ZyXEL Communications USG20W-VPN VPN Firewall User Manual Book

ZyXEL Communications Corporation VPN Firewall Book

UserManual.wiki >

ZyXEL Communications >

USG20W-VPN User Manual >

Users Manual Part 5

USG20(W)-VPN Series User’s Guide537CHAPTER 30System30.1 OverviewUse the system screens to configure general USG settings. 30.1.1 What You Can Do in this Chapter•Use the System > Host Name screen (see Section 30.2 on page 538) to configure a unique name for the USG in your network.•Use the System > USB Storage screen (see Section 30.3 on page 538) to configure the settings for the connected USB devices.•Use the System > Date/Time screen (see Section 30.4 on page 539) to configure the date and time for the USG.•Use the System > Console Speed screen (see Section 30.5 on page 543) to configure the console port speed when you connect to the USG via the console port using a terminal emulation program.•Use the System > DNS screen (see Section 30.6 on page 544) to configure the DNS (Domain Name System) server used for mapping a domain name to its corresponding IP address and vice versa.•Use the System > WWW screens (see Section 30.7 on page 553) to configure settings for HTTP or HTTPS access to the USG and how the login and access user screens look. •Use the System > SSH screen (see Section 30.8 on page 569) to configure SSH (Secure SHell) used to securely access the USG’s command line interface. You can specify which zones allow SSH access and from which IP address the access can come. •Use the System > TELNET screen (see Section 30.9 on page 573) to configure Telnet to access the USG’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come.•Use the System > FTP screen (see Section 30.10 on page 575) to specify from which zones FTP can be used to access the USG. You can also specify from which IP addresses the access can come. You can upload and download the USG’s firmware and configuration files using FTP. .• Your USG can act as an SNMP agent, which allows a manager station to manage and monitor the USG through the network. Use the System > SNMP screen (see Section 30.11 on page 576) to configure SNMP settings, including from which zones SNMP can be used to access the USG. You can also specify from which IP addresses the access can come.•Use the Auth. Server screen (Section 30.12 on page 580) to configure the USG to operate as a RADIUS server.•Use the CloudCNM screen (Section 30.13 on page 582) to enable and configure management of the USG by a Central Network Management system.•Use the System > Language screen (see Section 30.14 on page 585) to set a language for the USG’s Web Configurator screens.•Use the System > IPv6 screen (see Section 30.15 on page 585) to enable or disable IPv6 support on the USG.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide538•Use the System > ZON screen (see Section 30.16 on page 586) to enable or disable the ZyXEL One Network (ZON) utility that uses ZyXEL Discovery Protocol (ZDP) for discovering and configuring ZDP-aware ZyXEL devices in the same network as the computer on which ZON is installed.Note: See each section for related background information and term definitions.30.2 Host NameA host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open the Host Name screen.Figure 367 Configuration > System > Host NameThe following table describes the labels in this screen. 30.3 USB StorageThe USG can use a connected USB device to store the system log and other diagnostic information. Use this screen to turn on this feature and set a disk full warning limit.Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system.Click Configuration > System > USB Storage to open the screen as shown next.Table 229 Configuration > System > Host NameLABEL DESCRIPTIONSystem Name Enter a descriptive name to identify your USG device. This name can be up to 64 alphanumeric characters long. Spaces are not allowed, but dashes (-) underscores (_) and periods (.) are accepted.Domain Name Enter the domain name (if you know it) here. This name is propagated to DHCP clients connected to interfaces with the DHCP server enabled. This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes “-” are accepted.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide539Figure 368 Configuration > System > USB StorageThe following table describes the labels in this screen. 30.4 Date and TimeFor effective scheduling and logging, the USG system time must be accurate. The USG’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.To change your USG’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the USG’s time and date or have the USG get the date and time from a time server.Table 230 Configuration > System > USB StorageLABEL DESCRIPTIONActivate USB storage serviceSelect this if you want to use the connected USB device(s).Disk full warning when remaining space is less thanSet a number and select a unit (MB or %) to have the USG send a warning message when the remaining USB storage space is less than the value you set here. Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide540Figure 369 Configuration > System > Date and TimeThe following table describes the labels in this screen. Table 231 Configuration > System > Date and TimeLABEL DESCRIPTIONCurrent Time and DateCurrent Time This field displays the present time of your USG.Current Date This field displays the present date of your USG. Time and Date SetupManual Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the time zone and daylight saving will affect the new time and date you entered. When you enter the time settings manually, the USG uses the new setting once you click Apply.New Time (hh-mm-ss)This field displays the last updated time from the time server or the last time configured manually.When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply. New Date (yyyy-mm-dd)This field displays the last updated date from the time server or the last date configured manually.When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide541Get from Time ServerSelect this radio button to have the USG get the time and date from the time server you specify below. The USG requests time and date settings from the time server under the following circumstances.• When the USG starts up.• When you click Apply or Synchronize Now in this screen.• 24-hour intervals after starting up.Time Server AddressEnter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.Sync. Now Click this button to have the USG get the time and date from a time server (see the Time Server Address field). This also saves your changes (except the daylight saving settings).Time Zone SetupTime Zone Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Enable Daylight Saving Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.Select this option if you use Daylight Saving Time.Start Date Configure the day and time when Daylight Saving Time starts if you selected EnableDaylight Saving. The at field uses the 24 hour format. Here are a couple of examples:Daylight Saving Time starts in most parts of the United States on the second Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and type 2 in the at field.Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). End Date Configure the day and time when Daylight Saving Time ends if you selected EnableDaylight Saving. The at field uses the 24 hour format. Here are a couple of examples:Daylight Saving Time ends in the United States on the first Sunday of November. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, November and type 2 in the at field.Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the at field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Offset Specify how much the clock changes when daylight saving begins and ends. Enter a number from 1 to 5.5 (by 0.5 increments). For example, if you set this field to 3.5, a log occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 231 Configuration > System > Date and Time (continued)LABEL DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide54230.4.1 Pre-defined NTP Time Servers ListWhen you turn on the USG for the first time, the date and time start at 2003-01-01 00:00:00. The USG then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers.The USG continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified. When the USG uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the USG goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.30.4.2 Time Server SynchronizationClick the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field.When the Please Wait... screen appears, you may have to wait up to one minute.Figure 370 Synchronization in ProcessThe Current Time and Current Date fields will display the appropriate settings if the synchronization is successful.If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring the Date/Time screen.To manually set the USG date and time.1Click System > Date/Time.2Select Manual under Time and Date Setup.3Enter the USG’s time in the New Time field.4Enter the USG’s date in the New Date field.5Under Time Zone Setup, select your Time Zone from the list.6As an option you can select the Enable Daylight Saving check box to adjust the USG clock for daylight savings.Table 232 Default Time Servers0.pool.ntp.org1.pool.ntp.org2.pool.ntp.org

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide5437Click Apply.To get the USG date and time from a time server1Click System > Date/Time.2Select Get from Time Server under Time and Date Setup.3Under Time Zone Setup, select your Time Zone from the list.4As an option you can select the Enable Daylight Saving check box to adjust the USG clock for daylight savings.5Under Time and Date Setup, enter a Time Server Address (Table 232 on page 542).6Click Apply.30.5 Console Port SpeedThis section shows you how to set the console port speed when you connect to the USG via the console port using a terminal emulation program.Click Configuration > System > Console Speed to open the Console Speed screen.Figure 371 Configuration > System > Console SpeedThe following table describes the labels in this screen. Table 233 Configuration > System > Console SpeedLABEL DESCRIPTIONConsole Port Speed Use the drop-down list box to change the speed of the console port. Your USG supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port.The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the USG Web Configurator Status screen. Apply Click Apply to save your changes back to the USG. Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide545Figure 372 Configuration > System > DNSThe following table describes the labels in this screen. Table 234 Configuration > System > DNSLABEL DESCRIPTIONAddress/PTR RecordThis record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.Add Click this to create a new entry.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.#This is the index number of the address/PTR record.FQDN This is a host’s fully qualified domain name.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide546IP Address This is the IP address of a host.CNAME Record This record specifies an alias for a FQDN. Use this record to bind all subdomains with the same IP address as the FQDN without having to update each one individually, which increases chance for errors. See CNAME Record (Section 30.6.6 on page 548) for more details.Add Click this to create a new entry.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.#This is the index number of the domain zone forwarder record. The ordering of your rules is important as rules are applied in sequence. A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The USG uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.Alias Name Enter an Alias name. Use “*.” as prefix for a wildcard domain name. For example, *.example.com.FQDN Enter the Fully Qualified Domain Name (FQDN).Domain Zone ForwarderThis specifies a DNS server’s IP address. The USG can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server.When the USG needs to resolve a domain zone, it checks it against the domain zone forwarder entries in the order that they appear in this list. Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.#This is the index number of the domain zone forwarder record. The ordering of your rules is important as rules are applied in sequence. A hyphen (-) displays for the default domain zone forwarder record. The default record is not configurable. The USG uses this default record if the domain zone that needs to be resolved does not match any of the other domain zone forwarder records.Domain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.A “*” means all domain zones. Type This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined).DNS Server This is the IP address of a DNS server. This field displays N/A if you have the USG get a DNS server IP address from the ISP dynamically but the specified interface is not active.Query Via This is the interface through which the USG sends DNS queries to the entry’s DNS server. If the USG connects through a VPN tunnel, tunnel displays.MX Record (for My FQDN)A MX (Mail eXchange) record identifies a mail server that handles the mail for a particular domain.Add Click this to create a new entry.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Table 234 Configuration > System > DNS (continued)LABEL DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide54730.6.3 Address Record An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top level domain. mail.myZyXEL.com.tw is also a FQDN, where “mail” is the host, “myZyXEL” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.#This is the index number of the MX record.Domain Name This is the domain name where the mail is destined for.IP/FQDN This is the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.Security Option ControlClick Show Advanced Settings to display this part of the screen. There are two control policies: Default and Customize.Edit Click either control policy and then click this button to change allow or deny actions for Query Recursion and Additional Info from Cache.Priority The Customize control policy is checked first and if an address object match is not found, the Default control policy is checked.Name You may change the name of the Customize control policy.Address These are the object addresses used in the control policy. RFC1918 refers to private IP address ranges. It can be modified in Object > Address.Additional Info from Cache This displays if the USG is allowed or denied to cache Resource Records (RR) obtained from previous DNS queries. Query Recursion This displays if the USG is allowed or denied to forward DNS client requests to DNS servers for resolution.Service Control This specifies from which computers and zones you can send DNS queries to the USG.Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.#This the index number of the service control rule. The ordering of your rules is important as rules are applied in sequence.The entry with a hyphen (-) instead of a number is the USG’s (non-configurable) default policy. The USG applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the USG will not have to use the default policy.Zone This is the zone on the USG the user is allowed or denied to access.Address This is the object name of the IP address(es) with which the computer is allowed or denied to send DNS queries.Action This displays whether the USG accepts DNS queries from the computer with the IP address specified above through the specified zone (Accept) or discards them (Deny).Table 234 Configuration > System > DNS (continued)LABEL DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide548The USG allows you to configure address records about the USG itself or another device. This way you can keep a record of DNS names and addresses that people on your network may use frequently. If the USG receives a DNS query for an FQDN for which the USG has an address record, the USG can send the IP address in a DNS response without having to query a DNS name server.30.6.4 PTR RecordA PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name.30.6.5 Adding an Address/PTR Record Click the Add icon in the Address/PTR Record table to add an address/PTR record.Figure 373 Configuration > System > DNS > Address/PTR Record EditThe following table describes the labels in this screen. 30.6.6 CNAME RecordA Canonical Name Record or CNAME record is a type of resource record in the Domain Name System (DNS) that specifies that the domain name is an alias of another, canonical domain name. This allows users to set up a record for a domain name which translates to an IP address, in other words, the domain name is an alias of another. This record also binds all the subdomains to the same IP address without having to create a record for each, so when the IP address is changed, all subdomain’s IP address is updated as well, with one edit to the record. Table 235 Configuration > System > DNS > Address/PTR Record EditLABEL DESCRIPTIONFQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Underscores are not allowed.Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).IP Address Enter the IP address of the host in dotted decimal notation.OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide549For example, the domain name zyxel.com is hooked up to a record named A which translates it to 11.22.33.44. You also have several subdomains, like mail.zyxel.com, ftp.zyxel.com and you want this subdomain to point to your main domain zyxel.com. Edit the IP Address in record A and all subdomains will follow automatically. This eliminates chances for errors and increases efficiency in DNS management.30.6.7 Adding a CNAME RecordClick the Add icon in the CNAME Record table to add a record. Use “*.” as a prefix for a wildcard domain name. For example *.zyxel.com.Figure 374 Configuration > System > DNS > CNAME Record > AddThe following table describes the labels in this screen.30.6.8 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address. The USG can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. 30.6.9 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record.Table 236 Configuration > System > DNS > CNAME Record > AddLABEL DESCRIPTIONAlias name Enter an Alias Name. Use "*." as a prefix in the Alias name for a wildcard domain name (for example, *.example.com).FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host name and continues all the way up to the top-level domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Underscores are not allowed.Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide550Figure 375 Configuration > System > DNS > Domain Zone Forwarder AddThe following table describes the labels in this screen. 30.6.10 MX Record A MX (Mail eXchange) record indicates which host is responsible for the mail for a particular domain, that is, controls where mail is sent for that domain. If you do not configure proper MX records for your domain or other domain, external e-mail from other mail servers will not be able to be delivered to your mail server and vice versa. Each host or domain can have only one MX record, that is, one domain is mapping to one host.Table 237 Configuration > System > DNS > Domain Zone Forwarder AddLABEL DESCRIPTIONDomain Zone A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the USG receives needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.Enter * if all domain zones are served by the specified DNS server(s). DNS Server Select DNS Server(s) from ISP if your ISP dynamically assigns DNS server information. You also need to select an interface through which the ISP provides the DNS server IP address(es). The interface should be activated and set to be a DHCP client. The fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/Adisplays for any DNS server IP address fields for which the ISP does not assign an IP address.Select Public DNS Server if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. The USG must be able to connect to the DNS server without using a VPN tunnel. The DNS server could be on the Internet or one of the USG’s local networks. You cannot use 0.0.0.0. Use the Query via field to select the interface through which the USG sends DNS queries to a DNS server. Select Private DNS Server if you have the IP address of a DNS server to which the USG connects through a VPN tunnel. Enter the DNS server's IP address in the field to the right. You cannot use 0.0.0.0.OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide55130.6.11 Adding a MX Record Click the Add icon in the MX Record table to add a MX record.Figure 376 Configuration > System > DNS > MX Record AddThe following table describes the labels in this screen. 30.6.12 Security Option ControlConfigure the Security Option Control section in the Configuration > System > DNS screen (click Show Advanced Settings to display it) if you suspect the USG is being used by hackers in a DNS amplification attack.One possible strategy would be to deny Query Recursion and Additional Info from Cache in the default policy and allow Query Recursion and Additional Info from Cache only from trusted DNS servers identified by address objects and added as members in the customized policy.30.6.13 Editing a Security Option ControlClick a control policy and then click Edit to change allow or deny actions for Query Recursion and Additional Info from Cache.Table 238 Configuration > System > DNS > MX Record AddLABEL DESCRIPTIONDomain Name Enter the domain name where the mail is destined for.IP Address/FQDN Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that handles the mail for the domain specified in the field above.OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide552Figure 377 Configuration > System > DNS > Security Option Control Edit (Customize) The following table describes the labels in this screen. 30.6.14 Adding a DNS Service Control RuleClick the Add icon in the Service Control table to add a service control rule. Table 239 Configuration > System > DNS > Security Option Control Edit (Customize) LABEL DESCRIPTIONName You may change the name for the customized security option control policy. The customized security option control policy is checked first and if an address object match is not found, the Default control policy is checkedQuery Recursion Choose if the USG is allowed or denied to forward DNS client requests to DNS servers for resolution. This can apply to specific open DNS servers using the address objects in a customized rule.Additional Info from CacheChoose if the USG is allowed or denied to cache Resource Records (RR) obtained from previous DNS queries.Address List Specifiying address objects is not available in the default policy as all addresses are included.Available This box displays address objects created in Object > Address. Select one (or more), and click the > arrow to have it (them) join the Member list of address objects that will apply to this rule. For example, you could specifiy an open DNS server suspect of sending compromised resource records by adding an address object for that server to the member list.Member This box displays address objects that will apply to this rule.OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide553Figure 378 Configuration > System > DNS > Service Control Rule AddThe following table describes the labels in this screen. 30.7 WWW OverviewThe following figure shows secure and insecure management of the USG coming in from the WAN. HTTPS and SSH access are secure. HTTP and Telnet access are not secure. Note: To allow the USG to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-USG security policy rule to block that traffic. To stop a service from accessing the USG, clear Enable in the corresponding service screen. 30.7.1 Service Access LimitationsA service cannot be used to access the USG when:1You have disabled that service in the corresponding screen.2The allowed IP address (address object) in the Service Control table does not match the client IP address (the USG disallows the session).Table 240 Configuration > System > DNS > Service Control Rule AddLABEL DESCRIPTIONCreate new ObjectUse this to configure any new settings objects that you need to use in this screen.Address Object Select ALL to allow or deny any computer to send DNS queries to the USG.Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the USG.Zone Select ALL to allow or prevent DNS queries through any zones.Select a predefined zone on which a DNS query to the USG is allowed or denied.Action Select Accept to have the USG allow the DNS queries from the specified computer.Select Deny to have the USG reject the DNS queries from the specified computer.OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide5543The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. 4There is a security policy rule that blocks it.30.7.2 System TimeoutThere is a lease timeout for administrators. The USG automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. Each user is also forced to log in the USG for authentication again when the reauthentication time expires. You can change the timeout settings in the User/Group screens.30.7.3 HTTPSYou can set the USG to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come.HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party) and data integrity (you know if data has been changed). It relies upon certificates, public keys, and private keys.HTTPS on the USG is used so that you can securely access the USG using the Web Configurator. The SSL protocol specifies that the HTTPS server (the USG) must always authenticate itself to the HTTPS client (the computer which requests the HTTPS connection with the USG), whereas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so (selectAuthenticate Client Certificates in the WWW screen). Authenticate Client Certificates is optional and if selected means the HTTPS client must send the USG a certificate. You must apply for a certificate for the browser from a CA that is a trusted CA on the USG.Please refer to the following figure.1HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the USG’s web server.2HTTP connection requests from a web browser go to port 80 (by default) on the USG’s web server.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide555Figure 379 HTTP/HTTPS ImplementationNote: If you disable HTTP in the WWW screen, then the USG blocks all HTTP connection attempts.30.7.4 Configuring WWW Service ControlClick Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the USG using HTTP or HTTPS. You can also specify which IP addresses the access can come from.Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the USG (logging into SSL VPN for example).

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide556Figure 380 Configuration > System > WWW > Service ControlThe following table describes the labels in this screen. Table 241 Configuration > System > WWW > Service ControlLABEL DESCRIPTIONHTTPSEnable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the USG Web Configurator using secure HTTPs connections.Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port to a different number on the USG, for example 8443, then you must notify people who need to access the USG Web Configurator to use “https://USG IP Address:8443” as the URL.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide557Authenticate Client CertificatesSelect Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the USG by sending the USG a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the USG (see Section 30.7.7.5 on page 564 on importing certificates for details).Server Certificate Select a certificate the HTTPS server (the USG) uses to authenticate itself to the HTTPS client. You must have certificates already configured in the My Certificates screen.Redirect HTTP to HTTPS To allow only secure Web Configurator access, select this to redirect all HTTP connection requests to the HTTPS server.Admin/User Service ControlAdmin Service Control specifies from which zones an administrator can use HTTPS to manage the USG (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the USG. User Service Control specifies from which zones a user can use HTTPS to log into the USG (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the USG. Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.#This is the index number of the service control rule.The entry with a hyphen (-) instead of a number is the USG’s (non-configurable) default policy. The USG applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the USG will not have to use the default policy.Zone This is the zone on the USG the user is allowed or denied to access.Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.Action This displays whether the computer with the IP address specified above can access the USG zone(s) configured in the Zone field (Accept) or not (Deny).HTTPEnable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the USG Web Configurator using HTTP connections.Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the USG.Admin/User Service ControlAdmin Service Control specifies from which zones an administrator can use HTTP to manage the USG (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the USG. User Service Control specifies from which zones a user can use HTTP to log into the USG (to log into SSL VPN for example). You can also specify the IP addresses from which the users can access the USG. Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.Table 241 Configuration > System > WWW > Service Control (continued)LABEL DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide55830.7.5 Service Control RulesClick Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 381 Configuration > System > Service Control Rule > Edit The following table describes the labels in this screen. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.#This is the index number of the service control rule.The entry with a hyphen (-) instead of a number is the USG’s (non-configurable) default policy. The USG applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the USG will not have to use the default policy.Zone This is the zone on the USG the user is allowed or denied to access.Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.Action This displays whether the computer with the IP address specified above can access the USG zone(s) configured in the Zone field (Accept) or not (Deny).AuthenticationClient Authentication MethodSelect a method the HTTPS or HTTP server uses to authenticate a client.You must have configured the authentication methods in the Auth. method screen.Apply Click Apply to save your changes back to the USG. Reset Click Reset to return the screen to its last-saved settings. Table 241 Configuration > System > WWW > Service Control (continued)LABEL DESCRIPTIONTable 242 Configuration > System > Service Control Rule > EditLABEL DESCRIPTIONCreate new ObjectUse this to configure any new settings objects that you need to use in this screen.Address Object Select ALL to allow or deny any computer to communicate with the USG using this service.Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the USG using this service.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide55930.7.6 Customizing the WWW Login PageClick Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet.Figure 382 Configuration > System > WWW > Login PageZone Select ALL to allow or prevent any USG zones from being accessed using this service.Select a predefined USG zone on which a incoming service is allowed or denied.Action Select Accept to allow the user to access the USG from the specified computers.Select Deny to block the user’s access to the USG from the specified computers.OK Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without savingTable 242 Configuration > System > Service Control Rule > EditLABEL DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide563Figure 386 Security Certificate 1 (Firefox)Figure 387 Security Certificate 2 (Firefox)30.7.7.3 Avoiding Browser Warning MessagesHere are the main reasons your browser displays warnings about the USG’s HTTPS server certificate and what you can do to avoid seeing the warnings:• The issuing certificate authority of the USG’s HTTPS server certificate is not one of the browser’s trusted certificate authorities. The issuing certificate authority of the USG's factory default certificate is the USG itself since the certificate is a self-signed certificate.• For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate.• To have the browser trust the certificates issued by a certificate authority, import the certificate authority’s certificate into your operating system as a trusted certificate.30.7.7.4 Login ScreenAfter you accept the certificate, the USG login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide564Figure 388 Login Screen (Internet Explorer)30.7.7.5 Enrolling and Importing SSL Client CertificatesThe SSL client needs a certificate if Authenticate Client Certificates is selected on the USG.You must have imported at least one trusted CA to the USG in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details). Apply for a certificate from a Certification Authority (CA) that is trusted by the USG (see the USG’s Trusted CA Web Configurator screen).Figure 389 USG Trusted CA ScreenThe CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).30.7.7.5.1 Installing the CA’s Certificate1Double click the CA’s trusted certificate to produce a screen similar to the one shown next.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide565Figure 390 CA Certificate Example2Click Install Certificate and follow the wizard as shown earlier in this appendix.30.7.7.5.2 Installing Your Personal Certificate(s)You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next1Click Next to begin the wizard.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide566Figure 391 Personal Certificate Import Wizard 12The file name and path of the certificate you double-clicked should automatically appear in the Filename text box. Click Browse if you wish to import a different certificate.Figure 392 Personal Certificate Import Wizard 23Enter the password given to you by the CA.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide567Figure 393 Personal Certificate Import Wizard 34Have the wizard determine where the certificate should be saved on your computer or select Placeall certificates in the following store and choose a different location.Figure 394 Personal Certificate Import Wizard 45Click Finish to complete the wizard and begin the import process.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide568Figure 395 Personal Certificate Import Wizard 56You should see the following screen when the certificate is correctly installed on your computer. Figure 396 Personal Certificate Import Wizard 630.7.7.6 Using a Certificate When Accessing the USG ExampleUse the following procedure to access the USG via HTTPS. 1Enter ‘https://USG IP Address/ in your browser’s web address field.Figure 397 Access the USG Via HTTPS2When Authenticate Client Certificates is selected on the USG, the following screen asks you to select a personal certificate to send to the USG. This screen displays even if you only have a single certificate as in the example.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide569Figure 398 SSL Client Authentication3You next see the Web Configurator login screen.Figure 399 Secure Web Configurator Login Screen30.8 SSHYou can use SSH (Secure SHell) to securely access the USG’s command line interface. Specify which zones allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the USG for a management session.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide570Figure 400 SSH Communication Over the WAN Example30.8.1 How SSH WorksThe following figure is an example of how a secure connection is established between two remote hosts using SSH v1.Figure 401 How SSH v1 Works Example1Host IdentificationThe SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server.The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.2Encryption MethodOnce the identification is verified, both the client and server must agree on the type of encryption method to use.3Authentication and Data TransmissionAfter the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide57130.8.2 SSH Implementation on the USGYour USG supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Archfour, and Blowfish). The SSH server is implemented on the USG for management using port 22 (by default). 30.8.3 Requirements for Using SSHYou must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the USG over SSH.30.8.4 Configuring SSHClick Configuration > System > SSH to change your USG’s Secure Shell settings. Use this screen to specify from which zones SSH can be used to manage the USG. You can also specify from which IP addresses the access can come.Figure 402 Configuration > System > SSHThe following table describes the labels in this screen. Table 244 Configuration > System > SSHLABEL DESCRIPTIONEnable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the USG CLI using this service.Version 1 Select the check box to have the USG use both SSH version 1 and version 2 protocols. If you clear the check box, the USG uses only SSH version 2 protocol.Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server CertificateSelect the certificate whose corresponding private key is to be used to identify the USG for SSH connections. You must have certificates already configured in the My Certificates screen.Service Control This specifies from which computers you can access which USG zones.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide57230.8.5 Secure Telnet Using SSH ExamplesThis section shows two examples using a command interface and a graphical interface SSH client program to remotely access the USG. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide.30.8.5.1 Example 1: Microsoft Windows This section describes how to access the USG using the Secure Shell Client program.1Launch the SSH client and specify the connection information (IP address, port number) for the USG. 2Configure the SSH client to accept connection using SSH version 1. 3A window displays prompting you to store the host key in you computer. Click Yes to continue. Figure 403 SSH Example 1: Store Host KeyEnter the password to log in to the USG. The CLI screen displays next. Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 242 on page 558 for details on the screen that opens.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.#This the index number of the service control rule.Zone This is the zone on the USG the user is allowed or denied to access.Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.Action This displays whether the computer with the IP address specified above can access the USG zone(s) configured in the Zone field (Accept) or not (Deny).Apply Click Apply to save your changes back to the USG. Reset Click Reset to return the screen to its last-saved settings. Table 244 Configuration > System > SSH (continued)LABEL DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide57330.8.5.2 Example 2: LinuxThis section describes how to access the USG using the OpenSSH client program that comes with most Linux distributions. 1Test whether the SSH service is available on the USG. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the USG (using the default IP address of 192.168.1.1). A message displays indicating the SSH protocol version supported by the USG. Figure 404 SSH Example 2: Test 2Enter “ssh –1 192.168.1.1”. This command forces your computer to connect to the USG using SSH version 1. If this is the first time you are connecting to the USG using SSH, a message displays prompting you to save the host information of the USG. Type “yes” and press [ENTER]. Then enter the password to log in to the USG. Figure 405 SSH Example 2: Log in3The CLI screen displays next. 30.9 Telnet You can use Telnet to access the USG’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come.30.9.1 Configuring TelnetClick Configuration > System > TELNET to configure your USG for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the USG. You can also specify from which IP addresses the access can come.$ telnet 192.168.1.1 22Trying 192.168.1.1...Connected to 192.168.1.1.Escape character is '^]'.SSH-1.5-1.0.0$ ssh –1 192.168.1.1The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.Administrator@192.168.1.1's password:

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide574Figure 406 Configuration > System > TELNETThe following table describes the labels in this screen. Table 245 Configuration > System > TELNETLABEL DESCRIPTIONEnable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the USG CLI using this service.Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Service Control This specifies from which computers you can access which USG zones.Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 242 on page 558 for details on the screen that opens. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.Move To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.#This the index number of the service control rule.The entry with a hyphen (-) instead of a number is the USG’s (non-configurable) default policy. The USG applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the USG will not have to use the default policy.Zone This is the zone on the USG the user is allowed or denied to access.Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.Action This displays whether the computer with the IP address specified above can access the USG zone(s) configured in the Zone field (Accept) or not (Deny).Apply Click Apply to save your changes back to the USG. Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide57530.10 FTP You can upload and download the USG’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.30.10.1 Configuring FTPTo change your USG’s FTP settings, click Configuration > System > FTP tab. The screen appears as shown. Use this screen to specify from which zones FTP can be used to access the USG. You can also specify from which IP addresses the access can come.Figure 407 Configuration > System > FTPThe following table describes the labels in this screen. Table 246 Configuration > System > FTPLABEL DESCRIPTIONEnable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the USG using this service.TLS required Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication.This implements TLS as a security mechanism to secure FTP clients and/or servers.Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.Server CertificateSelect the certificate whose corresponding private key is to be used to identify the USG for FTP connections. You must have certificates already configured in the My Certificates screen.Service Control This specifies from which computers you can access which USG zones.Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 242 on page 558 for details on the screen that opens.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide57630.11 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your USG supports SNMP agent functionality, which allows a manager station to manage and monitor the USG through the network. The USG supports SNMP version one (SNMPv1), version two (SNMPv2c) and version 3 (SNMPv3). The next figure illustrates an SNMP management operation. Figure 408 SNMP Management ModelMove To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.#This the index number of the service control rule.The entry with a hyphen (-) instead of a number is the USG’s (non-configurable) default policy. The USG applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the USG will not have to use the default policy.Zone This is the zone on the USG the user is allowed or denied to access.Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.Action This displays whether the computer with the IP address specified above can access the USG zone(s) configured in the Zone field (Accept) or not (Deny).Apply Click Apply to save your changes back to the USG. Reset Click Reset to return the screen to its last-saved settings. Table 246 Configuration > System > FTP (continued)LABEL DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide577An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the USG). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices. The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include such as number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:• Get - Allows the manager to retrieve an object variable from the agent. • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations. • Set - Allows the manager to set values for object variables within an agent. • Trap - Used by the agent to inform the manager of some events.30.11.1 SNMPv3 and SecuritySNMPv3 enhances security for SNMP management using authentication and encryption. SNMP managers can be required to authenticate with agents before conducting SNMP management sessions.Security can be further enhanced by encrypting the SNMP messages sent from the managers. Encryption protects the contents of the SNMP messages. When the contents of the SNMP messages are encrypted, only the intended recipients can read them. 30.11.2 Supported MIBsThe USG supports MIB II that is defined in RFC-1213 and RFC-1215. The USG also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the USG’s MIBs from www.zyxel.com.30.11.3 SNMP TrapsThe USG will send traps to the SNMP manager when any one of the following events occurs.Table 247 SNMP TrapsOBJECT LABEL OBJECT ID DESCRIPTIONCold Start 1.3.6.1.6.3.1.1.5.1 This trap is sent when the USG is turned on or an agent restarts.linkDown 1.3.6.1.6.3.1.1.5.3 This trap is sent when the Ethernet link is down.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide57830.11.4 Configuring SNMP To change your USG’s SNMP settings, click Configuration > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the USG. You can also specify from which IP addresses the access can come.Figure 409 Configuration > System > SNMPlinkUp 1.3.6.1.6.3.1.1.5.4 This trap is sent when the Ethernet link is up.authenticationFailure 1.3.6.1.6.3.1.1.5.5 This trap is sent when an SNMP request comes from non-authenticated hosts.vpnTunnelDisconnected 1.3.6.1.4.1.890.1.6.22.2.3 This trap is sent when an IPSec VPN tunnel is disconnected.vpnTunnelName 1.3.6.1.4.1.890.1.6.22.2.2.1.1 This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the disconnected tunnel’s IPSec SA name.vpnIKEName 1.3.6.1.4.1.890.1.6.22.2.2.1.2 This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the disconnected tunnel’s IKE SA name.vpnTunnelSPI 1.3.6.1.4.1.890.1.6.22.2.2.1.3 This trap is sent along with the vpnTunnelDisconnected trap. This trap carries the security parameter index (SPI) of the disconnected VPN tunnel.Table 247 SNMP Traps (continued)OBJECT LABEL OBJECT ID DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide579The following table describes the labels in this screen. Table 248 Configuration > System > SNMPLABEL DESCRIPTIONEnable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the USG using this service.Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.TrapCommunity Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.Destination Type the IP address of the station to send your SNMP traps to.SNMPv2c Select the SNMP version for the USG. The SNMP version on the USG must match the version on the SNMP manager. Get Community Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.Set Community Enter the Set community, which is the password for incoming Set requests from the management station. The default is private and allows all requests.SNMPv3 Select the SNMP version for the USG. The SNMP version on the USG must match the version on the SNMP manager. SNMPv3 (RFCs 3413 to 3415) provides secure access by authenticating and encrypting data packets over the network. The USG uses your login password as the SNMPv3 authentication and encryption passphrase. Note: Your login password must consist of at least 8 printable characters for SNMPv3. An error message will display if your login password has fewer characters.Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entryEdit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.#This is the index number of the entry.User This displays the name of the user object to be sent to the SNMP manager along with the SNMP v3 trap.Authentication This displays the authentication algorithm used for this entry. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate SNMP data. SHA authentication is generally considered stronger than MD5, but is slower. Privacy This displays the encryption method for SNMP communication from this user. Methods available are:•DES - Data Encryption Standard is a widely used (but breakable) method of data encryption. It applies a 56-bit key to each 64-bit block of data.•AES - Advanced Encryption Standard is another method for data encryption that also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data.Privlege This displays the access rights to MIBs. •Read-Write - The associated user can create and edit the MIBs on the USG, except the user account.•Read-Only - The associated user can only collect information from the USG MIBs.Service Control This specifies from which computers you can access which USG zones.Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. Refer to Table 242 on page 558 for details on the screen that opens.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide58030.12 Authentication ServerYou can set the USG to work as a RADIUS server to exchange messages with a RADIUS client, such as an AP for user authentication and authorization. Click Configuration > System > Auth. Server tab. The screen appears as shown. Use this screen to enable the authentication server feature of the USG and specify the RADIUS client’s IP address.Figure 410 Configuration > System > Auth. ServerMove To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.#This the index number of the service control rule.The entry with a hyphen (-) instead of a number is the USG’s (non-configurable) default policy. The USG applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the USG will not have to use the default policy.Zone This is the zone on the USG the user is allowed or denied to access.Address This is the object name of the IP address(es) with which the computer is allowed or denied to access.Action This displays whether the computer with the IP address specified above can access the USG zone(s) configured in the Zone field (Accept) or not (Deny).Apply Click Apply to save your changes back to the USG. Reset Click Reset to return the screen to its last-saved settings. Table 248 Configuration > System > SNMP (continued)LABEL DESCRIPTION

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide583Figure 412 CloudCNM Example Network Topology CloudCNM features include:• Batch import of managed devices at one time using one CSV file• See an overview of all managed devices and system information in one place• Monitor and manage devices• Install firmware to multiple devices of the same model at one time• Backup and restore device configuration• View the location of managed devices on a map• Receive notification for events and alarms, such as when a device goes down• Graphically monitor individual devices and see related statistics• Directly access a device for remote configuration• Create four types of administrators with different privileges• Perform Site-to-Site, Hub & Spoke, Fully-meshed and Remote Access VPN provisioning.To allow CloudCNM management of your USG:• You must have a CloudCNM license with CNM ID number or a CloudCNM URL identifying the server.• The USG must be able to communicate with the CloudCNM server.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide584You must configure Configuration > System > CloudCNM to allow the USG to find the CloudCNM server.Figure 413 Configuration > System > CloudCNMThe following table describes the labels in this screen. Note: See the CloudCNM User Guide for more information on CloudCNM.Table 251 Configuration > System > CloudCNM LABEL DESCRIPTIONShow Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Enable Select this to allow management of the USG by CloudCNM.Auto Select this if your CloudCNM server can access MyZyXEL.com and you have a CNM ID from the CloudCNM license. CNM ID Enter the CNM ID exactly as on the CloudCNM license.CNM URL MyZyXEL.com associates the CNM ID with the CNM URL which identifies the server on which CloudCNM is installed. Therefore you don’t need to enter the CNM URL when you select Auto.Custom Select this if your CloudCNM server cannot access MyZyXEL.com.CNM URL If your USG server cannot access MyZyXEL.com, then select Custom and enter the IPv4 IP address of the CloudCNM server followed by the port number (default 7547 for HTTPS or 7549 for HTPP) in CNM URL. For example, if you installed CloudCNM on a server with IP address 1.1.1.1, then enter 1.1.1.1:7547 or 1.1.1.1:7549 as the CNM URL.Transfer Protocol Choose the CNM URL protocol: HTTP or HTTPS. If you enter 1.1.1.1:7547 as the CNM URL, you must choose HTTPS as the Transfer Protocol, and then the whole CNM URL is https://1.1.1.1:7547. If you enter 1.1.1.1:7549 as the CNM URL, you must choose HTTP as the Transfer Protocol, and then the whole CNM URL is http://1.1.1.1:7549.Periodic Inform Enable this to have the USG inform the CloudCNM server of its presence at regular intervals.Interval Type how often the USG should inform CloudCNM server of its presence.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide58530.14 Language ScreenClick Configuration > System > Language to open the following screen. Use this screen to select a display language for the USG’s Web Configurator screens.Figure 414 Configuration > System > LanguageThe following table describes the labels in this screen. 30.15 IPv6 ScreenClick Configuration > System > IPv6 to open the following screen. Use this screen to enable IPv6 support for the USG’s Web Configurator screens.Figure 415 Configuration > System > IPv6The following table describes the labels in this screen. Table 252 Configuration > System > LanguageLABEL DESCRIPTIONLanguage Setting Select a display language for the USG’s Web Configurator screens. You also need to open a new browser session to display the screens in the new language.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 253 Configuration > System > IPv6LABEL DESCRIPTIONEnable IPv6 Select this to have the USG support IPv6 and make IPv6 settings be available on the screens that the functions support, such as the Configuration > Network > Interface > Ethernet, VLAN, and Bridge screens. The USG discards all IPv6 packets if you clear this check box.Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide58630.16 ZyXEL One Network (ZON) Utility The ZyXEL One Network (ZON) utility uses the ZyXEL Discovery Protocol (ZDP) for discovering and configuring ZDP-aware ZyXEL devices in the same broadcast domain as the computer on which ZON is installed.The ZON Utility issues requests via ZDP and in response to the query, the ZyXEL device responds with basic information including IP address, firmware version, location, system and model name. The information is then displayed in the ZON Utility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it. You can download the ZON Utility at www.zyxel.com and install it on a computer.The following figure shows the ZON Utility screen.Figure 416 ZON Utility ScreenIn the ZON Utility, select a device and then use the icons to perform actions. The following table describes the icons numbered from left to right in the ZON Utility screen.Table 254 ZON Utility IconsICON DESCRIPTION1 IP configuration Change the selected device’s IP address. This is not supported by the USG at the time of writing.2 Renew IP Update a DHCP-assigned dynamic IP address. This is not supported by the USG at the time of writing.3 Reboot Device Use this icon to restart the selected device(s). This may be useful when troubleshooting or upgrading new firmware.4 Flash Locator LED Use this icon to locate the selected device by causing its Locator LED to blink. This is not available on the USG at the time of writing.5 Web GUI Use this to access the selected device web configurator from your browser. You will need a username and password to log in.6 Firmware Upgrade Use this icon to upgrade new firmware to selected device(s) of the same model. Make sure you have downloaded the firmware from the ZyXEL website to your computer and unzipped it in advance.7 Change Admin PasswordUse this icon to change the admin password of the selected device. You must know the current admin password before changing to a new one.8 ZAC Use this icon to run the ZyXEL AP Configurator of the selected AP. This is not supported by the USG at the time of writing.9 Discovery You should use this icon first to display all connected devices in the same network as your computer.10 Save Configuration Use this icon to save configuration changes to permanent memory on a selected device. This is not needed by the USG at the time of writing.11 Settings Use this icon to select a network adaptor for the computer on which the ZON utility is installed, and the utility language.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide587The following table describes the fields in the ZON Utility main screen.30.16.1 ZyXEL One Network (ZON) System ScreenEnable ZDP (ZON) and Smart Connect (Ethernet Neighbor) in the System > ZON screen.See Monitor > System Status > Ethernet Neighbor for information on using Smart Connect (Link Layer Discovery Protocol (LLDP)) for discovering and configuring LLDP-aware devices in the same broadcast domain as the USG that you’re logged into using the web configurator. The following figure shows the System > ZON screen.Figure 417 Configuration > System > ZONThe following table describes the labels in this screen. Table 255 ZON Utility FieldsLABEL DESCRIPTIONType This field displays an icon of the kind of device discovered. Model This field displays the model name of the discovered device.Firmware Version This field displays the firmware version of the discovered device.MAC Address This field displays the MAC address of the discovered device.IP Address This field displays the IP address of an internal interface on the discovered device that first received an ZDP discovery request from the ZON utility.System Name This field displays the system name of the discovered device.Location This field displays where the discovered device is.Status This field displays whether changes to the discovered device have been done successfully. As the USG does not support IP Configuration, Renew IP address and Flash Locator LED, this field displays “Update failed”, “Not support Renew IP address” and “Not support Flash Locator LED” respectively.Table 256 Configuration > System > ZONLABEL DESCRIPTIONZDP ZyXEL Discovery Protocol (ZDP) is the protocol that the ZyXEL One Network (ZON) utility uses for discovering and configuring ZDP-aware ZyXEL devices in the same broadcast domain as the computer on which ZON is installed.Enable Select to activate ZDP discovery on the USG.Smart Connect Smart Connect uses Link Layer Discovery Protocol (LLDP) for discovering and configuring LLDP-aware devices in the same broadcast domain as the USG that you’re logged into using the web configurator. Enable Select to activate LLDP discovery on the USG. See also Monitor > System Status > Ethernet Discovery.

Chapter 30 SystemUSG20(W)-VPN Series User’s Guide588Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 256 Configuration > System > ZONLABEL DESCRIPTION

USG20(W)-VPN Series User’s Guide589CHAPTER 31Log and Report31.1 OverviewUse these screens to configure daily reporting and log settings. 31.1.1 What You Can Do In this Chapter•Use the Email Daily Report screen (Section 31.2 on page 589) to configure where and how to send daily reports and what reports to send.•Use the Log Setting screens (Section 31.3 on page 591) to specify settings for recording log messages and alerts, e-mailing them, storing them on a connected USB storage device, and sending them to remote syslog servers.31.2 Email Daily ReportUse the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your USG. Note: Data collection may decrease the USG’s traffic throughput rate.Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the USG e-mail you system statistics every day.

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide590Figure 418 Configuration > Log & Report > Email Daily Report

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide591The following table describes the labels in this screen. 31.3 Log Setting Screens The Log Setting screens control log messages and alerts. A log message stores the information for viewing or regular e-mailing later, and an alert is e-mailed immediately. Usually, alerts are used for events that require more serious attention, such as system errors and attacks.The USG provides a system log and supports e-mail profiles and remote syslog servers. View the system log in the MONITOR > Log screen. Use the e-mail profiles to mail log messages to the Table 257 Configuration > Log & Report > Email Daily ReportLABEL DESCRIPTIONEnable Email Daily ReportSelect this to send reports by e-mail every day. Mail Server Type the name or IP address of the outgoing SMTP server.Mail Server Port Enter the same port number here as is on the mail server for mail traffic.TLS Security Select Transport Layer Security (TLS) if you want encrypted communications between the mail server and the USG. Authenticate Server If you choose TLS Security, you may also select this to have the USG authenticate the mail server in the TLS handshake.Mail Subject Type the subject line for outgoing e-mail from the USG. Append system name Select Append system name to add the USG’s system name to the subject. Append date time Select Append date time to add the USG’s system date and time to the subject.Mail From Type the e-mail address from which the outgoing e-mail is delivered. This address is used in replies.Mail To Type the e-mail address (or addresses) to which the outgoing e-mail is delivered.SMTP AuthenticationSelect this check box if it is necessary to provide a user name and password to the SMTP server.User Name This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is e-mailed.Password This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-mailed.Retype to Confirm Type the password again to make sure that you have entered is correctly.Send Report Now Click this button to have the USG send the daily e-mail report immediately.Time for sending reportSelect the time of day (hours and minutes) when the log is e-mailed. Use 24-hour notation.Report Items Select the information to include in the report. Types of information include System Resource Usage, Wireless Report, Threat Report, and Interface Traffic Statistics.Select Reset counters after sending report successfully if you only want to see statistics for a 24 hour period.Reset All CountersClick this to discard all report data and start all of the counters over at zero. Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings.

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide592specific destinations. You can also have the USG store system logs on a connected USB storage device. The other four logs are stored on specified syslog servers.The Log Setting screens control what information the USG saves in each log. You can also specify which log messages to e-mail for the system log, and where and how often to e-mail them. These screens also set for which events to generate alerts and where to email the alerts.The first Log Setting screen provides a settings summary. Use the Edit screens to configure settings such as log categories, e-mail addresses, and server names for any log. Use the Log Category Settings screen to edit what information is included in the system log, USB storage, e-mail profiles, and remote servers.31.3.1 Log SettingsTo access this screen, click Configuration > Log & Report > Log Settings.Figure 419 Configuration > Log & Report > Log SettingsThe following table describes the labels in this screen. Table 258 Configuration > Log & Report > Log SettingsLABEL DESCRIPTIONEdit Double-click an entry or select it and click Edit to open a screen where you can modify it. Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.# This field is a sequential value, and it is not associated with a specific log.Name This field displays the type of log setting entry (system log, logs stored on a USB storage device connected to the USG, or one of the remote servers).

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide59331.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings screen (see Section 31.3.1 on page 592), and click the system log Edit icon.Figure 420 Configuration > Log & Report > Log Setting > Edit (System Log) Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab.VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format.CEF/Syslog - Common Event Format, syslog-compatible format.Summary This field is a summary of the settings for each log. Please see Section 31.3.2 on page 593 for more information.Log Category SettingsClick this button to open the Log Category Settings Edit screen.Apply Click this button to save your changes (activate and deactivate logs) and make them take effect.Table 258 Configuration > Log & Report > Log Settings (continued)LABEL DESCRIPTION

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide594Figure 421 Configuration > Log & Report > Log Setting > Edit (System Log)

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide595The following table describes the labels in this screen. Table 259 Configuration > Log & Report > Log Setting > Edit (System Log)LABEL DESCRIPTIONE-Mail Server 1/2Active Select this to send log messages and alerts according to the information in this section. You specify what kinds of log messages are included in log information and what kinds of log messages are included in alerts in the Active Log and Alert section.Mail Server Type the name or IP address of the outgoing SMTP server.Mail Subject Type the subject line for the outgoing e-mail.Send From Type the e-mail address from which the outgoing e-mail is delivered. This address is used in replies.Send Log To Type the e-mail address to which the outgoing e-mail is delivered.Send Alerts To Type the e-mail address to which alerts are delivered.Sending Log Select how often log information is e-mailed. Choices are: When Full, Hourly and When Full, Daily and When Full, and Weekly and When Full.Day for Sending Log This field is available if the log is e-mailed weekly. Select the day of the week the log is e-mailed.Time for Sending Log This field is available if the log is e-mailed weekly or daily. Select the time of day (hours and minutes) when the log is e-mailed. Use 24-hour notation.SMTP Authentication Select this check box if it is necessary to provide a user name and password to the SMTP server.User Name This box is effective when you select the SMTP Authentication check box. Type the user name to provide to the SMTP server when the log is e-mailed.Password This box is effective when you select the SMTP Authentication check box. Type the password to provide to the SMTP server when the log is e-mailed.Retype to Confirm Type the password again to make sure that you have entered is correctly.Active Log and AlertSystem Log Use the System Log drop-down list to change the log settings for all of the log categories.disable all logs (red X) - do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.enable normal logs (green check mark) - create log messages and alerts for all categories for the system log. If e-mail server 1 or 2 also has normal logs enabled, the USG will e-mail logs to them.enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The USG does not e-mail debugging information, even if this setting is selected.E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories.Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 1.enable alert logs (red exclamation point) - e-mail alerts for all categories to e-mail server 1.

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide59631.3.3 Edit Log on USB Storage Setting The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 31.3.1 on page 592), and click the USB storage Edit icon. E-mail Server 2 Use the E-Mail Server 2 drop-down list to change the settings for e-mailing logs to e-mail server 2 for all log categories.Using the System Log drop-down list to disable all logs overrides your e-mail server 2 settings.enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 2.enable alert logs (red exclamation point) - e-mail alerts for all categories to e-mail server 2.# This field is a sequential value, and it is not associated with a specific address.Log Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.System log Select which events you want to log by Log Category. There are three choices:disable all logs (red X) - do not log any information from this categoryenable normal logs (green check mark) - create log messages and alerts from this categoryenable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information from this category; the USG does not e-mail debugging information, however, even if this setting is selected.E-mail Server 1 Select whether each category of events should be included in the log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 1. The USG does not e-mail debugging information, even if it is recorded in the System log.E-mail Server 2 Select whether each category of events should be included in log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The USG does not e-mail debugging information, even if it is recorded in the System log.Log ConsolidationActive Select this to activate log consolidation. Log consolidation aggregates multiple log messages that arrive within the specified Log Consolidation Interval. In the View Log tab, the text “[count=x]”, where x is the number of original log messages, is appended at the end of the Message field, when multiple log messages were aggregated.Log Consolidation Interval Type how often, in seconds, to consolidate log information. If the same log message appears multiple times, it is aggregated into one log message with the text “[count=x]”, where x is the number of original log messages, appended at the end of the Message field.OK Click this to save your changes and return to the previous screen.Cancel Click this to return to the previous screen without saving your changes.Table 259 Configuration > Log & Report > Log Setting > Edit (System Log) (continued)LABEL DESCRIPTION

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide597Figure 422 Configuration > Log & Report > Log Setting > Edit (USB Storage)

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide598The following table describes the labels in this screen. 31.3.4 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 31.3.1 on page 592), and click a remote server Edit icon. Table 260 Configuration > Log & Report > Log Setting > Edit (USB Storage)LABEL DESCRIPTIONUSB StorageDuplicate logs to USB storage (if ready)Select this to have the USG save a copy of its system logs to a connected USB storage device. Use the Active Log section to specify what kinds of messages to include.Log Keep durationEnable log keep durationSelect this and enter the number of days you want the USG to store a log in Keep duration before deleting it forever from the USG.Active LogSelection Use the Selection drop-down list to change the log settings for all of the log categories.disable all logs (red X) - do not send the remote server logs for any log category.enable normal logs (green check mark) - send the remote server log messages and alerts for all log categories. enable normal logs and debug logs (yellow check mark) - send the remote server log messages, alerts, and debugging information for all log categories. # This field is a sequential value, and it is not associated with a specific entry.Log Category This field displays each category of messages. The Default category includes debugging messages generated by open source software.Selection Select what information you want to log from each Log Category (except All Logs; see below). Choices are:disable all logs (red X) - do not log any information from this categoryenable normal logs (green check mark) - log regular information and alerts from this categoryenable normal logs and debug logs (yellow check mark) - log regular information, alerts, and debugging information from this categoryOK Click this to save your changes and return to the previous screen.Cancel Click this to return to the previous screen without saving your changes.

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide599Figure 423 Configuration > Log & Report > Log Setting > Edit (Remote Server)

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide600The following table describes the labels in this screen. 31.3.5 Log Category Settings ScreenThe Log Category Settings screen allows you to view and to edit what information is included in the system log, USB storage, e-mail profiles, and remote servers at the same time. It does not let you change other log settings (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings screen (see Section 31.3.1 on page 592), and click the Log Category Settings button.Table 261 Configuration > Log & Report > Log Setting > Edit (Remote Server)LABEL DESCRIPTIONLog Settings for Remote ServerActive Select this check box to send log information according to the information in this section. You specify what kinds of messages are included in log information in the Active Log section.Log Format This field displays the format of the log information. It is read-only.VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format.CEF/Syslog - Common Event Format, syslog-compatible format.Server Address Type the server name or the IP address of the syslog server to which to send log information.Log Facility Select a log facility. The log facility allows you to log the messages to different files in the syslog server. Please see the documentation for your syslog program for more information.Active LogSelection Use the Selection drop-down list to change the log settings for all of the log categories.disable all logs (red X) - do not send the remote server logs for any log category.enable normal logs (green check mark) - send the remote server log messages and alerts for all log categories. enable normal logs and debug logs (yellow check mark) - send the remote server log messages, alerts, and debugging information for all log categories. # This field is a sequential value, and it is not associated with a specific address.Log Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.Selection Select what information you want to log from each Log Category (except All Logs; see below). Choices are:disable all logs (red X) - do not log any information from this categoryenable normal logs (green check mark) - log regular information and alerts from this categoryenable normal logs and debug logs (yellow check mark) - log regular information, alerts, and debugging information from this categoryOK Click this to save your changes and return to the previous screen.Cancel Click this to return to the previous screen without saving your changes.

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide601Figure 424 Log Category Settings AC This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 31.3.2 on page 593, where this process is discussed. (The Default category includes debugging messages generated by open source software.)The following table describes the fields in this screen. Table 262 Configuration > Log & Report > Log Setting > Log Category SettingsLABEL DESCRIPTIONSystem Log Use the System Log drop-down list to change the log settings for all of the log categories.disable all logs (red X) - do not log any information for any category for the system log or e-mail any logs to e-mail server 1 or 2.enable normal logs (green check mark) - create log messages and alerts for all categories for the system log. If e-mail server 1 or 2 also has normal logs enabled, the USG will e-mail logs to them.enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories. The USG does not e-mail debugging information, even if this setting is selected.USB Storage Use the USB Storage drop-down list to change the log settings for saving logs to a connected USB storage device.disable all logs (red X) - do not log any information for any category to a connected USB storage device.enable normal logs (green check mark) - create log messages and alerts for all categories and save them to a connected USB storage device.enable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories and save them to a connected USB storage device.

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide602E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories.Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings.enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 1.enable alert logs (red exclamation point) - e-mail alerts for all categories to e-mail server 1.E-mail Server 2 Use the E-Mail Server 2 drop-down list to change the settings for e-mailing logs to e-mail server 2 for all log categories.Using the System Log drop-down list to disable all logs overrides your e-mail server 2 settings.enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 2.enable alert logs (red exclamation point) - e-mail alerts for all categories to e-mail server 2.Remote Server 1~4For each remote server, use the Selection drop-down list to change the log settings for all of the log categories.disable all logs (red X) - do not send the remote server logs for any log category.enable normal logs (green check mark) - send the remote server log messages and alerts for all log categories. enable normal logs and debug logs (yellow check mark) - send the remote server log messages, alerts, and debugging information for all log categories. # This field is a sequential value, and it is not associated with a specific address.Log Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.System Log Select which events you want to log by Log Category. There are three choices:disable all logs (red X) - do not log any information from this categoryenable normal logs (green check mark) - create log messages and alerts from this categoryenable normal logs and debug logs (yellow check mark) - create log messages, alerts, and debugging information from this category; the USG does not e-mail debugging information, however, even if this setting is selected.USB Storage Select which event log categories to save to a connected USB storage device. There are three choices:disable all logs (red X) - do not log any information from this categoryenable normal logs (green check mark) - save log messages and alerts from this categoryenable normal logs and debug logs (yellow check mark) - save log messages, alerts, and debugging information from this category.E-mail Server 1 E-mailSelect whether each category of events should be included in the log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 1. The USG does not e-mail debugging information, even if it is recorded in the System log.Table 262 Configuration > Log & Report > Log Setting > Log Category Settings (continued)LABEL DESCRIPTION

Chapter 31 Log and ReportUSG20(W)-VPN Series User’s Guide603E-mail Server 2 E-mailSelect whether each category of events should be included in log messages when it is e-mailed (green check mark) and/or in alerts (red exclamation point) for the e-mail settings specified in E-Mail Server 2. The USG does not e-mail debugging information, even if it is recorded in the System log.Remote Server 1~4For each remote server, select what information you want to log from each Log Category (except All Logs; see below). Choices are:disable all logs (red X) - do not log any information from this categoryenable normal logs (green check mark) - log regular information and alerts from this categoryenable normal logs and debug logs (yellow check mark) - log regular information, alerts, and debugging information from this categoryOK Click this to save your changes and return to the previous screen.Cancel Click this to return to the previous screen without saving your changes.Table 262 Configuration > Log & Report > Log Setting > Log Category Settings (continued)LABEL DESCRIPTION

USG20(W)-VPN Series User’s Guide604CHAPTER 32File Manager32.1 OverviewConfiguration files define the USG’s settings. Shell scripts are files of commands that you can store on the USG and run when you need them. You can apply a configuration file or run a shell script without the USG restarting. You can store multiple configuration files and shell script files on the USG. You can edit configuration files or shell scripts in a text editor and upload them to the USG. Configuration files use a .conf extension and shell scripts use a .zysh extension.32.1.1 What You Can Do in this Chapter•Use the Configuration File screen (see Section 32.2 on page 606) to store and name configuration files. You can also download configuration files from the USG to your computer and upload configuration files from your computer to the USG.•Use the Firmware Package screen (see Section 32.3 on page 610) to check your current firmware version and upload firmware to the USG.•Use the Shell Script screen (see Section 32.4 on page 612) to store, name, download, upload and run shell script files. 32.1.2 What you Need to Know Configuration Files and Shell ScriptsWhen you apply a configuration file, the USG uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the USG only applies the commands that it contains. Other settings do not change.

Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide605These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. While configuration files and shell scripts have the same syntax, the USG applies configuration files differently than it runs shell scripts. This is explained below.You have to run the example in Figure 425 on page 605 as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode.Comments in Configuration Files or Shell ScriptsIn a configuration file or shell script, use “#” or “!” as the first character of a command line to have the USG treat the line as a comment. Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the USG exit sub command mode.Note: “exit” or “!'” must follow sub commands if it is to make the USG exit sub command mode.Figure 425 Configuration File / Shell Script: Example# enter configuration modeconfigure terminal# change administrator passwordusername admin password 4321 user-type admin# configure ge3interface ge3ip address 172.23.37.240 255.255.255.0ip gateway 172.23.37.254 metric 1exit# create address objects for remote management / to-ZyWALL firewall rules# use the address group in case we want to open up remote management lateraddress-object TW_SUBNET 172.23.37.0/24object-group address TW_TEAMaddress-object TW_SUBNETexit# enable Telnet access (not enabled by default, unlike other services)ip telnet server# open WAN-to-ZyWALL firewall for TW_TEAM for remote managementfirewall WAN ZyWALL insert 4sourceip TW_TEAMservice TELNETaction allowexitwriteTable 263 Configuration Files and Shell Scripts in the USGConfiguration Files (.conf) Shell Scripts (.zysh)• Resets to default configuration.•Goes into CLI Configuration mode.• Runs the commands in the configuration file.•Goes into CLI Privilege mode.• Runs the commands in the shell script.

Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide606Line 3 in the following example exits sub command mode.Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. Lines 1 and 2 are comments. Line 5 exits sub command mode. Errors in Configuration Files or Shell ScriptsWhen you apply a configuration file or run a shell script, the USG processes the file line-by-line. The USG checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the USG finds an error, it stops applying the configuration file or shell script and generates a log. You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The USG ignores any errors in the configuration file or shell script and applies all of the valid commands. The USG still generates a log for any errors. 32.2 The Configuration File ScreenClick Maintenance > File Manager > Configuration File to open the Configuration File screen. Use the Configuration File screen to store, run, and name configuration files. You can also download configuration files from the USG to your computer and upload configuration files from your computer to the USG.Once your USG is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.interface ge1ip address dhcp!!interface ge1# this interface is a DHCP client!! this is from Joe# on 2008/04/05interface ge1ip address dhcp!

Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide607 Configuration File Flow at Restart• If there is not a startup-config.conf when you restart the USG (whether through a management interface or by physically turning the power off and back on), the USG uses the system-default.conf configuration file with the USG’s default settings.•If there is a startup-config.conf, the USG checks it for errors and applies it. If there are no errors, the USG uses it and copies it to the lastgood.conf configuration file as a back up file. If there is an error, the USG generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn’t a lastgood.conf configuration file or it also has an error, the USG applies the system-default.conf configuration file.• You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The USG ignores any errors in the startup-config.conf file and applies all of the valid commands. The USG still generates a log for any errors. Figure 426 Maintenance > File Manager > Configuration File Do not turn off the USG while configuration file upload is in progress.

$Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide608The following table describes the labels in this screen. Table 264 Maintenance > File Manager > Configuration FileLABEL DESCRIPTIONRename Use this button to change the label of a configuration file on the USG. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files. You cannot rename a configuration file to the name of another configuration file in the USG. Click a configuration file’s row to select it and click Rename to open the Rename File screen. Figure 427 Maintenance > File Manager > Configuration File > Rename Specify the new name for the configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.Remove Click a configuration file’s row to select it and click Remove to delete it from the USG. You can only delete manually saved configuration files. You cannot delete the system-default.conf, startup-config.conf and lastgood.conf files.A pop-up window asks you to confirm that you want to delete the configuration file. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file.Download Click a configuration file’s row to select it and click Download to save the configuration to your computer.Copy Use this button to save a duplicate of a configuration file on the USG. Click a configuration file’s row to select it and click Copy to open the Copy File screen. Figure 428 Maintenance > File Manager > Configuration File > CopySpecify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.$

Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide609Apply Use this button to have the USG use a specific configuration file.Click a configuration file’s row to select it and click Apply to have the USG use that configuration file. The USG does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.The following screen gives you options for what the USG is to do if it encounters an error in the configuration file.Figure 429 Maintenance > File Manager > Configuration File > ApplyImmediately stop applying the configuration file - this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device. Immediately stop applying the configuration file and roll back to the previous configuration - this gets the USG started with a fully valid configuration file as quickly as possible.Ignore errors and finish applying the configuration file - this applies the valid parts of the configuration file and generates error logs for all of the configuration file’s errors. This lets the USG apply most of your configuration and you can refer to the logs for what to fix. Ignore errors and finish applying the configuration file and then roll back to the previous configuration - this applies the valid parts of the configuration file, generates error logs for all of the configuration file’s errors, and starts the USG with a fully valid configuration file.Click OK to have the USG start applying the configuration file or click Cancel to close the screen #This column displays the number for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.Table 264 Maintenance > File Manager > Configuration File (continued)LABEL DESCRIPTION

Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide61032.3 The Firmware Package Screen Click Maintenance > File Manager > Firmware Package to open the Firmware Package screen. Use the Firmware Package screen to check your current firmware version and upload firmware to the USG. You can upload firmware to be the Running firmware or Standby firmware.Note: The Web Configurator is the recommended method for uploading firmware. You only need to use the command line interface if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it.Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “zywall.bin”. The firmware update can take up to five minutes. Do not turn off or reset the USG while the firmware update is in progress!File Name This column displays the label that identifies a configuration file.You cannot delete the following configuration files or change their file names. The system-default.conf file contains the USG’s default settings. Select this file and click Apply to reset all of the USG settings to the factory defaults. This configuration file is included when you upload a firmware package. The startup-config.conf file is the configuration file that the USG is currently using. If you make and save changes during your management session, the changes are applied to this configuration file. The USG applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK. It applies configuration changes made via commands when you use the write command. The lastgood.conf is the most recently used (valid) configuration file that was saved when the device last restarted. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.Size This column displays the size (in KB) of a configuration file.Last Modified This column displays the date and time that the individual configuration files were last changed or saved.Upload Configuration FileThe bottom part of the screen allows you to upload a new or previously saved configuration file from your computer to your USGYou cannot upload a configuration file named system-default.conf or lastgood.conf. If you upload startup-config.conf, it will replace the current configuration and immediately apply the new settings.File Path Type in the location of the file you want to upload in this field or click Browse ... to find it.Browse... Click Browse... to find the .conf file you want to upload. The configuration file must use a “.conf” filename extension. You will receive an error message if you try to upload a fie of a different format. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes. Table 264 Maintenance > File Manager > Configuration File (continued)LABEL DESCRIPTION

Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide611Figure 430 Maintenance > File Manager > Firmware Package The following table describes the labels in this screen. Table 265 Maintenance > File Manager > Firmware PackageLABEL DESCRIPTIONFirmware StatusReboot Now Click the Reboot Now button to restart the USG. If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot.If you want the Standby firmware to be the Running firmware, then select the Standbyfirmware row and click Reboot Now. Wait a few minutes until the login screen appears. If the login screen does not appear, clear your browser cache and refresh the screen or type the IP address of the USG in your Web browser again.You can also use the CLI command reboot to restart the USG.# This displays the system space (partition) index number where the firmwarm is located. The firmware can be either Standby or Running; only one firmware can be running at any one time.Status This indicates whether the firmware is Running, or not running but already uploaded to the USG and is on Standby. It displays N/A if there is no firmware uploaded to that system space.Model This is the model name of the device which the firmware is running on. Version This is the firmware version and the date created. Released Date This is the date that the version of the firmware was created. Upload FileTo upload image file in system spaceClick the To upload image file in system space pull-down menu and select 1 or 2. The default is the Standby system space, so if you want to upload new firmware to be the Running firmware, then select the correct system space.Boot Options If you upload firmware to the Running system space, the USG will reboot automatically. If you upload firmware to the Standby system space, you have the option to Reboot now or Don’t Reboot. Reboot now If you select Reboot now, then the firmware upload to Standby system space will become the Running firmware after you click Upload and the upload process completes.

Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide612After you see the Firmware Upload in Process screen, wait a few minutes before logging into the USG again.Figure 431 Firmware Upload In ProcessNote: The USG automatically reboots after a successful upload.The USG automatically restarts causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.Figure 432 Network After five minutes, log in again and check your new firmware version in the Dashboard screen.If the upload was not successful, the following message appears in the status bar at the bottom of the screen.Figure 433 Firmware Upload Error32.4 The Shell Script Screen Use shell script files to have the USG use commands that you specify. Use a text editor to create the shell script files. They must use a “.zysh” filename extension. Click Maintenance > File Manager > Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the USG at the same time. Don’t Reboot If you choose Don’t Reboot, then the firmware upload to Standby system space will be the Standby firmware after you click Upload and the upload process completes.If you want the Standby firmware to be the Running firmware, then select the Standbyfirmware row in Firmware Status and click Reboot Now.File Path Type in the location of the file you want to upload in this field or click Browse ... to find it.Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take a few minutes.Table 265 Maintenance > File Manager > Firmware Package (continued)LABEL DESCRIPTION

$Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide613Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the USG restarts. You could use multiple write commands in a long script.Figure 434 Maintenance > File Manager > Shell Script Each field is described in the following table. Table 266 Maintenance > File Manager > Shell ScriptLABEL DESCRIPTIONRename Use this button to change the label of a shell script file on the USG. You cannot rename a shell script to the name of another shell script in the USG. Click a shell script’s row to select it and click Rename to open the Rename File screen. Figure 435 Maintenance > File Manager > Shell Script > RenameSpecify the new name for the shell script file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.Remove Click a shell script file’s row to select it and click Remove to delete the shell script file from the USG. A pop-up window asks you to confirm that you want to delete the shell script file. Click OK to delete the shell script file or click Cancel to close the screen without deleting the shell script file.Download Click a shell script file’s row to select it and click Download to save the configuration to your computer.$

$Chapter 32 File ManagerUSG20(W)-VPN Series User’s Guide614Copy Use this button to save a duplicate of a shell script file on the USG. Click a shell script file’s row to select it and click Copy to open the Copy File screen. Figure 436 Maintenance > File Manager > Shell Script > CopySpecify a name for the duplicate file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.Apply Use this button to have the USG use a specific shell script file.Click a shell script file’s row to select it and click Apply to have the USG use that shell script file. You may need to wait awhile for the USG to finish applying the commands.#This column displays the number for each shell script file entry.File Name This column displays the label that identifies a shell script file.Size This column displays the size (in KB) of a shell script file.Last Modified This column displays the date and time that the individual shell script files were last changed or saved.Upload Shell ScriptThe bottom part of the screen allows you to upload a new or previously saved shell script file from your computer to your USG.File Path Type in the location of the file you want to upload in this field or click Browse ... to find it.Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes.Table 266 Maintenance > File Manager > Shell Script (continued)LABEL DESCRIPTION$

ZyXEL Communications USG20W-VPN VPN Firewall User Manual Book

ZyXEL Communications Corporation VPN Firewall Book

Contents

Users Manual Part 5

Navigation menu

Namespaces

Views

Navigation