have firewall, application patrol, content filter, and other settings use it. If you modify the schedule, all the firewall, application patrol, content filter, and other settings that use the schedule automatically apply the updated schedule.

You can create address objects based on an interface's IP address, subnet, or gateway. The ZyWALL automatically updates every rule or setting that uses these objects whenever the interface's IP address settings change. For example, if you

change ge1's IP address, the ZyWALL automatically updates the rules or settings that use the ge1 interface-based, LAN subnet address object.

You can use the Objects screens to create objects before you configure features that use them. If you are in a screen that uses objects, you can also usually select Create Object to open a screen where you can configure a new object.

For a list of common objects, see Section 5.5 on page 115.

5.2 Zones, Interfaces, and Physical Ports

Zones (groups of interfaces and VPN tunnels) simplify security settings. Here is an overview of zones, interfaces, and physical ports in the ZyWALL.

Figure 49 Zones, Interfaces, and Physical Ethernet Ports

graph TD
    A["LAN<br>ge1"] --> B["P1"]
    C["WAN<br>ge2 ge3"] --> D["P2"]
    E["DMZ<br>ge4 ge5 ge6"] --> F["P3"]
    G["ge7"] --> H["P4"]
    I["ge8"] --> J["P5"]
    K["Physical Ports"] --> L["P6"]
    M["10/100/1000"] --> N["P1"]
    O["10/100/1000"] --> P["P2"]
    Q["10/100/1000"] --> R["P3"]
    S["10/100/1000"] --> T["P4"]
    U["10/100/1000"] --> V["P5"]
    W["10/100/1000"] --> X["P6"]
    Y["10/100/1000"] --> Z["P7"]
    AA["SFP"] --> AB["LNK"]
    AA --> AC["ACT"]
    AD["L9"] --> AE["P8"]
    AF["SFP"] --> AG["LNK"]
    AF --> AH["ACT"]

Table 22 Zones, Interfaces, and Physical Ethernet Ports

5.2.1 Interface Types

There are many types of interfaces in the ZyWALL. In addition to being used in various features, interfaces also describe the network that is directly connected to the ZyWALL.

• Ethernet interfaces are the foundation for defining other interfaces and network policies. You also configure RIP and OSPF in these interfaces.
• Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.
• PPPoE/PPTP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.
• VLAN interfaces recognize tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
• Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Then, you can configure the IP address and subnet mask of the bridge. It is also possible to configure zone-level security between the member interfaces in the bridge.
• Virtual interfaces increase the amount of routing information in the ZyWALL. There are three types: virtual Ethernet interfaces (also known as IP alias), virtual VLAN interfaces, and virtual bridge interfaces.
• The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port.

5.2.2 Default Interface and Zone Configuration

This section explains the ZyWALL's factory default zone and interface configuration. The following figure uses letters to denote public IP addresses or part of a private IP address.

Figure 50 Default Network Topology

graph TD
    A["Zyxel"] -->|GE1: 192.168.1.1| B["LAN"]
    B --> C["192.168.1.x"]
    C --> D["INTERNET WAN"]
    D --> E["GE3: e.f.g.h"]
    E --> F["SECURITY EXTENSION MODULE"]
    F --> G["HDB SLOT"]
    G --> H["CARD SLOT"]
    H --> I["USB"]
    F --> J["GE4: 192.168.2.1"]
    F --> K["GE5: 192.168.3.1"]
    F --> L["GE6: 192.168.4.1"]
    M["DMZ"] --> N["192.168.2.x"]
    M --> O["192.168.3.x"]
    M --> P["192.168.4.x"]

Table 23 Default Port, Interface, and Zone Configuration

- The LAN zone contains the ge1 interface. The LAN zone is a protected zone. The ge1 interface uses 192.168.1.1.

- The WAN zone contains the ge2 and ge3 interfaces (physical ports P2 and P3). They use public IP addresses to connect to the Internet.

- The DMZ zone contains the ge4, ge5, and ge6 interfaces (physical ports P4, P5, and P6). The DMZ zone has servers that are available to the public. These interface uses private IP addresses 192.168.2.1, 192.168.3.1, and 192.168.4.1.

- Interfaces ge7 and ge8 interfaces (physical ports P7 and P8) are not part of a zone by default. Add them to zones to apply security policies.

5.3 Terminology in the ZyWALL

This section highlights some differences in terminology or organization between the ZyWALL and other routers, particularly ZyNOS routers.

Table 24 ZyWALL Terminology That is Different Than ZyNOS

Table 25 ZyWALL Terminology That Might Be Different Than Other Products

Table 26 NAT: Differences Between the ZyWALL and ZyNOS

Table 27 Bandwidth Management: Differences Between the ZyWALL and ZyNOS

5.4 Feature Configuration Overview

This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the web configurator. Each feature is organized as shown below.

5.4.1 Feature

This provides a brief description. See the appropriate chapter(s) in this User's Guide for more information about any feature.

Example: This provides a simple example to show you how to configure this feature. The example is usually based on the network topology in Figure 50 on page 103.

Note: PREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one. For example, no other features reference DDNS entries, so there is no WHERE USED entry.

5.4.2 Interface

See Section 5.2 on page 102 for background information.

Note: When you create an interface, there is no security applied on it until you assign it to a zone.

Most of the features that use interfaces support Ethernet, PPPoE/PPTP, VLAN, and bridge interfaces.

Example: Interface ge1 is in the LAN zone and uses a private IP address. To configure ge1's settings, click Network > Interface > Ethernet and then ge1's Edit icon.

5.4.3 Trunks

Use trunks to set up load balancing using two or more interfaces.

Example: See Chapter 6 on page 119.

5.4.4 IPSec VPN

Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ZyWALL also offers hub-and-spoke VPN.

Example: See Chapter 6 on page 119.

5.4.5 SSL VPN

Use SSL VPN to provide secure network access to remote users.

Example: See Chapter 6 on page 119.

5.4.6 L2TP VPN

Use L2TP VPN to let remote users use the L2TP and IPSec client software included with their computers' operating systems to securely connect to the network behind the ZyWALL.

Example: See Chapter 27 on page 415.

5.4.7 Zones

See Section 5.2 on page 102 for background information. A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security settings, such as firewall rules and remote management.

Zones cannot overlap. Each interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

When you create a zone, the ZyWALL does not create any firewall rules, assign an IDP profile, or configure remote management for the new zone.

Example: For example, to create the DMZ-2 zone and add ge7, click Network >Zone and then the Add icon.

5.4.8 Device HA

To increase network reliability, device HA lets a backup ZyWALL automatically take over if a master ZyWALL fails.

Example: See Chapter 6 on page 119.

5.4.9 DDNS

Dynamic DNS maps a domain name to a dynamic IP address. The ZyWALL helps maintain this mapping.

5.4.10 Policy Routes

Use policy routes to control the routing of packets through the ZyWALL's interfaces, trunks, and send traffic through VPN connections. You also use policy routes for bandwidth management (out of the ZyWALL), port triggering, and

general NAT on the source address. You have to set up the criteria, next-hops, and NAT settings in other screens first.

Example: You have an FTP server connected to ge4 (in the DMZ zone). You want to limit the amount of FTP traffic that goes out from the FTP server through your WAN connection.

1 Create an address object for the FTP server (Object > Address).
2 Click Network > Routing > Policy Route to go to the policy route configuration screen. Add a policy route.
3 Name the policy route.
4 Select the interface that the traffic comes in through (ge4 in this example).
5 Select the FTP server's address as the source address.
6 You don't need to specify the destination address or the schedule.
7 For the service, select FTP.
8 For the Next Hop fields, select Interface as the Type if you have a single WAN connection or Trunk if you have multiple WAN connections.
9 Select the interface that you are using for your WAN connection (ge2 and ge3 are the default WAN interfaces). If you have multiple WAN connections, select the trunk.
10 Specify the amount of bandwidth FTP traffic can use. You may also want to set a low priority for FTP traffic.

Note: The ZyWALL checks the policy routes in the order that they are listed. So make sure that your custom policy route comes before any other routes that would also match the FTP traffic.

5.4.11 Static Routes

Use static routes to tell the ZyWALL about networks not directly connected to the ZyWALL.

5.4.12 Firewall

The firewall controls the travel of traffic between or within zones. You can also configure the firewall to control traffic for virtual server (port forwarding) and policy routes (NAT). You can configure firewall rules based on schedules, specific users (or user groups), source or destination addresses (or address groups) and services (or service groups). Each of these objects must be configured in a different screen.

To-ZyWALL firewall rules control access to the ZyWALL. Configure to-ZyWALL firewall rules for remote management. By default, the firewall allows any computer from the LAN zone to access or manage the ZyWALL. The ZyWALL drops packets from the WAN or DMZ zone to the ZyWALL itself, except for Device HA and VPN traffic.

Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls. You could configure a firewall rule to allow VoIP sessions from the SIP proxy server on DMZ to the LAN so VoIP users on the LAN can receive calls.

1 Create a VoIP service object for UDP port 5060 traffic (Object > Service).
2 Create an address object for the VoIP server (Object > Address).
3 Click Firewall to go to the firewall configuration.
4 Select from the DMZ zone to the LAN zone, and add a firewall rule using the items you have configured.

• You don't need to specify the schedule or the user.
• In the Source field, select the address object of the VoIP server.
• You don't need to specify the destination address.
• Leave the Access field set to Allow and the Log field set to No.

Note: The ZyWALL checks the firewall rules in order. Make sure each rule is in the correct place in the sequence.

5.4.13 Application Patrol

Use application patrol to control which individuals can use which services through the ZyWALL (and when they can do so). You can also specify allowed amounts of bandwidth and priorities. You must subscribe to use application patrol. You can subscribe using the Licensing > Registration screens or one of the wizards.

Example: Suppose you want to allow vice president Bob to use BitTorrent and block everyone else from using it.

1 Create a user account for Bob (User/Group).
2 Click AppPatrol > Peer to Peer to go to the application patrol configuration screen. Click the BitTorrent application patrol entry's Edit icon.

• Set the default policy's access to Drop.
• Add another policy.
• Select the user account that you created for Bob.
• You can leave the source, destination and log settings at the default.

Note: With this example, Bob would have to log in using his account. If you do not want him to have to log in, you might create an exception policy with Bob's computer IP address as the source.

5.4.14 Anti-Virus

Use anti-virus to detect and take action on viruses. You must subscribe to use anti-virus. You can subscribe using the Licensing > Registration screens or one of the wizards.

5.4.15 IDP

Use IDP to detect and take action on malicious or suspicious packets. You must subscribe to use IDP. You can subscribe using the Licensing > Registration screens or one of the wizards.

5.4.16 ADP

Use ADP to detect and take action on traffic and protocol anomalies.

Use content filtering to block or allow access to specific categories of web site content, individual web sites and web features (such as cookies). You can define which user accounts (or groups) can access what content and at what times. You must have a subscription in order to use the category-based content filtering. You can subscribe using the menu item or one of the wizards.

Example: You can configure a policy that blocks Bill's access to arts and entertainment web pages during the workday. You must have already subscribed to the content filter service.

1 Create a user account for Bill if you have not done so already (User/Group).
2 Create a schedule for the work day (Object > Schedule).
3 Click Anti-X > Content Filter > Filter Profile. Click the Add icon to go to the screen where you can configure a category-based profile.
4 Name the profile and enable it.
5 Enable the external web filter service.

6 Decide what to do for matched web sites (Block in this example), unrated web sites and what to do when the category-based content filtering service is not available.
7 Select the Arts/Entertainment category (you need to click Advanced to display it).
8 Click OK.
9 Click General to go to the content filter general configuration screen.
10 Enable the content filter.
11 Add a policy that uses the schedule, the filtering profile and the user that you created.

5.4.18 Anti-Spam

Use anti-spam to detect and take action on spam mail.

5.4.19 Virtual Server (Port Forwarding)

Use this to change the address and/or port number of packets coming in from a specified interface. This is also known as port forwarding.

The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by virtual server. It does check regular (through-ZyWALL) firewall rules.

Example: Suppose you have an FTP server with a private IP address connected to a DMZ port. You could configure a virtual server rule to forwards FTP sessions from the WAN to the DMZ.

1 Click Network > Virtual Server to configure the virtual server. Add an entry.
2 Name the entry.
3 Select the WAN interface that the FTP traffic is to come in through (in this example, ge2 or ge3.)

4 Specify the public WAN IP address where the ZyWALL will receive the FTP packets.
5 In the Mapped IP field, list the IP address of the FTP server. The ZyWALL will forward the packets received for the original IP address.
6 In Mapping Type, select Port.
7 Enter 21 in both the Original and the Mapped Port fields.

5.4.20 HTTP Redirect

Configure this feature to have the ZyWALL transparently forward HTTP (web) traffic to a proxy server. This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next time one of your users needs to access that page.

The ZyWALL does not check to-ZyWALL firewall rules for packets that are redirected by HTTP redirect. It does check regular (through-ZyWALL) firewall rules.

Example: Suppose you want HTTP requests from your LAN to go to a HTTP proxy server at IP address 192.168.3.80.

1 Click Network > HTTP Redirect.
2 Add an entry.
3 Name the entry.
4 Select the interface from which you want to redirect incoming HTTP requests (ge1).
5 Specify the IP address of the HTTP proxy server.
6 Specify the port number to use for the HTTP traffic that you forward to the proxy server.

5.4.21 ALG

The ZyWALL's Application Layer Gateway (ALG) allows VoIP and FTP applications to go through NAT on the ZyWALL. You can also specify additional signaling port numbers.

5.5 Objects

Objects store information and are referenced by other features. If you update this information in response to changes, the ZyWALL automatically propagates the change through the features that use the object.

The following table introduces the objects. You can also use this table when you want to delete an object because you have to delete references to the object first.

Table 28 Objects Overview

5.5.1 User/Group

Use these screens to configure the ZyWALL's administrator and user accounts. The ZyWALL provides the following user types.

Table 29 User Types

If you want to force users to log in to the ZyWALL before the ZyWALL routes traffic for them, you might have to configure prerequisites first.

5.6 System Management and Maintenance

This section introduces some of the management and maintenance features in the ZyWALL. Use Host Name to configure the system and domain name for the ZyWALL. Use Date/Time to configure the current date, time, and time zone in the ZyWALL. Use Console Speed to set the console speed. Use Language to select a language for the web configurator screens.

5.6.1 DNS, WWW, SSH, TELNET, FTP, SNMP, Dial-in Mgmt, Vantage CNM

Use these screens to set which services or protocols can be used to access the ZyWALL through which zone and from which addresses (address objects) the access can come. Use Dial-in Mgmt for a remote management connection through an external serial modem connected to the AUX port.

Example: Suppose you want to allow an administrator to use HTTPS to manage the ZyWALL from the WAN.

1 Create an administrator account (User/Group).
2 Create an address object for the administrator's computer (Object > Address).
3 Click System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry.
- Select the address object for the administrator's computer.
- Select the WAN zone.
- Set the action to Accept.

5.6.2 File Manager

Use these screens to upload, download, delete, or run scripts of CLI commands. You can manage

• Configuration files. Use configuration files to back up and restore the complete configuration of the ZyWALL. You can store multiple configuration files in the ZyWALL and switch between them without restarting.
• Shell scripts. Use shell scripts to run a series of CLI commands. These are useful for large, repetitive configuration changes (for example, creating a lot of VPN tunnels) and for troubleshooting.

You can edit configuration files and shell scripts in any text editor.

5.6.3 Licensing Registration

Use these screens to register your ZyWALL and subscribe to services like antivirus, IDP and application patrol, more SSL VPN tunnels, and content filtering. You must have Internet access to myZyXEL.com.

5.6.4 Licensing Update

Use these screens to update the ZyWALL's signature packages for the anti-virus, IDP and application patrol, and system protect features. You must have a valid subscription to update the anti-virus and IDP/application patrol signatures You must have Internet access to myZyXEL.com.

5.6.5 Logs and Reports

The ZyWALL provides a system log, offers two e-mail profiles to which to send log messages, and sends information to four syslog servers. It also provides statistical reports to track user activity, web site hits, virus traffic and intrusions and can e-mail them to you on a daily basis.

5.6.6 Diagnostics

The ZyWALL can generate a file containing the ZyWALL's configuration and diagnostic information.

Tutorials

This chapter provides some examples of using the web configurator to set up features in the ZyWALL. See also Chapter 27 on page 415 for an example of configuring L2TP.

6.1 How to Configure Interfaces, Port Grouping, and Zones

This tutorial shows how to configure Ethernet interfaces, port grouping, and zones for the following example configuration (see Section 5.2.2 on page 103 for the default configuration).

• Interface ge8 uses a static IP address of 1.2.3.4 and is in the WAN zone.
• This example uses a limited number of DMZ servers that need full wire speed communication with each other, so ports P4, P5, and P6 are combined into a ge4 interface port group. It uses IP address 192.168.2.1.

Figure 51 Ethernet Interface, Port Grouping, and Zone Configuration Example

graph TD
    A["ZyxEL<br>ZyWALL USG 2000<br>UNIFIED SECURITY GATEWAY"] -->|P1: 192.168.1.1| B["LAN"]
    B --> C["192.168.1.x"]
    B --> D["192.168.2.x"]
    A --> E["DMZ<br>192.168.2.x"]
    A --> F["INTERNET WAN"]
    F --> G["P3: e.f.g.h"]
    F --> H["P8: 1.2.3.4"]
    A --> I["SECURITY EXTENSING MODULE"]
    I --> J["10/100/000"]
    I --> K["10/100/000"]
    I --> L["10/100/000"]
    I --> M["10/100/000"]
    I --> N["10/100/000"]
    I --> O["10/100/000"]
    I --> P["10/100/000"]
    I --> Q["10/100/000"]
    I --> R["10/100/000"]
    I --> S["10/100/000"]
    I --> T["10/100/000"]
    I --> U["10/100/000"]
    I --> V["10/100/000"]
    I --> W["10/100/000"]
    I --> X["10/100/000"]
    I --> Y["10/100/000"]
    I --> Z["10/100/000"]
    I --> AA["10/100/000"]
    I --> AB["10/100/000"]
    I --> AC["10/100/000"]
    I --> AD["10/100/000"]
    I --> AE["10/100/000"]
    I --> AF["10/100/000"]
    I --> AG["10/100/000"]
    I --> AH["10/100/000"]
    I --> AI["10/100/000"]
    I --> AJ["10/100/000"]
    I --> AK["10/100/000"]
    I --> AL["10/100/000"]
    I --> AM["10/100/000"]
    I --> AN["10/100/000"]
    I --> AO["10/100/000"]
    I --> AP["10/100/000"]
    I --> AQ["10/100/000"]
    I --> AR["10/100/000"]
    I --> AS["15/168.2.x"]

6.1.1 Configure a WAN Ethernet Interface

You need to assign the ZyWALL's ge8 interface a static IP address of 1.2.3.4.

Click Network > Interface > Ethernet and the ge8 interface's Edit icon. Configure the IP address, subnet mask, and default gateway settings as follows and click OK.

Figure 52 Network > Interface > Ethernet > Edit ge8

6.1.2 Configure Zones

Do the following to add ge8 to the WAN zone.

1 Click Network > Zone and then the WAN zone Edit icon.
2 Select ge8 in the Available list and use the right arrow to move it to the Member list (as shown here). Click OK.

Figure 53 Network > Zone > WAN Edit

6.1.3 Configure Port Grouping

Here is how to combine physical ports P4, P5, and P6 into the ge4 interface port group.

1 Click Network > Interface > Port Grouping.
2 Drag physical port 5 onto representative interface ge4, as shown next.

Figure 54 Network > Interface > Port Grouping, Drag-and-Drop (P5 to ge4)

3 Drag physical port 6 onto representative interface ge4, as shown next.

Figure 55 Network > Interface > Port Grouping, Drag-and-Drop (P6 to ge4)

4 Click Apply.

5 Click Status, and look at the Interface Status Summary as shown next. Ethernet interface ge4 has a status of Port Group Up, and Ethernet interfaces ge5 and ge6 are disabled and have a Status of Port Group Inactive.

Figure 56 Status: Interface Status Summary After Port Grouping

6.2 How to Configure Load Balancing

With the topology in Figure 51 on page 119, suppose interface ge8 has a high bandwidth Internet connection (100 Mbps) while ge2 and ge3 just have 1 Mbps each. Here is how to have the ZyWALL use ge8 for most Internet traffic and only use interfaces ge2 and ge3 for any traffic that exceeds what ge8 can handle. Here is how to use load balancing to have the ZyWALL mainly use ge8 when sending traffic to the Internet.

Figure 57 Trunk Example

graph LR
    A["Router"] -->|ge2: 1 Mbps| B["INTERNET"]
    A -->|ge3: 1 Mbps| B
    A -->|ge8: 100 Mbps| B

You need to set up the outgoing bandwidth on each of the three interfaces and configure the WAN_TRUNK trunk's load balancing settings.

6.2.1 Set Up Available Bandwidth on Ethernet Interfaces

1 Click Network > Interface > Ethernet and the ge8 Edit icon. Enter the available bandwidth (100000 kbps) in the Egress Bandwidth field. Click OK.

Figure 58 Network > Interface > Ethernet > Edit (ge8)

2 Repeat the process to set the available bandwidth for ge2 and ge3 to (1000 kbps) in the Egress Bandwidth field. Click OK.

6.2.2 Configure the WAN Trunk

1 Click Network > Interface > Trunk. Click WAN_TRUNK's Edit icon.
2 In the Load Balancing Algorithm field, select Spillover. After the screen refreshes, click the Add icon at the top of the right-hand column.

Figure 59 Network > Interface > Trunk > WAN_TRUNK > Edit

3 Select ge8 in the list on the left and use the right arrow to move it to the list on the right as shown. Click OK.

Figure 60 Network > Interface > Trunk > WAN_TRUNK > Edit > Add

4 Click OK.

Figure 61 Network > Interface > Trunk > WAN_TRUNK > Edit (Done)

6.3 How to Set Up an IPSec VPN Tunnel

This example shows how to create the following VPN tunnel.

Figure 62 VPN Example

graph LR
    subgraph LAN
        A["Computer"] --> B["Switch"]
        C["Computer"] --> B
        D["Computer"] --> B
        B --> E["Router"]
        E --> F["Internet"]
        F --> G["VPN Tunnel"]
        G --> H["Router"]
        H --> I["Router"]
    end
    subgraph IP address
        J["192.168.1.0/24"] --> K["X"]
        L["192.168.1.0/24"] --> M["2.2.3.4"]
        N["192.168.1.0/24"] --> O["2.2.2.2"]
    end
    subgraph IP address
        P["192.168.1.0/24"] --> Q["X"]
        R["192.168.1.0/24"] --> S["2.2.2.2"]
        T["192.168.1.0/24"] --> U["2.2.2.2"]
    end
    subgraph IP address
        V["192.168.1.0/24"] --> W["X"]
        X["192.168.1.0/24"] --> Y["2.2.3.4"]
        Z["192.168.1.0/24"] --> AA["2.2.2.2"]
        AB["192.168.1.0/24"] --> AC["2.2.2.2"]
    end
    subgraph IP address
        AD["192.168.1.0/24"] --> AE["X"]
        AF["192.168.1.0/24"] --> AG["2.2.3.4"]
        AH["192.168.1.0/24"] --> AI["2.2.2.2"]
        AJ["192.168.1.0/24"] --> AK["2.2.2.2"]
    end
    subgraph IP address
        AL["192.168.1.0/24"] --> AM["X"]
        AN["192.168.1.0/24"] --> AO["2.2.3.4"]
        AP["192.168.1.0/24"] --> AQ["2.2.2.2"]
        AR["192.168.1.0/24"] --> AS["2.2.2.2"]
    end
    subgraph IP address
        AT["192.168.1.0/24"] --> AU["X"]
        AV["192.168.1.0/24"] --> AW["2.2.3.4"]
        AX["192.168.1.0/24"] --> AY["2.2.3.4"]
        AZ["192.168.1.0/24"] --> BA["2.2.3.4"]
        BB["192.168.1.0/24"] --> BC["2.2.3.4"]
        BD["192.168.1.0/24"] --> BE["2.2.3.4"]
    end

In this example, the ZyWALL is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between ZyWALL X's LAN subnet

(192.168.1.0/24) and the LAN subnet behind peer IPSec router Y (172.16.1.0/24).

6.3.1 Set Up the VPN Gateway

The VPN gateway manages the IKE SA. You do not have to set up any other objects before you configure the VPN gateway because this VPN tunnel does not use any certificates or extended authentication.

1 Click VPN > IPSec VPN > VPN Gateway, and then click the Add icon.
2 Give the VPN gateway a name ("VPN_GW_EXAMPLE"). For My Address, select Interface and ge8. For the Peer Gateway Address, select Static Address and enter 2.2.2.2 in field 1. For the Authentication, Select Pre-Shared Key and enter 12345678. Click OK.

Figure 63 VPN > IPSec VPN > VPN Gateway > Add

6.3.2 Set Up the VPN Connection

The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection.

1 Click Object > Address. Click the Add icon.

2 Give the new address object a name ("VPN_REMOTE_SUBNET"), change the Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.255.255.0. Click OK.

Figure 64 Object > Address > Add

3 Click VPN > IPSec VPN > VPN Connection. Click the Add icon.
4 Give the VPN connection a name ("VPN_CONN_EXAMPLE"). Under VPN Gateway select Static Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK.

Figure 65 VPN > IPSec VPN > VPN Connection > Add

6.3.3 Set Up the Policy Route for the VPN Tunnel

Do the following to create a policy route to have the ZyWALL send traffic through the VPN tunnel.

1 Click Network > Routing > Policy Route. You want this policy route to have higher priority than the default policy route for the trunk, so click the Add icon at the top of the column, not the one next to the existing policy route.

Figure 66 Network > Routing > Policy Route

2 Configure the policy route as shown next. This policy route applies to traffic from the LAN subnet. Use the VPN connection's local and remote objects as the source address and destination address objects here. The next-hop is the VPN connection that you created. Click OK.

Figure 67 Network > Routing > Policy Route > Add

3 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel. To trigger the VPN, either try to connect to a device on the peer IPSec router's LAN or click VPN > IPSec VPN > VPN Connection and use the VPN connection screen's Connect icon.

6.3.4 Configure Security Policies for the VPN Tunnel

You configure security policies based on zones. Assign the new VPN connection to a zone to be able to apply security policies (firewall rules, IDP, and so on) to the VPN connection. Make sure all firewalls between the ZyWALL and remote IPSec router allow UDP port 500 (IKE) and IP protocol 50 (AH) or 51 (ESP). If you enable NAT traversal, all firewalls between the ZyWALL and remote IPSec router should also allow UDP port 4500.

6.4 How to Configure User-aware Access Control

You can configure many policies and security settings for specific users or groups of users. This is illustrated in the following example, where you will set up the following policies. This is a simple example that does not include priorities for different types of traffic. See Bandwidth Management on page 446 for more on bandwidth management.

Table 30 User-aware Access Control Example

The users are authenticated by an external RADIUS server at 192.168.1.200.

First, set up the user accounts and user groups in the ZyWALL. Then, set up user authentication using the RADIUS server. Finally, set up the policies in the table above.

The ZyWALL has its default settings.

6.4.1 Set Up User Accounts

Set up one user account for each user account in the RADIUS server. If it is possible to export user names from the RADIUS server to a text file, then you might create a script to create the user accounts instead. This example uses the web configurator.

1 Click Object > User/Group > User. Click the Add icon.
2 Enter the same user name that is used in the RADIUS server, and set the User Type to Ext-User because this user account is authenticated by an external server. Click OK.

Figure 68 Object > User/Group > User > Add

3 Repeat this process to set up the remaining user accounts.

6.4.2 Set Up User Groups

Set up the user groups and assign the users to the user groups.

1 Click Object > User/Group > Group. Click the Add icon.
2 Enter the name of the group that is used in Table 30 on page 128. In this example, it is "Finance". Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.

Figure 69 Object > User/Group > Group > Add

3 Repeat this process to set up the remaining user groups.

6.4.3 Set Up User Authentication Using the RADIUS Server

This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and

configure the ZyWALL to use the authentication method. Finally, force users to log in to the ZyWALL before it routes traffic for them.

1 Click Object > AAA Server > RADIUS > Default. Configure the RADIUS server, and click Apply.

Figure 70 Object > AAA Server > RADIUS > Default

2 Click Object > Auth. Method. Click the Add icon.
3 Give the new authentication method object a descriptive name, and click the Add icon. Select group radius because the ZyWALL should use the specified RADIUS server for authentication. Click OK.

Figure 71 Object > Auth. Method > Add

4 Click System > WWW. In the Authentication section, select the new authentication method in the Client Authentication Method field. Click Apply.

Figure 72 System > WWW (Authentication)

5 Click Object > User/Group > Setting. In the Force User Authentication Policy section, click the Add icon.
6 Set up a default policy that forces every user to log in to the ZyWALL before the ZyWALL routes traffic for them. Select Enable. Then, select force in the Authentication field. Keep the rest of the default settings, and click OK.

Note: The users will have to log in using the web configurator login screen before they can use HTTP or MSN.

Figure 73 Object > User/Group > Setting > Add (Force User Authentication Policy)

When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears. They have to log in using the user name and password in the RADIUS server.

6.4.4 Set Up Web Surfing Policies With Bandwidth Restrictions

Use application patrol (AppPatrol) to enforce the web surfing and MSN policies. You must have already subscribed for the application patrol service. You can subscribe using the Licensing > Registration screens or using one of the wizards.

1 Click AppPatrol. If application patrol and bandwidth management are not enabled, enable them, and click Apply.

Figure 74 AppPatrol > General

2 Click the Common tab and then the Edit icon next to the default http service.

Figure 75 AppPatrol > Common

3 Click the Default policy's Edit icon.

Figure 76 AppPatrol > Common > http

4 Change the access to Drop because you do not want anyone except authorized user groups to browse the web. Click OK.

Figure 77 AppPatrol > Common > http > Edit Default

5 Click the Add icon in the policy list. In the new policy, select one of the user groups that is allowed to browse the web and set the corresponding bandwidth restriction in the Inbound and Outbound fields. Click OK. Repeat this process to add exceptions for all the other user groups that are allowed to browse the web.

Figure 78 AppPatrol > Common> http > Edit Default

6.4.5 Set Up MSN Policies

Set up a recurring schedule object first because Sales can only use MSN during specified times on specified days.

1 Click Object > Schedule. Click the Add icon for recurring schedules.
2 Give the schedule a descriptive name. Set up the days (Monday through Friday) and the times (8:30 - 18:00) when Sales is allowed to use MSN. Click OK.

Figure 79 Object > Schedule > Add (Recurring)

3 Follow the steps in Section 6.4.4 on page 131 to set up the appropriate policies for MSN in application patrol. Make sure to specify the schedule when you configure the policy for the Sales group's MSN access.

6.4.6 Set Up Firewall Rules

Use the firewall to control access from LAN to the DMZ.

1 Click Firewall and then click the Add icon.

Figure 80 Firewall (Default)

2 Set From as LAN and To as DMZ. Change the Access field to deny, and click OK.

Figure 81 Firewall > LAN to DMZ > Add

3 Click the Add icon at the top of the rule list to create a rule for one of the user groups that is allowed to access the DMZ.

4 Set From as LAN and To as DMZ. Select one of the user groups that is allowed to access the DMZ, and click OK.

Figure 82 Firewall > Add

5 Repeat this process to set up firewall rules for the other user groups that are allowed to access the DMZ.

6.5 How to Configure Service Control

Service control lets you configure rules that control HTTP and HTTPS management access (to the web configurator) and separate rules that control HTTP and HTTPS user access (logging into SSL VPN for example). See Chapter 45 on page 697 for more on service control.

The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the ZyWALL. They do not distinguish between administrator management access and user access. If you configure service control to allow management or user HTTP or HTTPS access, make sure the firewall is not configured to block that access.

6.5.1 Allow HTTPS Administrator Access Only From the LAN

This example configures service control to block administrator HTTPS access from all zones except the LAN.

1 Click System > WWW.

2 In HTTPS Admin Service Control, click the Add icon.

Figure 83 System > WWW

3 In the Zone field select LAN and click OK.

Figure 84 System > WWW > Service Control Rule Edit

4 Click the new rule's Add icon.

Figure 85 System > WWW (First Example Admin Service Rule Configured)

5 In the Zone field select ALL and set the Action to Deny. Click OK.

Figure 86 System > WWW > Service Control Rule Edit

6 Click Apply.

Figure 87 System > WWW (Second Example Admin Service Rule Configured)

Now administrator access to the web configurator can only come from the LAN zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the ZyWALL's zones (to use SSL VPN for example).

6.6 How to Allow Incoming H.323 Peer-to-peer Calls

Suppose you have a H.323 device on the LAN for VoIP calls and you want it to be able to receive peer-to-peer calls from the WAN. Here is an example of how to configure virtual server (port forwarding) and firewall rules to have the ZyWALL

forward H.323 traffic destined for ge2 IP address 10.0.0.8 to a H.323 device located on the LAN and using IP address 192.168.1.56.

Figure 88 WAN to LAN H.323 Peer-to-peer Calls Example

graph LR
    A["Telephone 192.168.1.56"] --> B["Switch"]
    B --> C["Internet"]

6.6.1 Turn On the ALG

Click Network > ALG. Select Enable H.323 transformations and click Apply.

Figure 89 Network > ALG

6.6.2 Set Up a Virtual Server Policy For H.323

In this example, you need a virtual server policy to forward H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56.

1 Use Object > Address > Add to create address objects for the private and public IP addresses (WAN_IP-for-H323 and LAN_H323) as shown next.

Figure 90 Create Address Objects

2 Click Network > Virtual Server > Add.
3 Configure the screen as follows and click OK.

Figure 91 Network > Virtual Server > Add

6.6.3 Set Up a Firewall Rule For H.323

Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN IP address 192.168.1.56.

1 Click Firewall. In From Zone, select WAN; in To Zone, select LAN.

2 The default rule for WAN-to-LAN traffic drops all traffic. You want to allow H.323 access through IP address 10.0.0.8, so add a rule before the default rule. Click the Add icon at the top of the column.

Figure 92 Firewall: WAN to LAN

3 Configure the screen as follows and click OK. LAN_H323 is the destination because the ZyWALL applies the virtual server to traffic before applying the firewall rule.

Figure 93 Firewall > Add

6.7 How to Use Active-Passive Device HA

Here is an example of using device HA (High Availability) to backup ZyWALL A (the master) with ZyWALL B. ZyWALL B automatically takes over all of A's functions if A fails or loses its ge1 or ge2 connection.

An Ethernet switch connects both ZyWALLs' ge1 interfaces to the LAN. Whichever ZyWALL is functioning as the master uses the default gateway IP address of the LAN computers (192.168.1.1) for its ge1 interface and the static public IP address (1.1.1.1) for its ge2 interface. If ZyWALL A recovers (has both its ge1 and ge2

interfaces connected), it resumes its role as the master and takes over all of its functions again.

Figure 94 Device HA: Master Fails and Backup Takes Over

graph TD
    subgraph LAN
        A["Computer 1"] --> R["Router"]
        B["Computer 2"] --> R
        C["Computer 3"] --> R
        D["Computer 4"] --> R
    end
    R --> E["Router"]
    E --> F["Switch"]
    F --> G["Internet"]
    style LAN fill:#f9f,stroke:#333
    style E fill:#ccf,stroke:#333
    style F fill:#cfc,stroke:#333
    style G fill:#fcc,stroke:#333

Each ZyWALL's ge1 interface also has a separate management IP address that stays the same whether the ZyWALL functions as the master or a backup. ZyWALL A's management IP address is 192.168.1.3 and ZyWALL B's is 192.168.1.5.

Figure 95 Device HA: Management IP Addresses

graph TD
    A["Server 1"] --> R["Router"]
    B["Server 2"] --> R
    C["Server 3"] --> R
    R --> D["Router"]
    E["Server 4"] --> D
    D --> F["INTERNET"]
    style R fill:#f9f,stroke:#333
    style D fill:#ccf,stroke:#333

6.7.1 Before You Start

ZyWALL A should already be configured. You will use device HA to copy ZyWALL A's settings to B later (in Section 6.7.3 on page 144). To avoid an IP address conflict, do not connect ZyWALL B to the LAN subnet until after you configure its device HA settings and the instructions tell you to deploy it (in Section 6.7.4 on page 145).

6.7.2 Configure Device HA on the Master ZyWALL

1 Log into ZyWALL A (the master) and click Device HA > Active-Passive Mode. Click ge1's Edit icon.
2 Configure 192.168.1.3 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK.

Figure 96 Device HA > Active-Passive Mode > Edit: Master ZyWALL Example

3 Set the Device Role to Master. This example focuses on the connection from the LAN (ge1) to the Internet through the ge2 interface, so turn on monitoring for the ge1 and ge2 interfaces. Enter a Synchronization Password ("mySyncPassword" in this example) and click Apply.

Figure 97 Device HA > Active-Passive Mode: Master ZyWALL Example

4 Click the General tab. Turn on device HA and click Apply.

Figure 98 Device HA > General: Master ZyWALL Example

6.7.3 Configure the Backup ZyWALL

1 Connect a computer to ZyWALL B's ge1 interface and log into its web configurator. Connect ZyWALL B to the Internet and subscribe it to the same subscription services (like content filtering and anti-virus) to which ZyWALL A is subscribed. See Chapter 8 on page 165 for more on the subscription services.
2 In ZyWALL B click Device HA > Active-Passive Mode. Click ge1's Edit icon.
3 Configure 192.168.1.5 as the Management IP and 255.255.255.0 as the Subnet Mask. Click OK.

Figure 99 Device HA > Active-Passive Mode > Edit: Backup ZyWALL Example

4 Set the Device Role to Backup. Turn on monitoring for the ge1 and ge2 interfaces. Set the Synchronization Server Address to 192.168.1.1, the Port to 21, and the Password to "mySyncPassword". Select Auto Synchronize and set the Interval to 60. Click Apply.

Figure 100 Device HA > Active-Passive Mode: Backup ZyWALL Example

5 Click the General tab. Turn on device HA and click Apply.

Figure 101 Device HA > General: Master ZyWALL Example

6.7.4 Deploy the Backup ZyWALL

Connect ZyWALL B's ge1 interface to the LAN network. Connect ZyWALL B's ge2 interface to the same router that ZyWALL A's ge2 interface uses for Internet access. ZyWALL B copies A's configuration (and re-synchronizes with A every

hour). If ZyWALL A fails or loses its ge1 or ge2 connection, ZyWALL B functions as the master.

6.7.5 Check Your Device HA Setup

1 To make sure ZyWALL B copied ZyWALL A's settings, you can log into ZyWALL B's management IP address (192.168.1.5) and check the configuration. You can use the Maintenance > File Manager > Configuration File screen to save copies of the ZyWALLs' configuration files that you can compare.
2 To test your device HA configuration, disconnect ZyWALL A's ge1 or ge2 interface. Computers on LAN should still be able to access the Internet. If they cannot, check your connections and device HA configuration.

Congratulations! Now that you have configured device HA for LAN, you can use the same process for any of the ZyWALL's other local networks. For example, enable device HA monitoring on the DMZ interfaces and use an Ethernet switch to connect both ZyWALLs' DMZ interfaces to your publicly available servers.

6.8 How to Allow Public Access to a Server

This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the ge3 interface and map it to the HTTP server's private IP address of 192.168.3.7.

Figure 102 Public Server Example Network Topology

graph LR
    A["192.168.3.7"] --> B["Router"]
    B --> C["1.1.1.2"]
    C --> D["INTERNET"]

6.8.1 Create the Address Objects

Use Object > Address > Add to create the address objects.

1 Create an address object named DMZ_HTTP for the HTTP server's private IP address of 192.168.3.7.

Figure 103 Creating the Address Object for the HTTP Server's Private IP Address

2 Create an address object named ge3_HTTP for the ge3 public IP address of 1.1.1.2.

Figure 104 Creating the Address Object for the ge3 Public IP Address

6.8.2 Configure a Virtual Server

You need a virtual server to send HTTP traffic coming to IP address 1.1.1.2 on ge3 to the HTTP server's private IP address of 192.168.3.7. In the Network > Virtual Server screen, click the + symbol and create a new virtual server entry as shown next.

• This virtual server is for traffic coming in on ge3 to IP address 1.1.1.2 (defined in the ge3_HTTP object).
• The virtual server sends this traffic to the HTTP server's private IP address of 192.168.3.7 (defined in the DMZ_HTTP object).
• HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the Port Mapping Type to Port, the Protocol Type to TCP, and the original and mapped ports to 80.
• In this example 1.1.1.2 is not the default IP address for sessions going out through ge3. Select Add corresponding Policy Route rule for NAT 1:1 mapping to send the HTTP server's outgoing sessions through ge3 and use 1.1.1.2 as the source IP address (to match the IP address for accessing it). See NAT 1:1 Example on page 292 for details.

- Select Add corresponding Policy Route rule for NAT Loopback to allow local users to use a domain name to access the HTTP server. See NAT Loopback Example on page 297 for details.

Figure 105 Creating the Virtual Server

The firewall allows traffic from the WAN zone to the DMZ zone by default so your configuration is done. Now the public can go to IP address 1.1.1.2 to access the HTTP server. If a domain name is registered for IP address 1.1.1.2, users can just go to the domain name to access the web server.

7.1 Overview

Use the Status screens to check status information about the ZyWALL.

7.1.1 What You Can Do in the Status Screens

Use the Status screens for the following.

• Use the main Status screen (see Section 7.2 on page 150) to see the ZyWALL's general device information, system status, system resource usage, licensed service status, and interface status. You can also go to the other status screens for more information.
• Use the VPN status screen (see Section 7.2.4 on page 158) to look at the VPN tunnels that are currently established.
• Use the DHCP Table screen (see Section 7.2.5 on page 159) to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.
• Use the Port Statistics screen (see Section 7.2.6 on page 160) to look at packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen.
• Use the Port Statistics Graph screen (see Section 7.2.6 on page 160) to look at a line graph of packet statistics for each physical port.
• Use the Current Users screen (see Section 7.2.8 on page 162) to look at a list of the users currently logged into the ZyWALL.
• Use the SEM Status Detail screen (see Section 7.2.9 on page 162) to look at detailed status information for an installed SEM (Security Extension Module) card.

7.2 The Status Screen

The Status screen displays when you log into the ZyWALL or click Status. Use this screen to look at the ZyWALL's general device information, system status, system resource usage, licensed service status, and interface status.

Figure 106 Status

The following table describes the labels in this screen.

Table 31 Status

7.2.1 The CPU Usage Screen

Use this screen to look at a chart of the ZyWALL's recent CPU usage. To access this screen, click CPU Usage in the Status screen.

Figure 107 Status > CPU Usage

The following table describes the labels in this screen.

Table 32 Status > CPU Usage

7.2.2 The Memory Usage Screen

Use this screen to look at a chart of the ZyWALL's recent memory (RAM) usage. To access this screen, click Memory Usage in the Status screen.

Figure 108 Status > Memory Usage

The following table describes the labels in this screen.

Table 33 Status > Memory Usage

7.2.3 The Session Usage Screen

Use this screen to look at a chart of the ZyWALL's recent traffic session usage. To access this screen, click Session Usage in the Status screen.

Figure 109 Status > Session Usage

The following table describes the labels in this screen.

Table 34 Status > Session Usage

7.2.4 The VPN Status Screen

Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the Status screen.

Figure 110 Status > VPN Status

The following table describes the labels in this screen.

Table 35 Status > VPN Status

7.2.5 The DHCP Table Screen

Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click the icon beside DHCP Table in the Status screen.

Figure 111 Status > DHCP Table

The following table describes the labels in this screen.

Table 36 Status > DHCP Table

7.2.6 The Port Statistics Screen

Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Port Statistics in the Status screen.

Figure 112 Status > Port Statistics

The following table describes the labels in this screen.

Table 37 Status > Port Statistics

7.2.7 The Port Statistics Graph Screen

Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button.

Figure 113 Status > Port Statistics > Switch to Graphic View

The following table describes the labels in this screen.

Table 38 Status > Port Statistics > Switch to Graphic View

7.2.8 The Current Users Screen

Use this screen to look at a list of the users currently logged into the ZyWALL. To access this screen, click the Number of Login Users Detail icon in the Status screen.

Figure 114 Status > Current Users

The following table describes the labels in this screen.

Table 39 Status > Current Users

7.2.9 The SEM Status Detail Screen

Use this screen to look at detailed status information for an installed SEM (Security Extension Module) card. An SEM enhances the ZyWALL's VPN and/or

UTM performance. See the SEM User's Guide for how to install an SEM. To access this screen, click the SEM card's Detail icon in the Status screen.

Figure 115 Status > SEM Detail

The following table describes the labels in this screen.

Table 40 Status > SEM Detail

Registration

8.1 Overview

Use the Licensing > Registration screens to register your ZyWALL and manage its service subscriptions.

8.1.1 What You Can Do in the Registration Screens

• Use the Registration screen (see Section 8.2 on page 167) to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering.
• Use the Service screen (see Section 8.3 on page 169) to display the status of your service registrations and upgrade licenses.

8.1.2 What you Need to Know About Service Registration

This section introduces the topics covered in this chapter.

myZyXEL.com

myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. To update signature files or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL).

Note: You need to create a myZyXEL.com account before you can register your device and activate the services at myZyXEL.com.

You can directly create a myZyXEL.com account, register your ZyWALL and activate a service using the Registration screen. Alternatively, go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.

Subscription Services Available on the ZyWALL

You can have the ZyWALL use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), and content filtering subscription services. You can also purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels. See the respective User's Guide chapters for more information about these features.

Anti-Virus Engines

Subscribe to signature files for ZyXEL's anti-virus engine or one powered by Kaspersky.

- When using the trial, you can switch from one engine to the other in the Registration screen. There is no limit on the number of times you can change the anti-virus engine selection during the trial, but you only get a total of one anti-virus trial period (not a separate trial period for each anti-virus engine).

- After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription. Even if the earlier iCard anti-virus subscription was for a different anti-virus engine. For example, suppose you purchase a one-year Kaspersky engine anti-virus service subscription and use it for six months. Then you purchase a one-year ZyXEL engine anti-virus service subscription and enter the iCard's PIN number (license key) in the Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months.

8.2 The Registration Screen

Use this screen to register your ZyWALL with myZyXEL.com and activate a service, such as content filtering. Click Licensing > Registration in the navigation panel to open the screen as shown next.

Figure 116 Licensing > Registration

The following table describes the labels in this screen.

Table 41 Licensing > Registration

Note: If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status.

Figure 117 Licensing > Registration: Registered Device

8.3 The Service Screen

Use this screen to display the status of your service registrations and upgrade licenses. To activate or extend a standard service subscription, purchase an iCard and enter the iCard's PIN number (license key) in this screen. Click Licensing > Registration > Service to open the screen as shown next.

Figure 118 Licensing > Registration > Service

The following table describes the labels in this screen.

Table 42 Licensing > Registration > Service

Signature Update

9.1 Overview

This chapter shows you how to update the ZyWALL's signature packages.

9.1.1 What You Can Do in the Update Screens

• Use the Licensing > Update > Anti-virus screen (Section 9.2 on page 172) to update the anti-virus signatures. See Chapter 29 on page 473 for details on anti-virus.
• Use the Licensing > Update > IDP/AppPatrol screen (Section 9.3 on page 173) to update the signatures used for IDP and application patrol. See Chapter 30 on page 489 for details on IDP. See Chapter 28 on page 445 for details on application patrol.
• Use the Licensing > Update > System Protect screen (Section 9.4 on page 175) to update the system-protection signatures.

9.1.2 What you Need to Know About Signature Updates

• You need a valid service registration to update the anti-virus signatures and the IDP/AppPatrol signatures.
• You do not need a service registration to update the system-protection signatures.
• Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network.
• Your custom signature configurations are not over-written when you download new signatures.

Note: The ZyWALL does not have to reboot when you upload new signatures.

9.2 The Antivirus Update Screen

Click Licensing > Update > Anti-Virus to display the following screen.

Figure 119 Licensing > Update > Anti-Virus

The following table describes the labels in this screen.

9.3 The IDP/AppPatrol Update Screen

Click Licensing > Update > IDP/AppPatrol to display the following screen.

The ZyWALL comes with signatures for the IDP and application patrol features. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the ZyWALL periodically if you have subscribed for the IDP/AppPatrol signatures service.

You need to create an account at myZyXEL.com, register your ZyWALL and then subscribe for IDP service in order to be able to download new packet inspection signatures from myZyXEL.com (see the Registration screens). Use the Update IDP /AppPatrol screen to schedule or immediately download IDP signatures.

Figure 120 Licensing > Update > IDP/AppPatrol

The following table describes the fields in this screen.

Table 43 Licensing > Update > IDP/AppPatrol

Figure 121 Downloading IDP Signatures

Figure 122 Successful IDP Signature Download

9.4 The System Protect Update Screen

Click Licensing > Update > System Protect to display the following screen.

Use this screen to schedule or immediately download system-protection signatures. The ZyWALL comes with signatures that it uses to protect itself from intrusions. These signatures are continually updated as new attack types evolve. These system protection signature updates are free and can be downloaded to the ZyWALL periodically. The system-protection function is part of the IDP feature. The system-protection feature is enabled by default and can only be disabled via the commands. You do not need an IDP subscription to use the system-protection feature or to download updated system-protection signatures.

Figure 123 Licensing > Update > System Protect

The following table describes the fields in this screen.

Table 44 Licensing > Update > System Protect

Figure 124 Downloading System Protect Signatures

Figure 125 Successful System Protect Signature Download

PART II

Network

Interface (181)

Trunks (239)

Policy and Static Routes (249)

Routing Protocols (263)

Zones (275)

DDNS (279)

Virtual Servers (287)

HTTP Redirect (301)

ALG (305)

IP/MAC Binding (313)

10.1 Interface Overview

Use the Interface screens to configure the ZyWALL's interfaces. You can also create interfaces on top of other interfaces.

• Ports are the physical ports to which you connect cables.
• Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the ZyWALL. For example, You connect the LAN network to the ge1 interface.
• Zones are groups of interfaces used to ease security policy configuration.

10.1.1 What You Can Do in the Interface Screens

• Use the Interface Status screen (Section 10.2 on page 185) to see all of the ZyWALL's interfaces and their packet statistics.
• Use the Port Grouping screens (Section 10.3 on page 188) to create port groups and to assign physical ports and port groups to Ethernet interfaces.
• Use the Ethernet screens (Section 10.4 on page 190) to configure the Ethernet interfaces. Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.
• Use the PPP screens (Section 10.6 on page 198) for PPPoE or PPTP Internet connections.
• Use the Cellular screens (Section 10.7 on page 205) to configure settings for interfaces for Internet connections through an installed 3G card.
• Use the VLAN screens (Section 10.9 on page 214) to divide the physical network into multiple logical networks. VLAN interfaces receive and send tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
• Use the Bridge screens (Section 10.10 on page 222) to combine two or more network segments into a single network.

• Use the Auxiliary screens (Section 10.11 on page 230) to configure the ZyWALL's auxiliary interface to use an external modem.

• Use the Virtual Interface screen (Section 10.12 on page 233) to create virtual interfaces on top of Ethernet interfaces to tell the ZyWALL where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.

• Use the Trunks screens (Chapter 11 on page 239) to configure load balancing.

10.1.2 What You Need to Know About Interfaces

Interface Characteristics

Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface).

• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
• An interface belongs to at most one zone.
• Many interfaces can belong to the same zone.
• Layer-3 virtualization (IP alias, for example) is a kind of interface.

Types of Interfaces

You can create several types of interfaces in the ZyWALL.

• Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.
• Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.
• VLAN interfaces receive and send tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
• Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the ZyWALL. You can also assign an IP address and subnet mask to the bridge.
• PPPoE/PPTP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.
• Virtual interfaces provide additional routing information in the ZyWALL. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.
• The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the AUX port.
• Trunks manage load balancing between interfaces.

Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface. See Section 10.3 on page 188, Chapter 11 on page 239, and Section 10.11 on page 230 for details. The other types of interfaces--Ethernet, VLAN, bridge, PPPoE/PPTP, and virtual--have a lot of similar characteristics. These characteristics are listed in the following table and discussed in more detail below.

Table 45 Ethernet, VLAN, Bridge, PPPoE/PPTP, and Virtual Interfaces Characteristics

* - The format of interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, Ethernet interface names are ge1, ge2, ge3, ...; VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.

** - The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface ge1 are called ge1:1, ge1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the web configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.

Relationships Between Interfaces

In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports or port groups. The relationships between interfaces are explained in the following table.

* - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPPoE/PPTP interface on top of it.
Table 46 Relationships Between Different Types of Interfaces

Finding Out More

• See Section 5.2 on page 102 details on the differences between physical ports, interfaces, and zones in the ZyWALL.
  • See Section 5.4.2 on page 106 for related information about the Interface screens.
  • See Section 10.13 on page 235 for background information on interfaces.
• See Section 6.1 on page 119 for an example of configuring Ethernet interfaces and port groups.
  • See Chapter 11 on page 239 to configure load balancing using trunks.

10.2 Interface Status Screen

This screen lists all of the ZyWALL's interfaces and gives packet statistics for them. Click Network > Interface to access this screen.

Figure 126 Network > Interface > Interface Status

Each field is described in the following table.

Table 47 Network > Interface > Interface Status

10.3 Port Grouping

This section introduces port groups and then explains the screen for port groups.

10.3.1 Port Grouping Overview

Use port grouping to create port groups and to assign physical ports and port groups to Ethernet interfaces.

Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group. Port groups have the following characteristics:

• There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-speed throughput but no security.
• It can increase the bandwidth between the port group and other interfaces.

In the example below, you might combine physical ports 3 and 4 into port group ge3.

Figure 127 Port Grouping Example: Network

graph TD
    A["ge1"] --> B["ZyWALL"]
    C["ge2"] --> B
    D["ge3"] --> B
    E["ge5"] --> B
    B --> F["Internet"]
    style A fill:#f9f,stroke:#333
    style C fill:#f9f,stroke:#333
    style D fill:#f9f,stroke:#333
    style E fill:#f9f,stroke:#333
    style F fill:#ccf,stroke:#333

In this case, click Network > Interface > Port Grouping, and set up the screen like this.

Figure 128 Port Grouping Example: Screen

There are no ports assigned to ge4. If you do not assign any physical ports to a representative interface, you cannot use this interface to create other interfaces or create IPSec VPN tunnels. The Ethernet interface is still displayed in the screen, however, and the existing configuration remains.

10.3.2 Port Grouping Screen

Define the relationship between physical ports, port groups, and Ethernet interfaces in the Port Grouping screen. Port grouping does not apply to ports 7 and 8 (the dual-personality Ethernet port and SFP slot pairs). The are always assigned to interfaces ge7 and ge8, respectively. To access this screen, click Network > Interface > Port Grouping.

Figure 129 Network > Interface > Port Grouping

Each section in this screen is described below.

Table 48 Network > Interface > Port Grouping

10.4 Ethernet Summary Screen

This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Network > Interface.

Figure 130 Network > Interface > Ethernet

Each field is described in the following table.

Table 49 Network > Interface > Ethernet

10.4.1 Ethernet Edit

The Ethernet Edit screen lets you configure IP address assignment, interface parameters, RIP settings, OSPF settings, DHCP settings, and ping check settings. To access this screen, click an Edit icon in the Ethernet Summary screen. (See Section 10.4 on page 190.)

Figure 131 Network > Interface > Ethernet > Edit

Each field is described in the table below.

Table 50 Network > Interface > Ethernet > Edit

10.5 The Static DHCP Screen

In an interface add or edit screen, click Edit static DHCP table to open the Static DHCP screen. Use this screen to configure the list of static IP addresses the ZyWALL assigns to computers connected to the interface. If a computer's MAC address is in the interface's static DHCP table, the ZyWALL assigns the corresponding IP address. Otherwise, the ZyWALL assigns an IP address dynamically using the interface's IP Pool Start Address and Pool Size.

You must click OK in the Static DHCP screen and then click OK in the interface add or edit screen to save your changes.

Figure 132 Static DHCP

The following table describes this screen.

Table 51 Static DHCP

10.6 The PPP Interfaces

This section introduces PPPoE, PPTP, and PPPoE/PPTP interfaces and then explains the screens for PPPoE/PPTP interfaces.

10.6.1 PPPoE/PPTP Overview

Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections.

PPPoE is often used with cable modems and DSL connections. It provides the following advantages:

• The access and authentication method works with existing systems, including RADIUS.
• You can access one of several network services. This makes it easier for the service provider to offer the service
• PPPoE does not usually require any special configuration of the modem.

PPTP is used to set up virtual private networks (VPN) in unsecure TCP/IP environments. It sets up two sessions.

1 The first one runs on TCP port 1723. It is used to start and manage the second one.
2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.

PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions.

10.6.2 PPPoE/PPTP Interfaces Overview

In the ZyWALL, you may use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network.

Figure 133 Example: PPPoE/PPTP Interfaces

graph LR
    A["Router"] <--> B["INTERNET"]
    B <--> C["ISP"]

PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.

1 You must set up an ISP account before you create a PPPoE/PPTP interface.

Each ISP account specifies the protocol (PPPoE or PPTP), as well as your ISP account information. If you change ISPs later, you only have to create a new ISP account, not a new PPPoE/PPTP interface. You should not have to change any network policies.

2 You do not set up the subnet mask or gateway.

PPPoE/PPTP interfaces are interfaces between the ZyWALL and only one computer. Therefore, the subnet mask is always 255.255.255.255. In addition, the ZyWALL always treats the ISP as a gateway.

At the time of writing, it is possible to set up the IP address of the gateway (ISP) using CLI commands but not in the web configurator.

10.6.3 PPP Interface Summary

Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.

This screen lists every PPPoE/PPTP interface. To access this screen, click Network > Interface > PPP.

Figure 134 Network > Interface > PPP

Each field is described in the table below.

Table 52 Network > Interface > PPP

10.6.4 PPP Interface Add/Edit

Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.

This screen lets you configure new or existing PPPoE/PPTP interfaces. To access this screen, click the Add icon or an Edit icon in the PPP Interface screen.

Figure 135 Network > Interface > PPP > Edit

Each field is explained in the following table.

Table 53 Network > Interface > PPP > Edit > Configuration

10.7 Cellular Configuration Screen (3G)

3G (Third Generation) is a digital, packet-switched wireless technology. Bandwidth usage is optimized as multiple users share the same channel and bandwidth is only allocated to users when they send data. It allows fast transfer of voice and non-voice data and provides broadband Internet access to mobile devices.

Note: The actual data rate you obtain varies depending the 3G card you use, the signal strength to the service provider's base station, and so on.

If the signal strength of a 3G network is too low, the 3G card may switch to an available 2.5G or 2.75G network. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G of wireless technologies.

Table 54 2G, 2.5G, 2.75G, 3G and 3.5G Wireless Technologies

To change your 3G WAN settings, click Network > Interface > Cellular.

Note: Install (or connect) a compatible 3G card to use a cellular connection. See Chapter 52 on page 803 for details.

Note: The WAN IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.

Figure 136 Network > Interface > Cellular

The following table describes the labels in this screen.

Table 55 Network > Interface > Cellular

10.7.1 Cellular Add/Edit Screen

To change your 3G settings, click Network > Interface > Cellular > Add (or Edit). In the pop-up window that displays, select the slot that you want to configure. The following screen displays.

Figure 137 Interface > Cellular > Add

The following table describes the labels in this screen.

Table 56 Interface > Cellular > Add

10.8 Cellular Status Screen

To check your 3G connection status, click Network > Interface > Cellular > Status. The following screen displays.

Figure 138 Interface > Cellular > Status

The following table describes the labels in this screen.

Table 57 Interface > Cellular > Status

10.9 VLAN Interfaces

This section introduces VLAN and VLAN interfaces and then explains the screens for VLAN interfaces.

10.9.1 VLAN Overview

A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q.

Figure 139 Example: Before VLAN

graph TD
    A["Router"] --> B["Computer 1"]
    A --> C["Computer 2"]
    A --> D["Computer 3"]
    B --> E["Client 1"]
    B --> F["Client 2"]
    C --> G["Client 3"]
    D --> H["Client 4"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333

In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router.

Alternatively, you can divide the physical networks into three VLANs.

Figure 140 Example: After VLAN

graph TD
    A["Router"] --> B["River"]
    B --> C["Router"]
    C --> D["VLAN ID = 1"]
    C --> E["VLAN ID = 2"]
    C --> F["VLAN ID = 3"]
    B --> G["Router"]
    G --> H["VLAN ID = 1"]
    G --> I["VLAN ID = 2"]
    G --> J["VLAN ID = 3"]

Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.)

• Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.
• Traffic between VLANs (or between a VLAN and another type of network) is layer-3 communication (network layer, IP addresses). It is handled by the router.

This approach provides a few advantages.

• Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users.
• Higher security - If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN.
• Better manageability - You can align network policies more appropriately for users. For example, you can create different content filtering rules for each VLAN (each department in the example above), and you can set different bandwidth limits for each VLAN. These rules are also independent of the physical network, so you can change the physical network without changing policies.

In this example, the new switch handles the following types of traffic:

- Inside VLAN 2.

• Between the router and VLAN 1.
• Between the router and VLAN 2.
• Between the router and VLAN 3.

10.9.2 VLAN Interfaces Overview

In the ZyWALL, each VLAN is called a VLAN interface. As a router, the ZyWALL routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go through only one Ethernet interface, though each Ethernet interface can have one or more VLAN interfaces.

Note: Each VLAN interface is created on top of only one Ethernet interface.

Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.

10.9.3 VLAN Summary Screen

This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. To access this screen, click Network > Interface > VLAN.

Figure 141 Network > Interface > VLAN

Each field is explained in the following table.

Table 58 Network > Interface > VLAN

10.9.4 VLAN Add/Edit

This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and ping check for each VLAN interface. To access this screen, click the Add icon at the top of the Add column or click an Edit icon next to a VLAN interface in the VLAN Summary screen. The following screen appears.

Figure 142 Network > Interface > VLAN > Edit

Each field is explained in the following table.

Table 59 Network > Interface > VLAN > Edit

10.10 Bridge Interfaces

This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces.

10.10.1 Bridge Overview

A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments.

graph TD
    A["Switch A"] -->|0A:0A:0A:0A:0A:0A| R["Router"]
    B["Switch B"] -->|0B:0B:0B:0B:0B:0B| R
    C["Switch C"] -->|1| R
    D["Switch D"] -->|2| R
    E["Switch E"] -->|3| R
    R -->|4| B
    R -->|5| A
    style R fill:#f9f,stroke:#333,stroke-width:2px

When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received).

In the example above, computer A sends a packet to computer B. Bridge X records the source address 0A:0A:0A:0A:0A:0A and port 2 in the table. It also

looks up 0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4.

Table 60 Example: Bridge Table After Computer A Sends a Packet to Computer B

If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly.

Table 61 Example: Bridge Table After Computer B Responds to Computer A

10.10.2 Bridge Interface Overview

A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the ZyWALL's interface for the resulting network.

Unlike the device-wide bridge mode in ZyNOS-based ZyWALLs, this ZyWALL can bridge traffic between some interfaces while it routes traffic for other interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and ping check. To use the whole ZyWALL as a transparent bridge, add all of the ZyWALL's interfaces to a bridge interface.

A bridge interface may consist of the following members:

• Zero or one VLAN interfaces (and any associated virtual VLAN interfaces)
• Any number of Ethernet interfaces (and any associated virtual Ethernet interfaces)

When you create a bridge interface, the ZyWALL removes the members' entries from the routing table and adds the bridge interface's entries to the routing table. For example, this table shows the routing table before and after you create bridge interface br0 (250.250.250.0/23) between ge1 and vlan1.

Table 62 Example: Routing Table Before and After Bridge Interface br0 Is Created

Table 62 Example: Routing Table Before and After Bridge Interface br0 Is Created

In this example, virtual Ethernet interface ge1:1 is also removed from the routing table when ge1 is added to br0. Virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed.

10.10.3 Bridge Summary

This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Network > Interface > Bridge.

Figure 143 Network > Interface > Bridge

Each field is described in the following table.

Table 63 Network > Interface > Bridge

10.10.4 Bridge Add/Edit

This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and ping check for each bridge interface. To access this screen, click the Add icon at the top of the Add column in the Bridge Summary screen, or click an Edit icon in the Bridge Summary screen. The following screen appears.

Figure 144 Network > Interface > Bridge > Edit

In this example, you are creating a new bridge. If you are editing a bridge, the Interface Name field is read-only. Each field is described in the table below.

Table 64 Network > Interface > Bridge > Edit

10.11 Auxiliary Interface

This section introduces the auxiliary interface and then explains the screen for it.

10.11.1 Auxiliary Interface Overview

Use the auxiliary interface to dial out from the ZyWALL's auxiliary port. For example, you might use this interface as a backup WAN interface.

You have to connect an external modem to the ZyWALL's auxiliary port to use the auxiliary interface.

Note: You have to connect an external modem to the auxiliary port.

The ZyWALL uses the auxiliary interface to dial out in two situations.

1 You click the Connect icon on the ZyWALL Status screen.
2 The load auxiliary interface must connect to satisfy load-balancing requirements. You have to add the auxiliary interface to a trunk first.

When the ZyWALL hangs up the call, it drops the Data Terminal Ready (DTR) signal and issues the command ATH.

10.11.2 Auxiliary

Use the Auxiliary screen to configure the ZyWALL's auxiliary interface. Click Network > Interface > Auxiliary to open it.

Figure 145 Network > Interface > Auxiliary

Each field is described in the table below.

Table 65 Network > Interface > Auxiliary

10.12 Virtual Interfaces

Use virtual interfaces to tell the ZyWALL where to route packets. Virtual interfaces can also be used in VPN gateways (see Chapter 21 on page 339) and VRRP groups (see Chapter 35 on page 593).

Virtual interfaces can be created on top of Ethernet interfaces, VLAN interfaces, or bridge interfaces. Virtual VLAN interfaces recognize and use the same VLAN ID. Otherwise, there is no difference between each type of virtual interface. Network policies (for example, firewall rules) that apply to the underlying interface automatically apply to the virtual interface as well.

Like other interfaces, virtual interfaces have an IP address, subnet mask, and gateway used to make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual interfaces cannot be DHCP clients. Like other interfaces, you can restrict bandwidth through virtual interfaces, but you cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available.

10.12.1 Virtual Interfaces Add/Edit

This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet interface, VLAN interface, or bridge interface in the respective interface summary screen.

Figure 146 Network > Interface > Add

Each field is described in the table below.

Table 66 Network > Interface > Add

10.13 Interface Technical Reference

Here is more detailed information about interfaces on the ZyWALL.

IP Address Assignment

Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table.

Figure 147 Example: Entry in the Routing Table Derived from Interfaces

graph LR
    subgraph Network 1
        A["Client 1"] --> B["Router"]
        C["Client 2"] --> B
        B -->|ge1 100.100.1.1/16| D["ZyWALL"]
    end
    subgraph Network 2
        E["Client 2"] --> F["Router"]
        G["Client 3"] --> F
        F -->|ge2 200.200.200.1/24| D
    end

Table 67 Example: Routing Table Entries for Interfaces

For example, if the ZyWALL gets a packet with a destination address of 100.100.25.25, it routes the packet to interface ge1. If the ZyWALL gets a packet with a destination address of 200.200.200.200, it routes the packet to interface ge2.

In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 because it is a point-to-point interface. For these interfaces, you can only enter the IP address.

In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. Virtual interfaces, however, cannot be DHCP clients. You have to assign the IP address and subnet mask manually.

In general, the IP address and subnet mask of each interface should not overlap, though it is possible for this to happen with DHCP clients.

In the example above, if the ZyWALL gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the ZyWALL should send this packet, you can specify it as a gateway in one of the interfaces. For example,

if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on ge2. In this case, the ZyWALL creates the following entry in the routing table.

Table 68 Example: Routing Table Entry for a Gateway

The gateway is an optional setting for each interface. If there is more than one gateway, the ZyWALL uses the gateway with the lowest metric, or cost. If two or more gateways have the same metric, the ZyWALL uses the one that was set up first (the first entry in the routing table). In PPPoE/PPTP interfaces, the other computer is the gateway for the interface by default. In this case, you should specify the metric.

If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any.

Interface Parameters

The ZyWALL restricts the amount of traffic into and out of the ZyWALL through each interface.

• Egress bandwidth sets the amount of traffic the ZyWALL sends out through the interface to the network.
• Ingress bandwidth sets the amount of traffic the ZyWALL allows in through the interface from the network. ^1

If you set the bandwidth restrictions very high, you effectively remove the restrictions.

The ZyWALL also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the ZyWALL divides it into smaller fragments. Each fragment is sent separately, and the original packet is re-assembled later. The smaller the MTU, the more fragments sent, and the more work required to re-assemble packets correctly. On the other hand, some communication channels, such as Ethernet over ATM, might not be able to handle large data packets.

DHCP Settings

Dynamic Host Configuration Protocol (DHCP, RFC 2131, RFC 2132) provides a way to automatically set up and maintain IP addresses, subnet masks, gateways, and some network information (such as the IP addresses of DNS servers) on

computers in the network. This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently.

In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client.

In the ZyWALL, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server.

As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously.

As a DHCP server, the interface provides the following information to DHCP clients.

- IP address - If the DHCP client's MAC address is in the ZyWALL's static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.

Table 69 Example: Assigning IP Addresses from a Pool

The ZyWALL cannot assign the first address (network address) or the last address (broadcast address) in the subnet defined by the interface's IP address and subnet mask. For example, in the first entry, if the subnet mask is 255.255.255.0, the ZyWALL cannot assign 50.50.50.0 or 50.50.50.255. If the subnet mask is 255.255.0.0, the ZyWALL cannot assign 50.50.0.0 or 50.50.255.255. Otherwise, it can assign every IP address in the range, except the interface's IP address.

If you do not specify the starting address or the pool size, the interface the maximum range of IP addresses allowed by the interface's IP address and subnet mask. For example, if the interface's IP address is 9.9.9.1 and subnet mask is 255.255.255.0, the starting IP address in the pool is 9.9.9.2, and the pool size is 253.

• Subnet mask - The interface provides the same subnet mask you specify for the interface. See IP Address Assignment on page 235.
• Gateway - The interface provides the same gateway you specify for the interface. See IP Address Assignment on page 235.

- DNS servers - The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients. You can specify each IP address manually (for example, a company's own DNS server), or you can refer to DNS servers that other interfaces received from DHCP servers (for example, a DNS server at an ISP). These other interfaces have to be DHCP clients.

It is not possible for an interface to be the DHCP server and a DHCP client simultaneously.

WINS

WINS (Windows Internet Naming Service) is a Windows implementation of NetBIOS Name Server (NBNS) on Windows. It keeps track of NetBIOS computer names. It stores a mapping table of your network's computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast traffic since computers can query the server instead of broadcasting a request for a computer name's IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.

PPPoE/PPTP Overview

Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages:

• The access and authentication method works with existing systems, including RADIUS.
• You can access one of several network services. This makes it easier for the service provider to offer the service
• PPPoE does not usually require any special configuration of the modem.

PPTP is used to set up virtual private networks (VPN) in unsecure TCP/IP environments. It sets up two sessions.

1 The first one runs on TCP port 1723. It is used to start and manage the second one.
2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.

PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions.

11.1 Overview

Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links.

Maybe you have two Internet connections with different bandwidths. You could set up a trunk that uses spillover or weighted round robin load balancing so time-sensitive traffic (like video) usually goes through the higher-bandwidth interface. For other traffic, you might want to use least load first load balancing to even out the distribution of the traffic load.

Suppose ISP A has better connections to Europe while ISP B has better connections to Australia. You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B.

Or maybe one of the ZyWALL's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoIP service provider set to active and another interface (connected to another ISP) set to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface's connection is up.

11.1.1 What You Can Do in the Trunk Screens

• Use the Trunk summary screen (Section 11.2 on page 243) to configure link sticking and view the list of configured trunks and which load balancing algorithm each trunk uses.
• Use the Trunk Edit screen (Section 11.3 on page 245) to configure which interfaces belong to each trunk and the load balancing algorithm each trunk uses.

11.1.2 What You Need to Know About Trunks

• Add WAN interfaces to trunks to have multiple connections share the traffic load.
• If one WAN interface's connection goes down, the ZyWALL sends traffic through another member of the trunk.
• For example, you connect one WAN interface to one ISP and connect a second WAN interface to a second ISP. The ZyWALL balances the WAN traffic load between the connections. If one interface's connection goes down, the ZyWALL can automatically send its traffic through another interface.

You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic.

- If that interface's connection goes down, the ZyWALL can still send its traffic through another interface.

- You can define multiple trunks for the same physical interfaces.

Link Sticking

You can have the ZyWALL send each local computer's traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user's subsequent sessions came from a different WAN IP address, the file server would deny the request. Here is an example.

Figure 148 Link Sticking

graph TD
    LAN -->|1| ge2["ge2"]
    ge2 -->|3| ge3["ge3"]
    ge3 -->|4| router["Router"]
    router -->|2| B["Server B"]
    B -->|2| C["Server C"]
    C -->|1| LAN
    ge2 -.->|dashed purple arrow| Internet

1 LAN user A tries to download a file from server B on the Internet. The ZyWALL uses ge2 to send the request to server B.

2 However remote server B is actually a redirect server. So server B sends a file list to LAN user A. The file list lets LAN user A's computer know that the desired file is actually on file server (C). At the same time, register server B informs file server C that a computer located at the ge2's IP address will download a file.
3 The ZyWALL is using active/active load balancing. So when LAN user A tries to retrieve the file from file server C, the request goes out through ge3.
4 File server C finds that the request comes from ge3's IP address instead of ge2's IP address and rejects the request.
5 If link sticking had been configured, the ZyWALL would have still used ge2 to send LAN user A's request to file server C and the file server would have given the file to A.

Load Balancing Algorithms

The following sections describe the load balancing algorithms the ZyWALL can use to decide which interface the traffic (from the LAN) should use for a session ^2 . The available bandwidth you configure on the ZyWALL refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using.

Least Load First

The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index(es) when making decisions about to which interface a new session is to be distributed. The outbound bandwidth utilization is defined as the measured outbound throughput over the available outbound bandwidth.

Here the ZyWALL has two WAN interfaces connected to the Internet. The configured available outbound bandwidths for WAN 1 and WAN 2 are 512K and 256K respectively.

Figure 149 Least Load First Example

graph LR
    A["路由器"] -->|WAN1 512K| B["INTERNET"]
    A -->|WAN2 256K| B

The outbound bandwidth utilization is used as the load balancing index. In this example, the measured (current) outbound throughput of WAN 1 is 412K and WAN 2 is 198K. The ZyWALL calculates the load balancing index as shown in the table below.

Since WAN 2 has a smaller load balancing index (meaning that it is less utilized than WAN 1), the ZyWALL will send the subsequent new session traffic through WAN 2.

Table 70 Least Load First Example

Weighted Round Robin

The Weighted Round Robin (WRR) algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. Similar to the Round Robin (RR) algorithm (see Section 11.4 on page 246), the Weighted Round Robin (WRR) algorithm sets the ZyWALL to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more of the traffic than an interface with a smaller weight.

For example, in the figure below, the configured available bandwidth of ge2 is 1M and ge3 is 512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of ge2 and ge3 to 2 and 1 respectively. The ZyWALL assigns the traffic of two sessions to ge2 for every session's traffic assigned to ge3.

Figure 150 Weighted Round Robin Algorithm Example

graph LR
    S6 --> S4
    S5 --> S4
    S2 -->|WAN1 1M| Internet
    S3 -->|WAN2 512K| Internet
    Internet -->|WAN1 1M| Internet

Spillover

The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface's maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list. This continues as long as there are more member interfaces and traffic to be sent through them.

Suppose the first trunk member interface uses an unlimited access Internet connection and the second is billed by usage. Spillover load balancing only uses the second interface when the traffic load exceeds the threshold on the first interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface.

In this example figure, the upper threshold of the first interface is set to 800K. The ZyWALL sends network traffic of new sessions that exceed this limit to the secondary WAN interface.

Figure 151 Spillover Algorithm Example

graph LR
    A["1M"] --> B["交换机"]
    B --> C["WAN1 800K"]
    B --> D["WAN2"]
    C --> E["INTERNET"]
    D --> E

Finding Out More

• See Section 5.4.3 on page 106 for related information on the Trunk screens.
• See Section 11.4 on page 246 for more background information on trunks.
• See Section 6.2 on page 122 for an example of how to configure load balancing.

11.2 The Trunk Summary Screen

Click Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.

Figure 152 Network > Interface > Trunk

The following table describes the items in this screen.

Table 71 Network > Interface > Trunk

11.3 Configuring a Trunk

Click Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen.

Figure 153 Network > Interface > Trunk > Add

Each field is described in the table below.

Table 72 Network > Interface > Trunk > Add

11.4 Trunk Technical Reference

Round Robin Load Balancing Algorithm

Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list. The next queue is given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the

number of queues being used. This works in a looping fashion until a queue is empty.

Policy and Static Routes

12.1 Policy and Static Routes Overview

Use policy routes and static routes to override the ZyWALL's default routing behavior in order to send packets through the appropriate the interface or VPN tunnel.

For example, the next figure shows a computer (A) connected to the ZyWALL's LAN interface. The ZyWALL routes most traffic from A to the Internet through the ZyWALL's default gateway (R1). You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router (R3) connected to the LAN.

Figure 154 Example of Policy Routing Topology

graph TD
    A["Router A"] --> LAN["LAN"]
    LAN --> WAN["WAN"]
    WAN --> R1["R1"]
    R1 --> INTERNET["INTERNET"]
    R2["R2"] --> LAN
    R3["R3"] --> LAN
    subgraph LAN
        R3
        R2
    end
    subgraph INTERNET
        R1
        R2
        R3
    end

You also use policy routes to send traffic through VPN tunnels. Using the VPN wizard automatically configures a corresponding policy route, but you must manually configure a policy route if you use the main VPN screens to configure a VPN connection.

Note: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.

12.1.1 What You Can Do in the Policy and Static Route Screens

• Use the Policy Route screens (see Section 12.2 on page 251) to list and configure policy routes.
• Use the Static Route screens (see Section 12.3 on page 257) to list and configure static routes.

12.1.2 What You Need to Know About Policy and Static Routing

Policy Routing

Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.

How You Can Use Policy Routing

• Source-Based Routing – Network administrators can use policy-based routing to direct traffic from different users through different connections.
• Bandwidth Shaping – You can allocate bandwidth to traffic that matches routing policies and prioritize traffic (however the application patrol's bandwidth management is more flexible and recommended for TCP and UDP traffic). Use policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels.

Note: Bandwidth management in policy routes has priority over application patrol bandwidth management.

• Cost Savings – IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
• Load Sharing – Network administrators can use IPPR to distribute traffic among multiple paths.
• NAT - The ZyWALL performs NAT by default for traffic going to or from the WAN interfaces. A routing policy's SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.

- A NAT loopback policy route lets local users use a domain name to access a virtual server.

When creating a virtual server that local users will use a domain name to access, you can select an option to configure a NAT loopback policy route.

Static Routes

The ZyWALL usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the ZyWALL send data to devices not reachable through the default gateway, use static routes. Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Chapter 13 on page 263 for more on RIP and OSPF.

Policy Routes Versus Static Routes

• Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
• Policy routes are only used within the ZyWALL itself. Static routes can be propagated to other routers using RIP or OSPF.
• Policy routes take priority over static routes. If you need to use a routing policy on the ZyWALL and propagate it to other routers, you could configure a policy route and an equivalent static route.

Finding Out More

• See Section 5.4.10 on page 108 for related information on the policy route screens.
- See Section 12.4 on page 259 for more background information on policy routing.
- See Section 6.3.3 on page 126 for an example of configuring a policy route for an IPSec VPN tunnel.

12.2 Policy Route Screen

Click Network > Routing to open the Policy Route screen. Use this screen to see the configured policy routes and turn policy routing based bandwidth management on or off.

A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.

The actions that can be taken include:

• Routing the packet to a different gateway, outgoing interface, VPN tunnel, or trunk.
• Limiting the amount of bandwidth available and setting a priority for traffic.

IPPR follows the existing packet filtering facility of RAS in style and in implementation.

Figure 155 Network > Routing > Policy Route

The following table describes the labels in this screen.

Table 73 Network > Routing > Policy Route

12.2.1 Policy Route Edit Screen

Click Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route.

See NAT Loopback Example on page 297 for an example of NAT loopback.

Figure 156 Network > Routing > Policy Route > Edit

The following table describes the labels in this screen.

Table 74 Network > Routing > Policy Route > Edit

12.3 IP Static Route Screen

Click Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers.

Figure 157 Network > Routing > Static Route

The following table describes the labels in this screen.

Table 75 Network > Routing > Static Route

12.3.1 Static Route Add/Edit Screen

Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route.

Figure 158 Network > Routing > Static Route > Add

The following table describes the labels in this screen.

Table 76 Network > Routing > Static Route > Add

12.4 Policy Routing Technical Reference

Here is more detailed information about some of the features you can configure in policy routing.

NAT and SNAT

NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.

Port Triggering

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding, you set the port(s) and IP address to forward a service (coming in from the remote server) to a client computer. The problem is that port forwarding only forwards a service to a single IP address. In order to use the same service on a different computer, you have to manually replace the client computer's IP address with another client computer's IP address.

Port triggering allows the client computer to take turns using a service dynamically. Whenever a client computer's packets match the routing policy, it can use the pre-defined port triggering setting to connect to the remote server without manually configuring a port forwarding rule for each client computer.

Port triggering is used especially when the remote server responses using a different port from the port the client computer used to request a service. The ZyWALL records the IP address of a client computer that sends traffic to a remote server to request a service (incoming service). When the ZyWALL receives a new connection (trigger service) from the remote server, the ZyWALL forwards the traffic to the IP address of the client computer that sent the request.

In the following example, you configure two services for port triggering:

Incoming service: Game (UDP: 1234)

Trigger service: Game-1 (UDP: 5670-5678)

1 Computer A wants to play a multiplayer online game and tries to connect to game server 1 using port 1234. The ZyWALL records the IP address of computer A when the packets match a policy with SNAT configured.
2 Game server 1 responds using a port number ranging between 5670 - 5678. The ZyWALL allows and forwards the traffic to computer A.
3 Computer A and game server 1 are connected to each other until the connection is closed or times out. Any other computers (such as B or C) cannot connect to remote server 1 using the same port triggering rule as computer A unless they are using a different next hop (gateway, outgoing interface, VPN tunnel or trunk) from computer A or until the connection is closed or times out.

Figure 159 Trigger Port Forwarding Example

graph TD
    A["Client A"] --> R["Router"]
    B["Client B"] --> R
    C["Client C"] --> R
    R --> I["Internet"]
    I --> J["Server 1"]
    style A fill:#f9f,stroke:#333
    style B fill:#f9f,stroke:#333
    style C fill:#f9f,stroke:#333
    style I fill:#ccf,stroke:#333
    style J fill:#ccf,stroke:#333

Maximize Bandwidth Usage

The maximize bandwidth usage option allows the ZyWALL to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth.

When you enable maximize bandwidth usage, the ZyWALL first makes sure that each policy route gets up to its bandwidth allotment. Next, the ZyWALL divides up

an interface's available bandwidth (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their priority levels. When only one policy route requires more bandwidth, the ZyWALL gives the extra bandwidth to that policy route.

When multiple policy routes require more bandwidth, the ZyWALL gives the highest priority policy routes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ZyWALL distributes the available bandwidth equally among policy routes with the same priority level.

Routing Protocols

13.1 Routing Protocols Overview

Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL stores this routing information in the routing table it uses to make routing decisions. In turn, the ZyWALL can also use routing protocols to propagate routing information to other routers. See Section 5.5 on page 115 for related information on the RIP and OSPF screens.

Routing protocols are usually only used in networks using multiple routers like campuses or large enterprises.

13.1.1 What You Can Do in the RIP and OSPF Screens

• Use the RIP screen (see Section 13.2 on page 264) to configure the ZyWALL to use RIP to receive and/or send routing information.
• Use the OSPF screen (see Section 13.3 on page 265) to configure general OSPF settings and manage OSPF areas.
• Use the OSPF Area Add/Edit screen (see Section 13.3.2 on page 271) to create or edit an OSPF area.

13.1.2 What You Need to Know About Routing Protocols

The ZyWALL supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared here and discussed further in the rest of the chapter.

Table 77 RIP vs. OSPF

Finding Out More

See Section 13.4 on page 273 for background information on routing protocols.

13.2 The RIP Screen

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfortunately, it also broadcasts its routes asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers).

• In the ZyWALL, you can configure two sets of RIP settings before you can use it in an interface.
• First, the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent. This is discussed in more detail in Authentication Types on page 273.
• Second, the ZyWALL can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms.
• RIP uses UDP port 520.

Use the RIP screen to specify the authentication method and maintain the policies for redistribution.

To access this screen, login to the web configurator. When the main screen appears, click Network > Routing > RIP to open the following screen.

Figure 160 Network > Routing > RIP

The following table describes the labels in this screen.

Table 78 Network > Routing Protocol > RIP

13.3 The OSPF Screen

OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF offers some advantages over vector-space routing protocols like RIP.

- OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently.

• OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.
• OSPF responds to changes in the network, such as the loss of a router, more quickly.
• OSPF considers several factors, including bandwidth, hop count, throughput, round trip time, and reliability, when it calculates the shortest path.
• OSPF converges more quickly than RIP.

Naturally, OSPF is also more complicated than RIP, so OSPF is usually more suitable for large networks.

OSPF uses IP protocol 89.

OSPF Areas

An OSPF Autonomous System (AS) is divided into one or more areas. Each area represents a group of adjacent networks and is identified by a 32-bit ID. In OSPF, this number may be expressed as an integer or as an IP address.

There are several types of areas.

• The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
• A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS.
• A stub area has routing information about the OSPF AS. It does not have any routing information about any networks outside the OSPF AS, including networks to which it is directly connected. It relies on a default route to send information outside the OSPF AS.
• A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS.

Each type of area is illustrated in the following figure.

Figure 161 OSPF: Types of Areas

graph TD
    A["Router 1"] --> B["Router X"]
    C["Router 2"] --> D["Router 0"]
    E["Router 3"] --> F["Router Y"]

This OSPF AS consists of four areas, areas 0-3. Area 0 is always the backbone. In this example, areas 1, 2, and 3 are all connected to it. Area 1 is a normal area. It has routing information about the OSPF AS and networks X and Y. Area 2 is a stub area. It has routing information about the OSPF AS, but it depends on a default route to send information to networks X and Y. Area 3 is a NSSA. It has routing information about the OSPF AS and network Y but not about network X.

OSPF Routers

Every router in the same area has the same routing information. They do this by exchanging Hello messages to confirm which neighbor (layer-3) devices exist, and then they exchange database descriptions (DDs) to create a synchronized link-state database. The link-state database contains records of router IDs, their associated links and path costs. The link-state database is then constantly updated through Link State Advertisements (LSA). Each router uses the link state database and the Dijkstra algorithm to compute the least cost paths to network destinations.

Like areas, each router has a unique 32-bit ID in the OSPF AS, and there are several types of routers. Each type is really just a different role, and it is possible for one router to play multiple roles at one time.

• An internal router (IR) only exchanges routing information with other routers in the same area.
• An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.

- An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.

Table 79 OSPF: Redistribution from Other Sources to Each Type of Area

- A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR.

Each type of router is illustrated in the following example.

Figure 162 OSPF: Types of Routers

graph TD
    subgraph Terminal 1
        A["IR"] --> B["1"]
        B --> C["ASBR"]
        C --> D["X"]
        E["ABR"] --> F["2"]
        F --> G["IR"]
        H["0"] --> I["ABR"]
        I --> J["BR"]
        K["3"] --> L["ASBR"]
        L --> M["Y"]
    end
    subgraph Terminal 2
        N["IR"] --> O["2"]
        O --> P["ABR"]
        P --> Q["BR"]
        R["0"] --> S["ABR"]
        S --> T["BR"]
        U["3"] --> V["IR"]
        W["ASBR"] --> X["3"]
        Y["ASBR"] --> Z["Y"]

In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR). All of the routers only exchange information with the DR and the BDR, instead of exchanging information with all of the other routers in the group. The DR and BDR are selected by priority; if two routers have the same priority, the highest router ID is used.

The DR and BDR are selected in each group of routers that are directly connected to each other. If a router is directly connected to several groups, it might be a DR in one group, a BDR in another group, and neither in a third group all at the same time.

Virtual Links

In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area

to logically connect the area to the backbone. This is illustrated in the following example.

Figure 163 OSPF: Virtual Link

graph LR
    A["Router"] -->|100| B["Router"]
    B <-->|10| C["Router"]
    C -->|0| D["Router"]
    style A fill:#cce5ff,stroke:#333
    style B fill:#cce5ff,stroke:#333
    style C fill:#cce5ff,stroke:#333
    style D fill:#cce5ff,stroke:#333

In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABR in area 10. The virtual link becomes the connection between area 100 and the backbone.

You cannot create a virtual link to a router in a different area.

OSPF Configuration

Follow these steps when you configure OSPF on the ZyWALL.

1 Enable OSPF.
2 Set up the OSPF areas.
3 Configure the appropriate interfaces. See Section 10.4.1 on page 191.
4 Set up virtual links, as needed.

13.3.1 Configuring the OSPF Screen

Use the first OSPF screen to specify the OSPF router the ZyWALL uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them.

To access this screen, login to the web configurator. When the main screen appears, click once on Network > Routing > OSPF to open the following screen.

Figure 164 Network > Routing > OSPF

The following table describes the labels in this screen. See Section 13.3.2 on page 271 for more information as well.

Table 80 Network > Routing Protocol > OSPF

13.3.2 OSPF Area Add/Edit Screen

The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one. To access this screen, go to the OSPF summary screen (see Section 13.3 on page 265), and click either the Add icon or an Edit icon.

Figure 165 Network > Routing > OSPF > Edit

The following table describes the labels in this screen.

Table 81 Network > Routing > OSPF > Edit

13.4 Routing Protocol Technical Reference

Here is more detailed information about RIP and OSPF.

Authentication Types

Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to encrypt the original message into a smaller message, and the smaller message is transmitted with the original message. The receiving router uses its key to encrypt the received message and then verifies that it matches the smaller message sent with it. If the received message is verified, then the receiving router accepts the updated routing information. The transmitting and receiving routers must have the same key.

The ZyWALL supports three types of authentication for RIP and OSPF routing protocols:

• None - no authentication is used.
• Text – authentication using a plain text password, and the (unencrypted) password is sent over the network. This method is usually used temporarily to prevent network problems.
• MD5 – authentication using an MD5 password and authentication ID.

MD5 is an authentication method that produces a 128-bit checksum, called a message-digest, for each packet. It also includes an authentication ID, which can be set to any value between 1 and 255. The ZyWALL only accepts packets if these conditions are satisfied.

• The packet's authentication ID is the same as the authentication ID of the interface that received it.
• The packet's message-digest is the same as the one the ZyWALL calculates using the MD5 password.

For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces. For OSPF, the ZyWALL supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.

14.1 Zones Overview

Set up zones to configure network security and network policies in the ZyWALL. A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.

Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface, and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

Figure 166 Example: Zones

graph TD
    subgraph LAN1
        A["VLAN 1"] --> B["Router"]
        C["VLAN 2"] --> D["Router"]
        E["Ethernet"] --> F["Router"]
    end

    subgraph LAN2
        G["VLAN 1"] --> H["ZyWALL"]
        I["VLAN 2"] --> H
        J["Ethernet"] --> H
    end

    subgraph DMZ
        K["VLAN 1"] --> L["Router"]
        M["VLAN 2"] --> N["Router"]
        O["VLAN 3"] --> P["Router"]
        Q["VLAN 4"] --> R["Router"]
    end

    subgraph WAN
        S["VAN 1"] --> T["ISP 1"]
        U["VAN 2"] --> V["ISP 2"]
        W["INTERNET"] --> X["Cloud"]
    end

    A --> H
    C --> H
    D --> H
    E --> H
    F --> H
    G --> H
    H --> L
    H --> N
    H --> P
    H --> R

14.1.1 What You Can Do in the Zones Screens

Use the Zone screens (see Section 14.2 on page 277) to view, add, and edit the ZyWALL's zones.

14.1.2 What You Need to Know About Zones

Effects of Zones on Different Types of Traffic

Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic--which are affected differently by zone-based security and policy settings.

Intra-zone Traffic

• Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 166 on page 275, traffic between VLAN 2 and the Ethernet is intra-zone traffic.
• In each zone, you can either allow or prohibit all intra-zone traffic. For example, in Figure 166 on page 275, you might allow intra-zone traffic in the LAN zone but prohibit it in the WAN zone.
• You can also set up firewall rules to control intra-zone traffic (for example, DMZ-to-DMZ), but many other types of zone-based security and policy settings do not affect intra-zone traffic.

Inter-zone Traffic

Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 166 on page 275, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply.

Extra-zone Traffic

• Extra-zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone. For example, in Figure 166 on page 275, traffic to or from computer C is extra-zone traffic.
• Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.

Finding Out More

See Section 5.4.7 on page 108 for related information on these screens.

14.2 The Zone Screen

The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and zones. To access this screen, click Network > Zone.

Figure 167 Network > Zone

The following table describes the labels in this screen.

Table 82 Network > Zone

14.3 Zone Add/Edit

The Zone Add/Edit screen allows you to define a zone or edit an existing one. To access this screen, go to the Zone screen (see Section 14.2 on page 277), and click either the Add icon or an Edit icon.

Figure 168 Network > Zone > Edit

The following table describes the labels in this screen.

Table 83 Network > Zone > Edit

15.1 DDNS Overview

Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.

15.1.1 What You Can Do in the DDNS Screens

• Use the DDNS screen (see Section 15.2 on page 280) to view a list of the configured DDNS domain names and their details.
• Use the DDNS Add/Edit screen (see Section 15.2.1 on page 282) to add a domain name to the ZyWALL or to edit the configuration of an existing domain name.
• Use the DDNS Status screen (see Section 15.2 on page 280) to view the status of the ZyWALL's DDNS domain names.

15.1.2 What You Need to Know About DDNS

DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.

Note: You must have a public WAN IP address to use Dynamic DNS.

You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the ZyWALL. When registration is complete, the DNS service provider gives you a password or key. At the time of

writing, the ZyWALL supports the following DNS service providers. See the listed websites for details about the DNS services offered by each.

Table 84 Network > DDNS

Note: Record your DDNS account's user name, password, and domain name to use to configure the ZyWALL.

After, you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.

Finding Out More

See Section 5.4.9 on page 108 for related information on these screens.

15.2 The DDNS Screen

The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. To access this screen, login to the web configurator. When the main screen appears, click Network > DDNS. The following screen appears, providing a summary of the existing domain names.

Figure 169 Network > DDNS

The following table describes the labels in this screen.

Table 85 Network > DDNS

15.2.1 The Dynamic DNS Add/Edit Screen

The DDNS Add/Edit screen allows you to add a domain name to the ZyWALL or to edit the configuration of an existing domain name. Click Network > DDNS and then an Add or Edit icon to open this screen.

Figure 170 Network > DDNS > Add

The following table describes the labels in this screen.

Table 86 Network > DDNS > Add