Zyxel Zywall Usg 50 Users Manual User’s Guide

2014-12-11

: Zyxel Zyxel-Zywall-Usg-50-Users-Manual-121988 zyxel-zywall-usg-50-users-manual-121988 zyxel pdf

Open the PDF directly: View PDF .
Page Count: 970 [warning: Documents this large are best viewed by clicking the View PDF Link!]

ZyWALL USG 50
User’s Guide
Technical Reference

www.zyxel.com

ZyWALL USG 50

Unified Security Gateway

ZyXEL Communications Corporation

Version 2.21

Edition 4, 4/2011

Default Login Details

LAN Port P3, P4

IP Address https://192.168.1.1

User Name admin

Password 1234

About This User's Guide

ZyWALL USG 50 User’s Guide 3

About This User's Guide

Intended Audience

This manual is intended for people who want to want to configure the ZyWALL

using the Web Configurator.

How To Use This Guide

•Read Chapter 1 on page 31 chapter for an overview of features available on the

ZyWALL.

•Read Chapter 3 on page 45 for web browser requirements and an introduction

to the main components, icons and menus in the ZyWALL Web Configurator.

•Read Chapter 4 on page 61 if you’re using the installation wizard for first time

setup and you want more detailed information than what the real time online

help provides.

•Read Chapter 5 on page 71 if you’re using the quick setup wizards and you want

more detailed information than what the real time online help provides.

• It is highly recommended you read Chapter 6 on page 89 for detailed

information on essential terms used in the ZyWALL, what prerequisites are

needed to configure a feature and how to use that feature.

• It is highly recommended you read Chapter 7 on page 111 for ZyWALL

application examples.

• Subsequent chapters are arranged by menu item as defined in the Web

Configurator. Read each chapter carefully for detailed information on that menu

item.

• To find specific information in this guide, use the Contents Overview, the

Table of Contents, the Index, or search the PDF file. E-mail

techwriters@zyxel.com.tw if you cannot find the information you require.

more on logs.

Force User

Authentication

This field is available for user-configured policies that require

authentication. Select this to have the ZyWALL automatically display the

traffic.

Endpoint

Security (EPS)

These fields display when you set the Authentication field to required.

Use these fields to make sure users’ computers meet an endpoint

security object’s Operating System (OS) and security requirements

before granting access. These fields are available for user-configured

policies that require authentication.

Enable EPS

Checking

Select this to have the ZyWALL check that users’ computers meet the

Operating System (OS) and security requirements of one of the policy’s

selected endpoint security objects before granting access.

Periodical

checking time

Select this and specify a number of minutes to have the ZyWALL repeat

the endpoint security check at a regular interval.

Available EPS

Object /

Selected EPS

Object

Configured endpoint security objects appear on the left. Select the

endpoint security objects to use for this policy and click the right arrow

button to add them to the selected list on the right. Use the [Shift] and/

or [Ctrl] key to select multiple objects. Select any endpoint security

objects that you want to remove from the selected list and click the left

arrow button to remove them.

The ZyWALL checks authenticated users’ computers against the policy’s

selected endpoint security objects in the order you list them here. When

a user’s computer matches an endpoint security object the ZyWALL

grants access and stops checking. Select an endpoint security object and

use the up and down arrows to change it’s position in the list. To make

the endpoint security check as efficient as possible, arrange the endpoint

security objects in order with the one that the most users should match

first and the one that the least user’s should match last.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this screen without saving.

Table 103 Configuration > Auth. Policy > Add (continued)

LABEL DESCRIPTION

Chapter 21 Authentication Policy

ZyWALL USG 50 User’s Guide

362

ZyWALL USG 50 User’s Guide 363

CHAPTER 22

Firewall

22.1 Overview

Use the firewall to block or allow services that use static port numbers. Use

application patrol (see Chapter 28 on page 443) to control services using flexible/

dynamic port numbers. The firewall can also limit the number of user sessions.

This figure shows the ZyWALL’s default firewall rules in action and demonstrates

how stateful inspection works. User 1 can initiate a Telnet session from within the

LAN1 zone and responses to this request are allowed. However, other Telnet traffic

initiated from the WAN or DMZ zone and destined for the LAN1 zone is blocked.

Communications between the WAN and the DMZ zones are allowed. The firewall

allows VPN traffic between any of the networks.

Figure 217 Default Firewall Action

22.1.1 What You Can Do in this Chapter

•Use the Firewall screens (Section 22.2 on page 371) to enable or disable the

firewall and asymmetrical routes, and manage and configure firewall rules.

•Use the Session Limit screens (see Section 22.3 on page 376) to limit the

number of concurrent NAT/firewall sessions a client can use.

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

364

22.1.2 What You Need to Know

Stateful Inspection

The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by

screening data packets against defined access rules. It also inspects sessions. For

example, traffic from one zone is not allowed unless it is initiated by a computer in

another zone first.

Zones

A zone is a group of interfaces or VPN tunnels. Group the ZyWALL’s interfaces into

different zones based on your needs. You can configure firewall rules for data

passing between zones or even between interfaces and/or VPN tunnels in a zone.

Default Firewall Behavior

Firewall rules are grouped based on the direction of travel of packets to which they

apply. Here is the default firewall behavior for traffic going through the ZyWALL in

various directions.

To-ZyWALL Rules

Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By

default:

• The firewall allows only LAN, or WAN computers to access or manage the

ZyWALL.

Table 104 Default Firewall Behavior

FROM ZONE TO ZONE BEHAVIOR

From WAN to ZyWALL Traffic from the WAN to the ZyWALL itself is allowed for certain

default services described in To-ZyWALL Rules on page 364. All

other WAN to ZyWALL traffic is dropped.

From WAN to any (other

than the ZyWALL)

Traffic from the WAN to any of the networks behind the

ZyWALL is dropped.

From DMZ to ZyWALL Traffic from the DMZ to the ZyWALL itself is allowed for certain

default services described in To-ZyWALL Rules on page 364. All

other DMZ to ZyWALL traffic is dropped.

From DMZ to any (other

than the ZyWALL)

Traffic from the DMZ to any of the networks behind the

ZyWALL is dropped.

From ANY to ANY Traffic that does not match any firewall rule is allowed. So for

example, LAN to WAN, LAN to DMZ traffic is allowed. This also

includes traffic to or from interfaces or VPN tunnels that are

not assigned to a zone (extra-zone traffic).

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide 365

• The ZyWALL drops most packets from the WAN zone to the ZyWALL itself,

except for ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a

log.

• The ZyWALL drops most packets from the DMZ zone to the ZyWALL itself,

except for DNS and NetBIOS traffic, and generates a log.

When you configure a firewall rule for packets destined for the ZyWALL itself,

make sure it does not conflict with your service control rule. See Chapter 45 on

page 681 for more information about service control (remote management). The

ZyWALL checks the firewall rules before the service control rules for traffic

destined for the ZyWALL.

You can configure a To-ZyWALL firewall rule (with From Any To ZyWALL

direction) for traffic from an interface which is not in a zone.

Global Firewall Rules

Firewall rules with from any and/or to any as the packet direction are called

global firewall rules. The global firewall rules are the only firewall rules that apply

to an interface or VPN tunnel that is not included in a zone. The from any rules

apply to traffic coming from the interface and the to any rules apply to traffic

going to the interface.

Firewall Rule Criteria

The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL),

source IP address, destination IP address and IP protocol type of network traffic

against the firewall rules (in the order you list them). When the traffic matches a

rule, the ZyWALL takes the action specified in the rule.

User Specific Firewall Rules

You can specify users or user groups in firewall rules. For example, to allow a

specific user from any computer to access a zone by logging in to the ZyWALL, you

can set up a rule based on the user name only. If you also apply a schedule to the

firewall rule, the user can only access the network at the scheduled time. A user-

aware firewall rule is activated whenever the user logs in to the ZyWALL and will

be disabled after the user logs out of the ZyWALL.

Firewall and Application Patrol

To use a service, make sure both the firewall and application patrol allow the

service’s packets to go through the ZyWALL. The ZyWALL checks the firewall rules

before the application patrol rules for traffic going through the ZyWALL.

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

366

Firewall and VPN Traffic

After you create a VPN tunnel and add it to a zone, you can set the firewall rules

applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone

for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-

zone traffic blocking to allow or block VPN traffic transmitting between the VPN

tunnel and other interfaces in the LAN zone. If you add the VPN tunnel to a new

zone (the VPN zone for example), you can configure rules for VPN traffic between

the VPN zone and other zones or From VPN To-ZyWALL rules for VPN traffic

destined for the ZyWALL.

Session Limits

Accessing the ZyWALL or network resources through the ZyWALL requires a NAT

session and corresponding firewall session. Peer to peer applications, such as file

sharing applications, may use a large number of NAT sessions. A single client

could use all of the available NAT sessions and prevent others from connecting to

or through the ZyWALL. The ZyWALL lets you limit the number of concurrent NAT/

firewall sessions a client can use.

Finding Out More

• See Section 6.5.14 on page 103 for related information on the Firewall

screens.

• See Section 7.8 on page 138 for an example of creating firewall rules as part of

configuring user-aware access control (Section 7.5 on page 124).

• See Section 7.9.3 on page 144 for an example of creating a firewall rule to allow

H.323 traffic from the WAN to the LAN.

• See Section 7.10.3 on page 147 for an example of creating a firewall rule to

allow web traffic from the WAN to a server on the DMZ.

• See Section 7.11.4 on page 152 for an example of creating firewall rules to

allow SIP traffic for an IPPBX or SIP server on the DMZ.

22.1.3 Firewall Rule Example Applications

Suppose that your company decides to block all of the LAN users from using IRC

(Internet Relay Chat) through the Internet. To do this, you would configure a LAN

to WAN firewall rule that blocks IRC traffic from any source IP address from going

to any destination address. You do not need to specify a schedule since you need

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide 367

the firewall rule to always be in effect. The following figure shows the results of

this rule.

Figure 218 Blocking All LAN to WAN IRC Traffic Example

Your firewall would have the following rules.

• The first row blocks LAN access to the IRC service on the WAN.

• The second row is the firewall’s default policy that allows all LAN1 to WAN traffic.

The ZyWALL applies the firewall rules in order. So for this example, when the

ZyWALL receives traffic from the LAN, it checks it against the first rule. If the

traffic matches (if it is IRC traffic) the firewall takes the action in the rule (drop)

and stops checking the firewall rules. Any traffic that does not match the first

firewall rule will match the second rule and the ZyWALL forwards it.

Now suppose that your company wants to let the CEO use IRC. You can configure

a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the

CEO’s computer. You can also configure a LAN to WAN rule that allows IRC traffic

from any computer through which the CEO logs into the ZyWALL with his/her user

name. In order to make sure that the CEO’s computer always uses the same IP

address, make sure it either:

• Has a static IP address,

• You configure a static DHCP entry for it so the ZyWALL always assigns it the

same IP address (see DHCP Settings on page 274 for information on DHCP).

Table 105 Blocking All LAN to WAN IRC Traffic Example

#USER SOURCE DESTINATION SCHEDULE SERVICE ACTION

1 Any Any Any Any IRC Deny

2 Any Any Any Any Any Allow

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

368

Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP

address of the CEO’s computer (192.168.1.7 for example) to go to any destination

address. You do not need to specify a schedule since you want the firewall rule to

always be in effect. The following figure shows the results of your two custom

rules.

Figure 219 Limited LAN to WAN IRC Traffic Example

Your firewall would have the following configuration.

• The first row allows the LAN1 computer at IP address 192.168.1.7 to access the

IRC service on the WAN.

• The second row blocks LAN1 access to the IRC service on the WAN.

• The third row is the firewall’s default policy of allowing all traffic from the LAN1

to go to the WAN.

Alternatively, you configure a LAN1 to WAN rule with the CEO’s user name (say

CEO) to allow IRC traffic from any source IP address to go to any destination

address.

Your firewall would have the following configuration.

Table 106 Limited LAN1 to WAN IRC Traffic Example 1

#USER SOURCE DESTINATION SCHEDULE SERVICE ACTION

1 Any 192.168.1.7 Any Any IRC Allow

2 Any Any Any Any IRC Deny

3 Any Any Any Any Any Allow

Table 107 Limited LAN1 to WAN IRC Traffic Example 2

#USER SOURCE DESTINATION SCHEDULE SERVICE ACTION

1 CEO Any Any Any IRC Allow

2 Any Any Any Any IRC Deny

3 Any Any Any Any Any Allow

LAN1

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide 369

• The first row allows any LAN1 computer to access the IRC service on the WAN

by logging into the ZyWALL with the CEO’s user name.

• The second row blocks LAN1 access to the IRC service on the WAN.

• The third row is the firewall’s default policy of allowing all traffic from the LAN1

to go to the WAN.

The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC

traffic. If the rule that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC

traffic would match that rule and the ZyWALL would drop it and not check any

other firewall rules.

22.1.4 Firewall Rule Configuration Example

The following Internet firewall rule example allows Doom players from the WAN to

IP addresses 192.168.1.10 through 192.168.1.15 (Dest_1) on the LAN1.

1Click Configuration > Firewall. In the summary of firewall rules click Add in the

heading row to configure a new first entry. Remember the sequence (priority) of

the rules is important since they are applied in order.

Figure 220 Firewall Example: Firewall Screen

2At the top of the screen, click Create new Object > Address.

3The screen for configuring an address object opens. Configure it as follows and

click OK.

Figure 221 Firewall Example: Create an Address Object

4Click Create new Object > Service.

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

370

5The screen for configuring a service object opens. Configure it as follows and click

OK.

Figure 222 Firewall Example: Create a Service Object

6Select From WAN and To LAN1.

7Enter the name of the firewall rule.

8Select Dest_1 is selected for the Destination and Doom is selected as the

Service. Enter a description and configure the rest of the screen as follows. Click

OK when you are done.

Figure 223 Firewall Example: Edit a Firewall Rule

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide 371

9The firewall rule appears in the firewall rule summary.

Figure 224 Firewall Example: Doom Rule in Summary

22.2 The Firewall Screen

Asymmetrical Routes

If an alternate gateway on the LAN has an IP address in the same subnet as the

ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is

called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the

connection, as the connection has not been acknowledged.

You can have the ZyWALL permit the use of asymmetrical route topology on the

network (not reset the connection). However, allowing asymmetrical routes may

let traffic from the WAN go directly to the LAN without passing through the

ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the

backup gateway on separate subnets. Virtual interfaces allow you to partition your

network into logical sections over the same interface. See the chapter about

interfaces for more information.

By putting LAN 1 and the alternate gateway (A in the figure) in different subnets,

all returning network traffic must pass through the ZyWALL to the LAN. The

following steps and figure describe such a scenario.

1A computer on the LAN1 initiates a connection by sending a SYN packet to a

receiving server on the WAN.

2The ZyWALL reroutes the packet to gateway A, which is in Subnet 2.

3The reply from the WAN goes to the ZyWALL.

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

372

4The ZyWALL then sends it to the computer on the LAN1 in Subnet 1.

Figure 225 Using Virtual Interfaces to Avoid Asymmetrical Routes

22.2.1 Configuring the Firewall Screen

Click Configuration > Firewall to open the Firewall screen. Use this screen to

enable or disable the firewall and asymmetrical routes, set a maximum number of

sessions per host, and display the configured firewall rules. Specify from which

zone packets come and to which zone packets travel to display only the rules

specific to the selected direction. Note the following.

• If you enable intra-zone traffic blocking (see the chapter about zones), the

firewall automatically creates (implicit) rules to deny packet passage between

the interfaces in the specified zone.

• Besides configuring the firewall, you also need to configure NAT rules to allow

computers on the WAN to access LAN devices. See Chapter 17 on page 327 for

more information.

• The ZyWALL applies NAT (Destination NAT) settings before applying the firewall

rules. So for example, if you configure a NAT entry that sends WAN traffic to a

LAN IP address, when you configure a corresponding firewall rule to allow the

traffic, you need to set the LAN IP address as the destination. See Section 7.9

on page 141 for an example.

LAN1

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide 373

• The ordering of your rules is very important as rules are applied in sequence.

Figure 226 Configuration > Firewall

The following table describes the labels in this screen.

Table 108 Configuration > Firewall

LABEL DESCRIPTION

General

Settings

Enable

Firewall

Select this check box to activate the firewall. The ZyWALL performs

access control when the firewall is activated.

Allow

Asymmetrical

Route

If an alternate gateway on the LAN has an IP address in the same subnet

as the ZyWALL’s LAN IP address, return traffic may not go through the

ZyWALL. This is called an asymmetrical or “triangle” route. This causes

the ZyWALL to reset the connection, as the connection has not been

acknowledged.

Select this check box to have the ZyWALL permit the use of asymmetrical

route topology on the network (not reset the connection).

Note: Allowing asymmetrical routes may let traffic from the WAN go

directly to the LAN without passing through the ZyWALL. A

better solution is to use virtual interfaces to put the ZyWALL

and the backup gateway on separate subnets.

Firewall Rule Summary

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

374

From Zone /

To Zone

This is the direction of travel of packets. Select from which zone the

packets come and to which zone they go.

Firewall rules are grouped based on the direction of travel of packets to

which they apply. For example, from LAN1 to LAN1 means packets

traveling from a computer or subnet on the LAN to either another

computer or subnet on the LAN1.

From any displays all the firewall rules for traffic going to the selected To

Zone.

To any displays all the firewall rules for traffic coming from the selected

From Zone.

From any to any displays all of the firewall rules.

To ZyWALL rules are for traffic that is destined for the ZyWALL and

control which computers can manage the ZyWALL.

Add Click this to create a new entry. Select an entry and click Add to create a

new entry after the selected entry.

Edit Double-click an entry or select it and click Edit to open a screen where

you can modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL confirms

you want to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Move To change a rule’s position in the numbered list, select the rule and click

Move to display a field to type a number for where you want to put that

rule and press [ENTER] to move the rule to the number that you typed.

The ordering of your rules is important as they are applied in order of

their numbering.

The following read-only fields summarize the rules you have created that apply to traffic

traveling in the selected packet direction.

Status This icon is lit when the entry is active and dimmed when the entry is

inactive.

Priority This is the position of your firewall rule in the global rule list (including all

through-ZyWALL and to-ZyWALL rules). The ordering of your rules is

important as rules are applied in sequence. Default displays for the

default firewall behavior that the ZyWALL performs on traffic that does

not match any other firewall rule.

From

This is the direction of travel of packets to which the firewall rule applies.

Schedule This field tells you the schedule object that the rule uses. none means

the rule is active at all times if enabled.

User This is the user name or user group name to which this firewall rule

applies.

Source This displays the source address object to which this firewall rule applies.

Destination This displays the destination address object to which this firewall rule

applies.

Table 108 Configuration > Firewall (continued)

LABEL DESCRIPTION

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide 375

22.2.2 The Firewall Add/Edit Screen

In the Firewall screen, click the Edit or Add icon to display the Firewall Rule

Edit screen.

Figure 227 Configuration > Firewall > Add

The following table describes the labels in this screen.

Service This displays the service object to which this firewall rule applies.

Access This field displays whether the firewall silently discards packets (deny),

discards packets and sends a TCP reset packet to the sender (reject) or

permits the passage of packets (allow).

Log This field shows you whether a log (and alert) is created when packets

match this rule or not.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Table 108 Configuration > Firewall (continued)

LABEL DESCRIPTION

Table 109 Configuration > Firewall > Add

LABEL DESCRIPTION

Create new

Object

Use to configure any new settings objects that you need to use in this

screen.

Enable Select this check box to activate the firewall rule.

From

For through-ZyWALL rules, select the direction of travel of packets to

which the rule applies.

any means all interfaces or VPN tunnels.

ZyWALL means packets destined for the ZyWALL itself.

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

376

22.3 The Session Limit Screen

Click Configuration > Firewall > Session Limit to display the Firewall

Session Limit screen. Use this screen to limit the number of concurrent NAT/

firewall sessions a client can use. You can apply a default limit for all users and

Description Enter a descriptive name of up to 60 printable ASCII characters for the

firewall rule. Spaces are allowed.

Schedule Select a schedule that defines when the rule applies. Otherwise, select

none and the rule is always effective.

User This field is not available when you are configuring a to-ZyWALL rule.

Select a user name or user group to which to apply the rule. The firewall

rule is activated only when the specified user logs into the system and

the rule will be disabled when the user logs out.

Otherwise, select any and there is no need for user logging.

Note: If you specified a source IP address (group) instead of any in

the field below, the user’s IP address should be within the IP

address range.

Source Select a source address or address group for whom this rule applies.

Select any if the policy is effective for every source.

Destination Select a destination address or address group for whom this rule

applies. Select any if the policy is effective for every destination.

Service Select a service or service group from the drop-down list box.

Access Use the drop-down list box to select what the firewall is to do with

packets that match this rule.

Select deny to silently discard the packets without sending a TCP reset

packet or an ICMP destination-unreachable message to the sender.

Select reject to deny the packets and send a TCP reset packet to the

sender. Any UDP packets are dropped without sending a response

packet.

Select allow to permit the passage of the packets.

Log Select whether to have the ZyWALL generate a log (log), log and alert

(log alert) or not (no) when the rule is matched. See Chapter 46 on

page 731 for more on logs.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving.

Table 109 Configuration > Firewall > Add (continued)

LABEL DESCRIPTION

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide 377

individual limits for specific users, addresses, or both. The individual limit takes

priority if you apply both.

Figure 228 Configuration > Firewall > Session Limit

The following table describes the labels in this screen.

Table 110 Configuration > Firewall > Session Limit

LABEL DESCRIPTION

General

Settings

Enable Session

limit

Select this check box to control the number of concurrent sessions hosts

can have.

Default Session

per Host

Use this field to set a common limit to the number of concurrent NAT/

firewall sessions each client computer can have.

If only a few clients use peer to peer applications, you can raise this

number to improve their performance. With heavy peer to peer

application use, lower this number to ensure no single client uses too

many of the available NAT sessions.

Create rules below to apply other limits for specific users or addresses.

Rule Summary This table lists the rules for limiting the number of concurrent sessions

hosts can have.

Add Click this to create a new entry. Select an entry and click Add to create

a new entry after the selected entry.

Edit Double-click an entry or select it and click Edit to open a screen where

you can modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL confirms

you want to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Move To change a rule’s position in the numbered list, select the rule and click

Move to display a field to type a number for where you want to put that

rule and press [ENTER] to move the rule to the number that you typed.

The ordering of your rules is important as they are applied in order of

their numbering.

Status This icon is lit when the entry is active and dimmed when the entry is

inactive.

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

378

22.3.1 The Session Limit Add/Edit Screen

Click Configuration > Firewall > Session Limit and the Add or Edit icon to

display the Firewall Session Limit Edit screen. Use this screen to configure

rules that define a session limit for specific users or addresses.

Figure 229 Configuration > Firewall > Session Limit > Edit

The following table describes the labels in this screen.

# This is the index number of a session limit rule. It is not associated with

a specific rule.

User This is the user name or user group name to which this session limit rule

applies.

Address This is the address object to which this session limit rule applies.

Limit This is how many concurrent sessions this user or address is allowed to

have.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Table 110 Configuration > Firewall > Session Limit (continued)

LABEL DESCRIPTION

Table 111 Configuration > Firewall > Session Limit > Edit

LABEL DESCRIPTION

Create new

Object

Use to configure any new settings objects that you need to use in this

screen.

Enable Rule Select this check box to turn on this session limit rule.

Description Enter information to help you identify this rule. Use up to 64 printable

ASCII characters. Spaces are allowed.

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide 379

User Select a user name or user group to which to apply the rule. The rule is

activated only when the specified user logs into the system and the rule

will be disabled when the user logs out.

Otherwise, select any and there is no need for user logging.

Note: If you specified an IP address (or address group) instead of

any in the field below, the user’s IP address should be within

the IP address range.

Address Select a source address or address group for whom this rule applies.

Select any if the policy is effective for every source address.

Session Limit

per Host

Use this field to set a limit to the number of concurrent NAT/firewall

sessions this rule’s users or addresses can have.

For this rule’s users and addresses, this setting overrides the Default

Session per Host setting in the general Firewall Session Limit

screen.

OK Click OK to save your customized settings and exit this screen.

Cancel Click Cancel to exit this screen without saving.

Table 111 Configuration > Firewall > Session Limit > Edit (continued)

LABEL DESCRIPTION

Chapter 22 Firewall

ZyWALL USG 50 User’s Guide

380

ZyWALL USG 50 User’s Guide 381

CHAPTER 23

IPSec VPN

23.1 IPSec VPN Overview

A virtual private network (VPN) provides secure communications between sites

without the expense of leased site-to-site lines. A secure VPN is a combination of

tunneling, encryption, authentication, access control and auditing. It is used to

transport traffic over the Internet or any insecure network that uses TCP/IP for

communication.

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible

solutions for secure data communications across a public network like the

Internet. IPSec is built around a number of standardized cryptographic techniques

to provide confidentiality, data integrity and authentication at the IP layer. The

following figure is an example of an IPSec VPN tunnel.

Figure 230 IPSec VPN Example

The VPN tunnel connects the ZyWALL (X) and the remote (peer) IPSec router (Y).

These routers then connect the local network (A) and remote network (B).

23.1.1 What You Can Do in this Chapter

•Use the VPN Connection screens (see Section 23.2 on page 384) to specify

which VPN gateway a VPN connection policy uses and which devices (behind the

IPSec routers) can use the VPN tunnel and the IPSec SA settings (phase 2

settings). You can also activate / deactivate and connect / disconnect each VPN

connection (each IPSec SA).

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

382

•Use the VPN Gateway screens (see Section 23.2.1 on page 386) to manage

the ZyWALL’s VPN gateways. A VPN gateway specifies the IPSec routers at

either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can

also activate and deactivate each VPN gateway.

23.1.2 What You Need to Know

An IPSec VPN tunnel is usually established in two phases. Each phase establishes

a security association (SA), a contract indicating what security parameters the

ZyWALL and the remote IPSec router will use. The first phase establishes an

Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.

The second phase uses the IKE SA to securely establish an IPSec SA through

which the ZyWALL and remote IPSec router can send data between computers on

the local network and remote network. This is illustrated in the following figure.

Figure 231 VPN: IKE SA and IPSec SA

In this example, a computer in network A is exchanging data with a computer in

network B. Inside networks A and B, the data is transmitted the same way data is

normally transmitted in the networks. Between routers X and Y, the data is

protected by tunneling, encryption, authentication, and other security features of

the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE

SA first.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 383

Application Scenarios

The ZyWALL’s application scenarios make it easier to configure your VPN

connection settings.

Finding Out More

• See Section 6.5.15 on page 104 for related information on these screens.

Table 112 IPSec VPN Application Scenarios

SITE-TO-SITE SITE-TO-SITE WITH

DYNAMIC PEER REMOTE ACCESS

(SERVER ROLE) REMOTE ACCESS

(CLIENT ROLE)

Choose this if the

remote IPSec router

has a static IP

address or a domain

name.

This ZyWALL can

initiate the VPN

tunnel.

The remote IPSec

router can also

initiate the VPN

tunnel if this ZyWALL

has a static IP

address or a domain

name.

Choose this if the

remote IPSec router

has a dynamic IP

address.

You don’t specify the

remote IPSec

router’s address, but

you specify the

remote policy (the

addresses of the

devices behind the

remote IPSec

router).

This ZyWALL must

have a static IP

address or a domain

name.

Only the remote

IPSec router can

initiate the VPN

tunnel.

Choose this to allow

incoming

connections from

IPSec VPN clients.

The clients have

dynamic IP

addresses and are

also known as dial-in

users.

You don’t specify the

addresses of the

client IPSec routers

or the remote policy.

This creates a

dynamic IPSec VPN

rule that can let

multiple clients

connect.

Only the clients can

initiate the VPN

tunnel.

Choose this to

connect to an IPSec

server.

This ZyWALL is the

client (dial-in user).

Client role ZyWALLs

initiate IPSec VPN

connections to a

server role ZyWALL.

This ZyWALL can

have a dynamic IP

address.

The IPSec server

doesn’t configure

this ZyWALL’s IP

address or the

addresses of the

devices behind it.

Only this ZyWALL

can initiate the VPN

tunnel.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

384

• See Section 23.4 on page 405 for IPSec VPN background information.

• See Section 5.4 on page 78 for the IPSec VPN quick setup wizard.

• See Section 7.4 on page 120 for an example of configuring IPSec VPN.

23.1.3 Before You Begin

This section briefly explains the relationship between VPN tunnels and other

features. It also gives some basic suggestions for troubleshooting.

You should set up the following features before you set up the VPN tunnel.

• In any VPN connection, you have to select address objects to specify the local

policy and remote policy. You should set up the address objects first.

• In a VPN gateway, you can select an Ethernet interface, virtual Ethernet

interface, VLAN interface, or virtual VLAN interface to specify what address the

ZyWALL uses as its IP address when it establishes the IKE SA. You should set up

the interface first. See Chapter 11 on page 221.

• In a VPN gateway, you can enable extended authentication. If the ZyWALL is in

server mode, you should set up the authentication method (AAA server) first.

The authentication method specifies how the ZyWALL authenticates the remote

IPSec router. See Chapter 39 on page 625.

• In a VPN gateway, the ZyWALL and remote IPSec router can use certificates to

authenticate each other. Make sure the ZyWALL and the remote IPSec router

will trust each other’s certificates. See Chapter 41 on page 641.

23.2 The VPN Connection Screen

Click Configuration > VPN > IPSec VPN to open the VPN Connection screen.

The VPN Connection screen lists the VPN connection policies and their

associated VPN gateway(s), and various settings. In addition, it also lets you

activate / deactivate and connect / disconnect each VPN connection (each IPSec

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 385

SA). Click a column’s heading cell to sort the table entries by that column’s

criteria. Click the heading cell again to reverse the sort order.

Figure 232 Configuration > VPN > IPSec VPN > VPN Connection

Each field is discussed in the following table. See Section 23.2.2 on page 393 and

Section 23.2.1 on page 386 for more information.

Table 113 Configuration > VPN > IPSec VPN > VPN Connection

LABEL DESCRIPTION

Use Policy

Route to

control

dynamic

IPSec rules

Select this to be able to use policy routes to manually specify the

destination addresses of dynamic IPSec rules. You must manually create

these policy routes. The ZyWALL automatically obtains source and

destination addresses for dynamic IPSec rules that do not match any of

the policy routes.

Clear this to have the ZyWALL automatically obtain source and

destination addresses for all dynamic IPSec rules.

See Section 6.4.1 on page 95 for how this option affects the routing table.

Add Click this to create a new entry.

Edit Double-click an entry or select it and click Edit to open a screen where

you can modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL confirms

you want to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Connect To connect an IPSec SA, select it and click Connect.

Disconnect To disconnect an IPSec SA, select it and click Disconnect.

# This field is a sequential value, and it is not associated with a specific

connection.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

386

23.2.1 The VPN Connection Add/Edit (IKE) Screen

The VPN Connection Add/Edit Gateway screen allows you to create a new VPN

connection policy or edit an existing one. To access this screen, go to the

Configuration > VPN Connection screen (see Section 23.2 on page 384), and

click either the Add icon or an Edit icon. If you click the Add icon, you have to

select a specific VPN gateway in the VPN Gateway field before the following

screen appears.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

The connect icon is lit when the interface is connected and dimmed when

it is disconnected.

Name This field displays the name of the IPSec SA.

VPN Gateway This field displays the associated VPN gateway(s). If there is no VPN

gateway, this field displays “manual key”.

Encapsulation This field displays what encapsulation the IPSec SA uses.

Algorithm This field displays what encryption and authentication methods,

respectively, the IPSec SA uses.

Policy This field displays the local policy and the remote policy, respectively.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Table 113 Configuration > VPN > IPSec VPN > VPN Connection (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 387

Figure 233 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE)

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

388

Each field is described in the following table.

Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Edit

LABEL DESCRIPTION

Show Advance

Settings / Hide

Advance Settings

Click this button to display a greater or lesser number of

configuration fields.

Create new

Object

Use to configure any new settings objects that you need to use in this

screen.

General Settings

Enable Select this check box to activate this VPN connection.

Connection

Name Type the name used to identify this IPSec SA. You may use 1-31

alphanumeric characters, underscores(_), or dashes (-), but the first

character cannot be a number. This value is case-sensitive.

Nailed-Up Select this if you want the ZyWALL to automatically renegotiate the

IPSec SA when the SA life time expires.

Enable Replay

Detection Select this check box to detect and reject old or duplicate packets to

protect against Denial-of-Service attacks.

Enable

NetBIOS

Broadcast over

IPSec

Select this check box if you the ZyWALL to send NetBIOS (Network

Basic Input/Output System) packets through the IPSec SA.

NetBIOS packets are TCP or UDP packets that enable a computer to

connect to and communicate with a LAN. It may sometimes be

necessary to allow NetBIOS packets to pass through IPSec SAs in

order to allow local computers to find computers on the remote

network and vice versa.

VPN Gateway

Application

Scenario Select the scenario that best describes your intended VPN connection.

Site-to-site - Choose this if the remote IPSec router has a static IP

address or a domain name. This ZyWALL can initiate the VPN tunnel.

Site-to-site with Dynamic Peer - Choose this if the remote IPSec

router has a dynamic IP address. Only the remote IPSec router can

initiate the VPN tunnel.

Remote Access (Server Role) - Choose this to allow incoming

connections from IPSec VPN clients. The clients have dynamic IP

addresses and are also known as dial-in users. Only the clients can

initiate the VPN tunnel.

Remote Access (Client Role) - Choose this to connect to an IPSec

server. This ZyWALL is the client (dial-in user) and can initiate the

VPN tunnel.

VPN Gateway Select the VPN gateway this VPN connection is to use or select

Create Object to add another VPN gateway for this VPN connection

to use.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 389

Manual Key Select this option to configure a VPN connection policy that uses a

manual key instead of IKE key management. This may be useful if

you have problems with IKE key management. See Section 23.2.2 on

page 393 for how to configure the manual key fields.

Note: Only use manual key as a temporary solution, because it is

not as secure as a regular IPSec SA.

Policy

Local Policy Select the address corresponding to the local network. Use Create

new Object if you need to configure a new one.

Remote Policy Select the address corresponding to the remote network. Use Create

new Object if you need to configure a new one.

Policy

Enforcement Clear this to allow traffic with source and destination IP addresses

that do not match the local and remote policy to use the VPN tunnel.

Leave this cleared for free access between the local and remote

networks.

Selecting this restricts who can use the VPN tunnel. The ZyWALL

drops traffic with source and destination IP addresses that do not

match the local and remote policy.

Phase 2 Settings

SA Life Time Type the maximum number of seconds the IPSec SA can last. Shorter

life times provide better security. The ZyWALL automatically

negotiates a new IPSec SA before the current one expires, if there are

users who are accessing remote resources.

Active Protocol Select which protocol you want to use in the IPSec SA. Choices are:

AH (RFC 2402) - provides integrity, authentication, sequence

integrity (replay resistance), and non-repudiation but not encryption.

If you select AH, you must select an Authentication algorithm.

ESP (RFC 2406) - provides encryption and the same services offered

by AH, but its authentication is weaker. If you select ESP, you must

select an Encryption algorithm and Authentication algorithm.

Both AH and ESP increase processing requirements and latency

(delay).

The ZyWALL and remote IPSec router must use the same active

protocol.

Encapsulation Select which type of encapsulation the IPSec SA uses. Choices are

Tunnel - this mode encrypts the IP header information and the data.

Transport - this mode only encrypts the data.

The ZyWALL and remote IPSec router must use the same

encapsulation.

Proposal

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

390

Remove Select an entry and click this to delete it.

# This field is a sequential value, and it is not associated with a specific

proposal. The sequence of proposals should not affect performance

significantly.

Encryption This field is applicable when the Active Protocol is ESP. Select which

key size and encryption algorithm to use in the IPSec SA. Choices

are:

NULL - no encryption key or algorithm

DES - a 56-bit key with the DES encryption algorithm

3DES - a 168-bit key with the DES encryption algorithm

AES128 - a 128-bit key with the AES encryption algorithm

AES192 - a 192-bit key with the AES encryption algorithm

AES256 - a 256-bit key with the AES encryption algorithm

The ZyWALL and the remote IPSec router must both have at least one

proposal that uses use the same encryption and the same key.

Longer keys are more secure, but require more processing power,

resulting in increased latency and decreased throughput.

Authentication Select which hash algorithm to use to authenticate packet data in the

IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered

stronger than MD5, but it is also slower.

The ZyWALL and the remote IPSec router must both have a proposal

that uses the same authentication algorithm.

Perfect

Forward

Secrecy (PFS)

Select whether or not you want to enable Perfect Forward Secrecy

(PFS) and, if you do, which Diffie-Hellman key group to use for

encryption. Choices are:

none - disable PFS

DH1 - enable PFS and use a 768-bit random number

DH2 - enable PFS and use a 1024-bit random number

DH5 - enable PFS and use a 1536-bit random number

PFS changes the root key that is used to generate encryption keys for

each IPSec SA. The longer the key, the more secure the encryption,

but also the longer it takes to encrypt and decrypt information. Both

routers must use the same DH key group.

Related Settings

Add this VPN

connection to

IPSec_VPN zone.

Select this check box to add the VPN connection policy to the IPSec_VPN

security zone. Any security rules or settings configured for the IPSec_VPN

security zone will also apply to this VPN connection policy.

Connectivity

Check

The ZyWALL can regularly check the VPN connection to the gateway

you specified to make sure it is still available.

Enable

Connectivity

Check

Select this to turn on the VPN connection check.

Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 391

Check Method Select how the ZyWALL checks the connection. The peer must be

configured to respond to the method you select.

Select icmp to have the ZyWALL regularly ping the address you

specify to make sure traffic can still go through the connection. You

may need to configure the peer to respond to pings.

Select tcp to have the ZyWALL regularly perform a TCP handshake

with the address you specify to make sure traffic can still go through

the connection. You may need to configure the peer to accept the TCP

connection.

Check Port This field displays when you set the Check Method to tcp. Specify

the port number to use for a TCP connectivity check.

Check Period Enter the number of seconds between connection check attempts.

Check Timeout Enter the number of seconds to wait for a response before the

attempt is a failure.

Check Fail

Toleran ce Enter the number of consecutive failures allowed before the ZyWALL

disconnects the VPN tunnel. The ZyWALL resumes using the first peer

gateway address when the VPN connection passes the connectivity

check.

Check this

Address Select this to specify a domain name or IP address for the

connectivity check. Enter that domain name or IP address in the field

next to it.

Check the First

and Last IP

Address in the

Remote Policy

Select this to have the ZyWALL check the connection to the first and

last IP addresses in the connection’s remote policy. Make sure one of

these is the peer gateway’s LAN IP address.

Log Select this to have the ZyWALL generate a log every time it checks

this VPN connection.

Inbound/

Outbound traffic

NAT

Outbound Traffic

Source NAT This translation hides the source address of computers in the local

network. It may also be necessary if you want the ZyWALL to route

packets from computers outside the local network through the IPSec

SA.

Source Select the address object that represents the original source address

(or select Create Object to configure a new one). This is the address

object for the computer or network outside the local network. The

size of the original source address range (Source) must be equal to

the size of the translated source address range (SNAT).

Destination Select the address object that represents the original destination

address (or select Create Object to configure a new one). This is the

address object for the remote network.

SNAT Select the address object that represents the translated source

address (or select Create Object to configure a new one). This is the

address object for the local network. The size of the original source

address range (Source) must be equal to the size of the translated

source address range (SNAT).

Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

392

Inbound Traffic

Source NAT This translation hides the source address of computers in the remote

network.

Source Select the address object that represents the original source address

(or select Create Object to configure a new one). This is the address

object for the remote network. The size of the original source address

range (Source) must be equal to the size of the translated source

address range (SNAT).

Destination Select the address object that represents the original destination

address (or select Create Object to configure a new one). This is the

address object for the local network.

SNAT Select the address object that represents the translated source

address (or select Create Object to configure a new one). This is the

address that hides the original source address. The size of the original

source address range (Source) must be equal to the size of the

translated source address range (SNAT).

Destination

NAT This translation forwards packets (for example, mail) from the remote

network to a specific computer (for example, the mail server) in the

local network.

Add Click this to create a new entry. Select an entry and click Add to

create a new entry after the selected entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Move To change an entry’s position in the numbered list, select it and click

Move to display a field to type a number for where you want to put

that entry and press [ENTER] to move the entry to the number that

you typed.

# This field is a sequential value, and it is not associated with a specific

NAT record. However, the order of records is the sequence in which

conditions are checked and executed.

Original IP Select the address object that represents the original destination

address. This is the address object for the remote network.

Mapped IP Select the address object that represents the desired destination

address. For example, this is the address object for the mail server.

Protocol Select the protocol required to use this translation. Choices are: TCP,

UDP, or All.

Original Port

Start / Original

Port End

These fields are available if the protocol is TCP or UDP. Enter the

original destination port or range of original destination ports. The

size of the original port range must be the same size as the size of

the mapped port range.

Mapped Port

Start / Mapped

Port End

These fields are available if the protocol is TCP or UDP. Enter the

translated destination port or range of translated destination ports.

The size of the original port range must be the same size as the size

of the mapped port range.

OK Click OK to save the changes.

Cancel Click Cancel to discard all changes and return to the main VPN

screen.

Table 114 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 393

23.2.2 The VPN Connection Add/Edit Manual Key Screen

The VPN Connection Add/Edit Manual Key screen allows you to create a new

VPN connection or edit an existing one using a manual key. This is useful if you

have problems with IKE key management. To access this screen, go to the VPN

Connection summary screen (see Section 23.2 on page 384), and click either

the Add icon or an existing manual key entry’s Edit icon. In the VPN Gateway

section of the screen, select Manual Key.

Note: Only use manual key as a temporary solution, because it is not as secure as a

regular IPSec SA.

Figure 234 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual

Key

This table describes labels specific to manual key configuration. See Section 23.2

on page 384 for descriptions of the other fields.

Table 115 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual

Key

LABEL DESCRIPTION

Manual Key

My Address Type the IP address of the ZyWALL in the IPSec SA. 0.0.0.0 is invalid.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

394

Secure

Gateway

Address

Type the IP address of the remote IPSec router in the IPSec SA.

SPI Type a unique SPI (Security Parameter Index) between 256 and 4095.

The SPI is used to identify the ZyWALL during authentication.

The ZyWALL and remote IPSec router must use the same SPI.

Encapsulation

Mode Select which type of encapsulation the IPSec SA uses. Choices are

Tunnel - this mode encrypts the IP header information and the data

Transport - this mode only encrypts the data. You should only select

this if the IPSec SA is used for communication between the ZyWALL

and remote IPSec router.

If you select Transport mode, the ZyWALL automatically switches to

Tunnel mode if the IPSec SA is not used for communication between

the ZyWALL and remote IPSec router. In this case, the ZyWALL

generates a log message for this change.

The ZyWALL and remote IPSec router must use the same

encapsulation.

Active Protocol Select which protocol you want to use in the IPSec SA. Choices are:

AH (RFC 2402) - provides integrity, authentication, sequence integrity

(replay resistance), and non-repudiation but not encryption. If you

select AH, you must select an Authentication Algorithm.

ESP (RFC 2406) - provides encryption and the same services offered

by AH, but its authentication is weaker. If you select ESP, you must

select an Encryption Algorithm and Authentication Algorithm.

The ZyWALL and remote IPSec router must use the same protocol.

Encryption

Algorithm This field is applicable when the Active Protocol is ESP. Select which

key size and encryption algorithm to use in the IPSec SA. Choices are:

NULL - no encryption key or algorithm

DES - a 56-bit key with the DES encryption algorithm

3DES - a 168-bit key with the DES encryption algorithm

AES128 - a 128-bit key with the AES encryption algorithm

AES192 - a 192-bit key with the AES encryption algorithm

AES256 - a 256-bit key with the AES encryption algorithm

The ZyWALL and the remote IPSec router must use the same

algorithm and key. Longer keys require more processing power,

resulting in increased latency and decreased throughput.

Authentication

Algorithm Select which hash algorithm to use to authenticate packet data in the

IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered

stronger than MD5, but it is also slower.

The ZyWALL and remote IPSec router must use the same algorithm.

Table 115 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual

Key (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 395

Encryption Key This field is applicable when you select an Encryption Algorithm.

Enter the encryption key, which depends on the encryption algorithm.

DES - type a unique key 8-32 characters long

3DES - type a unique key 24-32 characters long

AES128 - type a unique key 16-32 characters long

AES192 - type a unique key 24-32 characters long

AES256 - type a unique key 32 characters long

You can use any alphanumeric characters or

,;|`~!@#$%^&*()_+\{}':./<>=-".

If you want to enter the key in hexadecimal, type “0x” at the beginning

of the key. For example, "0x0123456789ABCDEF" is in hexadecimal

format; in “0123456789ABCDEF” is in ASCII format. If you use

hexadecimal, you must enter twice as many characters as listed

above.

The remote IPSec router must have the same encryption key.

The ZyWALL ignores any characters above the minimum number of

characters required by the algorithm. For example, if you enter

1234567890XYZ for a DES encryption key, the ZyWALL only uses

12345678. The ZyWALL still stores the longer key.

Authentication

Key Enter the authentication key, which depends on the authentication

algorithm.

MD5 - type a unique key 16-20 characters long

SHA1 - type a unique key 20 characters long

You can use any alphanumeric characters or

,;|`~!@#$%^&*()_+\{}':./<>=-". If you want to enter the key in

hexadecimal, type “0x” at the beginning of the key. For example,

"0x0123456789ABCDEF" is in hexadecimal format; in

“0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you

must enter twice as many characters as listed above.

The remote IPSec router must have the same authentication key.

The ZyWALL ignores any characters above the minimum number of

characters required by the algorithm. For example, if you enter

12345678901234567890 for a MD5 authentication key, the ZyWALL

only uses 1234567890123456. The ZyWALL still stores the longer key.

OK Click OK to save your settings and exit this screen.

Cancel Click Cancel to exit this screen without saving.

Table 115 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual

Key (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

396

23.3 The VPN Gateway Screen

The VPN Gateway summary screen displays the IPSec VPN gateway policies in

the ZyWALL, as well as the ZyWALL’s address, remote IPSec router’s address, and

associated VPN connections for each one. In addition, it also lets you activate and

deactivate each VPN gateway.

To access this screen, click Configuration > VPN > Network > IPSec VPN >

VPN Gateway. The following screen appears.

Figure 235 Configuration > VPN > IPSec VPN > VPN Gateway

Each field is discussed in the following table. See Section 23.3.1 on page 397 for

more information.

Table 116 Configuration > VPN > IPSec VPN > VPN Gateway

LABEL DESCRIPTION

Add Click this to create a new entry.

Edit Double-click an entry or select it and click Edit to open a screen where

you can modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL confirms

you want to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Object

References

Select an entry and click Object References to open a screen that

shows which settings use the entry. See Section 11.3.2 on page 236

for an example.

# This field is a sequential value, and it is not associated with a specific

VPN gateway.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

Name This field displays the name of the VPN gateway

My address This field displays the interface or a domain name the ZyWALL uses for

the VPN gateway.

Secure Gateway This field displays the IP address(es) of the remote IPSec routers.

VPN Connection This field displays VPN connections that use this VPN gateway.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 397

23.3.1 The VPN Gateway Add/Edit Screen

The VPN Gateway Add/Edit screen allows you to create a new VPN gateway

policy or edit an existing one. To access this screen, go to the VPN Gateway

summary screen (see Section 23.3 on page 396), and click either the Add icon or

an Edit icon.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Table 116 Configuration > VPN > IPSec VPN > VPN Gateway (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

398

Figure 236 Configuration > VPN > IPSec VPN > VPN Gateway > Edit

Each field is described in the following table.

Table 117 Configuration > VPN > IPSec VPN > VPN Gateway > Edit

LABEL DESCRIPTION

Show Advance

Settings / Hide

Advance Settings

Click this button to display a greater or lesser number of

configuration fields.

General Settings

VPN Gateway

Name Type the name used to identify this VPN gateway. You may use 1-31

alphanumeric characters, underscores(_), or dashes (-), but the first

character cannot be a number. This value is case-sensitive.

Gateway Settings

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 399

My Address Select how the IP address of the ZyWALL in the IKE SA is defined.

If you select Interface, select the Ethernet interface, VLAN

interface, virtual Ethernet interface, virtual VLAN interface or PPPoE/

PPTP interface. The IP address of the ZyWALL in the IKE SA is the IP

address of the interface.

If you select Domain Name / IP, enter the domain name or the IP

address of the ZyWALL. The IP address of the ZyWALL in the IKE SA

is the specified IP address or the IP address corresponding to the

domain name. 0.0.0.0 is invalid.

Peer Gateway

Address Select how the IP address of the remote IPSec router in the IKE SA is

defined.

Select Static Address to enter the domain name or the IP address

of the remote IPSec router. You can provide a second IP address or

domain name for the ZyWALL to try if it cannot establish an IKE SA

with the first one.

Select Dynamic Address if the remote IPSec router has a dynamic

IP address (and does not use DDNS).

Authentication Note: The ZyWALL and remote IPSec router must use the

same authentication method to establish the IKE SA.

Pre-Shared

Key Select this to have the ZyWALL and remote IPSec router use a pre-

shared key (password) to identify each other when they negotiate

the IKE SA. Type the pre-shared key in the field to the right. The pre-

shared key can be

• 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}':./

<>=-".

• 8 - 32 pairs of hexadecimal (0-9, A-F) characters, preceded by

“0x”.

If you want to enter the key in hexadecimal, type “0x” at the

beginning of the key. For example, "0x0123456789ABCDEF" is in

hexadecimal format; in “0123456789ABCDEF” is in ASCII format. If

you use hexadecimal, you must enter twice as many characters since

you need to enter pairs.

The ZyWALL and remote IPSec router must use the same pre-shared

key.

Table 117 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

400

Certificate Select this to have the ZyWALL and remote IPSec router use

certificates to authenticate each other when they negotiate the IKE

SA. Then select the certificate the ZyWALL uses to identify itself to

the remote IPsec router.

This certificate is one of the certificates in My Certificates. If this

certificate is self-signed, import it into the remote IPsec router. If

this certificate is signed by a CA, the remote IPsec router must trust

that CA.

Note: The IPSec routers must trust each other’s certificates.

The ZyWALL uses one of its Trusted Certificates to authenticate

the remote IPSec router’s certificate. The trusted certificate can be a

self-signed certificate or that of a trusted CA that signed the remote

IPSec router’s certificate.

Local ID Type This field is read-only if the ZyWALL and remote IPSec router use

certificates to identify each other. Select which type of identification

is used to identify the ZyWALL during authentication. Choices are:

IP - the ZyWALL is identified by an IP address

DNS - the ZyWALL is identified by a domain name

E-mail - the ZyWALL is identified by an e-mail address

Content This field is read-only if the ZyWALL and remote IPSec router use

certificates to identify each other. Type the identity of the ZyWALL

during authentication. The identity depends on the Local ID Type.

IP - type an IP address; if you type 0.0.0.0, the ZyWALL uses the IP

address specified in the My Address field. This is not recommended

in the following situations:

• There is a NAT router between the ZyWALL and remote IPSec

router.

• You want the remote IPSec router to be able to distinguish

between IPSec SA requests that come from IPSec routers with

dynamic WAN IP addresses.

In these situations, use a different IP address, or use a different

Local ID Type.

DNS - type the domain name; you can use up to 31 ASCII

characters including spaces, although trailing spaces are truncated.

This value is only used for identification and can be any string.

E-mail - the ZyWALL is identified by an e-mail address; you can use

up to 31 ASCII characters including spaces, although trailing spaces

are truncated. This value is only used for identification and can be

any string.

Table 117 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 401

Peer ID Type Select which type of identification is used to identify the remote

IPSec router during authentication. Choices are:

IP - the remote IPSec router is identified by an IP address

DNS - the remote IPSec router is identified by a domain name

E-mail - the remote IPSec router is identified by an e-mail address

Any - the ZyWALL does not check the identity of the remote IPSec

router

If the ZyWALL and remote IPSec router use certificates, there is one

more choice.

Subject Name - the remote IPSec router is identified by the subject

name in the certificate

Table 117 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

402

Content This field is disabled if the Peer ID Type is Any. Type the identity of

the remote IPSec router during authentication. The identity depends

on the Peer ID Type.

If the ZyWALL and remote IPSec router do not use certificates,

IP - type an IP address; see the note at the end of this description.

DNS - type the domain name; you can use up to 31 ASCII

characters including spaces, although trailing spaces are truncated.

This value is only used for identification and can be any string.

E-mail - the ZyWALL is identified by an e-mail address; you can use

up to 31 ASCII characters including spaces, although trailing spaces

are truncated. This value is only used for identification and can be

any string.

If the ZyWALL and remote IPSec router use certificates, type the

following fields from the certificate used by the remote IPSec router.

IP - subject alternative name field; see the note at the end of this

description.

DNS - subject alternative name field

E-mail - subject alternative name field

Subject Name - subject name (maximum 255 ASCII characters,

including spaces)

Note: If Peer ID Type is IP, please read the rest of this section.

If you type 0.0.0.0, the ZyWALL uses the IP address specified in the

Secure Gateway Address field. This is not recommended in the

following situations:

• There is a NAT router between the ZyWALL and remote IPSec

router.

• You want the remote IPSec router to be able to distinguish

between IPSec SA requests that come from IPSec routers with

dynamic WAN IP addresses.

In these situations, use a different IP address, or use a different

Peer ID Type.

Phase 1 Settings

SA Life Time

(Seconds) Type the maximum number of seconds the IKE SA can last. When

this time has passed, the ZyWALL and remote IPSec router have to

update the encryption and authentication keys and re-negotiate the

IKE SA. This does not affect any existing IPSec SAs, however.

Table 117 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 403

Negotiation

Mode Select the negotiation mode to use to negotiate the IKE SA. Choices

are

Main - this encrypts the ZyWALL’s and remote IPSec router’s

identities but takes more time to establish the IKE SA

Aggressive - this is faster but does not encrypt the identities

The ZyWALL and the remote IPSec router must use the same

negotiation mode.

Proposal

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

# This field is a sequential value, and it is not associated with a specific

proposal. The sequence of proposals should not affect performance

significantly.

Encryption Select which key size and encryption algorithm to use in the IKE SA.

Choices are:

DES - a 56-bit key with the DES encryption algorithm

3DES - a 168-bit key with the DES encryption algorithm

AES128 - a 128-bit key with the AES encryption algorithm

AES192 - a 192-bit key with the AES encryption algorithm

AES256 - a 256-bit key with the AES encryption algorithm

The ZyWALL and the remote IPSec router must use the same key

size and encryption algorithm. Longer keys require more processing

power, resulting in increased latency and decreased throughput.

Authentication Select which hash algorithm to use to authenticate packet data in

the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally

considered stronger than MD5, but it is also slower.

The remote IPSec router must use the same authentication

algorithm.

Key Group Select which Diffie-Hellman key group (DHx) you want to use for

encryption keys. Choices are:

DH1 - use a 768-bit random number

DH2 - use a 1024-bit random number

DH5 - use a 1536-bit random number

The longer the key, the more secure the encryption, but also the

longer it takes to encrypt and decrypt information. Both routers

must use the same DH key group.

Table 117 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

404

NAT Traversal Select this if any of these conditions are satisfied.

• This IKE SA might be used to negotiate IPSec SAs that use ESP as

the active protocol.

• There are one or more NAT routers between the ZyWALL and

remote IPSec router, and these routers do not support IPSec

pass-thru or a similar feature.

The remote IPSec router must also enable NAT traversal, and the

NAT routers have to forward packets with UDP port 500 and UDP

4500 headers unchanged.

Dead Peer

Detection

(DPD)

Select this check box if you want the ZyWALL to make sure the

remote IPSec router is there before it transmits data through the IKE

SA. The remote IPSec router must support DPD. If there has been no

traffic for at least 15 seconds, the ZyWALL sends a message to the

remote IPSec router. If the remote IPSec router responds, the

ZyWALL transmits the data. If the remote IPSec router does not

respond, the ZyWALL shuts down the IKE SA.

If the remote IPSec router does not support DPD, see if you can use

the VPN connection connectivity check (see Section 23.2.1 on page

386).

More Settings/

Less Settings

Click this button to show or hide the Extended Authentication

fields.

Extended

Authentication

When multiple IPSec routers use the same VPN tunnel to connect to

a single VPN tunnel (telecommuters sharing a tunnel for example),

use extended authentication to enforce a user name and password

check. This way even though they all know the VPN tunnel’s security

settings, each still has to provide a unique user name and password.

Enable Extended

Authentication

Select this if one of the routers (the ZyWALL or the remote IPSec

router) verifies a user name and password from the other router

using the local user database and/or an external server.

Server Mode Select this if the ZyWALL authenticates the user name and password

from the remote IPSec router. You also have to select the

authentication method, which specifies how the ZyWALL

authenticates this information.

Client Mode Select this radio button if the ZyWALL provides a username and

password to the remote IPSec router for authentication. You also

have to provide the User Name and the Password.

User Name This field is required if the ZyWALL is in Client Mode for extended

authentication. Type the user name the ZyWALL sends to the remote

IPSec router. The user name can be 1-31 ASCII characters. It is

case-sensitive, but spaces are not allowed.

Password This field is required if the ZyWALL is in Client Mode for extended

authentication. Type the password the ZyWALL sends to the remote

IPSec router. The password can be 1-31 ASCII characters. It is case-

sensitive, but spaces are not allowed.

OK Click OK to save your settings and exit this screen.

Cancel Click Cancel to exit this screen without saving.

Table 117 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)

LABEL DESCRIPTION

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 405

23.4 IPSec VPN Background Information

Here is some more detailed IPSec VPN background information.

IKE SA Overview

The IKE SA provides a secure connection between the ZyWALL and remote IPSec

router.

It takes several steps to establish an IKE SA. The negotiation mode determines

how many. There are two negotiation modes--main mode and aggressive mode.

Main mode provides better security, while aggressive mode is faster.

Note: Both routers must use the same negotiation mode.

These modes are discussed in more detail in Negotiation Mode on page 409. Main

mode is used in various examples in the rest of this section.

IP Addresses of the ZyWALL and Remote IPSec Router

To set up an IKE SA, you have to specify the IP addresses of the ZyWALL and

remote IPSec router. You can usually enter a static IP address or a domain name

for either or both IP addresses. Sometimes, your ZyWALL might offer another

alternative, such as using the IP address of a port or interface, as well.

You can also specify the IP address of the remote IPSec router as 0.0.0.0. This

means that the remote IPSec router can have any IP address. In this case, only

the remote IPSec router can initiate an IKE SA because the ZyWALL does not

know the IP address of the remote IPSec router. This is often used for

telecommuters.

IKE SA Proposal

The IKE SA proposal is used to identify the encryption algorithm, authentication

algorithm, and Diffie-Hellman (DH) key group that the ZyWALL and remote IPSec

router use in the IKE SA. In main mode, this is done in steps 1 and 2, as

illustrated next.

Figure 237 IKE SA: Main Negotiation Mode, Steps 1 - 2: IKE SA Proposal

One or more proposals, each one consisting of:

- encryption algorithm

- authentication algorithm

- Diffie-Hellman key group

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

406

The ZyWALL sends one or more proposals to the remote IPSec router. (In some

devices, you can only set up one proposal.) Each proposal consists of an

encryption algorithm, authentication algorithm, and DH key group that the

ZyWALL wants to use in the IKE SA. The remote IPSec router selects an

acceptable proposal and sends the accepted proposal back to the ZyWALL. If the

remote IPSec router rejects all of the proposals, the ZyWALL and remote IPSec

router cannot establish an IKE SA.

Note: Both routers must use the same encryption algorithm, authentication algorithm,

and DH key group.

In most ZyWALLs, you can select one of the following encryption algorithms for

each proposal. The algorithms are listed in order from weakest to strongest.

• Data Encryption Standard (DES) is a widely used method of data encryption. It

applies a 56-bit key to each 64-bit block of data.

• Triple DES (3DES) is a variant of DES. It iterates three times with three separate

keys, effectively tripling the strength of DES.

• Advanced Encryption Standard (AES) is a newer method of data encryption that

also uses a secret key. AES applies a 128-bit key to 128-bit blocks of data. It is

faster than 3DES.

Some ZyWALLs also offer stronger forms of AES that apply 192-bit or 256-bit keys

to 128-bit blocks of data.

In most ZyWALLs, you can select one of the following authentication algorithms

for each proposal. The algorithms are listed in order from weakest to strongest.

• MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.

• SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet

data.

See Diffie-Hellman (DH) Key Exchange on page 406 for more information about

DH key groups.

Diffie-Hellman (DH) Key Exchange

The ZyWALL and the remote IPSec router use DH public-key cryptography to

establish a shared secret. The shared secret is then used to generate encryption

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 407

keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as

illustrated next.

Figure 238 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange

DH public-key cryptography is based on DH key groups. Each key group is a fixed

number of bits long. The longer the key, the more secure the encryption, but also

the longer it takes to encrypt and decrypt information. For example, DH2 keys

(1024 bits) are more secure than DH1 keys (768 bits), but DH2 keys take longer

to encrypt and decrypt.

Authentication

Before the ZyWALL and remote IPSec router establish an IKE SA, they have to

verify each other’s identity. This process is based on pre-shared keys and router

identities.

In main mode, the ZyWALL and remote IPSec router authenticate each other in

steps 5 and 6, as illustrated below. The identities are also encrypted using the

encryption algorithm and encryption key the ZyWALL and remote IPSec router

selected in previous steps.

Figure 239 IKE SA: Main Negotiation Mode, Steps 5 - 6: Authentication (continued)

You have to create (and distribute) a pre-shared key. The ZyWALL and remote

IPSec router use it in the authentication process, though it is not actually

transmitted or exchanged.

Note: The ZyWALL and the remote IPSec router must use the same pre-shared key.

Diffie-Hellman key exchange

Step 5:

pre-shared key

ZyWALL identity, consisting of

- ID type

- content

Step 6:

pre-shared key

Remote IPSec router identity, consisting of

- ID type

- content

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

408

Router identity consists of ID type and content. The ID type can be domain name,

IP address, or e-mail address, and the content is a (properly-formatted) domain

name, IP address, or e-mail address. The content is only used for identification.

Any domain name or e-mail address that you enter does not have to actually

exist. Similarly, any domain name or IP address that you enter does not have to

correspond to the ZyWALL’s or remote IPSec router’s properties.

The ZyWALL and the remote IPSec router have their own identities, so both of

them must store two sets of information, one for themselves and one for the other

router. Local ID type and content refers to the ID type and content that applies to

the router itself, and peer ID type and content refers to the ID type and content

that applies to the other router.

Note: The ZyWALL’s local and peer ID type and content must match the remote

IPSec router’s peer and local ID type and content, respectively.

For example, in Table 118 on page 408, the ZyWALL and the remote IPSec router

authenticate each other successfully. In contrast, in Table 119 on page 408, the

ZyWALL and the remote IPSec router cannot authenticate each other and,

therefore, cannot establish an IKE SA.

It is also possible to configure the ZyWALL to ignore the identity of the remote

IPSec router. In this case, you usually set the peer ID type to Any. This is less

secure, so you should only use this if your ZyWALL provides another way to check

Table 118 VPN Example: Matching ID Type and Content

ZYWALL REMOTE IPSEC ROUTER

Local ID type: E-mail Local ID type: IP

Local ID content: tom@yourcompany.com Local ID content: 1.1.1.2

Peer ID type: IP Peer ID type: E-mail

Peer ID content: 1.1.1.2 Peer ID content: tom@yourcompany.com

Table 119 VPN Example: Mismatching ID Type and Content

ZYWALL REMOTE IPSEC ROUTER

Local ID type: E-mail Local ID type: IP

Local ID content: tom@yourcompany.com Local ID content: 1.1.1.2

Peer ID type: IP Peer ID type: E-mail

Peer ID content: 1.1.1.20 Peer ID content: tom@yourcompany.com

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 409

the identity of the remote IPSec router (for example, extended authentication) or

if you are troubleshooting a VPN tunnel.

Additional Topics for IKE SA

This section provides more information about IKE SA.

Negotiation Mode

There are two negotiation modes--main mode and aggressive mode. Main mode

provides better security, while aggressive mode is faster.

Main mode takes six steps to establish an IKE SA.

Steps 1 - 2: The ZyWALL sends its proposals to the remote IPSec router. The

remote IPSec router selects an acceptable proposal and sends it back to the

ZyWALL.

Steps 3 - 4: The ZyWALL and the remote IPSec router exchange pre-shared keys

for authentication and participate in a Diffie-Hellman key exchange, based on the

accepted DH key group, to establish a shared secret.

Steps 5 - 6: Finally, the ZyWALL and the remote IPSec router generate an

encryption key (from the shared secret), encrypt their identities, and exchange

their encrypted identity information for authentication.

In contrast, aggressive mode only takes three steps to establish an IKE SA.

Aggressive mode does not provide as much security because the identity of the

ZyWALL and the identity of the remote IPSec router are not encrypted. It is

usually used in remote-access situations, where the address of the initiator is not

known by the responder and both parties want to use pre-shared keys for

authentication. For example, the remote IPSec router may be a telecommuter who

does not have a static IP address.

VPN, NAT, and NAT Traversal

In the following example, there is another router (A) between router X and router

Figure 240 VPN/NAT Example

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

410

If router A does NAT, it might change the IP addresses, port numbers, or both. If

router X and router Y try to establish a VPN tunnel, the authentication fails

because it depends on this information. The routers cannot establish a VPN tunnel.

Most routers like router A now have an IPSec pass-thru feature. This feature helps

router A recognize VPN packets and route them appropriately. If router A has this

feature, router X and router Y can establish a VPN tunnel as long as the active

protocol is ESP. (See Active Protocol on page 411 for more information about

active protocols.)

If router A does not have an IPSec pass-thru or if the active protocol is AH, you

can solve this problem by enabling NAT traversal. In NAT traversal, router X and

router Y add an extra header to the IKE SA and IPSec SA packets. If you configure

router A to forward these packets unchanged, router X and router Y can establish

a VPN tunnel.

You have to do the following things to set up NAT traversal.

• Enable NAT traversal on the ZyWALL and remote IPSec router.

• Configure the NAT router to forward packets with the extra header unchanged.

(See the field description for detailed information about the extra header.)

The extra header may be UDP port 500 or UDP port 4500, depending on the

standard(s) the ZyWALL and remote IPSec router support.

Extended Authentication

Extended authentication is often used when multiple IPSec routers use the same

VPN tunnel to connect to a single IPSec router. For example, this might be used

with telecommuters.

In extended authentication, one of the routers (the ZyWALL or the remote IPSec

router) provides a user name and password to the other router, which uses a local

user database and/or an external server to verify the user name and password. If

the user name or password is wrong, the routers do not establish an IKE SA.

You can set up the ZyWALL to provide a user name and password to the remote

IPSec router, or you can set up the ZyWALL to check a user name and password

that is provided by the remote IPSec router.

If you use extended authentication, it takes four more steps to establish an IKE

SA. These steps occur at the end, regardless of the negotiation mode (steps 7-10

in main mode, steps 4-7 in aggressive mode).

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 411

Certificates

It is possible for the ZyWALL and remote IPSec router to authenticate each other

with certificates. In this case, you do not have to set up the pre-shared key, local

identity, or remote identity because the certificates provide this information

instead.

• Instead of using the pre-shared key, the ZyWALL and remote IPSec router check

the signatures on each other’s certificates. Unlike pre-shared keys, the

signatures do not have to match.

• The local and peer ID type and content come from the certificates.

Note: You must set up the certificates for the ZyWALL and remote IPSec router first.

IPSec SA Overview

Once the ZyWALL and remote IPSec router have established the IKE SA, they can

securely negotiate an IPSec SA through which to send data between computers on

the networks.

Note: The IPSec SA stays connected even if the underlying IKE SA is not available

anymore.

This section introduces the key components of an IPSec SA.

Local Network and Remote Network

In an IPSec SA, the local network, the one(s) connected to the ZyWALL, may be

called the local policy. Similarly, the remote network, the one(s) connected to the

remote IPSec router, may be called the remote policy.

Active Protocol

The active protocol controls the format of each packet. It also specifies how much

of each packet is protected by the encryption and authentication algorithms. IPSec

VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP

(Encapsulating Security Payload, RFC 2406).

Note: The ZyWALL and remote IPSec router must use the same active protocol.

Usually, you should select ESP. AH does not support encryption, and ESP is more

suitable with NAT.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

412

Encapsulation

There are two ways to encapsulate packets. Usually, you should use tunnel mode

because it is more secure. Transport mode is only used when the IPSec SA is used

for communication between the ZyWALL and remote IPSec router (for example,

for remote management), not between computers on the local and remote

networks.

Note: The ZyWALL and remote IPSec router must use the same encapsulation.

These modes are illustrated below.

In tunnel mode, the ZyWALL uses the active protocol to encapsulate the entire IP

packet. As a result, there are two IP headers:

• Outside header: The outside IP header contains the IP address of the ZyWALL or

remote IPSec router, whichever is the destination.

• Inside header: The inside IP header contains the IP address of the computer

behind the ZyWALL or remote IPSec router. The header for the active protocol

(AH or ESP) appears between the IP headers.

In transport mode, the encapsulation depends on the active protocol. With AH, the

ZyWALL includes part of the original IP header when it encapsulates the packet.

With ESP, however, the ZyWALL does not include the IP header when it

encapsulates the packet, so it is not possible to verify the integrity of the source IP

address.

IPSec SA Proposal and Perfect Forward Secrecy

An IPSec SA proposal is similar to an IKE SA proposal (see IKE SA Proposal on

page 405), except that you also have the choice whether or not the ZyWALL and

remote IPSec router perform a new DH key exchange every time an IPSec SA is

established. This is called Perfect Forward Secrecy (PFS).

Figure 241 VPN: Transport and Tunnel Mode Encapsulation

Original Packet IP Header TCP

Header

Data

Transport Mode Packet IP Header AH/ESP

Header

TCP

Header

Data

Tunnel Mode Packet IP Header AH/ESP

Header

IP Header TCP

Header

Data

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 413

If you enable PFS, the ZyWALL and remote IPSec router perform a DH key

exchange every time an IPSec SA is established, changing the root key from which

encryption keys are generated. As a result, if one encryption key is compromised,

other encryption keys remain secure.

If you do not enable PFS, the ZyWALL and remote IPSec router use the same root

key that was generated when the IKE SA was established to generate encryption

keys.

The DH key exchange is time-consuming and may be unnecessary for data that

does not require such security.

Additional Topics for IPSec SA

This section provides more information about IPSec SA in your ZyWALL.

IPSec SA using Manual Keys

You might set up an IPSec SA using manual keys when you want to establish a

VPN tunnel quickly, for example, for troubleshooting. You should only do this as a

temporary solution, however, because it is not as secure as a regular IPSec SA.

In IPSec SAs using manual keys, the ZyWALL and remote IPSec router do not

establish an IKE SA. They only establish an IPSec SA. As a result, an IPSec SA

using manual keys has some characteristics of IKE SA and some characteristics of

IPSec SA. There are also some differences between IPSec SA using manual keys

and other types of SA.

IPSec SA Proposal using Manual Keys

In an IPSec SA using manual keys, you can only specify one encryption algorithm

and one authentication algorithm. You cannot specify several proposals. There is

no DH key exchange, so you have to provide the encryption key and the

authentication key the ZyWALL and remote IPSec router use.

Note: The ZyWALL and remote IPSec router must use the same encryption key and

authentication key.

Authentication and the Security Parameter Index (SPI)

For authentication, the ZyWALL and remote IPSec router use the SPI, instead of

pre-shared keys, ID type and content. The SPI is an identification number.

Note: The ZyWALL and remote IPSec router must use the same SPI.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

414

NAT for Inbound and Outbound Traffic

The ZyWALL can translate the following types of network addresses in IPSec SA.

• Source address in outbound packets - this translation is necessary if you want

the ZyWALL to route packets from computers outside the local network through

the IPSec SA.

• Source address in inbound packets - this translation hides the source address of

computers in the remote network.

• Destination address in inbound packets - this translation is used if you want to

forward packets (for example, mail) from the remote network to a specific

computer (like the mail server) in the local network.

Each kind of translation is explained below. The following example is used to help

explain each one.

Figure 242 VPN Example: NAT for Inbound and Outbound Traffic

Source Address in Outbound Packets (Outbound Traffic, Source NAT)

This translation lets the ZyWALL route packets from computers that are not part of

the specified local network (local policy) through the IPSec SA. For example, in

Figure 242 on page 414, you have to configure this kind of translation if you want

computer M to establish a connection with any computer in the remote network

(B). If you do not configure it, the remote IPSec router may not route messages

for computer M through the IPSec SA because computer M’s IP address is not part

of its local policy.

To set up this NAT, you have to specify the following information:

• Source - the original source address; most likely, computer M’s network.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide 415

• Destination - the original destination address; the remote network (B).

• SNAT - the translated source address; the local network (A).

Source Address in Inbound Packets (Inbound Traffic, Source NAT)

You can set up this translation if you want to change the source address of

computers in the remote network. To set up this NAT, you have to specify the

following information:

• Source - the original source address; the remote network (B).

• Destination - the original destination address; the local network (A).

• SNAT - the translated source address; a different IP address (range of

addresses) to hide the original source address.

Destination Address in Inbound Packets (Inbound Traffic, Destination

NAT)

You can set up this translation if you want the ZyWALL to forward some packets

from the remote network to a specific computer in the local network. For example,

in Figure 242 on page 414, you can configure this kind of translation if you want to

forward mail from the remote network to the mail server in the local network (A).

You have to specify one or more rules when you set up this kind of NAT. The

ZyWALL checks these rules similar to the way it checks rules for a firewall. The

first part of these rules define the conditions in which the rule apply.

• Original IP - the original destination address; the remote network (B).

• Protocol - the protocol [TCP, UDP, or both] used by the service requesting the

connection.

• Original Port - the original destination port or range of destination ports; in

Figure 242 on page 414, it might be port 25 for SMTP.

The second part of these rules controls the translation when the condition is

satisfied.

• Mapped IP - the translated destination address; in Figure 242 on page 414, the

IP address of the mail server in the local network (A).

• Mapped Port - the translated destination port or range of destination ports.

The original port range and the mapped port range must be the same size.

Chapter 23 IPSec VPN

ZyWALL USG 50 User’s Guide

416

ZyWALL USG 50 User’s Guide 417

CHAPTER 24

SSL VPN

24.1 Overview

Use SSL VPN to allow users to use a web browser for secure remote user login

(the remote users do not need a VPN router or VPN client software.

24.1.1 What You Can Do in this Chapter

•Use the VPN > SSL VPN > Access Privilege screens (see Section 24.2 on

page 419) to configure SSL access policies.

•Use the Click VPN > SSL VPN > Global Setting screen (see Section 24.3 on

page 423) to set the IP address of the ZyWALL (or a gateway device) on your

network for full tunnel mode access, enter access messages or upload a custom

logo to be displayed on the remote user screen.

24.1.2 What You Need to Know

Full Tunnel Mode

In full tunnel mode, a virtual connection is created for remote users with private

IP addresses in the same subnet as the local network. This allows them to access

network resources in the same way as if they were part of the internal network.

Figure 243 Network Access Mode: Full Tunnel Mode

SSL Access Policy

An SSL access policy allows the ZyWALL to perform the following tasks:

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide

418

• apply Endpoint Security (EPS) checking to require users’ computers to comply

with defined corporate policies before they can access the SSL VPN tunnel.

• limit user access to specific applications or files on the network.

• allow user access to specific networks.

• assign private IP addresses and provide DNS/WINS server information to

remote users to access internal networks.

SSL Access Policy Objects

The SSL access policies reference the following objects. If you update this

information, in response to changes, the ZyWALL automatically propagates the

changes through the SSL policies that use the object(s). When you delete an SSL

policy, the objects are not removed.

You cannot delete an object that is referenced by an SSL access policy. To delete

the object, you must first unassociate the object from the SSL access policy.

Finding Out More

• See Section 6.5.16 on page 104 for related information on these screens.

• See Section 24.4 on page 425 for how to establish an SSL VPN connection to the

ZyWALL (after you have configured the SSL VPN settings on the ZyWALL).

• See Chapter 44 on page 673 for details on endpoint security objects.

• See Chapter 43 on page 667 for details on SSL application objects.

Table 120 Objects

OBJECT

TYPE OBJECT

SCREEN DESCRIPTION

User Accounts User

Account/

User Group

Configure a user account or user group to which you want

to apply this SSL access policy.

Endpoint

Security

Endpoint

Security

Endpoint Security (EPS) checking makes sure users’

computers comply with defined corporate policies before

they can access the SSL VPN tunnel.

Application SSL

Application

Configure an SSL application object to specify the type of

application and the address of the local computer, server,

or web site SSL users are to be able to access.

IP Pool Address Configure an address object that defines a range of

private IP addresses to assign to user computers so they

can access the internal network through a VPN

connection.

Server

Addresses

Address Configure address objects for the IP addresses of the DNS

and WINS servers that the ZyWALL sends to the VPN

connection users.

VPN Network Address Configure an address object to specify which network

segment users are allowed to access through a VPN

connection.

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide 419

24.2 The SSL Access Privilege Screen

Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the

configured SSL access policies.

Figure 244 VPN > SSL VPN > Access Privilege

The following table describes the labels in this screen.

Table 121 VPN > SSL VPN > Access Privilege

LABEL DESCRIPTION

Add Click this to create a new entry. Select an entry and click Add to create

a new entry after the selected entry.

Edit Double-click an entry or select it and click Edit to open a screen where

you can modify the entry’s settings.

Remove To remove an entry, select it and click Remove. The ZyWALL confirms

you want to remove it before doing so.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Move To move an entry to a different number in the list, click the Move icon.

In the field that appears, specify the number to which you want to move

the interface.

Object

References

Select an entry and click Object References to open a screen that

shows which settings use the entry. See Section 11.3.2 on page 236 for

an example.

# This field displays the index number of the entry.

Status This icon is lit when the entry is active and dimmed when the entry is

inactive.

Name This field displays the descriptive name of the SSL access policy for

identification purposes.

User/Group This field displays the user account or user group name(s) associated to

an SSL access policy.

This field displays up to three names.

Access Policy

Summary

This field displays details about the SSL application object this policy

uses including its name, type, and address.

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide

420

24.2.1 The SSL Access Policy Add/Edit Screen

To create a new or edit an existing SSL access policy, click the Add or Edit icon in

the Access Privilege screen.

Figure 245 VPN > SSL VPN > Access Privilege > Add/Edit

Apply Click Apply to save the settings.

Reset Click Reset to discard all changes.

Table 121 VPN > SSL VPN > Access Privilege

LABEL DESCRIPTION

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide 421

The following table describes the labels in this screen.

Table 122 VPN > SSL VPN > Access Privilege > Add/Edit

LABEL DESCRIPTION

Create new

Object

Use to configure any new settings objects that you need to use in this

screen.

Configuration

Enable Policy Select this option to activate this SSL access policy.

Name Enter a descriptive name to identify this policy. You can enter up to 15

characters (“a-z”, A-Z”, “0-9”) with no spaces allowed.

Description Enter additional information about this SSL access policy. You can enter

up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”).

Clean browser

cache when

user logs out

Select this to clean the cookie, history, and temporary Internet files in

the user’s browser’s cache when the user logs out. The ZyWALL returns

them to the values present before the user logged in.

User/Group The Selectable User/Group Objects list displays the name(s) of the

user account and/or user group(s) to which you have not applied an SSL

access policy yet.

To associate a user or user group to this SSL access policy, select a user

account or user group and click >> to add to the Selected User/

Group Objects list. You can select more than one name.

To remove a user or user group, select the name(s) in the Selected

User/Group Objects list and click <<.

Note: Although you can select admin and limited-admin accounts in

this screen, they are reserved for device configuration only.

You cannot use them to access the SSL VPN portal.

Endpoint

Security (EPS)

Use these fields to make sure users’ computers meet an endpoint

security object’s Operating System (OS) and security requirements

before granting access.

Enable EPS

Checking

Select this to have the ZyWALL check that users’ computers meet the

Operating System (OS) and security requirements of one of the SSL

access policy’s selected endpoint security objects before granting

access.

Periodical

checking time

Select this and specify a number of minutes to have the ZyWALL repeat

the endpoint security check at a regular interval.

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide

422

Available EPS

Objects /

Selected EPS

Objects

Configured endpoint security objects appear on the left. Select the

endpoint security objects to use for this SSL access policy and click the

right arrow button to add them to the selected list on the right. Use the

[Shift] and/or [Ctrl] key to select multiple objects. Select any endpoint

security objects that you want to remove from the selected list and click

the left arrow button to remove them.

The ZyWALL checks authenticated users’ computers against the SSL

access policy’s selected endpoint security objects in the order you list

them here. When a user’s computer matches an endpoint security

object the ZyWALL grants access and stops checking. Select an

endpoint security object and use the up and down arrows to change it’s

position in the list. To make the endpoint security check as efficient as

possible, arrange the endpoint security objects in order with the one

that the most users should match first and the one that the least users

should match last.

SSL Application

List (Optional)

The Selectable Application Objects list displays the name(s) of the

SSL application(s) you can select for this SSL access policy.

To associate an SSL application to this SSL access policy, select a name

and click >> to add to the Selected Application Objects list. You can

select more than one application.

To remove an SSL application, select the name(s) in the Selected

Application Objects list and click <<.

Network Extension (Optional)

Enable Network

Extension

Select this option to create a VPN tunnel between the authenticated

users and the internal network. This allows the users to access the

resources on the network as if they were on the same local network.

Clear this option to disable this feature. Users can only access the

applications as defined by the selected SSL application settings and the

remote user computers are not made to be a part of the local network.

Assign IP Pool Define a separate pool of IP addresses to assign to the SSL users. Select

it here.

The SSL VPN IP pool cannot overlap with IP addresses on the ZyWALL's

local networks (LAN and DMZ for example), the SSL user's network, or

the networks you specify in the SSL VPN Network List.

DNS/WINS

Server 1..2

Select the name of the DNS or WINS server whose information the

ZyWALL sends to the remote users. This allows them to access devices

on the local network using domain names instead of IP addresses.

Network List To allow user access to local network(s), select a network name in the

Selectable Address Objects list and click >> to add to the Selected

Address Objects list. You can select more than one network.

To block access to a network, select the network name in the Selected

Address Objects list and click <<.

OK Click Ok to save the changes and return to the main Access Privilege

screen.

Cancel Click Cancel to discard all changes and return to the main Access

Privilege screen.

Table 122 VPN > SSL VPN > Access Privilege > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide 423

24.3 The SSL Global Setting Screen

Click VPN > SSL VPN and click the Global Setting tab to display the following

screen. Use this screen to set the IP address of the ZyWALL (or a gateway device)

on your network for full tunnel mode access, enter access messages or upload a

custom logo to be displayed on the remote user screen.

Figure 246 VPN > SSL VPN > Global Setting

The following table describes the labels in this screen.

Table 123 VPN > SSL VPN > Global Setting

LABEL DESCRIPTION

Global Setting

Network

Extension Local

Specify the IP address of the ZyWALL (or a gateway device) for full

tunnel mode SSL VPN access.

Leave this field to the default settings unless it conflicts with another

interface.

SSL VPN Login

Domain Name

SSL VPN Login

Domain Name

1/2

Specify a domain name for users to use for SSL VPN login. The domain

name must be registered to one of the ZyWALL’s IP addresses or be one

of the ZyWALL’s DDNS entries. You can specify up to two domain names

so you could use one domain name for each of two WAN ports. Do not

include the host. For example, www.zyxel.com is a fully qualified

domain name where “www” is the host; so you would just use

“zyxel.com”.

The ZyWALL displays the normal login screen without the button for

logging into the Web Configurator.

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide

424

24.3.1 How to Upload a Custom Logo

Follow the steps below to upload a custom logo to display on the remote user SSL

VPN screens.

1Click VPN > SSL VPN and click the Global Setting tab to display the

configuration screen.

2Click Browse to locate the logo graphic. Make sure the file is in GIF, JPG, or PNG

format.

3Click Apply to start the file transfer process.

4Log in as a user to verify that the new logo displays properly.

Message

SSL VPN connection is established successfully. You can enter up to 60

characters (“a-z”, A-Z”, “0-9”) with spaces allowed.

Logout Message Specify a message to display on the screen when a user logs out and

the SSL VPN connection is terminated successfully. You can enter up to

60 characters (“a-z”, A-Z”, “0-9”) with spaces allowed.

Update Client

Virtual Desktop

Logo

You can upload a graphic logo to be displayed on the web browser on

the remote user computer. The ZyXEL company logo is the default logo.

Specify the location and file name of the logo graphic or click Browse to

locate it.

Note: The logo graphic must be GIF, JPG, or PNG format. The

graphic should use a resolution of 127 x 57 pixels to avoid

distortion when displayed. The ZyWALL automatically resizes

a graphic of a different resolution to 127 x 57 pixels. The file

size must be 100 kilobytes or less. Transparent background

is recommended.

Browse Click Browse to locate the graphic file on your computer.

Upload Click Upload to transfer the specified graphic file from your computer to

the ZyWALL.

Reset Logo to

Default

Click Reset Logo to Default to display the ZyXEL company logo on the

remote user’s web browser.

Apply Click Apply to save the changes and/or start the logo file upload

process.

Reset Click Reset to return the screen to its last-saved settings.

Table 123 VPN > SSL VPN > Global Setting (continued)

LABEL DESCRIPTION

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide 425

The following shows an example logo on the remote user screen.

Figure 247 Example Logo Graphic Display

24.4 Establishing an SSL VPN Connection

After you have configured the SSL VPN settings on the ZyWALL, use the ZyWALL

Guide Section 25.2 on page 428 for details.

1Display the ZyWALL’s login screen and enter your user account information (the

user name and password). Click SSL VPN.

Figure 248 Login Screen

Chapter 24 SSL VPN

ZyWALL USG 50 User’s Guide

426

2SSL VPN connection starts. This may take several minutes depending on your

network connection. Once the connection is up, you should see the client portal

screen. The following shows an example.

Figure 249 SSL VPN Client Portal Screen Example

If the user account is not set up for SSL VPN access, an “SSL VPN connection is

not activated” message displays in the Login screen. Clear the Login to SSL VPN

check box and try logging in again.

For more information on user portal screens, refer to Chapter 25 on page 427.

ZyWALL USG 50 User’s Guide 427

CHAPTER 25

SSL User Screens

25.1 Overview

This chapter introduces the remote user SSL VPN screens. The following figure

shows a network example where a remote user (A) logs into the ZyWALL from the

Internet to access the web server (WWW) on the local network.

Figure 250 Network Example

25.1.1 What You Need to Know

The ZyWALL can use SSL VPN to provide secure connections to network resources

such as applications, files, intranet sites or e-mail through a web-based interface

and using Microsoft Outlook Web Access (OWA).

Network Resource Access Methods

As a remote user, you can access resources on the local network using one of the

following methods.

• Using a supported web browser

Once you have successfully logged in through the ZyWALL, you can access

intranet sites, web-based applications, or web-based e-mails using one of the

supported web browsers.

• Using the ZyWALL SecuExtender client

Once you have successfully logged into the ZyWALL, the ZyWALL automatically

loads the ZyWALL SecuExtender client program to your computer. With the

ZyWALL SecuExtender, you can access network resources, remote desktops and

manage files as if you were on the local network. See Chapter 27 on page 439

for more on the ZyWALL SecuExtender.

WWW

Internet

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide

428

System Requirements

Here are the browser and computer system requirements for remote user access.

• Windows 7 (32 or 64-bit), Vista (32 or 64-bit), 2003 (32-bit), XP (32-bit), or

2000 (32-bit)

• Internet Explorer 7 and above or Firefox 1.5 and above

• Using RDP requires Internet Explorer

• Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a

minimum version of 1.6.

Required Information

A remote user needs the following information from the network administrator to

• the domain name or IP address of the ZyWALL

• the login account user name and password

• if also required, the user name and/or password to access the network resource

Certificates

The remote user’s computer establishes an HTTPS connection to the ZyWALL to

access the login screen. If instructed by your network administrator, you must

install or import a certificate (provided by the ZyWALL or your network

administrator). Refer to Appendix D on page 871 for more information.

Finding Out More

See Chapter 24 on page 417 for how to configure SSL VPN on the ZyWALL.

25.2 Remote User Login

This section shows you how to access and log into the network through the

ZyWALL. Example screens for Internet Explorer are shown.

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide 429

1Open a web browser and enter the web site address or IP address of the ZyWALL.

For example, “http://sslvpn.mycompany.com”.

Figure 251 Enter the Address in a Web Browser

2Click OK or Yes if a security screen displays.

Figure 252 Login Security Screen

3A login screen displays. Enter the user name and password of your login account.

If a token password is also required, enter it in the One-Time Password field.

4Click SSL VPN to log in and establish an SSL VPN connection to the network to

access network resources.

Figure 253 Login Screen

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide

430

5Your computer starts establishing a secure connection to the ZyWALL after a

successful login. This may take up to two minutes. If you get a message about

needing Java, download and install it and restart your browser and re-login. If a

certificate warning screen displays, click OK, Yes or Continue.

Figure 254 Java Needed Message

6The ZyWALL tries to install the SecuExtender client. As shown next, you may have

to click some pop-ups to get your browser to allow the installation.

Figure 255 ActiveX Object Installation Blocked by Browser

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide 431

7The ZyWALL tries to install the SecuExtender client. You may need to click a pop-

up to get your browser to allow this. In Internet Explorer, click Install.

Figure 256 SecuExtender Blocked by Internet Explorer

8The ZyWALL tries to run the “ssltun” application. You may need to click something

to get your browser to allow this. In Internet Explorer, click Run.

Figure 257 SecuExtender Progress

9Click Next to use the setup wizard to install the SecuExtender client on your

computer.

Figure 258 SecuExtender Progress

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide

432

10 If a screen like the following displays, click Continue Anyway to finish installing

the SecuExtender client on your computer.

Figure 259 Hardware Installation Warning

11 The Application screen displays showing the list of resources available to you.

See Figure 260 on page 433 for a screen example.

Note: Available resource links vary depending on the configuration your network

administrator made.

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide 433

25.3 The SSL VPN User Screens

This section describes the main elements in the remote user screens.

Figure 260 Remote User Screen

The following table describes the various parts of a remote user screen.

Table 124 Remote User Screen Overview

#DESCRIPTION

1 Click on a menu tab to go to the Application screen.

2 Click this icon to log out and terminate the secure connection.

3 Click this icon to create a bookmark to the SSL VPN user screen in your web

browser.

4 Click this icon to display the on-line help window.

5 Select your preferred language for the interface.

6 This part of the screen displays a list of the resources available to you.

In the Application screen, click on a link to access or display the access method.

234

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide

434

25.4 Bookmarking the ZyWALL

You can create a bookmark of the ZyWALL by clicking the Add to Favorite icon.

This allows you to access the ZyWALL using the bookmark without having to enter

the address every time.

1In any remote user screen, click the Add to Favorite icon.

2A screen displays. Accept the default name in the Name field or enter a

descriptive name to identify this link.

3Click OK to create a bookmark in your web browser.

Figure 261 Add Favorite

25.5 Logging Out of the SSL VPN User Screens

To properly terminate a connection, click on the Logout icon in any remote user

screen.

1Click the Logout icon in any remote user screen.

2A prompt window displays. Click OK to continue.

Figure 262 Logout: Prompt

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide 435

3An information screen displays to indicate that the SSL VPN connection is about to

terminate.

Figure 263 Logout: Connection Termination Progress

Chapter 25 SSL User Screens

ZyWALL USG 50 User’s Guide

436

ZyWALL USG 50 User’s Guide 437

CHAPTER 26

SSL User Application Screens

26.1 SSL User Application Screens Overview

Use the Application screen to access web-based applications (such as web sites

and e-mail) on the network through the SSL VPN connection. Which applications

you can access depends on the ZyWALL’s configuration.

26.2 The Application Screen

Click the Application tab to display the screen. The Name field displays the

descriptive name for an application. The Type field displays whether the

application supports Virtual Network Computing (VNC) or Remote Desktop

Protocol (RDP).

To access a web-based application, simply click a link in the Application screen to

display the web screen in a separate browser window.

Figure 264 Application

Chapter 26 SSL User Application Screens

ZyWALL USG 50 User’s Guide

438

ZyWALL USG 50 User’s Guide 439

CHAPTER 27

ZyWALL SecuExtender

The ZyWALL automatically loads the ZyWALL SecuExtender client program to your

computer after a successful login. The ZyWALL SecuExtender lets you:

• Access servers, remote desktops and manage files as if you were on the local

network.

• Use applications like e-mail, file transfer, and remote desktop programs directly

without using a browser. For example, you can use Outlook for e-mail instead of

the ZyWALL’s web-based e-mail.

• Use applications, even proprietary applications, for which the ZyWALL does not

offer SSL application objects.

The applications must be installed on your computer. For example, to use the VNC

remote desktop program, you must have the VNC client installed on your

computer.

27.1 The ZyWALL SecuExtender Icon

The ZyWALL SecuExtender icon color indicates the SSL VPN tunnel’s connection

status.

Figure 265 ZyWALL SecuExtender Icon

• Red: the SSL VPN tunnel is not connected. You cannot connect to the SSL

application and network resources.

• Green: the SSL VPN tunnel is connected. You can connect to the SSL application

and network resources.You can also use another application to access resources

behind the ZyWALL.

• Gray: the SSL VPN tunnel’s connection is suspended. This means the SSL VPN

tunnel is connected, but the ZyWALL SecuExtender will not send any traffic

through it until you right-click the icon and resume the connection.

Chapter 27 ZyWALL SecuExtender

ZyWALL USG 50 User’s Guide

440

27.2 Statistics

Right-click the ZyWALL SecuExtender icon in the system tray and select Status to

open the Status screen. Use this screen to view the ZyWALL SecuExtender’s

statistics.

Figure 266 ZyWALL SecuExtender Status

The following table describes the labels in this screen.

Table 125 ZyWALL SecuExtender Statistics

LABEL DESCRIPTION

Connection

Status

SecuExtender IP

Address

This is the IP address the ZyWALL assigned to this remote user

computer for an SSL VPN connection.

DNS Server 1/2 These are the IP addresses of the DNS server and backup DNS server

for the SSL VPN connection.

DNS (Domain Name System) maps a domain name to its corresponding

IP address and vice versa. The DNS server is extremely important

because without it, you must know the IP address of a computer before

you can access it. Your computer uses the DNS server specified here to

resolve domain names for resources you access through the SSL VPN

connection.

WINS Server 1/

These are the IP addresses of the WINS (Windows Internet Naming

Service) and backup WINS servers for the SSL VPN connection. The

WINS server keeps a mapping table of the computer names on your

network and the IP addresses that they are currently using.

Network 1~4 These are the networks (including netmask) that you can access

through the SSL VPN connection.

Activity

Connected Time This is how long the computer has been connected to the SSL VPN

tunnel.

Chapter 27 ZyWALL SecuExtender

ZyWALL USG 50 User’s Guide 441

27.3 View Log

If you have problems with the ZyWALL SecuExtender, customer support may

request you to provide information from the log. Right-click the ZyWALL

SecuExtender icon in the system tray and select Log to open a notepad file of the

ZyWALL SecuExtender’s log.

Figure 267 ZyWALL SecuExtender Log Example

27.4 Suspend and Resume the Connection

When the ZyWALL SecuExtender icon in the system tray is green, you can right-

click the icon and select Suspend Connection to keep the SSL VPN tunnel

Transmitted This is how many bytes and packets the computer has sent through the

SSL VPN connection.

Received This is how many bytes and packets the computer has received through

the SSL VPN connection.

Table 125 ZyWALL SecuExtender Statistics

LABEL DESCRIPTION

###########################################################################

#####################

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Build Datetime: Feb 24

2009/10:25:07

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] rasphone.pbk:

C:\Documents and Settings\11746\rasphone.pbk

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log:

C:\Documents and Settings\11746\SecuExtender.log

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Check Parameters

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Connect to

172.23.31.19:443/10444

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Parameter is OK

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Checking System

status...

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Checking service

(first) ...

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] SecuExtender Helper is

running

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] System is OK

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] Connect to 2887196435/

443

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Handshake LoopCounter:

[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] 611 bytes of handshake

data received

Chapter 27 ZyWALL SecuExtender

ZyWALL USG 50 User’s Guide

442

connected but not send any traffic through it until you right-click the icon and

resume the connection.

27.5 Stop the Connection

Right-click the icon and select Stop Connection to disconnect the SSL VPN

tunnel.

27.6 Uninstalling the ZyWALL SecuExtender

Do the following if you need to remove the ZyWALL SecuExtender.

1Click start > All Programs > ZyXEL > ZyWALL SecuExtender > Uninstall.

2In the confirmation screen, click Yes.

Figure 268 Uninstalling the ZyWALL SecuExtender Confirmation

3Windows uninstalls the ZyWALL SecuExtender.

Figure 269 ZyWALL SecuExtender Uninstallation

ZyWALL USG 50 User’s Guide 443

CHAPTER 28

Application Patrol

28.1 Overview

Application patrol provides a convenient way to manage the use of various

applications on the network. It manages general protocols (for example, HTTP and

FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and

streaming (RSTP) applications. You can even control the use of a particular

application’s individual features (like text messaging, voice, video conferencing,

and file transfers). Application patrol also has powerful bandwidth management

including traffic prioritization to enhance the performance of delay-sensitive

applications like voice and video.

There is also an option that gives SIP traffic priority over all other traffic going

through the ZyWALL. This maximizes SIP traffic throughput for improved VoIP call

sound quality.

28.1.1 What You Can Do in this Chapter

•Use the General summary screen (see Section 28.2 on page 453) to enable and

disable application patrol.

•Use the Common, Instant Messenger, Peer to Peer, VoIP, and Streaming

(see Section 28.3 on page 454) screens to look at the applications the ZyWALL

can recognize, and review the settings for each one. You can also enable and

disable the rules for each application and specify the default and custom policies

for each application.

•Use the Application Patrol Edit screen (see Section 28.3.1 on page 455) to

edit the settings for an application.

•Use the Application Policy Edit screen (see Section 28.3.2 on page 459) to

edit a group of settings for an application.

•Use the Other screens (see Section 28.4 on page 462) to control what the

ZyWALL does when it does not recognize the application, and it identifies the

conditions that refine this. It also lets you open the Other Configuration Add/

Edit screen to create new conditions or edit existing ones.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

444

28.1.2 What You Need to Know

If you want to use a service, make sure both the firewall and application patrol

allow the service’s packets to go through the ZyWALL.

Note: The ZyWALL checks firewall rules before it checks application patrol rules for

traffic going through the ZyWALL.

Application patrol examines every TCP and UDP connection passing through the

ZyWALL and identifies what application is using the connection. Then, you can

specify, by application, whether or not the ZyWALL continues to route the

connection.

Configurable Application Policies

The ZyWALL has policies for individual applications. For each policy, you can

specify the default action the ZyWALL takes once it identifies one of the service’s

connections.

You can also specify custom policies that have the ZyWALL forward, drop, or reject

a service’s connections based on criteria that you specify (like the source zone,

destination zone, original destination port of the connection, schedule, user,

source, and destination information). Your custom policies take priority over the

policy’s default settings.

Classification of Applications

There are two ways the ZyWALL can identify the application. The first is called

auto. The ZyWALL looks at the IP payload (OSI level-7 inspection) and attempts to

match it with known patterns for specific applications. Usually, this occurs at the

beginning of a connection, when the payload is more consistent across

connections, and the ZyWALL examines several packets to make sure the match is

correct.

Note: The ZyWALL allows the first eight packets to go through the firewall, regardless

of the application patrol policy for the application. The ZyWALL examines these

first eight packets to identify the application.

The second approach is called service ports. The ZyWALL uses only OSI level-4

information, such as ports, to identify what application is using the connection.

This approach is available in case the ZyWALL identifies a lot of “false positives”

for a particular application.

Custom Ports for SIP and the SIP ALG

Configuring application patrol to use custom port numbers for SIP traffic also

configures the SIP ALG (see Chapter 19 on page 341) to use the same port

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 445

numbers for SIP traffic. Likewise, configuring the SIP ALG to use custom port

numbers for SIP traffic also configures application patrol to use the same port

numbers for SIP traffic.

DiffServ and DSCP Marking

QoS is used to prioritize source-to-destination traffic flows. All packets in the same

flow are given the same priority. CoS (class of service) is a way of managing traffic

in a network by grouping similar types of traffic together and treating each type as

a class. You can use CoS to give different priorities to different packet types.

DiffServ (Differentiated Services) is a class of service (CoS) model that marks

packets so that they receive specific per-hop treatment at DiffServ-compliant

network devices along the route based on the application types and traffic flow.

Packets are marked with DiffServ Code Points (DSCPs) indicating the level of

service desired. This allows the intermediary DiffServ-compliant network devices

to handle the packets differently depending on the code points without the need to

negotiate paths or remember state information for every flow. In addition,

applications do not have to request a particular service or give advanced notice of

where the traffic is going.

Use application patrol to set a DSCP value for an application’s traffic that the

ZyWALL sends out.

Bandwidth Management

When you allow an application, you can restrict the bandwidth it uses or even the

bandwidth that particular features in the application (like voice, video, or file

sharing) use. This restriction may be ineffective in certain cases, however, such as

using MSN to send files via P2P.

The application patrol bandwidth management is more flexible and powerful than

the bandwidth management in policy routes. Application patrol controls TCP and

UDP traffic. Use policy routes to manage other types of traffic (like ICMP).

Note: Bandwidth management in policy routes has priority over application patrol

bandwidth management. It is recommended to use application patrol instead of

policy routes to manage the bandwidth of TCP and UDP traffic.

Connection and Packet Directions

Application patrol looks at the connection direction, that is from which zone the

connection was initiated and to which zone the connection is going.

A connection has outbound and inbound packet flows. The ZyWALL controls the

bandwidth of traffic of each flow as it is going out through an interface or VPN

tunnel.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

446

• The outbound traffic flows from the connection initiator to the connection

responder.

• The inbound traffic flows from the connection responder to the connection

initiator.

For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the

WAN.

• Outbound traffic goes from a LAN1 zone device to a WAN zone device.

Bandwidth management is applied before sending the packets out a WAN zone

interface on the ZyWALL.

• Inbound traffic comes back from the WAN zone device to the LAN1 zone device.

Bandwidth management is applied before sending the traffic out a LAN1 zone

interface.

Figure 270 LAN1 to WAN Connection and Packet Directions

Outbound and Inbound Bandwidth Limits

You can limit an application’s outbound or inbound bandwidth. This limit keeps the

traffic from using up too much of the out-going interface’s bandwidth. This way

you can make sure there is bandwidth for other applications. When you apply a

bandwidth limit to outbound or inbound traffic, each member of the out-going

zone can send up to the limit. Take a LAN1 to WAN policy for example.

• Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN1

so outbound means the traffic traveling from the LAN1 to the WAN. Each of the

WAN zone’s two interfaces can send the limit of 200 kbps of traffic.

Connection

BWM

Outbound

Inbound

LAN1

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 447

• Inbound traffic is limited to 500 kbs. The connection initiator is on the LAN1 so

inbound means the traffic traveling from the WAN to the LAN1.

Figure 271 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps

Bandwidth Management Priority

• The ZyWALL gives bandwidth to higher-priority traffic first, until it reaches its

configured bandwidth rate.

• Then lower-priority traffic gets bandwidth.

• The ZyWALL uses a fairness-based (round-robin) scheduler to divide bandwidth

among traffic flows with the same priority.

• The ZyWALL automatically treats traffic with bandwidth management disabled

as priority 7 (the lowest priority).

Maximize Bandwidth Usage

Maximize bandwidth usage allows applications with maximize bandwidth usage

enabled to “borrow” any unused bandwidth on the out-going interface.

After each application gets its configured bandwidth rate, the ZyWALL uses the

fairness- based scheduler to divide any unused bandwidth on the out-going

interface amongst applications that need more bandwidth and have maximize

bandwidth usage enabled.

Unused bandwidth is divided equally. Higher priority traffic does not get a larger

portion of the unused bandwidth.

Bandwidth Management Behavior

The following sections show how bandwidth management behaves with various

settings. For example, you configure DMZ to WAN policies for FTP servers A and

B. Each server tries to send 1000 kbps, but the WAN is set to a maximum

Inbound

Outbound

Outbound 500 kbps

200 kbps 200 kbps

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

448

outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and

policy B for server B’s traffic.

Figure 272 Bandwidth Management Behavior

Configured Rate Effect

In the following table the configured rates total less than the available bandwidth

and maximize bandwidth usage is disabled, both servers get their configured rate.

Priority Effect

Here the configured rates total more than the available bandwidth. Because server

A has higher priority, it gets up to it’s configured rate (800 kbps), leaving only 200

kbps for server B.

Maximize Bandwidth Usage Effect

With maximize bandwidth usage enabled, after each server gets its configured

rate, the rest of the available bandwidth is divided equally between the two. So

server A gets its configured rate of 300 kbps and server B gets its configured rate

of 200 kbps. Then the ZyWALL divides the remaining bandwidth (1000 - 500 =

500) equally between the two (500 / 2 = 250 kbps for each). The priority has no

effect on how much of the unused bandwidth each server gets.

Table 126 Configured Rate Effect

POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE

A 300 kbps No 1 300 kbps

B 200 kbps No 1 200 kbps

Table 127 Priority Effect

POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE

A 800 kbps Yes 1 800 kbps

B 1000 kbps Yes 2 200 kbps

1000 kbps

BWM

1000 kbps

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 449

So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550

kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of

450 kbps.

Priority and Over Allotment of Bandwidth Effect

Server A has a configured rate that equals the total amount of available

bandwidth and a higher priority. You should regard extreme over allotment of

traffic with different priorities (as shown here) as a configuration error. Even

though the ZyWALL still attempts to let all traffic get through and not be lost,

regardless of its priority, server B gets almost no bandwidth with this

configuration.

Finding Out More

• See Section 6.5.17 on page 104 for related information on these screens.

• See Section 7.5 on page 124 for an example of how to set up web surfing

policies with bandwidth restrictions.

• See DSCP Marking and Per-Hop Behavior on page 289 for a description of DSCP

marking.

28.1.3 Application Patrol Bandwidth Management Examples

Bandwidth management is very useful when applications are competing for limited

bandwidth. For example, say you have a WAN zone interface connected to an

ADSL device with a 8 Mbps downstream and 1 Mbps upstream ADSL connection.

The following sections give some simplified examples of using application patrol

policies to manage applications competing for that 1 Mbps of upstream bandwidth.

Here is an overview of what the rules need to accomplish. See the following

sections for more details.

• SIP traffic from VIP users must get through with the least possible delay

regardless of if it is an outgoing call or an incoming call. The VIP users must be

able to make and receive SIP calls no matter which interface they are connected

to.

Table 128 Maximize Bandwidth Usage Effect

POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE

A 300 kbps Yes 1 550 kbps

B 200 kbps Yes 2 450 kbps

Table 129 Priority and Over Allotment of Bandwidth Effect

POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE

A 1000 kbps Yes 1 999 kbps

B 1000 kbps Yes 2 1 kbps

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

450

• HTTP traffic needs to be given priority over FTP traffic.

• FTP traffic from the WAN to the DMZ must be limited so it does not interfere

with SIP and HTTP traffic.

• FTP traffic from the LAN1 to the DMZ can use more bandwidth since the

interfaces support up to 1 Gbps connections, but it must be the lowest priority

and limited so it does not interfere with SIP and HTTP traffic.

Figure 273 Application Patrol Bandwidth Management Example

28.1.3.1 Setting the Interface’s Bandwidth

Use the interface screens to set the WAN zone interface’s upstream bandwidth to

be equal to (or slightly less than) what the connected device can support. This

example uses 1000 Kbps.

28.1.3.2 SIP Any to WAN Bandwidth Management Example

• Manage SIP traffic going to the WAN zone from a VIP user on the LAN or DMZ.

• Outbound traffic (to the WAN from the LAN and DMZ) is limited to 200 kbps. The

ZyWALL applies this limit before sending the traffic to the WAN.

• Inbound traffic (to the LAN and DMZ from the WAN) is also limited to 200 kbps.

The ZyWALL applies this limit before sending the traffic to LAN or DMZ.

• Highest priority (1). Set policies for other applications to lower priorities so the

SIP traffic always gets the best treatment.

ADSL

Up: 1 Mbps

Down 8 Mbps

SIP: Any to WAN

Outbound: 200 Kbps

Inbound: 200 Kbps

Priority: 1

Max. B. U.

HTTP: Any to WAN

Outbound: 100 Kbps

Inbound: 500 Kbps

Priority: 2

Max. B. U.

FTP: WAN to DMZ

Outbound: 100 Kbps

Inbound: 300 Kbps

Priority: 3

No Max. B. U.

SIP: WAN to Any

Outbound: 200 Kbps

Inbound: 200 Kbps

Priority: 1

Max. B. U.

FTP: LAN1 to DMZ

Outbound: 50 Mbps

Inbound: 50 Mbps

Priority: 4

No Max. B. U.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 451

• Enable maximize bandwidth usage so the SIP traffic can borrow unused

bandwidth.

Figure 274 SIP Any to WAN Bandwidth Management Example

28.1.3.3 SIP WAN to Any Bandwidth Management Example

You also create a policy for calls coming in from the SIP server on the WAN. It is

the same as the SIP Any to WAN policy, but with the directions reversed (WAN to

Any instead of Any to WAN).

28.1.3.4 HTTP Any to WAN Bandwidth Management Example

• Inbound traffic gets more bandwidth as the local users will probably download

more than they upload (and the ADSL connection supports this).

• Second highest priority (2). Set policies for other applications (except SIP) to

lower priorities so the local users’ HTTP traffic gets sent before non-SIP traffic.

• Enable maximize bandwidth usage so the HTTP traffic can borrow unused

bandwidth.

Figure 275 HTTP Any to WAN Bandwidth Management Example

Inbound: 200 kbps

Outbound: 200 kbps

BWM

Inbound: 500 kbps

Outbound: 200 kbps

BWM

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

452

28.1.3.5 FTP WAN to DMZ Bandwidth Management Example

• ADSL supports more downstream than upstream so you allow remote users 300

kbps for uploads to the DMZ FTP server (outbound) but only 100 kbps for

downloads (inbound).

• Third highest priority (3).

• Disable maximize bandwidth usage since you do not want to give FTP more

bandwidth.

Figure 276 FTP WAN to DMZ Bandwidth Management Example

28.1.3.6 FTP LAN to DMZ Bandwidth Management Example

• The LAN and DMZ zone interfaces are connected to Ethernet networks (not an

ADSL device) so you limit both outbound and inbound traffic to 50 Mbps.

• Fourth highest priority (4).

• Disable maximize bandwidth usage since you do not want to give FTP more

bandwidth.

Figure 277 FTP LAN to DMZ Bandwidth Management Example

Inbound: 100 kbps

Outbound: 300 kbps

BWM

Outbound: 50 Mbps

BWM

Inbound: 50 Mbps

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 453

28.2 Application Patrol General Screen

Use this screen to enable and disable application patrol. It also lists the

registration status and details about the signature set the ZyWALL is using.

Note: You must register for the IDP/AppPatrol signature service (at least the trial)

before you can use it.

See Section 10.1 on page 213 for how to register.

Click Configuration > App Patrol to open the following screen.

Figure 278 Configuration > App Patrol > General

The following table describes the labels in this screen. See Section 28.3.1 on page

455 for more information as well.

Table 130 Configuration > App Patrol > General

LABEL DESCRIPTION

Enable

Application

Patrol

Select this check box to turn on application patrol.

Enable BWM This is a global setting for enabling or disabling bandwidth management

on the ZyWALL. You must enable this setting to have individual policy

routes or application patrol policies apply bandwidth management.

This same setting also appears in the Network > Routing > Policy

Route screen. Enabling or disabling it in one screen also enables or

disables it in the other screen.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

454

28.3 Application Patrol Applications

Use the application patrol Common, Instant Messenger, Peer to Peer, VoIP,

or Streaming screen to manage traffic of individual applications.

Use the Common screen (shown here as an example) to manage traffic of the

most commonly used web, file transfer and e-mail protocols.

Enable

Highest

Bandwidth

Priority for

SIP Traffic

Select this to maximize the throughput of SIP traffic to improve SIP-

based VoIP call sound quality. This has the ZyWALL immediately send

SIP traffic upon identifying it. When this option is enabled the ZyWALL

ignores any other application patrol rules for SIP traffic (so there is no

bandwidth control for SIP traffic) and does not record SIP traffic

bandwidth usage statistics.

Registration The following fields display information about the current state of your

subscription for IDP/application patrol signatures.

Registration

Status This field displays whether a service is activated (Licensed) or not (Not

Licensed) or expired (Expired).

Registration

Type This field displays whether you applied for a trial application (Trial) or

registered a service with your iCard’s PIN number (Standard). None

displays when the service is not activated.

Apply new

Registration This link appears if you have not registered for the service or only have

the trial registration. Click this link to go to the screen where you can

Signature

Information

The following fields display information on the current signature set that

the ZyWALL is using.

Current

Version This field displays the IDP signature and anomaly rule set version

number. This number gets larger as the set is enhanced.

Released

Date This field displays the date and time the set was released.

Update

Signatures Click this link to go to the screen you can use to download signatures

from the update server.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Table 130 Configuration > App Patrol > General (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 455

Click Configuration > App Patrol > Common to open the following screen.

Figure 279 Configuration > App Patrol > Common

The following table describes the labels in this screen. See Section 28.3.1 on page

455 for more information as well.

28.3.1 The Application Patrol Edit Screen

Use this screen to edit the settings for an application. To access this screen, go to

the application patrol Common, Instant Messenger, Peer to Peer, VoIP, or

Table 131 Configuration > App Patrol > Common

LABEL DESCRIPTION

Edit Double-click an entry or select it and click Edit to open a screen where

you can modify the entry’s settings.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

# This field is a sequential value, and it is not associated with a specific

application.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

Service This field displays the name of the application.

Default Access This field displays what the ZyWALL does with packets for this

application. Choices are: forward, drop, and reject.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

456

Streaming screen and click an application’s Edit icon. The screen displayed here

is for the MSN instant messenger service.

Figure 280 Application Edit

The following table describes the labels in this screen.

Table 132 Application Edit

LABEL DESCRIPTION

Service

Enable

Service Select this check box to turn on patrol for this application.

Service

Identification

Name This field displays the name of the application.

Classification Specify how the ZyWALL should identify this application. Choices are:

Auto - the ZyWALL identifies this application by matching the IP

payload with the application’s pattern(s).

Service Ports - the ZyWALL identifies this application by looking at the

destination port in the IP header.

Service Port This is available if the Classification is Service Ports. You can view

and edit the list of ports used to identify this application.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 457

# This field is a sequential value, and it is not associated with a specific

entry.

Note: The ZyWALL checks ports in the order they appear in the list.

While this sequence does not affect the functionality, you

might improve the performance of the ZyWALL by putting

more commonly used ports at the top of the list.

Service Port This column lists port numbers the ZyWALL uses to identify this

application.

Policy

Add Click this to create a new entry. Select an entry and click Add to create

a new entry after the selected entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Move To change an entry’s position in the numbered list, select it and click

Move to display a field to type a number for where you want to put that

entry and press [ENTER] to move the entry to the number that you

typed.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

# This field is a sequential value, and it is not associated with a specific

condition.

Note: The ZyWALL checks conditions in the order they appear in

the list. While this sequence does not affect the functionality,

you might improve the performance of the ZyWALL by

putting more common conditions at the top of the list.

Port This field displays the specific port number to which this policy applies.

Schedule This is the schedule that defines when the policy applies. any means

the policy is active at all times if enabled.

User This is the user name or user group to which the policy applies. If any

displays, the policy applies to all users.

From This is the source zone of the traffic to which this policy applies.

To This is the destination zone of the traffic to which this policy applies.

Source This is the source address or address group for whom this policy

applies. If any displays, the policy is effective for every source.

Destination This is the destination address or address group for whom this policy

applies. If any displays, the policy is effective for every destination.

Table 132 Application Edit (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

458

Access This field displays what the ZyWALL does with packets for this

application that match this policy.

forward - the ZyWALL routes the packets for this application.

Drop - the ZyWALL does not route the packets for this application and

does not notify the client of its decision.

Reject - the ZyWALL does not route the packets for this application

and notifies the client of its decision.

DSCP Marking This is how the ZyWALL handles the DSCP value of the outgoing

packets that match this policy.

In - Inbound, the traffic the ZyWALL sends to a connection’s initiator.

Out - Outbound, the traffic the ZyWALL sends out from a connection’s

initiator.

If this field displays a DSCP value, the ZyWALL applies that DSCP value

to the route’s outgoing packets.

preserve means the ZyWALL does not modify the DSCP value of the

route’s outgoing packets.

default means the ZyWALL sets the DSCP value of the route’s outgoing

packets to 0.

The “af” choices stand for Assured Forwarding. The number following

the “af” identifies one of four classes and one of three drop

preferences. See Assured Forwarding (AF) PHB for DiffServ on page

299 for more details.

BWM These fields show the amount of bandwidth the application’s traffic that

matches the policy can use. These fields only apply when Access is set

to forward.

In - This is how much inbound bandwidth, in kilobits per second, this

policy allows the application to use. Inbound refers to the traffic the

ZyWALL sends to a connection’s initiator. If no displays here, this policy

does not apply bandwidth management for the application’s incoming

traffic.

Out - This is how much outbound bandwidth, in kilobits per second,

this policy allows the application to use. Outbound refers to the traffic

the ZyWALL sends out from a connection’s initiator. If no displays here,

this policy does not apply bandwidth management for the application’s

outgoing traffic.

Pri - This is the priority for this application’s traffic that matches this

policy. The smaller the number, the higher the priority. The traffic of an

application with higher priority is given bandwidth before traffic of an

application with lower priority. The ZyWALL ignores this number if the

incoming and outgoing limits are both set to 0. In this case the traffic is

automatically treated as being set to the lowest priority (7) regardless

of this field’s configuration.

Log This field shows whether the ZyWALL generates a log (log), a log and

alert (log alert) or neither (no) when the application’s traffic matches

this policy.

Table 132 Application Edit (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 459

28.3.2 The Application Patrol Policy Edit Screen

The Application Policy Edit screen allows you to edit a group of settings for an

application. To access this screen, go to the application patrol Common, Instant

Messenger, Peer to Peer, VoIP, or Streaming screen and click an application’s

Edit icon. Then click the Add icon or an Edit icon in the Policy table. The screen

displayed here is for the MSN instant messenger service.

Figure 281 Application Policy Edit

The following table describes the labels in this screen.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this screen without saving your changes.

Table 132 Application Edit (continued)

LABEL DESCRIPTION

Table 133 Application Policy Edit

LABEL DESCRIPTION

Create new

Object

Use to configure any new settings objects that you need to use in this

screen.

Enable Policy Select this check box to turn on this policy for the application.

Port Use this field to specify a specific port number to which to apply this

policy. Type zero, if this policy applies for every port number.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

460

Schedule Select a schedule that defines when the policy applies or select Create

Object to configure a new one (see Chapter 38 on page 619 for details).

Otherwise, select none to make the policy always effective.

User Select a user name or user group to which to apply the policy. Use

Create new Object if you need to configure a new user account (see

Section 35.2.1 on page 594 for details). Select any to apply the policy

for every user.

From Select the source zone of the traffic to which this policy applies.

To Select the destination zone of the traffic to which this policy applies.

Source Select a source address or address group for whom this policy applies.

Use Create new Object if you need to configure a new one. Select any

if the policy is effective for every source.

Destination Select a destination address or address group for whom this policy

applies. Use Create new Object if you need to configure a new one.

Select any if the policy is effective for every destination.

Access This field controls what the ZyWALL does with packets for this

application that match this policy. Choices are:

forward - the ZyWALL routes the packets for this application.

Drop - the ZyWALL does not route the packets for this application and

does not notify the client of its decision.

Reject - the ZyWALL does not route the packets for this application and

notifies the client of its decision.

DSCP Marking Set how the ZyWALL handles the DSCP value of the outgoing packets

that match this policy. Inbound refers to the traffic the ZyWALL sends to

a connection’s initiator. Outbound refers to the traffic the ZyWALL sends

out from a connection’s initiator.

Select one of the pre-defined DSCP values to apply or select User

Defined to specify another DSCP value. The “af” choices stand for

Assured Forwarding. The number following the “af” identifies one of four

classes and one of three drop preferences. See Assured Forwarding (AF)

PHB for DiffServ on page 299 for more details.

Select preserve to have the ZyWALL keep the packets’ original DSCP

value.

Select default to have the ZyWALL set the DSCP value of the packets to

Table 133 Application Policy Edit (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 461

Action Block For some applications, you can select individual uses of the application

that the policy will have the ZyWALL block. These fields only apply when

Access is set to forward.

this application.

Message - Select this option to block users from sending or receiving

instant messages.

Audio - Select this option to block users from sending or receiving audio

traffic.

Video - Select this option to block users from sending or receiving video

traffic.

File Transfer - Select this option to block users from sending or

receiving files.

Bandwidth

Management

Configure these fields to set the amount of bandwidth the application

can use. These fields only apply when Access is set to forward.

You must also enable bandwidth management in the main application

patrol screen (AppPatrol > General) in order to apply bandwidth

shaping.

Inbound

kbps Type how much inbound bandwidth, in kilobits per second, this policy

allows the application to use. Inbound refers to the traffic the ZyWALL

sends to a connection’s initiator.

If you enter 0 here, this policy does not apply bandwidth management

for the application’s traffic that the ZyWALL sends to the initiator. Traffic

with bandwidth management disabled (inbound and outbound are both

set to 0) is automatically treated as the lowest priority (7).

If the sum of the bandwidths for routes using the same next hop is

higher than the actual transmission speed, lower priority traffic may not

be sent if higher priority traffic uses all of the actual bandwidth.

Outbound

kbps Type how much outbound bandwidth, in kilobits per second, this policy

allows the application to use. Outbound refers to the traffic the ZyWALL

sends out from a connection’s initiator.

If you enter 0 here, this policy does not apply bandwidth management

for the application’s traffic that the ZyWALL sends out from the initiator.

Traffic with bandwidth management disabled (inbound and outbound are

both set to 0) is automatically treated as the lowest priority (7).

If the sum of the bandwidths for routes using the same next hop is

higher than the actual transmission speed, lower priority traffic may not

be sent if higher priority traffic uses all of the actual bandwidth.

Table 133 Application Policy Edit (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

462

28.4 The Other Applications Screen

Sometimes, the ZyWALL cannot identify the application. For example, the

application might be a new application, or the packets might arrive out of

sequence. (The ZyWALL does not reorder packets when identifying the

application.)

The Other (applications) screen controls the default policy for TCP and UDP traffic

that the ZyWALL cannot identify. You can use source zone, destination zone,

destination port, schedule, user, source, and destination information as criteria to

create a sequence of specific conditions, similar to the sequence of rules used by

firewalls, to specify what the ZyWALL should do more precisely. You can also

control the bandwidth used by these other applications.This screen also allows you

to add, edit, and remove conditions to this default policy.

Priority This field displays when the inbound or outbound bandwidth

management is not set to 0. Enter a number between 1 and 7 to set the

priority for this application’s traffic that matches this policy. The smaller

the number, the higher the priority.

The ZyWALL gives traffic of an application with higher priority bandwidth

before traffic of an application with lower priority.

The ZyWALL uses a fairness-based (round-robin) scheduler to divide

bandwidth between applications with the same priority.

The number in this field is ignored if the incoming and outgoing limits

are both set to 0. In this case the traffic is automatically treated as being

set to the lowest priority (7) regardless of this field’s configuration.

Maximize

Bandwidth

Usage

This field displays when the inbound or outbound bandwidth

management is not set to 0. Enable maximize bandwidth usage to let

the traffic matching this policy “borrow” any unused bandwidth on the

out-going interface.

After each application gets its configured bandwidth rate, the ZyWALL

uses the fairness- based scheduler to divide any unused bandwidth on

the out-going interface amongst applications that need more bandwidth

and have maximize bandwidth usage enabled.

Log Select whether to have the ZyWALL generate a log (log), log and alert

(log alert) or neither (no) when the application’s traffic matches this

policy. See Chapter 46 on page 731 for more on logs.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this screen without saving your changes.

Table 133 Application Policy Edit (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 463

Click AppPatrol > Other to open the Other (applications) screen.

Figure 282 AppPatrol > Other

The following table describes the labels in this screen. See Section 28.4.1 on page

465 for more information as well.

Table 134 AppPatrol > Other

LABEL DESCRIPTION

Add Click this to create a new entry. Select an entry and click Add to create a

new entry after the selected entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Move To change an entry’s position in the numbered list, select it and click

Move to display a field to type a number for where you want to put that

entry and press [ENTER] to move the entry to the number that you

typed.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

# This field is a sequential value, and it is not associated with a specific

condition.

Note: The ZyWALL checks conditions in the order they appear in

the list. While this sequence does not affect the functionality,

you might improve the performance of the ZyWALL by putting

more common conditions at the top of the list.

Port This field displays the specific port number to which this policy applies.

Schedule This is the schedule that defines when the policy applies. any means the

policy always applies.

User This is the user name or user group to which the policy applies. If any

displays, the policy applies to all users.

From This is the source zone of the traffic to which this policy applies.

To This is the destination zone of the traffic to which this policy applies.

Source This is the source address or address group for whom this policy applies.

If any displays, the policy is effective for every source.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

464

Destination This is the destination address or address group for whom this policy

applies. If any displays, the policy is effective for every destination.

Protocol This is the protocol of the traffic to which this policy applies.

Access This field displays what the ZyWALL does with packets that match this

policy.

forward - the ZyWALL routes the packets.

Drop - the ZyWALL does not route the packets and does not notify the

client of its decision.

Reject - the ZyWALL does not route the packets and notifies the client

of its decision.

DSCP Marking This is how the ZyWALL handles the DSCP value of the outgoing packets

that match this policy.

In - Inbound, the traffic the ZyWALL sends to a connection’s initiator.

Out - Outbound, the traffic the ZyWALL sends out from a connection’s

initiator.

If this field displays a DSCP value, the ZyWALL applies that DSCP value

to the route’s outgoing packets.

preserve means the ZyWALL does not modify the DSCP value of the

route’s outgoing packets.

default means the ZyWALL sets the DSCP value of the route’s outgoing

packets to 0.

The “af” choices stand for Assured Forwarding. The number following

the “af” identifies one of four classes and one of three drop preferences.

See Assured Forwarding (AF) PHB for DiffServ on page 299 for more

details.

BWM These fields show the amount of bandwidth the traffic can use. These

fields only apply when Access is set to forward.

In - This is how much inbound bandwidth, in kilobits per second, this

policy allows the matching traffic to use. Inbound refers to the traffic the

ZyWALL sends to a connection’s initiator. If no displays here, this policy

does not apply bandwidth management for the inbound traffic.

Out - This is how much outgoing bandwidth, in kilobits per second, this

policy allows the matching traffic to use. Outbound refers to the traffic

the ZyWALL sends out from a connection’s initiator. If no displays here,

this policy does not apply bandwidth management for the outbound

traffic.

Pri - This is the priority for the traffic that matches this policy. The

smaller the number, the higher the priority. Traffic with a higher priority

is given bandwidth before traffic with a lower priority. The ZyWALL

ignores this number if the incoming and outgoing limits are both set to

0. In this case the traffic is automatically treated as being set to the

lowest priority (7) regardless of this field’s configuration.

Table 134 AppPatrol > Other (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 465

28.4.1 The Other Applications Add/Edit Screen

The Other Configuration Add/Edit screen allows you to create a new condition

or edit an existing one. To access this screen, go to the Other Protocol screen

(see Section 28.4 on page 462), and click either the Add icon or an Edit icon.

Figure 283 AppPatrol > Other > Edit

The following table describes the labels in this screen.

Log Select whether to have the ZyWALL generate a log (log), log and alert

(log alert) or neither (no) when traffic matches this policy. See Chapter

46 on page 731 for more on logs.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Table 134 AppPatrol > Other (continued)

LABEL DESCRIPTION

Table 135 AppPatrol > Other > Edit

LABEL DESCRIPTION

Create new

Object

Use to configure any new settings objects that you need to use in this

screen.

Enable Select this check box to turn on this policy.

Port Use this field to specify a specific port number to which to apply this

policy. Type zero, if this policy applies for every port number.

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

466

Schedule Select a schedule that defines when the policy applies or select Create

Object to configure a new one (see Chapter 38 on page 619 for details).

Otherwise, select any to make the policy always effective.

User Select a user name or user group to which to apply the policy. Use

Create new Object if you need to configure a new user account (see

Section 35.2.1 on page 594 for details). Select any to apply the policy

for every user.

From Select the source zone of the traffic to which this policy applies.

To Select the destination zone of the traffic to which this policy applies.

Source Select a source address or address group for whom this policy applies.

Use Create new Object if you need to configure a new one. Select any

if the policy is effective for every source.

Destination Select a destination address or address group for whom this policy

applies. Use Create new Object if you need to configure a new one.

Select any if the policy is effective for every destination.

Protocol Select the protocol for which this condition applies. Choices are: TCP

and UDP. Select any to apply the policy to both TCP and UDP traffic.

Access This field controls what the ZyWALL does with packets that match this

policy. Choices are:

forward - the ZyWALL routes the packets.

Drop - the ZyWALL does not route the packets and does not notify the

client of its decision.

Reject - the ZyWALL does not route the packets and notifies the client

of its decision.

DSCP Marking Set how the ZyWALL handles the DSCP value of the outgoing packets

that match this policy. Inbound refers to the traffic the ZyWALL sends to

a connection’s initiator. Outbound refers to the traffic the ZyWALL sends

out from a connection’s initiator.

Select one of the pre-defined DSCP values to apply or select User

Defined to specify another DSCP value. The “af” choices stand for

Assured Forwarding. The number following the “af” identifies one of four

classes and one of three drop preferences. See Assured Forwarding (AF)

PHB for DiffServ on page 299 for more details.

Select preserve to have the ZyWALL keep the packets’ original DSCP

value.

Select default to have the ZyWALL set the DSCP value of the packets to

Bandwidth

Management

Configure these fields to set the amount of bandwidth the application

can use. These fields only apply when Access is set to forward.

Table 135 AppPatrol > Other > Edit (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide 467

Inbound

kbps Type how much inbound bandwidth, in kilobits per second, this policy

allows the traffic to use. Inbound refers to the traffic the ZyWALL sends

to a connection’s initiator.

If you enter 0 here, this policy does not apply bandwidth management

for the matching traffic that the ZyWALL sends to the initiator. Traffic

with bandwidth management disabled (inbound and outbound are both

set to 0) is automatically treated as the lowest priority (7).

If the sum of the bandwidths for routes using the same next hop is

higher than the actual transmission speed, lower priority traffic may not

be sent if higher priority traffic uses all of the actual bandwidth.

Outbound

kbps Type how much outbound bandwidth, in kilobits per second, this policy

allows the traffic to use. Outbound refers to the traffic the ZyWALL sends

out from a connection’s initiator.

If you enter 0 here, this policy does not apply bandwidth management

for the matching traffic that the ZyWALL sends out from the initiator.

Traffic with bandwidth management disabled (inbound and outbound are

both set to 0) is automatically treated as the lowest priority (7).

If the sum of the bandwidths for routes using the same next hop is

higher than the actual transmission speed, lower priority traffic may not

be sent if higher priority traffic uses all of the actual bandwidth.

Priority This field displays when the inbound or outbound bandwidth

management is not set to 0. Enter a number between 1 and 7 to set the

priority for traffic that matches this policy. The smaller the number, the

higher the priority.

Traffic with a higher priority is given bandwidth before traffic with a

lower priority.

The ZyWALL uses a fairness-based (round-robin) scheduler to divide

bandwidth between traffic flows with the same priority.

The number in this field is ignored if the incoming and outgoing limits

are both set to 0. In this case the traffic is automatically treated as being

set to the lowest priority (7) regardless of this field’s configuration.

Maximize

Bandwidth

Usage

This field displays when the inbound or outbound bandwidth

management is not set to 0. Enable maximize bandwidth usage to let

the traffic matching this policy “borrow” any unused bandwidth on the

out-going interface.

After each application or type of traffic gets its configured bandwidth

rate, the ZyWALL uses the fairness- based scheduler to divide any

unused bandwidth on the out-going interface amongst applications and

traffic types that need more bandwidth and have maximize bandwidth

usage enabled.

Log This field controls what kind of record the ZyWALL creates when traffic

matches this policy. See Chapter 46 on page 731 for more on logs.

no - the ZyWALL does not record anything

log - the ZyWALL creates a record in the log

log alert - the ZyWALL creates an alert

Table 135 AppPatrol > Other > Edit (continued)

LABEL DESCRIPTION

Chapter 28 Application Patrol

ZyWALL USG 50 User’s Guide

468

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this screen without saving your changes.

Table 135 AppPatrol > Other > Edit (continued)

LABEL DESCRIPTION

ZyWALL USG 50 User’s Guide 469

CHAPTER 29

Anti-Virus

29.1 Overview

Use the ZyWALL’s anti-virus feature to protect your connected network from virus/

spyware infection. The ZyWALL checks traffic going in the direction(s) you specify

for signature matches. In the following figure the ZyWALL is set to check traffic

coming from the WAN zone (which includes two interfaces) to the LAN zone.

Figure 284 ZyWALL Anti-Virus Example

29.1.1 What You Can Do in this Chapter

•Use the General screens (Section 29.2 on page 472) to turn anti-virus on or off,

set up anti-virus policies and check the anti-virus engine type and the anti-virus

license and signature status.

•Use the Black/White List screen (Section 29.3 on page 477) to set up anti-

virus black (blocked) and white (allowed) lists of virus file patterns.

•Use the Signature screen (Section 29.6 on page 480) to search signatures to

get more information about signatures.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide

470

29.1.2 What You Need to Know

Anti-Virus Engines

Subscribe to signature files for Kaspersky’s anti-virus engine. After the trial

expires, you need to purchase an iCard for the anti-virus engine you want to use

and register it in the Registration > Service screen. You must use the Kaspersky

anti-virus iCard for the Kaspersky anti-virus engine. See Section 10.1 on page 213

for details.

Virus and Worm

A computer virus is a small program designed to corrupt and/or alter the

operation of other legitimate programs. A worm is a self-replicating virus that

resides in active memory and duplicates itself. The effect of a virus attack varies

from doing so little damage that you are unaware your computer is infected to

wiping out the entire contents of a hard drive to rendering your computer

inoperable.

ZyWALL Anti-Virus Scanner

The ZyWALL has a built-in signature database. Setting up the ZyWALL between

your local network and the Internet allows the ZyWALL to scan files transmitting

through the enabled interfaces into your network. As a network-based anti-virus

scanner, the ZyWALL helps stop threats at the network edge before they reach the

local host computers.

You can set the ZyWALL to examine files received through the following protocols:

• FTP (File Transfer Protocol)

• HTTP (Hyper Text Transfer Protocol)

• SMTP (Simple Mail Transfer Protocol)

• POP3 (Post Office Protocol version 3)

• IMAP4 (Internet Message Access Protocol version 4)

How the ZyWALL Anti-Virus Scanner Works

The following describes the virus scanning process on the ZyWALL.

1The ZyWALL first identifies SMTP, POP3, IMAP4, HTTP and FTP packets through

standard ports.

2If the packets are not session connection setup packets (such as SYN, ACK and

FIN), the ZyWALL records the sequence of the packets.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide 471

3The scanning engine checks the contents of the packets for virus.

4If a virus pattern is matched, the ZyWALL removes the infected portion of the file

along with the rest of the file. The un-infected portion of the file before a virus

pattern was matched still goes through.

5If the send alert message function is enabled, the ZyWALL sends an alert to the

file’s intended destination computer(s).

Note: Since the ZyWALL erases the infected portion of the file before sending it, you

may not be able to open the file.

Notes About the ZyWALL Anti-Virus

The following lists important notes about the anti-virus scanner:

1The ZyWALL anti-virus scanner can detect polymorphic viruses.

2When a virus is detected, an alert message is displayed in Microsoft Windows

computers. Refer to the user’s guide appendices Appendix C on page 865 if your

Windows computer does not display the alert messages.

3Changes to the ZyWALL’s anti-virus settings affect new sessions (not the sessions

that already existed before you applied the changed settings).

4The ZyWALL does not scan the following file/traffic types:

• Simultaneous downloads of a file using multiple connections. For example,

when you use FlashGet to download sections of a file simultaneously.

• Encrypted traffic. This could be password-protected files or VPN traffic where

the ZyWALL is not the endpoint (pass-through VPN traffic).

• Traffic through custom (non-standard) ports. The only exception is FTP traffic.

The ZyWALL scans whatever port number is specified for FTP in the ALG

screen.

• ZIP file(s) within a ZIP file.

Finding Out More

• See Section 6.5.18 on page 105 for related information on these screens.

• See Section 29.7 on page 483 for anti-virus background information.

29.1.3 Before You Begin

• Before using anti-virus, see Section 10.1 on page 213 for how to register for the

anti-virus service.

• You may need to customize the zones (in the Network > Zone) used for the

anti-virus scanning direction.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide

472

29.2 Anti-Virus Summary Screen

Click Configuration > Anti-X > Anti-Virus to display the configuration screen

as shown next.

Figure 285 Configuration > Anti-X > Anti-Virus > General

The following table describes the labels in this screen.

Table 136 Configuration > Anti-X > Anti-Virus > General

LABEL DESCRIPTION

Show Advance

Settings / Hide

Advance

Settings

Click this button to display a greater or lesser number of configuration

fields.

Enable Anti-

Virus and Anti-

Spyware

Select this check box to check traffic for viruses and spyware. The

following table lists policies that define which traffic the ZyWALL scans

and the action it takes upon finding a virus.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide 473

Scan EICAR Select this option to have the ZyWALL check for the EICAR test file and

treat it in the same way as a real virus file. The EICAR test file is a

standardized test file for signature based anti-virus scanners. When the

virus scanner detects the EICAR file, it responds in the same way as if it

found a real virus. Besides straightforward detection, the EICAR file can

also be compressed to test whether the anti-virus software can detect it

in a compressed file. The test string consists of the following human-

readable ASCII characters.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-

TEST-FILE!$H+H*

Policies

Add Click this to create a new entry. Select an entry and click Add to create

a new entry after the selected entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Move To change an entry’s position in the numbered list, select it and click

Move to display a field to type a number for where you want to put that

entry and press [ENTER] to move the entry to the number that you

typed.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

Priority This is the position of an anti-virus policy in the list. The ordering of

your anti-virus policies is important as the ZyWALL applies them in

sequence. Once traffic matches an anti-virus policy, the ZyWALL applies

that policy and does not check the traffic against any more policies.

From The anti-virus policy has the ZyWALL scan traffic coming from this zone

and going to the To zone.

To The anti-virus policy has the ZyWALL scan traffic going to this zone from

the From zone.

Protocol These are the protocols of traffic to scan for viruses.

FTP applies to traffic using the TCP port number specified for FTP in the

ALG screen.

HTTP applies to traffic using TCP ports 80, 8080 and 3128.

SMTP applies to traffic using TCP port 25.

POP3 applies to traffic using TCP port 110.

IMAP4 applies to traffic using TCP port 143.

License The following fields display information about the current state of your

subscription for virus signatures.

License

Status This field displays whether a service is activated (Licensed) or not (Not

Licensed) or expired (Expired).

Table 136 Configuration > Anti-X > Anti-Virus > General (continued)

LABEL DESCRIPTION

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide

474

License Type This field displays whether you applied for a trial application (Trial) or

registered a service with your iCard’s PIN number (Standard). None

displays when the service is not activated.

Apply new

Registration This link appears if you have not registered for the service or only have

the trial registration. Click this link to go to the screen where you can

Signature

Information

The following fields display information on the current signature set that

the ZyWALL is using.

Anti-Virus

Engine Type This field displays Kaspersky’s anti-virus engine .

Current

Version This field displays the anti-virus signature set version number. This

number gets larger as the set is enhanced.

Signature

Number This field displays the number of anti-virus signatures in this set.

Released

Date This field displays the date and time the set was released.

Update

Signatures Click this link to go to the screen you can use to download signatures

from the update server.

Apply Click Apply to save your changes.

Reset Click Reset to return the screen to its last-saved settings.

Table 136 Configuration > Anti-X > Anti-Virus > General (continued)

LABEL DESCRIPTION

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide 475

29.2.1 Anti-Virus Policy Add or Edit Screen

Click the Add or Edit icon in the Configuration > Anti-X > Anti-Virus >

General screen to display the configuration screen as shown next.

Figure 286 Configuration > Anti-X > Anti-Virus > General > Add

The following table describes the labels in this screen.

Table 137 Configuration > Anti-X > Anti-Virus > General > Add

LABEL DESCRIPTION

Enable Select this check box to have the ZyWALL apply this anti-virus policy

to check traffic for viruses.

From

Select source and destination zones for traffic to scan for viruses. The

anti-virus policy has the ZyWALL scan traffic coming from the From

zone and going to the To zone.

Protocols to Scan Select which protocols of traffic to scan for viruses.

HTTP applies to traffic using TCP ports 80, 8080 and 3128.

FTP applies to traffic using the TCP port number specified for FTP in

the ALG screen.

SMTP applies to traffic using TCP port 25.

POP3 applies to traffic using TCP port 110.

IMAP4 applies to traffic using TCP port 143.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide

476

Actions When

Matched

Destroy infected

file

When you select this check box, if a virus pattern is matched, the

ZyWALL overwrites the infected portion of the file (and the rest of the

file) with zeros. The un-infected portion of the file before a virus

pattern was matched goes through unmodified.

Send Windows

Message

Select this check box to set the ZyWALL to send a message alert to

files’ intended user(s) using Microsoft Windows computers connected

to the to interface.

Refer to Appendix C on page 865 if your Windows computer does not

display the alert messages.

Log These are the log options:

no: Do not create a log when a packet matches a signature(s).

log: Create a log on the ZyWALL when a packet matches a

signature(s).

log alert: An alert is an e-mailed log for more serious events that

may need more immediate attention. Select this option to have the

ZyWALL send an alert when a packet matches a signature(s).

White List / Black

List Checking

Check White List Select this check box to check files against the white list.

Check Black List Select this check box to check files against the black list.

File

decompression

Enable file

decompression

(ZIP and RAR)

Select this check box to have the ZyWALL scan a ZIP file (the file does

not have to have a “zip” or “rar” file extension). The ZyWALL first

decompresses the ZIP file and then scans the contents for viruses.

Note: The ZyWALL decompresses a ZIP file once. The ZyWALL

does NOT decompress any ZIP file(s) within a ZIP file.

Table 137 Configuration > Anti-X > Anti-Virus > General > Add (continued)

LABEL DESCRIPTION

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide 477

29.3 Anti-Virus Black List

Click Configuration > Anti-X > Anti-Virus > Black/White List to display the

screen shown next. Use the Black List screen to set up the Anti-Virus black

(blocked) list of virus file patterns. Click a column’s heading cell to sort the table

entries by that column’s criteria. Click the heading cell again to reverse the sort

order.

Figure 287 Configuration > Anti-X > Anti-Virus > Black/White List > Black List

Destroy

compressed

files that could

not be

decompressed

Note: When you select this option, the ZyWALL deletes ZIP files

that use password encryption.

Select this check box to have the ZyWALL delete any ZIP files that it

is not able to unzip. The ZyWALL cannot unzip password protected

ZIP files or a ZIP file within another ZIP file. There are also limits to

the number of ZIP files that the ZyWALL can concurrently unzip.

Note: The ZyWALL’s firmware package cannot go through the

ZyWALL with this option enabled. The ZyWALL classifies

the firmware package as not being able to be

decompressed and deletes it.

You can upload the firmware package to the ZyWALL with the option

enabled, so you only need to clear this option while you download

the firmware package.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving your changes.

Table 137 Configuration > Anti-X > Anti-Virus > General > Add (continued)

LABEL DESCRIPTION

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide

478

The following table describes the labels in this screen.

29.4 Anti-Virus Black List or White List Add/Edit

From the Configuration > Anti-X > Anti-Virus > Black/White List > Black

List (or White List) screen, click the Add icon or an Edit icon to display the

following screen.

• For a black list entry, enter a file pattern that should cause the ZyWALL to log

and delete a file.

• For a white list entry, enter a file pattern that should cause the ZyWALL to allow

a file.

Figure 288 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or

White List) > Add

Table 138 Configuration > Anti-X > Anti-Virus > Black/White List > Black List

LABEL DESCRIPTION

Enable Black

List

Select this check box to log and delete files with names that match the

black list patterns. Use the black list to log and delete files with names

that match the black list patterns.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

#This is the entry’s index number in the list.

File Pattern This is the file name pattern. If a file’s name that matches this pattern,

the ZyWALL logs and deletes the file.

Apply Click Apply to save your changes.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide 479

The following table describes the labels in this screen.

29.5 Anti-Virus White List

Click Configuration > Anti-X > Anti-Virus > Black/White List > White List

to display the screen shown next. Use the Black/White List screen to set up

Anti-Virus black (blocked) and white (allowed) lists of virus file patterns. Click a

Table 139 Configuration > Anti-X > Anti-Virus > Black/White List > Black List (or

White List) > Add

LABEL DESCRIPTION

Enable If this is a black list entry, select this option to have the ZyWALL apply

this entry when using the black list.

If this is a white list entry, select this option to have the ZyWALL apply

this entry when using the white list.

File Pattern For a black list entry, specify a pattern to identify the names of files that

the ZyWALL should log and delete.

For a white list entry, specify a pattern to identify the names of files that

the ZyWALL should not scan for viruses.

• Use up to 80 characters. Alphanumeric characters, underscores (_),

dashes (-), question marks (?) and asterisks (*) are allowed.

• A question mark (?) lets a single character in the file name vary. For

example, use “a?.zip” (without the quotation marks) to specify

aa.zip, ab.zip and so on.

• Wildcards (*) let multiple files match the pattern. For example, use

“*a.zip” (without the quotation marks) to specify any file that ends

with “a.zip”. A file named “testa.zip would match. There could be any

number (of any type) of characters in front of the “a.zip” at the end

and the file name would still match. A file named “test.zipa” for

example would not match.

• A * in the middle of a pattern has the ZyWALL check the beginning

and end of the file name and ignore the middle. For example, with

“abc*.zip”, any file starting with “abc” and ending in “.zip” matches,

no matter how many characters are in between.

• The whole file name has to match if you do not use a question mark

or asterisk.

• If you do not use a wildcard, the ZyWALL checks up to the first 80

characters of a file name.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide

480

column’s heading cell to sort the table entries by that column’s criteria. Click the

heading cell again to reverse the sort order.

Figure 289 Configuration > Anti-X > Anti-Virus > Black/White List > White List

The following table describes the labels in this screen.

29.6 Signature Searching

Click Configuration > Anti-X > Anti-Virus > Signature to display this screen.

Use this screen to locate signatures and display details about them.

Table 140 Configuration > Anti-X > Anti-Virus > Black/White List > White List

LABEL DESCRIPTION

Enable White

List

Select this check box to have the ZyWALL not perform the anti-virus

check on files with names that match the white list patterns.

Use the white list to have the ZyWALL not perform the anti-virus check

on files with names that match the white list patterns.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

#This is the entry’s index number in the list.

File Pattern This is the file name pattern. If a file’s name matches this pattern, the

ZyWALL does not check the file for viruses.

Apply Click Apply to save your changes.

Reset Click Reset to return the screen to its last-saved settings.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide 481

If Internet Explorer opens a warning screen about a script making Internet

Explorer run slowly and the computer maybe becoming unresponsive, just click

No to continue. Click a column’s heading cell to sort the table entries by that

column’s criteria. Click the heading cell again to reverse the sort order.

Figure 290 Configuration > Anti-X > Anti-Virus > Signature: Search by Severity

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide

482

The following table describes the labels in this screen.

Table 141 Configuration > Anti-X > Anti-Virus > Signature

LABEL DESCRIPTION

Signatures

Select the criteria on which to perform the search.

Select By Name from the drop down list box and type the name or part

of the name of the signature(s) you want to find. This search is not

case-sensitive.

Select By ID from the drop down list box and type the ID or part of the

ID of the signature you want to find.

Select By Severity from the drop down list box and select the severity

level of the signatures you want to find.

Select By Category from the drop down list box and select whether you

want to see virus signatures or spyware signatures.

Click Search to have the ZyWALL search the signatures based on your

specified criteria.

Query all

signatures and

export

Click Export to have the ZyWALL save all of the anti-virus signatures to

your computer in a .txt file.

Query Result

# This is the entry’s index number in the list.

Name This is the name of the anti-virus signature. Click the Name column

heading to sort your search results in ascending or descending order

according to the signature name.

Click a signature’s name to see details about the virus.

ID This is the IDentification number of the anti-virus signature. Click the ID

column header to sort your search results in ascending or descending

order according to the ID.

Severity This is the severity level of the anti-virus signature. Click the severity

column header to sort your search results by ascending or descending

severity.

Category This column displays whether the signature is for identifying a virus or

spyware. Click the column heading to sort your search results by

category.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide 483

29.7 Anti-Virus Technical Reference

Types of Computer Viruses

The following table describes some of the common computer viruses.

Computer Virus Infection and Prevention

The following describes a simple life cycle of a computer virus.

1A computer gets a copy of a virus from a source such as the Internet, e-mail, file

sharing or any removable storage media. The virus is harmless until the execution

of an infected program.

2The virus spreads to other files and programs on the computer.

3The infected files are unintentionally sent to another computer thus starting the

spread of the virus.

4Once the virus is spread through the network, the number of infected networked

computers can grow exponentially.

Types of Anti-Virus Scanner

The section describes two types of anti-virus scanner: host-based and network-

based.

Table 142 Common Computer Virus Types

TYPE DESCRIPTION

File Infector This is a small program that embeds itself in a legitimate program. A

file infector is able to copy and attach itself to other programs that are

executed on an infected computer.

Boot Sector

Virus

This type of virus infects the area of a hard drive that a computer

reads and executes during startup. The virus causes computer crashes

and to some extend renders the infected computer inoperable.

Macro Virus Macro viruses or Macros are small programs that are created to

perform repetitive actions. Macros run automatically when a file to

which they are attached is opened. Macros spread more rapidly than

other types of viruses as data files are often shared on a network.

E-mail Virus E-mail viruses are malicious programs that spread through e-mail.

Polymorphic

Virus

A polymorphic virus (also known as a mutation virus) tries to evade

detection by changing a portion of its code structure after each

execution or self replication. This makes it harder for an anti-virus

scanner to detect or intercept it.

A polymorphic virus can also belong to any of the virus types discussed

above.

Chapter 29 Anti-Virus

ZyWALL USG 50 User’s Guide

484

A host-based anti-virus (HAV) scanner is often software installed on computers

and/or servers in the network. It inspects files for virus patterns as they are

moved in and out of the hard drive. However, host-based anti-virus scanners

cannot eliminate all viruses for a number of reasons:

• HAV scanners are slow in stopping virus threats through real-time traffic (such

as from the Internet).

• HAV scanners may reduce computing performance as they also share the

resources (such as CPU time) on the computer for file inspection.

• You have to update the virus signatures and/or perform virus scans on all

computers in the network regularly.

A network-based anti-virus (NAV) scanner is often deployed as a dedicated

security device (such as your ZyWALL) on the network edge. NAV scanners inspect

real-time data traffic (such as E-mail messages or web) that tends to bypass HAV

scanners. The following lists some of the benefits of NAV scanners.

• NAV scanners stops virus threats at the network edge before they enter or exit a

network.

• NAV scanners reduce computing loading on computers as the read-time data

traffic inspection is done on a dedicated security device.

ZyWALL USG 50 User’s Guide 485

CHAPTER 30

IDP

30.1 Overview

This chapter introduces packet inspection IDP (Intrusion, Detection and

Prevention), IDP profiles, binding an IDP profile to a traffic flow, custom signatures

and updating signatures. An IDP system can detect malicious or suspicious

packets and respond instantaneously. IDP on the ZyWALL protects against

network-based intrusions.

30.1.1 What You Can Do in this Chapter

•Use the Anti-X > IDP > General screen (Section 30.2 on page 487) to turn

IDP on or off, bind IDP profiles to traffic directions, and view registration and

signature information. Click the Add or Edit icon in this screen to bind an IDP

profile to a traffic direction.

•Use the Anti-X > IDP > Profile screen (Section 30.3 on page 489) to add a

new profile, edit an existing profile or delete an existing profile.

•Use the Anti-X > IDP > Custom Signature screens (Section 30.8 on page

504) to create a new signature, edit an existing signature, delete existing

signatures or save signatures to your computer.

30.1.2 What You Need To Know

Packet Inspection Signatures

A signature identifies a malicious or suspicious packet and specifies an action to be

taken. You can change the action in the profile screens. Packet inspection

signatures examine OSI (Open System Interconnection) layer-4 to layer-7 packet

contents for malicious data. Generally, packet inspection signatures are created

for known attacks while anomaly detection looks for abnormal behavior (see

Section 31.1 on page 519).

Zone

A zone is a combination of ZyWALL interfaces and VPN connections used for

configuring security. See the zone chapter for details on zones and the interfaces

chapter for details on interfaces.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

486

IDP Profiles

An IDP profile is a set of related IDP signatures that you can activate as a set and

configure common log and action settings. You can apply IDP profiles to traffic

flowing from one zone to another. For example, apply the default LAN_IDP profile

to any traffic going to the LAN zone in order to protect your LAN computers.

Note: You can only apply one IDP profile to one traffic flow.

Base IDP Profiles

Base IDP profiles are templates that you use to create new IDP profiles.The

ZyWALL comes with several base profiles. See Table 144 on page 490 for details

on base profiles.

IDP Policies

An IDP policy refers to application of an IDP profile to a traffic flowing from one

zone to another.

Applying Your IDP Configuration

Changes to the ZyWALL’s IDP settings affect new sessions (not the sessions that

already existed before you applied the changed settings).

Finding Out More

• See Section 6.5.19 on page 105 for IDP prerequisite information.

• See Section 31.1 on page 519 for anomaly detection and protection.

• See Section 30.9 on page 516 for more information on network-based intrusions

• See Section 30.6.2 on page 496 for a list of attacks that the ZyWALL can protect

against.

• See Section 30.7 on page 503 for how to create your own custom IDP

signatures.

30.1.3 Before You Begin

• Register for a trial IDP subscription in the Registration screen (see Section

10.2 on page 215). This gives you access to free signature updates. This is

important as new signatures are created as new attacks evolve. When the trial

subscription expires, purchase and enter a license key using the same screens

to continue the subscription.

• Configure zones on the ZyWALL - see Chapter 15 on page 317 for more

information.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 487

30.2 The IDP General Screen

Click Configuration > Anti-X > IDP > General to open this screen. Use this

screen to turn IDP on or off, bind IDP profiles to traffic directions, and view

registration and signature information.

Note: You must register in order to use packet inspection signatures. See the

Registration screens.

If you try to enable IDP when the IDP service has not yet been registered, a

warning screen displays and IDP is not enabled.

Figure 291 Configuration > Anti-X > IDP > General

The following table describes the screens in this screen.

Table 143 Configuration > Anti-X > IDP > General

LABEL DESCRIPTION

General Settings

Enable

Signature

Detection

You must register for IDP service in order to use packet inspection

signatures. If you don’t have a standard license, you can register for

a once-off trial one.

Policies Use this list to specify which IDP profile the ZyWALL uses for traffic

flowing in a specific direction. Edit the policies directly in the table.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

488

Add Click this to create a new entry. Select an entry and click Add to

create a new entry after the selected entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Move To change an entry’s position in the numbered list, select it and click

Move to display a field to type a number for where you want to put

that entry and press [ENTER] to move the entry to the number that

you typed.

#This is the entry’s index number in the list.

Priority IDP policies are applied in order of priority.

Status The activate (light bulb) icon is lit when the entry is active and

dimmed when the entry is inactive.

From, To This is the direction of travel of packets to which an IDP profile is

bound. Traffic direction is defined by the zone the traffic is coming

from and the zone the traffic is going to.

Note: Depending on your network topology and traffic load,

binding every packet direction to an IDP profile may affect

the ZyWALL’s performance.

Use the From field to specify the zone from which the traffic is

coming. Use the To field to specify the zone to which the traffic is

going.

From LAN1 To LAN1 means packets traveling from a computer on

one LAN1 subnet to a computer on another LAN subnet via the

ZyWALL’s LAN1 zone interfaces. The ZyWALL does not check packets

traveling from a LAN1 computer to another LAN1 computer on the

same subnet.

From WAN To WAN means packets that come in from the WAN

zone and the ZyWALL routes back out through the WAN zone.

IDP Profile This field shows which IDP profile is bound to which traffic direction.

Select an IDP profile to apply to the entry’s traffic direction.

Configure the IDP profiles in the IDP profile screens.

License You need to create an account at myZyXEL.com, register your

ZyWALL and then subscribe for IDP in order to be able to download

new packet inspection signatures from myZyXEL.com. There’s an

initial free trial period for IDP after which you must pay to subscribe

to the service. See the Registration chapter for details.

License Status Licensed, Not Licensed or Expired indicates whether you have

subscribed for IDP services or not or your registration has expired.

License Type This field shows Trial, Standard or None depending on whether

you subscribed to the IDP trial, bought an iCard for IDP service or

neither.

Table 143 Configuration > Anti-X > IDP > General (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 489

30.3 Introducing IDP Profiles

An IDP profile is a set of packet inspection signatures.

Packet inspection signatures examine packet content for malicious data. Packet

inspection applies to OSI (Open System Interconnection) layer-4 to layer-7

contents. You need to subscribe for IDP service in order to be able to download

new signatures.

In general, packet inspection signatures are created for known attacks while

anomaly detection looks for abnormal behavior (see Section 31.1 on page 519 for

information on anomaly detection).

Apply new

Registration This link appears if you have not registered for the service or only

have the trial registration. Click this link to go to the screen where

you can register for the service.

Signature

Information

The following fields display information on the current signature set

that the ZyWALL is using.

Current Version This field displays the IDP signature set version number. This number

gets larger as the set is enhanced.

Signature

Number This field displays the number of IDP signatures in this set. This

number usually gets larger as the set is enhanced. Older signatures

and rules may be removed if they are no longer applicable or have

been supplanted by newer ones.

Released Date This field displays the date and time the set was released.

Update

Signatures Click this link to go to the screen you can use to download signatures

from the update server.

Apply Click Apply to save your changes.

Reset Click Reset to return the screen to its last-saved settings.

Table 143 Configuration > Anti-X > IDP > General (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

490

30.3.1 Base Profiles

The ZyWALL comes with several base profiles. You use base profiles to create new

profiles. In the Configuration > Anti-X > IDP > Profile screen, click Add to

display the following screen.

Figure 292 Base Profiles

The following table describes this screen.

Table 144 Base Profiles

BASE

PROFILE DESCRIPTION

none All signatures are disabled. No logs are generated nor actions are taken.

all All signatures are enabled. Signatures with a high or severe severity

level (greater than three) generate log alerts and cause packets that

trigger them to be dropped. Signatures with a very low, low or medium

severity level (less than or equal to three) generate logs (not log alerts)

and no action is taken on packets that trigger them.

wan Signatures for all services are enabled. Signatures with a medium, high

or severe severity level (greater than two) generate logs (not log alerts)

and no action is taken on packets that trigger them. Signatures with a

very low or low severity level (less than or equal to two) are disabled.

lan This profile is most suitable for common LAN network services.

Signatures for common services such as DNS, FTP, HTTP, ICMP, IM,

IMAP, MISC, NETBIOS, P2P, POP3, RPC, RSERVICE, SMTP, SNMP, SQL,

TELNET, TFTP, MySQL are enabled. Signatures with a high or severe

severity level (greater than three) generate logs (not log alerts) and

cause packets that trigger them to be dropped. Signatures with a low or

medium severity level (two or three) generate logs (not log alerts) and

no action is taken on packets that trigger them. Signatures with a very

low severity level (one) are disabled.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 491

30.4 The Profile Summary Screen

Select Anti-X > IDP > Profile. Use this screen to:

• Add a new profile

• Edit an existing profile

• Delete an existing profile.

Click a column’s heading cell to sort the table entries by that column’s criteria.

Click the heading cell again to reverse the sort order.

Figure 293 Configuration > Anti-X > IDP > Profile

The following table describes the fields in this screen.

dmz This profile is most suitable for networks containing your servers.

Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP,

MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET,

Oracle, MySQL are enabled. Signatures with a high or severe severity

level (greater than three) generate log alerts and cause packets that

trigger them to be dropped. Signatures with a low or medium severity

level (two or three) generate logs (not log alerts) and no action is taken

on packets that trigger them. Signatures with a very low severity level

(one) are disabled.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving your changes.

Table 144 Base Profiles (continued)

BASE

PROFILE DESCRIPTION

Table 145 Configuration > Anti-X > IDP > Profile

LABEL DESCRIPTION

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

#This is the entry’s index number in the list.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

492

30.5 Creating New Profiles

You may want to create a new profile if not all signatures in a base profile are

applicable to your network. In this case you should disable non-applicable

signatures so as to improve ZyWALL IDP processing efficiency.

You may also find that certain signatures are triggering too many false positives or

false negatives. A false positive is when valid traffic is flagged as an attack. A false

negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As

each network is different, false positives and false negatives are common on initial

IDP deployment.

You could create a new ‘monitor profile’ that creates logs but all actions are

disabled. Observe the logs over time and try to eliminate the causes of the false

alarms. When you’re satisfied that they have been reduced to an acceptable level,

you could then create an ‘inline profile’ whereby you configure appropriate actions

to be taken when a packet matches a signature.

30.5.1 Procedure To Create a New Profile

To create a new profile:

1Click the Add icon in the Configuration > Anti-X > IDP > Profile screen to

display a pop-up screen allowing you to choose a base profile.

2Select a base profile (see Table 144 on page 490) and then click OK to go to the

profile details screen.

Note: If Internet Explorer opens a warning screen about a script making Internet

Explorer run slowly and the computer maybe becoming unresponsive, just click

No to continue.

3Type a new profile name

4Enable or disable individual signatures.

5Edit the default log options and actions.

Name This is the name of the profile you created.

Base Profile This is the base profile from which the profile was created.

Table 145 Configuration > Anti-X > IDP > Profile (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 493

30.6 Profiles: Packet Inspection

Select Configuration > Anti-X > IDP > Profile and then add a new or edit an

existing profile select. Packet inspection signatures examine the contents of a

packet for malicious data. It operates at layer-4 to layer-7.

30.6.1 Profile > Group View Screen

Figure 294 Configuration > Anti-X > IDP > Profile > Edit: Group View

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

494

The following table describes the fields in this screen.

Table 146 Configuration > Anti-X > IDP > Profile > Group View

LABEL DESCRIPTION

Name This is the name of the profile. You may use 1-31 alphanumeric

characters, underscores(_), or dashes (-), but the first character cannot

be a number. This value is case-sensitive. These are valid, unique profile

names:

MyProfile

mYProfile

Mymy12_3-4

These are invalid profile names:

1mYProfile

My Profile

MyProfile?

Whatalongprofilename123456789012

Switch to

query view

Click this button to go to a screen where you can search for signatures by

criteria such as name, ID, severity, attack type, vulnerable attack

platforms, service category, log options or actions.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Log To edit an item’s log option, select it and use the Log icon. These are the

log options:

no: Select this option on an individual signature or a complete service

group to have the ZyWALL create no log when a packet matches a

signature(s).

log: Select this option on an individual signature or a complete service

group to have the ZyWALL create a log when a packet matches a

signature(s).

log alert: An alert is an e-mailed log for more serious events that may

need more immediate attention. Select this option to have the ZyWALL

send an alert when a packet matches a signature(s).

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 495

Action To edit what action the ZyWALL takes when a packet matches a signature,

select the signature and use the Action icon.

none: Select this action on an individual signature or a complete service

group to have the ZyWALL take no action when a packet matches the

signature(s).

drop: Select this action on an individual signature or a complete service

group to have the ZyWALL silently drop a packet that matches the

signature(s). Neither sender nor receiver are notified.

reject-sender: Select this action on an individual signature or a complete

service group to have the ZyWALL send a reset to the sender when a

packet matches the signature. If it is a TCP attack packet, the ZyWALL will

send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the

ZyWALL will send an ICMP unreachable packet.

reject-receiver: Select this action on an individual signature or a

complete service group to have the ZyWALL send a reset to the receiver

when a packet matches the signature. If it is a TCP attack packet, the

ZyWALL will send a packet with an a ‘RST’ flag. If it is an ICMP or UDP

attack packet, the ZyWALL will do nothing.

reject-both: Select this action on an individual signature or a complete

service group to have the ZyWALL send a reset to both the sender and

receiver when a packet matches the signature. If it is a TCP attack packet,

the ZyWALL will send a packet with a ‘RST’ flag to the receiver and sender.

If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP

unreachable packet.

#This is the entry’s index number in the list.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

Service Click the + sign next to a service group to expand it. A service group is a

group of related IDP signatures.

Message This is the name of the signature.

SID This is the signature ID (identification) number that uniquely identifies a

ZyWALL signature.

Severity These are the severities as defined in the ZyWALL. The number in brackets

is the number you use if using commands.

Severe (5): These denote attacks that try to run arbitrary code or gain

system privileges.

High (4): These denote known serious vulnerabilities or attacks that are

probably not false alarms.

Medium (3): These denote medium threats, access control attacks or

attacks that could be false alarms.

Low (2): These denote mild threats or attacks that could be false alarms.

Very Low (1): These denote possible attacks caused by traffic such as

Ping, trace route, ICMP queries etc.

Policy Type This is the attack type as defined on the ZyWALL. See Table 147 on page

496 for a description of each type.

Table 146 Configuration > Anti-X > IDP > Profile > Group View (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

496

30.6.2 Policy Types

This section describes IDP policy types, also known as attack types, as categorized

in the ZyWALL. You may refer to these types when categorizing your own custom

rules.

Log These are the log options. To edit this, select an item and use the Log

icon.

Action This is the action the ZyWALL should take when a packet matches a

signature here. To edit this, select an item and use the Action icon.

OK A profile consists of three separate screens. If you want to configure just

one screen for an IDP profile, click OK to save your settings to the

ZyWALL, complete the profile and return to the profile summary page.

Cancel Click Cancel to return to the profile summary page without saving any

changes.

Save If you want to configure more than one screen for an IDP profile, click

Save to save the configuration to the ZyWALL, but remain in the same

page. You may then go to another profile screen (tab) in order to complete

the profile. Click OK in the final profile screen to complete the profile.

Table 146 Configuration > Anti-X > IDP > Profile > Group View (continued)

LABEL DESCRIPTION

Table 147 Policy Types

POLICY TYPE DESCRIPTION

P2P Peer-to-peer (P2P) is where computing devices link directly to each

other and can directly initiate communication with each other; they

do not need an intermediary. A device can be both the client and the

server. In the ZyWALL, P2P refers to peer-to-peer applications such

as e-Mule, e-Donkey, BitTorrent, iMesh, etc.

IM IM (Instant Messenger) refers to chat applications. Chat is real-time,

text-based communication between two or more users via networks-

connected computers. After you enter a chat (or chat room), any

room member can type a message that will appear on the monitors of

all the other participants.

SPAM Spam is unsolicited “junk” e-mail sent to large numbers of people to

promote products or services.

DoS/DDoS The goal of Denial of Service (DoS) attacks is not to steal

information, but to disable a device or network on the Internet.

A Distributed Denial of Service (DDoS) attack is one in which multiple

compromised systems attack a single target, thereby causing denial

of service for users of the targeted system.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 497

30.6.3 IDP Service Groups

An IDP service group is a set of related packet inspection signatures.

Scan A scan describes the action of searching a network for an exposed

service. An attack may then occur once a vulnerability has been

found. Scans occur on several network levels.

A network scan occurs at layer-3. For example, an attacker looks for

network devices such as a router or server running in an IP network.

A scan on a protocol is commonly referred to as a layer-4 scan. For

example, once an attacker has found a live end system, he looks for

open ports.

A scan on a service is commonly referred to a layer-7 scan. For

example, once an attacker has found an open port, say port 80 on a

server, he determines that it is a HTTP service run by some web

server application. He then uses a web vulnerability scanner (for

example, Nikto) to look for documented vulnerabilities.

Buffer Overflow A buffer overflow occurs when a program or process tries to store

more data in a buffer (temporary data storage area) than it was

intended to hold. The excess information can overflow into adjacent

buffers, corrupting or overwriting the valid data held in them.

Intruders could run codes in the overflow buffer region to obtain

control of the system, install a backdoor or use the victim to launch

attacks on other devices.

Virus/Worm A computer virus is a small program designed to corrupt and/or alter

the operation of other legitimate programs. A worm is a program that

is designed to copy itself from one computer to another on a network.

A worm’s uncontrolled replication consumes system resources, thus

slowing or stopping other tasks.

Backdoor/Trojan A backdoor (also called a trapdoor) is hidden software or a hardware

mechanism that can be triggered to gain access to a program, online

service or an entire computer system. A Trojan horse is a harmful

program that is hidden inside apparently harmless programs or data.

Although a virus, a worm and a Trojan are different types of attacks,

they can be blended into one attack. For example, W32/Blaster and

W32/Sasser are blended attacks that feature a combination of a

worm and a Trojan.

Access Control Access control refers to procedures and controls that limit or detect

access. Access control attacks try to bypass validation checks in order

to access network resources such as servers, directories, and files.

Web Attack Web attacks refer to attacks on web servers such as IIS (Internet

Information Services).

Table 147 Policy Types (continued)

POLICY TYPE DESCRIPTION

Table 148 IDP Service Groups

WEB_PHP WEB_MISC WEB_IIS WEB_FRONTPAGE

WEB_CGI WEB_ATTACKS TFTP TELNET

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

498

The following figure shows the WEB_PHP service group that contains signatures

related to attacks on web servers using PHP exploits. PHP (PHP: Hypertext

Preprocessor) is a server-side HTML embedded scripting language that allows web

developers to build dynamic websites.

Logs and actions applied to a service group apply to all signatures within that

group. If you select original setting for service group logs and/or actions, all

signatures within that group are returned to their last-saved settings.

Figure 295 Configuration > Anti-X > IDP > Profile > Edit > IDP Service Group

SQL SNMP SMTP RSERVICES

RPC POP3 POP2 P2P

ORACLE NNTP NETBIOS MYSQL

MISC_EXPLOIT MISC_DDOS MISC_BACKDOOR MISC

IMAP IM ICMP FTP

FINGER DNS

Table 148 IDP Service Groups (continued)

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 499

30.6.4 Profile > Query View Screen

Click Switch to query view in the screen as shown in Figure 294 on page 493 to

go to a signature query screen. In the query view screen, you can search for

signatures by criteria such as name, ID, severity, attack type, vulnerable attack

platforms, service category, log options or actions.

Figure 296 Configuration > Anti-X > IDP > Profile: Query View

The following table describes the fields specific to this screen’s query view.

Table 149 Configuration > Anti-X > IDP > Profile: Query View

LABEL DESCRIPTION

Name This is the name of the profile that you created in the IDP > Profiles >

Group View screen.

Switch to group

view

Click this button to go to the IDP profile group view screen where IDP

signatures are grouped by service and you can configure activation, logs

and/or actions.

Query

Signatures

Select the criteria on which to perform the search.

Search all

custom

signatures

Select this check box to search for signatures you created or imported in

the Custom Signatures screen. You can search by name or ID. If the

name and ID fields are left blank, then all custom signatures are

displayed.

Name Type the name or part of the name of the signature(s) you want to find.

Signature

ID Type the ID or part of the ID of the signature(s) you want to find.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

500

Severity Search for signatures by severity level(s). Hold down the [Ctrl] key if

you want to make multiple selections.

These are the severities as defined in the ZyWALL. The number in

brackets is the number you use if using commands.

Severe (5): These denote attacks that try to run arbitrary code or gain

system privileges.

High (4): These denote known serious vulnerabilities or attacks that are

probably not false alarms.

Medium (3): These denote medium threats, access control attacks or

attacks that could be false alarms.

Low (2): These denote mild threats or attacks that could be false

alarms.

Very-Low (1): These denote possible attacks caused by traffic such as

Ping, trace route, ICMP queries etc.

Attack Type Search for signatures by attack type(s) (see Table 147 on page 496).

Attack types are known as policy types in the group view screen. Hold

down the [Ctrl] key if you want to make multiple selections.

Platform Search for signatures created to prevent intrusions targeting specific

operating system(s). Hold down the [Ctrl] key if you want to make

multiple selections.

Service Search for signatures by IDP service group(s). See Table 148 on page

497 for group details. Hold down the [Ctrl] key if you want to make

multiple selections.

Action Search for signatures by the response the ZyWALL takes when a packet

matches a signature. See Table 146 on page 494 for action details. Hold

down the [Ctrl] key if you want to make multiple selections.

Activation Search for activated and/or inactivated signatures here.

Log Search for signatures by log option here. See Table 146 on page 494 for

option details.

Search Click this button to begin the search. The results display at the bottom

of the screen. Results may be spread over several pages depending on

how broad the search criteria selected were. The tighter the criteria

selected, the fewer the signatures returned.

Query Result The results are displayed in a table showing the SID, Name, Severity,

Attack Type, Platform, Service, Activation, Log, and Action criteria

as selected in the search. Click the SID column header to sort search

results by signature ID.

OK Click OK to save your settings to the ZyWALL, complete the profile and

return to the profile summary page.

Cancel Click Cancel to return to the profile summary page without saving any

changes.

Save Click Save to save the configuration to the ZyWALL, but remain in the

same page. You may then go to the another profile screen (tab) in order

to complete the profile. Click OK in the final profile screen to complete

the profile.

Table 149 Configuration > Anti-X > IDP > Profile: Query View (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 501

30.6.5 Query Example

This example shows a search with these criteria:

• Severity: severe and high

• Attack Type: DDoS

• Platform: Windows 2000 and Windows XP computers

•Service: Any

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

502

•Actions: Any

Figure 297 Query Example Search Criteria

Figure 298 Query Example Search Results

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 503

30.7 Introducing IDP Custom Signatures

Create custom signatures for new attacks or attacks peculiar to your network.

Custom signatures can also be saved to/from your computer so as to share with

others.

You need some knowledge of packet headers and attack types to create your own

custom signatures.

30.7.1 IP Packet Header

These are the fields in an Internet Protocol (IP) version 4 packet header.

Figure 299 IP v4 Packet Headers

The header fields are discussed below:

Table 150 IP v4 Packet Headers

HEADER DESCRIPTION

Version The value 4 indicates IP version 4.

IHL IP Header Length is the number of 32 bit words forming the total

length of the header (usually five).

Type of Service The Type of Service, (also known as Differentiated Services Code

Point (DSCP)) is usually set to 0, but may indicate particular

quality of service needs from the network.

Total Length This is the size of the datagram in bytes. It is the combined length

of the header and the data.

Identification This is a 16-bit number, which together with the source address,

uniquely identifies this packet. It is used during reassembly of

fragmented datagrams.

Flags Flags are used to control whether routers are allowed to fragment

a packet and to indicate the parts of a packet to the receiver.

Fragment Offset This is a byte count from the start of the original sent packet.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

504

30.8 Configuring Custom Signatures

Select Configuration > Anti-X > IDP > Custom Signatures. The first screen

shows a summary of all custom signatures created. Click the SID or Name

heading to sort. Click the Add icon to create a new signature or click the Edit icon

to edit an existing signature. You can also delete custom signatures here or save

them to your computer.

Time To Live This is a counter that decrements every time it passes through a

router. When it reaches zero, the datagram is discarded. It is used

to prevent accidental routing loops.

Protocol The protocol indicates the type of transport packet being carried,

for example, 1 = ICMP; 2= IGMP; 6 = TCP; 17= UDP.

Header Checksum This is used to detect processing errors introduced into the packet

inside a router or bridge where the packet is not protected by a link

layer cyclic redundancy check. Packets with an invalid checksum

are discarded by all nodes in an IP network.

Source IP Address This is the IP address of the original sender of the packet.

Destination IP

Address

This is the IP address of the final destination of the packet.

Options IP options is a variable-length list of IP options for a datagram that

define IP Security Option, IP Stream Identifier, (security and

handling restrictions for the military), Record Route (have each

router record its IP address), Loose Source Routing (specifies a

list of IP addresses that must be traversed by the datagram),

Strict Source Routing (specifies a list of IP addresses that must

ONLY be traversed by the datagram), Timestamp (have each

router record its IP address and time), End of IP List and No IP

Options.

Padding Padding is used as a filler to ensure that the IP packet is a multiple

of 32 bits.

Table 150 IP v4 Packet Headers (continued)

HEADER DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 505

Note: The ZyWALL checks all signatures and continues searching even after a match

is found. If two or more rules have conflicting actions for the same packet, then

the ZyWALL applies the more restrictive action (reject-both, reject-receiver or

reject-sender, drop, none in this order). If a packet matches a rule for reject-

receiver and it also matches a rule for reject-sender, then the ZyWALL will

reject-both.

Figure 300 Configuration > Anti-X > IDP > Custom Signatures

The following table describes the fields in this screen.

Table 151 Configuration > Anti-X > IDP > Custom Signatures

LABEL DESCRIPTION

Custom

Signature

Rules

Use this part of the screen to create, edit, delete or export (save to your

computer) custom signatures.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Export To save an entry or entries as a file on your computer, select them and

click Export. Click Save in the file download dialog box and then select a

location and name for the file.

Custom signatures must end with the ‘rules’ file name extension, for

example, MySig.rules.

#This is the entry’s index number in the list.

SID SID is the signature ID that uniquely identifies a signature. Click the SID

header to sort signatures in ascending or descending order. It is

automatically created when you click the Add icon to create a new

signature. You can edit the ID, but it cannot already exist and it must be

in the 9000000 to 9999999 range.

Name This is the name of your custom signature. Duplicate names can exist,

but it is advisable to use unique signature names that give some hint as

to intent of the signature and the type of attack it is supposed to prevent.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

506

30.8.1 Creating or Editing a Custom Signature

Click the Add icon to create a new signature or click the Edit icon to edit an

existing signature in the screen as shown in Figure 300 on page 505.

A packet must match all items you configure in this screen before it matches the

signature. The more specific your signature (including packet contents), then the

fewer false positives the signature will trigger.

Customer

Signature Rule

Importing

Use this part of the screen to import custom signatures (previously saved

to your computer) to the ZyWALL.

Note: The name of the complete custom signature file on the

ZyWALL is ‘custom.rules’. If you import a file named

‘custom.rules’, then all custom signatures on the ZyWALL are

overwritten with the new file. If this is not your intention, make

sure that the files you import are not named ‘custom.rules’.

File Path Type the file path and name of the custom signature file you want to

import in the text box (or click Browse to find it on your computer) and

then click Import to transfer the file to the ZyWALL.

New signatures then display in the ZyWALL IDP > Custom Signatures

screen.

Table 151 Configuration > Anti-X > IDP > Custom Signatures (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 507

Try to write signatures that target a vulnerability, for example a certain type of

traffic on certain operating systems, instead of a specific exploit.

Figure 301 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

508

The following table describes the fields in this screen.

Table 152 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit

LABEL DESCRIPTION

Name Type the name of your custom signature. You may use 1-31

alphanumeric characters, underscores(_), or dashes (-), but the first

character cannot be a number. This value is case-sensitive.

Duplicate names can exist but it is advisable to use unique signature

names that give some hint as to intent of the signature and the type

of attack it is supposed to prevent. Refer to (but do not copy) the

packet inspection signature names for hints on creating a naming

convention.

Signature ID A signature ID is automatically created when you click the Add icon

to create a new signature. You can edit the ID to create a new one (in

the 9000000 to 9999999 range), but you cannot use one that already

exists. You may want to do that if you want to order custom

signatures by SID.

Information Use the following fields to set general information about the

signature as denoted below.

Severity The severity level denotes how serious the intrusion is. Categorize

the seriousness of the intrusion here. See Table 146 on page 494 as a

reference.

Platform Some intrusions target specific operating systems only. Select the

operating systems that the intrusion targets, that is, the operating

systems you want to protect from this intrusion. SGI refers to Silicon

Graphics Incorporated, who manufactures multi-user Unix

workstations that run the IRIX operating system (SGI's version of

UNIX). A router is an example of a network device.

Service Select the IDP service group that the intrusion exploits or targets.

See Table 148 on page 497 for a list of IDP service groups. The

custom signature then appears in that group in the IDP > Profile >

Group View screen.

Policy Type Categorize the type of intrusion here. See Table 147 on page 496 as

a reference.

Frequency Recurring packets of the same type may indicate an attack. Use the

following field to indicate how many packets per how many seconds

constitute an intrusion

Threshold Select Threshold and then type how many packets (that meet the

criteria in this signature) per how many seconds constitute an

intrusion.

Header Options

Network Protocol Configure signatures for IP version 4.

Type Of Service Type of service in an IP header is used to specify levels of speed and/

or reliability. Some intrusions use an invalid Type Of Service

number. Select the check box, then select Equal or Not-Equal and

then type in a number.

Identification The identification field in a datagram uniquely identifies the

datagram. If a datagram is fragmented, it contains a value that

identifies the datagram to which the fragment belongs. Some

intrusions use an invalid Identification number. Select the check

box and then type in the invalid number that the intrusion uses.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 509

Fragmentation A fragmentation flag identifies whether the IP datagram should be

fragmented, not fragmented or is a reserved bit. Some intrusions can

be identified by this flag. Select the check box and then select the

flag that the intrusion uses.

Fragmentation

Offset When an IP datagram is fragmented, it is reassembled at the final

destination. The fragmentation offset identifies where the fragment

belongs in a set of fragments. Some intrusions use an invalid

Fragmentation Offset number. Select the check box, select Equal,

Smaller or Greater and then type in a number

Time to Live Time to Live is a counter that decrements every time it passes

through a router. When it reaches zero, the datagram is discarded.

Usually it’s used to set an upper limit on the number of routers a

datagram can pass through. Some intrusions can be identified by the

number in this field. Select the check box, select Equal, Smaller or

Greater and then type in a number.

IP Options IP options is a variable-length list of IP options for a datagram that

define IP Security Option, IP Stream Identifier, (security and

handling restrictions for the military), Record Route (have each

router record its IP address), Loose Source Routing (specifies a list

of IP addresses that must be traversed by the datagram), Strict

Source Routing (specifies a list of IP addresses that must ONLY be

traversed by the datagram), Timestamp (have each router record

its IP address and time), End of IP List and No IP Options. IP

Options can help identify some intrusions. Select the check box,

then select an item from the list box that the intrusion uses

Same IP Select the check box for the signature to check for packets that have

the same source and destination IP addresses.

Transport Protocol The following fields vary depending on whether you choose TCP, UDP

or ICMP.

Tran sport

Protocol: TCP

Port Select the check box and then enter the source and destination TCP

port numbers that will trigger this signature.

Table 152 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

510

Flow If selected, the signature only applies to certain directions of the

traffic flow and only to clients or servers. Select Flow and then select

the identifying options.

Established: The signature only checks for established TCP

connections

Stateless: The signature is triggered regardless of the state of the

stream processor (this is useful for packets that are designed to

cause devices to crash)

To Client: The signature only checks for server responses from A to

To Server: The signature only checks for client requests from B to A.

From Client:.The signature only checks for client requests from B to

From Servers: The signature only checks for server responses from

A to B.

No Stream: The signature does not check rebuilt stream packets.

Only Stream: The signature only checks rebuilt stream packets.

Flags Select what TCP flag bits the signature should check.

Sequence

Number Use this field to check for a specific TCP sequence number.

Ack Number Use this field to check for a specific TCP acknowledgement number.

Window Size Use this field to check for a specific TCP window size.

Tran sport

Protocol: UDP

Port Select the check box and then enter the source and destination UDP

port numbers that will trigger this signature.

Tran sport

Protocol: ICMP

Type Use this field to check for a specific ICMP type value.

Code Use this field to check for a specific ICMP code value.

ID Use this field to check for a specific ICMP ID value. This is useful for

covert channel programs that use static ICMP fields when they

communicate.

Sequence

Number Use this field to check for a specific ICMP sequence number. This is

useful for covert channel programs that use static ICMP fields when

they communicate.

Payload Options The longer a payload option is, the more exact the match, the faster

the signature processing. Therefore, if possible, it is recommended to

have at least one payload option in your signature.

Table 152 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 511

Payload Size This field may be used to check for abnormally sized packets or for

detecting buffer overflows.

Select the check box, then select Equal, Smaller or Greater and

then type the payload size.

Stream rebuilt packets are not checked regardless of the size of the

payload.

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

#This is the entry’s index number in the list.

Offset This field specifies where to start searching for a pattern within a

packet. For example, an offset of 5 would start looking for the

specified pattern after the first five bytes of the payload.

Content Type the content that the signature should search for in the packet

payload. Hexadecimal code entered between pipes is converted to

ASCII. For example, you could represent the ampersand as either &

or |26| (26 is the hexadecimal code for the ampersand).

Case-

insensitive Select Yes if content casing does NOT matter.

Decode as URI A Uniform Resource Identifier (URI) is a string of characters for

identifying an abstract or physical resource (RFC 2396). A resource

can be anything that has identity, for example, an electronic

document, an image, a service (“today's weather report for Taiwan”),

a collection of other resources. An identifier is an object that can act

as a reference to something that has identity. Example URIs are:

ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol

services

http://www.math.uio.no/faq/compression-faq/part1.html; http

scheme for Hypertext Transfer Protocol services

mailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail

addresses

telnet://melvyl.ucop.edu/; telnet scheme for interactive services via

the TELNET Protocol

Select Yes for the signature to search for normalized URI fields. This

means that if you are writing signatures that includes normalized

content, such as %2 for directory traversals, these signatures will not

be triggered because the content is normalized out of the URI buffer.

For example, the URI:

/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver

will get normalized into:

/winnt/system32/cmd.exe?/c+ver

Table 152 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

512

30.8.2 Custom Signature Example

Before creating a custom signature, you must first clearly understand the

vulnerability.

30.8.2.1 Understand the Vulnerability

Check the ZyWALL logs when the attack occurs. Use web sites such as Google or

Security Focus to get as much information about the attack as you can. The more

specific your signature, the less chance it will cause false positives.

As an example, say you want to check if your router is being overloaded with DNS

queries so you create a signature to detect DNS query traffic.

OK Click this button to save your changes to the ZyWALL and return to

the summary screen.

Cancel Click this button to return to the summary screen without saving any

changes.

Table 152 Configuration > Anti-X > IDP > Custom Signatures > Add/Edit (continued)

LABEL DESCRIPTION

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 513

30.8.2.2 Analyze Packets

Use the packet capture screen (see Section 48.3 on page 759) and a packet

analyzer (also known as a network or protocol analyzer) such as Wireshark or

Ethereal to investigate some more.

Figure 302 DNS Query Packet Details

From the details about DNS query you see that the protocol is UDP and the port is

53. The type of DNS packet is standard query and the Flag is 0x0100 with an

offset of 2. Therefore enter |010| as the first pattern.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

514

The final custom signature should look like as shown in the following figure.

Figure 303 Example Custom Signature

30.8.3 Applying Custom Signatures

After you create your custom signature, it becomes available in the IDP service

group category in the Configuration > Anti-X > IDP > Profile > Edit screen.

Custom signatures have an SID from 9000000 to 9999999.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 515

You can activate the signature, configure what action to take when a packet

matches it and if it should generate a log or alert in a profile. Then bind the profile

to a zone.

Figure 304 Example: Custom Signature in IDP Profile

30.8.4 Verifying Custom Signatures

Configure the signature to create a log when traffic matches the signature. (You

may also want to configure an alert if it is for a serious attack and needs

immediate attention.) After you apply the signature to a zone, you can see if it

works by checking the logs (Monitor > Log).

The Priority column shows warn for signatures that are configured to generate a

log only. It shows critical for signatures that are configured to generate a log and

alert. All IDP signatures come under the IDP category. The Note column displays

ACCESS FORWARD when no action is configured for the signature. It displays

ACCESS DENIED if you configure the signature action to drop the packet. The

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

516

destination port is the service port (53 for DNS in this case) that the attack tries to

exploit.

Figure 305 Custom Signature Log

30.9 IDP Technical Reference

This section contains some background information on IDP.

Host Intrusions

The goal of host-based intrusions is to infiltrate files on an individual computer or

server in with the goal of accessing confidential information or destroying

information on a computer.

You must install a host IDP directly on the system being protected. It works

closely with the operating system, monitoring and intercepting system calls to the

kernel or APIs in order to prevent attacks as well as log them.

Disadvantages of host IDPs are that you have to install them on each device (that

you want to protect) in your network and due to the necessarily tight integration

with the host operating system, future operating system upgrades could cause

problems.

Chapter 30 IDP

ZyWALL USG 50 User’s Guide 517

Network Intrusions

Network-based intrusions have the goal of bringing down a network or networks

by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is

compromised for example, then the whole LAN is compromised. Host-based

intrusions may be used to cause network-based intrusions when the goal of the

host virus is to propagate attacks on the network, or attack computer/server

operating system vulnerabilities with the goal of bringing down the computer/

server. Typical “network-based intrusions” are SQL slammer, Blaster, Nimda

MyDoom etc.

Snort Signatures

You may want to refer to open source Snort signatures when creating custom

ZyWALL ones. Most Snort rules are written in a single line. Snort rules are divided

into two logical sections, the rule header and the rule options as shown in the

following example:

alert tcp any any -> 192.168.1.0/24 111 (content:”|00 01 a5|”;

msg:”mountd access”;)

The text up to the first parenthesis is the rule header and the section enclosed in

parenthesis contains the rule options. The words before the colons in the rule

options section are the option keywords.

The rule header contains the rule's:

•Action

•Protocol

• Source and destination IP addresses and netmasks

• Source and destination ports information.

The rule option section contains alert messages and information on which parts of

the packet should be inspected to determine if the rule action should be taken.

These are some equivalent Snort terms in the ZyWALL.

Table 153 ZyWALL - Snort Equivalent Terms

ZYWALL TERM SNORT EQUIVALENT TERM

Type Of Service tos

Identification id

Fragmentation fragbits

Fragmentation Offset fragoffset

Time to Live ttl

IP Options ipopts

Chapter 30 IDP

ZyWALL USG 50 User’s Guide

518

Note: Not all Snort functionality is supported in the ZyWALL.

Same IP sameip

Transport Protocol

Transport Protocol: TCP

Port (In Snort rule header)

Flow flow

Flags flags

Sequence Number seq

Ack Number ack

Window Size window

Transport Protocol: UDP (In Snort rule header)

Port (In Snort rule header)

Transport Protocol: ICMP

Type itype

Code icode

ID icmp_id

Sequence Number icmp_seq

Payload Options (Snort rule options)

Payload Size dsize

Offset (relative to start of

payload) offset

Relative to end of last match distance

Content content

Case-insensitive nocase

Decode as URI uricontent

Table 153 ZyWALL - Snort Equivalent Terms (continued)

ZYWALL TERM SNORT EQUIVALENT TERM

ZyWALL USG 50 User’s Guide 519

CHAPTER 31

ADP

31.1 Overview

This chapter introduces ADP (Anomaly Detection and Prevention), anomaly

profiles and applying an ADP profile to a traffic direction. ADP protects against

anomalies based on violations of protocol standards (RFCs – Requests for

Comments) and abnormal flows such as port scans.

31.1.1 ADP and IDP Comparison

1ADP anomaly detection is in general effective against abnormal behavior while IDP

packet inspection signatures are in general effective for known attacks (see

Chapter 30 on page 485 for information on packet inspection).

2ADP traffic and anomaly rules are updated when you upload new firmware. This is

different from the IDP packet inspection signatures and the system protect

signatures you download from myZyXEL.com.

31.1.2 What You Can Do in this Chapter

•Use Anti-X > ADP > General (Section 31.2 on page 521) to turn anomaly

detection on or off and apply anomaly profiles to traffic directions.

•Use Anti-X > ADP > Profile (Section 31.3 on page 522) to add a new profile,

edit an existing profile or delete an existing profile.

31.1.3 What You Need To Know

Traffic Anomalies

Traffic anomaly rules look for abnormal behavior or events such as port scanning,

sweeping or network flooding. It operates at OSI layer-2 and layer-3. Traffic

anomaly rules may be updated when you upload new firmware.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

520

Protocol Anomalies

Protocol anomalies are packets that do not comply with the relevant RFC (Request

For Comments). Protocol anomaly detection includes HTTP Inspection, TCP

Decoder, UDP Decoder and ICMP Decoder. Protocol anomaly rules may be updated

when you upload new firmware.

ADP Profile

An ADP profile is a set of traffic anomaly rules and protocol anomaly rules that you

can activate as a set and configure common log and action settings. You can apply

ADP profiles to traffic flowing from one zone to another.

Base ADP Profiles

Base ADP profiles are templates that you use to create new ADP profiles.The

ZyWALL comes with several base profiles. See Table 155 on page 523 for details

on ADP base profiles.

ADP Policy

An ADP policy refers to application of an ADP profile to a traffic flow.

Finding Out More

• See Section 6.5.20 on page 105 for ADP prerequisites.

• See Chapter 30 on page 485 for IDP information.

• See Section 30.1.2 on page 485 for IDP-related term definitions.

• See Section 31.4 on page 531 for background information on these screens.

31.1.4 Before You Begin

Configure the ZyWALL’s zones - see Chapter 15 on page 317 for more information.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 521

31.2 The ADP General Screen

Click Configuration > Anti-X > ADP > General. Use this screen to turn

anomaly detection on or off and apply anomaly profiles to traffic directions.

Figure 306 Configuration > Anti-X > ADP > General

The following table describes the screens in this screen.

Table 154 Configuration > Anti-X > ADP > General

LABEL DESCRIPTION

General Settings

Enable

Anomaly

Detection

Select this check box to enable traffic anomaly and protocol anomaly

detection.

Policies Use this list to specify which anomaly profile the ZyWALL uses for

traffic flowing in a specific direction. Edit the policies directly in the

table.

Add Click this to create a new entry. Select an entry and click Add to

create a new entry after the selected entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Move To change an entry’s position in the numbered list, select it and click

Move to display a field to type a number for where you want to put

that entry and press [ENTER] to move the entry to the number that

you typed.

#This is the entry’s index number in the list.

Priority This is the rank in the list of anomaly profile policies. The list is

applied in order of priority.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

522

31.3 The Profile Summary Screen

Use this screen to:

• Create a new profile using an existing base profile

• Edit an existing profile

• Delete an existing profile

Status The activate (light bulb) icon is lit when the entry is active and

dimmed when the entry is inactive.

From, To This is the direction of travel of packets to which an anomaly profile

is bound. Traffic direction is defined by the zone the traffic is coming

from and the zone the traffic is going to.

Use the From field to specify the zone from which the traffic is

coming. Select ZyWALL to specify traffic coming from the ZyWALL

itself.

Use the To field to specify the zone to which the traffic is going.

Select ZyWALL to specify traffic destined for the ZyWALL itself.

From LAN1 To LAN1 means packets traveling from a computer on

one LAN1 subnet to a computer on another LAN1 subnet via the

ZyWALL’s LAN1 zone interfaces. The ZyWALL does not check packets

traveling from a LAN1 computer to another LAN1 computer on the

same subnet.

From WAN To WAN means packets that come in from the WAN

zone and the ZyWALL routes back out through the WAN zone.

Note: Depending on your network topology and traffic load,

applying every packet direction to an anomaly profile may

affect the ZyWALL’s performance.

Anomaly Profile An anomaly profile is a set of anomaly rules with configured

activation, log and action settings. This field shows which anomaly

profile is bound to which traffic direction. Select an ADP profile to

apply to the entry’s traffic direction. Configure the ADP profiles in the

ADP profile screens.

Apply Click Apply to save your changes.

Reset Click Reset to return the screen to its last-saved settings.

Table 154 Configuration > Anti-X > ADP > General (continued)

LABEL DESCRIPTION

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 523

31.3.1 Base Profiles

The ZyWALL comes with base profiles. You use base profiles to create new

profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to

display the following screen.

Figure 307 Base Profiles

These are the default base profiles at the time of writing.

31.3.2 Configuring The ADP Profile Summary Screen

Select Configuration > Anti-X > ADP > Profile.

Figure 308 Configuration > Anti-X > ADP > Profile

Table 155 Base Profiles

BASE

PROFILE DESCRIPTION

none All traffic anomaly and protocol anomaly rules are disabled. No logs are

generated nor actions are taken.

all All traffic anomaly and protocol anomaly rules are enabled. Rules with a

high or severe severity level (greater than three) generate log alerts

and cause packets that trigger them to be dropped. Rules with a very

low, low or medium severity level (less than or equal to three) generate

logs (not log alerts) and no action is taken on packets that trigger them.

OK Click OK to save your changes.

Cancel Click Cancel to exit this screen without saving your changes.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

524

The following table describes the fields in this screen.

31.3.3 Creating New ADP Profiles

You may want to create a new profile if not all rules in a base profile are applicable

to your network. In this case you should disable non-applicable rules so as to

improve ZyWALL ADP processing efficiency.

You may also find that certain rules are triggering too many false positives or false

negatives. A false positive is when valid traffic is flagged as an attack. A false

negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As

each network is different, false positives and false negatives are common on initial

ADP deployment.

You could create a new ‘monitor profile’ that creates logs but all actions are

disabled. Observe the logs over time and try to eliminate the causes of the false

alarms. When you’re satisfied that they have been reduced to an acceptable level,

you could then create an ‘inline profile’ whereby you configure appropriate actions

to be taken when a packet matches a rule.

ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To

create a new profile, select a base profile (see Table 155 on page 523) and then

click OK to go to the profile details screen. Type a new profile name, enable or

disable individual rules and then edit the default log options and actions.

31.3.4 Traffic Anomaly Profiles

The traffic anomaly screen is the second screen in an ADP profile. Traffic anomaly

detection looks for abnormal behavior such as scan or flooding attempts. In the

Configuration > Anti-X > ADP > Profile screen, click the Edit icon or click the

Add icon and choose a base profile. If you made changes to other screens

Table 156 Anti-X > ADP > Profile

LABEL DESCRIPTION

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

#This is the entry’s index number in the list.

Name This is the name of the profile you created.

Base Profile This is the base profile from which the profile was created.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 525

belonging to this profile, make sure you have clicked OK or Save to save the

changes before selecting the Traffic Anomaly tab.

Figure 309 Profiles: Traffic Anomaly

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

526

The following table describes the fields in this screen.

Table 157 Configuration > ADP > Profile > Traffic Anomaly

LABEL DESCRIPTION

Name This is the name of the ADP profile. You may use 1-31 alphanumeric

characters, underscores(_), or dashes (-), but the first character cannot

be a number. This value is case-sensitive. These are valid, unique profile

names:

MyProfile

mYProfile

Mymy12_3-4

These are invalid profile names:

1mYProfile

My Profile

MyProfile?

Whatalongprofilename123456789012

Scan/Flood

Detection

Sensitivity (Scan detection only.) Select a sensitivity level so as to reduce false

positives in your network. If you choose low sensitivity, then scan

thresholds and sample times are set low, so you will have fewer logs and

false positives; however some traffic anomaly attacks may not be

detected.

If you choose high sensitivity, then scan thresholds and sample times are

set high, so most traffic anomaly attacks will be detected; however you

will have more logs and false positives.

Block

Period Specify for how many seconds the ZyWALL blocks all packets from being

sent to the victim (destination) of a detected anomaly attack.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Log To edit an item’s log option, select it and use the Log icon. Select

whether to have the ZyWALL generate a log (log), log and alert (log

alert) or neither (no) when traffic matches this anomaly rule. See

Chapter 46 on page 731 for more on logs.

Action To edit what action the ZyWALL takes when a packet matches a rule,

select the signature and use the Action icon.

none: The ZyWALL takes no action when a packet matches the

signature(s).

block: The ZyWALL silently drops packets that matches the rule. Neither

sender nor receiver are notified.

#This is the entry’s index number in the list.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 527

31.3.5 Protocol Anomaly Profiles

Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules

check for protocol compliance against the relevant RFC (Request for Comments).

Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder,

and ICMP Decoder where each category reflects the packet type inspected.

Protocol anomaly rules may be updated when you upload new firmware.

31.3.6 Protocol Anomaly Configuration

In the Configuration > Anti-X > ADP > Profile screen, click the Edit icon or

click the Add icon and choose a base profile, then select the Protocol Anomaly

tab. If you made changes to other screens belonging to this profile, make sure you

have clicked OK or Save to save the changes before selecting the Protocol

Anomaly tab.

Name This is the name of the traffic anomaly rule. Click the Name column

heading to sort in ascending or descending order according to the rule

name.

Log These are the log options. To edit this, select an item and use the Log

icon.

Action This is the action the ZyWALL should take when a packet matches a rule.

To edit this, select an item and use the Action icon.

Threshold For flood detection you can set the number of detected flood packets per

second that causes the ZyWALL to take the configured action.

OK Click OK to save your settings to the ZyWALL, complete the profile and

return to the profile summary page.

Cancel Click Cancel to return to the profile summary page without saving any

changes.

Save Click Save to save the configuration to the ZyWALL but remain in the

same page. You may then go to the another profile screen (tab) in order

to complete the profile. Click OK in the final profile screen to complete

the profile.

Table 157 Configuration > ADP > Profile > Traffic Anomaly (continued)

LABEL DESCRIPTION

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

528

Figure 310 Profiles: Protocol Anomaly

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 529

The following table describes the fields in this screen.

Table 158 Configuration > ADP > Profile > Protocol Anomaly

LABEL DESCRIPTION

Name This is the name of the profile. You may use 1-31 alphanumeric

characters, underscores(_), or dashes (-), but the first character cannot

be a number. This value is case-sensitive. These are valid, unique profile

names:

MyProfile

mYProfile

Mymy12_3-4

These are invalid profile names:

1mYProfile

My Profile

MyProfile?

Whatalongprofilename123456789012

HTTP Inspection/TCP Decoder/UDP Decoder/ICMP Decoder

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Log To edit an item’s log option, select it and use the Log icon. Select whether

to have the ZyWALL generate a log (log), log and alert (log alert) or

neither (no) when traffic matches this anomaly rule. See Chapter 46 on

page 731 for more on logs.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

530

Action To edit what action the ZyWALL takes when a packet matches a signature,

select the signature and use the Action icon.

original setting: Select this action to return each signature in a service

group to its previously saved configuration.

none: Select this action on an individual signature or a complete service

group to have the ZyWALL take no action when a packet matches a rule.

drop: Select this action on an individual signature or a complete service

group to have the ZyWALL silently drop a packet that matches a rule.

Neither sender nor receiver are notified.

reject-sender: Select this action on an individual signature or a

complete service group to have the ZyWALL send a reset to the sender

when a packet matches the signature. If it is a TCP attack packet, the

ZyWALL will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack

packet, the ZyWALL will send an ICMP unreachable packet.

reject-receiver: Select this action on an individual signature or a

complete service group to have the ZyWALL send a reset to the receiver

when a packet matches the rule. If it is a TCP attack packet, the ZyWALL

will send a packet with an a ‘RST’ flag. If it is an ICMP or UDP attack

packet, the ZyWALL will do nothing.

reject-both: Select this action on an individual signature or a complete

service group to have the ZyWALL send a reset to both the sender and

receiver when a packet matches the rule. If it is a TCP attack packet, the

ZyWALL will send a packet with a ‘RST’ flag to the receiver and sender. If

it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP

unreachable packet.

#This is the entry’s index number in the list.

Status The activate (light bulb) icon is lit when the entry is active and dimmed

when the entry is inactive.

Name This is the name of the protocol anomaly rule. Click the Name column

heading to sort in ascending or descending order according to the

protocol anomaly rule name.

Activation Click the icon to enable or disable a rule or group of rules.

Log These are the log options. To edit this, select an item and use the Log

icon.

Action This is the action the ZyWALL should take when a packet matches a rule.

To edit this, select an item and use the Action icon.

Log Select whether to have the ZyWALL generate a log (log), log and alert

(log alert) or neither (no) when traffic matches this anomaly rule. See

Chapter 46 on page 731 for more on logs.

Action Select what the ZyWALL should do when a packet matches a rule.

none: The ZyWALL takes no action when a packet matches the

signature(s).

block: The ZyWALL silently drops packets that matches the rule. Neither

sender nor receiver are notified.

Table 158 Configuration > ADP > Profile > Protocol Anomaly (continued)

LABEL DESCRIPTION

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 531

31.4 ADP Technical Reference

This section is divided into traffic anomaly background information and protocol

anomaly background information.

Traffic Anomaly Background Information

The following sections may help you configure the traffic anomaly profile screen

(Section 31.3.4 on page 524).

Port Scanning

An attacker scans device(s) to determine what types of network protocols or

services a device supports. One of the most common port scanning tools in use

today is Nmap.

Many connection attempts to different ports (services) may indicate a port scan.

These are some port scan types:

•TCP Portscan

•UDP Portscan

• IP Portscan

An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the

remote computer, but also additional IP protocols such as EGP (Exterior Gateway

Protocol) or IGP (Interior Gateway Protocol). Determining these additional

protocols can help reveal if the destination device is a workstation, a printer, or a

router.

OK Click OK to save your settings to the ZyWALL, complete the profile and

return to the profile summary page.

Cancel Click Cancel to return to the profile summary page without saving any

changes.

Save Click Save to save the configuration to the ZyWALL but remain in the

same page. You may then go to the another profile screen (tab) in order

to complete the profile. Click OK in the final profile screen to complete the

profile.

Table 158 Configuration > ADP > Profile > Protocol Anomaly (continued)

LABEL DESCRIPTION

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

532

Decoy Port Scans

Decoy port scans are scans where the attacker has spoofed the source address.

These are some decoy scan types:

•TCP Decoy Portscan

• UDP Decoy Portscan

• IP Decoy Portscan

Distributed Port Scans

Distributed port scans are many-to-one port scans. Distributed port scans occur

when multiple hosts query one host for open services. This may be used to evade

intrusion detection. These are distributed port scan types:

• TCP Distributed Portscan

• UDP Distributed Portscan

• IP Distributed Portscan

Port Sweeps

Many different connection attempts to the same port (service) may indicate a port

sweep, that is, they are one-to-many port scans. One host scans a single port on

multiple hosts. This may occur when a new exploit comes out and the attacker is

looking for a specific service. These are some port sweep types:

• TCP Portsweep

• UDP Portsweep

•IP Portsweep

•ICMP Portsweep

Filtered Port Scans

A filtered port scan may indicate that there were no network errors (ICMP

unreachables or TCP RSTs) or responses on closed ports have been suppressed.

Active network devices, such as NAT routers, may trigger these alerts if they send

out many connection attempts within a very small amount of time. These are

some filtered port scan examples.

• TCP Filtered

Portscan

• UDP Filtered Portscan • IP Filtered Portscan

• TCP Filtered Decoy

Portscan

•UDP Filtered Decoy

Portscan

• IP Filtered Decoy

Portscan

• TCP Filtered

Portsweep

• UDP Filtered Portsweep • IP Filtered Portsweep

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 533

Flood Detection

Flood attacks saturate a network with useless data, use up all available

bandwidth, and therefore make communications in the network impossible.

ICMP Flood Attack

An ICMP flood is broadcasting many pings or UDP packets so that so much data is

sent to the system, that it slows it down or locks it up.

Smurf

A smurf attacker (A) floods a router (B) with Internet Control Message Protocol

(ICMP) echo request packets (pings) with the destination IP address of each

packet as the broadcast address of the network. The router will broadcast the

ICMP echo request packet to all hosts on the network. If there are numerous

hosts, this will create a large amount of ICMP echo request and response traffic.

If an attacker (A) spoofs the source IP address of the ICMP echo request packet,

the resulting ICMP traffic will not only saturate the receiving network (B), but the

network of the spoofed source IP address (C).

Figure 311 Smurf Attack

TCP SYN Flood Attack

Usually a client starts a session by sending a SYN (synchronize) packet to a server.

The receiver returns an ACK (acknowledgment) packet and its own SYN, and then

•ICMP Filtered

Portsweep

• TCP Filtered Distributed

Portscan

• UDP Filtered

Distributed Portscan

• IP Filtered

Distributed Portscan

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

534

the initiator responds with an ACK (acknowledgment). After this handshake, a

connection is established.

Figure 312 TCP Three-Way Handshake

A SYN flood attack is when an attacker sends a series of SYN packets. Each packet

causes the receiver to reply with a SYN-ACK response. The receiver then waits for

the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses

on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes

back or when an internal timer ends the three-way handshake. Once the queue is

full, the system will ignore all incoming SYN requests, making the system

unavailable for other users.

Figure 313 SYN Flood

LAND Attack

In a LAND attack, hackers flood SYN packets into a network with a spoofed source

IP address of the network itself. This makes it appear as if the computers in the

network sent the packets to themselves, so the network is unavailable while they

try to respond to themselves.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 535

UDP Flood Attack

UDP is a connection-less protocol and it does not require any connection setup

procedure to transfer data. A UDP flood attack is possible when an attacker sends

a UDP packet to a random port on the victim system. When the victim system

receives a UDP packet, it will determine what application is waiting on the

destination port. When it realizes that there is no application that is waiting on the

port, it will generate an ICMP packet of destination unreachable to the forged

source address. If enough UDP packets are delivered to ports on victim, the

system will go down.

Protocol Anomaly Background Information

The following sections may help you configure the protocol anomaly profile screen

(see Section 31.3.5 on page 527)

HTTP Inspection and TCP/UDP/ICMP Decoders

The following table gives some information on the HTTP inspection, TCP decoder,

UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.

Table 159 HTTP Inspection and TCP/UDP/ICMP Decoders

LABEL DESCRIPTION

HTTP Inspection

APACHE-WHITESPACE

ATTACK This rule deals with non-RFC standard of tab for a space

delimiter. Apache uses this, so if you have an Apache

server, you need to enable this option.

ASCII-ENCODING

ATTACK This rule can detect attacks where malicious attackers use

ASCII-encoding to encode attack strings. Attackers may

use this method to bypass system parameter checks in

order to get information or privileges from a web server.

BARE-BYTE-

UNICODING-ENCODING

ATTACK

Bare byte encoding uses non-ASCII characters as valid

values in decoding UTF-8 values. This is NOT in the HTTP

standard, as all non-ASCII values have to be encoded with

a %. Bare byte encoding allows the user to emulate an IIS

server and interpret non-standard encodings correctly.

BASE36-ENCODING

ATTACK This is a rule to decode base36-encoded characters. This

rule can detect attacks where malicious attackers use

base36-encoding to encode attack strings. Attackers may

use this method to bypass system parameter checks in

order to get information or privileges from a web server.

DIRECTORY-TRAVERSAL

ATTACK This rule normalizes directory traversals and self-referential

directories. So, “/abc/this_is_not_a_real_dir/../xyz” get

normalized to “/abc/xyz”. Also, “/abc/./xyz” gets

normalized to “/abc/xyz”. If a user wants to configure an

alert, then specify “yes”, otherwise “no”. This alert may give

false positives since some web sites refer to files using

directory traversals.

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

536

DOUBLE-ENCODING

ATTACK This rule is IIS specific. IIS does two passes through the

request URI, doing decodes in each one. In the first pass,

IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is

done. In the second pass ASCII, bare byte, and %u

encodings are done.

IIS-BACKSLASH-

EVASION ATTACK This is an IIS emulation rule that normalizes backslashes to

slashes. Therefore, a request-URI of “/abc\xyz” gets

normalized to “/abc/xyz”.

IIS-UNICODE-

CODEPOINT-ENCODING

ATTACK

This rule can detect attacks which send attack strings

containing non-ASCII characters encoded by IIS Unicode.

IIS Unicode encoding references the unicode.map file.

Attackers may use this method to bypass system

parameter checks in order to get information or privileges

from a web server.

MULTI-SLASH-

ENCODING ATTACK This rule normalizes multiple slashes in a row, so something

like: “abc/////////xyz” get normalized to “abc/xyz”.

NON-RFC-DEFINED-

CHAR ATTACK This rule lets you receive a log or alert if certain non-RFC

characters are used in a request URI. For instance, you may

want to know if there are NULL bytes in the request-URI.

NON-RFC-HTTP-

DELIMITER ATTACK This is when a newline “\n” character is detected as a

delimiter. This is non-standard but is accepted by both

Apache and IIS web servers.

OVERSIZE-CHUNK-

ENCODING ATTACK This rule is an anomaly detector for abnormally large chunk

sizes. This picks up the apache chunk encoding exploits and

may also be triggered on HTTP tunneling that uses chunk

encoding.

OVERSIZE-REQUEST-

URI-DIRECTORY ATTACK This rule takes a non-zero positive integer as an argument.

The argument specifies the max character directory length

for URL directory. If a URL directory is larger than this

argument size, an alert is generated. A good argument

value is 300 characters. This should limit the alerts to IDS

evasion type attacks, like whisker.

SELF-DIRECTORY-

TRAVERSAL ATTACK This rule normalizes self-referential directories. So, “/abc/./

xyz” gets normalized to “/abc/xyz”.

U-ENCODING ATTACK This rule emulates the IIS %u encoding scheme. The %u

encoding scheme starts with a %u followed by 4

characters, like %uXXXX. The XXXX is a hex encoded value

that correlates to an IIS unicode codepoint. This is an ASCII

value. An ASCII character is encoded like, %u002f = /,

%u002e = ., etc.

UTF-8-ENCODING

ATTACK The UTF-8 decode rule decodes standard UTF-8 unicode

sequences that are in the URI. This abides by the unicode

standard and only uses % encoding. Apache uses this

standard, so for any Apache servers, make sure you have

this option turned on. When this rule is enabled, ASCII

decoding is also enabled to enforce correct functioning.

Table 159 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL DESCRIPTION

Chapter 31 ADP

ZyWALL USG 50 User’s Guide 537

WEBROOT-DIRECTORY-

TRAVERSAL ATTACK This is when a directory traversal traverses past the web

server root directory. This generates much fewer false

positives than the directory option, because it doesn’t alert

on directory traversals that stay within the web server

directory structure. It only alerts when the directory

traversals go past the web server root directory, which is

associated with certain web attacks.

TCP Decoder

BAD-LENGTH-OPTIONS

ATTACK This is when a TCP packet is sent where the TCP option

length field is not the same as what it actually is or is 0.

This may cause some applications to crash.

EXPERIMENTAL-

OPTIONS ATTACK This is when a TCP packet is sent which contains non-RFC-

complaint options. This may cause some applications to

crash.

OBSOLETE-OPTIONS

ATTACK This is when a TCP packet is sent which contains obsolete

RFC options.

OVERSIZE-OFFSET

ATTACK This is when a TCP packet is sent where the TCP data offset

is larger than the payload.

TRUNCATED-OPTIONS

ATTACK This is when a TCP packet is sent which doesn’t have

enough data to read. This could mean the packet was

truncated.

TTCP-DETECTED ATTACK T/TCP provides a way of bypassing the standard three-way

handshake found in TCP, thus speeding up transactions.

However, this could lead to unauthorized access to the

system by spoofing connections.

UNDERSIZE-LEN ATTACK This is when a TCP packet is sent which has a TCP datagram

length of less than 20 bytes. This may cause some

applications to crash.

UNDERSIZE-OFFSET

ATTACK This is when a TCP packet is sent which has a TCP header

length of less than 20 bytes.This may cause some

applications to crash.

UDP Decoder

OVERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length

field of greater than the actual packet length. This may

cause some applications to crash.

TRUNCATED-HEADER

ATTACK This is when a UDP packet is sent which has a UDP

datagram length of less the UDP header length. This may

cause some applications to crash.

UNDERSIZE-LEN ATTACK This is when a UDP packet is sent which has a UDP length

field of less than 8 bytes. This may cause some applications

to crash.

ICMP Decoder

TRUNCATED-ADDRESS-

HEADER ATTACK This is when an ICMP packet is sent which has an ICMP

datagram length of less than the ICMP address header

length. This may cause some applications to crash.

Table 159 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL DESCRIPTION

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

538

TRUNCATED-HEADER

ATTACK This is when an ICMP packet is sent which has an ICMP

datagram length of less than the ICMP header length. This

may cause some applications to crash.

TRUNCATED-

TIMESTAMP-HEADER

ATTACK

This is when an ICMP packet is sent which has an ICMP

datagram length of less than the ICMP Time Stamp header

length. This may cause some applications to crash.

Table 159 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL DESCRIPTION

ZyWALL USG 50 User’s Guide 539

CHAPTER 32

Content Filtering

32.1 Overview

Use the content filtering feature to control access to specific web sites or web

content.

32.1.1 What You Can Do in this Chapter

•Use the General screens (Section 32.2 on page 541) to configure global

content filtering settings, configure content filtering policies, and check the

content filtering license status.

•Use the Filter Profile screens (Section 32.4 on page 546) to set up content

filtering profiles.

32.1.2 What You Need to Know

Content Filtering

Content filtering allows you to block certain web features, such as cookies, and/or

block access to specific web sites. It can also block access to specific categories of

web site content. You can create different content filter policies for different

addresses, schedules, users or groups and content filter profiles. For example, you

can configure one policy that blocks John Doe’s access to arts and ainment web

pages during the workday and another policy that lets him access them after

work.

Content Filtering Policies

A content filtering policy allows you to do the following.

• Use schedule objects to define when to apply a content filter profile.

• Use address and/or user/group objects to define to whose web access to apply

the content filter profile.

• Apply a content filter profile that you have custom-tailored.

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

540

Content Filtering Profiles

A content filtering profile conveniently stores your custom settings for the

following features.

• Category-based Blocking

The ZyWALL can block access to particular categories of web site content, such

as pornography or racial intolerance.

• Restrict Web Features

The ZyWALL can disable web proxies and block web features such as ActiveX

controls, Java applets and cookies.

• Customize Web Site Access

You can specify URLs to which the ZyWALL blocks access. You can alternatively

block access to all URLs except ones that you specify. You can also have the

ZyWALL block access to URLs that contain particular keywords.

Content Filtering Configuration Guidelines

When the ZyWALL receives an HTTP request, the content filter searches for a

policy that matches the source address and time (schedule). The content filter

checks the policies in order (based on the policy numbers). When a matching

policy is found, the content filter allows or blocks the request depending on the

settings of the filtering profile specified by the policy. Some requests may not

match any policy. The ZyWALL allows the request if the default policy is not set to

block. The ZyWALL blocks the request if the default policy is set to block.

External Web Filtering Service

When you register for and enable the external web filtering service, your ZyWALL

accesses an external database that has millions of web sites categorized based on

content. You can have the ZyWALL block, block and/or log access to web sites

based on these categories.

Keyword Blocking URL Checking

The ZyWALL checks the URL’s domain name (or IP address) and file path

separately when performing keyword blocking.

The URL’s domain name or IP address is the characters that come before the first

slash in the URL. For example, with the URL www.zyxel.com.tw/news/

pressroom.php, the domain name is www.zyxel.com.tw.

The file path is the characters that come after the first slash in the URL. For

example, with the URL www.zyxel.com.tw/news/pressroom.php, the file path is

news/pressroom.php.

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 541

Since the ZyWALL checks the URL’s domain name (or IP address) and file path

separately, it will not find items that go across the two. For example, with the URL

www.zyxel.com.tw/news/pressroom.php, the ZyWALL would find “tw” in the

domain name (www.zyxel.com.tw). It would also find “news” in the file path

(news/pressroom.php) but it would not find “tw/news”.

Finding Out More

• See Section 6.5.21 on page 105 for related information on these screens.

• See Section 32.7 on page 563 for content filtering background/technical

information.

32.1.3 Before You Begin

• You must configure an address object, a schedule object and a filtering profile

before you can set up a content filter policy.

• You must subscribe to use the external database content filtering (see the

Licensing > Registration screens).

32.2 Content Filter General Screen

Click Configuration > Anti-X > Content Filter > General to open the Content

Filter General screen. Use this screen to enable content filtering, view and order

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

542

your list of content filter policies, create a denial of access message or specify a

redirect URL and check your external web filtering service registration status.

Figure 314 Configuration > Anti-X > Content Filter > General

The following table describes the labels in this screen.

Table 160 Configuration > Anti-X > Content Filter > General

LABEL DESCRIPTION

General Settings

Enable Content Filter Select this check box to enable the content filter.

Enable Content Filter

Report Service

Select this check box to have the ZyWALL collect category-based

content filtering statistics.

Policies This is a list of the configured content filter policies.

Block web access

when no policy is

applied

Select this check box to stop users from accessing the Internet by

default when their attempted access does not match a content

filter policy.

Add Click this to create a new entry. Select an entry and click Add to

create a new entry after the selected entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

Activate To turn on an entry, select it and click Activate.

Inactivate To turn off an entry, select it and click Inactivate.

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 543

Move To change an entry’s position in the numbered list, select it and

click Move to display a field to type a number for where you want

to put that entry and press [ENTER] to move the entry to the

number that you typed.

# This column lists the index numbers of the content filter policies.

The ordering of the content filter policies is important as they are

used in the order they are listed. The ZyWALL checks requests for

Web sessions against the list of content filter policies (starting from

the first in the list). The ZyWALL’s content filter feature blocks or

allows the Web session according to the first matching content

filter policy and does not check any other content filter policies.

The ZyWALL does not perform content filter on Web session

requests that do not match any of the content filter policies.

Status The activate (light bulb) icon is lit when the entry is active and

dimmed when the entry is inactive.

Address A content filter policy applies to web access from the IP addresses

listed here. any means the content filter policy applies to all of the

web access requests that the ZyWALL receives from any IP

address.

Schedule This column displays the name of the schedule for each content

filter policy. You can define different policies for different time

periods. none means the content filter policy applies all of the

time.

User This column displays the individual or group to which this policy

applies. any means the content filter policy applies to all of the

web access requests that the ZyWALL receives from any user.

Filter Profile This column displays the name of the content filter profile that

each content filter policy uses. The content filter profile defines to

which web services, web sites or web site categories access is to

be allowed or denied.

Denied Access

Message

Enter a message to be displayed when content filter blocks access

to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-

_!~*'()%,”). For example, “Access to this web page is not allowed.

Please contact the network administrator”.

It is also possible to leave this field blank if you have a URL

specified in the Redirect URL field. In this case if the content filter

blocks access to a web page, the ZyWALL just opens the web page

you specified without showing a denied access message.

Redirect URL Enter the URL of the web page to which you want to send users

when their web access is blocked by content filter. The web page

you specify here opens in a new frame below the denied access

message.

Use “http://” or “https://” followed by up to 262 characters (0-9a-

zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/

blocked access.

Table 160 Configuration > Anti-X > Content Filter > General (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

544

32.3 Content Filter Policy Add or Edit Screen

Click Configuration > Anti-X > Content Filter > General > Add or Edit to

open the Content Filter Policy screen. Use this screen to configure a content

License Status This read-only field displays the status of your content-filtering

database service registration.

Not Licensed displays if you have not successfully registered and

activated the service.

Expired displays if your subscription to the service has expired.

Licensed displays if you have successfully registered the ZyWALL

and activated the service.

After you register for content filter, you can see Chapter 32 on

page 546 for how to use the Test Against Web Filtering Server

button. When the content filter is active, you should see the web

page’s category. The query fails if the content filter is not active.

You can view content filter reports after you register the ZyWALL

and activate the subscription service in the Registration screen

(see Chapter 33 on page 565).

License Type This read-only field displays what kind of service registration you

have for the content-filtering database.

None displays if you have not successfully registered and

activated the service.

Standard displays if you have successfully registered the ZyWALL

and activated the service.

Trial displays if you have successfully registered the ZyWALL and

activated the trial service subscription.

Apply new

Registration

This link appears if you have not registered for the service or only

have the trial registration. Click this link to go to the screen where

you can register for the service.

Expiration Date This field displays the date your service license expires.

Apply Click Apply to save your changes back to the ZyWALL.

Reset Click Reset to return the screen to its last-saved settings.

Table 160 Configuration > Anti-X > Content Filter > General (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 545

filter policy. A content filter policy defines which content filter profile should be

applied, when it should be applied, and to whose web access it should be applied.

Figure 315 Configuration > Anti-X > Content Filter > General > Add l

The following table describes the labels in this screen.

Table 161 Configuration > Anti-X > Content Filter > General > Add

LABEL DESCRIPTION

Create new

Object

Use this to configure any new settings objects that you need to use in this

screen.

Schedule Select a schedule to define when to apply this content filter policy. You can

define different policies for different time periods. For example, you could

have one policy that blocks access to certain categories of web sites during

working hours and another policy that allows access to certain categories

after the work day is over.

Select none to have the content filter policy apply all of the time.

Address Select the address or address group for which you want to use this policy.

Select any to have the content filter policy apply to all of the web access

requests that the ZyWALL receives from any IP address.

Filter Profile Use the drop-down list box to select the content filter profile that you want

to use for this policy. The content filter profile defines to which web

services, web sites or web site categories access is to be allowed or denied.

Use the content filter Filter Profile screens to configure the profiles.

User/Group Use the drop-down list box to select the individual or group for which you

want to use this policy.

Select any to have the content filter policy apply to all of the web access

requests that the ZyWALL receives from any user.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this screen without saving your changes.

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

546

32.4 Content Filter Profile Screen

Click Configuration > Anti-X > Content Filter > Filter Profile to open the

Filter Profile screen. A content filter profile defines to which web services, web

sites or web site categories access is to be allowed or denied.

Figure 316 Configuration > Anti-X > Content Filter > Filter Profile

The following table describes the labels in this screen.

32.5 Content Filter Categories Screen

Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit

to open the Categories screen. Use this screen to enable external database

content filtering and select which web site categories to block and/or log.

Note: You must register for external content filtering before you can use it. See

Section 10.2 on page 215 for how to register.

Table 162 Configuration > Anti-X > Content Filter > Filter Profile

LABEL DESCRIPTION

Add Click this to create a new entry.

Edit Select an entry and click this to be able to modify it.

Remove Select an entry and click this to delete it.

# This column lists the index numbers of the content filter profiles.

Filter Profile Name This column lists the names of the content filter profiles.

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 547

See Chapter 33 on page 565 for how to view content filtering reports.

Figure 317 Configuration > Anti-X > Content Filter > Filter Profile > Add

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

548

Figure 318 Configuration > Anti-X > Content Filter > Filter Profile > Add (Continue)

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 549

The following table describes the labels in this screen.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add

LABEL DESCRIPTION

License Status This read-only field displays the status of your content-filtering

database service registration.

Not Licensed displays if you have not successfully registered

and activated the service.

Expired displays if your subscription to the service has expired.

Licensed displays if you have successfully registered the

ZyWALL and activated the service.

After you register for content filter, you can see Chapter 32 on

page 546 for how to use the Test Against Web Filtering

Server button. When the content filter is active, you should see

the web page’s category. The query fails if the content filter is

not active.

You can view content filter reports after you register the

ZyWALL and activate the subscription service in the

Registration screen (see Chapter 33 on page 565).

License Type This read-only field displays what kind of service registration

you have for the content-filtering database.

None displays if you have not successfully registered and

activated the service.

Standard displays if you have successfully registered the

ZyWALL and activated the standard content filtering service.

Trial displays if you have successfully registered the ZyWALL

and activated the trial service subscription.

Name Enter a descriptive name for this content filtering profile name.

You may use 1-31 alphanumeric characters, underscores(_), or

dashes (-), but the first character cannot be a number. This

value is case-sensitive.

Enable Content Filter

Category Service

Enable external database content filtering to have the ZyWALL

check an external database to find to which category a

requested web page belongs. The ZyWALL then blocks or

forwards access to the web page depending on the configuration

of the rest of this page.

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

550

Action for Unsafe Web

Pages

Select Pass to allow users to access web pages that match the

unsafe categories that you select below.

Select Block to prevent users from accessing web pages that

match the unsafe categories that you select below. When

external database content filtering blocks access to a web page,

it displays the denied access message that you configured in the

Content Filter General screen along with the category of the

blocked web page.

Select Warn to display a warning message before allowing

users to access web pages that match the unsafe categories

that you select below.

Select Log to record attempts to access web pages that match

the unsafe categories that you select below.

Action for Managed

Web Pages

Select Pass to allow users to access web pages that match the

other categories that you select below.

Select Block to prevent users from accessing web pages that

match the other categories that you select below. When

external database content filtering blocks access to a web page,

it displays the denied access message that you configured in the

Content Filter General screen along with the category of the

blocked web page.

Select Log to record attempts to access web pages that match

the other categories that you select below.

Action for Unrated Web

Pages

Select Pass to allow users to access web pages that the

external web filtering service has not categorized.

Select Block to prevent users from accessing web pages that

the external web filtering service has not categorized. When the

external database content filtering blocks access to a web page,

it displays the denied access message that you configured in the

Content Filter General screen along with the category of the

blocked web page.

Select Warn to display a warning message before allowing

users to access web pages that the external web filtering

service has not categorized.

Select Log to record attempts to access web pages that are not

categorized.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 551

Action When Category

Server Is Unavailable

Select Pass to allow users to access any requested web page if

the external content filtering database is unavailable.

Select Block to block access to any requested web page if the

external content filtering database is unavailable.

Select Warn to display a warning message before allowing

users to access any requested web page if the external content

filtering database is unavailable.

The following are possible causes for the external content

filtering server not being available:

• There is no response from the external content filtering

server within the time period specified in the Content Filter

Server Unavailable Timeout field.

• The ZyWALL is not able to resolve the domain name of the

external content filtering database.

• There is an error response from the external content filtering

database. This can be caused by an expired content filtering

registration (External content filtering’s license key is

invalid”).

Select Log to record attempts to access web pages that occur

when the external content filtering database is unavailable.

Select Categories

Select All Categories Select this check box to restrict access to all site categories

listed below.

Clear All Categories Select this check box to clear the selected categories below.

Security Threat

(unsafe)

These are categories of web pages that are known to pose a

threat to users or their computers.

Phishing This category includes pages that are designed to appear as a

legitimate bank or retailer with the intent to fraudulently

capture sensitive data (i.e. credit card numbers, pin numbers).

Spyware/Malware

Sources This category includes pages which distribute spyware and other

malware. Spyware and malware are defined as software which

takes control of your computer, modifies computer settings,

collects or reports personal information, or misrepresents itself

by tricking users to install, download, or enter personal

information. This includes drive-by downloads; browser

hijackers; dialers; intrusive advertising; any program which

modifies your homepage, bookmarks, or security settings; and

keyloggers. It also includes any software which bundles

spyware (as defined above) as part of its offering. Information

collected or reported is "personal" if it contains uniquely

identifying data, such as e-mail addresses, name, social security

number, IP address, etc. A site is not classified as spyware if the

user is reasonably notified that the software will perform these

actions (that is, it alerts that it will send personal information,

be installed, or that it will log keystrokes). Note: Sites rated as

spyware should have a second category assigned with them.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

552

Spyware Effects/

Privacy Concerns This category includes pages to which spyware (as defined in

the Spyware/Malware Sources category) reports its findings or

from which it alone downloads advertisements. Also includes

sites that contain serious privacy issues, such as “phone home”

sites to which software can connect and send user info; sites

that make extensive use of tracking cookies without a posted

privacy statement; and sites to which browser hijackers redirect

users. Usually does not include sites that can be marked as

Spyware/Malware. Note: Sites rated as spyware effects typically

have a second category assigned with them.

Proxy Avoidance This category includes pages that provide information on how to

bypass proxy server/appliance features or gain access to URLs

in any way that bypasses the proxy server/appliance. It also

includes any service that will allow a person to bypass the

content filtering feature, such as anonymous surfing services.

Managed Categories These are categories of web pages based on their content.

Select categories in this section to control access to specific

types of Internet content.

You must have the standard content filtering license to filter

these categories.

Adult Related

Adult/Mature

Content This category includes pages that contain material of adult

nature that does not necessarily contain excessive violence,

sexual content, or nudity. These pages include very profane or

vulgar content and pages that are not appropriate for children.

Alternative

Sexuality/Lifestyles This category includes pages that provide information, promote,

or cater to alternative sexual expressions in their myriad forms.

It includes but is not limited to the full range of non-traditional

sexual practices, interests, orientations or fetishes. It does not

include sites that are sexually gratuitous in nature which would

typically fall under the Pornography category, nor does it include

lesbian, gay, bi-sexual, transgender or any sites which speak to

one's sexual identity.

Extreme This category includes pages that are extreme in nature and not

suitable for general viewership. Includes sites that revel in or

glorify gore, human or animal suffering, scatological or other

aberrant behaviors, perversities, or debaucheries. Visual or

written depictions deemed to be of an unusually horrific nature

are included. These sites are salacious that are bereft of

historical context, educational value or artistic merit created

solely to debase, dehumanize or shock. Examples include

necrophilia, cannibalism, scat and amputee fetish sites.

Intimate Apparel/

Swimsuit This category includes pages that contain images or offer the

sale of swimsuits or intimate apparel or other types of

suggestive clothing. It does not include pages selling

undergarments as a subsection of other products offered.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 553

Nudity This category includes pages containing nude or seminude

depictions of the human body. These depictions are not

necessarily sexual in intent or effect, but may include pages

containing nude paintings or photo galleries of artistic nature.

This category also includes nudist or naturist pages that contain

pictures of nude individuals.

Pornography This category includes pages that contain sexually explicit

material for the purpose of arousing a sexual or prurient

interest.

Open/Mixed Content This category includes pages that contain generally non-

offensive content but that also have potentially objectionable

content such as adult or pornographic material.

Sex Education This category includes pages that provide graphic information

(sometimes graphic) on reproduction, sexual development, safe

sex practices, sexuality, birth control, and sexual development.

It also includes pages that offer tips for better sex as well as

products used for sexual enhancement.

Liability Concerns

Illegal Drugs This category includes pages that promote, offer, sell, supply,

encourage or otherwise advocate the illegal use, cultivation,

manufacture, or distribution of drugs, pharmaceuticals,

intoxicating plants or chemicals and their related paraphernalia.

Illegal/Questionable This category includes pages that advocate or give advice on

performing illegal acts such as service theft, evading law

enforcement, fraud, burglary techniques and plagiarism. It also

includes pages that provide or sell questionable educational

materials, such as term papers.

Note: This category includes sites identified as being

malicious in any way (such as having viruses,

spyware and etc.).

Gambling This category includes pages where a user can place a bet or

participate in a betting pool (including lotteries) online. It also

includes pages that provide information, assistance,

recommendations, or training on placing bets or participating in

games of chance. It does not include pages that sell gambling

related products or machines. It also does not include pages for

offline casinos and hotels (as long as those pages do not meet

one of the above requirements).

Violence/Hate/

Racism This category includes pages that depict extreme physical harm

to people or property, or that advocate or provide instructions

on how to cause such harm. It also includes pages that

advocate, depict hostility or aggression toward, or denigrate an

individual or group on the basis of race, religion, gender,

nationality, ethnic origin, or other characteristics.

Weapons This category includes pages that sell, review, or describe

weapons such as guns, knives or martial arts devices, or

provide information on their use, accessories, or other

modifications. It does not include pages that promote collecting

weapons, or groups that either support or oppose weapons use.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

554

Security Concerns

Hacking This category includes pages that distribute, promote, or

provide hacking tools and/or information which may help gain

unauthorized access to computer systems and/or computerized

communication systems. Hacking encompasses instructions on

illegal or questionable tactics, such as creating viruses,

distributing cracked or pirated software, or distributing other

protected intellectual property.

Pay to Surf This category includes pages that pay users in the form of cash

or prizes, for clicking on or reading specific links, email, or web

pages.

Placeholders This category includes pages that are under construction,

parked domains, search-bait or otherwise generally having no

useful value.

Potentially

Unwanted Software This category includes pages that contain distribute software

that is not malicious but may be unwanted within an

organization such as intrusive adware and hoaxes.

Remote Access Tools This category includes pages that primarily focus on providing

information about and/or methods that enables authorized

access to and use of a desktop computer or private network

remotely.

Suspicious This category includes pages considered to have suspicious

content and/or intent that poses an elevated security or privacy

risk. This is determined by analysis of web reputation factors. It

also includes sites that are part of the Web and email spam

ecosystem. Sites that are determined to be clearly malicious or

benign will be placed in a different category.

File Transfer

Online Storage This category includes pages that provide a secure, encrypted,

off-site backup and restoration of personal data. These online

repositories are typically used to store, organize and share

videos, music, movies, photos, documents and other

electronically formatted information. Sites that fit this criteria

essentially act as your personal hard drive on the Internet.

Peer-to-Peer This category includes pages that distribute software to

facilitate the direct exchange of files between users, including

software that enables file search and sharing across a network

without dependence on a central server.

Software Downloads This category includes pages that are dedicated to the electronic

download of software packages, whether for payment or at no

charge.

Society/Government

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 555

Alternative

Spirituality/Occult This category includes pages that promote and provide

information on religions such as Wicca, Witchcraft or Satanism.

Occult practices, atheistic views, voodoo rituals or any other

form of mysticism are represented here. Includes sites that

endorse or offer methods, means of instruction, or other

resources to affect or influence real events through the use of

spells, incantations, curses and magic powers. This category

includes sites which discuss or deal with paranormal or

unexplained events.

Cultural/Charitable

Organizations This category includes pages that nurture cultural

understanding and foster volunteerism such as 4H, the Lions

and Rotary Clubs. Also encompasses non-profit associations

that cultivate philanthropic or relief efforts. Sites that provide a

learning environment or cultural refinement/awareness outside

of the strictures of formalized education such as museums and

planetariums are included under this heading.

Government/Legal This category includes pages sponsored by or which provide

information on government, government agencies and

government services such as taxation and emergency services.

It also includes pages that discuss or explain laws of various

governmental entities.

LGBT This category includes pages that provide information

regarding, support, promote, or cater to one's sexual

orientation or gender identity including but not limited to

lesbian, gay, bi-sexual, and transgender sites. It does not

include sites that are sexually gratuitous in nature which would

typically fall under the Pornography category.

Military This category includes pages that promote or provide

information on military branches or armed services.

Political/Activist

Groups This category includes pages sponsored by or which provide

information on political parties, special interest groups, or any

organization that promotes change or reform in public policy,

public opinion, social practice, or economic activities.

Religion This category includes pages that promote and provide

information on conventional or unconventional religious or

quasi-religious subjects, as well as churches, synagogues, or

other houses of worship. It does not include pages containing

alternative religions such as Wicca or witchcraft or atheist

beliefs (Alternative Spirituality/Occult).

Society/Lifestyle This category includes pages providing information on matters

of daily life. This does not include pages relating to ainment,

sports, jobs, sex or pages promoting alternative lifestyles such

as homosexuality. Personal homepages fall within this category

if they cannot be classified in another category.

Social Interaction

Blogs Personal

Pages This category includes pages that offer access to Usenet news

groups or other messaging or bulletin board systems. Also, blog

specific sites or an individual with his own blog. This does not

include social networking communities with blogs.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

556

Greeting Cards This category includes pages that facilitate the sending of

electronic greeting cards, animated cards, or similar electronic

messages typically used to mark an event or occasion.

Personals/Dating This category includes pages that promote interpersonal

relationships.

Social Networking This category includes pages that enable people to connect with

others to form an online community. Typically members

describe themselves in personal web page profiles and form

interactive networks, linking them with other members based

on common interests or acquaintances. Instant messaging, file

sharing and web logs (blogs) are common features of Social

Networking sites. Note: These sites may contain offensive

material in the community-created content. Sites in this

category are also referred to as "virtual communities" or "online

communities". This category does not include more narrowly

focused sites, like those that specifically match descriptions for

Personals/Dating sites or Business sites.

Mulitimedia

Audio/Video Clips This category includes pages that provide streams or downloads

of audio or video clips which are typically less than 15 minutes

or less in length. Also includes sites that provide downloaders

and players for audio and video clips.

Media Sharing This category includes pages that allow sharing of media (e.g.,

photo sharing) and have a low risk of including objectionable

content such as adult or pornographic material.

Radio/Audio

Streams This category includes pages that provide streams or downloads

of radio, music, or other audio content-typically more than 15

minutes in length.

TV/Video Streams This category includes pages that provide streams or downloads

of television, movie, Webcam, or other video content-typically

more than 15 minutes in length.

Communication

Chat/Instant

Messaging This category includes pages that provide chat or instant

messaging capabilities or client downloads.

Online Meetings This category includes pages that facilitate online meetings or

provide online meeting, conferencing or training services.

Email This category includes pages offering web-based email services,

such as online email reading, e-cards, and mailing list services.

Newsgroups/Forums This category includes pages that primarily offer access to

newsgroups, messaging or bulletin board systems, or group

blogs where participants can post comments, hold discussions,

or seek opinions or expertise on a variety of topics.

Internet Telephony This category includes pages that facilitate Internet telephony

or provide Internet telephony services such as voice over IP

(VoIP).

Health Related

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 557

Abortion This category includes pages that provide information or

arguments in favor of or against abortion, describe abortion

procedures, offer help in obtaining or avoiding abortion, or

provide information on the effects, or lack thereof, of abortion.

Restaurants/Dining/

Food This category includes pages that list, review, discuss, advertise

and promote food, catering, dining services, cooking and

recipes.

Alcohol Sites that promote, offer for sale, glorify, review, or in any way

advocate the use or creation of alcoholic beverages, including

but not limited to beer, wine, and hard liquors. Pages that sell

alcohol as a subset of other products such as restaurants or

grocery stores are not included.

Tobacco This category includes pages that promote, offer for sale,

glorify, review, or in any way advocate the use or creation of

tobacco or tobacco related products including but not limited to

cigarettes, pipes, cigars and chewing tobacco. Pages that sell

tobacco as a subset of other products such as grocery stores are

not included.

Health This category includes pages that provide advice and

information on general health such as fitness and well-being,

personal health or medical services, drugs, alternative and

complimentary therapies, medical information about ailments,

dentistry, optometry, general psychiatry, self-help, and support

organizations dedicated to a disease or condition.

Leisure

Art/Culture This category includes pages that nurture and promote cultural

understanding of fine art including but not limited to sculpture,

paintings and other visual art forms, literature, music, dance,

ballet, and performance art and the venues or foundations that

support, foster or house them such as museums, galleries,

symphonies and the like. Sites that provide a learning

environment or cultural awareness outside of the strictures of

formalized education such as museums and planetariums are

included under this heading.

Entertainment This category includes pages that provide information on or

promote mass entertainment media including but not limited to

film, film trailers, television, home entertainment, music,

comics, entertainment-oriented periodicals, reviews, interviews,

fan clubs, and celebrity gossip. Also includes wedding or other

photography sites of a non-adult nature.

For Kids This category includes pages designed specifically for children.

Games This category includes pages that provide information and

support game playing or downloading, video games, computer

games, electronic games, tips, and advice on games or how to

obtain cheat codes. It also includes pages dedicated to selling

board games as well as journals and magazines dedicated to

game playing. It includes pages that support or host online

sweepstakes and giveaways.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

558

Humor/Jokes This category includes pages that primarily focus on comedy,

jokes, fun, etc. This may include pages containing jokes of adult

or mature nature. Pages containing humorous Adult/Mature

content also have an Adult/Mature category rating.

Sports/Recreation This category includes pages that promote or provide

information about spectator sports, recreational activities, or

hobbies. This does not include pages that discuss or promote

gardening, collecting, board games, scrapbooking, quilting, etc.

Commerce

Brokerage/Trading This category includes pages that provide or advertise trading of

securities and management of investment assets (online or

offline). It also includes insurance pages, as well as pages that

offer financial investment strategies, quotes, and news.

Business/Economy This category includes pages devoted to business firms,

business information, economics, marketing, business

management and entrepreneurship. This does not include pages

that perform services that are defined in another category (such

as Information Technology companies, or companies that sell

travel services).

Financial Services This category includes pages that provide or advertise banking

services (online or offline) or other types of financial

information, such as loans. It does not include pages that offer

market information, brokerage or trading services.

Job Search/Careers This category includes pages that provide assistance in finding

employment, and tools for locating prospective employers.

Real Estate This category includes pages that provide information on

renting, buying, or selling real estate or properties.

Auctions This category includes pages that support the offering and

purchasing of goods between individuals. This does not include

classified advertisements.

Shopping This category includes pages that provide or advertise the

means to obtain goods or services. It does not include pages

that can be classified in other categories (such as vehicles or

weapons).

Travel This category includes pages that promote or provide

opportunity for travel planning, including finding and making

travel reservations, vehicle rentals, descriptions of travel

destinations, or promotions for hotels or casinos.

Vehicles This category includes pages that provide information on or

promote vehicles, boats, or aircraft, including pages that

support online purchase of vehicles or parts.

Web Advertisements This category includes pages that provide online advertisements

or banners. This does not include advertising servers that serve

adult-oriented advertisements.

Technology

Computers/Internet This category includes pages that sponsor or provide

information on computers, technology, the Internet and

technology-related organizations and companies.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide 559

Content Servers This category includes servers that provide commercial hosting

for a variety of content such as images and media files. These

types of servers are typically used in conjunction with other web

servers to optimize content retrieval speeds.

Non Viewable This category includes servers with non-malicious, non-

offensive content or resources used by applications, but not

directly viewable by web browsers. It includes but is not limited

to Web analytics sites (such as visitor tracking and ranking

sites) and content filtering systems.

Web Hosting This category includes pages of organizations that provide top-

level domain pages, as well as web communities or hosting

services.

Web Applications This category includes pages with interactive, Web-based office/

business applications. It excludes email, chat/IM or other sites

that have a specific content category.

Information Related

Education This category includes pages that offer educational information,

distance learning and trade school information or programs. It

also includes pages that are sponsored by schools, educational

facilities, faculty, or alumni groups.

News/Media This category includes pages that primarily report information

or comments on current events or contemporary issues of the

day. It also includes radio stations and magazines. It does not

include pages that can be rated in other categories.

Reference This category includes pages containing personal, professional,

or educational reference, including online dictionaries, maps,

census, almanacs, library catalogues, genealogy-related pages

and scientific information.

Search Engines/

Portals This category includes pages that support searching the

Internet, indices, and directories.

Translation This category includes pages that allow translation of text

(words, phrases, web pages, between various languages) or

that can be used to identify a language.

Test Web Site Category

URL to test You can check which category a web page belongs to. Enter a

web site URL in the text box.

Test Against Local

Cache

Click this button to see the category recorded in the ZyWALL’s

content filtering database for the web page you specified (if the

database has an entry for it).

Test Against Content

Filter Category Server

Click this button to see the category recorded in the external

content filter server’s database for the web page you specified.

OK Click OK to save your changes back to the ZyWALL.

Cancel Click Cancel to exit this screen without saving your changes.

Table 163 Configuration > Anti-X > Content Filter > Filter Profile > Add (continued)

LABEL DESCRIPTION

Chapter 32 Content Filtering

ZyWALL USG 50 User’s Guide

560

32.5.1 Content Filter Blocked and Warning Messages

These are the content filtering warning messages:

32.6 Content Filter Customization Screen

Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit

> Customization to open the Customization screen. You can create a list of

good (allowed) web site addresses and a list of bad (blocked) web site addresses.

You can also block web sites based on whether the web site’s address contains a

Table 164 Content Filter Warning Messages

CASE WARNING MESSAGE

Safe

Zyxel Zywall Usg 50 Users Manual User’s Guide

Navigation menu

Versions of this User Manual:

Views

Navigation