ZyXEL Communications USG20W-VPN VPN Firewall User Manual Book

ZyXEL Communications Corporation VPN Firewall Book

UserManual.wiki >

ZyXEL Communications >

USG20W-VPN User Manual >

Users Manual Part 5 HTML Version

Users Manual Part 5

USG20(W)-VPN Series User’s Guide

537

CHAPTER 30

System

30.1 Overview

Use the system screens to configure general USG settings.

30.1.1 What You Can Do in this Chapter

•Use the System > Host Name screen (see Section 30.2 on page 538) to configure a unique

name for the USG in your network.

•Use the System > USB Storage screen (see Section 30.3 on page 538) to configure the

settings for the connected USB devices.

•Use the System > Date/Time screen (see Section 30.4 on page 539) to configure the date and

time for the USG.

•Use the System > Console Speed screen (see Section 30.5 on page 543) to configure the

console port speed when you connect to the USG via the console port using a terminal emulation

program.

•Use the System > DNS screen (see Section 30.6 on page 544) to configure the DNS (Domain

Name System) server used for mapping a domain name to its corresponding IP address and vice

versa.

•Use the System > WWW screens (see Section 30.7 on page 553) to configure settings for HTTP

or HTTPS access to the USG and how the login and access user screens look.

•Use the System > SSH screen (see Section 30.8 on page 569) to configure SSH (Secure SHell)

used to securely access the USG’s command line interface. You can specify which zones allow

SSH access and from which IP address the access can come.

•Use the System > TELNET screen (see Section 30.9 on page 573) to configure Telnet to access

the USG’s command line interface. Specify which zones allow Telnet access and from which IP

address the access can come.

•Use the System > FTP screen (see Section 30.10 on page 575) to specify from which zones FTP

can be used to access the USG. You can also specify from which IP addresses the access can

come. You can upload and download the USG’s firmware and configuration files using FTP. .

• Your USG can act as an SNMP agent, which allows a manager station to manage and monitor the

USG through the network. Use the System > SNMP screen (see Section 30.11 on page 576) to

configure SNMP settings, including from which zones SNMP can be used to access the USG. You

can also specify from which IP addresses the access can come.

•Use the Auth. Server screen (Section 30.12 on page 580) to configure the USG to operate as a

RADIUS server.

•Use the CloudCNM screen (Section 30.13 on page 582) to enable and configure management of

the USG by a Central Network Management system.

•Use the System > Language screen (see Section 30.14 on page 585) to set a language for the

USG’s Web Configurator screens.

•Use the System > IPv6 screen (see Section 30.15 on page 585) to enable or disable IPv6

support on the USG.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

538

•Use the System > ZON screen (see Section 30.16 on page 586) to enable or disable the ZyXEL

One Network (ZON) utility that uses ZyXEL Discovery Protocol (ZDP) for discovering and

configuring ZDP-aware ZyXEL devices in the same network as the computer on which ZON is

installed.

Note: See each section for related background information and term definitions.

30.2 Host Name

A host name is the unique name by which a device is known on a network. Click Configuration >

System > Host Name to open the Host Name screen.

Figure 367 Configuration > System > Host Name

The following table describes the labels in this screen.

30.3 USB Storage

The USG can use a connected USB device to store the system log and other diagnostic information.

Use this screen to turn on this feature and set a disk full warning limit.

Note: Only connect one USB device. It must allow writing (it cannot be read-only) and

use the FAT16, FAT32, EXT2, or EXT3 file system.

Click Configuration > System > USB Storage to open the screen as shown next.

Table 229 Configuration > System > Host Name

LABEL DESCRIPTION

System Name Enter a descriptive name to identify your USG device. This name can be up to 64

alphanumeric characters long. Spaces are not allowed, but dashes (-) underscores (_) and

periods (.) are accepted.

Domain Name Enter the domain name (if you know it) here. This name is propagated to DHCP clients

connected to interfaces with the DHCP server enabled. This name can be up to 254

alphanumeric characters long. Spaces are not allowed, but dashes “-” are accepted.

Apply Click Apply to save your changes back to the USG.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

539

Figure 368 Configuration > System > USB Storage

The following table describes the labels in this screen.

30.4 Date and Time

For effective scheduling and logging, the USG system time must be accurate. The USG’s Real Time

Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time

manually or get the current time and date from an external server.

To change your USG’s time based on your local time zone and date, click Configuration > System

> Date/Time. The screen displays as shown. You can manually set the USG’s time and date or

have the USG get the date and time from a time server.

Table 230 Configuration > System > USB Storage

LABEL DESCRIPTION

Activate USB

storage service

Select this if you want to use the connected USB device(s).

Disk full warning

when remaining

space is less

than

Set a number and select a unit (MB or %) to have the USG send a warning message when

the remaining USB storage space is less than the value you set here.

Apply Click Apply to save your changes back to the USG.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

540

Figure 369 Configuration > System > Date and Time

The following table describes the labels in this screen.

Table 231 Configuration > System > Date and Time

LABEL DESCRIPTION

Current Time and

Date

Current Time This field displays the present time of your USG.

Current Date This field displays the present date of your USG.

Time and Date

Setup

Manual Select this radio button to enter the time and date manually. If you configure a new time

and date, time zone and daylight saving at the same time, the time zone and daylight

saving will affect the new time and date you entered. When you enter the time settings

manually, the USG uses the new setting once you click Apply.

New Time (hh-mm-

ss)

This field displays the last updated time from the time server or the last time configured

manually.

When you set Time and Date Setup to Manual, enter the new time in this field and

then click Apply.

New Date

(yyyy-mm-dd)

This field displays the last updated date from the time server or the last date configured

manually.

When you set Time and Date Setup to Manual, enter the new date in this field and

then click Apply.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

541

Get from Time

Server

Select this radio button to have the USG get the time and date from the time server you

specify below. The USG requests time and date settings from the time server under the

following circumstances.

• When the USG starts up.

• When you click Apply or Synchronize Now in this screen.

• 24-hour intervals after starting up.

Time Server

Address

Enter the IP address or URL of your time server. Check with your ISP/network

administrator if you are unsure of this information.

Sync. Now Click this button to have the USG get the time and date from a time server (see the

Time Server Address field). This also saves your changes (except the daylight saving

settings).

Time Zone Setup

Time Zone Choose the time zone of your location. This will set the time difference between your

time zone and Greenwich Mean Time (GMT).

Enable Daylight

Saving

Daylight saving is a period from late spring to early fall when many countries set their

clocks ahead of normal local time by one hour to give more daytime light in the evening.

Select this option if you use Daylight Saving Time.

Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable

Daylight Saving. The at field uses the 24 hour format. Here are a couple of examples:

Daylight Saving Time starts in most parts of the United States on the second Sunday of

March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M.

local time. So in the United States you would select Second, Sunday, March and type

2 in the at field.

Daylight Saving Time starts in the European Union on the last Sunday of March. All of

the time zones in the European Union start using Daylight Saving Time at the same

moment (1 A.M. GMT or UTC). So in the European Union you would select Last,

Sunday, March. The time you type in the at field depends on your time zone. In

Germany for instance, you would type 2 because Germany's time zone is one hour

ahead of GMT or UTC (GMT+1).

End Date Configure the day and time when Daylight Saving Time ends if you selected Enable

Daylight Saving. The at field uses the 24 hour format. Here are a couple of examples:

Daylight Saving Time ends in the United States on the first Sunday of November. Each

time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So

in the United States you would select First, Sunday, November and type 2 in the at

field.

Daylight Saving Time ends in the European Union on the last Sunday of October. All of

the time zones in the European Union stop using Daylight Saving Time at the same

moment (1 A.M. GMT or UTC). So in the European Union you would select Last,

Sunday, October. The time you type in the at field depends on your time zone. In

Germany for instance, you would type 2 because Germany's time zone is one hour

ahead of GMT or UTC (GMT+1).

Offset Specify how much the clock changes when daylight saving begins and ends.

Enter a number from 1 to 5.5 (by 0.5 increments).

For example, if you set this field to 3.5, a log occurred at 6 P.M. in local official time will

appear as if it had occurred at 10:30 P.M.

Apply Click Apply to save your changes back to the USG.

Reset Click Reset to return the screen to its last-saved settings.

Table 231 Configuration > System > Date and Time (continued)

LABEL DESCRIPTION

Chapter 30 System

USG20(W)-VPN Series User’s Guide

542

30.4.1 Pre-defined NTP Time Servers List

When you turn on the USG for the first time, the date and time start at 2003-01-01 00:00:00. The

USG then attempts to synchronize with one of the following pre-defined list of Network Time

Protocol (NTP) time servers.

The USG continues to use the following pre-defined list of NTP time servers if you do not specify a

time server or it cannot synchronize with the time server you specified.

When the USG uses the pre-defined list of NTP time servers, it randomly selects one server and

tries to synchronize with it. If the synchronization fails, then the USG goes through the rest of the

list in order from the first one tried until either it is successful or all the pre-defined NTP time

servers have been tried.

30.4.2 Time Server Synchronization

Click the Synchronize Now button to get the time and date from the time server you specified in

the Time Server Address field.

When the Please Wait... screen appears, you may have to wait up to one minute.

Figure 370 Synchronization in Process

The Current Time and Current Date fields will display the appropriate settings if the

synchronization is successful.

If the synchronization was not successful, a log displays in the View Log screen. Try re-configuring

the Date/Time screen.

To manually set the USG date and time.

1Click System > Date/Time.

2Select Manual under Time and Date Setup.

3Enter the USG’s time in the New Time field.

4Enter the USG’s date in the New Date field.

5Under Time Zone Setup, select your Time Zone from the list.

6As an option you can select the Enable Daylight Saving check box to adjust the USG clock for

daylight savings.

Table 232 Default Time Servers

0.pool.ntp.org

1.pool.ntp.org

2.pool.ntp.org

Chapter 30 System

USG20(W)-VPN Series User’s Guide

543

7Click Apply.

To get the USG date and time from a time server

1Click System > Date/Time.

2Select Get from Time Server under Time and Date Setup.

3Under Time Zone Setup, select your Time Zone from the list.

4As an option you can select the Enable Daylight Saving check box to adjust the USG clock for

daylight savings.

5Under Time and Date Setup, enter a Time Server Address (Table 232 on page 542).

6Click Apply.

30.5 Console Port Speed

This section shows you how to set the console port speed when you connect to the USG via the

console port using a terminal emulation program.

Click Configuration > System > Console Speed to open the Console Speed screen.

Figure 371 Configuration > System > Console Speed

The following table describes the labels in this screen.

Table 233 Configuration > System > Console Speed

LABEL DESCRIPTION

Console Port Speed Use the drop-down list box to change the speed of the console port. Your USG supports

9600, 19200, 38400, 57600, and 115200 bps (default) for the console port.

The Console Port Speed applies to a console port connection using terminal emulation

software and NOT the Console in the USG Web Configurator Status screen.

Apply Click Apply to save your changes back to the USG.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

544

30.6 DNS Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and

vice versa. The DNS server is extremely important because without it, you must know the IP

address of a machine before you can access it.

30.6.1 DNS Server Address Assignment

The USG can get the DNS server addresses in the following ways.

• The ISP tells you the DNS server addresses, usually in the form of an information sheet, when

you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server

fields.

• If your ISP dynamically assigns the DNS server IP addresses (along with the USG’s WAN IP

address), set the DNS server fields to get the DNS server address from the ISP.

• You can manually enter the IP addresses of other DNS servers.

30.6.2 Configuring the DNS Screen

Click Configuration > System > DNS to change your USG’s DNS settings. Use the DNS screen to

configure the USG to use a DNS server to resolve domain names for USG system features like VPN,

DDNS and the time server. You can also configure the USG to accept or discard DNS queries. Use

the Network > Interface screens to configure the DNS server information that the USG sends to

the specified DHCP client devices.

A name query begins at a client computer and is passed to a resolver, a DNS client service, for

resolution. The USG can be a DNS client service. The USG can resolve a DNS query locally using

cached Resource Records (RR) obtained from a previous query (and kept for a period of time). If

the USG does not have the requested information, it can forward the request to DNS servers. This

is known as recursion.

The USG can ask a DNS server to use recursion to resolve its DNS client requests. If recursion on

the USG or a DNS server is disabled, they cannot forward DNS requests for resolution.

A Domain Name Server (DNS) amplification attack is a kind of Distributed Denial of Service (DDoS)

attack that uses publicly accessible open DNS servers to flood a victim with DNS response traffic.

An open DNS server is a DNS server which is willing to resolve recursive DNS queries from anyone

on the Internet.

In a DNS amplification attack, an attacker sends a DNS name lookup request to an open DNS

server with the source address spoofed as the victim’s address. When the DNS server sends the

DNS record response, it is sent to the victim. Attackers can request as much information as possible

to maximize the amplification effect.

Configure the Security Option Control section in the Configuration > System > DNS screen

(click Show Advanced Settings to display it) if you suspect the USG is being used (either by

hackers or by a corrupted open DNS server) in a DNS amplification attack.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

545

Figure 372 Configuration > System > DNS

The following table describes the labels in this screen.

Table 234 Configuration > System > DNS

LABEL DESCRIPTION

Address/PTR

Record

This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP

address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw

is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level

domain, “com” is the second-level domain, and “tw” is the top level domain.

Add Click this to create a new entry.

Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it

before doing so. Note that subsequent entries move up by one when you take this action.

#This is the index number of the address/PTR record.

FQDN This is a host’s fully qualified domain name.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

546

IP Address This is the IP address of a host.

CNAME Record This record specifies an alias for a FQDN. Use this record to bind all subdomains with the

same IP address as the FQDN without having to update each one individually, which

increases chance for errors. See CNAME Record (Section 30.6.6 on page 548) for more

details.

Add Click this to create a new entry.

Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it

before doing so. Note that subsequent entries move up by one when you take this action.

#This is the index number of the domain zone forwarder record. The ordering of your rules

is important as rules are applied in sequence.

A hyphen (-) displays for the default domain zone forwarder record. The default record is

not configurable. The USG uses this default record if the domain zone that needs to be

resolved does not match any of the other domain zone forwarder records.

Alias Name Enter an Alias name. Use “*.” as prefix for a wildcard domain name. For example,

*.example.com.

FQDN Enter the Fully Qualified Domain Name (FQDN).

Domain Zone

Forwarder

This specifies a DNS server’s IP address. The USG can query the DNS server to resolve

domain zones for features like VPN, DDNS and the time server.

When the USG needs to resolve a domain zone, it checks it against the domain zone

forwarder entries in the order that they appear in this list.

Add Click this to create a new entry. Select an entry and click Add to create a new entry after

the selected entry.

Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it

before doing so. Note that subsequent entries move up by one when you take this action.

Move To change an entry’s position in the numbered list, select the method and click Move to

display a field to type a number for where you want to put it and press [ENTER] to move

the rule to the number that you typed.

#This is the index number of the domain zone forwarder record. The ordering of your rules

is important as rules are applied in sequence.

A hyphen (-) displays for the default domain zone forwarder record. The default record is

not configurable. The USG uses this default record if the domain zone that needs to be

resolved does not match any of the other domain zone forwarder records.

Domain Zone A domain zone is a fully qualified domain name without the host. For example,

zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.

A “*” means all domain zones.

Type This displays whether the DNS server IP address is assigned by the ISP dynamically

through a specified interface or configured manually (User-Defined).

DNS Server This is the IP address of a DNS server. This field displays N/A if you have the USG get a

DNS server IP address from the ISP dynamically but the specified interface is not active.

Query Via This is the interface through which the USG sends DNS queries to the entry’s DNS server.

If the USG connects through a VPN tunnel, tunnel displays.

MX Record (for My

FQDN)

A MX (Mail eXchange) record identifies a mail server that handles the mail for a

particular domain.

Add Click this to create a new entry.

Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.

Table 234 Configuration > System > DNS (continued)

LABEL DESCRIPTION

Chapter 30 System

USG20(W)-VPN Series User’s Guide

547

30.6.3 Address Record

An address record contains the mapping of a Fully-Qualified Domain Name (FQDN) to an IP

address. An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully

qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is

the top level domain. mail.myZyXEL.com.tw is also a FQDN, where “mail” is the host, “myZyXEL” is

the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.

Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it

before doing so. Note that subsequent entries move up by one when you take this action.

#This is the index number of the MX record.

Domain Name This is the domain name where the mail is destined for.

IP/FQDN This is the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that

handles the mail for the domain specified in the field above.

Security Option

Control

Click Show Advanced Settings to display this part of the screen. There are two control

policies: Default and Customize.

Edit Click either control policy and then click this button to change allow or deny actions for

Query Recursion and Additional Info from Cache.

Priority The Customize control policy is checked first and if an address object match is not

found, the Default control policy is checked.

Name You may change the name of the Customize control policy.

Address These are the object addresses used in the control policy. RFC1918 refers to private IP

address ranges. It can be modified in Object > Address.

Additional Info

from Cache This displays if the USG is allowed or denied to cache Resource Records (RR) obtained

from previous DNS queries.

Query

Recursion This displays if the USG is allowed or denied to forward DNS client requests to DNS

servers for resolution.

Service Control This specifies from which computers and zones you can send DNS queries to the USG.

Add Click this to create a new entry. Select an entry and click Add to create a new entry after

the selected entry.

Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it

before doing so. Note that subsequent entries move up by one when you take this action.

Move To change an entry’s position in the numbered list, select the method and click Move to

display a field to type a number for where you want to put it and press [ENTER] to move

the rule to the number that you typed.

#This the index number of the service control rule. The ordering of your rules is important

as rules are applied in sequence.

The entry with a hyphen (-) instead of a number is the USG’s (non-configurable) default

policy. The USG applies this to traffic that does not match any other configured rule. It is

not an editable rule. To apply other behavior, configure a rule that traffic will match so

the USG will not have to use the default policy.

Zone This is the zone on the USG the user is allowed or denied to access.

Address This is the object name of the IP address(es) with which the computer is allowed or

denied to send DNS queries.

Action This displays whether the USG accepts DNS queries from the computer with the IP

address specified above through the specified zone (Accept) or discards them (Deny).

Table 234 Configuration > System > DNS (continued)

LABEL DESCRIPTION

Chapter 30 System

USG20(W)-VPN Series User’s Guide

548

The USG allows you to configure address records about the USG itself or another device. This way

you can keep a record of DNS names and addresses that people on your network may use

frequently. If the USG receives a DNS query for an FQDN for which the USG has an address record,

the USG can send the IP address in a DNS response without having to query a DNS name server.

30.6.4 PTR Record

A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of

an IP address to a domain name.

30.6.5 Adding an Address/PTR Record

Click the Add icon in the Address/PTR Record table to add an address/PTR record.

Figure 373 Configuration > System > DNS > Address/PTR Record Edit

The following table describes the labels in this screen.

30.6.6 CNAME Record

A Canonical Name Record or CNAME record is a type of resource record in the Domain Name

System (DNS) that specifies that the domain name is an alias of another, canonical domain name.

This allows users to set up a record for a domain name which translates to an IP address, in other

words, the domain name is an alias of another. This record also binds all the subdomains to the

same IP address without having to create a record for each, so when the IP address is changed, all

subdomain’s IP address is updated as well, with one edit to the record.

Table 235 Configuration > System > DNS > Address/PTR Record Edit

LABEL DESCRIPTION

FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a host

name and continues all the way up to the top-level domain name. For example,

www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is

the third-level domain, “com” is the second-level domain, and “tw” is the top level

domain. Underscores are not allowed.

Use "*." as a prefix in the FQDN for a wildcard domain name (for example,

*.example.com).

IP Address Enter the IP address of the host in dotted decimal notation.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving

Chapter 30 System

USG20(W)-VPN Series User’s Guide

549

For example, the domain name zyxel.com is hooked up to a record named A which translates it to

11.22.33.44. You also have several subdomains, like mail.zyxel.com, ftp.zyxel.com and you want

this subdomain to point to your main domain zyxel.com. Edit the IP Address in record A and all

subdomains will follow automatically. This eliminates chances for errors and increases efficiency in

DNS management.

30.6.7 Adding a CNAME Record

Click the Add icon in the CNAME Record table to add a record. Use “*.” as a prefix for a wildcard

domain name. For example *.zyxel.com.

Figure 374 Configuration > System > DNS > CNAME Record > Add

The following table describes the labels in this screen.

30.6.8 Domain Zone Forwarder

A domain zone forwarder contains a DNS server’s IP address. The USG can query the DNS server to

resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully

qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the

www.zyxel.com.tw fully qualified domain name.

30.6.9 Adding a Domain Zone Forwarder

Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record.

Table 236 Configuration > System > DNS > CNAME Record > Add

LABEL DESCRIPTION

Alias name Enter an Alias Name. Use "*." as a prefix in the Alias name for a wildcard domain

name (for example, *.example.com).

FQDN Type a Fully-Qualified Domain Name (FQDN) of a server. An FQDN starts with a

host name and continues all the way up to the top-level domain name. For

example, www.zyxel.com.tw is a fully qualified domain name, where “www” is

the host, “zyxel” is the third-level domain, “com” is the second-level domain,

and “tw” is the top level domain. Underscores are not allowed.

Use "*." as a prefix in the FQDN for a wildcard domain name (for example,

*.example.com).

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

550

Figure 375 Configuration > System > DNS > Domain Zone Forwarder Add

The following table describes the labels in this screen.

30.6.10 MX Record

A MX (Mail eXchange) record indicates which host is responsible for the mail for a particular

domain, that is, controls where mail is sent for that domain. If you do not configure proper MX

records for your domain or other domain, external e-mail from other mail servers will not be able to

be delivered to your mail server and vice versa. Each host or domain can have only one MX record,

that is, one domain is mapping to one host.

Table 237 Configuration > System > DNS > Domain Zone Forwarder Add

LABEL DESCRIPTION

Domain Zone A domain zone is a fully qualified domain name without the host. For example,

zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.

For example, whenever the USG receives needs to resolve a zyxel.com.tw domain name,

it can send a query to the recorded name server IP address.

Enter * if all domain zones are served by the specified DNS server(s).

DNS Server Select DNS Server(s) from ISP if your ISP dynamically assigns DNS server

information. You also need to select an interface through which the ISP provides the DNS

server IP address(es). The interface should be activated and set to be a DHCP client. The

fields below display the (read-only) DNS server IP address(es) that the ISP assigns. N/A

displays for any DNS server IP address fields for which the ISP does not assign an IP

address.

Select Public DNS Server if you have the IP address of a DNS server. Enter the DNS

server's IP address in the field to the right. The USG must be able to connect to the DNS

server without using a VPN tunnel. The DNS server could be on the Internet or one of the

USG’s local networks. You cannot use 0.0.0.0. Use the Query via field to select the

interface through which the USG sends DNS queries to a DNS server.

Select Private DNS Server if you have the IP address of a DNS server to which the USG

connects through a VPN tunnel. Enter the DNS server's IP address in the field to the

right. You cannot use 0.0.0.0.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving

Chapter 30 System

USG20(W)-VPN Series User’s Guide

551

30.6.11 Adding a MX Record

Click the Add icon in the MX Record table to add a MX record.

Figure 376 Configuration > System > DNS > MX Record Add

The following table describes the labels in this screen.

30.6.12 Security Option Control

Configure the Security Option Control section in the Configuration > System > DNS screen

(click Show Advanced Settings to display it) if you suspect the USG is being used by hackers in a

DNS amplification attack.

One possible strategy would be to deny Query Recursion and Additional Info from Cache in the

default policy and allow Query Recursion and Additional Info from Cache only from trusted

DNS servers identified by address objects and added as members in the customized policy.

30.6.13 Editing a Security Option Control

Click a control policy and then click Edit to change allow or deny actions for Query Recursion

and Additional Info from Cache.

Table 238 Configuration > System > DNS > MX Record Add

LABEL DESCRIPTION

Domain Name Enter the domain name where the mail is destined for.

IP Address/FQDN Enter the IP address or Fully-Qualified Domain Name (FQDN) of a mail server that

handles the mail for the domain specified in the field above.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving

Chapter 30 System

USG20(W)-VPN Series User’s Guide

552

Figure 377 Configuration > System > DNS > Security Option Control Edit (Customize)

The following table describes the labels in this screen.

30.6.14 Adding a DNS Service Control Rule

Click the Add icon in the Service Control table to add a service control rule.

Table 239 Configuration > System > DNS > Security Option Control Edit (Customize)

LABEL DESCRIPTION

Name You may change the name for the customized security option control policy. The

customized security option control policy is checked first and if an address object match is

not found, the Default control policy is checked

Query Recursion Choose if the USG is allowed or denied to forward DNS client requests to DNS servers for

resolution. This can apply to specific open DNS servers using the address objects in a

customized rule.

Additional Info

from Cache

Choose if the USG is allowed or denied to cache Resource Records (RR) obtained from

previous DNS queries.

Address List Specifiying address objects is not available in the default policy as all addresses are

included.

Available This box displays address objects created in Object > Address. Select one (or more),

and click the > arrow to have it (them) join the Member list of address objects that will

apply to this rule. For example, you could specifiy an open DNS server suspect of sending

compromised resource records by adding an address object for that server to the

member list.

Member This box displays address objects that will apply to this rule.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving

Chapter 30 System

USG20(W)-VPN Series User’s Guide

553

Figure 378 Configuration > System > DNS > Service Control Rule Add

The following table describes the labels in this screen.

30.7 WWW Overview

The following figure shows secure and insecure management of the USG coming in from the WAN.

HTTPS and SSH access are secure. HTTP and Telnet access are not secure.

Note: To allow the USG to be accessed from a specified computer using a service, make

sure you do not have a service control rule or to-USG security policy rule to block

that traffic.

To stop a service from accessing the USG, clear Enable in the corresponding service screen.

30.7.1 Service Access Limitations

A service cannot be used to access the USG when:

1You have disabled that service in the corresponding screen.

2The allowed IP address (address object) in the Service Control table does not match the client IP

address (the USG disallows the session).

Table 240 Configuration > System > DNS > Service Control Rule Add

LABEL DESCRIPTION

Create new

Object

Use this to configure any new settings objects that you need to use in this screen.

Address Object Select ALL to allow or deny any computer to send DNS queries to the USG.

Select a predefined address object to just allow or deny the computer with the IP address

that you specified to send DNS queries to the USG.

Zone Select ALL to allow or prevent DNS queries through any zones.

Select a predefined zone on which a DNS query to the USG is allowed or denied.

Action Select Accept to have the USG allow the DNS queries from the specified computer.

Select Deny to have the USG reject the DNS queries from the specified computer.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving

Chapter 30 System

USG20(W)-VPN Series User’s Guide

554

3The IP address (address object) in the Service Control table is not in the allowed zone or the

action is set to Deny.

4There is a security policy rule that blocks it.

30.7.2 System Timeout

There is a lease timeout for administrators. The USG automatically logs you out if the management

session remains idle for longer than this timeout period. The management session does not time

out when a statistics screen is polling.

Each user is also forced to log in the USG for authentication again when the reauthentication time

expires.

You can change the timeout settings in the User/Group screens.

30.7.3 HTTPS

You can set the USG to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions.

Specify which zones allow Web Configurator access and from which IP address the access can

come.

HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol

that encrypts and decrypts web pages. Secure Socket Layer (SSL) is an application-level protocol

that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot

read the transferred data), authentication (one party can identify the other party) and data

integrity (you know if data has been changed).

It relies upon certificates, public keys, and private keys.

HTTPS on the USG is used so that you can securely access the USG using the Web Configurator. The

SSL protocol specifies that the HTTPS server (the USG) must always authenticate itself to the

HTTPS client (the computer which requests the HTTPS connection with the USG), whereas the

HTTPS client only should authenticate itself when the HTTPS server requires it to do so (select

Authenticate Client Certificates in the WWW screen). Authenticate Client Certificates is

optional and if selected means the HTTPS client must send the USG a certificate. You must apply for

a certificate for the browser from a CA that is a trusted CA on the USG.

Please refer to the following figure.

1HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the

USG’s web server.

2HTTP connection requests from a web browser go to port 80 (by default) on the USG’s web server.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

555

Figure 379 HTTP/HTTPS Implementation

Note: If you disable HTTP in the WWW screen, then the USG blocks all HTTP connection

attempts.

30.7.4 Configuring WWW Service Control

Click Configuration > System > WWW to open the WWW screen. Use this screen to specify

from which zones you can access the USG using HTTP or HTTPS. You can also specify which IP

addresses the access can come from.

Note: Admin Service Control deals with management access (to the Web Configurator).

User Service Control deals with user access to the USG (logging into SSL VPN for

example).

Chapter 30 System

USG20(W)-VPN Series User’s Guide

556

Figure 380 Configuration > System > WWW > Service Control

The following table describes the labels in this screen.

Table 241 Configuration > System > WWW > Service Control

LABEL DESCRIPTION

HTTPS

Enable Select the check box to allow or disallow the computer with the IP address that

matches the IP address(es) in the Service Control table to access the USG Web

Configurator using secure HTTPs connections.

Server Port The HTTPS server listens on port 443 by default. If you change the HTTPS server port

to a different number on the USG, for example 8443, then you must notify people

who need to access the USG Web Configurator to use “https://USG IP Address:8443”

as the URL.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

557

Authenticate Client

Certificates

Select Authenticate Client Certificates (optional) to require the SSL client to

authenticate itself to the USG by sending the USG a certificate. To do that the SSL

client must have a CA-signed certificate from a CA that has been imported as a

trusted CA on the USG (see Section 30.7.7.5 on page 564 on importing certificates

for details).

Server Certificate Select a certificate the HTTPS server (the USG) uses to authenticate itself to the

HTTPS client. You must have certificates already configured in the My Certificates

screen.

Redirect HTTP to

HTTPS

To allow only secure Web Configurator access, select this to redirect all HTTP

connection requests to the HTTPS server.

Admin/User Service

Control

Admin Service Control specifies from which zones an administrator can use HTTPS

to manage the USG (using the Web Configurator). You can also specify the IP

addresses from which the administrators can manage the USG.

User Service Control specifies from which zones a user can use HTTPS to log into

the USG (to log into SSL VPN for example). You can also specify the IP addresses

from which the users can access the USG.

Add Click this to create a new entry. Select an entry and click Add to create a new entry

after the selected entry.

Edit Double-click an entry or select it and click Edit to be able to modify the entry’s

settings.

Remove To remove an entry, select it and click Remove. The USG confirms you want to

remove it before doing so. Note that subsequent entries move up by one when you

take this action.

Move To change an entry’s position in the numbered list, select the method and click Move

to display a field to type a number for where you want to put it and press [ENTER] to

move the rule to the number that you typed.

#This is the index number of the service control rule.

The entry with a hyphen (-) instead of a number is the USG’s (non-configurable)

default policy. The USG applies this to traffic that does not match any other

configured rule. It is not an editable rule. To apply other behavior, configure a rule

that traffic will match so the USG will not have to use the default policy.

Zone This is the zone on the USG the user is allowed or denied to access.

Address This is the object name of the IP address(es) with which the computer is allowed or

denied to access.

Action This displays whether the computer with the IP address specified above can access

the USG zone(s) configured in the Zone field (Accept) or not (Deny).

HTTP

Enable Select the check box to allow or disallow the computer with the IP address that

matches the IP address(es) in the Service Control table to access the USG Web

Configurator using HTTP connections.

Server Port You may change the server port number for a service if needed, however you must

use the same port number in order to use that service to access the USG.

Admin/User Service

Control

Admin Service Control specifies from which zones an administrator can use HTTP to

manage the USG (using the Web Configurator). You can also specify the IP addresses

from which the administrators can manage the USG.

User Service Control specifies from which zones a user can use HTTP to log into the

USG (to log into SSL VPN for example). You can also specify the IP addresses from

which the users can access the USG.

Add Click this to create a new entry. Select an entry and click Add to create a new entry

after the selected entry.

Table 241 Configuration > System > WWW > Service Control (continued)

LABEL DESCRIPTION

Chapter 30 System

USG20(W)-VPN Series User’s Guide

558

30.7.5 Service Control Rules

Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to

add a service control rule.

Figure 381 Configuration > System > Service Control Rule > Edit

The following table describes the labels in this screen.

Edit Double-click an entry or select it and click Edit to be able to modify the entry’s

settings.

Remove To remove an entry, select it and click Remove. The USG confirms you want to

remove it before doing so. Note that subsequent entries move up by one when you

take this action.

Move To change an entry’s position in the numbered list, select the method and click Move

to display a field to type a number for where you want to put it and press [ENTER] to

move the rule to the number that you typed.

#This is the index number of the service control rule.

The entry with a hyphen (-) instead of a number is the USG’s (non-configurable)

default policy. The USG applies this to traffic that does not match any other

configured rule. It is not an editable rule. To apply other behavior, configure a rule

that traffic will match so the USG will not have to use the default policy.

Zone This is the zone on the USG the user is allowed or denied to access.

Address This is the object name of the IP address(es) with which the computer is allowed or

denied to access.

Action This displays whether the computer with the IP address specified above can access

the USG zone(s) configured in the Zone field (Accept) or not (Deny).

Authentication

Client Authentication

Method

Select a method the HTTPS or HTTP server uses to authenticate a client.

You must have configured the authentication methods in the Auth. method screen.

Apply Click Apply to save your changes back to the USG.

Reset Click Reset to return the screen to its last-saved settings.

Table 241 Configuration > System > WWW > Service Control (continued)

LABEL DESCRIPTION

Table 242 Configuration > System > Service Control Rule > Edit

LABEL DESCRIPTION

Create new

Object

Use this to configure any new settings objects that you need to use in this screen.

Address Object Select ALL to allow or deny any computer to communicate with the USG using this service.

Select a predefined address object to just allow or deny the computer with the IP address

that you specified to access the USG using this service.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

559

30.7.6 Customizing the WWW Login Page

Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this

screen to customize the Web Configurator login screen. You can also customize the page that

displays after an access user logs into the Web Configurator to access network services like the

Internet.

Figure 382 Configuration > System > WWW > Login Page

Zone Select ALL to allow or prevent any USG zones from being accessed using this service.

Select a predefined USG zone on which a incoming service is allowed or denied.

Action Select Accept to allow the user to access the USG from the specified computers.

Select Deny to block the user’s access to the USG from the specified computers.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving

Table 242 Configuration > System > Service Control Rule > Edit

LABEL DESCRIPTION

Chapter 30 System

USG20(W)-VPN Series User’s Guide

560

The following figures identify the parts you can customize in the login and access pages.

Figure 383 Login Page Customization

Figure 384 Access Page Customization

You can specify colors in one of the following ways:

• Click Color to display a screen of web-safe colors from which to choose.

Logo Title

Message

Note Message

Background

(last line of text)

(color of all text)

Logo Title

Message

Note Message

Window

(last line of text)

(color of all text)

Background

Chapter 30 System

USG20(W)-VPN Series User’s Guide

561

• Enter the name of the desired color.

• Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired

color. For example, use “#000000” for black.

• Enter “rgb” followed by red, green, and blue values in parenthesis and separate by commas. For

example, use “rgb(0,0,0)” for black.

Your desired color should display in the preview screen on the right after you click in another field,

click Apply, or press [ENTER]. If your desired color does not display, your browser may not support

it. Try selecting another color.

The following table describes the labels in the screen.

Table 243 Configuration > System > WWW > Login Page

LABEL DESCRIPTION

Select Type Select whether the Web Configurator uses the default login screen or one that you

customize in the rest of this screen.

Logo File You can upload a graphic logo to be displayed on the upper left corner of the Web

Configurator login screen and access page.

Specify the location and file name of the logo graphic or click Browse to locate it.

Note: Use a GIF, JPG, or PNG of 100 kilobytes or less.

Click Upload to transfer the specified graphic file from your computer to the USG.

Customized

Use this section to set how the Web Configurator login screen looks.

Title Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces

are allowed.

Title Color Specify the color of the screen’s title text.

Message Color Specify the color of the screen’s text.

Note Message Enter a note to display at the bottom of the screen. Use up to 64 printable ASCII

characters. Spaces are allowed.

Background Set how the screen background looks.

To use a graphic, select Picture and upload a graphic. Specify the location and file name of

the logo graphic or click Browse to locate it. The picture’s size cannot be over 438 x 337

pixels.

Note: Use a GIF, JPG, or PNG of 100 kilobytes or less.

To use a color, select Color and specify the color.

Customized

Access Page

Use this section to customize the page that displays after an access user logs into the Web

Configurator to access network services like the Internet.

Title Enter the title for the top of the screen. Use up to 64 printable ASCII characters. Spaces

are allowed.

Message Color Specify the color of the screen’s text.

Note Message Enter a note to display below the title. Use up to 64 printable ASCII characters. Spaces are

allowed.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

562

30.7.7 HTTPS Example

If you haven’t changed the default HTTPS port on the USG, then in your browser enter “https://

USG IP Address/” as the web site address where “USG IP Address” is the IP address or domain

name of the USG you wish to access.

30.7.7.1 Internet Explorer Warning Messages

When you attempt to access the USG HTTPS server, you will see the error message shown in the

following screen.

Figure 385 Security Alert Dialog Box (Internet Explorer)

Select Continue to this website to proceed to the Web Configurator login screen. Otherwise,

select Click here to close this webpage to block the access.

30.7.7.2 Mozilla Firefox Warning Messages

When you attempt to access the USG HTTPS server, a The Connection is Untrusted screen

appears as shown in the following screen. Click Technical Details if you want to verify more

information about the certificate from the USG.

Select I Understand the Risks and then click Add Exception to add the USG to the security

exception list. Click Confirm Security Exception.

Background Set how the window’s background looks.

To use a graphic, select Picture and upload a graphic. Specify the location and file name of

the logo graphic or click Browse to locate it. The picture’s size cannot be over 438 x 337

pixels.

Note: Use a GIF, JPG, or PNG of 100 kilobytes or less.

To use a color, select Color and specify the color.

Apply Click Apply to save your changes back to the USG.

Reset Click Reset to return the screen to its last-saved settings.

Table 243 Configuration > System > WWW > Login Page

LABEL DESCRIPTION

Chapter 30 System

USG20(W)-VPN Series User’s Guide

563

Figure 386 Security Certificate 1 (Firefox)

Figure 387 Security Certificate 2 (Firefox)

30.7.7.3 Avoiding Browser Warning Messages

Here are the main reasons your browser displays warnings about the USG’s HTTPS server certificate

and what you can do to avoid seeing the warnings:

• The issuing certificate authority of the USG’s HTTPS server certificate is not one of the browser’s

trusted certificate authorities. The issuing certificate authority of the USG's factory default

certificate is the USG itself since the certificate is a self-signed certificate.

• For the browser to trust a self-signed certificate, import the self-signed certificate into your

operating system as a trusted certificate.

• To have the browser trust the certificates issued by a certificate authority, import the certificate

authority’s certificate into your operating system as a trusted certificate.

30.7.7.4 Login Screen

After you accept the certificate, the USG login screen appears. The lock displayed in the bottom of

the browser status bar denotes a secure connection.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

564

Figure 388 Login Screen (Internet Explorer)

30.7.7.5 Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the USG.

You must have imported at least one trusted CA to the USG in order for the Authenticate Client

Certificates to be active (see the Certificates chapter for details).

Apply for a certificate from a Certification Authority (CA) that is trusted by the USG (see the USG’s

Trusted CA Web Configurator screen).

Figure 389 USG Trusted CA Screen

The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s)

and a password to install the personal certificate(s).

30.7.7.5.1 Installing the CA’s Certificate

1Double click the CA’s trusted certificate to produce a screen similar to the one shown next.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

565

Figure 390 CA Certificate Example

2Click Install Certificate and follow the wizard as shown earlier in this appendix.

30.7.7.5.2 Installing Your Personal Certificate(s)

You need a password in advance. The CA may issue the password or you may have to specify it

during the enrollment. Double-click the personal certificate given to you by the CA to produce a

screen similar to the one shown next

1Click Next to begin the wizard.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

566

Figure 391 Personal Certificate Import Wizard 1

2The file name and path of the certificate you double-clicked should automatically appear in the File

name text box. Click Browse if you wish to import a different certificate.

Figure 392 Personal Certificate Import Wizard 2

3Enter the password given to you by the CA.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

567

Figure 393 Personal Certificate Import Wizard 3

4Have the wizard determine where the certificate should be saved on your computer or select Place

all certificates in the following store and choose a different location.

Figure 394 Personal Certificate Import Wizard 4

5Click Finish to complete the wizard and begin the import process.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

568

Figure 395 Personal Certificate Import Wizard 5

6You should see the following screen when the certificate is correctly installed on your computer.

Figure 396 Personal Certificate Import Wizard 6

30.7.7.6 Using a Certificate When Accessing the USG Example

Use the following procedure to access the USG via HTTPS.

1Enter ‘https://USG IP Address/ in your browser’s web address field.

Figure 397 Access the USG Via HTTPS

2When Authenticate Client Certificates is selected on the USG, the following screen asks you to

select a personal certificate to send to the USG. This screen displays even if you only have a single

certificate as in the example.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

569

Figure 398 SSL Client Authentication

3You next see the Web Configurator login screen.

Figure 399 Secure Web Configurator Login Screen

30.8 SSH

You can use SSH (Secure SHell) to securely access the USG’s command line interface. Specify

which zones allow SSH access and from which IP address the access can come.

SSH is a secure communication protocol that combines authentication and data encryption to

provide secure encrypted communication between two hosts over an unsecured network. In the

following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the

USG for a management session.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

570

Figure 400 SSH Communication Over the WAN Example

30.8.1 How SSH Works

The following figure is an example of how a secure connection is established between two remote

hosts using SSH v1.

Figure 401 How SSH v1 Works Example

1Host Identification

The SSH client sends a connection request to the SSH server. The server identifies itself with a host

key. The client encrypts a randomly generated session key with the host key and server key and

sends the result back to the server.

The client automatically saves any new server public keys. In subsequent connections, the server

public key is checked against the saved version on the client computer.

2Encryption Method

Once the identification is verified, both the client and server must agree on the type of encryption

method to use.

3Authentication and Data Transmission

After the identification is verified and data encryption activated, a secure tunnel is established

between the client and the server. The client then sends its authentication information (user name

and password) to the server to log in to the server.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

571

30.8.2 SSH Implementation on the USG

Your USG supports SSH versions 1 and 2 using RSA authentication and four encryption methods

(AES, 3DES, Archfour, and Blowfish). The SSH server is implemented on the USG for management

using port 22 (by default).

30.8.3 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system)

that is used to connect to the USG over SSH.

30.8.4 Configuring SSH

Click Configuration > System > SSH to change your USG’s Secure Shell settings. Use this screen

to specify from which zones SSH can be used to manage the USG. You can also specify from which

IP addresses the access can come.

Figure 402 Configuration > System > SSH

The following table describes the labels in this screen.

Table 244 Configuration > System > SSH

LABEL DESCRIPTION

Enable Select the check box to allow or disallow the computer with the IP address that matches

the IP address(es) in the Service Control table to access the USG CLI using this service.

Version 1 Select the check box to have the USG use both SSH version 1 and version 2 protocols. If

you clear the check box, the USG uses only SSH version 2 protocol.

Server Port You may change the server port number for a service if needed, however you must use the

same port number in order to use that service for remote management.

Server

Certificate

Select the certificate whose corresponding private key is to be used to identify the USG for

SSH connections. You must have certificates already configured in the My Certificates

screen.

Service Control This specifies from which computers you can access which USG zones.

Chapter 30 System

USG20(W)-VPN Series User’s Guide

572

30.8.5 Secure Telnet Using SSH Examples

This section shows two examples using a command interface and a graphical interface SSH client

program to remotely access the USG. The configuration and connection steps are similar for most

SSH client programs. Refer to your SSH client program user’s guide.

30.8.5.1 Example 1: Microsoft Windows

This section describes how to access the USG using the Secure Shell Client program.

1Launch the SSH client and specify the connection information (IP address, port number) for the

USG.

2Configure the SSH client to accept connection using SSH version 1.

3A window displays prompting you to store the host key in you computer. Click Yes to continue.

Figure 403 SSH Example 1: Store Host Key

Enter the password to log in to the USG. The CLI screen displays next.

Add Click this to create a new entry. Select an entry and click Add to create a new entry after

the selected entry. Refer to Table 242 on page 558 for details on the screen that opens.

Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it

before doing so. Note that subsequent entries move up by one when you take this action.

Move To change an entry’s position in the numbered list, select the method and click Move to

display a field to type a number for where you want to put it and press [ENTER] to move

the rule to the number that you typed.

#This the index number of the service control rule.

Zone This is the zone on the USG the user is allowed or denied to access.

Address This is the object name of the IP address(es) with which the computer is allowed or denied

to access.

Action This displays whether the computer with the IP address specified above can access the

USG zone(s) configured in the Zone field (Accept) or not (Deny).

Apply Click Apply to save your changes back to the USG.

Reset Click Reset to return the screen to its last-saved settings.

Table 244 Configuration > System > SSH (continued)

LABEL DESCRIPTION

Chapter 30 System

USG20(W)-VPN Series User’s Guide

573

30.8.5.2 Example 2: Linux

This section describes how to access the USG using the OpenSSH client program that comes with

most Linux distributions.

1Test whether the SSH service is available on the USG.

Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER]. The computer

attempts to connect to port 22 on the USG (using the default IP address of 192.168.1.1).

A message displays indicating the SSH protocol version supported by the USG.

Figure 404 SSH Example 2: Test

2Enter “ssh –1 192.168.1.1”. This command forces your computer to connect to the USG using

SSH version 1. If this is the first time you are connecting to the USG using SSH, a message displays

prompting you to save the host information of the USG. Type “yes” and press [ENTER].

Then enter the password to log in to the USG.

Figure 405 SSH Example 2: Log in

3The CLI screen displays next.

30.9 Telnet

You can use Telnet to access the USG’s command line interface. Specify which zones allow Telnet

access and from which IP address the access can come.

30.9.1 Configuring Telnet

Click Configuration > System > TELNET to configure your USG for remote Telnet access. Use

this screen to specify from which zones Telnet can be used to manage the USG. You can also specify

from which IP addresses the access can come.

$ telnet 192.168.1.1 22

Trying 192.168.1.1...

Connected to 192.168.1.1.

Escape character is '^]'.

SSH-1.5-1.0.0

$ ssh –1 192.168.1.1

The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.

RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.

Administrator@192.168.1.1's password:

Chapter 30 System

USG20(W)-VPN Series User’s Guide

574

Figure 406 Configuration > System > TELNET

The following table describes the labels in this screen.

Table 245 Configuration > System > TELNET